update saf

2026-05-24 01:06:33 +08:00 · 2017-03-03 22:24:12 +08:00
parent df18c19abc
commit 67eda02ef2
13 changed files with 860 additions and 64 deletions
--- a/crypto/saf/saf_cert.c
+++ b/crypto/saf/saf_cert.c
@@ -51,6 +51,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <openssl/evp.h>
+#include <openssl/pem.h>
 #include <openssl/conf.h>
 #include <openssl/gmsaf.h>
 #include "saf_lcl.h"
@@ -82,7 +83,7 @@ int SAF_AddTrustedRootCaCertificate(
 		goto end;
 	}

-	if (!(x509 = d2i_X509(NULL, &pucCertificate, uiCertificateLen))) {
+	if (!(x509 = d2i_X509(NULL, (const unsigned char **)&pucCertificate, uiCertificateLen))) {
 		SAFerr(SAF_F_SAF_ADDTRUSTEDROOTCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
 		goto end;
 	}
@@ -162,7 +163,7 @@ int SAF_GetRootCaCertificate(
 		goto end;
 	}

-	if ((len = i2d_X509(x509, pucCertificate)) <= 0) {
+	if ((len = i2d_X509(x509, &pucCertificate)) <= 0) {
 		SAFerr(SAF_F_SAF_GETROOTCACERTIFICATE, ERR_R_X509_LIB);
 		goto end;
 	}
@@ -248,7 +249,7 @@ int SAF_AddCaCertificate(
 		goto end;
 	}

-	if (!(x509 = d2i_X509(NULL, &pucCertificate, uiCertificateLen))) {
+	if (!(x509 = d2i_X509(NULL, (const unsigned char **)&pucCertificate, uiCertificateLen))) {
 		SAFerr(SAF_F_SAF_ADDCACERTIFICATE, SAF_R_LOAD_CERTS_FAILURE);
 		goto end;
 	}
@@ -327,7 +328,7 @@ int SAF_GetCaCertificate(
 		goto end;
 	}

-	if ((len = i2d_X509(x509, pucCertificate)) <= 0) {
+	if ((len = i2d_X509(x509, &pucCertificate)) <= 0) {
 		SAFerr(SAF_F_SAF_GETCACERTIFICATE, ERR_R_X509_LIB);
 		goto end;
 	}
@@ -393,8 +394,6 @@ int SAF_AddCrl(
 	unsigned char *pucDerCrl,
 	unsigned int uiDerCrlLen)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -404,8 +403,6 @@ int SAF_VerifyCertificate(
 	unsigned char *pucUsrCertificate,
 	unsigned int uiUsrCertificateLen)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -417,8 +414,6 @@ int SAF_VerifyCertificateByCrl(
 	unsigned char *pucDerCrl,
 	unsigned int uiDerCrlLen)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -445,8 +440,6 @@ int SAF_GetCertFromLdap(
 	unsigned char *pucOutCert,
 	unsigned int *puiOutCertLen)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -472,8 +465,6 @@ int SAF_GetCertificateInfo(
 	unsigned char *pucInfo,
 	unsigned int *puiInfoLen)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -488,8 +479,6 @@ int SAF_GetExtTypeInfo(
 	unsigned char *pucInfo,
 	unsigned int *puiInfoLen)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -498,8 +487,6 @@ int SAF_EnumCertificates(
 	void *hAppHandle,
 	SGD_USR_CERT_ENUMLIST *usrCerts)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -508,8 +495,6 @@ int SAF_EnumKeyContainerInfo(
 	void *hAppHandle,
 	SGD_KEYCONTAINERINFO_ENUMLIST *keyContainerInfo)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -518,8 +503,6 @@ int SAF_EnumCertificatesFree(
 	void *hAppHandle,
 	SGD_USR_CERT_ENUMLIST *usrCerts)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }

@@ -528,7 +511,5 @@ int SAF_EnumKeyContainerInfoFree(
 	void *hAppHandle,
 	SGD_KEYCONTAINERINFO_ENUMLIST *keyContainerInfo)
 {
-	int ret = SAR_UnknownErr;
-	SAF_APP *app = (SAF_APP *)hAppHandle;
 	return SAR_NotSupportYetErr;
 }
--- a/crypto/saf/saf_err.c
+++ b/crypto/saf/saf_err.c
@@ -60,8 +60,12 @@ static ERR_STRING_DATA SAF_str_functs[] = {
    {ERR_FUNC(SAF_F_SAF_LOGOUT), "SAF_Logout"},
    {ERR_FUNC(SAF_F_SAF_MACFINAL), "SAF_MacFinal"},
    {ERR_FUNC(SAF_F_SAF_MACUPDATE), "SAF_MacUpdate"},
+    {ERR_FUNC(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA),
+     "SAF_Pkcs7_EncodeDigestedData"},
    {ERR_FUNC(SAF_F_SAF_PKCS7_ENCODEENVELOPEDDATA),
     "SAF_Pkcs7_EncodeEnvelopedData"},
+    {ERR_FUNC(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA),
+     "SAF_Pkcs7_EncodeSignedData"},
    {ERR_FUNC(SAF_F_SAF_REMOVECACERTIFICATE), "SAF_RemoveCaCertificate"},
    {ERR_FUNC(SAF_F_SAF_REMOVEROOTCACERTIFICATE),
     "SAF_RemoveRootCaCertificate"},
@@ -86,6 +90,7 @@ static ERR_STRING_DATA SAF_str_reasons[] = {
    {ERR_REASON(SAF_R_INT_OVERFLOW), "int overflow"},
    {ERR_REASON(SAF_R_INVALID_ALGOR), "invalid algor"},
    {ERR_REASON(SAF_R_INVALID_CERTIFICATE), "invalid certificate"},
+    {ERR_REASON(SAF_R_INVALID_DIGEST_ALGOR), "invalid digest algor"},
    {ERR_REASON(SAF_R_INVALID_HANDLE), "invalid handle"},
    {ERR_REASON(SAF_R_INVALID_INDEX), "invalid index"},
    {ERR_REASON(SAF_R_INVALID_INPUT_LENGTH), "invalid input length"},
@@ -95,6 +100,7 @@ static ERR_STRING_DATA SAF_str_reasons[] = {
    {ERR_REASON(SAF_R_INVALID_LENGTH), "invalid length"},
    {ERR_REASON(SAF_R_INVALID_PUBLIC_KEY), "invalid public key"},
    {ERR_REASON(SAF_R_LOAD_CERTS_FAILURE), "load certs failure"},
+    {ERR_REASON(SAF_R_LOAD_KEY_FAILURE), "load key failure"},
    {ERR_REASON(SAF_R_MAC_FAILURE), "mac failure"},
    {ERR_REASON(SAF_R_NOT_SUPPORTED), "not supported"},
    {ERR_REASON(SAF_R_OPERATION_NOT_INITIALIZED),
--- a/crypto/saf/saf_keyhandle.c
+++ b/crypto/saf/saf_keyhandle.c
@@ -86,7 +86,7 @@ int SAF_GenerateKeyWithEPK(
 	outlen = (size_t)*puiSymmKeyLen;
 	if (!(cipher = EVP_get_cipherbysgd(obj->uiCryptoAlgID))
 		|| !RAND_bytes(keybuf, EVP_CIPHER_key_length(cipher))
-		|| !(pkey = d2i_PUBKEY(NULL, &pucPublicKey, (long)uiPublicKeyLen))
+		|| !(pkey = d2i_PUBKEY(NULL, (const unsigned char **)&pucPublicKey, (long)uiPublicKeyLen))
 		|| !(pkctx = EVP_PKEY_CTX_new(pkey, NULL))
 		|| !EVP_PKEY_encrypt_init(pkctx)
 		|| !EVP_PKEY_encrypt(pkctx, pucSymmKey, &outlen, keybuf, (size_t)EVP_CIPHER_key_length(cipher))) {
--- a/crypto/saf/saf_lib.c
+++ b/crypto/saf/saf_lib.c
@@ -55,3 +55,4 @@ static int readfile(const char *file, unsigned char **pout, size_t *len)
 	return SAR_Ok;
 }

+
--- a/crypto/saf/saf_pkcs7.c
+++ b/crypto/saf/saf_pkcs7.c
@@ -58,18 +58,29 @@ int SAF_Pkcs7_EncodeData(
 	void *hAppHandle,
 	unsigned char *pucSignContainerName,
 	unsigned int uiSignContainerNameLen,
-	unsigned int uiSignKeyUsage,
 	unsigned char *pucSignerCertificate,
 	unsigned int uiSignerCertificateLen,
 	unsigned int uiDigestAlgorithm,
 	unsigned char *pucEncCertificate,
 	unsigned int uiEncCertificateLen,
+	unsigned int uiSymmAlgorithm,
 	unsigned char *pucData,
 	unsigned int uiDataLen,
 	unsigned char *pucDerP7Data,
 	unsigned int *puiDerP7DataLen)
 {
 	int ret = SAR_UnknownErr;
+
+	STACK_OF(X509) *encerts = NULL;
+
+	p7 = PKCS7_encrypt(encerts, in, cipher, flags);
+
+	p7 = PKCS7_sign(NULL, NULL, other, in, flags);
+
+
+
+
+
 	return ret;
 }

