diff --git a/include/openssl/saf.h b/include/openssl/saf.h
new file mode 100644
index 00000000..4109e15f
--- /dev/null
+++ b/include/openssl/saf.h
@@ -0,0 +1,778 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+/*
+ * SAF API is a crypto API with key and certificate management.
+ * The API is defined in the GM standard GM/T 0019-2012:
+ * Universal Cryptography Service Interface Specification
+ */
+
+#ifndef HEADER_SAF_H
+#define HEADER_SAF_H
+
+
+#define SGD_MAX_COUNT		64
+#define SGD_MAX_NAME_SIZE	256
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef struct SGD_USR_CERT_ENUMLIST_ {
+	unsigned int certCount;
+	unsigned char *certificate[SGD_MAX_COUNT];
+	unsigned int certificateLen[SGD_MAX_COUNT];
+	unsigned char *containerName[SGD_MAX_COUNT];
+	unsigned int containterNameLen[SGD_MAX_COUNT]; //correct?ß
+	unsigned int keyUsage[SGD_MAX_COUNT];
+} SGD_USR_CERT_ENUMLIST;
+
+typedef struct SGD_KEYCONTAINERINFO_ENUMLIST_ {
+	unsigned int keyPairCount;
+	unsigned char *containerName[SGD_MAX_COUNT];
+	unsigned int conatinerNameLen[SGD_MAX_COUNT];
+	unsigned int keyUsage[SGD_MAX_COUNT];
+	unsigned int keyType[SGD_MAX_COUNT];
+} SGD_KEYCONTAINERINFO_ENUMLIST;
+
+typedef struct {
+	unsigned char dn_c[SGD_MAX_NAME_SIZE];
+	unsigned char dn_c_len[1];
+	unsigned char dn_s[SGD_MAX_NAME_SIZE];
+	unsigned char dn_s_len[1];
+	unsigned char dn_l[SGD_MAX_NAME_SIZE];
+	unsigned char dn_l_len[1];
+	unsigned char dn_o[5][SGD_MAX_NAME_SIZE];
+	unsigned int dn_o_len[5];
+	unsigned char dn_ou[5][SGD_MAX_NAME_SIZE];
+	unsigned int dn_ou_len[5];
+	unsigned char dn_cn[2][SGD_MAX_NAME_SIZE];
+	unsigned int dn_cn_len[2];
+	unsigned char dn_email[2][SGD_MAX_NAME_SIZE];
+	unsigned int dn_email_len[2];
+} SGD_NAME_INFO;
+
+int SAF_Initialize(
+	void **phAppHandle,
+	char *pubCfgFilePath);
+
+int SAF_Finalize(
+	void *hAppHandle);
+
+int SAF_GetVersion(
+	unsigned int *puiVersion);
+
+int SAF_Login(
+	void *hAppHandle,
+	unsigned int uiUsrType,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned char *pucPin,
+	unsigned int uiPinLen,
+	unsigned int *puiRemainCount);
+
+int SAF_ChangePin(
+	void *hAppHandle,
+	unsigned int uiUsrType,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned char *pucOldPin,
+	unsigned int uiOldPinLen,
+	unsigned char *pucNewPin,
+	unsigned int uiNewPinLen,
+	unsigned int *puiRemainCount);
+
+int SAF_Logout(
+	void *hAppHandle,
+	unsigned int uiUsrType);
+
+int SAF_AddTrustedRootCaCertificate(
+	void *hAppHandle,
+	unsigned char *pucCertificate,
+	unsigned int uiCertificateLen);
+
+int SAF_GetRootCaCertificateCount(
+	void *hAppHandle,
+	unsigned int *puiCount);
+
+int SAF_GetRootCaCertificate(
+	void *hAppHandle,
+	unsigned int uiIndex,
+	unsigned char *pucCertificate,
+	unsigned int *puiCertificateLen);
+
+int SAF_RemoveRootCaCertificate(
+	void *hAppHandle,
+	unsigned int uiIndex);
+
+int SAF_AddCaCertificate(
+	void *hAppHandle,
+	unsigned char *pucCertificate,
+	unsigned int *puiCertificateLen);
+
+int SAF_GetCaCertificateCount(
+	void *hAppHandle,
+	unsigned int *puiCount);
+
+int SAF_GetCaCertificate(
+	void *hAppHandle,
+	unsigned int uiIndex,
+	unsigned char *pucCertificate,
+	unsigned int *puiCertificateLen);
+
+int SAF_RemoveCaCertificate(
+	void *hAppHandle,
+	unsigned int uiIndex);
+
+int SAF_AddCrl(
+	void *hAppHandle,
+	unsigned char *pucDerCrl,
+	unsigned int uiDerCrlLen);
+
+int SAF_VerifyCertificate(
+	void *hAppHandle,
+	unsigned char *pucUsrCertificate,
+	unsigned int uiUsrCertificateLen);
+
+int SAF_VerifyCertificateByCrl(
+	void *hAppHandle,
+	unsigned char *pucUsrCertificate,
+	unsigned int uiUsrCertificateLen,
+	unsigned char *pucDerCrl,
+	unsigned int uiDerCrlLen);
+
+int SAF_GetCertificateStateByOCSP(
+	void *hAppHandle,
+	unsigned char *pcOcspHostURL,
+	unsigned int uiOcspHostURLLen,
+	unsigned char *pucUsrCertificate,
+	unsigned int uiUsrCertificateLen,
+	unsigned char *pucCACertificate,
+	unsigned int uiCACertficateLen);
+
+int SAF_GetCertFromLdap(
+	void *hAppHandle,
+	char *pcLdapHostURL,
+	unsigned int uiLdapHostURLLen,
+	unsigned char *pucQueryDN,
+	unsigned int uiQueryDNLen,
+	unsigned char *pucOutCert,
+	unsigned int *puiOutCertLen);
+
+int SAF_GetCrlFromLdap(
+	void *hAppHandle,
+	char *pcLdapHostURL,
+	unsigned int uiLdapHostURLLen,
+	unsigned char *pucCertificate,
+	unsigned int uiCertificateLen,
+	unsigned char *pucCrlData,
+	unsigned int *puiCrlDataLen);
+
+int SAF_GetCertificateInfo(
+	void *hAppHandle,
+	unsigned char *pucCertificate,
+	unsigned int uiCertificateLen,
+	unsigned int uiInfoType,
+	unsigned char *pucInfo,
+	unsigned int *puiInfoLen);
+
+int SAF_GetExtTypeInfo(
+	void *hAppHandle,
+	unsigned char *pucDerCert,
+	unsigned int uiDerCertLen,
+	unsigned int uiInfoType,
+	unsigned char *pucPriOid,
+	unsigned int uiPriOidLen,
+	unsigned char *pucInfo,
+	unsigned int *puiInfoLen);
+
+int SAF_EnumCertificates(
+	void *hAppHandle,
+	SGD_USR_CERT_ENUMLIST *usrCerts);
+
+int SAF_EnumKeyContainerInfo(
+	void *hAppHandle,
+	SGD_KEYCONTAINERINFO_ENUMLIST *keyContainerInfo);
+
+int SAF_EnumCertificatesFree(
+	void *hAppHandle,
+	SGD_USR_CERT_ENUMLIST *usrCerts);
+
+int SAF_EnumKeyContainerInfoFree(
+	void *hAppHandle,
+	SGD_KEYCONTAINERINFO_ENUMLIST *keyContainerInfo);
+
+int SAF_Base64_Encode(
+	unsigned char *pucInData,
+	unsigned int puiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Base64_Decode(
+	unsigned char *pucInData,
+	unsigned int puiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Base64_CreateBase64Obj(
+	void **phBase64Obj);
+
+int SAF_Base64_DestroyBase64Obj(
+	void *hBase64Obj);
+
+int SAF_Base64_EncodeUpdate(
+	void *hBase64Obj,
+	unsigned char *pucInData,
+	unsigned int puiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Base64_EncodeFinal(
+	void *hBase64Obj,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Base64_DecodeUpdate(
+	void *hBase64Obj,
+	unsigned char *pucInData,
+	unsigned int puiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Base64_DecodeFinal(
+	void *hBase64Obj,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_GenRandom(
+	unsigned int uiRandLen,
+	unsigned char *pucRand);
+
+int SAF_Hash(
+	unsigned int uiAlgoType,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned char *pubID,
