From 693a9eb4caeccf8f0554b668e44544c21b9a288f Mon Sep 17 00:00:00 2001
From: Zhi Guan <guanzhi1980@gmail.com>
Date: Sat, 7 May 2022 15:56:54 +0800
Subject: [PATCH] Update SDF and Demo

---
 .gitignore               |   10 -
 demos/sm3/CMakeLists.txt |    8 +
 demos/sm3/sm3demo.c      |   74 ++
 src/sdf.c                |  142 ++++
 src/sdf/sdf.c            |  244 ++++++
 src/sdf/sdf.h            |  503 +++++++++++++
 src/sdf/sdf_dummy.c      |  768 +++++++++++++++++++
 src/sdf/sdf_ext.c        |  309 ++++++++
 src/sdf/sdf_ext.h        |   92 +++
 src/sdf/sdf_int.h        |  459 ++++++++++++
 src/sdf/sdf_lib.c        | 1507 ++++++++++++++++++++++++++++++++++++++
 src/sdf/sdf_meth.c       |  143 ++++
 src/sdf/sdf_sansec.c     |  305 ++++++++
 src/sdf/sdf_sansec.h     |  192 +++++
 14 files changed, 4746 insertions(+), 10 deletions(-)
 create mode 100644 demos/sm3/CMakeLists.txt
 create mode 100644 demos/sm3/sm3demo.c
 create mode 100644 src/sdf.c
 create mode 100644 src/sdf/sdf.c
 create mode 100644 src/sdf/sdf.h
 create mode 100644 src/sdf/sdf_dummy.c
 create mode 100644 src/sdf/sdf_ext.c
 create mode 100644 src/sdf/sdf_ext.h
 create mode 100644 src/sdf/sdf_int.h
 create mode 100644 src/sdf/sdf_lib.c
 create mode 100644 src/sdf/sdf_meth.c
 create mode 100644 src/sdf/sdf_sansec.c
 create mode 100644 src/sdf/sdf_sansec.h

diff --git a/.gitignore b/.gitignore
index 4cb35b62..cd2c6f1b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -199,12 +199,6 @@ apps/gmca/.ca
 # gmtls
 /ssl/ssl_load.c
 
-# demos
-/demos
-/demos/kdf
-/demos/ssl
-/demos/otp
-/demos/sm9
 
 # engines
 /engines/e_skf*
@@ -212,10 +206,6 @@ apps/gmca/.ca
 /engines/sdf
 /engines/skf
 
-/sdf/*
-/skf/*
-/src/skf*
-/src/sdf*
 
 include/openssl/srp.h
 
diff --git a/demos/sm3/CMakeLists.txt b/demos/sm3/CMakeLists.txt
new file mode 100644
index 00000000..52b0c3f2
--- /dev/null
+++ b/demos/sm3/CMakeLists.txt
@@ -0,0 +1,8 @@
+cmake_minimum_required(VERSION 3.0)
+project(sm3demo)
+
+include_directories(/usr/local/include)
+link_directories(/usr/local/lib)
+
+add_executable(sm3demo sm3demo.c)
+target_link_libraries(sm3demo gmssl)
diff --git a/demos/sm3/sm3demo.c b/demos/sm3/sm3demo.c
new file mode 100644
index 00000000..226bb9dd
--- /dev/null
+++ b/demos/sm3/sm3demo.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/sm3.h>
+
+
+int main(int argc, char **argv)
+{
+	SM3_CTX sm3_ctx;
+	uint8_t buf[4096];
+	ssize_t len;
+	uint8_t dgst[32];
+	int i;
+
+	sm3_init(&sm3_ctx);
+	while ((len = fread(buf, 1, sizeof(buf), stdin)) > 0) {
+		sm3_update(&sm3_ctx, buf, len);
+	}
+	sm3_finish(&sm3_ctx, dgst);
+
+	for (i = 0; i < sizeof(dgst); i++) {
+		printf("%02x", dgst[i]);
+	}
+	printf("\n");
+	return 0;
+}
diff --git a/src/sdf.c b/src/sdf.c
new file mode 100644
index 00000000..80ee75d4
--- /dev/null
+++ b/src/sdf.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/sdf.h>
+#include <gmssl/error.h>
+
+
+/*
+typedef struct {
+	void *device_handle;
+	char device_issuer[41];
+	char device_name[17];
+	char device_serial[17];
+} SDF_DEVICE;
+
+typedef struct {
+	void *session_handle;
+	int key_index;
+	SM2_KEY public_key;
+} SDF_KEY;
+
+*/
+int sdf_open_device(SDF_DEVICE *dev)
+{
+	int ret = 0;
+	void *hDevice = NULL;
+	void *hSession = NULL;
+	DEVICEINFO devInfo = {{0}};
+
+	if (SDF_OpenDevice(&hDevice) != SDR_OK) {
+		error_print();
+		goto end;
+	}
+	if (SDF_OpenSession(hDevice, &hSession) != SDR_OK) {
+		error_print();
+		goto end;
+	}
+	if (SDF_GetDeviceInfo(hSession, &devInfo) != SDR_OK) {
+		error_print();
+		goto end;
+	}
+	SDF_PrintDeviceInfo(stdout, &devInfo);
+
+	sdf_session = hSession;
+	hSession = NULL;
+	sdf_dev = hDevice;
+	hDevice = NULL;
+	ret = 1;
+
+end:
+	if (hSession && SDF_CloseSession(hSession) != SDR_OK) {
+		ret = 0;
+	}
+	if (hDevice && SDF_CloseDevice(hDevice) != SDR_OK) {
+		ret = 0;
+	}
+	return ret;
+}
+
+int sdf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SDF_DEVICE *dev)
+{
+	error_print();
+	return -1;
+}
+
+int sdf_rand_bytes(SDF_DEVICE *dev, uint8_t *buf, size_t len)
+{
+	error_print();
+	return -1;
+}
+
+int sdf_load_key(SDF_DEVICE *dev, SDF_KEY *key, int index, const char *pass)
+{
+	error_print();
+	return -1;
+}
+
+int sdf_sign(SDF_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen)
+{
+	error_print();
+	return -1;
+}
+
+int sdf_release_key(SDF_KEY *key)
+{
+	error_print();
+	return -1;
+}
+
+int sdf_close_device(SDF_DEVICE *dev)
+{
+	error_print();
+	return -1;
+}
diff --git a/src/sdf/sdf.c b/src/sdf/sdf.c
new file mode 100644
index 00000000..4d3b35a6
--- /dev/null
+++ b/src/sdf/sdf.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/sdf.h>
+#include <gmssl/sm2.h>
+#include <gmssl/error.h>
+#include "sdf.h"
+#include "sdf_ext.h"
+
+
+static const uint8_t zeros[ECCref_MAX_LEN - 32] = {0};
+
+
+int SDF_ECCrefPublicKey_to_SM2_KEY(const ECCrefPublicKey *ref, SM2_KEY *sm2_key)
+{
+	if (ref->bits != 256) {
+		error_print();
+		return -1;
+	}
+	if (memcmp(ref->x, zeros, sizeof(zeros)) != 0
+		|| memcmp(ref->y, zeros, sizeof(zeros)) != 0) {
+		error_print();
+		return -1;
+	}
+	memset(sm2_key, 0, sizeof(SM2_KEY));
+	memcpy(sm2_key->public_key.x, ref->x + ECCref_MAX_LEN - 32, 32);
+	memcpy(sm2_key->public_key.y, ref->y + ECCref_MAX_LEN - 32, 32);
+	return 1;
+}
+
+int SDF_ECCSignature_to_SM2_SIGNATURE(const ECCSignature *ref, SM2_SIGNATURE *sig)
+{
+	memset(sig, 0, sizeof(SM2_SIGNATURE));
+	memcpy(sig->r, ref->r + ECCref_MAX_LEN - 32, 32);
+	memcpy(sig->s, ref->s + ECCref_MAX_LEN - 32, 32);
+	return 1;
+}
+
+int sdf_load_library(const char *so_path, const char *vendor)
+{
+	if (SDF_LoadLibrary((char *)so_path, (char *)vendor) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+	return 1;
+}
+
+void sdf_unload_library(void)
+{
+	SDF_UnloadLibrary();
+}
+
+int sdf_open_device(SDF_DEVICE *dev)
+{
+	int ret = 0;
+	void *hDevice = NULL;
+	void *hSession = NULL;
+	DEVICEINFO devInfo = {{0}};
+
+	if (SDF_OpenDevice(&hDevice) != SDR_OK
+		|| SDF_OpenSession(hDevice, &hSession) != SDR_OK
+		|| SDF_GetDeviceInfo(hSession, &devInfo) != SDR_OK) {
+		error_print();
+		goto end;
+	}
+	SDF_PrintDeviceInfo(stdout, &devInfo);
+
+	memset(dev, 0, sizeof(SDF_DEVICE));
+	dev->handle = hDevice;
+	hDevice = NULL;
+	memcpy(dev->issuer, devInfo.IssuerName, 40);
+	memcpy(dev->name, devInfo.DeviceName, 16);
+	memcpy(dev->serial, devInfo.DeviceSerial, 16);
+	ret = 1;
+
+end:
+	if (hSession) SDF_CloseSession(hSession);
+	if (hDevice) SDF_CloseDevice(hDevice);
+	return ret;
+}
+
+int sdf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SDF_DEVICE *dev)
+{
+	void *hSession = NULL;
+	DEVICEINFO devInfo = {{0}};
+
+	if (SDF_OpenSession(dev->handle, hSession) != SDR_OK
+		|| SDF_GetDeviceInfo(hSession, &devInfo) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+	SDF_PrintDeviceInfo(fp, &devInfo);
+	SDF_CloseSession(&hSession);
+	return 1;
+}
+
+int sdf_rand_bytes(SDF_DEVICE *dev, uint8_t *buf, size_t len)
+{
+	int ret = -1;
+	void *hSession = NULL;
+
+	if (!dev || !buf || !len) {
+		error_print();
+		return -1;
+	}
+	if (!dev->handle) {
+		error_print();
+		return -1;
+	}
+	if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK
+		|| SDF_GenerateRandom(hSession, len, buf) != SDR_OK) {
+		error_print();
+		goto end;
+	}
+	ret = 1;
+end:
+	if (hSession) SDF_CloseSession(hSession);
+	return ret;
+}
+
+int sdf_load_key(SDF_DEVICE *dev, SDF_KEY *key, int index, const char *pass)
+{
+	int ret = -1;
+	void *hSession = NULL;
+	ECCrefPublicKey eccPublicKey;
+
+	if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK
+		|| SDF_ExportSignPublicKey_ECC(hSession, index, &eccPublicKey) != SDR_OK
+		|| SDF_ECCrefPublicKey_to_SM2_KEY(&eccPublicKey, &key->public_key) != SDR_OK
+		|| SDF_GetPrivateKeyAccessRight(hSession, index, (unsigned char *)pass, strlen(pass)) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+
+	memset(key, 0, sizeof(SDF_KEY));
+	key->session = hSession;
+	key->index = index;
+	hSession = NULL;
+	ret = 1;
+
+end:
+	if (hSession) SDF_CloseSession(hSession);
+	return ret;
+}
+
+
+int sdf_sign(SDF_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen)
+{
+	ECCSignature ecc_sig;
+	SM2_SIGNATURE sm2_sig;
+
+	if (!key || !dgst || !sig || !siglen) {
+		error_print();
+		return -1;
+	}
+	if (!key->session || key->index < 0) {
+		error_print();
+		return -1;
+	}
+	if (SDF_InternalSign_ECC(key->session, key->index, (unsigned char *)dgst, 32, &ecc_sig) != SDR_OK
+		|| SDF_ECCSignature_to_SM2_SIGNATURE(&ecc_sig, &sm2_sig) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+	*siglen = 0;
+	if (sm2_signature_to_der(&sm2_sig, &sig, siglen) != 1) {
+		error_print();
+		return -1;
+	}
+	return 1;
+}
+
+int sdf_release_key(SDF_KEY *key)
+{
+	if (SDF_ReleasePrivateKeyAccessRight(key->session, key->index) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+	if (SDF_CloseSession(key->session) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+
+	memset(key, 0, sizeof(SDF_KEY));
+	return 1;
+}
+
+int sdf_close_device(SDF_DEVICE *dev)
+{
+	if (SDF_CloseDevice(dev->handle) != SDR_OK) {
+		error_print();
+		return -1;
+	}
+	memset(dev, 0, sizeof(SDF_DEVICE));
+	return 1;
+}
diff --git a/src/sdf/sdf.h b/src/sdf/sdf.h
new file mode 100644
index 00000000..00b6e006
--- /dev/null
+++ b/src/sdf/sdf.h
@@ -0,0 +1,503 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * SDF API is a cryptographic API for PCI-E cards defined in standard
+ * GM/T 0018-2012: Interface Specifications of Cryptography Device Application
+ *
+ * Note: this header file follows the specification of GM/T 0018-2012. As we
+ * know, some vendors provide header files with some differences, especially
+ * the definations of data structures. So be sure to check the file provided by
+ * vendors and compare with this one.
