update saf

2026-05-07 08:56:17 +08:00 · 2017-02-24 21:46:17 +08:00
parent dc4041ea4b
commit 18e83f3624
18 changed files with 579 additions and 256 deletions
--- a/crypto/saf/build.info
+++ b/crypto/saf/build.info
@@ -1,4 +1,4 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=saf_lib.c saf_errstr.c saf_app.c saf_keyhandle.c \
 	saf_ec.c saf_sm2.c saf_rand.c saf_hash.c saf_enc.c saf_mac.c saf_symmkeyobj.c \
-	saf_base64.c saf_cert.c saf_err.c
+	saf_base64.c saf_cert.c saf_err.c saf_pkcs7.c
--- a/crypto/saf/saf_app.c
+++ b/crypto/saf/saf_app.c
@@ -63,6 +63,7 @@ int SAF_Initialize(
 {
 	int ret = SAR_UnknownErr;
 	SAF_APP *app = NULL;
+	char *engine_id = pubCfgFilePath;

 	if (!phAppHandle || !pubCfgFilePath) {
 		SAFerr(SAF_F_SAF_INITIALIZE, ERR_R_PASSED_NULL_PARAMETER);
@@ -74,8 +75,19 @@ int SAF_Initialize(
 		return SAR_MemoryErr;
 	}

+	if (!(app->engine = ENGINE_by_id(engine_id))
+		|| !ENGINE_init(app->engine)) {
+		SAFerr(SAF_F_SAF_INITIALIZE, ERR_R_ENGINE_LIB);
+		goto end;
+	}
+
 	*phAppHandle = app;
-	return SAR_Ok;
+	app = NULL;
+	ret = SAR_Ok;
+
+end:
+	SAF_Finalize(app);
+	return ret;
 }

 /* 7.1.3 */
@@ -83,6 +95,11 @@ int SAF_Finalize(
 	void *hAppHandle)
 {
 	SAF_APP *app = (SAF_APP *)hAppHandle;
+
+	if (app->engine) {
+		ENGINE_finish(app->engine);
+	}
+
 	OPENSSL_free(app);
 	return SAR_Ok;
 }
--- a/crypto/saf/saf_cert.c
+++ b/crypto/saf/saf_cert.c
@@ -252,4 +252,3 @@ int SAF_EnumKeyContainerInfoFree(
 {
 	return SAR_NotSupportYetErr;
 }
-
--- a/crypto/saf/saf_ec.c
+++ b/crypto/saf/saf_ec.c
@@ -63,6 +63,7 @@ int SAF_GenEccKeyPair(
 	unsigned int uiExportFlag)
 {
 	int ret = -1;
+	SAF_APP *app = (SAF_APP *)hAppHandle;

 	/* check arguments */
 	if (!hAppHandle || !pucContainerName) {
@@ -88,13 +89,37 @@ int SAF_GenEccKeyPair(
 		return SAR_KeyUsageErr;
 	}

-	/* set return value */
-	ret = SAR_Ok;
+	/* process */
+	EVP_PKEY_CTX *pctx = NULL;
+	EVP_PKEY *pkey = NULL;

+	if (!(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, app->engine))
+		|| EVP_PKEY_keygen_init(pctx) <= 0
+		|| EVP_PKEY_keygen(pctx, &pkey) <= 0) {
+		SAFerr(SAF_F_SAF_GENECCKEYPAIR, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
 end:
+	EVP_PKEY_CTX_free(pctx);
+	EVP_PKEY_free(pkey);
 	return ret;
 }

+const char *SGD_GetKeyUsageName(unsigned int uiKeyUsage)
+{
+	switch (uiKeyUsage) {
+	case SGD_PK_SIGN:
+		return "sign";
+	case SGD_PK_ENC:
+		return "enc";
+	case SGD_PK_DH:
+		return "dh";
+	}
+	return NULL;
+}
+
 /* 7.3.24 */
 int SAF_GetEccPublicKey(
 	void *hAppHandle,
@@ -106,7 +131,6 @@ int SAF_GetEccPublicKey(
 {
 	int ret = SAR_UnknownErr;
 	SAF_APP *app = (SAF_APP *)hAppHandle;
-	int rv;

 	/* check arguments */
 	if (!hAppHandle || !pucContainerName || !pucPublicKey ||
@@ -134,13 +158,30 @@ int SAF_GetEccPublicKey(
 		return SAR_IndataErr;
 	}

-	/* load public key */
+	/* process */
+	EVP_PKEY *pkey = NULL;
+	char key_id[1024];
+	int len;

+	snprintf(key_id, sizeof(key_id), "%s.%s", (char *)pucContainerName,
+		SGD_GetKeyUsageName(uiKeyUsage));
+
+	if (!(pkey = ENGINE_load_public_key(app->engine, key_id, NULL, NULL))) {
+		SAFerr(SAF_F_SAF_GETECCPUBLICKEY, ERR_R_ENGINE_LIB);
+		goto end;
+	}
+	if ((len = i2d_PUBKEY(pkey, &pucPublicKey)) <= 0) {
+		SAFerr(SAF_F_SAF_GETECCPUBLICKEY, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	*puiPublicKeyLen = (unsigned int)len;

 	/* set return value */
 	ret = SAR_Ok;

 end:
+	EVP_PKEY_free(pkey);
 	return ret;
 }

@@ -156,8 +197,7 @@ int SAF_EccSign(
 	unsigned int *puiSignDataLen)
 {
 	int ret = SAR_UnknownErr;
-	void *hSessionHandle = NULL;
-	unsigned int uiISKIndex;
+	SAF_APP *app = (SAF_APP *)hAppHandle;

 	/* check arguments */
 	if (!hAppHandle || !pucContainerName || !pucInData ||
@@ -185,8 +225,28 @@ int SAF_EccSign(
 		return SAR_IndataErr;
 	}

+	/* process */
+	char key_id[1024];
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *pctx = NULL;
+	size_t siglen;
+
+	snprintf(key_id, sizeof(key_id), "%s.sign", (char *)pucContainerName);
+
+	if (!(pkey = ENGINE_load_private_key(app->engine, key_id, NULL, NULL))
+		|| !(pctx = EVP_PKEY_CTX_new(pkey, app->engine))
+		|| EVP_PKEY_sign_init(pctx) <= 0
+		|| EVP_PKEY_sign(pctx, pucSignData, &siglen, pucInData, (size_t)uiInDataLen) <= 0) {
+		SAFerr(SAF_F_SAF_ECCSIGN, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	*puiSignDataLen = (unsigned int)siglen;
+
 	ret = SAR_Ok;
 end:
+	EVP_PKEY_free(pkey);
+	EVP_PKEY_CTX_free(pctx);
 	return ret;
 }

@@ -224,9 +284,22 @@ int SAF_EccVerifySign(
 		return SAR_IndataLenErr;
 	}

-	ret = SAR_Ok;
+	/* process */
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *pctx = NULL;