+	unsigned int ulIDLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_CreateHashObj(void **phHashObj,
+	unsigned int uiAlgoType,
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned char *pucID,
+	unsigned int ulIDLen);
+
+int SAF_DestroyHashObj(
+	void *phHashObj);
+
+int SAF_HashUpdate(
+	void *phHashObj,
+	const unsigned char *pucInData,
+	unsigned int uiInDataLen);
+
+int SAF_HashFinal(
+	void *phHashObj,
+	unsigned char *pucOutData,
+	unsigned int *uiOutDataLen);
+
+int SAF_GenRsaKeyPair(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiKeyBits,
+	unsigned int uiKeyUsage,
+	unsigned int uiExportFlag);
+
+int SAF_GetPublicKey(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiKeyUsage,
+	unsigned char *pucPublicKey,
+	unsigned int *puiPublicKeyLen);
+
+int SAF_RsaSign(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiHashAlgoType,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucSignature,
+	unsigned int *puiSignatureLen);
+
+int SAF_RsaSignFile(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiHashAlgoType,
+	unsigned char *pucFileName,
+	unsigned char *pucSignature,
+	unsigned int *puiSignatureLen);
+
+int SAF_RsaVerifySign(
+	unsigned int uiHashAlgoType,
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucSignature,
+	unsigned int uiSignatureLen);
+
+int SAF_RsaVerifySignFile(
+	unsigned int uiHashAlgoType,
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned char *pucFileName,
+	unsigned char *pucSignature,
+	unsigned int uiSignatureLen);
+
+int SAF_VerifySignByCert(
+	unsigned int uiHashAlgoType,
+	unsigned char *pucCertificate,
+	unsigned int uiCertificateLen,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucSignature,
+	unsigned int uiSignatureLen);
+
+int SAF_GenEccKeyPair(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiKeyBits,
+	unsigned int uiKeyUsage,
+	unsigned int uiExportFlag);
+
+int SAF_GetEccPublicKey(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiKeyUsage,
+	unsigned char *pucPublicKey,
+	unsigned int *puiPublicKeyLen);
+
+int SAF_EccSign(
+	void *hAppHandle,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiAlgorithmID,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucSignData,
+	unsigned int *puiSignDataLen);
+
+int SAF_EccVerifySign(
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned int uiAlgorithmID,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucSignData,
+	unsigned int uiSignDataLen);
+
+int SAF_EccPublicKeyEnc(
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned int uiAlgorithmID,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_EccPublicKeyEncByCert(
+	unsigned char *pucCertificate,
+	unsigned int uiCertificateLen,
+	unsigned int uiAlgorithmID,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_EccVerifySignByCert(
+	unsigned int uiAlgorithmID,
+	unsigned char *pucCertificate,
+	unsigned int uiCertificateLen,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucSignData,
+	unsigned int uiSignDataLen);
+
+int SAF_CreateSymmKeyObj(
+	void *hAppHandle,
+	void **phSymmKeyObj,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerLen,
+	unsigned char *pucIV,
+	unsigned int uiIVLen,
+	unsigned int uiEncOrDec,
+	unsigned int uiCryptoAlgID);
+
+int SAF_GenerateKeyWithEPK(
+	void *hSymmKeyObj,
+	unsigned char *pucPublicKey,
+	unsigned int uiPublicKeyLen,
+	unsigned char *pucSymmKey,
+	unsigned int uiSymmKeyLen,
+	void **phKeyHandle);
+
+int SAF_ImportEncedKey(
+	void *hSymmKeyObj,
+	unsigned char *pucSymmKey,
+	unsigned int uiSymmKeyLen,
+	void **phKeyHandle);
+
+int SAF_GenerateAgreementDataWithECC(
+	void *hSymmKeyObj,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	unsigned char *pucSponsorPublicKey,
+	unsigned int *puiSponsorPublicKeyLen,
+	unsigned char *pucSponsorTmpPublicKey,
+	unsigned int *puiSponsorTmpPublicKeyLen,
+	void **phAgreementHandle);
+
+int SAF_GenerateKeyWithECC(
+	void *phAgreementHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucResponsePublicKey,
+	unsigned int uiResponsePublicKeyLen,
+	unsigned char *pucResponseTmpPublicKey,
+	unsigned int uiResponseTmpPublicKeyLen,
+	void **phKeyHandle);
+
+int SAF_GenerateAgreementDataAdnKeyWithECC(
+	void *hSymmKeyObj,
+	unsigned char *pucContainerName,
+	unsigned int uiContainerNameLen,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	unsigned char *pucSponsorPublicKey,
+	unsigned int *puiSponsorPublicKeyLen,
+	unsigned char *pucSponsorTmpPublicKey,
+	unsigned int *puiSponsorTmpPublicKeyLen,
+	unsigned char *pucResponsePublicKey,
+	unsigned int uiResponsePublicKeyLen,
+	unsigned char *pucResponseTmpPublicKey,
+	unsigned int uiResponseTmpPublicKeyLen,
+	void **phKeyHandle);
+
+int SAF_DestroySymmAlgoObj(
+	void *hSymmKeyObj);
+
+int SAF_DestroyKeyHandle(
+	void *hKeyHandle);
+
+int SAF_SymmEncrypt(
+	void *hKeyHandle,
+	const unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_SymmEncryptUpdate(
+	void *hKeyHandle,
+	const unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_SymmEncryptFinal(
+	void *hKeyHandle,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_SymmDecrypt(
+	void *hKeyHandle,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_SymmDecryptUpdate(
+	void *hKeyHandle,
+	unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_SymmDecryptFinal(
+	void *hKeyHandle,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Mac(
+	void *hKeyHandle,
+	const unsigned char *pucInData,
+	unsigned int uiInDataLen,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_MacUpdate(
+	void *hKeyHandle,
+	const unsigned char *pucInData,
+	unsigned int uiInDataLen);
+
+int SAF_MacFinal(
+	void *hKeyHandle,
+	unsigned char *pucOutData,
+	unsigned int *puiOutDataLen);
+
+int SAF_Pkcs7_EncodeData(
+	void *hAppHandle,
+	unsigned char *pucSignContainerName,
+	unsigned int uiSignContainerNameLen,
+	unsigned int uiSignKeyUsage,
+	unsigned char *pucSignerCertificate,
+	unsigned int uiSignerCertificateLen,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucEncCertificate,
+	unsigned int uiEncCertificateLen,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucDerP7Data,
+	unsigned int *puiDerP7DataLen);
+
+int SAF_Pkcs7_DecodeData(
+	void *hAppHandle);
+
+int SAF_Pkcs7_EncodeSignedData(
+	void *hAppHandle,