+ *
+ * The implementations of SDF API from different vendors might have different
+ * behaviors on the same function. The comments in this file will show
+ * information and warnings on these issues. If the application developer use
+ * the GmSSL implementation, see `crypto/gmapi/sdf_lcl.h` for more information.
+ */
+
+#ifndef HEADER_SDF_H
+#define HEADER_SDF_H
+
+#include <stdio.h>
+#include "../sgd.h"
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+
+#pragma pack(1)
+typedef struct DeviceInfo_st {
+	unsigned char IssuerName[40];
+	unsigned char DeviceName[16];
+	unsigned char DeviceSerial[16];	/* 8-char date +
+					 * 3-char batch num +
+					 * 5-char serial num
+					 */
+	unsigned int DeviceVersion;
+	unsigned int StandardVersion;
+	unsigned int AsymAlgAbility[2];	/* AsymAlgAbility[0] = algors
+					 * AsymAlgAbility[1] = modulus lens
+					 */
+	unsigned int SymAlgAbility;
+	unsigned int HashAlgAbility;
+	unsigned int BufferSize;
+} DEVICEINFO;
+
+typedef struct RSArefPublicKey_st {
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+} RSArefPublicKey;
+
+typedef struct RSArefPrivateKey_st {
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+	unsigned char d[RSAref_MAX_LEN];
+	unsigned char prime[2][RSAref_MAX_PLEN];
+	unsigned char pexp[2][RSAref_MAX_PLEN];
+	unsigned char coef[RSAref_MAX_PLEN];
+} RSArefPrivateKey;
+
+typedef struct ECCrefPublicKey_st {
+	unsigned int bits;
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+} ECCrefPublicKey;
+
+typedef struct ECCrefPrivateKey_st {
+    unsigned int  bits;
+    unsigned char K[ECCref_MAX_LEN];
+} ECCrefPrivateKey;
+
+typedef struct ECCCipher_st {
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+	unsigned char M[32];
+	unsigned int L;
+	unsigned char C[1];
+} ECCCipher;
+
+typedef struct ECCSignature_st {
+	unsigned char r[ECCref_MAX_LEN];
+	unsigned char s[ECCref_MAX_LEN];
+} ECCSignature;
+
+typedef struct SDF_ENVELOPEDKEYBLOB {
+	unsigned long Version;
+	unsigned long ulSymmAlgID;
+	ECCCipher ECCCipehrBlob;
+	ECCrefPublicKey PubKey;
+	unsigned char cbEncryptedPrivKey[64];
+} EnvelopedKeyBlob, *PEnvelopedKeyBlob;
+#pragma pack()
+
+int SDF_OpenDevice(
+	void **phDeviceHandle);
+
+int SDF_CloseDevice(
+	void *hDeviceHandle);
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle);
+
+int SDF_CloseSession(
+	void *hSessionHandle);
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo);
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom);
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength);
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex);
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey);
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength);
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey);
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle);
+
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle);
+
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle);
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut);
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle);
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_InternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature);
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+int SDF_InternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiAlgID,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+int SDF_InternalDecrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiAlgID,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *uiDataLength);
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength);
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength);
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength);
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength);
+
+int SDF_HashFinal(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength);
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen, /* max 128-byte */
+	unsigned int uiFileSize);
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer);
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer);
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen);
+
+#define SDR_OK			0x0
+#define SDR_BASE		0x01000000
+#define SDR_UNKNOWERR		(SDR_BASE + 0x00000001)
+#define SDR_NOTSUPPORT		(SDR_BASE + 0x00000002)
+#define SDR_COMMFAIL		(SDR_BASE + 0x00000003)
+#define SDR_HARDFAIL		(SDR_BASE + 0x00000004)
+#define SDR_OPENDEVICE		(SDR_BASE + 0x00000005)
+#define SDR_OPENSESSION		(SDR_BASE + 0x00000006)
+#define SDR_PARDENY		(SDR_BASE + 0x00000007)
+#define SDR_KEYNOTEXIST		(SDR_BASE + 0x00000008)
+#define SDR_ALGNOTSUPPORT	(SDR_BASE + 0x00000009)
+#define SDR_ALGMODNOTSUPPORT	(SDR_BASE + 0x0000000A)
+#define SDR_PKOPERR		(SDR_BASE + 0x0000000B)
+#define SDR_SKOPERR		(SDR_BASE + 0x0000000C)
+#define SDR_SIGNERR		(SDR_BASE + 0x0000000D)
+#define SDR_VERIFYERR		(SDR_BASE + 0x0000000E)
+#define SDR_SYMOPERR		(SDR_BASE + 0x0000000F)
+#define SDR_STEPERR		(SDR_BASE + 0x00000010)
+#define SDR_FILESIZEERR		(SDR_BASE + 0x00000011)
+#define SDR_FILENOEXIST		(SDR_BASE + 0x00000012)
+#define SDR_FILEOFSERR		(SDR_BASE + 0x00000013)
+#define SDR_KEYTYPEERR		(SDR_BASE + 0x00000014)
+#define SDR_KEYERR		(SDR_BASE + 0x00000015)
+#define SDR_ENCDATAERR		(SDR_BASE + 0x00000016)
+#define SDR_RANDERR		(SDR_BASE + 0x00000017)
+#define SDR_PRKRERR		(SDR_BASE + 0x00000018)
+#define SDR_MACERR		(SDR_BASE + 0x00000019)
+#define SDR_FILEEXSITS		(SDR_BASE + 0x0000001A)
+#define SDR_FILEWERR		(SDR_BASE + 0x0000001B)
+#define SDR_NOBUFFER		(SDR_BASE + 0x0000001C)
+#define SDR_INARGERR		(SDR_BASE + 0x0000001D)
+#define SDR_OUTARGERR		(SDR_BASE + 0x0000001E)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/src/sdf/sdf_dummy.c b/src/sdf/sdf_dummy.c
new file mode 100644
index 00000000..df9fce00
--- /dev/null
+++ b/src/sdf/sdf_dummy.c
@@ -0,0 +1,768 @@
+/* ====================================================================
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "../sgd.h"
+#include "sdf.h"
+
+static char *deviceHandle = "SDF Device Handle";
+static char *sessionHandle = "SDF Session Handle";
+static char *keyHandle = "SDF Key Handle";
+static char *agreementHandle = "SDF Agreement Handle";
+
+unsigned char rsaPublicKeyBuf[516] = {
+	0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xd5,0x43,0xbf,0x24,0xd2,0x69,0x56,0x21,0x20,0x57,0x8a,0xd8,
+	0x67,0x4f,0xbd,0xd5,0xf5,0x3a,0xf5,0x9e,0xa5,0x87,0x52,0x39,0x47,0xc3,0xce,0x32,
+	0x56,0xb6,0x06,0x2d,0xdc,0x8d,0xc2,0x18,0x53,0x5c,0xb0,0xcb,0xb6,0xe8,0x7c,0x82,
+	0x97,0x38,0xbb,0x85,0x45,0x2e,0xc8,0x24,0x08,0x96,0x9e,0xb0,0x00,0xaf,0xd9,0xa7,
+	0x1f,0x50,0x7f,0xc4,0x93,0x14,0x74,0x9a,0x43,0x8e,0x04,0x95,0xa0,0xd6,0xd9,0xdd,
+	0xb4,0x97,0xb3,0x52,0x93,0xe4,0xbe,0xd1,0x1f,0x8c,0xf9,0xcd,0xe1,0xae,0x54,0xae,
+	0x72,0xdf,0x94,0xe3,0x15,0x6a,0x5c,0x99,0xd6,0x80,0x46,0x94,0xad,0xb3,0x76,0x95,
+	0x4e,0x14,0x8f,0x8f,0xe5,0x55,0xf1,0x3f,0xd0,0xd3,0x96,0x01,0xf6,0x94,0x3e,0x61,
+	0xc1,0x8e,0xb3,0x89,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x01,0x00,0x01,};
+unsigned char rsaPrivateKeyBuf[1412] = {
+	0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xd5,0x43,0xbf,0x24,0xd2,0x69,0x56,0x21,0x20,0x57,0x8a,0xd8,
+	0x67,0x4f,0xbd,0xd5,0xf5,0x3a,0xf5,0x9e,0xa5,0x87,0x52,0x39,0x47,0xc3,0xce,0x32,