@@ -82,6 +93,14 @@ int SAF_Pkcs7_DecodeData(
 	return ret;
 }

+EVP_PKEY *SAF_LoadPrivateKey(
+	void *hAppHandle,
+	unsigned char *pucSignContainerName,
+	unsigned int uiSignContainerNameLen)
+{
+	return NULL;
+}
+
 /* 7.4.4 */
 int SAF_Pkcs7_EncodeSignedData(
 	void *hAppHandle,
@@ -97,6 +116,64 @@ int SAF_Pkcs7_EncodeSignedData(
 	unsigned int *puiDerP7DataLen)
 {
 	int ret = SAR_UnknownErr;
+	EVP_PKEY *pkey = NULL;
+	X509 *x509 = NULL;
+	BIO *data = NULL;
+
+	if (!hAppHandle || !pucSignContainerName || !pucSignerCertificate
+		|| !pucData || !pucDerP7Data || !puiDerP7DataLen) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (uiSignContainerNameLen <= 0 || uiSignContainerNameLen > INT_MAX
+		|| uiSignerCertificateLen <= 0 || uiSignerCertificateLen > INT_MAX
+		|| uiDataLen <= 0 || uiDataLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!(pkey = SAF_LoadPrivateKey(
+		hAppHandle,
+		pucSignContainerName,
+		uiSignContainerNameLen))) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, SAF_R_LOAD_KEY_FAILURE);
+		goto end;
+	}
+
+	if (!(x509 = d2i_X509(NULL, &pucSignerCertificate, uiSignerCertificateLen))) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, ERR_R_X509_LIB);
+		goto end;
+	}
+
+	if (!(data = BIO_new_mem_buf(pucData, uiDataLen))) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, ERR_R_BIO_LIB);
+		goto end;
+	}
+
+	if (!(p7 = PKCS7_sign(x509, pkey, NULL, data, PKCS7_BINARY))) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, ERR_R_PKCS7_LIB);
+		goto end;
+	}
+
+	if (*puiDerP7DataLen < i2d_PKCS7(p7, NULL)) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, SAF_R_BUFFER_TOO_SMALL);
+		ret = SAR_IndataLenErr;
+		goto end;
+	}
+
+	if ((len = i2d_PKCS7(p7, &pucDerP7Data)) <= 0) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODESIGNEDDATA, ERR_R_PKCS7_LIB);
+		goto end;
+	}
+
+	*puiDerP7DataLen = len;
+	ret = SAR_Ok;
+
+end:
+	PKCS7_free(p7);
+	X509_free(x509);
+	BIO_free(data);
 	return ret;
 }

@@ -105,15 +182,46 @@ int SAF_Pkcs7_DecodeSignedData(
 	void *hAppHandle,
 	unsigned char *pucDerP7SignedData,
 	unsigned int uiDerP7SignedDataLen,
+	unsigned int *puiDigestAlgorithm,
 	unsigned char *pucSignerCertificate,
-	unsigned int uiSignerCertificateLen,
-	unsigned int uiDigestAlgorithm,
+	unsigned int *puiSignerCertificateLen,
 	unsigned char *pucData,
-	unsigned int uiDataLen,
-	unsigned char *pucSign,
-	unsigned int *puiSignLen)
+	unsigned int *puiDataLen,
+	unsigned char *pucSig,
+	unsigned int *puiSigLen)
 {
 	int ret = SAR_UnknownErr;
+	PKCS7 *p7 = NULL;
+	X509 *x509 = NULL;
+
+	p7 = d2i_PKCS7(NULL, &pucDerP7SignedData, uiDerP7SignedDataLen);
+
+	if (!PKCS7_type_is_signed(p7)) {
+		goto end;
+	}
+
+	PKCS7_SIGNED *p7signed = p7->d.sign;
+
+	X509_ALGOR *algor = sk_X509_ALGOR_value(p7signed->md_algs, 0);
+	const EVP_MD *md = EVP_get_digestbyobj(algor->algorithm);
+	*puiDigestAlgorithm = EVP_MD_sdg(md);
+
+	X509 *x509 = sk_X509_ALGOR_value(p7signed->cert);
+	PKCS7_SIGNER_INFO *signer_info = sk_PKCS7_SIGNER_INFO_value(p7signed->signer_info, 0);
+
+	PKCS7 *p7data = p7signed->contents;
+	if (!PKCS7_type_is_data(p7data)) {
+		goto end;
+	}
+	ASN1_OCTET_STRING *data = p7data->d.data;
+
+	*puiDataLen = ASN1_OCTET_STRING_length(data);
+	memcpy(pucData, ASN1_OCTET_STRING_get0_data(data), *puiDataLen);
+
+
+	PKCS7_verify(p7, NULL, chain_store, NULL, outbio, flags);
+
+
 	return ret;
 }