+	unsigned char *pucSignContainerName,
+	unsigned int uiSignContainerNameLen,
+	unsigned int uiSignKeyUsage,
+	unsigned char *pucSignerCertificate,
+	unsigned int uiSignerCertificateLen,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucDerP7Data,
+	unsigned int *puiDerP7DataLen);
+
+int SAF_Pkcs7_DecodeSignedData(
+	void *hAppHandle,
+	unsigned char *pucDerP7SignedData,
+	unsigned int uiDerP7SignedDataLen,
+	unsigned char *pucSignerCertificate,
+	unsigned int uiSignerCertificateLen,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucSign,
+	unsigned int *puiSignLen);
+
+int SAF_Pkcs7_EncodeEnvelopedData(
+	void *hAppHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucEncCertificate,
+	unsigned int uiEncCertificateLen,
+	unsigned int uiSymmAlgorithm,
+	unsigned char *pucDerP7EnvelopedData,
+	unsigned int *puiDerP7EnvelopedDataLen);
+
+int SAF_Pkcs7_DecodeEnvelopedData(
+	void *hAppHandle,
+	unsigned char *pucDecContainerName,
+	unsigned int uiDecContainerNameLen,
+	unsigned int uiDecKeyUsage,
+	unsigned char *pucDerP7EnvelopedData,
+	unsigned int uiDerP7EnvelopedDataLen,
+	unsigned char *pucData,
+	unsigned int *puiDataLen);
+
+int SAF_Pkcs7_EncodeDigestedData(
+	void *hAppHandle,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucDerP7DigestedData,
+	unsigned int *puiDerP7DigestedDataLen);
+
+int SAF_Pkcs7_DecodeDigestedData(
+	void *hAppHandle,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucDerP7DigestedData,
+	unsigned int uiDerP7DigestedDataLen,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucDigest,
+	unsigned int *puiDigestLen);
+
+int SAF_SM2_EncodeSignedAndEnvelopedData(
+	void *hAppHandle,
+	unsigned char *pucSignContainerName,
+	unsigned int uiSignContainerNameLen,
+	unsigned int uiSignKeyUsage,
+	unsigned char *pucSignerCertificate,
+	unsigned int uiSignerCertificateLen,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucEncCertificate,
+	unsigned int uiEncCertificateLen,
+	unsigned int uiSymmAlgorithm,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucDerSignedAndEnvelopedData,
+	unsigned int *puiDerSignedAndEnvelopedDataLen);
+
+int SAF_SM2_DecodeSignedAndEnvelopedData(
+	void *hAppHandle,
+	unsigned char *pucDerContainerName,
+	unsigned int uiDerContainerNameLen,
+	unsigned int uiDecKeyUsage,
+	unsigned char *pucDerSignedAndEnvelopedData,
+	unsigned int uiDerSignedAndEnvelopedDataLen,
+	unsigned char *pucData,
+	unsigned int *puiDataLen,
+	unsigned char *pucSignerCertificate,
+	unsigned int *puiSignerCertificateLen,
+	unsigned int *puiDigestAlgorithms);
+
+int SAF_SM2_EncodeSignedData(
+	void *hAppHandle,
+	unsigned char *pucSignContainerName,
+	unsigned int uiSignContainerNameLen,
+	unsigned int uiSignKeyUsage,
+	unsigned char *pucSignerCertificate,
+	unsigned int uiSignerCertificateLen,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucDerSignedData,
+	unsigned int *puiDerSignedDataLen);
+
+int SAF_SM2_DecodeSignedData(
+	void *hAppHandle,
+	unsigned char *pucDerSignedData,
+	unsigned int uiDerSignedDataLen,
+	unsigned char *pucSignerCertificate,
+	unsigned int uiSignerCertificateLen,
+	unsigned int uiDigestAlgorithm,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucSign,
+	unsigned int *puiSignLen);
+
+int SAF_SM2_EncodeEnvelopedData(
+	void *hAppHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLen,
+	unsigned char *pucEncCertificate,
+	unsigned int uiEncCertificateLen,
+	unsigned int uiSymmAlgorithm,
+	unsigned char *pucDerEnvelopedData,
+	unsigned int *puiDerEnvelopedDataLen);
+
+int SAF_SM2_DecodeEnvelopedData(
+	void *hAppHandle,
+	unsigned char *pucDecContainerName,
+	unsigned int uiDecContainerNameLen,
+	unsigned int uiDecKeyUsage,
+	unsigned char *pucDerEnvelopedData,
+	unsigned int uiDerEnvelopedDataLen,
+	unsigned char *pucData,
+	unsigned int *puiDataLen);
+
+
+#define SAR_Ok			0x00000000
+#define SAR_UnknownErr		0x02000001
+#define SAR_NotSupportYetErr	0x02000002
+#define SAR_FileErr		0x02000003
+#define SAR_ProviderTypeErr	0x02000004
+#define SAR_LoadProviderErr	0x02000005
+#define SAR_LoadDevMngApiErr	0x02000006
+#define SAR_AlgoTypeErr		0x02000007
+#define SAR_NameLenErr		0x02000008
+#define SAR_KeyUsageErr		0x02000009
+#define SAR_ModulusLenErr	0x02000010
+#define SAR_NotInitializeErr	0x02000011
+#define SAR_ObjErr		0x02000012
+#define SAR_MemoryErr		0x02000100
+#define SAR_TimeoutErr		0x02000101
+#define SAR_IndataLenErr	0x02000200
+#define SAR_IndataErr		0x02000201
+#define SAR_GenRandErr		0x02000300
+#define SAR_HashObjErr		0x02000301
+#define SAR_HashErr		0x02000302
+#define SAR_GenRsaKeyErr	0x02000303
+#define SAR_RsaModulusLenErr	0x02000304
+#define SAR_CspImportPubKeyErr	0x02000305
+#define SAR_RsaEncErr		0x02000306
+#define SAR_RsaDecErr		0x02000307
+#define SAR_HashNotEqualErr	0x02000308
+#define SAR_KeyNotFoundErr	0x02000309
+#define SAR_CertNotFoundErr	0x02000310
+#define SAR_NotExportErr	0x02000311
+#define SAR_CertRevokedErr	0x02000316
+#define SAR_CertNotYetValidErr	0x02000317
+#define SAR_CerthashExpiredErr	0x02000318
+#define SAR_CertVerifyErr	0x02000319
+#define SAR_CertEncodeErr	0x02000320
+#define SAR_DecryptPadErr	0x02000400
+#define SAR_MacLenErr		0x02000401
+#define SAR_KeyInfoTypeErr	0x02000402
+#define SAR_NotLogin		0x02000403
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/include/openssl/sdf.h b/include/openssl/sdf.h
new file mode 100644
index 00000000..35d179c6
--- /dev/null
+++ b/include/openssl/sdf.h
@@ -0,0 +1,505 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+/*
+ * SDF API is a cryptographic API for PCI-E cards defined in standard
+ * GM/T 0018-2012: Interface Specifications of Cryptography Device Application
+ *
+ * Note: this header file follows the specification of GM/T 0018-2012. As we
+ * know, some vendors provide header files with some differences, especially
+ * the definations of data structures. So be sure to check the file provided by
+ * vendors and compare with this one.
+ *
+ * The implementations of SDF API from different vendors might have different
+ * behaviors on the same function. The comments in this file will show
+ * information and warnings on these issues. If the application developer use
+ * the GmSSL implementation, see `crypto/gmapi/sdf_lcl.h` for more information.