+	0x56,0xb6,0x06,0x2d,0xdc,0x8d,0xc2,0x18,0x53,0x5c,0xb0,0xcb,0xb6,0xe8,0x7c,0x82,
+	0x97,0x38,0xbb,0x85,0x45,0x2e,0xc8,0x24,0x08,0x96,0x9e,0xb0,0x00,0xaf,0xd9,0xa7,
+	0x1f,0x50,0x7f,0xc4,0x93,0x14,0x74,0x9a,0x43,0x8e,0x04,0x95,0xa0,0xd6,0xd9,0xdd,
+	0xb4,0x97,0xb3,0x52,0x93,0xe4,0xbe,0xd1,0x1f,0x8c,0xf9,0xcd,0xe1,0xae,0x54,0xae,
+	0x72,0xdf,0x94,0xe3,0x15,0x6a,0x5c,0x99,0xd6,0x80,0x46,0x94,0xad,0xb3,0x76,0x95,
+	0x4e,0x14,0x8f,0x8f,0xe5,0x55,0xf1,0x3f,0xd0,0xd3,0x96,0x01,0xf6,0x94,0x3e,0x61,
+	0xc1,0x8e,0xb3,0x89,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x1e,0xd9,0x55,0xe4,0xf5,0xaa,0xd7,0x12,0xa3,0xa3,0x06,0x2a,
+	0x97,0x87,0x29,0x66,0xb1,0xba,0x7d,0x9d,0x1d,0x44,0x9d,0xd8,0x3b,0x51,0x4f,0x9a,
+	0x68,0x80,0x9c,0x14,0x36,0x3b,0x2b,0x40,0x69,0x8e,0x96,0xe4,0x60,0xe8,0xf0,0x59,
+	0xd3,0x96,0x19,0x4a,0x05,0xdf,0xe6,0x83,0x8f,0xda,0x79,0xc9,0xeb,0xcf,0x84,0x24,
+	0x70,0x9b,0x2c,0x5f,0xf7,0x56,0xe2,0xe0,0xc7,0xfb,0x67,0x92,0xd2,0xf6,0x59,0x19,
+	0xe9,0xdd,0xb4,0x54,0x52,0x0d,0xf8,0xda,0x64,0x67,0xe0,0xb9,0xe6,0x52,0x08,0xff,
+	0x28,0x06,0x89,0x5c,0x2b,0xd5,0x6e,0x21,0xe1,0x6d,0x1d,0xe3,0xf8,0x1e,0x0f,0x20,
+	0x9f,0x0a,0x60,0xd1,0xff,0x4e,0xa2,0x45,0xa1,0xee,0x96,0x90,0xc0,0xc4,0xa8,0x25,
+	0x5a,0xe8,0xe8,0xa1,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xf5,0xde,0x0d,0x0c,0xc5,0x03,0x53,0x44,0xfa,0x70,0xc7,0x44,
+	0x63,0xf8,0x57,0x7e,0x49,0x76,0xe4,0x7a,0x76,0x01,0x7d,0xda,0x65,0xaa,0x9d,0xbe,
+	0xfe,0x24,0x9b,0x48,0xf9,0xa8,0x18,0x42,0x47,0xf3,0x1a,0x1e,0x61,0xe9,0xb8,0xb3,
+	0x07,0xee,0xfd,0x83,0x2e,0xf2,0xf8,0xb9,0x1f,0x9a,0xee,0xeb,0x21,0xd0,0xc0,0x13,
+	0xa2,0x31,0x33,0xe7,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xde,0x0d,0xba,0xf3,0x62,0x8f,0x75,0x16,0xe6,0x87,0x72,0xba,
+	0x12,0x6a,0x43,0x5c,0xde,0x22,0x60,0xea,0xef,0x7a,0x7e,0xb6,0x28,0x16,0x4f,0xda,
+	0xe7,0xb8,0xfe,0x48,0x17,0x65,0x1a,0x73,0x38,0x98,0xdb,0xa2,0xda,0x50,0xc8,0x81,
+	0x53,0x07,0x1d,0x0e,0xa7,0x3f,0x48,0x57,0xea,0x5b,0x34,0x64,0x9f,0x0a,0x8b,0x36,
+	0x7e,0x08,0xef,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xa8,0xd9,0xe6,0x7c,0x6e,0x90,0xea,0x0e,0xe5,0x2f,0xae,0xa9,
+	0xf9,0x3e,0x04,0x58,0x66,0x7b,0x90,0x4d,0xc9,0xdd,0x1c,0x61,0x70,0x90,0xcb,0xe4,
+	0xef,0x04,0x94,0xe0,0x79,0x14,0x48,0x14,0xbc,0xf4,0xe7,0x6b,0x16,0x33,0x3c,0xf5,
+	0x36,0xed,0x9a,0x8d,0x0d,0x21,0x30,0x4f,0x72,0xb5,0x24,0x7f,0xb6,0xa9,0x76,0x40,
+	0x05,0x93,0x64,0xe1,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x85,0x35,0x31,0x68,0x9e,0x40,0xb7,0x1a,0x34,0xd3,0x1e,0x84,
+	0xf7,0x55,0x1d,0xf2,0x11,0x24,0x08,0x86,0x07,0x81,0xb1,0x8f,0xee,0xfe,0x6b,0x8b,
+	0x43,0xa5,0x5b,0x8d,0xbd,0xd3,0x1e,0x09,0xee,0xf2,0xec,0x17,0x86,0xe6,0x1d,0x52,
+	0x4f,0x8f,0x9d,0xe3,0xd3,0x7b,0x08,0x18,0x0d,0x74,0x07,0x3b,0x31,0x99,0x6e,0xa8,
+	0x12,0xf5,0xa3,0x0b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x23,0x60,0x23,0xc4,0x44,0x67,0x91,0xb7,0xde,0x06,0x9a,0x17,
+	0x49,0x3a,0x8e,0x66,0xb4,0x54,0x61,0x4b,0xc4,0x9e,0xf8,0xe6,0xbc,0xf8,0x87,0xef,
+	0x06,0xb5,0x40,0x4b,0xab,0xaf,0xf0,0xa0,0x46,0x43,0xc5,0xbd,0xec,0xff,0x57,0xfd,
+	0x51,0x8a,0x6b,0x7b,0x32,0xee,0xeb,0x2f,0x81,0xd0,0xa0,0xa2,0x09,0x18,0xab,0x5c,
+	0x85,0x1b,0x0f,0x57,};
+unsigned char eccPublicKeyBuf[132] = {
+	0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x0e,0x42,0x92,0x4a,0x1b,0x01,0xb6,0x64,0x89,0x97,0xfb,0x67,
+	0x3f,0xa5,0xa6,0xc4,0xc4,0x82,0xa2,0xfa,0xe6,0x96,0xc9,0x0a,0x37,0xf2,0x44,0x6c,
+	0xac,0x37,0x85,0x67,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xf8,0xbb,0x32,0x55,0xe2,0x47,0x34,0x9a,0xc9,0xb5,0xdb,0xc7,
+	0x17,0x4a,0xd9,0x84,0xbf,0xc5,0x3e,0x99,0x92,0xc6,0xd8,0x2d,0x6f,0xea,0xff,0x79,
+	0x6b,0xde,0x3d,0x37,};
+unsigned char eccPrivateKeyBuf[68] = {
+	0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xe6,0x51,0x2e,0xf8,0xca,0x14,0x84,0xa2,0xd9,0x76,0xc9,0x0d,
+	0x37,0x1d,0xf1,0x95,0x49,0xbe,0x83,0x8e,0x70,0x09,0x1d,0x81,0xbd,0x6e,0xd9,0x5c,
+	0xad,0x02,0x19,0x44,};
+
+
+#define SDF_TRACE() fprintf(stderr, "SDF_Dummy->%s\n", __FUNCTION__)
+
+int SDF_OpenDevice(
+	void **phDeviceHandle)
+{
+	if (!phDeviceHandle /* || !(*phDeviceHandle) */)
+		return SDR_INARGERR;
+
+	*phDeviceHandle = deviceHandle;
+	return SDR_OK;
+}
+
+int SDF_CloseDevice(
+	void *hDeviceHandle)
+{
+	return SDR_OK;
+}
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle)
+{
+	if (!phSessionHandle  /* || !(*phSessionHandle) */)
+		return SDR_INARGERR;
+	*phSessionHandle = sessionHandle;
+	return SDR_OK;
+}
+
+int SDF_CloseSession(
+	void *hSessionHandle)
+{
+	return SDR_OK;
+}
+
+#define SDF_DEV_DATE		"20140101"
+#define SDF_DEV_BATCH_NUM	"001"
+#define SDF_DEV_SERIAL_NUM	"00123"
+#define SDF_DEV_SERIAL		SDF_DEV_DATE \
+				SDF_DEV_BATCH_NUM \
+				SDF_DEV_SERIAL_NUM
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo)
+{
+	if (!pstDeviceInfo)
+		return SDR_INARGERR;
+	memset(pstDeviceInfo, 0, sizeof(*pstDeviceInfo));
+	strncpy((char *)pstDeviceInfo->IssuerName, "GmSSL Project (http://gmssl.org)",
+		sizeof(pstDeviceInfo->IssuerName));
+	strncpy((char *)pstDeviceInfo->DeviceName, "Dummy SDF",
+		sizeof(pstDeviceInfo->DeviceName));
+	strncpy((char *)pstDeviceInfo->DeviceSerial, SDF_DEV_SERIAL,
+		sizeof(pstDeviceInfo->DeviceSerial));
+	pstDeviceInfo->DeviceVersion = 1;
+	pstDeviceInfo->StandardVersion = 1;
+	pstDeviceInfo->AsymAlgAbility[0] = SGD_RSA_SIGN|SGD_RSA_ENC|
+		SGD_SM2_1|SGD_SM2_2|SGD_SM2_3;
+	pstDeviceInfo->AsymAlgAbility[1] = 256|512|1024|2048|4096;
+	pstDeviceInfo->SymAlgAbility = SGD_SM1|SGD_SSF33|SGD_SM4|SGD_ZUC|
+		SGD_ECB|SGD_CBC|SGD_CFB|SGD_OFB|SGD_MAC;
+	pstDeviceInfo->HashAlgAbility = SGD_SM3|SGD_SHA1|SGD_SHA256;
+	pstDeviceInfo->BufferSize = 256*1024;
+	return SDR_OK;
+}
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom)
+{
+	return SDR_OK;
+}
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength)
+{
+	return SDR_OK;
+}
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex)
+{
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, rsaPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, rsaPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey)
+{
+	if (!pucPublicKey || !pucPrivateKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, rsaPublicKeyBuf, sizeof(*pucPublicKey));
+	memcpy(pucPrivateKey, rsaPrivateKeyBuf, sizeof(*pucPrivateKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	if (!puiKeyLength)
+		return SDR_INARGERR;
+	*puiKeyLength = 2048/8;
+	if (phKeyHandle && *phKeyHandle)
+		*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	if (!puiKeyLength)
+		return SDR_INARGERR;
+	*puiKeyLength = 2048/8;
+	if (phKeyHandle && *phKeyHandle)
+		*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength)
+{
+	if (!puiDELength)
+		return SDR_INARGERR;
+	*puiDELength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, eccPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, eccPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey)
+{
+	if (!pucPublicKey || !pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, eccPublicKeyBuf, sizeof(*pucPublicKey));
+	memcpy(pucPrivateKey, eccPrivateKeyBuf, sizeof(*pucPrivateKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+/* 6.3.14 */
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle)
+{
+	// any output public key ?