@@ -212,13 +320,64 @@ int SAF_Pkcs7_DecodeEnvelopedData(
 	void *hAppHandle,
 	unsigned char *pucDecContainerName,
 	unsigned int uiDecContainerNameLen,
-	unsigned int uiDecKeyUsage,
 	unsigned char *pucDerP7EnvelopedData,
 	unsigned int uiDerP7EnvelopedDataLen,
 	unsigned char *pucData,
 	unsigned int *puiDataLen)
 {
 	int ret = SAR_UnknownErr;
+	SAF_APP *app = (SAF_APP *)hAppHandle;
+	PKCS7 *p7 = NULL;
+	EVP_PKEY *pkey = NULL;
+	X509 *x509 = NULL;
+	BIO *bio = NULL;
+	BUF_MEM *buf = NULL;
+
+	if (!hAppHandle || !pucDecContainerName || !pucDerP7EnvelopedData || !pucData)
+		SAFerr(SAF_F_SAF_PKCS7_DECODEENVELOPEDDATA, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (uiDecContainerNameLen <= 0 || uiDecContainerNameLen > INT_MAX
+		|| uiDerP7EnvelopedDataLen <= 0 || uiDerP7EnvelopedDataLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEENVELOPEDDATA, SAR_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!pucData) {
+		*puiDataLen = uiDerP7EnvelopedDataLen;
+		return SAR_Ok;
+	} else if (*puiDataLen <= 0 || *puiDataLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEENVELOPEDDATA, SAR_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!(pkey = SAF_load_private_key(app, pucDecContainerName,
+		uiDecContainerNameLen, SGD_PK_ENC))) {
+	}
+
+	if (!(x509 = SAF_LoadCertificate(app, pucDecContainerName,
+		uiDecContainerNameLen, SGD_PK_ENC))) {
+	}
+
+	if (!(bio = BIO_new(BIO_s_membuf()))) {
+	}
+
+	if (!PKCS7_decrypt(p7, pkey, x509, bio, 0)) {
+	}
+
+	if (!BIO_get_mem_buf(bio, &buf)) {
+	}
+
+	memcpy(pucData, buf->data, buf->length);
+	*puiDataLen = buf->length;
+
+	ret = SAR_Ok;
+end:
+	PKCS7_free(p7);
+	EVP_PKEY_free(pkey);
+	X509_free(x509);
+	BIO_free(bio);
 	return ret;
 }

@@ -232,20 +391,154 @@ int SAF_Pkcs7_EncodeDigestedData(
 	unsigned int *puiDerP7DigestedDataLen)
 {
 	int ret = SAR_UnknownErr;
+	const EVP_MD *md;
+	PKCS7 *p7 = NULL;
+	BIO *p7bio = NULL;
+	int len;
+
+	if (!hAppHandle || !pucData || !pucDerP7DigestedData
+		|| !puiDerP7DigestedDataLen) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+	if (uiDataLen <= 0 || uiDataLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	if (!(md = EVP_get_digestbysgd(uiDigestAlgorithm))) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA, SAF_R_INVALID_DIGEST_ALGOR);
+		return SAR_AlgoTypeErr;
+	}
+
+	if (!(p7 = PKCS7_new())
+		|| !PKCS7_set_type(p7, NID_pkcs7_digest)
+		|| !PKCS7_set_digest(p7, md)
+		|| !PKCS7_content_new(p7, NID_pkcs7_data)
+		|| !(p7bio = PKCS7_dataInit(p7, NULL))
+		|| BIO_write(p7bio, pucData, (int)uiDataLen) != uiDataLen
+		|| !PKCS7_dataFinal(p7, p7bio)) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA, ERR_R_PKCS7_LIB);
+		goto end;
+	}
+
+	if (*puiDerP7DigestedDataLen < i2d_PKCS7(p7, NULL)) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA, SAF_R_BUFFER_TOO_SMALL);
+		ret = SAR_IndataLenErr;
+		goto end;
+	}
+
+	if ((len = i2d_PKCS7(p7, &pucDerP7DigestedData)) <= 0) {
+		SAFerr(SAF_F_SAF_PKCS7_ENCODEDIGESTEDDATA, ERR_R_PKCS7_LIB);
+		goto end;
+	}
+
+	ret = SAR_Ok;
+
+end:
+	PKCS7_free(p7);
+	BIO_free(p7bio);
 	return ret;
 }