+ */
+
+#ifndef HEADER_SDF_H
+#define HEADER_SDF_H
+
+#include <stdio.h>
+#include <openssl/sgd.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef struct DeviceInfo_st{
+	unsigned char IssuerName[40];
+	unsigned char DeviceName[16];
+	unsigned char DeviceSerial[16];	/* 8-char date +
+					 * 3-char batch num +
+					 * 5-char serial num
+					 */
+	unsigned int DeviceVersion;
+	unsigned int StandardVersion;
+	unsigned int AsymAlgAbility[2];	/* AsymAlgAbility[0] = algors
+					 * AsymAlgAbility[1] = modulus lens
+					 */
+	unsigned int SymAlgAbility;
+	unsigned int HashAlgAbility;
+	unsigned int BufferSize;
+} DEVICEINFO;
+
+#define RSAref_MAX_BITS    2048
+#define RSAref_MAX_LEN     ((RSAref_MAX_BITS + 7) / 8)
+#define RSAref_MAX_PBITS   ((RSAref_MAX_BITS + 1) / 2)
+#define RSAref_MAX_PLEN    ((RSAref_MAX_PBITS + 7)/ 8)
+
+typedef struct RSArefPublicKey_st {
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+} RSArefPublicKey;
+
+typedef struct RSArefPrivateKey_st {
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+	unsigned char d[RSAref_MAX_LEN];
+	unsigned char prime[2][RSAref_MAX_PLEN];
+	unsigned char pexp[2][RSAref_MAX_PLEN];
+	unsigned char coef[RSAref_MAX_PLEN];
+} RSArefPrivateKey;
+
+#define ECCref_MAX_BITS		512
+#define ECCref_MAX_LEN		((ECCref_MAX_BITS+7) / 8)
+
+typedef struct ECCrefPublicKey_st {
+	unsigned int bits;
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+} ECCrefPublicKey;
+
+typedef struct ECCrefPrivateKey_st {
+    unsigned int  bits;
+    unsigned char K[ECCref_MAX_LEN];
+} ECCrefPrivateKey;
+
+typedef struct ECCCipher_st {
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+	/*
+	 * In SM2 ciphertext the `M` is the hash result of the plaintext
+	 * with generated Diffie-Hellman keys, so the length should be the
+	 * digest length, for SM3 it is 256-bit which is equal to the max
+	 * elliptic curve key length (256-bit).
+	 */
+	unsigned char M[32];
+
+	/* length of ciphertext `C` */
+	unsigned int L;
+	unsigned char C[1];
+} ECCCipher;
+
+typedef struct ECCSignature_st {
+	unsigned char r[ECCref_MAX_LEN];
+	unsigned char s[ECCref_MAX_LEN];
+} ECCSignature;
+
+/* ENVELOPEDKEYBLOB is not used in this API, and it requires the
+ * ECCCIPHERBLOB and ECCPUBLICKEYBLOB defined in SKF API
+ */
+#if 0
+typedef struct SDF_ENVELOPEDKEYBLOB {
+	unsigned long Version;
+	unsigned long ulSymmAlgID;
+	ECCCIPHERBLOB ECCCipehrBlob;
+	ECCPUBLICKEYBLOB PubKey;
+	unsigned char cbEncryptedPrivKey[64];
+} ENVELOPEDKEYBLOB, *PENVELOPEDKEYBLOB;
+#endif
+
+int SDF_OpenDevice(
+	void **phDeviceHandle);
+
+int SDF_CloseDevice(
+	void *hDeviceHandle);
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle);
+
+int SDF_CloseSession(
+	void *hSessionHandle);
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo);
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom);
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength);
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex);
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey);
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength);
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey);
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle);
+
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle);
+
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle);
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut);
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle);
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_InternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature);
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength);
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength);
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength);
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength);
+
+int SDF_HashFinal(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength);
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen, /* max 128-byte */
+	unsigned int uiFileSize);
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer);
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer);
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen);
+
+#define SDR_OK			0x0
+#define SDR_BASE		0x01000000
+#define SDR_UNKNOWERR		(SDR_BASE + 0x00000001)
+#define SDR_NOTSUPPORT		(SDR_BASE + 0x00000002)
+#define SDR_COMMFAIL		(SDR_BASE + 0x00000003)
+#define SDR_HARDFAIL		(SDR_BASE + 0x00000004)
+#define SDR_OPENDEVICE		(SDR_BASE + 0x00000005)
+#define SDR_OPENSESSION		(SDR_BASE + 0x00000006)
+#define SDR_PARDENY		(SDR_BASE + 0x00000007)
+#define SDR_KEYNOTEXIST		(SDR_BASE + 0x00000008)
+#define SDR_ALGNOTSUPPOT	(SDR_BASE + 0x00000009)
+#define SDR_ALGMODNOTSUPPORT	(SDR_BASE + 0x0000000A)
+#define SDR_PKOPERR		(SDR_BASE + 0x0000000B)
+#define SDR_SKOPERR		(SDR_BASE + 0x0000000C)
+#define SDR_SIGNERR		(SDR_BASE + 0x0000000D)
+#define SDR_VERIFYERR		(SDR_BASE + 0x0000000E)
+#define SDR_SYMOPERR		(SDR_BASE + 0x0000000F)
+#define SDR_STEPERR		(SDR_BASE + 0x00000010)
+#define SDR_FILESIZEERR		(SDR_BASE + 0x00000011)
+#define SDR_FILENOEXIST		(SDR_BASE + 0x00000012)
+#define SDR_FILEOFSERR		(SDR_BASE + 0x00000013)
+#define SDR_KEYTYPEERR		(SDR_BASE + 0x00000014)
+#define SDR_KEYERR		(SDR_BASE + 0x00000015)
+#define SDR_ENCDATAERR		(SDR_BASE + 0x00000016)
+#define SDR_RANDERR		(SDR_BASE + 0x00000017)
+#define SDR_PRKRERR		(SDR_BASE + 0x00000018)
+#define SDR_MACERR		(SDR_BASE + 0x00000019)
+#define SDR_FILEEXSITS		(SDR_BASE + 0x0000001A)
+#define SDR_FILEWERR		(SDR_BASE + 0x0000001B)
+#define SDR_NOBUFFER		(SDR_BASE + 0x0000001C)
+#define SDR_INARGERR		(SDR_BASE + 0x0000001D)
+#define SDR_OUTARGERR		(SDR_BASE + 0x0000001E)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/include/openssl/skf.h b/include/openssl/skf.h
new file mode 100644
index 00000000..eb219316
--- /dev/null
+++ b/include/openssl/skf.h
@@ -0,0 +1,749 @@
+/* ====================================================================
+ * Copyright (c) 2015 - 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+/* This header file is from the official specification with minor
+ * modification.
