Master GmSSL: Build, Install, and Use China’s National Cryptography Suite
This guide introduces GmSSL, an OpenSSL‑compatible toolbox that implements China’s national cryptographic algorithms, explains its lightweight and cross‑platform features, and provides step‑by‑step instructions for compiling, installing, and using core commands, SM4/SM3/SM2 operations, and certificate authority workflows.
Overview
GmSSL is an open‑source cryptographic library that implements the Chinese national algorithms SM2, SM3, SM4, SM9, ZUC and the corresponding TLS/SSL protocols (TLCP). It retains API compatibility with OpenSSL, is released under a BSD‑style license, and the source code is hosted on GitHub.
Main Features
Ultra‑lightweight: minimal memory usage and binary size, no dynamic memory allocation, suitable for MCU/SOC environments.
Compliance‑oriented: can be built to include only national algorithms and TLCP, simplifying certification.
Security‑enhanced: TLS 1.3 support, RFC 8998 national cipher suites, default key protection against side‑channel attacks.
Cross‑platform build: CMake works with Visual Studio, Android NDK, or custom Makefiles without Perl.
Language bindings: Java, Go, PHP and a REST API.
National Algorithms
SM2 is an ECC‑based public‑key scheme that provides digital signatures, key exchange and encryption, replacing RSA/DH/ECDSA/ECDH. SM3 is a hash function that replaces MD5, SHA‑1 and SHA‑256. SM4 is a 128‑bit block cipher that replaces DES/AES. SM9 is an identity‑based encryption scheme that can replace certificate‑based PKI.
Build and Installation
Download the source archive and extract it:
wget https://github.com/guanzhi/GmSSL/archive/refs/tags/v3.1.1.zip
unzip v3.1.1.zip
Compile and install with CMake:
cd GmSSL-3.1.1/
mkdir build
cd build
sudo cmake ..
sudo make
sudo make install
If the runtime reports libgmssl.so.3: cannot open shared object file, add /usr/local/lib to /etc/ld.so.conf, run ldconfig, and then verify the installation with:
gmssl version
Successful output should contain GmSSL 3.1.1.
Basic Commands
Run gmssl --help to list available sub‑commands, e.g. sm2keygen, sm2sign, sm2encrypt, sm3, sm4, certgen, tls13_client, etc.
SM4 Encryption / Decryption
KEY=11223344556677881122334455667788
IV=11223344556677881122334455667788
echo "Hello Tinywan" | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
SM3 Hash
echo -n "开源技术小栈" | gmssl sm3
# 3b944faa488763d08967e7999aa565f8035277f9b017adc8fe209e81de698465
SM2 Key Pair, Signing and Encryption
# Generate SM2 key pair (encrypted private key)
gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
# Sign data
printf "hello" | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig
# Verify signature
printf "hello" | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678
# Encrypt with public key
printf "hello" | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
# Decrypt with private key
gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
Certificate Authority (CA) Creation
# Root CA key and self‑signed certificate
gmssl sm2keygen -pass 1234 -out rootcakey.pem
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA \
-days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem \
-key_usage keyCertSign -key_usage cRLSign
# Sub‑CA key and certificate signing request
gmssl sm2keygen -pass 1234 -out cakey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" \
-days 3650 -key cakey.pem -pass 1234 -out careq.pem
# Sign Sub‑CA request with Root CA
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign \
-path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem \
-pass 1234 -out cacert.pem
Issue End‑Entity Certificates
# Signing certificate
gmssl sm2keygen -pass 1234 -out signkey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost \
-days 365 -key signkey.pem -pass 1234 -out signreq.pem
gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature \
-cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
# Encryption certificate
gmssl sm2keygen -pass 1234 -out enckey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost \
-days 365 -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment \
-cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
Combine and Verify Server Certificate
# Concatenate leaf and intermediate certificates
cat signcert.pem > certs.pem
cat cacert.pem >> certs.pem
# Verify the chain against the root CA
gmssl certverify -in certs.pem -cacert rootcacert.pem
Inspect Certificates
gmssl certparse -in cacert.pem
For additional usage examples, refer to the official quick‑start guide at http://gmssl.org/docs/quickstart.html.
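To make concrete what the sm3, sm2sign and sm2verify steps above actually compute, here is an added pure-Python reference implementation of SM3 and of SM2 signing and verification as specified in GB/T 32905-2016 and GB/T 32918-2016. It is not code from GmSSL or from the original article. It hashes the article's sample string so the digest can be compared with the gmssl sm3 output shown earlier, and it derives Z_A with the same default signer ID 1234567812345678 that appears in the sm2verify -id option. The curve constants are the standard sm2p256v1 parameters; the signature is handled as the raw (r, s) integer pair, whereas gmssl sm2sign writes the signature to a file in its own encoding, so the two are not byte-for-byte comparable. The random private key and nonce come from os.urandom, so the sign/verify round trip is deterministic only in its outcome, not in its bytes.

```python
"""Pure-Python SM3 and SM2 (sign/verify) reference, added for checking the gmssl steps above."""
import os
import struct

# ---- SM3 (GB/T 32905-2016) -----------------------------------------------
_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
_M32 = 0xFFFFFFFF

def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M32

def _p0(x): return x ^ _rotl(x, 9) ^ _rotl(x, 17)
def _p1(x): return x ^ _rotl(x, 15) ^ _rotl(x, 23)

def _compress(v, block):
    # Message expansion: W0..W67 and W'0..W'63
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
        else:
            t, ff, gg = 0x7A879D8A, (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M32, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (ff + d + ss2 + w1[j]) & _M32
        tt2 = (gg + h + ss1 + w[j]) & _M32
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]

def sm3(data: bytes) -> bytes:
    """SM3 digest: append 0x80, zero-pad to 56 mod 64, append 64-bit big-endian bit length."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", len(data) * 8)
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)

# ---- SM2 over the standard curve sm2p256v1 (GB/T 32918-2016) -------------
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
DEFAULT_ID = b"1234567812345678"  # the default signer ID shown in the article's sm2verify -id option

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None                  # Q + (-Q)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    acc = None
    while k:                      # right-to-left double-and-add
        if k & 1: acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _za(uid, pub):
    """Z_A = SM3(ENTL || ID || a || b || xG || yG || xA || yA); ENTL is the ID bit length (2 bytes)."""
    fields = (A, B, G[0], G[1], pub[0], pub[1])
    return sm3(struct.pack(">H", len(uid) * 8) + uid + b"".join(f.to_bytes(32, "big") for f in fields))

def keygen(d=None):
    d = d or int.from_bytes(os.urandom(32), "big") % (N - 2) + 1
    return d, _mul(d, G)

def sign(d, pub, msg, uid=DEFAULT_ID):
    e = int.from_bytes(sm3(_za(uid, pub) + msg), "big")
    while True:
        k = int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
        x1, _ = _mul(k, G)
        r = (e + x1) % N
        if r == 0 or r + k == N: continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s: return r, s

def verify(pub, msg, sig, uid=DEFAULT_ID):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or not on_curve(pub): return False
    e = int.from_bytes(sm3(_za(uid, pub) + msg), "big")
    t = (r + s) % N
    if t == 0: return False
    pt = _add(_mul(s, G), _mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r

if __name__ == "__main__":
    print(sm3("开源技术小栈".encode()).hex())   # compare with the article's `gmssl sm3` digest
    d, pub = keygen()
    sig = sign(d, pub, b"hello")
    print(verify(pub, b"hello", sig), verify(pub, b"hellp", sig))
```

The verifier recomputes Z_A from the public key and ID before hashing, which is why the sm2verify command above needs the same -id the signer used: a different ID changes e and the signature no longer checks out, even though the message and key are unchanged.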