+	if (!phAgreementHandle || !(*phAgreementHandle))
+		return SDR_INARGERR;
+	*phAgreementHandle = agreementHandle;
+	return SDR_OK;
+}
+
+/* 6.3.15 */
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+/* 6.3.16 */
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle)
+{
+	// any output
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut)
+{
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle)
+{
+	return SDR_OK;
+}
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	if (!puiOutputLength)
+		return SDR_INARGERR;
+	*puiOutputLength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_ExternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPrivateKey *pucPrivateKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	if (!puiOutputLength)
+		return SDR_INARGERR;
+	*puiOutputLength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	if (!puiOutputLength)
+		return SDR_INARGERR;
+	*puiOutputLength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature)
+{
+	return SDR_OK;
+}
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	return SDR_OK;
+}
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	return SDR_OK;
+}
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData)
+{
+	if (!pucEncData)
+		return SDR_INARGERR;
+	pucEncData->L = uiDataLength;
+	return SDR_OK;
+}
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength)
+{
+	if (!puiEncDataLength)
+		return SDR_INARGERR;
+	*puiEncDataLength = uiDataLength;
+	return SDR_OK;
+}
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength)
+{
+	if (!puiDataLength)
+		return SDR_INARGERR;
+	*puiDataLength = uiEncDataLength;
+	return SDR_OK;
+}
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength)
+{
+	if (!puiMACLength)
+		return SDR_INARGERR;
+	*puiMACLength = 16; /* CBC-MAC length */
+	return SDR_OK;
+}
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength)
+{
+	return SDR_OK;
+}
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength)
+{
+	return SDR_OK;
+}
+
+int SDF_HashFinal(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength)
+{
+	if (!puiHashLength)
+		return SDR_INARGERR;
+	*puiHashLength = 32;
+	return SDR_OK;
+}
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiFileSize)
+{
+	return SDR_OK;
+}
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer)
+{
+	if (!puiReadLength)
+		return SDR_INARGERR;
+	return SDR_OK;
+}
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer)
+{
+	return SDR_OK;
+}
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen)
+{
+	return SDR_OK;
+}
diff --git a/src/sdf/sdf_ext.c b/src/sdf/sdf_ext.c
new file mode 100644
index 00000000..5fb75e23
--- /dev/null
+++ b/src/sdf/sdf_ext.c
@@ -0,0 +1,309 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <gmssl/error.h>
+#include "sdf_int.h"
+#include "sdf_sansec.h"
+
+
+#define SDFerr(a,b)
+
+
+typedef struct {
+	ULONG id;
+	char *name;
+} table_item_t;
+
+static table_item_t sdf_cipher_caps[] = {
+	{ SGD_SM1_ECB, "sm1-ecb" },
+	{ SGD_SM1_CBC, "sm1-cbc" },
+	{ SGD_SM1_CFB, "sm1-cfb" },
+	{ SGD_SM1_OFB, "sm1-ofb128" },
+	{ SGD_SM1_MAC, "cbcmac-sm1" },
+	{ SGD_SSF33_ECB, "ssf33-ecb" },
+	{ SGD_SSF33_CBC, "ssf33-cbc" },
+	{ SGD_SSF33_CFB, "ssf33-cfb" },
+	{ SGD_SSF33_OFB, "ssf33-ofb128" },
+	{ SGD_SSF33_MAC, "cbcmac-ssf33" },
+	{ SGD_SM4_ECB, "sms4-ecb" },
+	{ SGD_SM4_CBC, "sms4-cbc" },
+	{ SGD_SM4_CFB, "sms4-cfb" },
+	{ SGD_SM4_OFB, "sms4-ofb128" },
+	{ SGD_SM4_MAC, "cbcmac-sms4" },
+	{ SGD_ZUC_EEA3, "zuc_128eea3" },
+	{ SGD_ZUC_EIA3, "zuc_128eia3" }
+};
+
+static table_item_t sdf_digest_caps[] = {
+	{ SGD_SM3,  "sm3" },
+	{ SGD_SHA1, "sha1" },
+	{ SGD_SHA256, "sha256" },
+};
+
+static table_item_t sdf_pkey_caps[] = {
+	{ SGD_RSA_SIGN, "rsa" },
+	{ SGD_RSA_ENC, "rsaEncryption" },
+	{ SGD_SM2_1, "sm2sign" },
+	{ SGD_SM2_2, "sm2exchange" },
+	{ SGD_SM2_3, "sm2encrypt" }
+};
+
+int SDF_PrintDeviceInfo(FILE *out, DEVICEINFO *pstDeviceInfo)
+{
+	size_t i, n;
+	DEVICEINFO buf;
+	DEVICEINFO *devInfo = &buf;
+
+	memcpy(devInfo, pstDeviceInfo, sizeof(DEVICEINFO));
+	devInfo->IssuerName[39] = 0;
+	devInfo->DeviceName[15] = 0;
+	devInfo->DeviceSerial[15] = 0;
+
+	fprintf(out, "  %-18s : %s\n", "Device Name", devInfo->DeviceName);
+	fprintf(out, "  %-18s : %s\n", "Serial Number", devInfo->DeviceSerial);
+	fprintf(out, "  %-18s : %s\n", "Issuer", devInfo->IssuerName);
+	fprintf(out, "  %-18s : %u\n", "Hardware Version", devInfo->DeviceVersion);
+	fprintf(out, "  %-18s : %u\n", "Standard Version", devInfo->StandardVersion);
+	fprintf(out, "  %-18s : ", "Public Key Algors");
+	for (i = n = 0; i < sizeof(sdf_pkey_caps)/sizeof(sdf_pkey_caps[0]); i++) {
+		if ((devInfo->AsymAlgAbility[0] & sdf_pkey_caps[i].id) ==
+			sdf_pkey_caps[i].id) {
+			fprintf(out, "%s%s", n ? "," : "", sdf_pkey_caps[i].name);
+			n++;
+		}
+	}
+	fprintf(out, "\n");
+
+	fprintf(out, "  %-18s : ", "Ciphers");
+	for (i = n = 0; i < sizeof(sdf_cipher_caps)/sizeof(sdf_cipher_caps[0]); i++) {
+		if ((devInfo->SymAlgAbility & sdf_cipher_caps[i].id) ==
+			sdf_cipher_caps[i].id) {
+			fprintf(out, "%s%s", n ? "," : "", sdf_cipher_caps[i].name);
+			n++;
+		}
+	}
+	fprintf(out, "\n");
+
+	fprintf(out, "  %-18s : ", "Digests");
+	for (i = n = 0; i < sizeof(sdf_digest_caps)/sizeof(sdf_digest_caps[0]); i++) {
+		if ((devInfo->HashAlgAbility & sdf_digest_caps[i].id) ==
+			sdf_digest_caps[i].id) {
+			fprintf(out, "%s%s", n ? "," : "", sdf_digest_caps[i].name);
+			n++;
+		}
+	}
+	fprintf(out, "\n");
+	fprintf(out, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintRSAPublicKey(FILE *out, RSArefPublicKey *blob)
+{
+	(void)fprintf(out, "bits: %d\n", blob->bits);
+	(void)fprintf(out, "m:\n    ");
+	(void)format_bytes(out, 4, 16, "m", blob->m, sizeof(blob->m));
+	(void)fprintf(out, "\n");
+	(void)fprintf(out, "e:\n    ");
+	(void)format_bytes(out, 4, 16, "e", blob->e, sizeof(blob->e));
+	(void)fprintf(out, "\n");
+	return SDR_OK;
+}
+
+int SDF_PrintRSAPrivateKey(FILE *bio, RSArefPrivateKey *blob)
+{
+	(void)fprintf(bio, "bits: %d", blob->bits);
+	(void)format_bytes(bio, 4, 16, "m", blob->m, sizeof(blob->m));
+	(void)format_bytes(bio, 4, 16, "e", blob->e, sizeof(blob->e));
+	(void)format_bytes(bio, 4, 16, "d", blob->d, sizeof(blob->d));
+	(void)format_bytes(bio, 4, 16, "prime[0]", blob->prime[0], sizeof(blob->prime[0]));
+	(void)format_bytes(bio, 4, 16, "prime[1]", blob->prime[1], sizeof(blob->prime[1]));
+	(void)format_bytes(bio, 4, 16, "pexp[0]", blob->pexp[0], sizeof(blob->pexp[0]));
+	(void)format_bytes(bio, 4, 16, "pexp[1]", blob->pexp[1], sizeof(blob->pexp[1]));
+	(void)format_bytes(bio, 4, 16, "coef", blob->coef, sizeof(blob->coef));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCPublicKey(FILE *bio, ECCrefPublicKey *blob)
+{
+	(void)fprintf(bio, "bits: %d", blob->bits);
+	(void)format_bytes(bio, 4, 16, "x", blob->x, sizeof(blob->x));
+	(void)format_bytes(bio, 4, 16, "y", blob->y, sizeof(blob->y));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCPrivateKey(FILE *bio, ECCrefPrivateKey *blob)
+{
+	(void)fprintf(bio, "bits: %d", blob->bits);
+	(void)format_bytes(bio, 4, 16, "K", blob->K, sizeof(blob->K));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCCipher(FILE *bio, ECCCipher *blob)
+{
+	(void)format_bytes(bio, 4, 16, "x", blob->x, sizeof(blob->x));
+	(void)format_bytes(bio, 4, 16, "y", blob->y, sizeof(blob->y));
+	(void)format_bytes(bio, 4, 16, "M", blob->M, sizeof(blob->M));
+	(void)fprintf(bio, "\nL: %d", blob->L);
+	(void)format_bytes(bio, 4, 16, "C", blob->C, sizeof(blob->C));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCSignature(FILE *bio, ECCSignature *blob)
+{
+	(void)format_bytes(bio, 4, 16, "r", blob->r, sizeof(blob->r));
+	(void)format_bytes(bio, 4, 16, "s", blob->s, sizeof(blob->s));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_ImportKey(
+	void *hSessionHandle,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	(void)hSessionHandle;
+	(void)pucKey;
+	(void)uiKeyLength;
+	(void)phKeyHandle;
+	SDFerr(SDF_F_SDF_IMPORTKEY, SDF_R_NOT_IMPLEMENTED);
+	return SDR_NOTSUPPORT;
+}
+
+int SDF_NewECCCipher(ECCCipher **cipher, size_t ulDataLen)
+{
+	ECCCipher *ecc_cipher = NULL;
+	size_t len;
+
+	if (!cipher) {
+		SDFerr(SDF_F_SDF_NEWECCCIPHER, ERR_R_PASSED_NULL_PARAMETER);
+		return SDR_INARGERR;
+	}
+
+	if (!ulDataLen || ulDataLen > INT_MAX) {
+		SDFerr(SDF_F_SDF_NEWECCCIPHER,
+			SDF_R_INVALID_SM2_CIPHERTEXT_LENGTH);
+		return SDR_INARGERR;
+	}
+
+	len = sizeof(ECCCipher) - 1 + ulDataLen;
+	if (len < sizeof(SANSEC_ECCCipher)) {
+		len = sizeof(SANSEC_ECCCipher);
+	}
+
+	if (!(ecc_cipher = malloc(len))) {
+		SDFerr(SDF_F_SDF_NEWECCCIPHER, ERR_R_MALLOC_FAILURE);
+		return SDR_NOBUFFER;
+	}
+	memset(ecc_cipher, 0, sizeof(*ecc_cipher));
+
+	ecc_cipher->L = (unsigned int)ulDataLen;
+
+	*cipher = ecc_cipher;
+	return SDR_OK;
+}
+
+int SDF_FreeECCCipher(ECCCipher *cipher)
+{
+	free(cipher);
+	return SDR_OK;
+}
+
+const char *SDF_GetErrorReason(int err)
+{
+	switch (err) {
+	case SDR_OK: return "SDR_OK";
+	case SDR_BASE: return "SDR_BASE";
+	case SDR_UNKNOWERR: return "SDR_UNKNOWERR";
+	case SDR_NOTSUPPORT: return "SDR_NOTSUPPORT";
+	case SDR_COMMFAIL: return "SDR_COMMFAIL";
+	case SDR_HARDFAIL: return "SDR_HARDFAIL";
+	case SDR_OPENDEVICE: return "SDR_OPENDEVICE";
+	case SDR_OPENSESSION: return "SDR_OPENSESSION";
+	case SDR_PARDENY: return "SDR_PARDENY";
+	case SDR_KEYNOTEXIST: return "SDR_KEYNOTEXIST";
+	case SDR_ALGNOTSUPPORT: return "SDR_ALGNOTSUPPORT";
+	case SDR_ALGMODNOTSUPPORT: return "SDR_ALGMODNOTSUPPORT";
+	case SDR_PKOPERR: return "SDR_PKOPERR";
+	case SDR_SKOPERR: return "SDR_SKOPERR";
+	case SDR_SIGNERR: return "SDR_SIGNERR";
+	case SDR_VERIFYERR: return "SDR_VERIFYERR";
+	case SDR_SYMOPERR: return "SDR_SYMOPERR";
+	case SDR_STEPERR: return "SDR_STEPERR";
+	case SDR_FILESIZEERR: return "SDR_FILESIZEERR";
+	case SDR_FILENOEXIST: return "SDR_FILENOEXIST";
+	case SDR_FILEOFSERR: return "SDR_FILEOFSERR";
+	case SDR_KEYTYPEERR: return "SDR_KEYTYPEERR";
+	case SDR_KEYERR: return "SDR_KEYERR";
+	case SDR_ENCDATAERR: return "SDR_ENCDATAERR";
+	case SDR_RANDERR: return "SDR_RANDERR";
+	case SDR_PRKRERR: return "SDR_PRKRERR";
+	case SDR_MACERR: return "SDR_MACERR";
+	case SDR_FILEEXSITS: return "SDR_FILEEXSITS";
+	case SDR_FILEWERR: return "SDR_FILEWERR";
+	case SDR_NOBUFFER: return "SDR_NOBUFFER";
+	case SDR_INARGERR: return "SDR_INARGERR";
+	case SDR_OUTARGERR: return "SDR_OUTARGERR";
+	}
+	return "(unknown)";
+}
diff --git a/src/sdf/sdf_ext.h b/src/sdf/sdf_ext.h
new file mode 100644
index 00000000..0e066600
--- /dev/null
+++ b/src/sdf/sdf_ext.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SDFUTIL_SDF_EXT_H
+#define SDFUTIL_SDF_EXT_H
+
+
+#include <stdio.h>
+#include <stdint.h>
+#include "../sgd.h"
+#include "sdf.h"
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#define SDF_MIN_KEY_INDEX	  1 /* defined by GM/T 0018 */
+#define SDF_MAX_KEY_INDEX	 32 /* defined by GmSSL */
+#define SDF_MIN_PASSWORD_LENGTH	  8 /* defined by GM/T 0018 */
+#define SDF_MAX_PASSWORD_LENGTH	255 /* defined by GmSSL */
+#define SDF_MAX_FILE_SIZE	(256 * 1024)
+
+
+
+int SDF_LoadLibrary(char *so_path, char *vendor);
+int SDF_UnloadLibrary(void);
+int SDF_ImportKey(void *hSessionHandle, unsigned char *pucKey,
+	unsigned int uiKeyLength, void **phKeyHandle);
+
+int SDF_PrintDeviceInfo(FILE *out, DEVICEINFO *devInfo);
+int SDF_PrintRSAPublicKey(FILE *out, RSArefPublicKey *ref);
+int SDF_PrintRSAPrivateKey(FILE *out, RSArefPrivateKey *ref);
+int SDF_PrintECCPublicKey(FILE *out, ECCrefPublicKey *ref);
+int SDF_PrintECCPrivateKey(FILE *out, ECCrefPrivateKey *ref);
+int SDF_NewECCCipher(ECCCipher **cipher, size_t ulDataLen);
+int SDF_FreeECCCipher(ECCCipher *cipher);
+int SDF_PrintECCCipher(FILE *out, ECCCipher *cipher);
+int SDF_PrintECCSignature(FILE *out, ECCSignature *sig);
+const char *SDF_GetErrorReason(int err);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/src/sdf/sdf_int.h b/src/sdf/sdf_int.h
new file mode 100644
index 00000000..dd0412e9
--- /dev/null
+++ b/src/sdf/sdf_int.h
@@ -0,0 +1,459 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SDFUTIL_SDF_METH_H
+#define SDFUTIL_SDF_METH_H
+
+#include "sdf.h"
+
+typedef int (*SDF_OpenDevice_FuncPtr)(
+	void **phDeviceHandle);
+
+typedef int (*SDF_CloseDevice_FuncPtr)(
+	void *hDeviceHandle);
+
+typedef int (*SDF_OpenSession_FuncPtr)(
+	void *hDeviceHandle,
+	void **phSessionHandle);
+
+typedef int (*SDF_CloseSession_FuncPtr)(
+	void *hSessionHandle);
+
+typedef int (*SDF_GetDeviceInfo_FuncPtr)(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo);
+
+typedef int (*SDF_GenerateRandom_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom);
+
+typedef int (*SDF_GetPrivateKeyAccessRight_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength);
+
+typedef int (*SDF_ReleasePrivateKeyAccessRight_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex);
+
+typedef int (*SDF_ExportSignPublicKey_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+typedef int (*SDF_ExportEncPublicKey_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+typedef int (*SDF_GenerateKeyPair_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey);
+
+typedef int (*SDF_GenerateKeyWithIPK_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateKeyWithEPK_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_ImportKeyWithISK_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_ExchangeDigitEnvelopeBaseOnRSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength);
+
+typedef int (*SDF_ExportSignPublicKey_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+typedef int (*SDF_ExportEncPublicKey_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+typedef int (*SDF_GenerateKeyPair_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey);
+
+typedef int (*SDF_GenerateKeyWithIPK_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateKeyWithEPK_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_ImportKeyWithISK_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateAgreementDataWithECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle);
+
+typedef int (*SDF_GenerateKeyWithECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateAgreementDataAndKeyWithECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_ExchangeDigitEnvelopeBaseOnECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut);
+
+typedef int (*SDF_GenerateKeyWithKEK_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_ImportKeyWithKEK_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_DestroyKey_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle);
+
+typedef int (*SDF_ExternalPublicKeyOperation_RSA_FuncPtr)(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+typedef int (*SDF_InternalPublicKeyOperation_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+typedef int (*SDF_InternalPrivateKeyOperation_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+typedef int (*SDF_ExternalVerify_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature);
+
+typedef int (*SDF_InternalSign_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+typedef int (*SDF_InternalVerify_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+typedef int (*SDF_ExternalEncrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+typedef int (*SDF_ExternalDecrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPrivateKey *pucPrivateKey,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+typedef int (*SDF_InternalEncrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiAlgID,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+typedef int (*SDF_InternalDecrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiAlgID,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+typedef int (*SDF_Encrypt_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength);
+
+typedef int (*SDF_Decrypt_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+typedef int (*SDF_CalculateMAC_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength);
+
+typedef int (*SDF_HashInit_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength);
+
+typedef int (*SDF_HashUpdate_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength);
+
+typedef int (*SDF_HashFinal_FuncPtr)(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength);
+
+typedef int (*SDF_CreateObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiFileSize);
+
+typedef int (*SDF_ReadObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer);
+
+typedef int (*SDF_WriteObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer);
+
+typedef int (*SDF_DeleteObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen);
+
+typedef struct sdf_method_st {
+	char *name;
+	void *dso;
+	SDF_OpenDevice_FuncPtr OpenDevice;
+	SDF_CloseDevice_FuncPtr CloseDevice;
+	SDF_OpenSession_FuncPtr OpenSession;
+	SDF_CloseSession_FuncPtr CloseSession;
+	SDF_GetDeviceInfo_FuncPtr GetDeviceInfo;
+	SDF_GenerateRandom_FuncPtr GenerateRandom;
+	SDF_GetPrivateKeyAccessRight_FuncPtr GetPrivateKeyAccessRight;
+	SDF_ReleasePrivateKeyAccessRight_FuncPtr ReleasePrivateKeyAccessRight;
+	SDF_ExportSignPublicKey_RSA_FuncPtr ExportSignPublicKey_RSA;
+	SDF_ExportEncPublicKey_RSA_FuncPtr ExportEncPublicKey_RSA;
+	SDF_GenerateKeyPair_RSA_FuncPtr GenerateKeyPair_RSA;
+	SDF_GenerateKeyWithIPK_RSA_FuncPtr GenerateKeyWithIPK_RSA;
+	SDF_GenerateKeyWithEPK_RSA_FuncPtr GenerateKeyWithEPK_RSA;
+	SDF_ImportKeyWithISK_RSA_FuncPtr ImportKeyWithISK_RSA;
+	SDF_ExchangeDigitEnvelopeBaseOnRSA_FuncPtr ExchangeDigitEnvelopeBaseOnRSA;
+	SDF_ExportSignPublicKey_ECC_FuncPtr ExportSignPublicKey_ECC;
+	SDF_ExportEncPublicKey_ECC_FuncPtr ExportEncPublicKey_ECC;
+	SDF_GenerateKeyPair_ECC_FuncPtr GenerateKeyPair_ECC;
+	SDF_GenerateKeyWithIPK_ECC_FuncPtr GenerateKeyWithIPK_ECC;
+	SDF_GenerateKeyWithEPK_ECC_FuncPtr GenerateKeyWithEPK_ECC;
+	SDF_ImportKeyWithISK_ECC_FuncPtr ImportKeyWithISK_ECC;
+	SDF_GenerateAgreementDataWithECC_FuncPtr GenerateAgreementDataWithECC;
+	SDF_GenerateKeyWithECC_FuncPtr GenerateKeyWithECC;
+	SDF_GenerateAgreementDataAndKeyWithECC_FuncPtr GenerateAgreementDataAndKeyWithECC;
+	SDF_ExchangeDigitEnvelopeBaseOnECC_FuncPtr ExchangeDigitEnvelopeBaseOnECC;
+	SDF_GenerateKeyWithKEK_FuncPtr GenerateKeyWithKEK;
+	SDF_ImportKeyWithKEK_FuncPtr ImportKeyWithKEK;
+	SDF_DestroyKey_FuncPtr DestroyKey;
+	SDF_ExternalPublicKeyOperation_RSA_FuncPtr ExternalPublicKeyOperation_RSA;
+	SDF_InternalPublicKeyOperation_RSA_FuncPtr InternalPublicKeyOperation_RSA;
+	SDF_InternalPrivateKeyOperation_RSA_FuncPtr InternalPrivateKeyOperation_RSA;
+	SDF_ExternalVerify_ECC_FuncPtr ExternalVerify_ECC;
+	SDF_InternalSign_ECC_FuncPtr InternalSign_ECC;
+	SDF_InternalVerify_ECC_FuncPtr InternalVerify_ECC;
+	SDF_ExternalEncrypt_ECC_FuncPtr ExternalEncrypt_ECC;
+	SDF_ExternalDecrypt_ECC_FuncPtr ExternalDecrypt_ECC;
+	SDF_InternalEncrypt_ECC_FuncPtr InternalEncrypt_ECC;
+	SDF_InternalDecrypt_ECC_FuncPtr InternalDecrypt_ECC;
+	SDF_Encrypt_FuncPtr Encrypt;
+	SDF_Decrypt_FuncPtr Decrypt;
+	SDF_CalculateMAC_FuncPtr CalculateMAC;
+	SDF_HashInit_FuncPtr HashInit;
+	SDF_HashUpdate_FuncPtr HashUpdate;
+	SDF_HashFinal_FuncPtr HashFinal;
+	SDF_CreateObject_FuncPtr CreateObject;
+	SDF_ReadObject_FuncPtr ReadObject;
+	SDF_WriteObject_FuncPtr WriteObject;
+	SDF_DeleteObject_FuncPtr DeleteObject;
+} SDF_METHOD;
+
+SDF_METHOD *SDF_METHOD_load_library(const char *so_path);
+void SDF_METHOD_free(SDF_METHOD *meth);
+
+
+typedef struct sdf_vendor_st {
+	char *name;
+	unsigned int (*cipher_vendor2std)(unsigned int vendor_id);
+	unsigned int (*cipher_std2vendor)(unsigned int std_id);
+	unsigned int (*cipher_cap)(unsigned int vendor_cap);
+	unsigned int (*digest_vendor2std)(unsigned int vendor_id);
+	unsigned int (*digest_std2vendor)(unsigned int std_id);
+	unsigned int (*digest_cap)(unsigned int vendor_cap);
+	unsigned int (*pkey_vendor2std)(unsigned int vendor_id);
+	unsigned int (*pkey_std2vendor)(unsigned int std_id);
+	unsigned int (*pkey_cap)(unsigned int vendor_cap);
+	int (*encode_ecccipher)(const ECCCipher *a, void *buf);
+	int (*decode_ecccipher)(ECCCipher *a, const void *buf);
+	unsigned long (*get_error_reason)(int err);
+} SDF_VENDOR;
+
+
+#endif
diff --git a/src/sdf/sdf_lib.c b/src/sdf/sdf_lib.c
new file mode 100644
index 00000000..b3bd4896
--- /dev/null
+++ b/src/sdf/sdf_lib.c
@@ -0,0 +1,1507 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include "sdf_ext.h"
+#include "sdf_int.h"
+
+SDF_METHOD *sdf_method = NULL;
+SDF_VENDOR *sdf_vendor = NULL;
+extern SDF_VENDOR sdf_sansec;
+
+
+#define SDFerr(reason) fprintf(stderr,"sdfutil: %s %d: %s %s\n", __FILE__, __LINE__, __FUNCTION__, reason)
+
+
+#define SDF_R_LOAD_LIBRARY_FAILURE	"SDF_R_LOAD_LIBRARY_FAILURE"
+#define SDF_R_NOT_INITIALIZED		"SDF_R_NOT_INITIALIZED"
+#define SDF_R_NOT_SUPPORTED_ECC_ALGOR	"SDF_R_NOT_SUPPORTED_ECC_ALGOR"
+#define SDF_R_NOT_SUPPORTED_CIPHER_ALGOR "SDF_R_NOT_SUPPORTED_CIPHER_ALGOR"
+#define SDF_R_BUFFER_TOO_SMALL		"SDF_R_BUFFER_TOO_SMALL"
+#define SDF_R_NOT_SUPPORTED_PKEY_ALGOR	"SDF_R_NOT_SUPPORTED_PKEY_ALGOR"
+#define SDF_R_NOT_SUPPORTED_DIGEST_ALGOR "SDF_R_NOT_SUPPORTED_DIGEST_ALGOR"
+#define ERR_R_SDF_LIB			"ERR_R_SDF_LIB"
+
+
+
+int SDF_LoadLibrary(char *so_path, char *vendor)
+{
+	if (sdf_method) {
+		SDF_METHOD_free(sdf_method);
+		sdf_method = NULL;
+	}
+
+	if (!(sdf_method = SDF_METHOD_load_library(so_path))) {
+		SDFerr(SDF_R_LOAD_LIBRARY_FAILURE);
+		return SDR_BASE;
+	}
+
+	if (vendor) {
+		if (strcmp(vendor, sdf_sansec.name) == 0) {
+			sdf_vendor = &sdf_sansec;
+		}
+	}
+
+	return SDR_OK;
+}
+
+int SDF_UnloadLibrary(void)
+{
+	SDF_METHOD_free(sdf_method);
+	sdf_method = NULL;
+	sdf_vendor = NULL;
+	return SDR_OK;
+}
+
+int SDF_OpenDevice(
+	void **phDeviceHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method  || !sdf_method->OpenDevice) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->OpenDevice(
+		phDeviceHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CloseDevice(
+	void *hDeviceHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CloseDevice) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->CloseDevice(
+		hDeviceHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->OpenSession) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->OpenSession(
+		hDeviceHandle,
+		phSessionHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CloseSession(
+	void *hSessionHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CloseSession) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->CloseSession(
+		hSessionHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GetDeviceInfo) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GetDeviceInfo(
+		hSessionHandle,
+		pstDeviceInfo)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateRandom) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateRandom(
+		hSessionHandle,
+		uiLength,
+		pucRandom)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GetPrivateKeyAccessRight) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GetPrivateKeyAccessRight(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPassword,
+		uiPwdLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ReleasePrivateKeyAccessRight) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ReleasePrivateKeyAccessRight(
+		hSessionHandle,
+		uiKeyIndex)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportSignPublicKey_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportSignPublicKey_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportEncPublicKey_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportEncPublicKey_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyPair_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyPair_RSA(
+		hSessionHandle,
+		uiKeyBits,
+		pucPublicKey,
+		pucPrivateKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithIPK_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithIPK_RSA(
+		hSessionHandle,
+		uiIPKIndex,
+		uiKeyBits,
+		pucKey,
+		puiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithEPK_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithEPK_RSA(
+		hSessionHandle,
+		uiKeyBits,
+		pucPublicKey,
+		pucKey,
+		puiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ImportKeyWithISK_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ImportKeyWithISK_RSA(
+		hSessionHandle,
+		uiISKIndex,
+		pucKey,
+		uiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExchangeDigitEnvelopeBaseOnRSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExchangeDigitEnvelopeBaseOnRSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey,
+		pucDEInput,
+		uiDELength,
+		pucDEOutput,
+		puiDELength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportSignPublicKey_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportSignPublicKey_ECC(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportEncPublicKey_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportEncPublicKey_ECC(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyPair_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_ECC_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->GenerateKeyPair_ECC(
+		hSessionHandle,
+		uiAlgID,
+		uiKeyBits,
+		pucPublicKey,
+		pucPrivateKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithIPK_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithIPK_ECC(
+		hSessionHandle,
+		uiIPKIndex,
+		uiKeyBits,
+		pucKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithEPK_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithEPK_ECC(
+		hSessionHandle,
+		uiKeyBits,
+		uiAlgID,
+		pucPublicKey,
+		pucKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ImportKeyWithISK_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ImportKeyWithISK_ECC(
+		hSessionHandle,
+		uiISKIndex,
+		pucKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateAgreementDataWithECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateAgreementDataWithECC(
+		hSessionHandle,
+		uiISKIndex,
+		uiKeyBits,
+		pucSponsorID,
+		uiSponsorIDLength,
+		pucSponsorPublicKey,
+		pucSponsorTmpPublicKey,
+		phAgreementHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithECC(
+		hSessionHandle,
+		pucResponseID,
+		uiResponseIDLength,
+		pucResponsePublicKey,
+		pucResponseTmpPublicKey,
+		hAgreementHandle,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateAgreementDataAndKeyWithECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateAgreementDataAndKeyWithECC(
+		hSessionHandle,
+		uiISKIndex,
+		uiKeyBits,
+		pucResponseID,
+		uiResponseIDLength,
+		pucSponsorID,
+		uiSponsorIDLength,
+		pucSponsorPublicKey,
+		pucSponsorTmpPublicKey,
+		pucResponsePublicKey,
+		pucResponseTmpPublicKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExchangeDigitEnvelopeBaseOnECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ExchangeDigitEnvelopeBaseOnECC(
+		hSessionHandle,
+		uiKeyIndex,
+		uiAlgID,
+		pucPublicKey,
+		pucEncDataIn,
+		pucEncDataOut)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithKEK) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithKEK(
+		hSessionHandle,
+		uiKeyBits,
+		uiAlgID,
+		uiKEKIndex,
+		pucKey,
+		puiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ImportKeyWithKEK) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ImportKeyWithKEK(
+		hSessionHandle,
+		uiAlgID,
+		uiKEKIndex,
+		pucKey,
+		uiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->DestroyKey) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->DestroyKey(
+		hSessionHandle,
+		hKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExternalPublicKeyOperation_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExternalPublicKeyOperation_RSA(
+		hSessionHandle,
+		pucPublicKey,
+		pucDataInput,
+		uiInputLength,
+		pucDataOutput,
+		puiOutputLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalPublicKeyOperation_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalPublicKeyOperation_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucDataInput,
+		uiInputLength,
+		pucDataOutput,
+		puiOutputLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalPrivateKeyOperation_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalPrivateKeyOperation_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucDataInput,
+		uiInputLength,
+		pucDataOutput,
+		puiOutputLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExternalVerify_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ExternalVerify_ECC(
+		hSessionHandle,
+		uiAlgID,
+		pucPublicKey,
+		pucDataInput,
+		uiInputLength,
+		pucSignature)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalSign_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalSign_ECC(
+		hSessionHandle,
+		uiISKIndex,
+		pucData,
+		uiDataLength,
+		pucSignature)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalVerify_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalVerify_ECC(
+		hSessionHandle,
+		uiIPKIndex,
+		pucData,
+		uiDataLength,
+		pucSignature)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExternalEncrypt_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ExternalEncrypt_ECC(
+		hSessionHandle,
+		uiAlgID,
+		pucPublicKey,
+		pucData,
+		uiDataLength,
+		pucEncData)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiAlgID,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData)
+{
+	int ret = SDR_UNKNOWERR;
+	ECCCipher *buf = pucEncData;
+
+	if (!sdf_method || !sdf_method->InternalEncrypt_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (pucEncData->L < uiDataLength) {
+		SDFerr(SDF_R_BUFFER_TOO_SMALL);
+		return SDR_NOBUFFER;
+	}
+
+	if (sdf_vendor && sdf_vendor->decode_ecccipher) {
+		if (SDF_NewECCCipher(&buf, uiDataLength) != SDR_OK) {
+			SDFerr(ERR_R_SDF_LIB);
+			return SDR_UNKNOWERR;
+		}
+	}
+
+	if (sdf_vendor && sdf_vendor->pkey_std2vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			ret = SDR_ALGNOTSUPPORT;
+			goto end;
+		}
+	}
+
+	if ((ret = sdf_method->InternalEncrypt_ECC(
+		hSessionHandle,
+		uiIPKIndex,
+		uiAlgID,
+		pucData,
+		uiDataLength,
+		buf)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		goto end;
+	}
+
+	if (sdf_vendor && sdf_vendor->decode_ecccipher) {
+		if (!sdf_vendor->decode_ecccipher(pucEncData, buf)) {
+			SDFerr(ERR_R_SDF_LIB);
+			ret = SDR_UNKNOWERR;
+			goto end;
+		}
+	}
+
+	/*
+	{
+		int i;
+		unsigned char *p = (unsigned char *)pucEncData;
+		for (i = 0; i < sizeof(ECCCipher) -1 + uiDataLength; i++) {
+			printf("%02x", p[i]);
+		}
+		printf("\n");
+	}
+	*/
+
+	ret = SDR_OK;
+
+end:
+	if (sdf_vendor && sdf_vendor->decode_ecccipher && buf) {
+		SDF_FreeECCCipher(buf);
+	}
+	return ret;
+}
+
+int SDF_InternalDecrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiAlgID,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *uiDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+	ECCCipher *buf = pucEncData;
+
+	if (!sdf_method || !sdf_method->InternalDecrypt_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor && sdf_vendor->pkey_std2vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if (sdf_vendor && sdf_vendor->encode_ecccipher) {
+		if (SDF_NewECCCipher(&buf, pucEncData->L) != SDR_OK) {
+			SDFerr(ERR_R_SDF_LIB);
+			return SDR_UNKNOWERR;
+		}
+
+		if (!sdf_vendor->encode_ecccipher(pucEncData, buf)) {
+			SDFerr(ERR_R_SDF_LIB);
+			ret = SDR_UNKNOWERR;
+			goto end;
+		}
+	}
+
+	if ((ret = sdf_method->InternalDecrypt_ECC(
+		hSessionHandle,
+		uiISKIndex,
+		uiAlgID,
+		buf,
+		pucData,
+		uiDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		goto end;
+	}
+
+end:
+	if (sdf_vendor && sdf_vendor->encode_ecccipher && buf) {
+		SDF_FreeECCCipher(buf);
+	}
+	return ret;
+}
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->Encrypt) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->Encrypt(
+		hSessionHandle,
+		hKeyHandle,
+		uiAlgID,
+		pucIV,
+		pucData,
+		uiDataLength,
+		pucEncData,
+		puiEncDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->Decrypt) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->Decrypt(
+		hSessionHandle,
+		hKeyHandle,
+		uiAlgID,
+		pucIV,
+		pucEncData,
+		uiEncDataLength,
+		pucData,
+		puiDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CalculateMAC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->CalculateMAC(
+		hSessionHandle,
+		hKeyHandle,
+		uiAlgID,
+		pucIV,
+		pucData,
+		uiDataLength,
+		pucMAC,
+		puiMACLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->HashInit) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->digest_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_DIGEST_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->HashInit(
+		hSessionHandle,
+		uiAlgID,
+		pucPublicKey,
+		pucID,
+		uiIDLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->HashUpdate) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->HashUpdate(
+		hSessionHandle,
+		pucData,
+		uiDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_HashFinal(
+	void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->HashFinal) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->HashFinal(
+		hSessionHandle,
+		pucHash,
+		puiHashLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiFileSize)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CreateObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->CreateObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen,
+		uiFileSize)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ReadObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ReadObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen,
+		uiOffset,
+		puiReadLength,
+		pucBuffer)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->WriteObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->WriteObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen,
+		uiOffset,
+		uiWriteLength,
+		pucBuffer)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->DeleteObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->DeleteObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
diff --git a/src/sdf/sdf_meth.c b/src/sdf/sdf_meth.c
new file mode 100644
index 00000000..c172777c
--- /dev/null
+++ b/src/sdf/sdf_meth.c
@@ -0,0 +1,143 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include "sdf_int.h"
+
+#define SDFerr(a,b)
+
+#define SDF_METHOD_BIND_FUNCTION_EX(func,name) \
+	sdf->func = (SDF_##func##_FuncPtr)dlsym(sdf->dso, "SDF_"#name)
+
+#define SDF_METHOD_BIND_FUNCTION(func) \
+	SDF_METHOD_BIND_FUNCTION_EX(func,func)
+
+SDF_METHOD *SDF_METHOD_load_library(const char *so_path)
+{
+	SDF_METHOD *ret = NULL;
+	SDF_METHOD *sdf = NULL;
+
+	if (!(sdf = malloc(sizeof(*sdf)))) {
+		SDFerr(SDF_F_SDF_METHOD_LOAD_LIBRARY, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+	memset(sdf, 0, sizeof(*sdf));
+
+	if (!(sdf->dso = dlopen(so_path, 0))) {
+		SDFerr(SDF_F_SDF_METHOD_LOAD_LIBRARY, SDF_R_DSO_LOAD_FAILURE);
+		goto end;
+	}
+
+	SDF_METHOD_BIND_FUNCTION(OpenDevice);
+	SDF_METHOD_BIND_FUNCTION(CloseDevice);
+	SDF_METHOD_BIND_FUNCTION(OpenSession);
+	SDF_METHOD_BIND_FUNCTION(CloseSession);
+	SDF_METHOD_BIND_FUNCTION(GetDeviceInfo);
+	SDF_METHOD_BIND_FUNCTION(GenerateRandom);
+	SDF_METHOD_BIND_FUNCTION(GetPrivateKeyAccessRight);
+	SDF_METHOD_BIND_FUNCTION(ReleasePrivateKeyAccessRight);
+	SDF_METHOD_BIND_FUNCTION(ExportSignPublicKey_RSA);
+	SDF_METHOD_BIND_FUNCTION(ExportEncPublicKey_RSA);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyPair_RSA);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithIPK_RSA);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithEPK_RSA);
+	SDF_METHOD_BIND_FUNCTION(ImportKeyWithISK_RSA);
+	SDF_METHOD_BIND_FUNCTION(ExchangeDigitEnvelopeBaseOnRSA);
+	SDF_METHOD_BIND_FUNCTION(ExportSignPublicKey_ECC);
+	SDF_METHOD_BIND_FUNCTION(ExportEncPublicKey_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyPair_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithIPK_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithEPK_ECC);
+	SDF_METHOD_BIND_FUNCTION(ImportKeyWithISK_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateAgreementDataWithECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateAgreementDataAndKeyWithECC);
+	SDF_METHOD_BIND_FUNCTION(ExchangeDigitEnvelopeBaseOnECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithKEK);
+	SDF_METHOD_BIND_FUNCTION(ImportKeyWithKEK);
+	SDF_METHOD_BIND_FUNCTION(DestroyKey);
+	SDF_METHOD_BIND_FUNCTION(ExternalPublicKeyOperation_RSA);
+	//SDF_METHOD_BIND_FUNCTION(InternalPublicKeyOperation_RSA);
+	SDF_METHOD_BIND_FUNCTION(InternalPrivateKeyOperation_RSA);
+	SDF_METHOD_BIND_FUNCTION(ExternalVerify_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalSign_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalVerify_ECC);
+	SDF_METHOD_BIND_FUNCTION(ExternalEncrypt_ECC);
+	//SDF_METHOD_BIND_FUNCTION(ExternalDecrypt_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalEncrypt_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalDecrypt_ECC);
+	SDF_METHOD_BIND_FUNCTION(Encrypt);
+	SDF_METHOD_BIND_FUNCTION(Decrypt);
+	SDF_METHOD_BIND_FUNCTION(CalculateMAC);
+	SDF_METHOD_BIND_FUNCTION(HashInit);
+	SDF_METHOD_BIND_FUNCTION(HashUpdate);
+	SDF_METHOD_BIND_FUNCTION(HashFinal);
+	SDF_METHOD_BIND_FUNCTION_EX(CreateObject,CreateFile);
+	SDF_METHOD_BIND_FUNCTION_EX(ReadObject,ReadFile);
+	SDF_METHOD_BIND_FUNCTION_EX(WriteObject,WriteFile);
+	SDF_METHOD_BIND_FUNCTION_EX(DeleteObject,DeleteFile);
+
+	ret = sdf;
+	sdf = NULL;
+
+end:
+	SDF_METHOD_free(sdf);
+	return ret;
+}
+
+void SDF_METHOD_free(SDF_METHOD *meth)
+{
+	if (meth) free(meth->dso);
+	free(meth);
+}
+
+
diff --git a/src/sdf/sdf_sansec.c b/src/sdf/sdf_sansec.c
new file mode 100644
index 00000000..c562c53e
--- /dev/null
+++ b/src/sdf/sdf_sansec.c
@@ -0,0 +1,305 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include "sdf.h"
+#include "sdf_int.h"
+#include "sdf_sansec.h"
+
+
+#define SDFerr(a,b)
+
+typedef struct {
+	unsigned int std_id;
+	unsigned int vendor_id;
+} SDF_ALGOR_PAIR;
+
+static SDF_ALGOR_PAIR sansec_ciphers[] = {
+	{ SGD_SM1, SANSEC_SM1 },
+	{ SGD_SM1_ECB, SANSEC_SM1_ECB },
+	{ SGD_SM1_CBC, SANSEC_SM1_CBC },
+	{ SGD_SM1_CFB, SANSEC_SM1_CFB },
+	{ SGD_SM1_OFB, SANSEC_SM1_OFB },
+	{ SGD_SM1_MAC, SANSEC_SM1_MAC },
+	{ SGD_SM4, SANSEC_SM4 },
+	{ SGD_SM4_ECB, SANSEC_SM4_ECB },
+	{ SGD_SM4_CBC, SANSEC_SM4_CBC },
+	{ SGD_SM4_CFB, SANSEC_SM4_CFB },
+	{ SGD_SM4_OFB, SANSEC_SM4_OFB },
+	{ SGD_SM4_MAC, SANSEC_SM4_MAC },
+	{ SGD_SSF33, SANSEC_SSF33 },
+	{ SGD_SSF33_ECB, SANSEC_SSF33_ECB },
+	{ SGD_SSF33_CBC, SANSEC_SSF33_CBC },
+	{ SGD_SSF33_CFB, SANSEC_SSF33_CFB },
+	{ SGD_SSF33_OFB, SANSEC_SSF33_OFB },
+	{ SGD_SSF33_MAC, SANSEC_SSF33_MAC },
+	{ 0, SANSEC_AES },
+	{ 0, SANSEC_AES_ECB },
+	{ 0, SANSEC_AES_CBC },
+	{ 0, SANSEC_AES_CFB },
+	{ 0, SANSEC_AES_OFB },
+	{ 0, SANSEC_AES_MAC },
+	{ 0, SANSEC_DES },
+	{ 0, SANSEC_DES_ECB },
+	{ 0, SANSEC_DES_CBC },
+	{ 0, SANSEC_DES_CFB },
+	{ 0, SANSEC_DES_OFB },
+	{ 0, SANSEC_DES_MAC },
+	{ 0, SANSEC_3DES },
+	{ 0, SANSEC_3DES_ECB },
+	{ 0, SANSEC_3DES_CBC },
+	{ 0, SANSEC_3DES_CFB },
+	{ 0, SANSEC_3DES_OFB },
+	{ 0, SANSEC_3DES_MAC },
+};
+
+static unsigned int sansec_cipher_vendor2std(unsigned int vendor_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_ciphers)/sizeof(sansec_ciphers[0]); i++) {
+		if (vendor_id == sansec_ciphers[i].vendor_id) {
+			return sansec_ciphers[i].std_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_cipher_std2vendor(unsigned int std_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_ciphers)/sizeof(sansec_ciphers[0]); i++) {
+		if (std_id == sansec_ciphers[i].std_id) {
+			return sansec_ciphers[i].vendor_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_cipher_cap(unsigned int vendor_cap)
+{
+	unsigned int std_cap = 0;
+	size_t i;
+
+	for (i = 0; i < sizeof(sansec_ciphers)/sizeof(sansec_ciphers[0]); i++) {
+		if (vendor_cap & sansec_ciphers[i].vendor_id) {
+			std_cap |= sansec_ciphers[i].std_id;
+		}
+	}
+
+	return std_cap;
+}
+
+static SDF_ALGOR_PAIR sansec_digests[] = {
+	{ SGD_SM3, SANSEC_SM3 },
+	{ SGD_SHA1, SANSEC_SHA1 },
+	{ SGD_SHA256, SANSEC_SHA256 },
+	{ 0, SANSEC_SHA512 },
+	{ 0, SANSEC_SHA384 },
+	{ 0, SANSEC_SHA224 },
+	{ 0, SANSEC_MD5 },
+};
+
+static unsigned int sansec_digest_vendor2std(unsigned int vendor_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_digests)/sizeof(sansec_digests[0]); i++) {
+		if (vendor_id == sansec_digests[i].vendor_id) {
+			return sansec_digests[i].std_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_digest_std2vendor(unsigned int std_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_digests)/sizeof(sansec_digests[0]); i++) {
+		if (std_id == sansec_digests[i].std_id) {
+			return sansec_digests[i].vendor_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_digest_cap(unsigned int vendor_cap)
+{
+	unsigned int std_cap = 0;
+	size_t i;
+
+	for (i = 0; i < sizeof(sansec_digests)/sizeof(sansec_digests[0]); i++) {
+		if (vendor_cap & sansec_digests[i].vendor_id) {
+			std_cap |= sansec_digests[i].std_id;
+		}
+	}
+
+	return std_cap;
+}
+
+static SDF_ALGOR_PAIR sansec_pkeys[] = {
+	{ SGD_RSA,SANSEC_RSA },
+	{ SGD_RSA_SIGN,SANSEC_RSA_SIGN },
+	{ SGD_RSA_ENC,SANSEC_RSA_ENC },
+	{ SGD_SM2,SANSEC_SM2 },
+	{ SGD_SM2_1,SANSEC_SM2_1 },
+	{ SGD_SM2_2,SANSEC_SM2_2 },
+	{ SGD_SM2_3,SANSEC_SM2_3 },
+};
+
+static unsigned int sansec_pkey_vendor2std(unsigned int vendor_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_pkeys)/sizeof(sansec_pkeys[0]); i++) {
+		if (vendor_id == sansec_pkeys[i].vendor_id) {
+			return sansec_pkeys[i].std_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_pkey_std2vendor(unsigned int std_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_pkeys)/sizeof(sansec_pkeys[0]); i++) {
+		if (std_id == sansec_pkeys[i].std_id) {
+			return sansec_pkeys[i].vendor_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_pkey_cap(unsigned int vendor_cap)
+{
+	unsigned int std_cap = 0;
+	size_t i;
+
+	for (i = 0; i < sizeof(sansec_pkeys)/sizeof(sansec_pkeys[0]); i++) {
+		if (vendor_cap & sansec_pkeys[i].vendor_id) {
+			std_cap |= sansec_pkeys[i].std_id;
+		}
+	}
+
+	return std_cap;
+}
+
+static int sansec_encode_ecccipher(const ECCCipher *ec, void *vendor)
+{
+	int ret;
+	SANSEC_ECCCipher *sansec = vendor;
+	ret = sizeof(SANSEC_ECCCipher);
+
+	if (ec->L > sizeof(sansec->C)) {
+		SDFerr(SDF_F_SANSEC_ENCODE_ECCCIPHER,
+			SDF_R_INVALID_SANSEC_ECCCIPHER_LENGTH);
+		return 0;
+	}
+
+	if (vendor) {
+		sansec->clength = ec->L;
+		memcpy(sansec->x, ec->x, sizeof(ec->x));
+		memcpy(sansec->y, ec->y, sizeof(ec->y));
+		memcpy(sansec->M, ec->M, sizeof(ec->M));
+		memset(sansec->M + sizeof(ec->M), 0, sizeof(sansec->M) - sizeof(ec->M));
+		memcpy(sansec->C, ec->C, ec->L);
+		memset(sansec->C + ec->L, 0, sizeof(sansec->C) - ec->L);
+	}
+
+	return ret;
+}
+
+static int sansec_decode_ecccipher(ECCCipher *ec, const void *vendor)
+{
+	int ret;
+	const SANSEC_ECCCipher *sansec = vendor;
+	ret = sizeof(ECCCipher) -1 + sansec->clength;
+
+	if (sansec->clength > sizeof(sansec->C)) {
+		SDFerr(SDF_F_SANSEC_DECODE_ECCCIPHER,
+			SDF_R_INVALID_SANSEC_ECCCIPHER_LENGTH);
+		return 0;
+	}
+
+	if (ec) {
+		memcpy(ec->x, sansec->x, sizeof(ec->x));
+		memcpy(ec->y, sansec->y, sizeof(ec->y));
+		memcpy(ec->M, sansec->M, sizeof(ec->M));
+		ec->L = sansec->clength;
+		memcpy(ec->C, sansec->C, sansec->clength);
+	}
+
+	return ret;
+}
+
+static unsigned long sansec_get_error_reason(int err)
+{
+/*
+	size_t i = 0;
+	for (i = 0; i < OSSL_NELEM(sansec_errors); i++) {
+		if (err == sansec_errors[i].err) {
+			return sansec_errors[i].reason;
+		}
+	}
+*/
+	return 0;
+}
+
+SDF_VENDOR sdf_sansec = {
+	"sansec",
+	sansec_cipher_vendor2std,
+	sansec_cipher_std2vendor,
+	sansec_cipher_cap,
+	sansec_digest_vendor2std,
+	sansec_digest_std2vendor,
+	sansec_digest_cap,
+	sansec_pkey_vendor2std,
+	sansec_pkey_std2vendor,
+	sansec_pkey_cap,
+	sansec_encode_ecccipher,
+	sansec_decode_ecccipher,
+	sansec_get_error_reason,
+};
diff --git a/src/sdf/sdf_sansec.h b/src/sdf/sdf_sansec.h
new file mode 100644
index 00000000..369fbb62
--- /dev/null
+++ b/src/sdf/sdf_sansec.h
@@ -0,0 +1,192 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+#ifndef SDFUTIL_SDF_SANSEC_H
+#define SDFUTIL_SDF_SANSEC_H
+
+#include "../sgd.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define SANSEC_SM1		(SGD_SM1)
+#define SANSEC_SM1_ECB		(SANSEC_SM1|SGD_ECB)
+#define SANSEC_SM1_CBC		(SANSEC_SM1|SGD_CBC)
+#define SANSEC_SM1_CFB		(SANSEC_SM1|SGD_CFB)
+#define SANSEC_SM1_OFB		(SANSEC_SM1|SGD_OFB)
+#define SANSEC_SM1_MAC		(SANSEC_SM1|SGD_MAC)
+
+#define SANSEC_SM4		0x00002000
+#define SANSEC_SM4_ECB		(SANSEC_SM4|SGD_ECB)
+#define SANSEC_SM4_CBC		(SANSEC_SM4|SGD_CBC)
+#define SANSEC_SM4_CFB		(SANSEC_SM4|SGD_CFB)
+#define SANSEC_SM4_OFB		(SANSEC_SM4|SGD_OFB)
+#define SANSEC_SM4_MAC		(SANSEC_SM4|SGD_MAC)
+
+#define SANSEC_SSF33		(SGD_SSF33)
+#define SANSEC_SSF33_ECB	(SANSEC_SSF33|SGD_ECB)
+#define SANSEC_SSF33_CBC	(SANSEC_SSF33|SGD_CBC)
+#define SANSEC_SSF33_CFB	(SANSEC_SSF33|SGD_CFB)
+#define SANSEC_SSF33_OFB	(SANSEC_SSF33|SGD_OFB)
+#define SANSEC_SSF33_MAC	(SANSEC_SSF33|SGD_MAC)
+
+#define SANSEC_AES		0x00000400
+#define SANSEC_AES_ECB		(SANSEC_AES|SGD_ECB)
+#define SANSEC_AES_CBC		(SANSEC_AES|SGD_CBC)
+#define SANSEC_AES_CFB		(SANSEC_AES|SGD_CFB)
+#define SANSEC_AES_OFB		(SANSEC_AES|SGD_OFB)
+#define SANSEC_AES_MAC		(SANSEC_AES|SGD_MAC)
+
+#define SANSEC_DES		0x00004000
+#define SANSEC_DES_ECB		(SANSEC_DES|SGD_ECB)
+#define SANSEC_DES_CBC		(SANSEC_DES|SGD_CBC)
+#define SANSEC_DES_CFB		(SANSEC_DES|SGD_CFB)
+#define SANSEC_DES_OFB		(SANSEC_DES|SGD_OFB)
+#define SANSEC_DES_MAC		(SANSEC_DES|SGD_MAC)
+
+#define SANSEC_3DES		0x00000800
+#define SANSEC_3DES_ECB		(SANSEC_3DES|SGD_ECB)
+#define SANSEC_3DES_CBC		(SANSEC_3DES|SGD_CBC)
+#define SANSEC_3DES_CFB		(SANSEC_3DES|SGD_CFB)
+#define SANSEC_3DES_OFB		(SANSEC_3DES|SGD_OFB)
+#define SANSEC_3DES_MAC		(SANSEC_3DES|SGD_MAC)
+
+#define SANSEC_SM3		(SGD_SM3)
+#define SANSEC_SHA1		(SGD_SHA1)
+#define SANSEC_SHA256		(SGD_SHA256)
+#define SANSEC_SHA512		0x00000008
+#define SANSEC_SHA384		0x00000010
+#define SANSEC_SHA224		0x00000020
+#define SANSEC_MD5		0x00000080
+
+#define SANSEC_RSA		(SGD_RSA)
+#define SANSEC_RSA_SIGN		(SGD_RSA_SIGN)
+#define SANSEC_RSA_ENC		0x00010200
+#define SANSEC_SM2		(SGD_SM2)
+#define SANSEC_SM2_1		(SGD_SM2_1)
+#define SANSEC_SM2_2		(SGD_SM2_2)
+#define SANSEC_SM2_3		(SGD_SM2_3)
+
+#define SANSEC_BASE				(SDR_BASE + 0x00010000)
+#define SANSEC_INVALID_USER			(SANSEC_BASE + 0x00000001)
+#define SANSEC_INVALID_AUTHENCODE		(SANSEC_BASE + 0x00000002)
+#define SANSEC_PROTOCOL_VERSION_ERROR		(SANSEC_BASE + 0x00000003)
+#define SANSEC_INVALID_COMMAND			(SANSEC_BASE + 0x00000004)
+#define SANSEC_INVALID_PARAMETERS		(SANSEC_BASE + 0x00000005)
+#define SANSEC_FILE_ALREADY_EXIST		(SANSEC_BASE + 0x00000006)
+#define SANSEC_SYNC_ERROR			(SANSEC_BASE + 0x00000007)
+#define SANSEC_SYNC_LOGIN_ERROR			(SANSEC_BASE + 0x00000008)
+#define SANSEC_SOCKET_TIMEOUT			(SANSEC_BASE + 0x00000100)
+#define SANSEC_CONNECT_ERROR			(SANSEC_BASE + 0x00000101)
+#define SANSEC_SET_SOCKET_OPTION_ERROR		(SANSEC_BASE + 0x00000102)
+#define SANSEC_SOCKET_SEND_ERROR		(SANSEC_BASE + 0x00000104)
+#define SANSEC_SOCKET_RECV_ERROR		(SANSEC_BASE + 0x00000105)
+#define SANSEC_SOCKET_RECV_0			(SANSEC_BASE + 0x00000106)
+#define SANSEC_SEM_TIMEOUT			(SANSEC_BASE + 0x00000200)
+#define SANSEC_NO_AVAILABLE_HSM			(SANSEC_BASE + 0x00000201)
+#define SANSEC_NO_AVAILABLE_CSM			(SANSEC_BASE + 0x00000202)
+#define SANSEC_CONFIG_ERROR			(SANSEC_BASE + 0x00000301)
+#define SANSEC_CARD_BASE			(SDR_BASE + 0x00020000)
+#define SANSEC_CARD_UNKNOW_ERROR		(SANSEC_CARD_BASE + 0x00000001)
+#define SANSEC_CARD_NOT_SUPPORTED		(SANSEC_CARD_BASE + 0x00000002)
+#define SANSEC_CARD_COMMMUCATION_FAILED		(SANSEC_CARD_BASE + 0x00000003)
+#define SANSEC_CARD_HARDWARE_FAILURE		(SANSEC_CARD_BASE + 0x00000004)
+#define SANSEC_CARD_OPEN_DEVICE_FAILED		(SANSEC_CARD_BASE + 0x00000005)
+#define SANSEC_CARD_OPEN_SESSION_FAILED		(SANSEC_CARD_BASE + 0x00000006)
+#define SANSEC_CARD_PRIVATE_KEY_ACCESS_DENYED	(SANSEC_CARD_BASE + 0x00000007)
+#define SANSEC_CARD_KEY_NOT_EXIST		(SANSEC_CARD_BASE + 0x00000008)
+#define SANSEC_CARD_ALGOR_NOT_SUPPORTED		(SANSEC_CARD_BASE + 0x00000009)
+#define SANSEC_CARD_ALG_MODE_NOT_SUPPORTED	(SANSEC_CARD_BASE + 0x00000010)
+#define SANSEC_CARD_PUBLIC_KEY_OPERATION_ERROR	(SANSEC_CARD_BASE + 0x00000011)
+#define SANSEC_CARD_PRIVATE_KEY_OPERATION_ERROR	(SANSEC_CARD_BASE + 0x00000012)
+#define SANSEC_CARD_SIGN_ERROR			(SANSEC_CARD_BASE + 0x00000013)
+#define SANSEC_CARD_VERIFY_ERROR		(SANSEC_CARD_BASE + 0x00000014)
+#define SANSEC_CARD_SYMMETRIC_ALGOR_ERROR	(SANSEC_CARD_BASE + 0x00000015)
+#define SANSEC_CARD_STEP_ERROR			(SANSEC_CARD_BASE + 0x00000016)
+#define SANSEC_CARD_FILE_SIZE_ERROR		(SANSEC_CARD_BASE + 0x00000017)
+#define SANSEC_CARD_FILE_NOT_EXIST		(SANSEC_CARD_BASE + 0x00000018)
+#define SANSEC_CARD_FILE_OFFSET_ERROR		(SANSEC_CARD_BASE + 0x00000019)
+#define SANSEC_CARD_KEY_TYPE_ERROR		(SANSEC_CARD_BASE + 0x00000020)
+#define SANSEC_CARD_KEY_ERROR			(SANSEC_CARD_BASE + 0x00000021)
+#define SANSEC_CARD_BUFFER_TOO_SMALL		(SANSEC_CARD_BASE + 0x00000101)
+#define SANSEC_CARD_DATA_PADDING_ERROR		(SANSEC_CARD_BASE + 0x00000102)
+#define SANSEC_CARD_DATA_SIZE			(SANSEC_CARD_BASE + 0x00000103)
+#define SANSEC_CARD_CRYPTO_NOT_INITED		(SANSEC_CARD_BASE + 0x00000104)
+#define SANSEC_CARD_MANAGEMENT_DENYED		(SANSEC_CARD_BASE + 0x00001001)
+#define SANSEC_CARD_OPERATION_DENYED		(SANSEC_CARD_BASE + 0x00001002)
+#define SANSEC_CARD_DEVICE_STATUS_ERROR		(SANSEC_CARD_BASE + 0x00001003)
+#define SANSEC_CARD_LOGIN_ERROR			(SANSEC_CARD_BASE + 0x00001011)
+#define SANSEC_CARD_USERID_ERROR		(SANSEC_CARD_BASE + 0x00001012)
+#define SANSEC_CARD_PARAMENT_ERROR		(SANSEC_CARD_BASE + 0x00001013)
+#define SANSEC_CARD_MANAGEMENT_DENYED_05	(SANSEC_CARD_BASE + 0x00000801)
+#define SANSEC_CARD_OPERATION_DENYED_05		(SANSEC_CARD_BASE + 0x00000802)
+#define SANSEC_CARD_DEVICE_STATUS_ERROR_05	(SANSEC_CARD_BASE + 0x00000803)
+#define SANSEC_CARD_LOGIN_ERROR_05		(SANSEC_CARD_BASE + 0x00000811)
+#define SANSEC_CARD_USERID_ERROR_05		(SANSEC_CARD_BASE + 0x00000812)
+#define SANSEC_CARD_PARAMENT_ERROR_05		(SANSEC_CARD_BASE + 0x00000813)
+#define SANSEC_CARD_READER_BASE			(SDR_BASE + 0x00030000)
+#define SANSEC_CARD_READER_PIN_ERROR		(SANSEC_CARD_READER_BASE + 0x000063CE)
+#define SANSEC_CARD_READER_NO_CARD		(SANSEC_CARD_READER_BASE + 0x0000FF01)
+#define SANSEC_CARD_READER_CARD_INSERT		(SANSEC_CARD_READER_BASE + 0x0000FF02)
+#define SANSEC_CARD_READER_CARD_INSERT_TYPE 	(SANSEC_CARD_READER_BASE + 0x0000FF03)
+
+#pragma pack(1)
+typedef struct {
+	unsigned int  clength;
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+	unsigned char C[136];
+	unsigned char M[ECCref_MAX_LEN];
+} SANSEC_ECCCipher;
+#pragma pack()
+
+#ifdef __cplusplus
+}
+#endif
+#endif