+ */
+
+#ifndef HEADER_SKF_H
+#define HEADER_SKF_H
+
+#include <openssl/sgd.h>
+
+//FIXME: all the WIN32 types
+#ifndef WIN32
+typedef signed char		INT8;
+typedef signed short		INT16;
+typedef signed int		INT32;
+typedef unsigned char		UINT8;
+typedef unsigned short		UINT16;
+typedef unsigned int		UINT32;
+typedef long			BOOL;
+typedef UINT8			BYTE;
+typedef UINT8			CHAR;
+typedef INT16			SHORT;
+typedef UINT16			USHORT;
+typedef INT32			LONG;
+typedef UINT32			ULONG;
+typedef UINT32			UINT;
+typedef UINT16			WORD;
+typedef UINT32			DWORD;
+typedef UINT32			FLAGS;
+typedef CHAR *			LPSTR;
+typedef void *			HANDLE;
+#else
+#ifndef _WINDEF_H
+typedef signed char		INT8;
+typedef signed short		INT16;
+typedef signed int		INT32;
+typedef unsigned char		UINT8;
+typedef unsigned short		UINT16;
+typedef unsigned int		UINT32;
+typedef long			BOOL;
+typedef UINT8			BYTE;
+typedef UINT8			CHAR;
+typedef INT16			SHORT;
+typedef UINT16			USHORT;
+typedef INT32			LONG;
+typedef UINT32			ULONG;
+typedef UINT32			UINT;
+typedef UINT16			WORD;
+typedef UINT32			DWORD;
+typedef UINT32			FLAGS;
+typedef CHAR *			LPSTR;
+typedef void *			HANDLE;
+#endif
+#endif
+
+typedef HANDLE DEVHANDLE;
+typedef HANDLE HAPPLICATION;
+typedef HANDLE HSESSION;
+typedef HANDLE HCONTAINER;
+
+
+#ifndef FALSE
+#define FALSE			0x00000000
+#endif
+
+#ifndef TRUE
+#define TRUE			0x00000001
+#endif
+
+#ifdef WIN32
+#define DEVAPI __stdcall
+#else
+#define DEVAPI
+#endif
+
+#ifndef ADMIN_TYPE
+#define ADMIN_TYPE			0
+#endif
+
+#ifndef USER_TYPE
+#define USER_TYPE			1
+#endif
+
+#define MAX_RSA_MODULUS_LEN		256
+#define MAX_RSA_EXPONENT_LEN		4
+#define ECC_MAX_XCOORDINATE_BITS_LEN	512
+#define ECC_MAX_YCOORDINATE_BITS_LEN	512
+#define ECC_MAX_MODULUS_BITS_LEN	512
+
+#define MAX_IV_LEN			32
+
+#define MAX_FILE_NAME_SIZE		32
+#define MAX_FILE_CONTAINER_NAME_SIZE	64
+
+#define SECURE_NEVER_ACCOUNT		0x00000000
+#define SECURE_ADM_ACCOUNT		0x00000001
+#define SECURE_USER_ACCOUNT		0x00000010
+#define SECURE_ANYONE_ACCOUNT		0x000000FF
+
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef struct Struct_Version{
+	BYTE major;
+	BYTE minor;
+} VERSION;
+
+typedef struct Struct_DEVINFO {
+	VERSION	Version;
+	CHAR	Manufacturer[64];
+	CHAR	Issuer[64];
+	CHAR	Label[32];
+	CHAR	SerialNumber[32];
+	VERSION	HWVersion;
+	VERSION	FirmwareVersion;
+	ULONG	AlgSymCap;
+	ULONG	AlgAsymCap;
+	ULONG	AlgHashCap;
+	ULONG	DevAuthAlgId;
+	ULONG	TotalSpace;
+	ULONG	FreeSpace;
+	ULONG	MaxECCBufferSize;
+	ULONG	MaxBufferSize;
+	BYTE  	Reserved[64];
+} DEVINFO, *PDEVINFO;
+
+typedef struct Struct_RSAPUBLICKEYBLOB {
+	ULONG	AlgID;
+	ULONG	BitLen;
+	BYTE	Modulus[MAX_RSA_MODULUS_LEN];
+	BYTE	PublicExponent[MAX_RSA_EXPONENT_LEN];
+} RSAPUBLICKEYBLOB, *PRSAPUBLICKEYBLOB;
+
+typedef struct Struct_RSAPRIVATEKEYBLOB {
+	ULONG	AlgID;
+	ULONG	BitLen;
+	BYTE	Modulus[MAX_RSA_MODULUS_LEN];
+	BYTE	PublicExponent[MAX_RSA_EXPONENT_LEN];
+	BYTE	PrivateExponent[MAX_RSA_MODULUS_LEN];
+	BYTE	Prime1[MAX_RSA_MODULUS_LEN/2];
+	BYTE	Prime2[MAX_RSA_MODULUS_LEN/2];
+	BYTE	Prime1Exponent[MAX_RSA_MODULUS_LEN/2];
+	BYTE	Prime2Exponent[MAX_RSA_MODULUS_LEN/2];
+	BYTE	Coefficient[MAX_RSA_MODULUS_LEN/2];
+} RSAPRIVATEKEYBLOB, *PRSAPRIVATEKEYBLOB;
+
+typedef struct Struct_ECCPUBLICKEYBLOB {
+	ULONG	BitLen;
+	BYTE	XCoordinate[ECC_MAX_XCOORDINATE_BITS_LEN/8];
+	BYTE	YCoordinate[ECC_MAX_YCOORDINATE_BITS_LEN/8];
+} ECCPUBLICKEYBLOB, *PECCPUBLICKEYBLOB;
+
+typedef struct Struct_ECCPRIVATEKEYBLOB {
+	ULONG	BitLen;
+	BYTE	PrivateKey[ECC_MAX_MODULUS_BITS_LEN/8];
+} ECCPRIVATEKEYBLOB, *PECCPRIVATEKEYBLOB;
+
+typedef struct Struct_ECCCIPHERBLOB {
+	BYTE	XCoordinate[ECC_MAX_XCOORDINATE_BITS_LEN/8];
+	BYTE	YCoordinate[ECC_MAX_XCOORDINATE_BITS_LEN/8];
+	BYTE	HASH[32];
+	ULONG	CipherLen;
+	BYTE	Cipher[1];
+} ECCCIPHERBLOB, *PECCCIPHERBLOB;
+
+typedef struct Struct_ECCSIGNATUREBLOB {
+	BYTE	r[ECC_MAX_XCOORDINATE_BITS_LEN/8];
+	BYTE	s[ECC_MAX_XCOORDINATE_BITS_LEN/8];
+} ECCSIGNATUREBLOB, *PECCSIGNATUREBLOB;
+
+typedef struct Struct_BLOCKCIPHERPARAM {
+	BYTE	IV[MAX_IV_LEN];
+	ULONG	IVLen;
+	ULONG	PaddingType;
+	ULONG	FeedBitLen;
+} BLOCKCIPHERPARAM, *PBLOCKCIPHERPARAM;
+
+typedef struct SKF_ENVELOPEDKEYBLOB {
+	ULONG	Version;
+	ULONG	ulSymmAlgID;
+	ULONG	ulBits;
+	BYTE	cbEncryptedPriKey[64];
+	ECCPUBLICKEYBLOB	PubKey;
+	ECCCIPHERBLOB		ECCCipherBlob;
+} ENVELOPEDKEYBLOB, *PENVELOPEDKEYBLOB;
+
+typedef struct Struct_FILEATTRIBUTE {
+	CHAR	FileName[MAX_FILE_NAME_SIZE];
+	ULONG	FileSize;
+	ULONG	ReadRights;
+	ULONG	WriteRights;
+} FILEATTRIBUTE, *PFILEATTRIBUTE;
+
+
+ULONG DEVAPI SKF_WaitForDevEvent(
+	LPSTR szDevName,
+	ULONG *pulDevNameLen,
+	ULONG *pulEvent);
+
+ULONG DEVAPI SKF_CancelWaitForDevEvent(
+	void);
+
+ULONG DEVAPI SKF_EnumDev(BOOL bPresent,
+	LPSTR szNameList,
+	ULONG *pulSize);
+
+ULONG DEVAPI SKF_ConnectDev(
+	LPSTR szName,
+	DEVHANDLE *phDev);
+
+ULONG DEVAPI SKF_DisConnectDev(
+	DEVHANDLE hDev);
+
+ULONG DEVAPI SKF_GetDevState(
+	LPSTR szDevName,
+	ULONG *pulDevState);
+
+ULONG DEVAPI SKF_SetLabel(
+	DEVHANDLE hDev,
+	LPSTR szLabel);
+
+ULONG DEVAPI SKF_GetDevInfo(
+	DEVHANDLE hDev,
+	DEVINFO *pDevInfo);
+
+ULONG DEVAPI SKF_LockDev(
+	DEVHANDLE hDev,