+	if (!(pkey = d2i_PUBKEY(NULL, (const unsigned char **)&pucPublicKey, (long)uiPublicKeyLen))
+		|| !(pctx = EVP_PKEY_CTX_new(pkey, NULL))
+		|| EVP_PKEY_verify_init(pctx) <= 0
+		|| EVP_PKEY_verify(pctx, pucSignData, uiSignDataLen, pucInData, uiInDataLen) <= 0) {
+		SAFerr(SAF_F_SAF_ECCVERIFYSIGN, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
 end:
+	EVP_PKEY_free(pkey);
+	EVP_PKEY_CTX_free(pctx);
 	return ret;
 }

@@ -269,8 +342,25 @@ int SAF_EccPublicKeyEnc(
 		return SAR_IndataLenErr;
 	}

+	/* precess */
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *pctx = NULL;
+	size_t outlen = *puiOutDataLen;
+
+	if (!(pkey = d2i_PUBKEY(NULL, (const unsigned char **)&pucPublicKey, (long)uiPublicKeyLen))
+		|| !(pctx = EVP_PKEY_CTX_new(pkey, NULL))
+		|| EVP_PKEY_decrypt_init(pctx) <= 0
+		|| EVP_PKEY_decrypt(pctx, pucOutData, &outlen, pucInData, uiInDataLen) <= 0) {
+		SAFerr(SAF_F_SAF_ECCPUBLICKEYENC, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	*puiOutDataLen = (unsigned int)outlen;
+
 	ret = SAR_Ok;
 end:
+	EVP_PKEY_free(pkey);
+	EVP_PKEY_CTX_free(pctx);
 	return ret;
 }

@@ -285,8 +375,6 @@ int SAF_EccPublicKeyEncByCert(
 	unsigned int *puiOutDataLen)
 {
 	int ret = SAR_UnknownErr;
-	ECCrefPublicKey publicKey;
-	int rv;

 	/* check arguments */
 	if (!pucCertificate || !pucInData || !pucOutData || !puiOutDataLen) {
@@ -315,9 +403,36 @@ int SAF_EccPublicKeyEncByCert(
 		return SAR_IndataLenErr;
 	}

+	/* process */
+	X509 *x509 = NULL;
+	unsigned char pubkey[1024];
+	unsigned char *p = pubkey;
+	int len;
+
+	if (!(x509 = d2i_X509(NULL, (const unsigned char **)&pucCertificate, (long)uiCertificateLen))) {
+		SAFerr(SAF_F_SAF_ECCPUBLICKEYENCBYCERT, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	if ((len = i2d_PUBKEY(X509_get0_pubkey(x509), &p)) <= 0) {
+		SAFerr(SAF_F_SAF_ECCPUBLICKEYENCBYCERT, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	ret = SAF_EccPublicKeyEnc(
+		pubkey,
+		(unsigned int)len,
+		uiAlgorithmID,
+		pucInData,
+		uiInDataLen,
+		pucOutData,
+		puiOutDataLen);
+
+
 	/* set return value */
 	ret = SAR_Ok;
 end:
+	X509_free(x509);
 	return ret;
 }

@@ -332,8 +447,6 @@ int SAF_EccVerifySignByCert(
 	unsigned int uiSignDataLen)
 {
 	int ret = SAR_UnknownErr;
-	ECCrefPublicKey publicKey;
-	int rv;

 	/* check arguments */
 	if (!pucCertificate || !pucInData || !pucSignData) {
@@ -362,11 +475,39 @@ int SAF_EccVerifySignByCert(
 		return SAR_IndataLenErr;
 	}

-	/* load public key form cert */
+	/* process */
+	X509 *x509 = NULL;
+	unsigned char pucPublicKey[1024];
+	unsigned int uiPublicKeyLen;
+	unsigned char *p = pucPublicKey;
+	int len;
+
+	if (!(x509 = d2i_X509(NULL, (const unsigned char **)&pucCertificate, (long)uiCertificateLen))) {
+		SAFerr(SAF_F_SAF_ECCVERIFYSIGNBYCERT, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	if ((len = i2d_PUBKEY(X509_get0_pubkey(x509), &p)) <= 0) {
+		SAFerr(SAF_F_SAF_ECCVERIFYSIGNBYCERT, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	uiPublicKeyLen = (unsigned int)len;
+
+	ret = SAF_EccVerifySign(
+		pucPublicKey,
+		uiPublicKeyLen,
+		uiAlgorithmID,
+		pucInData,
+		uiInDataLen,
+		pucSignData,
+		uiSignDataLen);
+

 	/* set return value */
 	ret = SAR_Ok;
 end:
+	X509_free(x509);
 	return ret;
 }

@@ -385,10 +526,9 @@ int SAF_GenerateAgreementDataWithECC(
 	void **phAgreementHandle)
 {
 	int ret = -1;
-	unsigned int uiISKIndex;

 	ret = SAR_Ok;
-end:
+
 	return ret;
 }

@@ -405,7 +545,7 @@ int SAF_GenerateKeyWithECC(
 {
 	int ret = -1;

-	return 0;
+	return ret;
 }

 /* 7.3.35 */
--- a/crypto/saf/saf_enc.c
+++ b/crypto/saf/saf_enc.c
@@ -63,21 +63,26 @@ int SAF_SymmEncryptUpdate(
 {
 	int ret = SAR_UnknownErr;
 	SAF_KEY *hkey = (SAF_KEY *)hKeyHandle;
-	unsigned char *out = pucOutData;
-	int inlen, outlen;
+	int outlen;

 	if (!hKeyHandle || !pucInData || !pucOutData || !puiOutDataLen) {
 		SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, ERR_R_PASSED_NULL_PARAMETER);
 		return SAR_IndataErr;
 	}
-	if (uiInDataLen > INT_MAX) {
+
+	if (uiInDataLen <= 0 || uiInDataLen > INT_MAX) {
 		SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, SAF_R_INVALID_LENGTH);
 		return SAR_IndataLenErr;
 	}

 	if (!hkey->cipher_ctx) {
-		unsigned char iv[32];
-		int ivlen;
+		const EVP_CIPHER *cipher;
+
+		if (!(cipher = EVP_get_cipherbysgd(hkey->hSymmKeyObj->uiCryptoAlgID))) {
+			SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, SAF_R_INVALID_KEY_HANDLE);
+			ret = SAR_IndataErr;
+			goto end;
+		}

 		if (!(hkey->cipher_ctx = EVP_CIPHER_CTX_new())) {
 			SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, ERR_R_MALLOC_FAILURE);
@@ -85,31 +90,16 @@ int SAF_SymmEncryptUpdate(
 			goto end;
 		}

-		/* generate random iv and output */
-		ivlen = EVP_CIPHER_block_size(hkey->cipher);
-		if (ivlen <= 0 || ivlen > sizeof(iv)) {
-			SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, SAF_R_INVALID_CONTEXT);
-			ret = SAR_ObjErr;
-			goto end;
-		}
-		if (!RAND_bytes(iv, ivlen)) {
-			SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, SAF_R_GEN_RANDOM);
-			ret = SAR_GenRandErr;
-			goto end;
-		}
-
-		/* output iv, update out pointer */
-		memcpy(out, iv, ivlen);
-		out += ivlen;
-
-		if (!EVP_EncryptInit(hkey->cipher_ctx, hkey->cipher, hkey->key, iv)) {
+		if (!EVP_EncryptInit_ex(hkey->cipher_ctx, cipher,
+			hkey->hSymmKeyObj->app->engine,
+			hkey->key, hkey->hSymmKeyObj->pucIV)) {
 			SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, ERR_R_EVP_LIB);
 			goto end;
 		}
 	}