 /* 7.4.9 */
 int SAF_Pkcs7_DecodeDigestedData(
 	void *hAppHandle,
-	unsigned int uiDigestAlgorithm,
-	unsigned char *pucDerP7DigestedData,
+	unsigned char pucDerP7DigestedData,
 	unsigned int uiDerP7DigestedDataLen,
+	unsigned int *puiDigestAlgorithm,
 	unsigned char *pucData,
-	unsigned int uiDataLen,
+	unsigned int *puiDataLen,
 	unsigned char *pucDigest,
 	unsigned int *puiDigestLen)
 {
 	int ret = SAR_UnknownErr;
+	PKCS7 *p7 = NULL;
+	PKCS7_DIGEST *p7dgst;
+	ASN1_OCTET_STRING *data;
+
+	if (!hAppHandle || !puiDigestAlgorithm || !puiDataLen || !puiDigestLen) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, ERR_R_PASSED_NULL_PARAMETER);
+		return SAR_IndataErr;
+	}
+
+	if (!pucData) {
+		*puiDataLen = uiDerP7DigestedDataLen;
+		return SAR_Ok;
+	}
+
+	if (!pucDigest) {
+		*puiDigestLen = EVP_MAX_MD_SIZE;
+		return SAR_Ok;
+	}
+
+	if (uiDerP7DigestedDataLen <= 0 || uiDerP7DigestedDataLen > INT_MAX
+		|| *puiDataLen <= 0 || *puiDataLen > INT_MAX
+		|| *puiDigestLen <= 0 || *puiDigestLen > INT_MAX) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAF_R_INVALID_INPUT_LENGTH);
+		return SAR_IndataLenErr;
+	}
+
+	/* process */
+	if (!(p7 = d2i_PKCS7(NULL, &pucDerP7DigestedData, uiDerP7DigestedDataLen))) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAF_R_INVALID_PKCS7);
+		ret = SAR_IndataErr;
+		goto end;
+	}
+
+	if (!PKCS7_type_is_digest(p7)) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAF_R_INVALID_PKCS7_TYPE;
+		ret = SAR_IndataErr;
+		goto end;
+	}
+	p7dgst = p7->d.digest;
+
+	/* output digset algor */
+	if ((*puiDigestAlgorithm = EVP_MD_sgd(
+		EVP_get_digestbyobj(p7dgst->md->algorithm))) <= 0) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAF_R_UNSUPPORTED_DIGEST_ALGOR;
+		ret = SAR_IndataErr;
+		goto end;
+	}
+
+	/* output digested data */
+	if (!PKCS7_type_is_data(p7dgst->contents)) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAR_R_INVALID_PKCS7_DATA);
+		ret = SAR_IndataErr;
+		goto end;
+	}
+
+	if (!(data = p7dgst->contents->d.data)) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAR_R_INVALID_PKCS7_DATA);
+		ret = SAR_IndataErr;
+		goto end;
+	}
+
+	if (*puiDataLen < ASN1_OCTET_STRING_length(data)) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAR_R_BUFFER_TOO_SMALL);
+		ret = SAR_IndataLenErr;
+		goto end;
+	}
+	memcpy(pucData, ASN1_OCTET_STRING_get0_data(data), ASN1_OCTET_STRING_length(data));
+	*puiDataLen = ASN1_OCTET_STRING_length(data);
+
+	/* output digest */
+	if (!p7dgst->digest) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAR_R_INVALID_PKCS7_DATA);
+		ret = SAR_IndataErr;
+		goto end;
+	}
+
+	if (*puiDigestLen < ASN1_OCTET_STRING_length(p7dgst->digest)) {
+		SAFerr(SAF_F_SAF_PKCS7_DECODEDIGESTEDDATA, SAR_R_BUFFER_TOO_SMALL);
+		ret = SAR_IndataLenErr;
+		goto end;
+	}
+	memcpy(pucDigest, ASN1_OCTET_STRING_get0_data(p7dgst->digest), ASN1_OCTET_STRING_length(p7dgst->digest));
+	*puiDigestLen = ASN1_OCTET_STRING_length(p7dgst->digest);
+
+	ret = SAR_Ok;
+end:
+	PKCS7_free(p7);
 	return ret;
 }
--- a/crypto/saf/saf_sm2.c
+++ b/crypto/saf/saf_sm2.c
@@ -57,7 +57,6 @@ int SAF_SM2_EncodeSignedAndEnvelopedData(
 	void *hAppHandle,
 	unsigned char *pucSignContainerName,
 	unsigned int uiSignContainerNameLen,
-	unsigned int uiSignKeyUsage,
 	unsigned char *pucSignerCertificate,
 	unsigned int uiSignerCertificateLen,
 	unsigned int uiDigestAlgorithm,
@@ -69,8 +68,20 @@ int SAF_SM2_EncodeSignedAndEnvelopedData(
 	unsigned char *pucDerSignedAndEnvelopedData,
 	unsigned int *puiDerSignedAndEnvelopedDataLen)
 {
-	int ret = SAR_UnknownErr;
-	return 0;
+	return SAF_Pkcs7_EncodeData(
+		hAppHandle,
+		pucSignContainerName,
+		uiSignContainerNameLen,
+		pucSignerCertificate,
+		uiSignerCertificateLen,
+		uiDigestAlgorithm,
+		pucEncCertificate,
+		uiEncCertificateLen,
+		uiSymmAlgorithm,
+		pucData,
+		uiDataLen,
+		pucDerSignedAndEnvelopedData,
+		puiDerSignedAndEnvelopedDataLen);
 }