+	ULONG ulTimeOut);
+
+ULONG DEVAPI SKF_UnlockDev(
+	DEVHANDLE hDev);
+
+ULONG DEVAPI SKF_Transmit(
+	DEVHANDLE hDev,
+	BYTE *pbCommand,
+	ULONG ulCommandLen,
+	BYTE *pbData,
+	ULONG *pulDataLen);
+
+ULONG DEVAPI SKF_ChangeDevAuthKey(
+	DEVHANDLE hDev,
+	BYTE *pbKeyValue,
+	ULONG ulKeyLen);
+
+ULONG DEVAPI SKF_DevAuth(
+	DEVHANDLE hDev,
+	BYTE *pbAuthData,
+	ULONG ulLen);
+
+ULONG DEVAPI SKF_ChangePIN(
+	HAPPLICATION hApplication,
+	ULONG ulPINType,
+	LPSTR szOldPin,
+	LPSTR szNewPin,
+	ULONG *pulRetryCount);
+
+LONG DEVAPI SKF_GetPINInfo(
+	HAPPLICATION hApplication,
+	ULONG ulPINType,
+	ULONG *pulMaxRetryCount,
+	ULONG *pulRemainRetryCount,
+	BOOL *pbDefaultPin);
+
+ULONG DEVAPI SKF_VerifyPIN(
+	HAPPLICATION hApplication,
+	ULONG ulPINType,
+	LPSTR szPIN,
+	ULONG *pulRetryCount);
+
+ULONG DEVAPI SKF_UnblockPIN(
+	HAPPLICATION hApplication,
+	LPSTR szAdminPIN,
+	LPSTR szNewUserPIN,
+	ULONG *pulRetryCount);
+
+ULONG DEVAPI SKF_ClearSecureState(
+	HAPPLICATION hApplication);
+
+ULONG DEVAPI SKF_CreateApplication(
+	DEVHANDLE hDev,
+	LPSTR szAppName,
+	LPSTR szAdminPin,
+	DWORD dwAdminPinRetryCount,
+	LPSTR szUserPin,
+	DWORD dwUserPinRetryCount,
+	DWORD dwCreateFileRights,
+	HAPPLICATION *phApplication);
+
+ULONG DEVAPI SKF_EnumApplication(DEVHANDLE hDev,
+	LPSTR szAppName,
+	ULONG *pulSize);
+
+ULONG DEVAPI SKF_DeleteApplication(
+	DEVHANDLE hDev,
+	LPSTR szAppName);
+
+ULONG DEVAPI SKF_OpenApplication(
+	DEVHANDLE hDev,
+	LPSTR szAppName,
+	HAPPLICATION *phApplication);
+
+ULONG DEVAPI SKF_CloseApplication(
+	HAPPLICATION hApplication);
+
+ULONG DEVAPI SKF_CreateFile(
+	HAPPLICATION hApplication,
+	LPSTR szFileName,
+	ULONG ulFileSize,
+	ULONG ulReadRights,
+	ULONG ulWriteRights);
+
+ULONG DEVAPI SKF_DeleteFile(
+	HAPPLICATION hApplication,
+	LPSTR szFileName);
+
+ULONG DEVAPI SKF_EnumFiles(
+	HAPPLICATION hApplication,
+	LPSTR szFileList,
+	ULONG *pulSize);
+
+ULONG DEVAPI SKF_GetFileInfo(
+	HAPPLICATION hApplication,
+	LPSTR szFileName,
+	FILEATTRIBUTE *pFileInfo);
+
+ULONG DEVAPI SKF_ReadFile(
+	HAPPLICATION hApplication,
+	LPSTR szFileName,
+	ULONG ulOffset,
+	ULONG ulSize,
+	BYTE *pbOutData,
+	ULONG *pulOutLen);
+
+ULONG DEVAPI SKF_WriteFile(
+	HAPPLICATION hApplication,
+	LPSTR szFileName,
+	ULONG ulOffset,
+	BYTE *pbData,
+	ULONG ulSize);
+
+ULONG DEVAPI SKF_CreateContainer(
+	HAPPLICATION hApplication,
+	LPSTR szContainerName,
+	HCONTAINER *phContainer);
+
+ULONG DEVAPI SKF_DeleteContainer(
+	HAPPLICATION hApplication,
+	LPSTR szContainerName);
+
+ULONG DEVAPI SKF_EnumContainer(
+	HAPPLICATION hApplication,
+	LPSTR szContainerName,
+	ULONG *pulSize);
+
+ULONG DEVAPI SKF_OpenContainer(
+	HAPPLICATION hApplication,
+	LPSTR szContainerName,
+	HCONTAINER *phContainer);
+
+ULONG DEVAPI SKF_CloseContainer(
+	HCONTAINER hContainer);
+
+ULONG DEVAPI SKF_GetContainerType(
+	HCONTAINER hContainer,
+	ULONG *pulContainerType);
+
+ULONG DEVAPI SKF_ImportCertificate(
+	HCONTAINER hContainer,
+	BOOL bExportSignKey,
+	BYTE *pbCert,
+	ULONG ulCertLen);
+
+ULONG DEVAPI SKF_ExportCertificate(
+	HCONTAINER hContainer,
+	BOOL bSignFlag,
+	BYTE *pbCert,
+	ULONG *pulCertLen);
+
+ULONG DEVAPI SKF_ExportPublicKey(
+	HCONTAINER hContainer,
+	BOOL bSignFlag,
+	BYTE *pbBlob,
+	ULONG *pulBlobLen);
+
+ULONG DEVAPI SKF_GenRandom(
+	DEVHANDLE hDev,
+	BYTE *pbRandom,
+	ULONG ulRandomLen);
+
+ULONG DEVAPI SKF_GenExtRSAKey(
+	DEVHANDLE hDev,
+	ULONG ulBitsLen,
+	RSAPRIVATEKEYBLOB *pBlob);
+
+ULONG DEVAPI SKF_GenRSAKeyPair(
+	HCONTAINER hContainer,
+	ULONG ulBitsLen,
+	RSAPUBLICKEYBLOB *pBlob);
+
+ULONG DEVAPI SKF_ImportRSAKeyPair(
+	HCONTAINER hContainer,
+	ULONG ulSymAlgId,
+	BYTE *pbWrappedKey,
+	ULONG ulWrappedKeyLen,
+	BYTE *pbEncryptedData,
+	ULONG ulEncryptedDataLen);
+
+ULONG DEVAPI SKF_RSASignData(
+	HCONTAINER hContainer,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	BYTE *pbSignature,
+	ULONG *pulSignLen);
+
+ULONG DEVAPI SKF_RSAVerify(
+	DEVHANDLE hDev,
+	RSAPUBLICKEYBLOB *pRSAPubKeyBlob,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	BYTE *pbSignature,
+	ULONG ulSignLen);
+
+ULONG DEVAPI SKF_RSAExportSessionKey(
+	HCONTAINER hContainer,
+	ULONG ulAlgId,
+	RSAPUBLICKEYBLOB *pPubKey,
+	BYTE *pbData,
+	ULONG *pulDataLen,
+	HANDLE *phSessionKey);
+
+ULONG DEVAPI SKF_ExtRSAPubKeyOperation(
+	DEVHANDLE hDev,
+	RSAPUBLICKEYBLOB *pRSAPubKeyBlob,
+	BYTE *pbInput,
+	ULONG ulInputLen,
+	BYTE *pbOutput,
+	ULONG *pulOutputLen);
+
+ULONG DEVAPI SKF_ExtRSAPriKeyOperation(
+	DEVHANDLE hDev,
+	RSAPRIVATEKEYBLOB *pRSAPriKeyBlob,
+	BYTE *pbInput,
+	ULONG ulInputLen,
+	BYTE *pbOutput,
+	ULONG *pulOutputLen);
+
+ULONG DEVAPI SKF_GenECCKeyPair(
+	HCONTAINER hContainer,
+	ULONG ulAlgId,
+	ECCPUBLICKEYBLOB *pBlob);
+
+ULONG DEVAPI SKF_ImportECCKeyPair(
+	HCONTAINER hContainer,
+	ENVELOPEDKEYBLOB *pEnvelopedKeyBlob);
+
+ULONG DEVAPI SKF_ECCSignData(
+	HCONTAINER hContainer,
+	BYTE *pbDigest,
+	ULONG ulDigestLen,
+	ECCSIGNATUREBLOB *pSignature);
+
+ULONG DEVAPI SKF_ECCVerify(
+	DEVHANDLE hDev,
+	ECCPUBLICKEYBLOB *pECCPubKeyBlob,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	ECCSIGNATUREBLOB *pSignature);
+
+ULONG DEVAPI SKF_ECCExportSessionKey(
+	HCONTAINER hContainer,
