SM2/SM4 Mechanisms
This section describes the C-based PKCS#11 interface to the SM2/SM4 functions in the HSM firmware. Although PKCS#11 constitutes the core client-side API to the HSM, it is expected that other API layers (like Java) will be required in order to support the customers’ application environment. These APIs are yet to be defined.
NOTE
>SM2
>SM4
SM2
Generate Key Pair
Generate a keypair of type CKK_SM2.
CK_BYTE sm2p256v1[] = { 0x06, 0x08, 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D }; CK_RV C_GenerateKeyPair( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, // CKM_SM2_KEY_PAIR_GEN CK_ATTRIBUTE_PTR pPublicKeyTemplate, // eg CKA_EC_PARAMS with curve sm2p256v1 or any other curve CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey, CK_OBJECT_HANDLE_PTR phPrivateKey );
Sign
Use the C_Sign* family of functions.
typedef struct CK_SM2DSA_PARAMS { CK_MECHANISM_TYPE zhashAlg; // eg CKM_SM3 CK_ULONG ulUserIdLen; CK_VOID_PTR pUserId; } CK_SM2DSA_PARAMS; CK_RV C_SignInit( CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, // eg CKM_SM3_SM2DSA with CK_SM2DSA_PARAMS CK_OBJECT_HANDLE hKey ); CK_RV C_Sign( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen );
Also supported:
>C_SignUpdate, C_SignFinal for multi-part operations
>C_VerifyInit, C_Verify for verifying (single-part operations)
>C_VerifyUpdate, C_VerifyFinal for verifying (multi-part operations)
Available mechanisms for signing include:
>CKM_SM2DSA
>CKM_SM3_SM2DSA
>CKM_SHA1_SM2DSA
>CKM_SHA224_SM2DSA
>CKM_SHA256_SM2DSA
>CKM_SHA384_SM2DSA
>CKM_SHA512_SM2DSA
Available mechanisms for field zHashAlg include:
>CKM_SM3
>CKM_SHA1
>CKM_SHA224
>CKM_SHA256
>CKM_SHA384
>CKM_SHA512
SM4
Generate Key
Generate a secret key of type CKK_SM4.
CK_RV C_GenerateKey(
CK_SESSION_HANDLE hSession
CK_MECHANISM_PTR pMechanism, // CKM_SM4_KEY_GEN
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phKey
);
Encrypt
Use the C_Encrypt* family of functions.
CK_RV C_EncryptInit(
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, // eg CKM_SM4_CBC_PAD with InitializationVector [16 bytes]
CK_OBJECT_HANDLE hKey
);
CK_RV C_Encrypt(
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pEncryptedData,
CK_ULONG_PTR pulEncryptedDataLen
);
Also supported:
>C_EncryptUpdate, C_EncryptFinal for multi-part operations
>C_DecryptInit, C_Decrypt for decrypting (single-part operations)
>C_DecryptUpdate, C_DecryptFinal for decrypting (multi-part operations)
Available mechanisms for encryption include:
>CKM_SM4_ECB
>CKM_SM4_CBC
>CKM_SM4_CBC_PAD