 /* 7.4.11 */
@@ -78,16 +89,25 @@ int SAF_SM2_DecodeSignedAndEnvelopedData(
 	void *hAppHandle,
 	unsigned char *pucDerContainerName,
 	unsigned int uiDerContainerNameLen,
-	unsigned int uiDecKeyUsage,
 	unsigned char *pucDerSignedAndEnvelopedData,
 	unsigned int uiDerSignedAndEnvelopedDataLen,
 	unsigned char *pucData,
 	unsigned int *puiDataLen,
 	unsigned char *pucSignerCertificate,
 	unsigned int *puiSignerCertificateLen,
-	unsigned int *puiDigestAlgorithms)
+	unsigned int *puiDigestAlgorithm)
 {
-	return 0;
+	return SAF_Pkcs7_DecodeData(
+		hAppHandle,
+		pucDerContainerName,
+		uiDerContainerNameLen,
+		pucDerSignedAndEnvelopedData,
+		uiDerSignedAndEnvelopedDataLen,
+		pucData,
+		puiDataLen,
+		pucSignerCertificate,
+		puiSignerCertificateLen,
+		puiDigestAlgorithm);
 }

 /* 7.4.12 */
--- a/crypto/sof/sof_lib.c
+++ b/crypto/sof/sof_lib.c
@@ -54,6 +54,8 @@
 static long sof_sign_method = SGD_SM2;
 static long sof_enc_method = SGD_SM4_CBC;
 static long sof_last_error = SOR_OK;
+static void *sof_app = NULL;
+static int sof_user_type = SGD_USER;


 BSTR SOF_GetVersion(void)
@@ -97,11 +99,23 @@ BSTR SOF_ExportUserCert(BSTR ContainerName)
 	return NULL;
 }

-/* LOGIN CMD ? */
 BOOL SOF_Login(BSTR ContainerName, BSTR PassWd)
 {
-	SOFerr(SOF_F_SOF_LOGIN, SOF_R_NOT_IMPLEMENTED);
-	return NULL;
+	unsigned int uiRemainCount;
+
+	if ((rv = SAF_Login(
+		sof_app,
+		sof_user_type,
+		(unsigned char *)ContainerName,
+		(unsigned int)strlen(ContainerName),
+		(unsigned char *)PassWd,
+		(unsigned int)strlen(PassWd),
+		&uiRemainCount)) != SAR_Ok) {
+		SOFerr(SOF_F_SOF_LOGIN, ERR_R_SAF_LIB);
+		return FALSE;
+	}
+
+	return TRUE;
 }

 long SOF_GetPinRetryCount(BSTR ContainerName)
@@ -112,12 +126,30 @@ long SOF_GetPinRetryCount(BSTR ContainerName)

 BOOL SOF_ChangePassWd(BSTR ContainerName, BSTR OldPassWd, BSTR NewPassWd)
 {
-	SOFerr(SOF_F_SOF_CHANGEPASSWD, SOF_R_NOT_IMPLEMENTED);
-	return NULL;
+	int rv;
+	unsigned int uiRemainCount;
+
+	if ((rv = SAF_ChangePin(
+		sof_app,
+		sof_user_type,
+		(unsigned char *)ContainerName,
+		(unsigned int)strlen(ContainerName),
+		(unsigned char *)OldPassWd,
+		(unsigned int)strlen(OldPassWd),
+		(unsigned char *)NewPassWd,
+		(unsigned int)strlen(NewPassWd),
+		&uiRemainCount)) != SAR_Ok) {
+		SOFerr(SOF_F_SOF_CHANGEPASSWD, ERR_R_SAF_LIB);
+		return FALSE;
+	}
+
+	return TRUE;
 }

 BSTR SOF_ExportExchangeUserCert(BSTR ContainerName)
 {
+
+
 	SOFerr(SOF_F_SOF_EXPORTEXCHANGEUSERCERT, SOF_R_NOT_IMPLEMENTED);
 	return NULL;
 }
@@ -125,6 +157,40 @@ BSTR SOF_ExportExchangeUserCert(BSTR ContainerName)
 /* `type` defined as SGD_CERT_XXX, SGD_EXT_XXX in sgd.h */
 BSTR SOF_GetCertInfo(BSTR Base64EncodeCert, short Type)
 {
+	// decode x.509 in pem format
+
+	switch (Type) {
+	case SGD_CERT_VERSION:
+	case SGD_CERT_SERIAL:
+	case SGD_CERT_ISSUER:
+	case SGD_CERT_VALID_TIME:
+	case SGD_CERT_SUBJECT:
+	case SGD_CERT_DER_PUBLIC_KEY:
+	case SGD_CERT_DER_EXTENSIONS:
+	case SGD_EXT_AUTHORITYKEYIDENTIFIER_INFO:
+	case SGD_EXT_SUBJECTKEYIDENTIFIER_INFO:
+	case SGD_EXT_KEYUSAGE_INFO:
+	case SGD_EXT_PRIVATEKEYUSAGEPERIOD_INFO:
+	case SGD_EXT_CERTIFICATEPOLICIES_INFO:
+	case SGD_EXT_POLICYMAPPINGS_INFO:
+	case SGD_EXT_BASICCONSTRAINTS_INFO:
+	case SGD_EXT_POLICYCONSTRAINTS_INFO:
+	case SGD_EXT_EXTKEYUSAGE_INFO:
+	case SGD_EXT_CRLDISTRIBUTIONPOINTS_INFO:
+	case SGD_EXT_NETSCAPE_CERT_TYPE_INFO:
+	case SGD_EXT_SELFDEFINED_EXTENSION_INFO:
+	case SGD_CERT_ISSUER_CN:
+	case SGD_CERT_ISSUER_O:
+	case SGD_CERT_ISSUER_OU:
+	case SGD_CERT_SUBJECT_CN:
+	case SGD_CERT_SUBJECT_O:
+	case SGD_CERT_SUBJECT_OU:
+	case SGD_CERT_SUBJECT_EMAIL:
+	case SGD_CERT_NOTBEFORE_TIME:
+	case SGD_CERT_NOTAFTER_TIME:
+	default:
+	}
+
 	SOFerr(SOF_F_SOF_GETCERTINFO, SOF_R_NOT_IMPLEMENTED);
 	return NULL;
 }
@@ -147,11 +213,45 @@ long SOF_ValidateCert(BSTR Base64EncodeCert)
 	return 0;
 }

-/* PKCS #7 or CMS ? */
 BSTR SOF_SignData(BSTR ContainerName, BSTR InData)
 {
-	SOFerr(SOF_F_SOF_SIGNDATA, SOF_R_NOT_IMPLEMENTED);
-	return NULL;
+	char *ret = NULL;
+	char *b64 = NULL;
+	unsigned int uiHashAlgoType;
+	unsigned char *pucInData = NULL;
+	unsigned int uiInDataLen;
+	unsigned char pucSignature[256];
+	unsigned int uiSignatureLen = (unsigned int)sizeof(pucSignature);
+
+	if (SOF_Decode(InData, &pucInData, &uiInDataLen) != SOR_OK) {
+		SOFerr(SOF_F_SOF_SIGNDATA, SOF_R_DECODE_FAILURE);
+		goto end;
+	}
+
+	rv = SAF_RsaSign(
+		hAppHandle,
+		(unsigned char *)ContainerName,
+		(unsigned int)strlen(ContainerName),
+		uiHashAlgoType,
+		pucInData,
+		uiInDataLen,
+		pucSignature,
+		&uiSignatureLen);
+
+	rv = SAF_EccSign(
+		hAppHandle,
+		(unsigned char *)ContainerName,
+		(unsigned int)strlen(ContainerName),
+		uiHashAlgoType,
+		pucInData,
+		uiInDataLen,
+		pucSignature,
+		&uiSignatureLen);
+
+end:
+	OPENSSL_free(b64);
+	OPENSSL_free(pucInData);
+	return ret;
 }

 BOOL SOF_VerifySignedData(BSTR Base64EncodeCert, BSTR InData, BSTR SignValue)
@@ -162,20 +262,66 @@ BOOL SOF_VerifySignedData(BSTR Base64EncodeCert, BSTR InData, BSTR SignValue)

 BSTR SOF_SignFile(BSTR ContainerName, BSTR InFile)
 {
-	SOFerr(SOF_F_SOF_SIGNFILE, SOF_R_NOT_IMPLEMENTED);
-	return NULL;
+	BSTR ret;
+	unsigned char *pucInData = NULL;
+	unsigned int uiInDataLen;
+	unsigned char pucSignature[256];
+	unsigned int uiSignatureLen = (unsigned int)sizeof(pucSignature);
+
+	if (SOF_ReadFile(InFile, &pucInData, &uiInDataLen) != SOR_OK) {
+		SOFerr(SOF_F_SOF_SIGNFILE, SOF_R_READ_FILE_FAILURE);
+		return NULL;
+	}
+
+	if ((rv = SAF_EccSign(
+		hAppHandle,
+		(unsigned char *)ContainerName,
+		(unsigned int)strlen(ContainerName),
+		uiHashAlgoType,
+		pucInData,
+		uiInDataLen,
+		pucSignature,
+		&uiSignatureLen)) != SAR_Ok) {
+		SOFerr(SOF_F_SOF_SIGNFILE, ERR_R_SAF_LIB);
+		goto end;
+	}
+
+	if (!(b64 = SOF_Encode(pucSignature, uiSignatureLen))) {
+	}
+
+	ret = b64;
+	b64 = NULL;
+
+end:
+	OPENSSL_free(b64);
+	OPENSSL_free(pucInData);
+	return ret;
 }

 BOOL SOF_VerifySignedFile(BSTR Base64EncodeCert, BSTR InFile, BSTR SignValue)
 {
-	SOFerr(SOF_F_SOF_VERIFYSIGNEDFILE, SOF_R_NOT_IMPLEMENTED);
-	return 0;
 }

 BSTR SOF_EncryptData(BSTR Base64EncodeCert, BSTR InData)
 {
-	SOFerr(SOF_F_SOF_ENCRYPTDATA, SOF_R_NOT_IMPLEMENTED);
-	return NULL;
+	char *ret = NULL;
+	unsigned char *pucCertificate = NULL;
+	unsigned int uiCertificateLen;
+	unsigned char *pucInData = NULL;
+	unsigned int uiInDataLen;
+
+	if (SOF_Decode(Base64EncodeCert, &pucCertificate, &uiCertificateLen) != SOR_OK
+		|| SOF_Decode(InData, &pucInData, &uiInDataLen) != SOR_OK
+		|| (rv = SAF_EccPublicKeyEncByCert(
+			pucCertificate,
+			uiCertificateLen,
+			uiAlgorithmID,
+			pucInData,
+			uiInDataLen,
+			pucOutData,
+			puiOutDataLen)) != SAR_Ok) {
+	}
+
 }

 BSTR SOF_DecryptData(BSTR ContainerName, BSTR InData)
@@ -186,14 +332,40 @@ BSTR SOF_DecryptData(BSTR ContainerName, BSTR InData)

 BOOL SOF_EncryptFile(BSTR Base64EncodeCert, BSTR InFile, BSTR OutFile)
 {
-	SOFerr(SOF_F_SOF_ENCRYPTFILE, SOF_R_NOT_IMPLEMENTED);
-	return 0;
+	int ret = FALSE;
+	int rv;
+	unsigned char *pucCertificate = NULL;
+	unsigned int uiCertificateLen;
+
+	if (SOF_Decode(Base64EncodeCert, &pucCertificate, &uiCertificateLen) != SOR_OK) {
+		SOFerr(SOF_F_SOF_ENCRYPTFILE, SOF_R_DECODE_FAILURE);
+		goto end;
+	}
+
+	if ((rv = SAF_EccPublicKeyEncByCert(
+		pucCertificate,
+		uiCertificateLen,
+		uiAlgorithmID,
+		pucInData,
+		uiInDataLen,
+		pucOutData,
+		puiOutDataLen)) != SAR_Ok) {
+		SOFerr(SOF_F_SOF_ENCRYPTFILE, ERR_R_SAF_LIB);
+		goto end;
+	}
+
+	ret = TRUE;
+
+end:
+	OPENSSL_free(pucCertificate);
+	return ret;
 }

+
 BOOL SOF_DecryptFile(BSTR ContainerName, BSTR InFile, BSTR OutFile)
 {
-	SOFerr(SOF_F_SOF_DECRYPTFILE, SOF_R_NOT_IMPLEMENTED);
-	return 0;
+	int ret = FALSE;
+	int rv;
 }

 BSTR SOF_SignMessage(short flag, BSTR ContainerName, BSTR InData)
@@ -216,6 +388,15 @@ BSTR SOF_GetInfoFromSignedMessage(BSTR SignedMessage, short Type)

 BSTR SOF_SignDataXML(BSTR ContainerName, BSTR InData)
 {
+	int rv;
+	unsigned char outbuf[1024];
+
+	if ((rv = SAF_EccSignFile(
+		hAppHandle,
+		(unsigned char *)ContainerName,
+		(unsigned int)strlen(ContainerName),
+		sof_digest_method,
+
 	SOFerr(SOF_F_SOF_SIGNDATAXML, SOF_R_NOT_IMPLEMENTED);
 	return NULL;
 }
@@ -232,11 +413,27 @@ BSTR SOF_GetXMLSignatureInfo(BSTR XMLSignedData, short Type)
 	return NULL;
 }

-/* return base64 encoded data */
 BSTR SOF_GenRandom(short RandomLen)
 {
-	SOFerr(SOF_F_SOF_GENRANDOM, SOF_R_NOT_IMPLEMENTED);
-	return NULL;
+	int rv;
+	unsigned char *ret = NULL;
+	unsigned char *bin = NULL;
+	unsigned char *b64 = NULL;
+
+	if (!(bin = OPENSSL_malloc(RandomLen))
+		|| !(ret = OPENSSL_zalloc((RandomLen * 4)/3 + 128))
+		|| (rv = SAF_GenRandom(RandomLen, buf)) != SAR_Ok
+		|| (rv = SAF_Base64_Encode(buf, RandomLen, ret, &retlen)) != SAR_Ok) {
+		goto end;
+	}
+
+	ret = b64;
+	b64 = NULL;
+
+end:
+	OPENSSL_free(bin);
+	OPENSSL_free(b64);
+	return ret;
 }

 long SOF_GetLastError(void)