+	ULONG ulAlgId,
+	ECCPUBLICKEYBLOB *pPubKey,
+	ECCCIPHERBLOB *pData,
+	HANDLE *phSessionKey);
+
+ULONG DEVAPI SKF_ExtECCEncrypt(
+	DEVHANDLE hDev,
+	ECCPUBLICKEYBLOB *pECCPubKeyBlob,
+	BYTE *pbPlainText,
+	ULONG ulPlainTextLen,
+	ECCCIPHERBLOB *pCipherText);
+
+ULONG DEVAPI SKF_ExtECCDecrypt(
+	DEVHANDLE hDev,
+	ECCPRIVATEKEYBLOB *pECCPriKeyBlob,
+	ECCCIPHERBLOB *pCipherText,
+	BYTE *pbPlainText,
+	ULONG *pulPlainTextLen);
+
+ULONG DEVAPI SKF_ExtECCSign(
+	DEVHANDLE hDev,
+	ECCPRIVATEKEYBLOB *pECCPriKeyBlob,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	ECCSIGNATUREBLOB *pSignature);
+
+ULONG DEVAPI SKF_ExtECCVerify(
+	DEVHANDLE hDev,
+	ECCPUBLICKEYBLOB *pECCPubKeyBlob,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	ECCSIGNATUREBLOB *pSignature);
+
+ULONG DEVAPI SKF_GenerateAgreementDataWithECC(
+	HCONTAINER hContainer,
+	ULONG ulAlgId,
+	ECCPUBLICKEYBLOB *pTempECCPubKeyBlob,
+	BYTE *pbID,
+	ULONG ulIDLen,
+	HANDLE *phAgreementHandle);
+
+ULONG DEVAPI SKF_GenerateAgreementDataAndKeyWithECC(
+	HANDLE hContainer,
+	ULONG ulAlgId,
+	ECCPUBLICKEYBLOB *pSponsorECCPubKeyBlob,
+	ECCPUBLICKEYBLOB *pSponsorTempECCPubKeyBlob,
+	ECCPUBLICKEYBLOB *pTempECCPubKeyBlob,
+	BYTE *pbID,
+	ULONG ulIDLen,
+	BYTE *pbSponsorID,
+	ULONG ulSponsorIDLen,
+	HANDLE *phKeyHandle);
+
+ULONG DEVAPI SKF_GenerateKeyWithECC(
+	HANDLE hAgreementHandle,
+	ECCPUBLICKEYBLOB *pECCPubKeyBlob,
+	ECCPUBLICKEYBLOB *pTempECCPubKeyBlob,
+	BYTE *pbID,
+	ULONG ulIDLen,
+	HANDLE *phKeyHandle);
+
+ULONG DEVAPI SKF_ImportSessionKey(
+	HCONTAINER hContainer,
+	ULONG ulAlgId,
+	BYTE *pbWrapedData,
+	ULONG ulWrapedLen,
+	HANDLE *phKey);
+
+ULONG DEVAPI SKF_SetSymmKey(
+	DEVHANDLE hDev,
+	BYTE *pbKey,
+	ULONG ulAlgID,
+	HANDLE *phKey);
+
+ULONG DEVAPI SKF_EncryptInit(
+	HANDLE hKey,
+	BLOCKCIPHERPARAM EncryptParam);
+
+ULONG DEVAPI SKF_Encrypt(
+	HANDLE hKey,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	BYTE *pbEncryptedData,
+	ULONG *pulEncryptedLen);
+
+ULONG DEVAPI SKF_EncryptUpdate(
+	HANDLE hKey,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	BYTE *pbEncryptedData,
+	ULONG *pulEncryptedLen);
+
+ULONG DEVAPI SKF_EncryptFinal(
+	HANDLE hKey,
+	BYTE *pbEncryptedData,
+	ULONG *pulEncryptedDataLen);
+
+ULONG DEVAPI SKF_DecryptInit(
+	HANDLE hKey,
+	BLOCKCIPHERPARAM DecryptParam);
+
+ULONG DEVAPI SKF_Decrypt(
+	HANDLE hKey,
+	BYTE *pbEncryptedData,
+	ULONG ulEncryptedLen,
+	BYTE *pbData,
+	ULONG *pulDataLen);
+
+ULONG DEVAPI SKF_DecryptUpdate(
+	HANDLE hKey,
+	BYTE *pbEncryptedData,
+	ULONG ulEncryptedLen,
+	BYTE *pbData,
+	ULONG *pulDataLen);
+
+ULONG DEVAPI SKF_DecryptFinal(
+	HANDLE hKey,
+	BYTE *pbDecryptedData,
+	ULONG *pulDecryptedDataLen);
+
+ULONG DEVAPI SKF_DigestInit(
+	DEVHANDLE hDev,
+	ULONG ulAlgID,
+	ECCPUBLICKEYBLOB *pPubKey,
+	BYTE *pbID,
+	ULONG ulIDLen,
+	HANDLE *phHash);
+
+ULONG DEVAPI SKF_Digest(
+	HANDLE hHash,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	BYTE *pbHashData,
+	ULONG *pulHashLen);
+
+ULONG DEVAPI SKF_DigestUpdate(
+	HANDLE hHash,
+	BYTE *pbData,
+	ULONG ulDataLen);
+
+ULONG DEVAPI SKF_DigestFinal(
+	HANDLE hHash,
+	BYTE *pHashData,
+	ULONG *pulHashLen);
+
+ULONG DEVAPI SKF_MacInit(
+	HANDLE hKey,
+	BLOCKCIPHERPARAM *pMacParam,
+	HANDLE *phMac);
+
+ULONG DEVAPI SKF_Mac(
+	HANDLE hMac,
+	BYTE *pbData,
+	ULONG ulDataLen,
+	BYTE *pbMacData,
+	ULONG *pulMacLen);
+
+ULONG DEVAPI SKF_MacUpdate(
+	HANDLE hMac,
+	BYTE *pbData,
+	ULONG ulDataLen);
+
+ULONG DEVAPI SKF_MacFinal(
+	HANDLE hMac,
+	BYTE *pbMacData,
+	ULONG *pulMacDataLen);
+
+ULONG DEVAPI SKF_CloseHandle(
+	HANDLE hHandle);
+
+
+#define SAR_OK				0x00000000
+#define SAR_FAIL			0x0A000001
+#define SAR_UNKNOWNERR			0x0A000002
+#define SAR_NOTSUPPORTYETERR		0x0A000003
+#define SAR_FILEERR			0x0A000004
+#define SAR_INVALIDHANDLEERR		0x0A000005
+#define SAR_INVALIDPARAMERR		0x0A000006
+#define SAR_READFILEERR			0x0A000007
+#define SAR_WRITEFILEERR		0x0A000008
+#define SAR_NAMELENERR			0x0A000009
+#define SAR_KEYUSAGEERR			0x0A00000A
+#define SAR_MODULUSLENERR		0x0A00000B
+#define SAR_NOTINITIALIZEERR		0x0A00000C
+#define SAR_OBJERR			0x0A00000D
+#define SAR_MEMORYERR			0x0A00000E
+#define SAR_TIMEOUTERR			0x0A00000F
+#define SAR_INDATALENERR		0x0A000010
+#define SAR_INDATAERR			0x0A000011
+#define SAR_GENRANDERR			0x0A000012
+#define SAR_HASHOBJERR			0x0A000013
+#define SAR_HASHERR			0x0A000014
+#define SAR_GENRSAKEYERR		0x0A000015
+#define SAR_RSAMODULUSLENERR		0x0A000016
+#define SAR_CSPIMPRTPUBKEYERR		0x0A000017
+#define SAR_RSAENCERR			0x0A000018
+#define SAR_RSADECERR			0x0A000019
+#define SAR_HASHNOTEQUALERR		0x0A00001A
+#define SAR_KEYNOTFOUNTERR		0x0A00001B
+#define SAR_CERTNOTFOUNTERR		0x0A00001C
+#define SAR_NOTEXPORTERR		0x0A00001D
+#define SAR_DECRYPTPADERR		0x0A00001E
+#define SAR_MACLENERR			0x0A00001F
+#define SAR_BUFFER_TOO_SMALL		0x0A000020
+#define SAR_KEYINFOTYPEERR		0x0A000021
+#define SAR_NOT_EVENTERR		0x0A000022
+#define SAR_DEVICE_REMOVED		0x0A000023
+#define SAR_PIN_INCORRECT		0x0A000024
+#define SAR_PIN_LOCKED			0x0A000025
+#define SAR_PIN_INVALID			0x0A000026
+#define SAR_PIN_LEN_RANGE		0x0A000027
+#define SAR_USER_ALREADY_LOGGED_IN	0x0A000028