-	inlen = (int)uiInDataLen;
-	if (!EVP_EncryptUpdate(hkey->cipher_ctx, out, &outlen, pucInData, inlen)) {
+	if (!EVP_EncryptUpdate(hkey->cipher_ctx, pucOutData, &outlen,
+		pucInData, (int)uiInDataLen)) {
 		SAFerr(SAF_F_SAF_SYMMENCRYPTUPDATE, ERR_R_EVP_LIB);
 		goto end;
 	}
@@ -131,7 +121,31 @@ int SAF_SymmEncryptFinal(
 	unsigned char *pucOutData,
 	unsigned int *puiOutDataLen)
 {
-	return 0;
+	int ret = SAR_UnknownErr;
+	SAF_KEY *hkey = (SAF_KEY *)hKeyHandle;
+	int outlen;
+
+	if (!hKeyHandle || !pucOutData || !puiOutDataLen) {
+		SAFerr(SAF_F_SAF_SYMMENCRYPTFINAL, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!hkey->cipher_ctx) {
+		SAFerr(SAF_F_SAF_SYMMENCRYPTFINAL, SAF_R_ENCRYPT_NOT_INITIALIED);
+		return SAR_NotInitializeErr;
+	}
+
+	if (!EVP_EncryptFinal_ex(hkey->cipher_ctx, pucOutData, &outlen)) {
+		SAFerr(SAF_F_SAF_SYMMENCRYPTFINAL, ERR_R_EVP_LIB);
+		goto end;
+	}
+	*puiOutDataLen = (unsigned int)outlen;
+
+	ret = SAR_OK;
+end:
+	EVP_CIPHER_CTX_free(hkey->cipher_ctx);
+	hkey->cipher_ctx = NULL;
+	return ret;
 }

 /* 7.3.42 */
@@ -144,8 +158,7 @@ int SAF_SymmDecryptUpdate(
 {
 	int ret = SAR_UnknownErr;
 	SAF_KEY *hkey = (SAF_KEY *)hKeyHandle;
-	unsigned char *in = pucInData;
-	int inlen, outlen;
+	int outlen;

 	if (!hKeyHandle || !pucInData || !pucOutData || !puiOutDataLen) {
 		SAFerr(SAF_F_SAF_SYMMDECRYPTUPDATE, ERR_R_PASSED_NULL_PARAMETER);
@@ -156,11 +169,14 @@ int SAF_SymmDecryptUpdate(
 		return SAR_IndataLenErr;
 	}

-	inlen = (int)uiInDataLen;
-
 	if (!hkey->cipher_ctx) {
-		unsigned char iv[32];
-		int ivlen;
+		const EVP_CIPHER *cipher;
+
+		if (!(cipher = EVP_get_cipherbysgd(hkey->hSymmKeyObj->uiCryptoAlgID))) {
+			SAFerr(SAF_F_SAF_SYMMDECRYPTUPDATE, SAF_R_INVALID_KEY_HANDLE);
+			ret = SAR_IndataErr;
+			goto end;
+		}

 		if (!(hkey->cipher_ctx = EVP_CIPHER_CTX_new())) {
 			SAFerr(SAF_F_SAF_SYMMDECRYPTUPDATE, ERR_R_MALLOC_FAILURE);
@@ -168,25 +184,16 @@ int SAF_SymmDecryptUpdate(
 			goto end;
 		}

-		/* get iv from input */
-		ivlen = EVP_CIPHER_block_size(hkey->cipher);
-		if (ivlen <= 0 || ivlen > sizeof(iv)) {
-			SAFerr(SAF_F_SAF_SYMMDECRYPTUPDATE, SAF_R_INVALID_CONTEXT);
-			ret = SAR_ObjErr;
-			goto end;
-		}
-
-		memcpy(iv, in, ivlen);
-		in += ivlen;
-		inlen -= ivlen;
-
-		if (!EVP_DecryptInit(hkey->cipher_ctx, hkey->cipher, hkey->key, iv)) {
+		if (!EVP_DecryptInit_ex(hkey->cipher_ctx, cipher,
+			hkey->hSymmKeyObj->app->engine,
+			hkey->key, hkey->hSymmKeyObj->pucIV)) {
 			SAFerr(SAF_F_SAF_SYMMDECRYPTUPDATE, ERR_R_EVP_LIB);
 			goto end;
 		}
 	}

-	if (!EVP_DecryptUpdate(hkey->cipher_ctx, pucOutData, &outlen, in, inlen)) {
+	if (!EVP_DecryptUpdate(hkey->cipher_ctx, pucOutData, &outlen,
+		pucInData, (int)uiInDataLen)) {
 		SAFerr(SAF_F_SAF_SYMMDECRYPTUPDATE, ERR_R_EVP_LIB);
 		goto end;
 	}
@@ -208,7 +215,32 @@ int SAF_SymmDecryptFinal(
 	unsigned char *pucOutData,
 	unsigned int *puiOutDataLen)
 {
-	return 0;
+	int ret = SAR_UnknownErr;
+	SAF_KEY *hkey = (SAF_KEY *)hKeyHandle;
+	int outlen;
+
+	if (!hKeyHandle || !pucOutData || !puiOutDataLen) {
+		SAFerr(SAF_F_SAF_SYMMDECRYPTFINAL, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!hkey->cipher_ctx) {
+		SAFerr(SAF_F_SAF_SYMMDECRYPTFINAL, SAF_R_DECRYPT_NOT_INITIALIZED);
+		return SAR_NotInitializeErr;
+	}
+
+	if (!EVP_DecryptFinal_ex(hkey->cipher_ctx, pucOutData, &outlen)) {
+		SAFerr(SAF_F_SAF_SYMMDECRYPTFINAL, ERR_R_EVP_LIB);
+		goto end;
+	}
+	*puiOutDataLen = (unsigned int)outlen;
+
+	ret = SAR_OK;
+
+end:
+	EVP_CIPHER_CTX_free(hkey->cipher_ctx);
+	hkey->cipher_ctx = NULL;
+	return ret;
 }

 /* 7.3.38 */
@@ -219,24 +251,20 @@ int SAF_SymmEncrypt(
 	unsigned char *pucOutData,
 	unsigned int *puiOutDataLen)
 {
-	int ret;
-	unsigned char *out;
-	unsigned int outlen;
-
-	out = pucOutData;
-	outlen = *puiOutDataLen;
+	int ret = SAR_UnknownErr;
+	unsigned int len;

 	if ((ret = SAF_SymmEncryptUpdate(hKeyHandle, pucInData, uiInDataLen,
-		out, &outlen)) != SAR_OK) {
+		pucOutData, puiOutDataLen)) != SAR_OK) {
 		return ret;
 	}
-	out += outlen;
-	if ((ret = SAF_SymmEncryptFinal(hKeyHandle, out, &outlen)) != SAR_OK) {
-		return ret;
-	}
-	out += outlen;

-	*puiOutDataLen = out - pucOutData;
+	if ((ret = SAF_SymmEncryptFinal(hKeyHandle,
+		pucOutData + *puiOutDataLen, &len)) != SAR_OK) {
+		return ret;
+	}
+	*puiOutDataLen += len;
+
 	return SAR_OK;
 }

@@ -248,23 +276,19 @@ int SAF_SymmDecrypt(
 	unsigned char *pucOutData,
 	unsigned int *puiOutDataLen)
 {
-	int ret;
-	unsigned char *out;
-	unsigned int outlen;
-
-	out = pucOutData;
-	outlen = *puiOutDataLen;
+	int ret = SAR_UnknownErr;
+	unsigned int len;

 	if ((ret = SAF_SymmDecryptUpdate(hKeyHandle, pucInData, uiInDataLen,
-		out, &outlen)) != SAR_OK) {
+		pucOutData, puiOutDataLen)) != SAR_OK) {
 		return ret;
 	}
-	out += outlen;
-	if ((ret = SAF_SymmDecryptFinal(hKeyHandle, out, &outlen)) != SAR_OK) {
-		return ret;
-	}
-	out += outlen;

-	*puiOutDataLen = out - pucOutData;
+	if ((ret = SAF_SymmDecryptFinal(hKeyHandle,
+		pucOutData + *puiOutDataLen, &len)) != SAR_OK) {
+		return ret;
+	}
+	*puiOutDataLen += len;
+
 	return SAR_OK;
 }
--- a/crypto/saf/saf_err.c
+++ b/crypto/saf/saf_err.c
@@ -35,12 +35,11 @@ static ERR_STRING_DATA SAF_str_functs[] = {
    {ERR_FUNC(SAF_F_SAF_ECCVERIFYSIGN), "SAF_EccVerifySign"},
    {ERR_FUNC(SAF_F_SAF_ECCVERIFYSIGNBYCERT), "SAF_EccVerifySignByCert"},
    {ERR_FUNC(SAF_F_SAF_GENECCKEYPAIR), "SAF_GenEccKeyPair"},
-    {ERR_FUNC(SAF_F_SAF_GENERATEAGREEMENTDATAWITHECC),
-     "SAF_GenerateAgreementDataWithECC"},
-    {ERR_FUNC(SAF_F_SAF_GENERATEKEYWITHECC), "SAF_GenerateKeyWithECC"},
    {ERR_FUNC(SAF_F_SAF_GENERATEKEYWITHEPK), "SAF_GenerateKeyWithEPK"},
    {ERR_FUNC(SAF_F_SAF_GENRANDOM), "SAF_GenRandom"},
+    {ERR_FUNC(SAF_F_SAF_GENRSAKEYPAIR), "SAF_GenRsaKeyPair"},
    {ERR_FUNC(SAF_F_SAF_GETECCPUBLICKEY), "SAF_GetEccPublicKey"},
+    {ERR_FUNC(SAF_F_SAF_GETRSAPUBLICKEY), "SAF_GetRsaPublicKey"},
    {ERR_FUNC(SAF_F_SAF_GETVERSION), "SAF_GetVersion"},
    {ERR_FUNC(SAF_F_SAF_IMPORTENCEDKEY), "SAF_ImportEncedKey"},
    {ERR_FUNC(SAF_F_SAF_INITIALIZE), "SAF_Initialize"},
@@ -48,28 +47,33 @@ static ERR_STRING_DATA SAF_str_functs[] = {
    {ERR_FUNC(SAF_F_SAF_LOGOUT), "SAF_Logout"},
    {ERR_FUNC(SAF_F_SAF_MACFINAL), "SAF_MacFinal"},
    {ERR_FUNC(SAF_F_SAF_MACUPDATE), "SAF_MacUpdate"},
-    {ERR_FUNC(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA),
-     "SAF_Pkcs7_DecodeDigestedData"},
-    {ERR_FUNC(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA),
-     "SAF_Pkcs7_EncodeDigestedData"},
+    {ERR_FUNC(SAF_F_SAF_PKCS7_ENCODEENVELOPEDDATA),
+     "SAF_Pkcs7_EncodeEnvelopedData"},
+    {ERR_FUNC(SAF_F_SAF_RSASIGN), "SAF_RsaSign"},
+    {ERR_FUNC(SAF_F_SAF_RSAVERIFYSIGN), "SAF_RsaVerifySign"},
+    {ERR_FUNC(SAF_F_SAF_SYMMDECRYPTFINAL), "SAF_SymmDecryptFinal"},
    {ERR_FUNC(SAF_F_SAF_SYMMDECRYPTUPDATE), "SAF_SymmDecryptUpdate"},
+    {ERR_FUNC(SAF_F_SAF_SYMMENCRYPTFINAL), "SAF_SymmEncryptFinal"},
    {ERR_FUNC(SAF_F_SAF_SYMMENCRYPTUPDATE), "SAF_SymmEncryptUpdate"},
+    {ERR_FUNC(SAF_F_SAF_VERIFYSIGNBYCERT), "SAF_VerifySignByCert"},
    {0, NULL}
 };

 static ERR_STRING_DATA SAF_str_reasons[] = {
    {ERR_REASON(SAF_R_BUFFER_TOO_SMALL), "buffer too small"},
-    {ERR_REASON(SAF_R_CBCMAC_FAILURE), "cbcmac failure"},
    {ERR_REASON(SAF_R_CMAC_FAILURE), "cmac failure"},
+    {ERR_REASON(SAF_R_DECRYPT_NOT_INITIALIZED), "decrypt not initialized"},
    {ERR_REASON(SAF_R_ENCRYPT_KEY_FAILURE), "encrypt key failure"},
+    {ERR_REASON(SAF_R_ENCRYPT_NOT_INITIALIED), "encrypt not initialied"},
    {ERR_REASON(SAF_R_GEN_RANDOM), "gen random"},
    {ERR_REASON(SAF_R_GEN_RANDOM_FAILURE), "gen random failure"},
    {ERR_REASON(SAF_R_INT_OVERFLOW), "int overflow"},
    {ERR_REASON(SAF_R_INVALID_ALGOR), "invalid algor"},
+    {ERR_REASON(SAF_R_INVALID_CERTIFICATE), "invalid certificate"},
    {ERR_REASON(SAF_R_INVALID_CONTEXT), "invalid context"},
-    {ERR_REASON(SAF_R_INVALID_DIGEST_ALGOR), "invalid digest algor"},
    {ERR_REASON(SAF_R_INVALID_HANDLE), "invalid handle"},
    {ERR_REASON(SAF_R_INVALID_INPUT_LENGTH), "invalid input length"},
+    {ERR_REASON(SAF_R_INVALID_KEY_HANDLE), "invalid key handle"},
    {ERR_REASON(SAF_R_INVALID_KEY_LENGTH), "invalid key length"},
    {ERR_REASON(SAF_R_INVALID_KEY_USAGE), "invalid key usage"},
    {ERR_REASON(SAF_R_INVALID_LENGTH), "invalid length"},
@@ -77,7 +81,7 @@ static ERR_STRING_DATA SAF_str_reasons[] = {
    {ERR_REASON(SAF_R_NOT_SUPPORTED), "not supported"},
    {ERR_REASON(SAF_R_OPERATION_NOT_INITIALIZED),
     "operation not initialized"},
-    {ERR_REASON(SAF_R_SAF_ERROR), "saf error"},
+    {ERR_REASON(SAF_R_UNSUPPORTED_ALGOR), "unsupported algor"},
    {0, NULL}
 };

--- a/crypto/saf/saf_hash.c
+++ b/crypto/saf/saf_hash.c
@@ -145,4 +145,3 @@ int SAF_Hash(

 	return SAR_Ok;
 }
-
--- a/crypto/saf/saf_keyhandle.c
+++ b/crypto/saf/saf_keyhandle.c
@@ -82,8 +82,28 @@ int SAF_GenerateKeyWithEPK(
 		return SAR_IndataLenErr;
 	}

+/*
+ 65 typedef struct {
+ 66         SAF_APP *app;
+ 67         unsigned char *pucContainerName;
+ 68         unsigned int uiContainerLen;
+ 69         unsigned char *pucIV;
+ 70         unsigned int uiIVLen;
+ 71         unsigned int uiEncOrDec;
+ 72         unsigned int uiCryptoAlgID;
+ 73 } SAF_SYMMKEYOBJ;
+ 74 
+ 75 typedef struct {
+ 76         SAF_SYMMKEYOBJ *hSymmKeyObj;
+ 77         unsigned char key[64];
+ 78         int keylen;
+ 79         EVP_CIPHER_CTX *cipher_ctx;
+ 80         CMAC_CTX *cmac_ctx;
+ 81 } SAF_KEY;
+*/
+
 	outlen = (size_t)*puiSymmKeyLen;
-	if (!(cipher = EVP_get_cipherbysgd(obj->algor))
+	if (!(cipher = EVP_get_cipherbysgd(obj->uiCryptoAlgID))
 		|| !RAND_bytes(keybuf, EVP_CIPHER_key_length(cipher))
 		|| !(pkey = d2i_PUBKEY(NULL, &pucPublicKey, (long)uiPublicKeyLen))
 		|| !(pkctx = EVP_PKEY_CTX_new(pkey, NULL))
--- a/crypto/saf/saf_lcl.h
+++ b/crypto/saf/saf_lcl.h
@@ -54,7 +54,6 @@
 #include <openssl/engine.h>

 typedef struct saf_app_st {
-	const char *config_path;
 	ENGINE *engine;
 } SAF_APP;

@@ -64,20 +63,22 @@ typedef struct {
 } SAF_BASE64OBJ;

 typedef struct {
-	unsigned int algor;
-	unsigned char container[256];
-	unsigned int containerlen;
-	unsigned char iv[16];
-	unsigned int ivlen;
-	unsigned int enc;
+	SAF_APP *app;
+	unsigned char *pucContainerName;
+	unsigned int uiContainerLen;
+	unsigned char *pucIV;
+	unsigned int uiIVLen;
+	unsigned int uiEncOrDec;
+	unsigned int uiCryptoAlgID;
 } SAF_SYMMKEYOBJ;

 typedef struct {
-	SAF_SYMMKEYOBJ obj;
+	SAF_SYMMKEYOBJ *hSymmKeyObj;
 	unsigned char key[64];
 	int keylen;
-	const EVP_CIPHER *cipher;
 	EVP_CIPHER_CTX *cipher_ctx;
 	CMAC_CTX *cmac_ctx;
 } SAF_KEY;

+SAF_SYMMKEYOBJ *SAF_SYMMKEYOBJ_dup(const SAF_SYMMKEYOBJ *a);
+void SAF_SYMMKEYOBJ_free(SAF_SYMMKEYOBJ *a);
--- a/crypto/saf/saf_lib.c
+++ b/crypto/saf/saf_lib.c
@@ -50,77 +50,8 @@
 #include <openssl/gmsaf.h>
 #include "saf_lcl.h"

-//FIXME: use PEM_write_bio_ECPrivateKey in next version
-int saf_save_ec_keypair(
-	void *hAppHandle,
-	unsigned char *pucContainerName,
-	unsigned int uiContainerNameLen,
-	unsigned int uiKeyBits,
-	unsigned int uiKeyUsage,
-	unsigned int uiExportFlag,
-	ECCrefPublicKey *pucPublicKey,
-	ECCrefPrivateKey *pucPrivateKey)
-{
-	return -1;
-}
-
-int saf_save_rsa_keypair(void *hAppHandle,
-	unsigned char *pucContainerName,
-	unsigned int uiContainerNameLen,
-	unsigned int uiKeyBits,
-	unsigned int uiKeyUsage,
-	unsigned int uiExportFlag,
-	RSArefPublicKey *pucPublicKey,
-	RSArefPrivateKey *pucPrivateKey)
-{
-	return -1;
-}
-
-int saf_get_sdf_session_and_keyindex(
-	void *hAppHandle,
-	unsigned char *pucContainerName,
-	unsigned int uiContainerNameLen,
-	unsigned int uiKeyUsage,
-	void *phSessionHandle,
-	unsigned int puiKeyIndex)
-{
-	return -1;
-}
-
-void saf_release_sdf_session(void *hSessionHandle)
-{
-}
-
-int saf_get_sdf_session_and_ecsignkey(
-	void *hAppHandle,
-	unsigned char *pucContainerName,
-	unsigned int uiContainerNameLen,
-	unsigned int uiAlgorithmID, /* SGD_SM2_1 */
-	void **phSessionhandle,
-	unsigned int *puiISKIndex)
-{
-	return -1;
-}
-
-int saf_get_ec_public_key_from_cert(
-	unsigned char *pucCertificate,
-	unsigned int uiCertificateLen,
-	ECCrefPublicKey *pucPublicKey)
-{
-	return -1;
-}
-
 static int readfile(const char *file, unsigned char **pout, size_t *len)
 {
 	return SAR_Ok;
 }

-static int cert_get_pubkey(
-	unsigned char *pucCertificate,
-	unsigned int uiCertificateLen,
-	unsigned char **pout,
-	unsigned int *outlen)
-{
-	return 0;
-}
-
--- a/crypto/saf/saf_mac.c
+++ b/crypto/saf/saf_mac.c
@@ -67,18 +67,33 @@ int SAF_MacUpdate(
 		return SAR_IndataErr;
 	}

+	if (uiInDataLen <= 0 || uiInDataLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_MACUPDATE, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
 	if (!hkey->cmac_ctx) {
+		const EVP_CIPHER *cipher;
+
+		if (!(cipher = EVP_get_cipherbysgd(hkey->hSymmKeyObj->uiCryptoAlgID))) {
+			SAFerr(SAF_F_SAF_MACUPDATE, SAF_R_INVALID_KEY_HANDLE);
+			ret = SAR_IndataErr;
+			goto end;
+		}
+
 		if (!(hkey->cmac_ctx = CMAC_CTX_new())) {
 			SAFerr(SAF_F_SAF_MACUPDATE, ERR_R_MALLOC_FAILURE);
 			goto end;
 		}
-		if (!CMAC_Init(hkey->cmac_ctx, hkey->key, hkey->keylen, hkey->cipher, NULL)) {
+
+		if (!CMAC_Init(hkey->cmac_ctx, hkey->key, hkey->keylen, cipher,
+			hkey->hSymmKeyObj->app->engine)) {
 			SAFerr(SAF_F_SAF_MACUPDATE, SAF_R_CMAC_FAILURE);
 			goto end;
 		}
 	}

-	if (!CMAC_Update(hkey->cmac_ctx, pucInData, (size_t)uiInDataLen)) {
+	if (!CMAC_Update(hkey->cmac_ctx, pucInData, uiInDataLen)) {
 		SAFerr(SAF_F_SAF_MACUPDATE, SAF_R_CMAC_FAILURE);
 		return SAR_UnknownErr;
 	}
@@ -99,15 +114,16 @@ int SAF_MacFinal(
 	unsigned char *pucOutData,
 	unsigned int *puiOutDataLen)
 {
+	int ret = SAR_UnknownErr;
 	SAF_KEY *hkey = (SAF_KEY *)hKeyHandle;
-	size_t siz;
+	size_t outlen = *puiOutDataLen;

 	if (!hKeyHandle || !pucOutData || !puiOutDataLen) {
 		SAFerr(SAF_F_SAF_MACFINAL, ERR_R_PASSED_NULL_PARAMETER);
 		return SAR_IndataErr;
 	}

-	if (*puiOutDataLen < EVP_CIPHER_block_size(hkey->cipher)) {
+	if (*puiOutDataLen < EVP_MAX_MD_SIZE) {
 		SAFerr(SAF_F_SAF_MACFINAL, SAF_R_BUFFER_TOO_SMALL);
 		return SAR_IndataLenErr;
 	}
@@ -117,14 +133,18 @@ int SAF_MacFinal(
 		return SAR_UnknownErr;
 	}

-	siz = EVP_CIPHER_block_size(hkey->cipher);
-	if (!CMAC_Final(hkey->cmac_ctx, pucOutData, &siz)) {
+	if (!CMAC_Final(hkey->cmac_ctx, pucOutData, &outlen)) {
 		SAFerr(SAF_F_SAF_MACFINAL, SAF_R_MAC_FAILURE);
-		return SAR_UnknownErr;
+		goto end;
 	}

-	*puiOutDataLen = (unsigned int)siz;
-	return SAR_OK;
+	*puiOutDataLen = (unsigned int)outlen;
+	ret = SAR_Ok;
+
+end:
+	CMAC_CTX_free(hkey->cmac_ctx);
+	hkey->cmac_ctx = NULL;
+	return ret;
 }

 /* 7.4.44 */
@@ -144,4 +164,3 @@ int SAF_Mac(
 	}
 	return SAR_OK;
 }
-
--- a/crypto/saf/saf_pkcs7.c
+++ b/crypto/saf/saf_pkcs7.c
@@ -134,6 +134,7 @@ int SAF_Pkcs7_EncodeEnvelopedData(
 	STACK_OF(X509) *certs = NULL;
 	BIO *bio = NULL;
 	const EVP_CIPHER *cipher;
+	int len;

 	/* check arguments */
 	if (!hAppHandle || !pucData || !pucEncCertificate || !puiDerP7EnvelopedDataLen) {
--- a/crypto/saf/saf_rand.c
+++ b/crypto/saf/saf_rand.c
@@ -70,7 +70,7 @@ int SAF_GenRandom(
 		return SAR_IndataErr;
 	}

-	if (!RAND_bytes(pucRand, uiRandLen)) {
+	if (!RAND_bytes(pucRand, (int)uiRandLen)) {
 		SAFerr(SAF_F_SAF_GENRANDOM, SAF_R_GEN_RANDOM_FAILURE);
 		return SAR_GenRandErr;
 	}
--- a/crypto/saf/saf_rsa.c
+++ b/crypto/saf/saf_rsa.c
@@ -61,11 +61,30 @@ int SAF_GenRsaKeyPair(void *hAppHandle,
 	unsigned int uiKeyUsage,
 	unsigned int uiExportFlag)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+
+	/* process */
+	EVP_PKEY_CTX *pctx = NULL;
+	EVP_PKEY *pkey = NULL;
+
+	if (!(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, app->engine))
+		|| EVP_PKEY_keygen_init(pctx) <= 0
+		|| EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, uiKeyBits) <= 0
+		|| EVP_PKEY_keygen(pctx, &pkey) <= 0) {
+		SAFerr(SAF_F_SAF_GENRSAKEYPAIR, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
+end:
+	EVP_PKEY_CTX_free(pctx);
+	EVP_PKEY_free(pkey);
+	return ret;
 }

 /* 7.3.17 */
-int SAF_GetPublicKey(
+int SAF_GetRsaPublicKey(
 	void *hAppHandle,
 	unsigned char *pucContainerName,
 	unsigned int uiContainerNameLen,
@@ -73,7 +92,38 @@ int SAF_GetPublicKey(
 	unsigned char *pucPublicKey,
 	unsigned int *puiPublicKeyLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+
+	/* process */
+	EVP_PKEY *pkey = NULL;
+	char key_id[1024];
+	int len;
+
+	snprintf(key_id, sizeof(key_id), "%s.%s", (char *)pucContainerName,
+		SGD_GetKeyUsageName(uiKeyUsage));
+
+	if (!(pkey = ENGINE_load_public_key(app->engine, key_id, NULL, NULL))) {
+		SAFerr(SAF_F_SAF_GETRSAPUBLICKEY, ERR_R_ENGINE_LIB);
+		goto end;
+	}
+	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
+		SAFerr(SAF_F_SAF_GETRSAPUBLICKEY, ERR_R_ENGINE_LIB);
+		goto end;
+	}
+	if ((len = i2d_PUBKEY(pkey, &pucPublicKey)) <= 0) {
+		SAFerr(SAF_F_SAF_GETRSAPUBLICKEY, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	*puiPublicKeyLen = (unsigned int)len;
+
+	/* set return value */
+	ret = SAR_Ok;
+
+end:
+	EVP_PKEY_free(pkey);
+	return ret;
 }

 /* 7.3.18 */
@@ -87,7 +137,32 @@ int SAF_RsaSign(
 	unsigned char *pucSignature,
 	unsigned int *puiSignatureLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+
+	/* process */
+	char key_id[1024];
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *pctx = NULL;
+	size_t siglen;
+
+	snprintf(key_id, sizeof(key_id), "%s.sign", (char *)pucContainerName);
+
+	if (!(pkey = ENGINE_load_private_key(app->engine, key_id, NULL, NULL))
+		|| !(pctx = EVP_PKEY_CTX_new(pkey, app->engine))
+		|| EVP_PKEY_sign_init(pctx) <= 0
+		|| EVP_PKEY_sign(pctx, pucSignData, &siglen, pucInData, (size_t)uiInDataLen) <= 0) {
+		SAFerr(SAF_F_SAF_RSASIGN, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	*puiSignDataLen = (unsigned int)siglen;
+
+	ret = SAR_Ok;
+end:
+	EVP_PKEY_free(pkey);
+	EVP_PKEY_CTX_free(pctx);
+	return ret;
 }

 /* 7.3.19 */
@@ -113,7 +188,24 @@ int SAF_RsaVerifySign(
 	unsigned char *pucSignature,
 	unsigned int uiSignatureLen)
 {
-	return SAR_NotSupportYetErr;
+	int ret = SAR_UnknownErr;
+	/* process */
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *pctx = NULL;
+
+	if (!(pkey = d2i_PUBKEY(NULL, (const unsigned char **)&pucPublicKey, (long)uiPublicKeyLen))
+		|| !(pctx = EVP_PKEY_CTX_new(pkey, NULL))
+		|| EVP_PKEY_verify_init(pctx) <= 0
+		|| EVP_PKEY_verify(pctx, pucSignData, uiSignDataLen, pucInData, uiInDataLen) <= 0) {
+		SAFerr(SAF_F_SAF_RSAVERIFYSIGN, ERR_R_EVP_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
+end:
+	EVP_PKEY_free(pkey);
+	EVP_PKEY_CTX_free(pctx);
+	return ret;
 }

 /* 7.3.21 */
@@ -138,6 +230,39 @@ int SAF_VerifySignByCert(
 	unsigned char *pucSignature,
 	unsigned int uiSignatureLen)
 {
-	return SAR_OK;
-}
+	int ret = SAR_UnknownErr;
+	/* process */
+	X509 *x509 = NULL;
+	unsigned char pucPublicKey[1024];
+	unsigned int uiPublicKeyLen;
+	unsigned char *p = pucPublicKey;
+	int len;

+	if (!(x509 = d2i_X509(NULL, (const unsigned char **)&pucCertificate, (long)uiCertificateLen))) {
+		SAFerr(SAF_F_SAF_VERIFYSIGNBYCERT, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	if ((len = i2d_PUBKEY(X509_get0_pubkey(x509), &p)) <= 0) {
+		SAFerr(SAF_F_SAF_VERIFYSIGNBYCERT, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	uiPublicKeyLen = (unsigned int)len;
+
+	ret = SAF_RsaVerifySign(
+		pucPublicKey,
+		uiPublicKeyLen,
+		uiAlgorithmID,
+		pucInData,
+		uiInDataLen,
+		pucSignData,
+		uiSignDataLen);
+
+
+	/* set return value */
+	ret = SAR_Ok;
+end:
+	X509_free(x509);
+	return ret;
+}
--- a/crypto/saf/saf_sm2.c
+++ b/crypto/saf/saf_sm2.c
@@ -104,7 +104,18 @@ int SAF_SM2_EncodeSignedData(
 	unsigned char *pucDerSignedData,
 	unsigned int *puiDerSignedDataLen)
 {
-	return 0;
+	return SAF_Pkcs7_EncodeSignedData(
+		hAppHandle,
+		pucSignContainerName,
+		pucSignContainerName,
+		uiSignKeyUsage,
+		pucSignerCertificate,
+		uiSignerCertificateLen,
+		uiDigestAlgorithm,
+		pucData,
+		uiDataLen,
+		pucDerSignedData,
+		puiDerSignedDataLen);
 }

 /* 7.4.13 */
@@ -120,7 +131,17 @@ int SAF_SM2_DecodeSignedData(
 	unsigned char *pucSign,
 	unsigned int *puiSignLen)
 {
-	return 0;
+	return SAF_Pkcs7_DecodeSignedData(
+		hAppHandle,
+		pucDerSignedData,
+		uiDerSignedDataLen,
+		pucSignerCertificate,
+		uiSignerCertificateLen,
+		uiDigestAlgorithm,
+		pucData,
+		uiDataLen,
+		pucSign,
+		puiSignLen);
 }

 /* 7.4.14 */
@@ -134,8 +155,15 @@ int SAF_SM2_EncodeEnvelopedData(
 	unsigned char *pucDerEnvelopedData,
 	unsigned int *puiDerEnvelopedDataLen)
 {
-	int ret = SAR_UnknownErr;
-	return ret;
+	return SAF_Pkcs7_EncodeEnvelopedData(
+		hAppHandle,
+		pucData,
+		uiDataLen,
+		pucEncCertificate,
+		uiEncCertificateLen,
+		uiSymmAlgorithm,
+		pucDerEnvelopedData,
+		puiDerEnvelopedDataLen);
 }

 /* 7.4.15 */
@@ -149,5 +177,13 @@ int SAF_SM2_DecodeEnvelopedData(
 	unsigned char *pucData,
 	unsigned int *puiDataLen)
 {
-	return 0;
+	return SAF_Pkcs7_DecodeEnvelopedData(
+		hAppHandle,
+		pucDecContainerName,
+		uiDecContainerNameLen,
+		uiDecKeyUsage,
+		pucDerEnvelopedData,
+		uiDerEnvelopedDataLen,
+		pucData,
+		puiDataLen);
 }
--- a/crypto/saf/saf_symmkeyobj.c
+++ b/crypto/saf/saf_symmkeyobj.c
@@ -79,18 +79,18 @@ int SAF_CreateSymmKeyObj(
 		return SAR_IndataLenErr;
 	}

-	/* init object */
-	if (!(obj = OPENSSL_zalloc(sizeof(*obj)))) {
+	if (!(obj = OPENSSL_zalloc(sizeof(*obj)))
+		|| !(obj->pucContainerName = OPENSSL_memdup(pucContainerName, uiContainerLen))
+		|| !(obj->pucIV = OPENSSL_memdup(pucIV, uiIVLen))) {
 		SAFerr(SAF_F_SAF_CREATESYMMKEYOBJ, ERR_R_MALLOC_FAILURE);
 		goto end;
 	}

-	memcpy(obj->container, pucContainerName, uiContainerLen);
-	obj->containerlen = uiContainerLen;
-	memcpy(obj->iv, pucIV, uiIVLen);
-	obj->ivlen = uiIVLen;
-	obj->enc = uiEncOrDec;
-	obj->algor = uiCryptoAlgID;
+	obj->app = (SAF_APP *)hAppHandle;
+	obj->uiContainerLen = uiContainerLen;
+	obj->uiIVLen = uiIVLen;
+	obj->uiEncOrDec = uiEncOrDec;
+	obj->uiCryptoAlgID = uiCryptoAlgID;

 	/* set output */
 	*phSymmKeyObj = obj;
@@ -109,7 +109,8 @@ int SAF_DestroySymmAlgoObj(
 {
 	SAF_SYMMKEYOBJ *obj = (SAF_SYMMKEYOBJ *)hSymmKeyObj;
 	if (obj) {
-		OPENSSL_cleanse(obj, sizeof(*obj));
+		OPENSSL_free(obj->pucContainerName);
+		OPENSSL_free(obj->pucIV);
 		OPENSSL_free(obj);
 	}
 	return SAR_OK;
--- a/include/openssl/gmsaf.h
+++ b/include/openssl/gmsaf.h
@@ -80,51 +80,57 @@ int ERR_load_SAF_strings(void);
 # define SAF_F_SAF_BASE64_ENCODE                          104
 # define SAF_F_SAF_BASE64_ENCODEFINAL                     105
 # define SAF_F_SAF_BASE64_ENCODEUPDATE                    106
-# define SAF_F_SAF_CHANGEPIN                              123
-# define SAF_F_SAF_CREATESYMMKEYOBJ                       107
-# define SAF_F_SAF_ECCPUBLICKEYENC                        108
-# define SAF_F_SAF_ECCPUBLICKEYENCBYCERT                  109
-# define SAF_F_SAF_ECCSIGN                                110
-# define SAF_F_SAF_ECCVERIFYSIGN                          111
-# define SAF_F_SAF_ECCVERIFYSIGNBYCERT                    112
-# define SAF_F_SAF_GENECCKEYPAIR                          113
-# define SAF_F_SAF_GENERATEAGREEMENTDATAWITHECC           114
-# define SAF_F_SAF_GENERATEKEYWITHECC                     115
-# define SAF_F_SAF_GENERATEKEYWITHEPK                     124
-# define SAF_F_SAF_GENRANDOM                              125
-# define SAF_F_SAF_GETECCPUBLICKEY                        116
-# define SAF_F_SAF_GETVERSION                             126
-# define SAF_F_SAF_IMPORTENCEDKEY                         127
-# define SAF_F_SAF_INITIALIZE                             128
-# define SAF_F_SAF_LOGIN                                  129
-# define SAF_F_SAF_LOGOUT                                 130
-# define SAF_F_SAF_MACFINAL                               117
-# define SAF_F_SAF_MACUPDATE                              118
-# define SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA               119
-# define SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA               120
-# define SAF_F_SAF_SYMMDECRYPTUPDATE                      121
-# define SAF_F_SAF_SYMMENCRYPTUPDATE                      122
+# define SAF_F_SAF_CHANGEPIN                              107
+# define SAF_F_SAF_CREATESYMMKEYOBJ                       108
+# define SAF_F_SAF_ECCPUBLICKEYENC                        109
+# define SAF_F_SAF_ECCPUBLICKEYENCBYCERT                  110
+# define SAF_F_SAF_ECCSIGN                                111
+# define SAF_F_SAF_ECCVERIFYSIGN                          112
+# define SAF_F_SAF_ECCVERIFYSIGNBYCERT                    113
+# define SAF_F_SAF_GENECCKEYPAIR                          114
+# define SAF_F_SAF_GENERATEKEYWITHEPK                     115
+# define SAF_F_SAF_GENRANDOM                              116
+# define SAF_F_SAF_GENRSAKEYPAIR                          117
+# define SAF_F_SAF_GETECCPUBLICKEY                        118
+# define SAF_F_SAF_GETRSAPUBLICKEY                        119
+# define SAF_F_SAF_GETVERSION                             120
+# define SAF_F_SAF_IMPORTENCEDKEY                         121
+# define SAF_F_SAF_INITIALIZE                             122
+# define SAF_F_SAF_LOGIN                                  123
+# define SAF_F_SAF_LOGOUT                                 124
+# define SAF_F_SAF_MACFINAL                               125
+# define SAF_F_SAF_MACUPDATE                              126
+# define SAF_F_SAF_PKCS7_ENCODEENVELOPEDDATA              127
+# define SAF_F_SAF_RSASIGN                                128
+# define SAF_F_SAF_RSAVERIFYSIGN                          129
+# define SAF_F_SAF_SYMMDECRYPTFINAL                       133
+# define SAF_F_SAF_SYMMDECRYPTUPDATE                      130
+# define SAF_F_SAF_SYMMENCRYPTFINAL                       134
+# define SAF_F_SAF_SYMMENCRYPTUPDATE                      131
+# define SAF_F_SAF_VERIFYSIGNBYCERT                       132

 /* Reason codes. */
 # define SAF_R_BUFFER_TOO_SMALL                           100
-# define SAF_R_CBCMAC_FAILURE                             101
-# define SAF_R_CMAC_FAILURE                               115
-# define SAF_R_ENCRYPT_KEY_FAILURE                        116
-# define SAF_R_GEN_RANDOM                                 102
-# define SAF_R_GEN_RANDOM_FAILURE                         117
-# define SAF_R_INT_OVERFLOW                               103
-# define SAF_R_INVALID_ALGOR                              104
-# define SAF_R_INVALID_CONTEXT                            105
-# define SAF_R_INVALID_DIGEST_ALGOR                       106
-# define SAF_R_INVALID_HANDLE                             107
-# define SAF_R_INVALID_INPUT_LENGTH                       108
-# define SAF_R_INVALID_KEY_LENGTH                         109
-# define SAF_R_INVALID_KEY_USAGE                          110
-# define SAF_R_INVALID_LENGTH                             111
-# define SAF_R_MAC_FAILURE                                112
-# define SAF_R_NOT_SUPPORTED                              118
-# define SAF_R_OPERATION_NOT_INITIALIZED                  113
-# define SAF_R_SAF_ERROR                                  114
+# define SAF_R_CMAC_FAILURE                               101
+# define SAF_R_DECRYPT_NOT_INITIALIZED                    118
+# define SAF_R_ENCRYPT_KEY_FAILURE                        102
+# define SAF_R_ENCRYPT_NOT_INITIALIED                     119
+# define SAF_R_GEN_RANDOM                                 103
+# define SAF_R_GEN_RANDOM_FAILURE                         104
+# define SAF_R_INT_OVERFLOW                               105
+# define SAF_R_INVALID_ALGOR                              106
+# define SAF_R_INVALID_CERTIFICATE                        107
+# define SAF_R_INVALID_CONTEXT                            108
+# define SAF_R_INVALID_HANDLE                             109
+# define SAF_R_INVALID_INPUT_LENGTH                       110
+# define SAF_R_INVALID_KEY_HANDLE                         120
+# define SAF_R_INVALID_KEY_LENGTH                         111
+# define SAF_R_INVALID_KEY_USAGE                          112
+# define SAF_R_INVALID_LENGTH                             113
+# define SAF_R_MAC_FAILURE                                114
+# define SAF_R_NOT_SUPPORTED                              115
+# define SAF_R_OPERATION_NOT_INITIALIZED                  116
+# define SAF_R_UNSUPPORTED_ALGOR                          117

 # ifdef  __cplusplus
 }
--- a/include/openssl/saf.h
+++ b/include/openssl/saf.h
@@ -334,7 +334,7 @@ int SAF_GenRsaKeyPair(
 	unsigned int uiKeyUsage,
 	unsigned int uiExportFlag);

-int SAF_GetPublicKey(
+int SAF_GetRsaPublicKey(
 	void *hAppHandle,
 	unsigned char *pucContainerName,
 	unsigned int uiContainerNameLen,