+#define SAR_USER_PIN_NOT_INITIALIZED	0x0A000029
+#define SAR_USER_TYPE_INVALID		0x0A00002A
+#define SAR_APPLICATION_NAME_INVALID	0x0A00002B
+#define SAR_APPLICATION_EXISTS		0x0A00002C
+#define SAR_USER_NOT_LOGGED_IN		0x0A00002D
+#define SAR_APPLICATION_NOT_EXISTS	0x0A00002E
+#define SAR_FILE_ALREADY_EXIST		0x0A00002F
+#define SAR_NO_ROOM			0x0A000030
+#define SAR_FILE_NOT_EXIST		0x0A000031
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/include/openssl/sof.h b/include/openssl/sof.h
new file mode 100644
index 00000000..e7539ca9
--- /dev/null
+++ b/include/openssl/sof.h
@@ -0,0 +1,165 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+/* GM/T 0020 */
+
+
+#ifndef HEADER_SOF_H
+#define HEADER_SOF_H
+
+typedef char * BSTR;
+typedef long BOOL;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+BSTR SOF_GetVersion(void);
+long SOF_SetSignMethod(long SignMethod);
+long SOF_GetSignMethod(void);
+long SOF_SetEncryptMethod(long EncryptMethod);
+long SOF_GetEncryptMethod(void);
+BSTR SOF_GetUserList(void);
+BSTR SOF_ExportUserCert(BSTR ContainerName);
+BOOL SOF_Login(BSTR ContainerName, BSTR PassWd);
+long SOF_GetPinRetryCount(BSTR ContainerName);
+BOOL SOF_ChangePassWd(BSTR ContainerName, BSTR OldPassWd, BSTR NewPassWd);
+BSTR SOF_ExportExChangeUserCert(BSTR ContainerName);
+BSTR SOF_GetCertInfo(BSTR Base64EncodeCert, short Type);
+BSTR SOF_GetCertInfoByOid(BSTR Base64EncodeCert, BSTR Oid);
+BSTR SOF_GetDeviceInfo(BSTR ContainerName, long Type);
+long SOF_ValidateCert(BSTR Base64EncodeCert);
+BSTR SOF_SignData(BSTR ContainerName, BSTR InData);
+BOOL SOF_VerifySignedData(BSTR Base64EncodeCert, BSTR InData, BSTR SignValue);
+BSTR SOF_SignFile(BSTR ContainerName, BSTR InFile);
+BOOL SOF_VerifySignedFile(BSTR Base64EncodeCert, BSTR InFile, BSTR SignValue);
+BSTR SOF_EncryptData(BSTR Base64EncodeCert, BSTR InData);
+BSTR SOF_DecryptData(BSTR ContainerName, BSTR InData);
+BOOL SOF_EncryptFile(BSTR Base64EncodeCert, BSTR InFile, BSTR OutFile);
+BOOL SOF_DecryptFile(BSTR ContainerName, BSTR InFile, BSTR OutFile);
+BSTR SOF_SignMessage(short flag, BSTR ContainerName, BSTR InData);
+BOOL SOF_VerifySignedMessage(BSTR MessageData, BSTR InData);
+BSTR SOF_GetInfoFromSignedMessage(BSTR SignedMessage, short Type);
+BSTR SOF_SignDataXML(BSTR ContainerName, BSTR InData);
+BOOL SOF_VerifySignedDataXML(BSTR InData);
+BSTR SOF_GetXMLSignatureInfo(BSTR XMLSignedData, short Type);
+BSTR SOF_GenRandom(short RandomLen);
+long SOF_GetLastError(void);
+
+long SOF_SetCertTrustList(BSTR CTLAltName, BSTR CTLContent, short CTLContentLen);
+BSTR SOF_GetCertTrustListAltNames(void);
+BSTR SOF_GetCertTrustList(BSTR CTLAltName);
+long SOF_DelCertTrustList(BSTR CTLAltName);
+long SOF_InitCertAppPolicy(BSTR PolicyName);
+BSTR SOF_GetServerCertificate(short CertUsage);
+BSTR SOF_SignMessageDetach(BSTR InData);
+long SOF_VerifySignedMessageDetach(BSTR InData, BSTR SignedMessage);
+BSTR SOF_CreateTimeStampRequest(BSTR InData);
+BSTR SOF_CreateTimeStampResponse(BSTR TimeStampRequest);
+long SOF_VerifyTimeStamp(BSTR InData, BSTR tsResponseData);
+BSTR SOF_GetTimeStampInfo(BSTR tsResponseData, short type);
+
+#define SOR_OK			0x00000000
+#define SOR_UnknownErr		0x0B000001
+#define SOR_NotSupportYetErr	0x0B000002
+#define SOR_FileErr		0x0B000003
+#define SOR_ProviderTypeErr	0x0B000004
+#define SOR_LoadProviderErr	0x0B000005
+#define SOR_LoadDevMngApiErr	0x0B000006
+#define SOR_AlgoTypeErr		0x0B000007
+#define SOR_NameLenErr		0x0B000008
+#define SOR_KeyUsageErr		0x0B000009
+#define SOR_ModulusLenErr	0x0B000010
+#define SOR_NotInitializeErr	0x0B000011
+#define SOR_ObjErr		0x0B000012
+#define SOR_MemoryErr		0x0B000100
+#define SOR_TimeoutErr		0x0B000101
+#define SOR_IndataLenErr	0x0B000200
+#define SOR_IndataErr		0x0B000201
+#define SOR_GenRandErr		0x0B000300
+#define SOR_HashObjErr		0x0B000301
+#define SOR_HashErr		0x0B000302
+#define SOR_GenRsaKeyErr	0x0B000303
+#define SOR_RsaModulusLenErr	0x0B000304
+#define SOR_CspImprtPubKeyErr	0x0B000305
+#define SOR_RsaEncErr		0x0B000306
+#define SOR_RsaDecErr		0x0B000307
+#define SOR_HashNotEqualErr	0x0B000308
+#define SOR_KeyNotFountErr	0x0B000309
+#define SOR_CertNotFountErr	0x0B000310
+#define SOR_NotExportErr	0x0B000311
+#define SOR_VerifyPolicyErr	0x0B000312
+#define SOR_DecryptPadErr	0x0B000400
+#define SOR_MacLenErr		0x0B000401
+#define SOR_KeyInfoTypeErr	0x0B000402
+#define SOR_NullPointerErr	0x0B000403
+#define SOR_AppNotFoundErr	0x0B000404
+#define SOR_CertEncodeErr	0x0B000405
+#define SOR_CertInvalidErr	0x0B000406
+#define SOR_CertHasExpiredErr	0x0B000407
+#define SOR_CertRevokedErr	0x0B000408
+#define SOR_SignDataErr		0x0B000409
+#define SOR_VerifySignDataErr	0x0B000410
+#define SOR_ReadFileErr		0x0B000411
+#define SOR_WriteFileErr	0x0B000412
+#define SOR_SecretSegmentErr	0x0B000413
+#define SOR_SecretRecoverErr	0x0B000414
+#define SOR_EncryptDataErr	0x0B000415
+#define SOR_DecryptDataErr	0x0B000416
+#define SOR_PKCS7EncodeErr	0x0B000417
+#define SOR_XMLEncodeErr	0x0B000418
+#define SOR_ParameterNotSupportErr 0x0B000419
+#define SOR_CTLNotFound		0x0B000420
+#define SOR_AppNotFound		0x0B000421
+
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif