diff --git a/include/gmssl/endian.h b/include/gmssl/endian.h
new file mode 100644
index 00000000..590dccfc
--- /dev/null
+++ b/include/gmssl/endian.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2014 - 2020 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef GMSSL_ENDIAN_H
+#define GMSSL_ENDIAN_H
+
+
+/* Big Endian R/W */
+
+#define GETU16(p) \
+	((uint16_t)(p)[0] <<  8 | \
+	 (uint16_t)(p)[1])
+
+#define GETU32(p) \
+	((uint32_t)(p)[0] << 24 | \
+	 (uint32_t)(p)[1] << 16 | \
+	 (uint32_t)(p)[2] <<  8 | \
+	 (uint32_t)(p)[3])
+
+#define GETU64(p) \
+	((uint64_t)(p)[0] << 56 | \
+	 (uint64_t)(p)[1] << 48 | \
+	 (uint64_t)(p)[2] << 40 | \
+	 (uint64_t)(p)[3] << 32 | \
+	 (uint64_t)(p)[4] << 24 | \
+	 (uint64_t)(p)[5] << 16 | \
+	 (uint64_t)(p)[6] <<  8 | \
+	 (uint64_t)(p)[7])
+
+
+// 注意：PUTU32(buf, val++) 会出错！
+#define PUTU16(p,V) \
+	((p)[0] = (uint8_t)((V) >> 8), \
+	 (p)[1] = (uint8_t)(V))
+
+#define PUTU32(p,V) \
+	((p)[0] = (uint8_t)((V) >> 24), \
+	 (p)[1] = (uint8_t)((V) >> 16), \
+	 (p)[2] = (uint8_t)((V) >>  8), \
+	 (p)[3] = (uint8_t)(V))
+
+#define PUTU64(p,V) \
+	((p)[0] = (uint8_t)((V) >> 56), \
+	 (p)[1] = (uint8_t)((V) >> 48), \
+	 (p)[2] = (uint8_t)((V) >> 40), \
+	 (p)[3] = (uint8_t)((V) >> 32), \
+	 (p)[4] = (uint8_t)((V) >> 24), \
+	 (p)[5] = (uint8_t)((V) >> 16), \
+	 (p)[6] = (uint8_t)((V) >>  8), \
+	 (p)[7] = (uint8_t)(V))
+
+/* Little Endian R/W */
+
+#define GETU16_LE(p)	(*(const uint16_t *)(p))
+#define GETU32_LE(p)	(*(const uint32_t *)(p))
+#define GETU64_LE(p)	(*(const uint64_t *)(p))
+
+#define PUTU16_LE(p,V)	*(uint16_t *)(p) = (V)
+#define PUTU32_LE(p,V)	*(uint32_t *)(p) = (V)
+#define PUTU64_LE(p,V)	*(uint64_t *)(p) = (V)
+
+/* Rotate */
+
+#define ROL32(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#define ROL64(a,n)	(((a)<<(n))|((a)>>(64-(n))))
+
+#define ROR32(a,n)	ROL32((a),32-(n))
+#define ROR64(a,n)	ROL64(a,64-n)
+
+
+#endif
diff --git a/include/gmssl/engine.h b/include/gmssl/engine.h
index ca6e5a8f..0b89f84b 100644
--- a/include/gmssl/engine.h
+++ b/include/gmssl/engine.h
@@ -1,75 +1 @@
-/*
- * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the GmSSL Project.
- *    (http://gmssl.org/)"
- *
- * 4. The name "GmSSL Project" must not be used to endorse or promote
- *    products derived from this software without prior written
- *    permission. For written permission, please contact
- *    guanzhi1980@gmail.com.
- *
- * 5. Products derived from this software may not be called "GmSSL"
- *    nor may "GmSSL" appear in their names without prior written
- *    permission of the GmSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the GmSSL Project
- *    (http://gmssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef GMSSL_ENGINE_H
-#define GMSSL_ENGINE_H
-
-#include <string.h>
-#include <stdint.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-int engine_init(void);
-int engine_get_sign_key(int index);
-int engine_sm2_sign();
-int engine_rand_bytes();
-int engine_info_print();
-int engine_exit(void);
-
-
-
-
-
-
-#ifdef __cplusplus
-}
-#endif
-#endif
diff --git a/include/gmssl/error.h b/include/gmssl/error.h
index 9003a195..499c6633 100644
--- a/include/gmssl/error.h
+++ b/include/gmssl/error.h
@@ -60,6 +60,13 @@ extern "C" {
 #endif
 
 
+#define GMSSL_FMT_BIN	1
+#define GMSSL_FMT_HEX	2
+#define GMSSL_FMT_DER	4
+#define GMSSL_FMT_PEM	8
+
+
+
 #define DEBUG 1
 
 #define error_print() \
diff --git a/include/gmssl/hash_drbg.h b/include/gmssl/hash_drbg.h
index 7f110110..762a4c9e 100644
--- a/include/gmssl/hash_drbg.h
+++ b/include/gmssl/hash_drbg.h
@@ -110,6 +110,7 @@ int hash_drbg_generate(HASH_DRBG *drbg,
 	size_t outlen, uint8_t *out);
 
 
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/include/gmssl/sdf.h b/include/gmssl/sdf.h
new file mode 100644
index 00000000..a35182ec
--- /dev/null
+++ b/include/gmssl/sdf.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef GMSSL_SDF_H
+#define GMSSL_SDF_H
+
+#include <string.h>
+#include <stdint.h>
+#include <gmssl/sm2.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef struct {
+	void *device_handle;
+	char device_issuer[41];
+	char device_name[17];
+	char device_serial[17];
+} SDF_DEVICE;
+
+typedef struct {
+	void *session_handle;
+	int key_index;
+	SM2_KEY public_key;
+} SDF_KEY;
+
+
+int sdf_open_device(SDF_DEVICE *dev);
+int sdf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SDF_DEVICE *dev);
+int sdf_rand_bytes(SDF_DEVICE *dev, uint8_t *buf, size_t len);
+int sdf_load_key(SDF_DEVICE *dev, SDF_KEY *key, int index, const char *pass);
+int sdf_sign(SDF_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen);
+int sdf_release_key(SDF_KEY *key);
+int sdf_close_device(SDF_DEVICE *dev);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/include/gmssl/skf.h b/include/gmssl/skf.h
new file mode 100644
index 00000000..dc2ead19
--- /dev/null
+++ b/include/gmssl/skf.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef GMSSL_SKF_H
+#define GMSSL_SKF_H
+
+
+#include <string.h>
+#include <stdint.h>
+#include <gmssl/sm2.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef struct {
+	void *handle;
+	char manufacturer[65];
+	char issuer[65];
+	char label[33];
+	char serial[33];
+	uint8_t hardware_version[2];
+	uint8_t firmware_version[2];
+} SKF_DEVICE;
+
+typedef struct {
+	void *app_handle;
+	char app_name[65];
+	void *container_handle;
+	char container_name[65];
+	SM2_KEY public_key;
+} SKF_KEY;
+
+
+int skf_open_device(SKF_DEVICE *dev, const char *devname, const uint8_t *authkey, size_t authkeylen);
+int skf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SKF_DEVICE *dev);
+int skf_rand_bytes(SKF_DEVICE *dev, uint8_t *buf, size_t len);
+int sdf_load_key(SKF_DEVICE *dev, const char *appname, const char *pass, const char *container_name, SKF_KEY *key);
+int skf_sign(SKF_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen);
+int skf_release_key(SKF_KEY *key);
+int skf_close_deivce(SKF_DEVICE *dev);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/include/gmssl/zuc.h b/include/gmssl/zuc.h
index b1d429ce..4f526a9e 100644
--- a/include/gmssl/zuc.h
+++ b/include/gmssl/zuc.h
@@ -79,7 +79,7 @@ typedef struct {
 void zuc_init(ZUC_STATE *state, const uint8_t key[ZUC_KEY_SIZE], const uint8_t iv[ZUC_IV_SIZE]);
 void zuc_generate_keystream(ZUC_STATE *state, size_t nwords, ZUC_UINT32 *words);
 ZUC_UINT32 zuc_generate_keyword(ZUC_STATE *state);
-
+void zuc_encrypt(ZUC_STATE *state, const uint8_t *in, size_t inlen, uint8_t *out);
 
 typedef struct ZUC_MAC_CTX_st {
 	ZUC_UINT31 LFSR[16];
@@ -135,6 +135,23 @@ void zuc256_mac_update(ZUC256_MAC_CTX *ctx, const uint8_t *data, size_t len);
 void zuc256_mac_finish(ZUC256_MAC_CTX *ctx, const uint8_t *data, size_t nbits, uint8_t *mac);
 
 
+// Public API
+
+typedef struct {
+	ZUC_STATE zuc_state;
+	uint8_t block[4];
+	size_t block_nbytes;
+} ZUC_CTX;
+
+int zuc_encrypt_init(ZUC_CTX *ctx, const uint8_t key[ZUC_KEY_SIZE], const uint8_t iv[ZUC_IV_SIZE]);
+int zuc_encrypt_update(ZUC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
+int zuc_encrypt_finish(ZUC_CTX *ctx, uint8_t *out, size_t *outlen);
+
+#define zuc_decrypt_init(ctx,key,iv) zuc_encrypt_init(ctx,key,iv)
+#define zuc_decrypt_update(ctx,in,inlen,out,outlen) zuc_encrypt_update(ctx,in,inlen,out,outlen)
+#define zuc_decrypt_finish(ctx,out,outlen) zuc_encrypt_finish(ctx,out,outlen)
+
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/tools/sdfutil/CMakeLists.txt b/tools/sdfutil/CMakeLists.txt
new file mode 100644
index 00000000..58a60318
--- /dev/null
+++ b/tools/sdfutil/CMakeLists.txt
@@ -0,0 +1,23 @@
+cmake_minimum_required(VERSION 3.0)
+project(GmSSL)
+
+set(CMAKE_MACOSX_RPATH 1)
+SET(EXECUTABLE_OUTPUT_PATH ${PROJECT_BINARY_DIR}/bin)
+SET(LIBRARY_OUTPUT_PATH ${PROJECT_BINARY_DIR}/lib)
+
+include_directories(include)
+
+add_library(sdf SHARED sdf_dummy.c)
+SET_TARGET_PROPERTIES(sdf PROPERTIES VERSION 3.0 SOVERSION 3)
+
+add_executable(
+	sdfutil
+	sdfutil.c
+	sdf_lib.c
+	sdf_ext.c
+	sdf_meth.c
+	sdf_sansec.c
+)
+
+INSTALL(TARGETS sdfutil RUNTIME DESTINATION bin)
+
diff --git a/tools/sdfutil/sdf.h b/tools/sdfutil/sdf.h
new file mode 100644
index 00000000..da699665
--- /dev/null
+++ b/tools/sdfutil/sdf.h
@@ -0,0 +1,503 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * SDF API is a cryptographic API for PCI-E cards defined in standard
+ * GM/T 0018-2012: Interface Specifications of Cryptography Device Application
+ *
+ * Note: this header file follows the specification of GM/T 0018-2012. As we
+ * know, some vendors provide header files with some differences, especially
+ * the definations of data structures. So be sure to check the file provided by
+ * vendors and compare with this one.
+ *
+ * The implementations of SDF API from different vendors might have different
+ * behaviors on the same function. The comments in this file will show
+ * information and warnings on these issues. If the application developer use
+ * the GmSSL implementation, see `crypto/gmapi/sdf_lcl.h` for more information.
+ */
+
+#ifndef HEADER_SDF_H
+#define HEADER_SDF_H
+
+#include <stdio.h>
+#include "sgd.h"
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+
+#pragma pack(1)
+typedef struct DeviceInfo_st {
+	unsigned char IssuerName[40];
+	unsigned char DeviceName[16];
+	unsigned char DeviceSerial[16];	/* 8-char date +
+					 * 3-char batch num +
+					 * 5-char serial num
+					 */
+	unsigned int DeviceVersion;
+	unsigned int StandardVersion;
+	unsigned int AsymAlgAbility[2];	/* AsymAlgAbility[0] = algors
+					 * AsymAlgAbility[1] = modulus lens
+					 */
+	unsigned int SymAlgAbility;
+	unsigned int HashAlgAbility;
+	unsigned int BufferSize;
+} DEVICEINFO;
+
+typedef struct RSArefPublicKey_st {
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+} RSArefPublicKey;
+
+typedef struct RSArefPrivateKey_st {
+	unsigned int bits;
+	unsigned char m[RSAref_MAX_LEN];
+	unsigned char e[RSAref_MAX_LEN];
+	unsigned char d[RSAref_MAX_LEN];
+	unsigned char prime[2][RSAref_MAX_PLEN];
+	unsigned char pexp[2][RSAref_MAX_PLEN];
+	unsigned char coef[RSAref_MAX_PLEN];
+} RSArefPrivateKey;
+
+typedef struct ECCrefPublicKey_st {
+	unsigned int bits;
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+} ECCrefPublicKey;
+
+typedef struct ECCrefPrivateKey_st {
+    unsigned int  bits;
+    unsigned char K[ECCref_MAX_LEN];
+} ECCrefPrivateKey;
+
+typedef struct ECCCipher_st {
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+	unsigned char M[32];
+	unsigned int L;
+	unsigned char C[1];
+} ECCCipher;
+
+typedef struct ECCSignature_st {
+	unsigned char r[ECCref_MAX_LEN];
+	unsigned char s[ECCref_MAX_LEN];
+} ECCSignature;
+
+typedef struct SDF_ENVELOPEDKEYBLOB {
+	unsigned long Version;
+	unsigned long ulSymmAlgID;
+	ECCCipher ECCCipehrBlob;
+	ECCrefPublicKey PubKey;
+	unsigned char cbEncryptedPrivKey[64];
+} EnvelopedKeyBlob, *PEnvelopedKeyBlob;
+#pragma pack()
+
+int SDF_OpenDevice(
+	void **phDeviceHandle);
+
+int SDF_CloseDevice(
+	void *hDeviceHandle);
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle);
+
+int SDF_CloseSession(
+	void *hSessionHandle);
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo);
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom);
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength);
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex);
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey);
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength);
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey);
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle);
+
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle);
+
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle);
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut);
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle);
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_InternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature);
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+int SDF_InternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiAlgID,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+int SDF_InternalDecrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiAlgID,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *uiDataLength);
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength);
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength);
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength);
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength);
+
+int SDF_HashFinal(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength);
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen, /* max 128-byte */
+	unsigned int uiFileSize);
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer);
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer);
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen);
+
+#define SDR_OK			0x0
+#define SDR_BASE		0x01000000
+#define SDR_UNKNOWERR		(SDR_BASE + 0x00000001)
+#define SDR_NOTSUPPORT		(SDR_BASE + 0x00000002)
+#define SDR_COMMFAIL		(SDR_BASE + 0x00000003)
+#define SDR_HARDFAIL		(SDR_BASE + 0x00000004)
+#define SDR_OPENDEVICE		(SDR_BASE + 0x00000005)
+#define SDR_OPENSESSION		(SDR_BASE + 0x00000006)
+#define SDR_PARDENY		(SDR_BASE + 0x00000007)
+#define SDR_KEYNOTEXIST		(SDR_BASE + 0x00000008)
+#define SDR_ALGNOTSUPPORT	(SDR_BASE + 0x00000009)
+#define SDR_ALGMODNOTSUPPORT	(SDR_BASE + 0x0000000A)
+#define SDR_PKOPERR		(SDR_BASE + 0x0000000B)
+#define SDR_SKOPERR		(SDR_BASE + 0x0000000C)
+#define SDR_SIGNERR		(SDR_BASE + 0x0000000D)
+#define SDR_VERIFYERR		(SDR_BASE + 0x0000000E)
+#define SDR_SYMOPERR		(SDR_BASE + 0x0000000F)
+#define SDR_STEPERR		(SDR_BASE + 0x00000010)
+#define SDR_FILESIZEERR		(SDR_BASE + 0x00000011)
+#define SDR_FILENOEXIST		(SDR_BASE + 0x00000012)
+#define SDR_FILEOFSERR		(SDR_BASE + 0x00000013)
+#define SDR_KEYTYPEERR		(SDR_BASE + 0x00000014)
+#define SDR_KEYERR		(SDR_BASE + 0x00000015)
+#define SDR_ENCDATAERR		(SDR_BASE + 0x00000016)
+#define SDR_RANDERR		(SDR_BASE + 0x00000017)
+#define SDR_PRKRERR		(SDR_BASE + 0x00000018)
+#define SDR_MACERR		(SDR_BASE + 0x00000019)
+#define SDR_FILEEXSITS		(SDR_BASE + 0x0000001A)
+#define SDR_FILEWERR		(SDR_BASE + 0x0000001B)
+#define SDR_NOBUFFER		(SDR_BASE + 0x0000001C)
+#define SDR_INARGERR		(SDR_BASE + 0x0000001D)
+#define SDR_OUTARGERR		(SDR_BASE + 0x0000001E)
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/tools/sdfutil/sdf_dummy.c b/tools/sdfutil/sdf_dummy.c
new file mode 100644
index 00000000..491917ab
--- /dev/null
+++ b/tools/sdfutil/sdf_dummy.c
@@ -0,0 +1,768 @@
+/* ====================================================================
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "sgd.h"
+#include "sdf.h"
+
+static char *deviceHandle = "SDF Device Handle";
+static char *sessionHandle = "SDF Session Handle";
+static char *keyHandle = "SDF Key Handle";
+static char *agreementHandle = "SDF Agreement Handle";
+
+unsigned char rsaPublicKeyBuf[516] = {
+	0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xd5,0x43,0xbf,0x24,0xd2,0x69,0x56,0x21,0x20,0x57,0x8a,0xd8,
+	0x67,0x4f,0xbd,0xd5,0xf5,0x3a,0xf5,0x9e,0xa5,0x87,0x52,0x39,0x47,0xc3,0xce,0x32,
+	0x56,0xb6,0x06,0x2d,0xdc,0x8d,0xc2,0x18,0x53,0x5c,0xb0,0xcb,0xb6,0xe8,0x7c,0x82,
+	0x97,0x38,0xbb,0x85,0x45,0x2e,0xc8,0x24,0x08,0x96,0x9e,0xb0,0x00,0xaf,0xd9,0xa7,
+	0x1f,0x50,0x7f,0xc4,0x93,0x14,0x74,0x9a,0x43,0x8e,0x04,0x95,0xa0,0xd6,0xd9,0xdd,
+	0xb4,0x97,0xb3,0x52,0x93,0xe4,0xbe,0xd1,0x1f,0x8c,0xf9,0xcd,0xe1,0xae,0x54,0xae,
+	0x72,0xdf,0x94,0xe3,0x15,0x6a,0x5c,0x99,0xd6,0x80,0x46,0x94,0xad,0xb3,0x76,0x95,
+	0x4e,0x14,0x8f,0x8f,0xe5,0x55,0xf1,0x3f,0xd0,0xd3,0x96,0x01,0xf6,0x94,0x3e,0x61,
+	0xc1,0x8e,0xb3,0x89,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x01,0x00,0x01,};
+unsigned char rsaPrivateKeyBuf[1412] = {
+	0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xd5,0x43,0xbf,0x24,0xd2,0x69,0x56,0x21,0x20,0x57,0x8a,0xd8,
+	0x67,0x4f,0xbd,0xd5,0xf5,0x3a,0xf5,0x9e,0xa5,0x87,0x52,0x39,0x47,0xc3,0xce,0x32,
+	0x56,0xb6,0x06,0x2d,0xdc,0x8d,0xc2,0x18,0x53,0x5c,0xb0,0xcb,0xb6,0xe8,0x7c,0x82,
+	0x97,0x38,0xbb,0x85,0x45,0x2e,0xc8,0x24,0x08,0x96,0x9e,0xb0,0x00,0xaf,0xd9,0xa7,
+	0x1f,0x50,0x7f,0xc4,0x93,0x14,0x74,0x9a,0x43,0x8e,0x04,0x95,0xa0,0xd6,0xd9,0xdd,
+	0xb4,0x97,0xb3,0x52,0x93,0xe4,0xbe,0xd1,0x1f,0x8c,0xf9,0xcd,0xe1,0xae,0x54,0xae,
+	0x72,0xdf,0x94,0xe3,0x15,0x6a,0x5c,0x99,0xd6,0x80,0x46,0x94,0xad,0xb3,0x76,0x95,
+	0x4e,0x14,0x8f,0x8f,0xe5,0x55,0xf1,0x3f,0xd0,0xd3,0x96,0x01,0xf6,0x94,0x3e,0x61,
+	0xc1,0x8e,0xb3,0x89,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x01,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x1e,0xd9,0x55,0xe4,0xf5,0xaa,0xd7,0x12,0xa3,0xa3,0x06,0x2a,
+	0x97,0x87,0x29,0x66,0xb1,0xba,0x7d,0x9d,0x1d,0x44,0x9d,0xd8,0x3b,0x51,0x4f,0x9a,
+	0x68,0x80,0x9c,0x14,0x36,0x3b,0x2b,0x40,0x69,0x8e,0x96,0xe4,0x60,0xe8,0xf0,0x59,
+	0xd3,0x96,0x19,0x4a,0x05,0xdf,0xe6,0x83,0x8f,0xda,0x79,0xc9,0xeb,0xcf,0x84,0x24,
+	0x70,0x9b,0x2c,0x5f,0xf7,0x56,0xe2,0xe0,0xc7,0xfb,0x67,0x92,0xd2,0xf6,0x59,0x19,
+	0xe9,0xdd,0xb4,0x54,0x52,0x0d,0xf8,0xda,0x64,0x67,0xe0,0xb9,0xe6,0x52,0x08,0xff,
+	0x28,0x06,0x89,0x5c,0x2b,0xd5,0x6e,0x21,0xe1,0x6d,0x1d,0xe3,0xf8,0x1e,0x0f,0x20,
+	0x9f,0x0a,0x60,0xd1,0xff,0x4e,0xa2,0x45,0xa1,0xee,0x96,0x90,0xc0,0xc4,0xa8,0x25,
+	0x5a,0xe8,0xe8,0xa1,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xf5,0xde,0x0d,0x0c,0xc5,0x03,0x53,0x44,0xfa,0x70,0xc7,0x44,
+	0x63,0xf8,0x57,0x7e,0x49,0x76,0xe4,0x7a,0x76,0x01,0x7d,0xda,0x65,0xaa,0x9d,0xbe,
+	0xfe,0x24,0x9b,0x48,0xf9,0xa8,0x18,0x42,0x47,0xf3,0x1a,0x1e,0x61,0xe9,0xb8,0xb3,
+	0x07,0xee,0xfd,0x83,0x2e,0xf2,0xf8,0xb9,0x1f,0x9a,0xee,0xeb,0x21,0xd0,0xc0,0x13,
+	0xa2,0x31,0x33,0xe7,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xde,0x0d,0xba,0xf3,0x62,0x8f,0x75,0x16,0xe6,0x87,0x72,0xba,
+	0x12,0x6a,0x43,0x5c,0xde,0x22,0x60,0xea,0xef,0x7a,0x7e,0xb6,0x28,0x16,0x4f,0xda,
+	0xe7,0xb8,0xfe,0x48,0x17,0x65,0x1a,0x73,0x38,0x98,0xdb,0xa2,0xda,0x50,0xc8,0x81,
+	0x53,0x07,0x1d,0x0e,0xa7,0x3f,0x48,0x57,0xea,0x5b,0x34,0x64,0x9f,0x0a,0x8b,0x36,
+	0x7e,0x08,0xef,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xa8,0xd9,0xe6,0x7c,0x6e,0x90,0xea,0x0e,0xe5,0x2f,0xae,0xa9,
+	0xf9,0x3e,0x04,0x58,0x66,0x7b,0x90,0x4d,0xc9,0xdd,0x1c,0x61,0x70,0x90,0xcb,0xe4,
+	0xef,0x04,0x94,0xe0,0x79,0x14,0x48,0x14,0xbc,0xf4,0xe7,0x6b,0x16,0x33,0x3c,0xf5,
+	0x36,0xed,0x9a,0x8d,0x0d,0x21,0x30,0x4f,0x72,0xb5,0x24,0x7f,0xb6,0xa9,0x76,0x40,
+	0x05,0x93,0x64,0xe1,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x85,0x35,0x31,0x68,0x9e,0x40,0xb7,0x1a,0x34,0xd3,0x1e,0x84,
+	0xf7,0x55,0x1d,0xf2,0x11,0x24,0x08,0x86,0x07,0x81,0xb1,0x8f,0xee,0xfe,0x6b,0x8b,
+	0x43,0xa5,0x5b,0x8d,0xbd,0xd3,0x1e,0x09,0xee,0xf2,0xec,0x17,0x86,0xe6,0x1d,0x52,
+	0x4f,0x8f,0x9d,0xe3,0xd3,0x7b,0x08,0x18,0x0d,0x74,0x07,0x3b,0x31,0x99,0x6e,0xa8,
+	0x12,0xf5,0xa3,0x0b,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x23,0x60,0x23,0xc4,0x44,0x67,0x91,0xb7,0xde,0x06,0x9a,0x17,
+	0x49,0x3a,0x8e,0x66,0xb4,0x54,0x61,0x4b,0xc4,0x9e,0xf8,0xe6,0xbc,0xf8,0x87,0xef,
+	0x06,0xb5,0x40,0x4b,0xab,0xaf,0xf0,0xa0,0x46,0x43,0xc5,0xbd,0xec,0xff,0x57,0xfd,
+	0x51,0x8a,0x6b,0x7b,0x32,0xee,0xeb,0x2f,0x81,0xd0,0xa0,0xa2,0x09,0x18,0xab,0x5c,
+	0x85,0x1b,0x0f,0x57,};
+unsigned char eccPublicKeyBuf[132] = {
+	0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x0e,0x42,0x92,0x4a,0x1b,0x01,0xb6,0x64,0x89,0x97,0xfb,0x67,
+	0x3f,0xa5,0xa6,0xc4,0xc4,0x82,0xa2,0xfa,0xe6,0x96,0xc9,0x0a,0x37,0xf2,0x44,0x6c,
+	0xac,0x37,0x85,0x67,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xf8,0xbb,0x32,0x55,0xe2,0x47,0x34,0x9a,0xc9,0xb5,0xdb,0xc7,
+	0x17,0x4a,0xd9,0x84,0xbf,0xc5,0x3e,0x99,0x92,0xc6,0xd8,0x2d,0x6f,0xea,0xff,0x79,
+	0x6b,0xde,0x3d,0x37,};
+unsigned char eccPrivateKeyBuf[68] = {
+	0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+	0x00,0x00,0x00,0x00,0xe6,0x51,0x2e,0xf8,0xca,0x14,0x84,0xa2,0xd9,0x76,0xc9,0x0d,
+	0x37,0x1d,0xf1,0x95,0x49,0xbe,0x83,0x8e,0x70,0x09,0x1d,0x81,0xbd,0x6e,0xd9,0x5c,
+	0xad,0x02,0x19,0x44,};
+
+
+#define SDF_TRACE() fprintf(stderr, "SDF_Dummy->%s\n", __FUNCTION__)
+
+int SDF_OpenDevice(
+	void **phDeviceHandle)
+{
+	if (!phDeviceHandle /* || !(*phDeviceHandle) */)
+		return SDR_INARGERR;
+
+	*phDeviceHandle = deviceHandle;
+	return SDR_OK;
+}
+
+int SDF_CloseDevice(
+	void *hDeviceHandle)
+{
+	return SDR_OK;
+}
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle)
+{
+	if (!phSessionHandle  /* || !(*phSessionHandle) */)
+		return SDR_INARGERR;
+	*phSessionHandle = sessionHandle;
+	return SDR_OK;
+}
+
+int SDF_CloseSession(
+	void *hSessionHandle)
+{
+	return SDR_OK;
+}
+
+#define SDF_DEV_DATE		"20140101"
+#define SDF_DEV_BATCH_NUM	"001"
+#define SDF_DEV_SERIAL_NUM	"00123"
+#define SDF_DEV_SERIAL		SDF_DEV_DATE \
+				SDF_DEV_BATCH_NUM \
+				SDF_DEV_SERIAL_NUM
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo)
+{
+	if (!pstDeviceInfo)
+		return SDR_INARGERR;
+	memset(pstDeviceInfo, 0, sizeof(*pstDeviceInfo));
+	strncpy((char *)pstDeviceInfo->IssuerName, "GmSSL Project (http://gmssl.org)",
+		sizeof(pstDeviceInfo->IssuerName));
+	strncpy((char *)pstDeviceInfo->DeviceName, "Dummy SDF",
+		sizeof(pstDeviceInfo->DeviceName));
+	strncpy((char *)pstDeviceInfo->DeviceSerial, SDF_DEV_SERIAL,
+		sizeof(pstDeviceInfo->DeviceSerial));
+	pstDeviceInfo->DeviceVersion = 1;
+	pstDeviceInfo->StandardVersion = 1;
+	pstDeviceInfo->AsymAlgAbility[0] = SGD_RSA_SIGN|SGD_RSA_ENC|
+		SGD_SM2_1|SGD_SM2_2|SGD_SM2_3;
+	pstDeviceInfo->AsymAlgAbility[1] = 256|512|1024|2048|4096;
+	pstDeviceInfo->SymAlgAbility = SGD_SM1|SGD_SSF33|SGD_SM4|SGD_ZUC|
+		SGD_ECB|SGD_CBC|SGD_CFB|SGD_OFB|SGD_MAC;
+	pstDeviceInfo->HashAlgAbility = SGD_SM3|SGD_SHA1|SGD_SHA256;
+	pstDeviceInfo->BufferSize = 256*1024;
+	return SDR_OK;
+}
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom)
+{
+	return SDR_OK;
+}
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength)
+{
+	return SDR_OK;
+}
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex)
+{
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, rsaPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, rsaPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey)
+{
+	if (!pucPublicKey || !pucPrivateKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, rsaPublicKeyBuf, sizeof(*pucPublicKey));
+	memcpy(pucPrivateKey, rsaPrivateKeyBuf, sizeof(*pucPrivateKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	if (!puiKeyLength)
+		return SDR_INARGERR;
+	*puiKeyLength = 2048/8;
+	if (phKeyHandle && *phKeyHandle)
+		*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	if (!puiKeyLength)
+		return SDR_INARGERR;
+	*puiKeyLength = 2048/8;
+	if (phKeyHandle && *phKeyHandle)
+		*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength)
+{
+	if (!puiDELength)
+		return SDR_INARGERR;
+	*puiDELength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, eccPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	if (!pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, eccPublicKeyBuf, sizeof(*pucPublicKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey)
+{
+	if (!pucPublicKey || !pucPublicKey)
+		return SDR_INARGERR;
+	memcpy(pucPublicKey, eccPublicKeyBuf, sizeof(*pucPublicKey));
+	memcpy(pucPrivateKey, eccPrivateKeyBuf, sizeof(*pucPrivateKey));
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+/* 6.3.14 */
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle)
+{
+	// any output public key ?
+	if (!phAgreementHandle || !(*phAgreementHandle))
+		return SDR_INARGERR;
+	*phAgreementHandle = agreementHandle;
+	return SDR_OK;
+}
+
+/* 6.3.15 */
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+/* 6.3.16 */
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle)
+{
+	// any output
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut)
+{
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	if (!phKeyHandle || !(*phKeyHandle))
+		return SDR_INARGERR;
+	*phKeyHandle = keyHandle;
+	return SDR_OK;
+}
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle)
+{
+	return SDR_OK;
+}
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	if (!puiOutputLength)
+		return SDR_INARGERR;
+	*puiOutputLength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_ExternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPrivateKey *pucPrivateKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	if (!puiOutputLength)
+		return SDR_INARGERR;
+	*puiOutputLength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	if (!puiOutputLength)
+		return SDR_INARGERR;
+	*puiOutputLength = 2048/8;
+	return SDR_OK;
+}
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature)
+{
+	return SDR_OK;
+}
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	return SDR_OK;
+}
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	return SDR_OK;
+}
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData)
+{
+	if (!pucEncData)
+		return SDR_INARGERR;
+	pucEncData->L = uiDataLength;
+	return SDR_OK;
+}
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength)
+{
+	if (!puiEncDataLength)
+		return SDR_INARGERR;
+	*puiEncDataLength = uiDataLength;
+	return SDR_OK;
+}
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength)
+{
+	if (!puiDataLength)
+		return SDR_INARGERR;
+	*puiDataLength = uiEncDataLength;
+	return SDR_OK;
+}
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength)
+{
+	if (!puiMACLength)
+		return SDR_INARGERR;
+	*puiMACLength = 16; /* CBC-MAC length */
+	return SDR_OK;
+}
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength)
+{
+	return SDR_OK;
+}
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength)
+{
+	return SDR_OK;
+}
+
+int SDF_HashFinal(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength)
+{
+	if (!puiHashLength)
+		return SDR_INARGERR;
+	*puiHashLength = 32;
+	return SDR_OK;
+}
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiFileSize)
+{
+	return SDR_OK;
+}
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer)
+{
+	if (!puiReadLength)
+		return SDR_INARGERR;
+	return SDR_OK;
+}
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer)
+{
+	return SDR_OK;
+}
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen)
+{
+	return SDR_OK;
+}
diff --git a/tools/sdfutil/sdf_ext.c b/tools/sdfutil/sdf_ext.c
new file mode 100644
index 00000000..25c2ead7
--- /dev/null
+++ b/tools/sdfutil/sdf_ext.c
@@ -0,0 +1,331 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include "sdf_int.h"
+#include "sdf_sansec.h"
+
+
+
+int format_bytes(FILE *out, int indent, int format, const uint8_t *data, size_t datalen)
+{
+	return 0;
+}
+
+#define SDFerr(a,b)
+
+
+typedef struct {
+	ULONG id;
+	char *name;
+} table_item_t;
+
+static table_item_t sdf_cipher_caps[] = {
+	{ SGD_SM1_ECB, "sm1-ecb" },
+	{ SGD_SM1_CBC, "sm1-cbc" },
+	{ SGD_SM1_CFB, "sm1-cfb" },
+	{ SGD_SM1_OFB, "sm1-ofb128" },
+	{ SGD_SM1_MAC, "cbcmac-sm1" },
+	{ SGD_SSF33_ECB, "ssf33-ecb" },
+	{ SGD_SSF33_CBC, "ssf33-cbc" },
+	{ SGD_SSF33_CFB, "ssf33-cfb" },
+	{ SGD_SSF33_OFB, "ssf33-ofb128" },
+	{ SGD_SSF33_MAC, "cbcmac-ssf33" },
+	{ SGD_SM4_ECB, "sms4-ecb" },
+	{ SGD_SM4_CBC, "sms4-cbc" },
+	{ SGD_SM4_CFB, "sms4-cfb" },
+	{ SGD_SM4_OFB, "sms4-ofb128" },
+	{ SGD_SM4_MAC, "cbcmac-sms4" },
+	{ SGD_ZUC_EEA3, "zuc_128eea3" },
+	{ SGD_ZUC_EIA3, "zuc_128eia3" }
+};
+
+static table_item_t sdf_digest_caps[] = {
+	{ SGD_SM3,  "sm3" },
+	{ SGD_SHA1, "sha1" },
+	{ SGD_SHA256, "sha256" },
+};
+
+static table_item_t sdf_pkey_caps[] = {
+	{ SGD_RSA_SIGN, "rsa" },
+	{ SGD_RSA_ENC, "rsaEncryption" },
+	{ SGD_SM2_1, "sm2sign" },
+	{ SGD_SM2_2, "sm2exchange" },
+	{ SGD_SM2_3, "sm2encrypt" }
+};
+
+int SDF_PrintDeviceInfo(FILE *out, DEVICEINFO *pstDeviceInfo)
+{
+	size_t i, n;
+	DEVICEINFO buf;
+	DEVICEINFO *devInfo = &buf;
+
+	memcpy(devInfo, pstDeviceInfo, sizeof(DEVICEINFO));
+	devInfo->IssuerName[39] = 0;
+	devInfo->DeviceName[15] = 0;
+	devInfo->DeviceSerial[15] = 0;
+
+	fprintf(out, "  %-18s : %s\n", "Device Name", devInfo->DeviceName);
+	fprintf(out, "  %-18s : %s\n", "Serial Number", devInfo->DeviceSerial);
+	fprintf(out, "  %-18s : %s\n", "Issuer", devInfo->IssuerName);
+	fprintf(out, "  %-18s : %u\n", "Hardware Version", devInfo->DeviceVersion);
+	fprintf(out, "  %-18s : %u\n", "Standard Version", devInfo->StandardVersion);
+	fprintf(out, "  %-18s : ", "Public Key Algors");
+	for (i = n = 0; i < sizeof(sdf_pkey_caps)/sizeof(sdf_pkey_caps[0]); i++) {
+		if ((devInfo->AsymAlgAbility[0] & sdf_pkey_caps[i].id) ==
+			sdf_pkey_caps[i].id) {
+			fprintf(out, "%s%s", n ? "," : "", sdf_pkey_caps[i].name);
+			n++;
+		}
+	}
+	fprintf(out, "\n");
+
+	fprintf(out, "  %-18s : ", "Ciphers");
+	for (i = n = 0; i < sizeof(sdf_cipher_caps)/sizeof(sdf_cipher_caps[0]); i++) {
+		if ((devInfo->SymAlgAbility & sdf_cipher_caps[i].id) ==
+			sdf_cipher_caps[i].id) {
+			fprintf(out, "%s%s", n ? "," : "", sdf_cipher_caps[i].name);
+			n++;
+		}
+	}
+	fprintf(out, "\n");
+
+	fprintf(out, "  %-18s : ", "Digests");
+	for (i = n = 0; i < sizeof(sdf_digest_caps)/sizeof(sdf_digest_caps[0]); i++) {
+		if ((devInfo->HashAlgAbility & sdf_digest_caps[i].id) ==
+			sdf_digest_caps[i].id) {
+			fprintf(out, "%s%s", n ? "," : "", sdf_digest_caps[i].name);
+			n++;
+		}
+	}
+	fprintf(out, "\n");
+	fprintf(out, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintRSAPublicKey(FILE *out, RSArefPublicKey *blob)
+{
+	(void)fprintf(out, "bits: %d\n", blob->bits);
+	(void)fprintf(out, "m:\n    ");
+	(void)format_bytes(out, 4, 16, blob->m, sizeof(blob->m));
+	(void)fprintf(out, "\n");
+	(void)fprintf(out, "e:\n    ");
+	(void)format_bytes(out, 4, 16, blob->e, sizeof(blob->e));
+	(void)fprintf(out, "\n");
+	return SDR_OK;
+}
+
+int SDF_PrintRSAPrivateKey(FILE *bio, RSArefPrivateKey *blob)
+{
+	(void)fprintf(bio, "bits: %d", blob->bits);
+	(void)fprintf(bio, "\n%s:\n    ", "m");
+	(void)format_bytes(bio, 4, 16, blob->m, sizeof(blob->m));
+	(void)fprintf(bio, "\n%s:\n    ", "e");
+	(void)format_bytes(bio, 4, 16, blob->e, sizeof(blob->e));
+	(void)fprintf(bio, "\n%s:\n    ", "d");
+	(void)format_bytes(bio, 4, 16, blob->d, sizeof(blob->d));
+	(void)fprintf(bio, "\n%s:\n    ", "prime[0]");
+	(void)format_bytes(bio, 4, 16, blob->prime[0], sizeof(blob->prime[0]));
+	(void)fprintf(bio, "\n%s:\n    ", "prime[1]");
+	(void)format_bytes(bio, 4, 16, blob->prime[1], sizeof(blob->prime[1]));
+	(void)fprintf(bio, "\n%s:\n    ", "pexp[0]");
+	(void)format_bytes(bio, 4, 16, blob->pexp[0], sizeof(blob->pexp[0]));
+	(void)fprintf(bio, "\n%s:\n    ", "pexp[1]");
+	(void)format_bytes(bio, 4, 16, blob->pexp[1], sizeof(blob->pexp[1]));
+	(void)fprintf(bio, "\n%s:\n    ", "coef");
+	(void)format_bytes(bio, 4, 16, blob->coef, sizeof(blob->coef));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCPublicKey(FILE *bio, ECCrefPublicKey *blob)
+{
+	(void)fprintf(bio, "bits: %d", blob->bits);
+	(void)fprintf(bio, "\n%s:\n    ", "x");
+	(void)format_bytes(bio, 4, 16, blob->x, sizeof(blob->x));
+	(void)fprintf(bio, "\n%s:\n    ", "y");
+	(void)format_bytes(bio, 4, 16, blob->y, sizeof(blob->y));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCPrivateKey(FILE *bio, ECCrefPrivateKey *blob)
+{
+	(void)fprintf(bio, "bits: %d", blob->bits);
+	(void)fprintf(bio, "\n%s:\n    ", "K");
+	(void)format_bytes(bio, 4, 16, blob->K, sizeof(blob->K));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCCipher(FILE *bio, ECCCipher *blob)
+{
+	(void)fprintf(bio, "%s:\n    ", "x");
+	(void)format_bytes(bio, 4, 16, blob->x, sizeof(blob->x));
+	(void)fprintf(bio, "\n%s:\n    ", "y");
+	(void)format_bytes(bio, 4, 16, blob->y, sizeof(blob->y));
+	(void)fprintf(bio, "\n%s:\n    ", "M");
+	(void)format_bytes(bio, 4, 16, blob->M, sizeof(blob->M));
+	(void)fprintf(bio, "\nL: %d", blob->L);
+	(void)fprintf(bio, "\n%s:\n    ", "C");
+	(void)format_bytes(bio, 4, 16, blob->C, sizeof(blob->C));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_PrintECCSignature(FILE *bio, ECCSignature *blob)
+{
+	(void)fprintf(bio, "%s:\n    ", "r");
+	(void)format_bytes(bio, 4, 16, blob->r, sizeof(blob->r));
+	(void)fprintf(bio, "\n%s:\n    ", "s");
+	(void)format_bytes(bio, 4, 16, blob->s, sizeof(blob->s));
+	(void)fprintf(bio, "\n");
+
+	return SDR_OK;
+}
+
+int SDF_ImportKey(
+	void *hSessionHandle,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	(void)hSessionHandle;
+	(void)pucKey;
+	(void)uiKeyLength;
+	(void)phKeyHandle;
+	SDFerr(SDF_F_SDF_IMPORTKEY, SDF_R_NOT_IMPLEMENTED);
+	return SDR_NOTSUPPORT;
+}
+
+int SDF_NewECCCipher(ECCCipher **cipher, size_t ulDataLen)
+{
+	ECCCipher *ecc_cipher = NULL;
+	size_t len;
+
+	if (!cipher) {
+		SDFerr(SDF_F_SDF_NEWECCCIPHER, ERR_R_PASSED_NULL_PARAMETER);
+		return SDR_INARGERR;
+	}
+
+	if (!ulDataLen || ulDataLen > INT_MAX) {
+		SDFerr(SDF_F_SDF_NEWECCCIPHER,
+			SDF_R_INVALID_SM2_CIPHERTEXT_LENGTH);
+		return SDR_INARGERR;
+	}
+
+	len = sizeof(ECCCipher) - 1 + ulDataLen;
+	if (len < sizeof(SANSEC_ECCCipher)) {
+		len = sizeof(SANSEC_ECCCipher);
+	}
+
+	if (!(ecc_cipher = malloc(len))) {
+		SDFerr(SDF_F_SDF_NEWECCCIPHER, ERR_R_MALLOC_FAILURE);
+		return SDR_NOBUFFER;
+	}
+	memset(ecc_cipher, 0, sizeof(*ecc_cipher));
+
+	ecc_cipher->L = (unsigned int)ulDataLen;
+
+	*cipher = ecc_cipher;
+	return SDR_OK;
+}
+
+int SDF_FreeECCCipher(ECCCipher *cipher)
+{
+	free(cipher);
+	return SDR_OK;
+}
+
+const char *SDF_GetErrorReason(int err)
+{
+	switch (err) {
+	case SDR_OK: return "SDR_OK";
+	case SDR_BASE: return "SDR_BASE";
+	case SDR_UNKNOWERR: return "SDR_UNKNOWERR";
+	case SDR_NOTSUPPORT: return "SDR_NOTSUPPORT";
+	case SDR_COMMFAIL: return "SDR_COMMFAIL";
+	case SDR_HARDFAIL: return "SDR_HARDFAIL";
+	case SDR_OPENDEVICE: return "SDR_OPENDEVICE";
+	case SDR_OPENSESSION: return "SDR_OPENSESSION";
+	case SDR_PARDENY: return "SDR_PARDENY";
+	case SDR_KEYNOTEXIST: return "SDR_KEYNOTEXIST";
+	case SDR_ALGNOTSUPPORT: return "SDR_ALGNOTSUPPORT";
+	case SDR_ALGMODNOTSUPPORT: return "SDR_ALGMODNOTSUPPORT";
+	case SDR_PKOPERR: return "SDR_PKOPERR";
+	case SDR_SKOPERR: return "SDR_SKOPERR";
+	case SDR_SIGNERR: return "SDR_SIGNERR";
+	case SDR_VERIFYERR: return "SDR_VERIFYERR";
+	case SDR_SYMOPERR: return "SDR_SYMOPERR";
+	case SDR_STEPERR: return "SDR_STEPERR";
+	case SDR_FILESIZEERR: return "SDR_FILESIZEERR";
+	case SDR_FILENOEXIST: return "SDR_FILENOEXIST";
+	case SDR_FILEOFSERR: return "SDR_FILEOFSERR";
+	case SDR_KEYTYPEERR: return "SDR_KEYTYPEERR";
+	case SDR_KEYERR: return "SDR_KEYERR";
+	case SDR_ENCDATAERR: return "SDR_ENCDATAERR";
+	case SDR_RANDERR: return "SDR_RANDERR";
+	case SDR_PRKRERR: return "SDR_PRKRERR";
+	case SDR_MACERR: return "SDR_MACERR";
+	case SDR_FILEEXSITS: return "SDR_FILEEXSITS";
+	case SDR_FILEWERR: return "SDR_FILEWERR";
+	case SDR_NOBUFFER: return "SDR_NOBUFFER";
+	case SDR_INARGERR: return "SDR_INARGERR";
+	case SDR_OUTARGERR: return "SDR_OUTARGERR";
+	}
+	return "(unknown)";
+}
diff --git a/tools/sdfutil/sdf_ext.h b/tools/sdfutil/sdf_ext.h
new file mode 100644
index 00000000..b7cfb493
--- /dev/null
+++ b/tools/sdfutil/sdf_ext.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SDFUTIL_SDF_EXT_H
+#define SDFUTIL_SDF_EXT_H
+
+
+#include <stdio.h>
+#include <stdint.h>
+#include "sgd.h"
+#include "sdf.h"
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#define SDF_MIN_KEY_INDEX	  1 /* defined by GM/T 0018 */
+#define SDF_MAX_KEY_INDEX	 32 /* defined by GmSSL */
+#define SDF_MIN_PASSWORD_LENGTH	  8 /* defined by GM/T 0018 */
+#define SDF_MAX_PASSWORD_LENGTH	255 /* defined by GmSSL */
+#define SDF_MAX_FILE_SIZE	(256 * 1024)
+
+
+
+int SDF_LoadLibrary(char *so_path, char *vendor);
+int SDF_UnloadLibrary(void);
+int SDF_ImportKey(void *hSessionHandle, unsigned char *pucKey,
+	unsigned int uiKeyLength, void **phKeyHandle);
+
+int SDF_PrintDeviceInfo(FILE *out, DEVICEINFO *devInfo);
+int SDF_PrintRSAPublicKey(FILE *out, RSArefPublicKey *ref);
+int SDF_PrintRSAPrivateKey(FILE *out, RSArefPrivateKey *ref);
+int SDF_PrintECCPublicKey(FILE *out, ECCrefPublicKey *ref);
+int SDF_PrintECCPrivateKey(FILE *out, ECCrefPrivateKey *ref);
+int SDF_NewECCCipher(ECCCipher **cipher, size_t ulDataLen);
+int SDF_FreeECCCipher(ECCCipher *cipher);
+int SDF_PrintECCCipher(FILE *out, ECCCipher *cipher);
+int SDF_PrintECCSignature(FILE *out, ECCSignature *sig);
+const char *SDF_GetErrorReason(int err);
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/tools/sdfutil/sdf_int.h b/tools/sdfutil/sdf_int.h
new file mode 100644
index 00000000..dd0412e9
--- /dev/null
+++ b/tools/sdfutil/sdf_int.h
@@ -0,0 +1,459 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef SDFUTIL_SDF_METH_H
+#define SDFUTIL_SDF_METH_H
+
+#include "sdf.h"
+
+typedef int (*SDF_OpenDevice_FuncPtr)(
+	void **phDeviceHandle);
+
+typedef int (*SDF_CloseDevice_FuncPtr)(
+	void *hDeviceHandle);
+
+typedef int (*SDF_OpenSession_FuncPtr)(
+	void *hDeviceHandle,
+	void **phSessionHandle);
+
+typedef int (*SDF_CloseSession_FuncPtr)(
+	void *hSessionHandle);
+
+typedef int (*SDF_GetDeviceInfo_FuncPtr)(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo);
+
+typedef int (*SDF_GenerateRandom_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom);
+
+typedef int (*SDF_GetPrivateKeyAccessRight_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength);
+
+typedef int (*SDF_ReleasePrivateKeyAccessRight_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex);
+
+typedef int (*SDF_ExportSignPublicKey_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+typedef int (*SDF_ExportEncPublicKey_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey);
+
+typedef int (*SDF_GenerateKeyPair_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey);
+
+typedef int (*SDF_GenerateKeyWithIPK_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateKeyWithEPK_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_ImportKeyWithISK_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_ExchangeDigitEnvelopeBaseOnRSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength);
+
+typedef int (*SDF_ExportSignPublicKey_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+typedef int (*SDF_ExportEncPublicKey_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey);
+
+typedef int (*SDF_GenerateKeyPair_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey);
+
+typedef int (*SDF_GenerateKeyWithIPK_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateKeyWithEPK_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_ImportKeyWithISK_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateAgreementDataWithECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle);
+
+typedef int (*SDF_GenerateKeyWithECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle);
+
+typedef int (*SDF_GenerateAgreementDataAndKeyWithECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle);
+
+typedef int (*SDF_ExchangeDigitEnvelopeBaseOnECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut);
+
+typedef int (*SDF_GenerateKeyWithKEK_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_ImportKeyWithKEK_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle);
+
+typedef int (*SDF_DestroyKey_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle);
+
+typedef int (*SDF_ExternalPublicKeyOperation_RSA_FuncPtr)(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+typedef int (*SDF_InternalPublicKeyOperation_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+typedef int (*SDF_InternalPrivateKeyOperation_RSA_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength);
+
+typedef int (*SDF_ExternalVerify_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature);
+
+typedef int (*SDF_InternalSign_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+typedef int (*SDF_InternalVerify_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature);
+
+typedef int (*SDF_ExternalEncrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+typedef int (*SDF_ExternalDecrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPrivateKey *pucPrivateKey,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+typedef int (*SDF_InternalEncrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiAlgID,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData);
+
+typedef int (*SDF_InternalDecrypt_ECC_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiAlgID,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+typedef int (*SDF_Encrypt_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength);
+
+typedef int (*SDF_Decrypt_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength);
+
+typedef int (*SDF_CalculateMAC_FuncPtr)(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength);
+
+typedef int (*SDF_HashInit_FuncPtr)(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength);
+
+typedef int (*SDF_HashUpdate_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength);
+
+typedef int (*SDF_HashFinal_FuncPtr)(void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength);
+
+typedef int (*SDF_CreateObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiFileSize);
+
+typedef int (*SDF_ReadObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer);
+
+typedef int (*SDF_WriteObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer);
+
+typedef int (*SDF_DeleteObject_FuncPtr)(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen);
+
+typedef struct sdf_method_st {
+	char *name;
+	void *dso;
+	SDF_OpenDevice_FuncPtr OpenDevice;
+	SDF_CloseDevice_FuncPtr CloseDevice;
+	SDF_OpenSession_FuncPtr OpenSession;
+	SDF_CloseSession_FuncPtr CloseSession;
+	SDF_GetDeviceInfo_FuncPtr GetDeviceInfo;
+	SDF_GenerateRandom_FuncPtr GenerateRandom;
+	SDF_GetPrivateKeyAccessRight_FuncPtr GetPrivateKeyAccessRight;
+	SDF_ReleasePrivateKeyAccessRight_FuncPtr ReleasePrivateKeyAccessRight;
+	SDF_ExportSignPublicKey_RSA_FuncPtr ExportSignPublicKey_RSA;
+	SDF_ExportEncPublicKey_RSA_FuncPtr ExportEncPublicKey_RSA;
+	SDF_GenerateKeyPair_RSA_FuncPtr GenerateKeyPair_RSA;
+	SDF_GenerateKeyWithIPK_RSA_FuncPtr GenerateKeyWithIPK_RSA;
+	SDF_GenerateKeyWithEPK_RSA_FuncPtr GenerateKeyWithEPK_RSA;
+	SDF_ImportKeyWithISK_RSA_FuncPtr ImportKeyWithISK_RSA;
+	SDF_ExchangeDigitEnvelopeBaseOnRSA_FuncPtr ExchangeDigitEnvelopeBaseOnRSA;
+	SDF_ExportSignPublicKey_ECC_FuncPtr ExportSignPublicKey_ECC;
+	SDF_ExportEncPublicKey_ECC_FuncPtr ExportEncPublicKey_ECC;
+	SDF_GenerateKeyPair_ECC_FuncPtr GenerateKeyPair_ECC;
+	SDF_GenerateKeyWithIPK_ECC_FuncPtr GenerateKeyWithIPK_ECC;
+	SDF_GenerateKeyWithEPK_ECC_FuncPtr GenerateKeyWithEPK_ECC;
+	SDF_ImportKeyWithISK_ECC_FuncPtr ImportKeyWithISK_ECC;
+	SDF_GenerateAgreementDataWithECC_FuncPtr GenerateAgreementDataWithECC;
+	SDF_GenerateKeyWithECC_FuncPtr GenerateKeyWithECC;
+	SDF_GenerateAgreementDataAndKeyWithECC_FuncPtr GenerateAgreementDataAndKeyWithECC;
+	SDF_ExchangeDigitEnvelopeBaseOnECC_FuncPtr ExchangeDigitEnvelopeBaseOnECC;
+	SDF_GenerateKeyWithKEK_FuncPtr GenerateKeyWithKEK;
+	SDF_ImportKeyWithKEK_FuncPtr ImportKeyWithKEK;
+	SDF_DestroyKey_FuncPtr DestroyKey;
+	SDF_ExternalPublicKeyOperation_RSA_FuncPtr ExternalPublicKeyOperation_RSA;
+	SDF_InternalPublicKeyOperation_RSA_FuncPtr InternalPublicKeyOperation_RSA;
+	SDF_InternalPrivateKeyOperation_RSA_FuncPtr InternalPrivateKeyOperation_RSA;
+	SDF_ExternalVerify_ECC_FuncPtr ExternalVerify_ECC;
+	SDF_InternalSign_ECC_FuncPtr InternalSign_ECC;
+	SDF_InternalVerify_ECC_FuncPtr InternalVerify_ECC;
+	SDF_ExternalEncrypt_ECC_FuncPtr ExternalEncrypt_ECC;
+	SDF_ExternalDecrypt_ECC_FuncPtr ExternalDecrypt_ECC;
+	SDF_InternalEncrypt_ECC_FuncPtr InternalEncrypt_ECC;
+	SDF_InternalDecrypt_ECC_FuncPtr InternalDecrypt_ECC;
+	SDF_Encrypt_FuncPtr Encrypt;
+	SDF_Decrypt_FuncPtr Decrypt;
+	SDF_CalculateMAC_FuncPtr CalculateMAC;
+	SDF_HashInit_FuncPtr HashInit;
+	SDF_HashUpdate_FuncPtr HashUpdate;
+	SDF_HashFinal_FuncPtr HashFinal;
+	SDF_CreateObject_FuncPtr CreateObject;
+	SDF_ReadObject_FuncPtr ReadObject;
+	SDF_WriteObject_FuncPtr WriteObject;
+	SDF_DeleteObject_FuncPtr DeleteObject;
+} SDF_METHOD;
+
+SDF_METHOD *SDF_METHOD_load_library(const char *so_path);
+void SDF_METHOD_free(SDF_METHOD *meth);
+
+
+typedef struct sdf_vendor_st {
+	char *name;
+	unsigned int (*cipher_vendor2std)(unsigned int vendor_id);
+	unsigned int (*cipher_std2vendor)(unsigned int std_id);
+	unsigned int (*cipher_cap)(unsigned int vendor_cap);
+	unsigned int (*digest_vendor2std)(unsigned int vendor_id);
+	unsigned int (*digest_std2vendor)(unsigned int std_id);
+	unsigned int (*digest_cap)(unsigned int vendor_cap);
+	unsigned int (*pkey_vendor2std)(unsigned int vendor_id);
+	unsigned int (*pkey_std2vendor)(unsigned int std_id);
+	unsigned int (*pkey_cap)(unsigned int vendor_cap);
+	int (*encode_ecccipher)(const ECCCipher *a, void *buf);
+	int (*decode_ecccipher)(ECCCipher *a, const void *buf);
+	unsigned long (*get_error_reason)(int err);
+} SDF_VENDOR;
+
+
+#endif
diff --git a/tools/sdfutil/sdf_lib.c b/tools/sdfutil/sdf_lib.c
new file mode 100644
index 00000000..b3bd4896
--- /dev/null
+++ b/tools/sdfutil/sdf_lib.c
@@ -0,0 +1,1507 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include "sdf_ext.h"
+#include "sdf_int.h"
+
+SDF_METHOD *sdf_method = NULL;
+SDF_VENDOR *sdf_vendor = NULL;
+extern SDF_VENDOR sdf_sansec;
+
+
+#define SDFerr(reason) fprintf(stderr,"sdfutil: %s %d: %s %s\n", __FILE__, __LINE__, __FUNCTION__, reason)
+
+
+#define SDF_R_LOAD_LIBRARY_FAILURE	"SDF_R_LOAD_LIBRARY_FAILURE"
+#define SDF_R_NOT_INITIALIZED		"SDF_R_NOT_INITIALIZED"
+#define SDF_R_NOT_SUPPORTED_ECC_ALGOR	"SDF_R_NOT_SUPPORTED_ECC_ALGOR"
+#define SDF_R_NOT_SUPPORTED_CIPHER_ALGOR "SDF_R_NOT_SUPPORTED_CIPHER_ALGOR"
+#define SDF_R_BUFFER_TOO_SMALL		"SDF_R_BUFFER_TOO_SMALL"
+#define SDF_R_NOT_SUPPORTED_PKEY_ALGOR	"SDF_R_NOT_SUPPORTED_PKEY_ALGOR"
+#define SDF_R_NOT_SUPPORTED_DIGEST_ALGOR "SDF_R_NOT_SUPPORTED_DIGEST_ALGOR"
+#define ERR_R_SDF_LIB			"ERR_R_SDF_LIB"
+
+
+
+int SDF_LoadLibrary(char *so_path, char *vendor)
+{
+	if (sdf_method) {
+		SDF_METHOD_free(sdf_method);
+		sdf_method = NULL;
+	}
+
+	if (!(sdf_method = SDF_METHOD_load_library(so_path))) {
+		SDFerr(SDF_R_LOAD_LIBRARY_FAILURE);
+		return SDR_BASE;
+	}
+
+	if (vendor) {
+		if (strcmp(vendor, sdf_sansec.name) == 0) {
+			sdf_vendor = &sdf_sansec;
+		}
+	}
+
+	return SDR_OK;
+}
+
+int SDF_UnloadLibrary(void)
+{
+	SDF_METHOD_free(sdf_method);
+	sdf_method = NULL;
+	sdf_vendor = NULL;
+	return SDR_OK;
+}
+
+int SDF_OpenDevice(
+	void **phDeviceHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method  || !sdf_method->OpenDevice) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->OpenDevice(
+		phDeviceHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CloseDevice(
+	void *hDeviceHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CloseDevice) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->CloseDevice(
+		hDeviceHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_OpenSession(
+	void *hDeviceHandle,
+	void **phSessionHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->OpenSession) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->OpenSession(
+		hDeviceHandle,
+		phSessionHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CloseSession(
+	void *hSessionHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CloseSession) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->CloseSession(
+		hSessionHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GetDeviceInfo(
+	void *hSessionHandle,
+	DEVICEINFO *pstDeviceInfo)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GetDeviceInfo) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GetDeviceInfo(
+		hSessionHandle,
+		pstDeviceInfo)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateRandom(
+	void *hSessionHandle,
+	unsigned int uiLength,
+	unsigned char *pucRandom)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateRandom) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateRandom(
+		hSessionHandle,
+		uiLength,
+		pucRandom)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GetPrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucPassword,
+	unsigned int uiPwdLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GetPrivateKeyAccessRight) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GetPrivateKeyAccessRight(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPassword,
+		uiPwdLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ReleasePrivateKeyAccessRight(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ReleasePrivateKeyAccessRight) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ReleasePrivateKeyAccessRight(
+		hSessionHandle,
+		uiKeyIndex)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportSignPublicKey_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportSignPublicKey_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportEncPublicKey_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportEncPublicKey_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	RSArefPrivateKey *pucPrivateKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyPair_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyPair_RSA(
+		hSessionHandle,
+		uiKeyBits,
+		pucPublicKey,
+		pucPrivateKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithIPK_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithIPK_RSA(
+		hSessionHandle,
+		uiIPKIndex,
+		uiKeyBits,
+		pucKey,
+		puiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithEPK_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithEPK_RSA(
+		hSessionHandle,
+		uiKeyBits,
+		pucPublicKey,
+		pucKey,
+		puiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_RSA(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ImportKeyWithISK_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ImportKeyWithISK_RSA(
+		hSessionHandle,
+		uiISKIndex,
+		pucKey,
+		uiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnRSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDEInput,
+	unsigned int uiDELength,
+	unsigned char *pucDEOutput,
+	unsigned int *puiDELength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExchangeDigitEnvelopeBaseOnRSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExchangeDigitEnvelopeBaseOnRSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey,
+		pucDEInput,
+		uiDELength,
+		pucDEOutput,
+		puiDELength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportSignPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportSignPublicKey_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportSignPublicKey_ECC(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExportEncPublicKey_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	ECCrefPublicKey *pucPublicKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExportEncPublicKey_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExportEncPublicKey_ECC(
+		hSessionHandle,
+		uiKeyIndex,
+		pucPublicKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyPair_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int  uiKeyBits,
+	ECCrefPublicKey *pucPublicKey,
+	ECCrefPrivateKey *pucPrivateKey)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyPair_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_ECC_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->GenerateKeyPair_ECC(
+		hSessionHandle,
+		uiAlgID,
+		uiKeyBits,
+		pucPublicKey,
+		pucPrivateKey)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithIPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiKeyBits,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithIPK_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithIPK_ECC(
+		hSessionHandle,
+		uiIPKIndex,
+		uiKeyBits,
+		pucKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithEPK_ECC(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithEPK_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithEPK_ECC(
+		hSessionHandle,
+		uiKeyBits,
+		uiAlgID,
+		pucPublicKey,
+		pucKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithISK_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	ECCCipher *pucKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ImportKeyWithISK_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ImportKeyWithISK_ECC(
+		hSessionHandle,
+		uiISKIndex,
+		pucKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateAgreementDataWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	void **phAgreementHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateAgreementDataWithECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateAgreementDataWithECC(
+		hSessionHandle,
+		uiISKIndex,
+		uiKeyBits,
+		pucSponsorID,
+		uiSponsorIDLength,
+		pucSponsorPublicKey,
+		pucSponsorTmpPublicKey,
+		phAgreementHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithECC(
+	void *hSessionHandle,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void *hAgreementHandle,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithECC(
+		hSessionHandle,
+		pucResponseID,
+		uiResponseIDLength,
+		pucResponsePublicKey,
+		pucResponseTmpPublicKey,
+		hAgreementHandle,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateAgreementDataAndKeyWithECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiKeyBits,
+	unsigned char *pucResponseID,
+	unsigned int uiResponseIDLength,
+	unsigned char *pucSponsorID,
+	unsigned int uiSponsorIDLength,
+	ECCrefPublicKey *pucSponsorPublicKey,
+	ECCrefPublicKey *pucSponsorTmpPublicKey,
+	ECCrefPublicKey *pucResponsePublicKey,
+	ECCrefPublicKey *pucResponseTmpPublicKey,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateAgreementDataAndKeyWithECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->GenerateAgreementDataAndKeyWithECC(
+		hSessionHandle,
+		uiISKIndex,
+		uiKeyBits,
+		pucResponseID,
+		uiResponseIDLength,
+		pucSponsorID,
+		uiSponsorIDLength,
+		pucSponsorPublicKey,
+		pucSponsorTmpPublicKey,
+		pucResponsePublicKey,
+		pucResponseTmpPublicKey,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExchangeDigitEnvelopeBaseOnECC(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	ECCCipher *pucEncDataIn,
+	ECCCipher *pucEncDataOut)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExchangeDigitEnvelopeBaseOnECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ExchangeDigitEnvelopeBaseOnECC(
+		hSessionHandle,
+		uiKeyIndex,
+		uiAlgID,
+		pucPublicKey,
+		pucEncDataIn,
+		pucEncDataOut)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_GenerateKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiKeyBits,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int *puiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->GenerateKeyWithKEK) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->GenerateKeyWithKEK(
+		hSessionHandle,
+		uiKeyBits,
+		uiAlgID,
+		uiKEKIndex,
+		pucKey,
+		puiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ImportKeyWithKEK(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	unsigned int uiKEKIndex,
+	unsigned char *pucKey,
+	unsigned int uiKeyLength,
+	void **phKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ImportKeyWithKEK) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ImportKeyWithKEK(
+		hSessionHandle,
+		uiAlgID,
+		uiKEKIndex,
+		pucKey,
+		uiKeyLength,
+		phKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_DestroyKey(
+	void *hSessionHandle,
+	void *hKeyHandle)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->DestroyKey) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->DestroyKey(
+		hSessionHandle,
+		hKeyHandle)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	RSArefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExternalPublicKeyOperation_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ExternalPublicKeyOperation_RSA(
+		hSessionHandle,
+		pucPublicKey,
+		pucDataInput,
+		uiInputLength,
+		pucDataOutput,
+		puiOutputLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalPublicKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalPublicKeyOperation_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalPublicKeyOperation_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucDataInput,
+		uiInputLength,
+		pucDataOutput,
+		puiOutputLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalPrivateKeyOperation_RSA(
+	void *hSessionHandle,
+	unsigned int uiKeyIndex,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	unsigned char *pucDataOutput,
+	unsigned int *puiOutputLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalPrivateKeyOperation_RSA) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalPrivateKeyOperation_RSA(
+		hSessionHandle,
+		uiKeyIndex,
+		pucDataInput,
+		uiInputLength,
+		pucDataOutput,
+		puiOutputLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucDataInput,
+	unsigned int uiInputLength,
+	ECCSignature *pucSignature)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExternalVerify_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ExternalVerify_ECC(
+		hSessionHandle,
+		uiAlgID,
+		pucPublicKey,
+		pucDataInput,
+		uiInputLength,
+		pucSignature)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalSign_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalSign_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalSign_ECC(
+		hSessionHandle,
+		uiISKIndex,
+		pucData,
+		uiDataLength,
+		pucSignature)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalVerify_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCSignature *pucSignature)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->InternalVerify_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->InternalVerify_ECC(
+		hSessionHandle,
+		uiIPKIndex,
+		pucData,
+		uiDataLength,
+		pucSignature)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ExternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ExternalEncrypt_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->ExternalEncrypt_ECC(
+		hSessionHandle,
+		uiAlgID,
+		pucPublicKey,
+		pucData,
+		uiDataLength,
+		pucEncData)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_InternalEncrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiIPKIndex,
+	unsigned int uiAlgID,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	ECCCipher *pucEncData)
+{
+	int ret = SDR_UNKNOWERR;
+	ECCCipher *buf = pucEncData;
+
+	if (!sdf_method || !sdf_method->InternalEncrypt_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (pucEncData->L < uiDataLength) {
+		SDFerr(SDF_R_BUFFER_TOO_SMALL);
+		return SDR_NOBUFFER;
+	}
+
+	if (sdf_vendor && sdf_vendor->decode_ecccipher) {
+		if (SDF_NewECCCipher(&buf, uiDataLength) != SDR_OK) {
+			SDFerr(ERR_R_SDF_LIB);
+			return SDR_UNKNOWERR;
+		}
+	}
+
+	if (sdf_vendor && sdf_vendor->pkey_std2vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			ret = SDR_ALGNOTSUPPORT;
+			goto end;
+		}
+	}
+
+	if ((ret = sdf_method->InternalEncrypt_ECC(
+		hSessionHandle,
+		uiIPKIndex,
+		uiAlgID,
+		pucData,
+		uiDataLength,
+		buf)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		goto end;
+	}
+
+	if (sdf_vendor && sdf_vendor->decode_ecccipher) {
+		if (!sdf_vendor->decode_ecccipher(pucEncData, buf)) {
+			SDFerr(ERR_R_SDF_LIB);
+			ret = SDR_UNKNOWERR;
+			goto end;
+		}
+	}
+
+	/*
+	{
+		int i;
+		unsigned char *p = (unsigned char *)pucEncData;
+		for (i = 0; i < sizeof(ECCCipher) -1 + uiDataLength; i++) {
+			printf("%02x", p[i]);
+		}
+		printf("\n");
+	}
+	*/
+
+	ret = SDR_OK;
+
+end:
+	if (sdf_vendor && sdf_vendor->decode_ecccipher && buf) {
+		SDF_FreeECCCipher(buf);
+	}
+	return ret;
+}
+
+int SDF_InternalDecrypt_ECC(
+	void *hSessionHandle,
+	unsigned int uiISKIndex,
+	unsigned int uiAlgID,
+	ECCCipher *pucEncData,
+	unsigned char *pucData,
+	unsigned int *uiDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+	ECCCipher *buf = pucEncData;
+
+	if (!sdf_method || !sdf_method->InternalDecrypt_ECC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor && sdf_vendor->pkey_std2vendor) {
+		if (!(uiAlgID = sdf_vendor->pkey_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_PKEY_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if (sdf_vendor && sdf_vendor->encode_ecccipher) {
+		if (SDF_NewECCCipher(&buf, pucEncData->L) != SDR_OK) {
+			SDFerr(ERR_R_SDF_LIB);
+			return SDR_UNKNOWERR;
+		}
+
+		if (!sdf_vendor->encode_ecccipher(pucEncData, buf)) {
+			SDFerr(ERR_R_SDF_LIB);
+			ret = SDR_UNKNOWERR;
+			goto end;
+		}
+	}
+
+	if ((ret = sdf_method->InternalDecrypt_ECC(
+		hSessionHandle,
+		uiISKIndex,
+		uiAlgID,
+		buf,
+		pucData,
+		uiDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		goto end;
+	}
+
+end:
+	if (sdf_vendor && sdf_vendor->encode_ecccipher && buf) {
+		SDF_FreeECCCipher(buf);
+	}
+	return ret;
+}
+
+int SDF_Encrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucEncData,
+	unsigned int *puiEncDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->Encrypt) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->Encrypt(
+		hSessionHandle,
+		hKeyHandle,
+		uiAlgID,
+		pucIV,
+		pucData,
+		uiDataLength,
+		pucEncData,
+		puiEncDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_Decrypt(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucEncData,
+	unsigned int uiEncDataLength,
+	unsigned char *pucData,
+	unsigned int *puiDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->Decrypt) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->Decrypt(
+		hSessionHandle,
+		hKeyHandle,
+		uiAlgID,
+		pucIV,
+		pucEncData,
+		uiEncDataLength,
+		pucData,
+		puiDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CalculateMAC(
+	void *hSessionHandle,
+	void *hKeyHandle,
+	unsigned int uiAlgID,
+	unsigned char *pucIV,
+	unsigned char *pucData,
+	unsigned int uiDataLength,
+	unsigned char *pucMAC,
+	unsigned int *puiMACLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CalculateMAC) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->cipher_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_CIPHER_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->CalculateMAC(
+		hSessionHandle,
+		hKeyHandle,
+		uiAlgID,
+		pucIV,
+		pucData,
+		uiDataLength,
+		pucMAC,
+		puiMACLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_HashInit(
+	void *hSessionHandle,
+	unsigned int uiAlgID,
+	ECCrefPublicKey *pucPublicKey,
+	unsigned char *pucID,
+	unsigned int uiIDLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->HashInit) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if (sdf_vendor) {
+		if (!(uiAlgID = sdf_vendor->digest_std2vendor(uiAlgID))) {
+			SDFerr(SDF_R_NOT_SUPPORTED_DIGEST_ALGOR);
+			return SDR_ALGNOTSUPPORT;
+		}
+	}
+
+	if ((ret = sdf_method->HashInit(
+		hSessionHandle,
+		uiAlgID,
+		pucPublicKey,
+		pucID,
+		uiIDLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_HashUpdate(
+	void *hSessionHandle,
+	unsigned char *pucData,
+	unsigned int uiDataLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->HashUpdate) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->HashUpdate(
+		hSessionHandle,
+		pucData,
+		uiDataLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_HashFinal(
+	void *hSessionHandle,
+	unsigned char *pucHash,
+	unsigned int *puiHashLength)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->HashFinal) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->HashFinal(
+		hSessionHandle,
+		pucHash,
+		puiHashLength)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_CreateFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiFileSize)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->CreateObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->CreateObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen,
+		uiFileSize)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_ReadFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int *puiReadLength,
+	unsigned char *pucBuffer)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->ReadObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->ReadObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen,
+		uiOffset,
+		puiReadLength,
+		pucBuffer)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_WriteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen,
+	unsigned int uiOffset,
+	unsigned int uiWriteLength,
+	unsigned char *pucBuffer)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->WriteObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->WriteObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen,
+		uiOffset,
+		uiWriteLength,
+		pucBuffer)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
+
+int SDF_DeleteFile(
+	void *hSessionHandle,
+	unsigned char *pucFileName,
+	unsigned int uiNameLen)
+{
+	int ret = SDR_UNKNOWERR;
+
+	if (!sdf_method || !sdf_method->DeleteObject) {
+		SDFerr(SDF_R_NOT_INITIALIZED);
+		return SDR_NOTSUPPORT;
+	}
+
+	if ((ret = sdf_method->DeleteObject(
+		hSessionHandle,
+		pucFileName,
+		uiNameLen)) != SDR_OK) {
+		SDFerr(SDF_GetErrorReason(ret));
+		return ret;
+	}
+
+	return SDR_OK;
+}
diff --git a/tools/sdfutil/sdf_meth.c b/tools/sdfutil/sdf_meth.c
new file mode 100644
index 00000000..c172777c
--- /dev/null
+++ b/tools/sdfutil/sdf_meth.c
@@ -0,0 +1,143 @@
+/* ====================================================================
+ * Copyright (c) 2016 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dlfcn.h>
+#include "sdf_int.h"
+
+#define SDFerr(a,b)
+
+#define SDF_METHOD_BIND_FUNCTION_EX(func,name) \
+	sdf->func = (SDF_##func##_FuncPtr)dlsym(sdf->dso, "SDF_"#name)
+
+#define SDF_METHOD_BIND_FUNCTION(func) \
+	SDF_METHOD_BIND_FUNCTION_EX(func,func)
+
+SDF_METHOD *SDF_METHOD_load_library(const char *so_path)
+{
+	SDF_METHOD *ret = NULL;
+	SDF_METHOD *sdf = NULL;
+
+	if (!(sdf = malloc(sizeof(*sdf)))) {
+		SDFerr(SDF_F_SDF_METHOD_LOAD_LIBRARY, ERR_R_MALLOC_FAILURE);
+		goto end;
+	}
+	memset(sdf, 0, sizeof(*sdf));
+
+	if (!(sdf->dso = dlopen(so_path, 0))) {
+		SDFerr(SDF_F_SDF_METHOD_LOAD_LIBRARY, SDF_R_DSO_LOAD_FAILURE);
+		goto end;
+	}
+
+	SDF_METHOD_BIND_FUNCTION(OpenDevice);
+	SDF_METHOD_BIND_FUNCTION(CloseDevice);
+	SDF_METHOD_BIND_FUNCTION(OpenSession);
+	SDF_METHOD_BIND_FUNCTION(CloseSession);
+	SDF_METHOD_BIND_FUNCTION(GetDeviceInfo);
+	SDF_METHOD_BIND_FUNCTION(GenerateRandom);
+	SDF_METHOD_BIND_FUNCTION(GetPrivateKeyAccessRight);
+	SDF_METHOD_BIND_FUNCTION(ReleasePrivateKeyAccessRight);
+	SDF_METHOD_BIND_FUNCTION(ExportSignPublicKey_RSA);
+	SDF_METHOD_BIND_FUNCTION(ExportEncPublicKey_RSA);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyPair_RSA);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithIPK_RSA);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithEPK_RSA);
+	SDF_METHOD_BIND_FUNCTION(ImportKeyWithISK_RSA);
+	SDF_METHOD_BIND_FUNCTION(ExchangeDigitEnvelopeBaseOnRSA);
+	SDF_METHOD_BIND_FUNCTION(ExportSignPublicKey_ECC);
+	SDF_METHOD_BIND_FUNCTION(ExportEncPublicKey_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyPair_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithIPK_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithEPK_ECC);
+	SDF_METHOD_BIND_FUNCTION(ImportKeyWithISK_ECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateAgreementDataWithECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateAgreementDataAndKeyWithECC);
+	SDF_METHOD_BIND_FUNCTION(ExchangeDigitEnvelopeBaseOnECC);
+	SDF_METHOD_BIND_FUNCTION(GenerateKeyWithKEK);
+	SDF_METHOD_BIND_FUNCTION(ImportKeyWithKEK);
+	SDF_METHOD_BIND_FUNCTION(DestroyKey);
+	SDF_METHOD_BIND_FUNCTION(ExternalPublicKeyOperation_RSA);
+	//SDF_METHOD_BIND_FUNCTION(InternalPublicKeyOperation_RSA);
+	SDF_METHOD_BIND_FUNCTION(InternalPrivateKeyOperation_RSA);
+	SDF_METHOD_BIND_FUNCTION(ExternalVerify_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalSign_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalVerify_ECC);
+	SDF_METHOD_BIND_FUNCTION(ExternalEncrypt_ECC);
+	//SDF_METHOD_BIND_FUNCTION(ExternalDecrypt_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalEncrypt_ECC);
+	SDF_METHOD_BIND_FUNCTION(InternalDecrypt_ECC);
+	SDF_METHOD_BIND_FUNCTION(Encrypt);
+	SDF_METHOD_BIND_FUNCTION(Decrypt);
+	SDF_METHOD_BIND_FUNCTION(CalculateMAC);
+	SDF_METHOD_BIND_FUNCTION(HashInit);
+	SDF_METHOD_BIND_FUNCTION(HashUpdate);
+	SDF_METHOD_BIND_FUNCTION(HashFinal);
+	SDF_METHOD_BIND_FUNCTION_EX(CreateObject,CreateFile);
+	SDF_METHOD_BIND_FUNCTION_EX(ReadObject,ReadFile);
+	SDF_METHOD_BIND_FUNCTION_EX(WriteObject,WriteFile);
+	SDF_METHOD_BIND_FUNCTION_EX(DeleteObject,DeleteFile);
+
+	ret = sdf;
+	sdf = NULL;
+
+end:
+	SDF_METHOD_free(sdf);
+	return ret;
+}
+
+void SDF_METHOD_free(SDF_METHOD *meth)
+{
+	if (meth) free(meth->dso);
+	free(meth);
+}
+
+
diff --git a/tools/sdfutil/sdf_sansec.c b/tools/sdfutil/sdf_sansec.c
new file mode 100644
index 00000000..c562c53e
--- /dev/null
+++ b/tools/sdfutil/sdf_sansec.c
@@ -0,0 +1,305 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include "sdf.h"
+#include "sdf_int.h"
+#include "sdf_sansec.h"
+
+
+#define SDFerr(a,b)
+
+typedef struct {
+	unsigned int std_id;
+	unsigned int vendor_id;
+} SDF_ALGOR_PAIR;
+
+static SDF_ALGOR_PAIR sansec_ciphers[] = {
+	{ SGD_SM1, SANSEC_SM1 },
+	{ SGD_SM1_ECB, SANSEC_SM1_ECB },
+	{ SGD_SM1_CBC, SANSEC_SM1_CBC },
+	{ SGD_SM1_CFB, SANSEC_SM1_CFB },
+	{ SGD_SM1_OFB, SANSEC_SM1_OFB },
+	{ SGD_SM1_MAC, SANSEC_SM1_MAC },
+	{ SGD_SM4, SANSEC_SM4 },
+	{ SGD_SM4_ECB, SANSEC_SM4_ECB },
+	{ SGD_SM4_CBC, SANSEC_SM4_CBC },
+	{ SGD_SM4_CFB, SANSEC_SM4_CFB },
+	{ SGD_SM4_OFB, SANSEC_SM4_OFB },
+	{ SGD_SM4_MAC, SANSEC_SM4_MAC },
+	{ SGD_SSF33, SANSEC_SSF33 },
+	{ SGD_SSF33_ECB, SANSEC_SSF33_ECB },
+	{ SGD_SSF33_CBC, SANSEC_SSF33_CBC },
+	{ SGD_SSF33_CFB, SANSEC_SSF33_CFB },
+	{ SGD_SSF33_OFB, SANSEC_SSF33_OFB },
+	{ SGD_SSF33_MAC, SANSEC_SSF33_MAC },
+	{ 0, SANSEC_AES },
+	{ 0, SANSEC_AES_ECB },
+	{ 0, SANSEC_AES_CBC },
+	{ 0, SANSEC_AES_CFB },
+	{ 0, SANSEC_AES_OFB },
+	{ 0, SANSEC_AES_MAC },
+	{ 0, SANSEC_DES },
+	{ 0, SANSEC_DES_ECB },
+	{ 0, SANSEC_DES_CBC },
+	{ 0, SANSEC_DES_CFB },
+	{ 0, SANSEC_DES_OFB },
+	{ 0, SANSEC_DES_MAC },
+	{ 0, SANSEC_3DES },
+	{ 0, SANSEC_3DES_ECB },
+	{ 0, SANSEC_3DES_CBC },
+	{ 0, SANSEC_3DES_CFB },
+	{ 0, SANSEC_3DES_OFB },
+	{ 0, SANSEC_3DES_MAC },
+};
+
+static unsigned int sansec_cipher_vendor2std(unsigned int vendor_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_ciphers)/sizeof(sansec_ciphers[0]); i++) {
+		if (vendor_id == sansec_ciphers[i].vendor_id) {
+			return sansec_ciphers[i].std_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_cipher_std2vendor(unsigned int std_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_ciphers)/sizeof(sansec_ciphers[0]); i++) {
+		if (std_id == sansec_ciphers[i].std_id) {
+			return sansec_ciphers[i].vendor_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_cipher_cap(unsigned int vendor_cap)
+{
+	unsigned int std_cap = 0;
+	size_t i;
+
+	for (i = 0; i < sizeof(sansec_ciphers)/sizeof(sansec_ciphers[0]); i++) {
+		if (vendor_cap & sansec_ciphers[i].vendor_id) {
+			std_cap |= sansec_ciphers[i].std_id;
+		}
+	}
+
+	return std_cap;
+}
+
+static SDF_ALGOR_PAIR sansec_digests[] = {
+	{ SGD_SM3, SANSEC_SM3 },
+	{ SGD_SHA1, SANSEC_SHA1 },
+	{ SGD_SHA256, SANSEC_SHA256 },
+	{ 0, SANSEC_SHA512 },
+	{ 0, SANSEC_SHA384 },
+	{ 0, SANSEC_SHA224 },
+	{ 0, SANSEC_MD5 },
+};
+
+static unsigned int sansec_digest_vendor2std(unsigned int vendor_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_digests)/sizeof(sansec_digests[0]); i++) {
+		if (vendor_id == sansec_digests[i].vendor_id) {
+			return sansec_digests[i].std_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_digest_std2vendor(unsigned int std_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_digests)/sizeof(sansec_digests[0]); i++) {
+		if (std_id == sansec_digests[i].std_id) {
+			return sansec_digests[i].vendor_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_digest_cap(unsigned int vendor_cap)
+{
+	unsigned int std_cap = 0;
+	size_t i;
+
+	for (i = 0; i < sizeof(sansec_digests)/sizeof(sansec_digests[0]); i++) {
+		if (vendor_cap & sansec_digests[i].vendor_id) {
+			std_cap |= sansec_digests[i].std_id;
+		}
+	}
+
+	return std_cap;
+}
+
+static SDF_ALGOR_PAIR sansec_pkeys[] = {
+	{ SGD_RSA,SANSEC_RSA },
+	{ SGD_RSA_SIGN,SANSEC_RSA_SIGN },
+	{ SGD_RSA_ENC,SANSEC_RSA_ENC },
+	{ SGD_SM2,SANSEC_SM2 },
+	{ SGD_SM2_1,SANSEC_SM2_1 },
+	{ SGD_SM2_2,SANSEC_SM2_2 },
+	{ SGD_SM2_3,SANSEC_SM2_3 },
+};
+
+static unsigned int sansec_pkey_vendor2std(unsigned int vendor_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_pkeys)/sizeof(sansec_pkeys[0]); i++) {
+		if (vendor_id == sansec_pkeys[i].vendor_id) {
+			return sansec_pkeys[i].std_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_pkey_std2vendor(unsigned int std_id)
+{
+	size_t i;
+	for (i = 0; i < sizeof(sansec_pkeys)/sizeof(sansec_pkeys[0]); i++) {
+		if (std_id == sansec_pkeys[i].std_id) {
+			return sansec_pkeys[i].vendor_id;
+		}
+	}
+	return 0;
+}
+
+static unsigned int sansec_pkey_cap(unsigned int vendor_cap)
+{
+	unsigned int std_cap = 0;
+	size_t i;
+
+	for (i = 0; i < sizeof(sansec_pkeys)/sizeof(sansec_pkeys[0]); i++) {
+		if (vendor_cap & sansec_pkeys[i].vendor_id) {
+			std_cap |= sansec_pkeys[i].std_id;
+		}
+	}
+
+	return std_cap;
+}
+
+static int sansec_encode_ecccipher(const ECCCipher *ec, void *vendor)
+{
+	int ret;
+	SANSEC_ECCCipher *sansec = vendor;
+	ret = sizeof(SANSEC_ECCCipher);
+
+	if (ec->L > sizeof(sansec->C)) {
+		SDFerr(SDF_F_SANSEC_ENCODE_ECCCIPHER,
+			SDF_R_INVALID_SANSEC_ECCCIPHER_LENGTH);
+		return 0;
+	}
+
+	if (vendor) {
+		sansec->clength = ec->L;
+		memcpy(sansec->x, ec->x, sizeof(ec->x));
+		memcpy(sansec->y, ec->y, sizeof(ec->y));
+		memcpy(sansec->M, ec->M, sizeof(ec->M));
+		memset(sansec->M + sizeof(ec->M), 0, sizeof(sansec->M) - sizeof(ec->M));
+		memcpy(sansec->C, ec->C, ec->L);
+		memset(sansec->C + ec->L, 0, sizeof(sansec->C) - ec->L);
+	}
+
+	return ret;
+}
+
+static int sansec_decode_ecccipher(ECCCipher *ec, const void *vendor)
+{
+	int ret;
+	const SANSEC_ECCCipher *sansec = vendor;
+	ret = sizeof(ECCCipher) -1 + sansec->clength;
+
+	if (sansec->clength > sizeof(sansec->C)) {
+		SDFerr(SDF_F_SANSEC_DECODE_ECCCIPHER,
+			SDF_R_INVALID_SANSEC_ECCCIPHER_LENGTH);
+		return 0;
+	}
+
+	if (ec) {
+		memcpy(ec->x, sansec->x, sizeof(ec->x));
+		memcpy(ec->y, sansec->y, sizeof(ec->y));
+		memcpy(ec->M, sansec->M, sizeof(ec->M));
+		ec->L = sansec->clength;
+		memcpy(ec->C, sansec->C, sansec->clength);
+	}
+
+	return ret;
+}
+
+static unsigned long sansec_get_error_reason(int err)
+{
+/*
+	size_t i = 0;
+	for (i = 0; i < OSSL_NELEM(sansec_errors); i++) {
+		if (err == sansec_errors[i].err) {
+			return sansec_errors[i].reason;
+		}
+	}
+*/
+	return 0;
+}
+
+SDF_VENDOR sdf_sansec = {
+	"sansec",
+	sansec_cipher_vendor2std,
+	sansec_cipher_std2vendor,
+	sansec_cipher_cap,
+	sansec_digest_vendor2std,
+	sansec_digest_std2vendor,
+	sansec_digest_cap,
+	sansec_pkey_vendor2std,
+	sansec_pkey_std2vendor,
+	sansec_pkey_cap,
+	sansec_encode_ecccipher,
+	sansec_decode_ecccipher,
+	sansec_get_error_reason,
+};
diff --git a/tools/sdfutil/sdf_sansec.h b/tools/sdfutil/sdf_sansec.h
new file mode 100644
index 00000000..6cd34d70
--- /dev/null
+++ b/tools/sdfutil/sdf_sansec.h
@@ -0,0 +1,192 @@
+/* ====================================================================
+ * Copyright (c) 2016 - 2017 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+#ifndef SDFUTIL_SDF_SANSEC_H
+#define SDFUTIL_SDF_SANSEC_H
+
+#include "sgd.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define SANSEC_SM1		(SGD_SM1)
+#define SANSEC_SM1_ECB		(SANSEC_SM1|SGD_ECB)
+#define SANSEC_SM1_CBC		(SANSEC_SM1|SGD_CBC)
+#define SANSEC_SM1_CFB		(SANSEC_SM1|SGD_CFB)
+#define SANSEC_SM1_OFB		(SANSEC_SM1|SGD_OFB)
+#define SANSEC_SM1_MAC		(SANSEC_SM1|SGD_MAC)
+
+#define SANSEC_SM4		0x00002000
+#define SANSEC_SM4_ECB		(SANSEC_SM4|SGD_ECB)
+#define SANSEC_SM4_CBC		(SANSEC_SM4|SGD_CBC)
+#define SANSEC_SM4_CFB		(SANSEC_SM4|SGD_CFB)
+#define SANSEC_SM4_OFB		(SANSEC_SM4|SGD_OFB)
+#define SANSEC_SM4_MAC		(SANSEC_SM4|SGD_MAC)
+
+#define SANSEC_SSF33		(SGD_SSF33)
+#define SANSEC_SSF33_ECB	(SANSEC_SSF33|SGD_ECB)
+#define SANSEC_SSF33_CBC	(SANSEC_SSF33|SGD_CBC)
+#define SANSEC_SSF33_CFB	(SANSEC_SSF33|SGD_CFB)
+#define SANSEC_SSF33_OFB	(SANSEC_SSF33|SGD_OFB)
+#define SANSEC_SSF33_MAC	(SANSEC_SSF33|SGD_MAC)
+
+#define SANSEC_AES		0x00000400
+#define SANSEC_AES_ECB		(SANSEC_AES|SGD_ECB)
+#define SANSEC_AES_CBC		(SANSEC_AES|SGD_CBC)
+#define SANSEC_AES_CFB		(SANSEC_AES|SGD_CFB)
+#define SANSEC_AES_OFB		(SANSEC_AES|SGD_OFB)
+#define SANSEC_AES_MAC		(SANSEC_AES|SGD_MAC)
+
+#define SANSEC_DES		0x00004000
+#define SANSEC_DES_ECB		(SANSEC_DES|SGD_ECB)
+#define SANSEC_DES_CBC		(SANSEC_DES|SGD_CBC)
+#define SANSEC_DES_CFB		(SANSEC_DES|SGD_CFB)
+#define SANSEC_DES_OFB		(SANSEC_DES|SGD_OFB)
+#define SANSEC_DES_MAC		(SANSEC_DES|SGD_MAC)
+
+#define SANSEC_3DES		0x00000800
+#define SANSEC_3DES_ECB		(SANSEC_3DES|SGD_ECB)
+#define SANSEC_3DES_CBC		(SANSEC_3DES|SGD_CBC)
+#define SANSEC_3DES_CFB		(SANSEC_3DES|SGD_CFB)
+#define SANSEC_3DES_OFB		(SANSEC_3DES|SGD_OFB)
+#define SANSEC_3DES_MAC		(SANSEC_3DES|SGD_MAC)
+
+#define SANSEC_SM3		(SGD_SM3)
+#define SANSEC_SHA1		(SGD_SHA1)
+#define SANSEC_SHA256		(SGD_SHA256)
+#define SANSEC_SHA512		0x00000008
+#define SANSEC_SHA384		0x00000010
+#define SANSEC_SHA224		0x00000020
+#define SANSEC_MD5		0x00000080
+
+#define SANSEC_RSA		(SGD_RSA)
+#define SANSEC_RSA_SIGN		(SGD_RSA_SIGN)
+#define SANSEC_RSA_ENC		0x00010200
+#define SANSEC_SM2		(SGD_SM2)
+#define SANSEC_SM2_1		(SGD_SM2_1)
+#define SANSEC_SM2_2		(SGD_SM2_2)
+#define SANSEC_SM2_3		(SGD_SM2_3)
+
+#define SANSEC_BASE				(SDR_BASE + 0x00010000)
+#define SANSEC_INVALID_USER			(SANSEC_BASE + 0x00000001)
+#define SANSEC_INVALID_AUTHENCODE		(SANSEC_BASE + 0x00000002)
+#define SANSEC_PROTOCOL_VERSION_ERROR		(SANSEC_BASE + 0x00000003)
+#define SANSEC_INVALID_COMMAND			(SANSEC_BASE + 0x00000004)
+#define SANSEC_INVALID_PARAMETERS		(SANSEC_BASE + 0x00000005)
+#define SANSEC_FILE_ALREADY_EXIST		(SANSEC_BASE + 0x00000006)
+#define SANSEC_SYNC_ERROR			(SANSEC_BASE + 0x00000007)
+#define SANSEC_SYNC_LOGIN_ERROR			(SANSEC_BASE + 0x00000008)
+#define SANSEC_SOCKET_TIMEOUT			(SANSEC_BASE + 0x00000100)
+#define SANSEC_CONNECT_ERROR			(SANSEC_BASE + 0x00000101)
+#define SANSEC_SET_SOCKET_OPTION_ERROR		(SANSEC_BASE + 0x00000102)
+#define SANSEC_SOCKET_SEND_ERROR		(SANSEC_BASE + 0x00000104)
+#define SANSEC_SOCKET_RECV_ERROR		(SANSEC_BASE + 0x00000105)
+#define SANSEC_SOCKET_RECV_0			(SANSEC_BASE + 0x00000106)
+#define SANSEC_SEM_TIMEOUT			(SANSEC_BASE + 0x00000200)
+#define SANSEC_NO_AVAILABLE_HSM			(SANSEC_BASE + 0x00000201)
+#define SANSEC_NO_AVAILABLE_CSM			(SANSEC_BASE + 0x00000202)
+#define SANSEC_CONFIG_ERROR			(SANSEC_BASE + 0x00000301)
+#define SANSEC_CARD_BASE			(SDR_BASE + 0x00020000)
+#define SANSEC_CARD_UNKNOW_ERROR		(SANSEC_CARD_BASE + 0x00000001)
+#define SANSEC_CARD_NOT_SUPPORTED		(SANSEC_CARD_BASE + 0x00000002)
+#define SANSEC_CARD_COMMMUCATION_FAILED		(SANSEC_CARD_BASE + 0x00000003)
+#define SANSEC_CARD_HARDWARE_FAILURE		(SANSEC_CARD_BASE + 0x00000004)
+#define SANSEC_CARD_OPEN_DEVICE_FAILED		(SANSEC_CARD_BASE + 0x00000005)
+#define SANSEC_CARD_OPEN_SESSION_FAILED		(SANSEC_CARD_BASE + 0x00000006)
+#define SANSEC_CARD_PRIVATE_KEY_ACCESS_DENYED	(SANSEC_CARD_BASE + 0x00000007)
+#define SANSEC_CARD_KEY_NOT_EXIST		(SANSEC_CARD_BASE + 0x00000008)
+#define SANSEC_CARD_ALGOR_NOT_SUPPORTED		(SANSEC_CARD_BASE + 0x00000009)
+#define SANSEC_CARD_ALG_MODE_NOT_SUPPORTED	(SANSEC_CARD_BASE + 0x00000010)
+#define SANSEC_CARD_PUBLIC_KEY_OPERATION_ERROR	(SANSEC_CARD_BASE + 0x00000011)
+#define SANSEC_CARD_PRIVATE_KEY_OPERATION_ERROR	(SANSEC_CARD_BASE + 0x00000012)
+#define SANSEC_CARD_SIGN_ERROR			(SANSEC_CARD_BASE + 0x00000013)
+#define SANSEC_CARD_VERIFY_ERROR		(SANSEC_CARD_BASE + 0x00000014)
+#define SANSEC_CARD_SYMMETRIC_ALGOR_ERROR	(SANSEC_CARD_BASE + 0x00000015)
+#define SANSEC_CARD_STEP_ERROR			(SANSEC_CARD_BASE + 0x00000016)
+#define SANSEC_CARD_FILE_SIZE_ERROR		(SANSEC_CARD_BASE + 0x00000017)
+#define SANSEC_CARD_FILE_NOT_EXIST		(SANSEC_CARD_BASE + 0x00000018)
+#define SANSEC_CARD_FILE_OFFSET_ERROR		(SANSEC_CARD_BASE + 0x00000019)
+#define SANSEC_CARD_KEY_TYPE_ERROR		(SANSEC_CARD_BASE + 0x00000020)
+#define SANSEC_CARD_KEY_ERROR			(SANSEC_CARD_BASE + 0x00000021)
+#define SANSEC_CARD_BUFFER_TOO_SMALL		(SANSEC_CARD_BASE + 0x00000101)
+#define SANSEC_CARD_DATA_PADDING_ERROR		(SANSEC_CARD_BASE + 0x00000102)
+#define SANSEC_CARD_DATA_SIZE			(SANSEC_CARD_BASE + 0x00000103)
+#define SANSEC_CARD_CRYPTO_NOT_INITED		(SANSEC_CARD_BASE + 0x00000104)
+#define SANSEC_CARD_MANAGEMENT_DENYED		(SANSEC_CARD_BASE + 0x00001001)
+#define SANSEC_CARD_OPERATION_DENYED		(SANSEC_CARD_BASE + 0x00001002)
+#define SANSEC_CARD_DEVICE_STATUS_ERROR		(SANSEC_CARD_BASE + 0x00001003)
+#define SANSEC_CARD_LOGIN_ERROR			(SANSEC_CARD_BASE + 0x00001011)
+#define SANSEC_CARD_USERID_ERROR		(SANSEC_CARD_BASE + 0x00001012)
+#define SANSEC_CARD_PARAMENT_ERROR		(SANSEC_CARD_BASE + 0x00001013)
+#define SANSEC_CARD_MANAGEMENT_DENYED_05	(SANSEC_CARD_BASE + 0x00000801)
+#define SANSEC_CARD_OPERATION_DENYED_05		(SANSEC_CARD_BASE + 0x00000802)
+#define SANSEC_CARD_DEVICE_STATUS_ERROR_05	(SANSEC_CARD_BASE + 0x00000803)
+#define SANSEC_CARD_LOGIN_ERROR_05		(SANSEC_CARD_BASE + 0x00000811)
+#define SANSEC_CARD_USERID_ERROR_05		(SANSEC_CARD_BASE + 0x00000812)
+#define SANSEC_CARD_PARAMENT_ERROR_05		(SANSEC_CARD_BASE + 0x00000813)
+#define SANSEC_CARD_READER_BASE			(SDR_BASE + 0x00030000)
+#define SANSEC_CARD_READER_PIN_ERROR		(SANSEC_CARD_READER_BASE + 0x000063CE)
+#define SANSEC_CARD_READER_NO_CARD		(SANSEC_CARD_READER_BASE + 0x0000FF01)
+#define SANSEC_CARD_READER_CARD_INSERT		(SANSEC_CARD_READER_BASE + 0x0000FF02)
+#define SANSEC_CARD_READER_CARD_INSERT_TYPE 	(SANSEC_CARD_READER_BASE + 0x0000FF03)
+
+#pragma pack(1)
+typedef struct {
+	unsigned int  clength;
+	unsigned char x[ECCref_MAX_LEN];
+	unsigned char y[ECCref_MAX_LEN];
+	unsigned char C[136];
+	unsigned char M[ECCref_MAX_LEN];
+} SANSEC_ECCCipher;
+#pragma pack()
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/tools/sdfutil/sdfutil.c b/tools/sdfutil/sdfutil.c
new file mode 100644
index 00000000..248a3b48
--- /dev/null
+++ b/tools/sdfutil/sdfutil.c
@@ -0,0 +1,364 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+#include "sdf.h"
+#include "sdf_ext.h"
+
+
+# define OP_NONE		0
+# define OP_PRINTDEVINFO	1
+# define OP_PRINTSM2SIGN	2
+# define OP_PRINTSM2ENC		3
+# define OP_PRINTRSASIGN	4
+# define OP_PRINTRSAENC		5
+# define OP_ACCESSKEY		6
+# define OP_IMPORTOBJ		7
+# define OP_EXPORTOBJ 		8
+# define OP_DELOBJ 		9
+
+
+void print_usage(FILE *out, const char *prog)
+{
+	fprintf(out, "Usage: %s commands\n", prog);
+	fprintf(out, "\n");
+	fprintf(out, "Commands:\n");
+	fprintf(out, "  -help           print the usage message\n");
+	fprintf(out, "  -lib            Vendor's SDF dynamic library\n");
+	fprintf(out, "  -vendor         Vendor name\n");
+	fprintf(out, "  -printdevinfo   Print device information\n");
+	fprintf(out, "  -printsm2sign   Print SM2 signing key with key index\n");
+	fprintf(out, "  -printsm2enc    Print SM2 encryption key with key index\n");
+	fprintf(out, "  -printrsasign   Print RSA signing key with key index\n");
+	fprintf(out, "  -printrsaenc    Print RSA encryption key with key index\n");
+	fprintf(out, "  -accesskey      Access private key with the key index number\n");
+	fprintf(out, "  -pass           Passphrase source for accessing private key\n");
+	fprintf(out, "  -importobj      Import data object into device\n");
+	fprintf(out, "  -exportobj      Export data object from device\n");
+	fprintf(out, "  -delobj         Delete data object from device\n");
+	fprintf(out, "  -in             File to be imported from\n");
+	fprintf(out, "  -out            File to be exported to\n");
+
+}
+
+int main(int argc, char **argv)
+{
+	int ret = 1;
+	char *infile = NULL, *outfile = NULL, *prog;
+	char *objname = NULL, *passarg = NULL, *pass = NULL;
+	FILE *in = NULL, *out = NULL;
+	char *lib = NULL, *vendor = NULL;
+	unsigned char buf[SDF_MAX_FILE_SIZE];
+	unsigned int ulen;
+	int len, key_idx = -1;
+
+	int o;
+	int op = OP_NONE;
+	void *hDev = NULL;
+	void *hSession = NULL;
+
+	argc--;
+	argv++;
+	while (argc >= 1) {
+		if (!strcmp(*argv, "-help")) {
+opthelp:
+			print_usage(stdout, prog);
+			goto end;
+
+		} else if (!strcmp(*argv, "-lib")) {
+			if (--argc < 1) goto bad;
+			lib = *(++argv);
+
+		} else if (!strcmp(*argv, "-vendor")) {
+			if (--argc < 1) goto bad;
+			vendor = *(++argv);
+
+		} else if (!strcmp(*argv, "-printdevinfo")) {
+			if (op)
+				goto opthelp;
+			op = OP_PRINTDEVINFO;
+			if (--argc < 1) goto bad;
+			key_idx = atoi(*(++argv));
+
+		} else if (!strcmp(*argv, "-printsm2sign")) {
+			if (op)
+				goto opthelp;
+			op = OP_PRINTSM2SIGN;
+			if (--argc < 1) goto bad;
+			key_idx = atoi(*(++argv));
+
+		} else if (!strcmp(*argv, "-printsm2enc")) {
+			if (op)
+				goto opthelp;
+			op = OP_PRINTSM2ENC;
+			if (--argc < 1) goto bad;
+			key_idx = atoi(*(++argv));
+
+		} else if (!strcmp(*argv, "-printrsasign")) {
+			if (op)
+				goto opthelp;
+			op = OP_PRINTRSASIGN;
+			if (--argc < 1) goto bad;
+			key_idx = atoi(*(++argv));
+
+		} else if (!strcmp(*argv, "-printrsaenc")) {
+			if (op)
+				goto opthelp;
+			op = OP_PRINTRSAENC;
+			if (--argc < 1) goto bad;
+			key_idx = atoi(*(++argv));
+
+		} else if (!strcmp(*argv, "-accesskey")) {
+			if (--argc < 1) goto bad;
+			key_idx = atoi(*(++argv));
+
+		} else if (!strcmp(*argv, "-pass")) {
+			if (--argc < 1) goto bad;
+			pass = *(++argv);
+
+		} else if (!strcmp(*argv, "-importobj")) {
+			if (op)
+				goto opthelp;
+			op = OP_IMPORTOBJ;
+			if (--argc < 1) goto bad;
+			objname = *(++argv);
+
+		} else if (!strcmp(*argv, "-exportobj")) {
+			if (op)
+				goto opthelp;
+			op = OP_EXPORTOBJ;
+			if (--argc < 1) goto bad;
+			objname = *(++argv);
+
+		} else if (!strcmp(*argv, "-delobj")) {
+			if (op)
+				goto opthelp;
+			op = OP_DELOBJ;
+			if (--argc < 1) goto bad;
+			objname = *(++argv);
+
+		} else if (!strcmp(*argv, "-in")) {
+			if (--argc < 1) goto bad;
+			infile = *(++argv);
+
+		} else if (!strcmp(*argv, "-out")) {
+			if (--argc < 1) goto bad;
+			outfile = *(++argv);
+
+		} else {
+			break;
+		}
+
+		argc--;
+		argv++;
+	}
+
+
+	if (argc != 0)
+		goto opthelp;
+
+	if (!lib) {
+		fprintf(stderr, "Option '-lib' required\n");
+		goto opthelp;
+	}
+	if (SDF_LoadLibrary(lib, vendor) != SDR_OK) {
+		//ERR_print_errors(stderr);
+		goto end;
+	}
+
+	if (op == OP_NONE) {
+		ret = 0;
+		goto end;
+	}
+
+	if (SDF_OpenDevice(&hDev) != SDR_OK
+		|| SDF_OpenSession(hDev, &hSession) != SDR_OK) {
+		//ERR_print_errors(stderr);
+		goto end;
+	}
+
+	switch (op) {
+	case OP_PRINTDEVINFO:
+	case OP_PRINTSM2SIGN:
+	case OP_PRINTSM2ENC:
+	case OP_PRINTRSASIGN:
+	case OP_PRINTRSAENC:
+		if (!(out = fopen(outfile, "w"))) {
+			goto opthelp;
+		}
+		break;
+	}
+
+	switch (op) {
+	case OP_PRINTSM2SIGN:
+	case OP_PRINTSM2ENC:
+	case OP_PRINTRSASIGN:
+	case OP_PRINTRSAENC:
+	case OP_ACCESSKEY:
+		if (key_idx < SDF_MIN_KEY_INDEX || key_idx > SDF_MAX_KEY_INDEX) {
+			fprintf(stderr, "Invalid key index\n");
+			goto end;
+		}
+		break;
+	}
+
+	if (op == OP_PRINTDEVINFO) {
+		DEVICEINFO devInfo;
+		if (SDF_GetDeviceInfo(hSession, &devInfo) != SDR_OK
+			|| SDF_PrintDeviceInfo(out, &devInfo) != SDR_OK) {
+			//ERR_print_errors(stderr);
+			goto end;
+		}
+
+	} else if (op == OP_PRINTSM2SIGN || op == OP_PRINTSM2ENC) {
+		ECCrefPublicKey publicKey;
+		if (op == OP_PRINTSM2SIGN) {
+			if (SDF_ExportSignPublicKey_ECC(hSession,
+				key_idx, &publicKey) != SDR_OK) {
+				//ERR_print_errors(stderr);
+				goto end;
+			}
+			fprintf(out, "SM2 Signing Public Key:\n");
+		} else {
+			if (SDF_ExportEncPublicKey_ECC(hSession,
+				key_idx, &publicKey) != SDR_OK) {
+				//ERR_print_errors(stderr);
+				goto end;
+			}
+			fprintf(out, "SM2 Encryption Public Key:\n");
+		}
+		if (SDF_PrintECCPublicKey(out, &publicKey) != SDR_OK) {
+			//ERR_print_errors(stderr);
+			goto end;
+		}
+
+	} else if (op == OP_PRINTRSASIGN || op == OP_PRINTRSAENC) {
+		RSArefPublicKey publicKey;
+		if (op == OP_PRINTRSASIGN) {
+			if (SDF_ExportSignPublicKey_RSA(hSession,
+				key_idx, &publicKey) != SDR_OK) {
+				//ERR_print_errors(stderr);
+				goto end;
+			}
+			fprintf(out, "RSA Signing Public Key:\n");
+		} else {
+			if (SDF_ExportEncPublicKey_RSA(hSession,
+				key_idx, &publicKey) != SDR_OK) {
+				//ERR_print_errors(stderr);
+				goto end;
+			}
+			fprintf(out, "RSA Encryption Public Key:\n");
+		}
+		if (SDF_PrintRSAPublicKey(out, &publicKey) != SDR_OK) {
+			//ERR_print_errors(stderr);
+			goto end;
+		}
+
+	} else if (op == OP_ACCESSKEY) {
+		if (SDF_GetPrivateKeyAccessRight(hSession, (unsigned int)key_idx,
+			(unsigned char *)pass, strlen(pass)) != SDR_OK) {
+			return 0;
+		}
+		(void)SDF_ReleasePrivateKeyAccessRight(hSession, (unsigned int)key_idx);
+		fprintf(stderr, "Access private key %d success\n", key_idx);
+
+	} else if (op == OP_IMPORTOBJ) {
+		if (!(in = fopen(infile, "r"))) {
+			goto opthelp;
+		}
+		if ((len = fread(buf, 1, SDF_MAX_FILE_SIZE, in)) < 0) {
+			fprintf(stderr, "Error reading data object content\n");
+			goto end;
+		}
+		if (SDF_CreateFile(hSession, (unsigned char *)objname, strlen(objname), len) != SDR_OK
+			|| SDF_WriteFile(hSession, (unsigned char *)objname, strlen(objname), 0, len, buf) != SDR_OK) {
+			//ERR_print_errors(stderr);
+			goto end;
+		}
+		fprintf(stderr, "Object '%s' (%d bytes) created\n", objname, len);
+
+	} else if (op == OP_EXPORTOBJ) {
+		if (!(out = fopen(outfile, "w"))) {
+			goto opthelp;
+		}
+		if (SDF_ReadFile(hSession, (unsigned char *)objname, strlen(objname), 0, &ulen, buf) != SDR_OK
+			|| fwrite(buf, 1, ulen, out) != ulen) {
+			//ERR_print_errors(stderr);
+			goto end;
+		}
+		fprintf(stderr, "Object '%s' (%u bytes) exported\n", objname, ulen);
+
+	} else if (op == OP_DELOBJ) {
+		if (SDF_DeleteFile(hSession, (unsigned char *)objname, strlen(objname)) != SDR_OK) {
+			//ERR_print_errors(stderr);
+			goto end;
+		}
+		fprintf(stderr, "Object '%s' deleted\n", objname);
+
+	} else {
+		goto end;
+	}
+
+	ret = 0;
+
+bad:
+	fprintf(stderr, "%s: commands should not be used together\n", prog);
+
+
+end:
+	fclose(in);
+	fclose(out);
+
+	if (hSession) (void)SDF_CloseSession(hSession);
+	if (hDev) (void)SDF_CloseDevice(hDev);
+	if (lib) SDF_UnloadLibrary();
+	return ret;
+}
diff --git a/tools/sdfutil/sgd.h b/tools/sdfutil/sgd.h
new file mode 100644
index 00000000..b94f685c
--- /dev/null
+++ b/tools/sdfutil/sgd.h
@@ -0,0 +1,435 @@
+/*
+ * Copyright (c) 2015 - 2022 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * this header file is based on the standard GM/T 0006-2012
+ * Cryptographic Application Identifier Criterion Specification
+ */
+
+#ifndef SDFUTIL_SGD_H
+#define SDFUTIL_SGD_H
+
+
+#include <stdint.h>
+
+
+/* block cipher modes */
+#define SGD_ECB			0x01
+#define SGD_CBC			0x02
+#define SGD_CFB			0x04
+#define SGD_OFB			0x08
+#define SGD_MAC			0x10
+
+/* stream cipher modes */
+#define SGD_EEA3		0x01
+#define SGD_EIA3		0x02
+
+/* ciphers */
+#define SGD_SM1			0x00000100
+#define SGD_SSF33		0x00000200
+#define SGD_SM4			0x00000400
+#define SGD_ZUC			0x00000800
+
+/* ciphers with modes */
+#define SGD_SM1_ECB		(SGD_SM1|SGD_ECB)
+#define SGD_SM1_CBC		(SGD_SM1|SGD_CBC)
+#define SGD_SM1_CFB		(SGD_SM1|SGD_CFB)
+#define SGD_SM1_OFB		(SGD_SM1|SGD_OFB)
+#define SGD_SM1_MAC		(SGD_SM1|SGD_MAC)
+#define SGD_SSF33_ECB		(SGD_SSF33|SGD_ECB)
+#define SGD_SSF33_CBC		(SGD_SSF33|SGD_CBC)
+#define SGD_SSF33_CFB		(SGD_SSF33|SGD_CFB)
+#define SGD_SSF33_OFB		(SGD_SSF33|SGD_OFB)
+#define SGD_SSF33_MAC		(SGD_SSF33|SGD_MAC)
+#define SGD_SM4_ECB		(SGD_SM4|SGD_ECB)
+#define SGD_SM4_CBC		(SGD_SM4|SGD_CBC)
+#define SGD_SM4_CFB		(SGD_SM4|SGD_CFB)
+#define SGD_SM4_OFB		(SGD_SM4|SGD_OFB)
+#define SGD_SM4_MAC		(SGD_SM4|SGD_MAC)
+#define SGD_ZUC_EEA3		(SGD_ZUC|SGD_EEA3)
+#define SGD_ZUC_EIA3		(SGD_ZUC|SGD_EIA3)
+
+/* public key usage */
+#define SGD_PK_SIGN		0x0100
+#define SGD_PK_DH		0x0200
+#define SGD_PK_ENC		0x0400
+
+/* public key types */
+#define SGD_RSA			0x00010000
+#define SGD_RSA_SIGN		(SGD_RSA|SGD_PK_SIGN)
+#define SGD_RSA_ENC		(SGD_RSA|SGD_PK_ENC)
+#define SGD_SM2			0x00020000
+#define SGD_SM2_1		(SGD_SM2|SGD_PK_SIGN)
+#define SGD_SM2_2		(SGD_SM2|SGD_PK_DH)
+#define SGD_SM2_3		(SGD_SM2|SGD_PK_ENC)
+
+/* hash */
+#define SGD_SM3			0x00000001
+#define SGD_SHA1		0x00000002
+#define SGD_SHA256		0x00000004
+#define SGD_HASH_FROM		0x00000008
+#define SGD_HASH_TO		0x000000FF
+
+/* signatue schemes */
+#define SGD_SM3_RSA		(SGD_SM3|SGD_RSA)
+#define SGD_SHA1_RSA		(SGD_SHA1|SGD_RSA)
+#define SGD_SHA256_RSA		(SGD_SHA256|SGD_RSA)
+#define SGD_SM3_SM2		(SGD_SM3|SGD_SM2)
+#define SGD_SIG_FROM		0x00040000
+#define SGD_SIG_TO		0x800000FF
+
+/* data types */
+typedef char			SGD_CHAR;
+typedef char			SGD_INT8;
+typedef int16_t			SGD_INT16;
+typedef int32_t			SGD_INT32;
+typedef int64_t			SGD_INT64;
+typedef unsigned char		SGD_UCHAR;
+typedef uint8_t			SGD_UINT8;
+typedef uint16_t		SGD_UINT16;
+typedef uint32_t		SGD_UINT32;
+typedef uint64_t		SGD_UINT64;
+typedef uint32_t		SGD_RV;
+typedef void *			SGD_OBJ;
+typedef int32_t			SGD_BOOL;
+
+#define SGD_TRUE		0x00000001
+#define SGD_FALSE		0x00000000
+
+#define SGD_KEY_INDEX		0x00000101
+#define SGD_SECRET_KEY		0x00000102
+#define SGD_PUBLIC_KEY_SIGN	0x00000103
+#define SGD_PUBLIC_KEY_ENCRYPT	0x00000104
+#define SGD_PRIVATE_KEY_SIGN	0x00000105
+#define SGD_PRIVATE_KEY_ENCRYPT	0x00000106
+#define SGD_KEY_COMPONENT	0x00000107
+#define SGD_PASSWORD		0x00000108
+#define SGD_PUBLIC_KEY_CERT	0x00000109
+#define SGD_ATTRIBUTE_CERT	0x1000010A
+#define SGD_SIGNATURE_DATA	0x10000111
+#define SGD_ENVELOPE_DATA	0x10000112
+#define SGD_RANDOM_DATA		0x10000113
+#define SGD_PLAIN_DATA		0x10000114
+#define SGD_CIPHER_DATA		0x10000115
+#define SGD_DIGEST_DATA		0x10000116
+#define SGD_USER_DATA		0x10000117
+
+/* certificate */
+#define SGD_CERT_VERSION			0x00000001
+#define SGD_CERT_SERIAL				0x00000002
+#define SGD_CERT_ISSUER				0x00000005
+#define SGD_CERT_VALID_TIME			0x00000006
+#define SGD_CERT_SUBJECT			0x00000007
+#define SGD_CERT_DER_PUBLIC_KEY			0x00000008
+#define SGD_CERT_DER_EXTENSIONS			0x00000009
+#define SGD_EXT_AUTHORITYKEYIDENTIFIER_INFO	0x00000011
+#define SGD_EXT_SUBJECTKEYIDENTIFIER_INFO	0x00000012
+#define SGD_EXT_KEYUSAGE_INFO			0x00000013
+#define SGD_EXT_PRIVATEKEYUSAGEPERIOD_INFO	0x00000014
+#define SGD_EXT_CERTIFICATEPOLICIES_INFO	0x00000015
+#define SGD_EXT_POLICYMAPPINGS_INFO		0x00000016
+#define SGD_EXT_BASICCONSTRAINTS_INFO		0x00000017
+#define SGD_EXT_POLICYCONSTRAINTS_INFO		0x00000018
+#define SGD_EXT_EXTKEYUSAGE_INFO		0x00000019
+#define SGD_EXT_CRLDISTRIBUTIONPOINTS_INFO	0x0000001A
+#define SGD_EXT_NETSCAPE_CERT_TYPE_INFO		0x0000001B
+#define SGD_EXT_SELFDEFINED_EXTENSION_INFO	0x0000001C
+#define SGD_CERT_ISSUER_CN			0x00000021
+#define SGD_CERT_ISSUER_O			0x00000022
+#define SGD_CERT_ISSUER_OU			0x00000023
+#define SGD_CERT_SUBJECT_CN			0x00000031
+#define SGD_CERT_SUBJECT_O			0x00000032
+#define SGD_CERT_SUBJECT_OU			0x00000033
+#define SGD_CERT_SUBJECT_EMAIL			0x00000034
+#define SGD_CERT_NOTBEFORE_TIME			0x00000035
+#define SGD_CERT_NOTAFTER_TIME			0x00000036
+
+/* timestamp info */
+#define SGD_TIME_OF_STAMP		0x00000201
+#define SGD_CN_OF_TSSIGNER		0x00000202 /* Common Name of TS Signer */
+#define SGD_ORININAL_DATA		0x00000203
+#define SGD_CERT_OF_TSSSERVER		0x00000204
+#define SGD_GERTCHAIN_OF_TSSERVER	0x00000205
+#define SGD_SOURCE_OF_TIME		0x00000206
+#define SGD_TIME_PRECISION		0x00000207
+#define SGD_RESPONSE_TYPE		0x00000208
+#define SGD_SUBJECT_COUNTRY_OF_TSSIGNER	0x00000209
+#define SGD_SUBJECT_ORGNIZATION_OF_TSSIGNER 0x0000020A
+#define SGD_SUJECT_CITY_OF_TSSIGNER	0x0000020B
+#define SGD_SUBJECT_EMAIL_OF_TSSIGNER	0x0000020C
+
+/* single sign-on */
+#define SGD_SP_ID			0x00000001
+#define SGD_SP_USER_ID			0x00000002
+#define SGD_IDP_ID			0x00000003
+#define SGD_IDP_USER_ID			0x00000004
+
+/* data encoding */
+#define SGD_ENCODING_RAW		0x00000000
+#define SGD_ENCODING_DER		0x01000000
+#define SGD_ENCODING_BASE64		0x02000000
+#define SGD_ENCODING_PEM		0x03000000
+#define SGD_ENCODING_TXT		0x04000000
+
+/* APIs */
+#define SGD_PROTOCOL_CSP		1 /* Microsoft CryptoAPI */
+#define SGD_PROTOCOL_PKCS11		2 /* PKCS#11 */
+#define SGD_PROTOCOL_SDS		3 /* SDF API */
+#define SGD_PROTOCOL_UKEY		4 /* SKF API */
+#define SGD_PROTOCOL_CNG		5 /* Microsoft CryptoAPI Next Gen */
+#define SGD_PROTOCOL_GCS		6 /* */
+
+/* certificate validation */
+#define SGD_CRL_VERIFY			1
+#define SGD_OCSP_VEIFY			2
+
+/* role */
+#define SGD_ROLE_SUPER_MANAGER		0x00000001
+#define SGD_ROLE_MANAGER		0x00000002
+#define SGD_ROLE_AUDIT_MANAGER		0x00000003
+#define SGD_ROLE_AUDITOR		0x00000004
+#define SGD_ROLE_OPERATOR		0x00000005
+#define SGD_ROLE_USER			0x00000006
+
+/* user operations */
+#define SGD_OPERATION_SIGNIN		0x00000001
+#define SGD_OPERATION_SIGNOUT		0x00000002
+#define SGD_OPERATION_CREATE		0x00000003
+#define SGD_OPERATION_DELETE		0x00000004
+#define SGD_OPERATION_MODIFY		0x00000005
+#define SGD_OPERATION_CHG_PWD		0x00000006
+#define SGD_OPERATION_AUTHORIZATION	0x00000007
+
+/* user operation results */
+#define SGD_OPERATION_SUCCESS		0x00000000
+
+/* key types */
+#define SGD_MAIN_KEY			0x00000101
+#define SGD_DEVICE_KEYS			0x00000102
+#define SGD_USER_KEYS			0x00000103
+#define SGD_KEY				0x00000104
+#define SGD_SESSION_KEY			0x00000105
+#define SGD_PRIKEY_PASSWD		0x00000106
+#define SGD_COMPARTITION_KEY		0x00000107
+
+/* key operations */
+#define SGD_KEY_GENERATION		0x00000101
+#define SGD_KEY_DISPENSE		0x00000102
+#define SGD_KEY_IMPORT			0x00000103
+#define SGD_KEY_EXPORT			0x00000104
+#define SGD_KEY_DIVISION		0x00000105
+#define SGD_KEY_COMPOSE			0x00000106
+#define SGD_KEY_RENEWAL			0x00000107
+#define SGD_KEY_BACKUP			0x00000108
+#define SGD_KEY_RESTORE			0x00000109
+#define SGD_KEY_DESTORY			0x0000010A
+
+/* system operations */
+#define SGD_SYSTEM_INIT			0x00000201
+#define SGD_SYSTEM_START		0x00000202
+#define SGD_SYSTEM_SHUT			0x00000203
+#define SGD_SYSTEM_RESTART		0x00000204
+#define SGD_SYSTEM_QUERY		0x00000205
+#define SGD_SYSTEM_BACKUP		0x00000206
+#define SGD_SYSTEM_RESTORE		0x00000207
+
+/* device info */
+#define SGD_DEVICE_SORT			0x00000201
+#define SGD_DEVICE_TYPE			0x00000202
+#define SGD_DEVICE_NAME			0x00000203
+#define SGD_DEVICE_MANUFACTURER		0x00000204
+#define SGD_DEVICE_HARDWARE_VERSION	0x00000205
+#define SGD_DEVICE_SOFTWARE_VERSION	0x00000206
+#define SGD_DEVICE_STANDARD_VERSION	0x00000207
+#define SGD_DEVICE_SERIAL_NUMBER	0x00000208
+#define SGD_DEVICE_SUPPORT_SYMM_ALG	0x00000209
+#define SGD_DEVICE_SUPPORT_PKEY_ALG	0x0000020A
+#define SGD_DEVICE_SUPPORT_HASH_ALG	0x0000020B
+#define SGD_DEVICE_SUPPORT_STORAGE_SPACE 0x0000020C
+#define SGD_DEVICE_SUPPORT_FREE_SPACE	0x0000020D
+#define SGD_DEVICE_RUNTIME		0x0000020E
+#define SGD_DEVICE_USED_TIMES		0x0000020F
+#define SGD_DEVICE_LOCATION		0x00000210
+#define SGD_DEVICE_DESCRIPTION		0x00000211
+#define SGD_DEVICE_MANAGER_INFO		0x00000212
+#define SGD_DEVICE_MAX_DATA_SIZE	0x00000213
+
+/* device types */
+#define SGD_DEVICE_SORT_SJ		0x02000000 /* Server */
+#define SGD_DEVICE_SORT_SK		0x03000000 /* PCI-E Card */
+#define SGD_DEVICE_SORT_SM		0x04000000 /* USB-Key and SmartCard */
+
+/* device functionality */
+#define SGD_DEVICE_SORT_FE		0x00000100 /* encryption */
+#define SGD_DEVICE_SORT_FA		0x00000200 /* authentication */
+#define SGD_DEVICE_SORT_FM		0x00000300 /* key management */
+
+/* device status */
+#define SGD_STATUS_INIT			0x00000201
+#define SGD_STATUS_READY		0x00000202
+#define SGD_STATUS_EXCEPTION		0x00000203
+
+/* SKF */
+#ifndef WIN32
+typedef signed char		INT8;
+typedef signed short		INT16;
+typedef signed int		INT32;
+typedef unsigned char		UINT8;
+typedef unsigned short		UINT16;
+typedef unsigned int		UINT32;
+typedef long			BOOL;
+typedef UINT8			BYTE;
+typedef UINT8			CHAR;
+typedef INT16			SHORT;
+typedef UINT16			USHORT;
+# ifndef SGD_NATIVE_LONG
+typedef INT32			LONG;
+typedef UINT32			ULONG;
+# else
+typedef long			LONG;
+typedef unsigned long		ULONG;
+# endif
+typedef UINT32			UINT;
+typedef UINT16			WORD;
+typedef UINT32			DWORD;
+typedef UINT32			FLAGS;
+typedef CHAR *			LPSTR;
+typedef void *			HANDLE;
+#else
+#ifndef _WINDEF_H
+typedef signed char		INT8;
+typedef signed short		INT16;
+typedef signed int		INT32;
+typedef unsigned char		UINT8;
+typedef unsigned short		UINT16;
+typedef unsigned int		UINT32;
+typedef long			BOOL;
+typedef UINT8			BYTE;
+typedef UINT8			CHAR;
+typedef INT16			SHORT;
+typedef UINT16			USHORT;
+# ifndef SGD_NATIVE_LONG
+typedef INT32			LONG;
+typedef UINT32			ULONG;
+# else
+typedef long			LONG;
+typedef unsigned long		ULONG;
+# endif
+typedef UINT32			UINT;
+typedef UINT16			WORD;
+typedef UINT32			DWORD;
+typedef UINT32			FLAGS;
+typedef CHAR *			LPSTR;
+typedef void *			HANDLE;
+#endif
+#endif
+
+typedef HANDLE DEVHANDLE;
+typedef HANDLE HAPPLICATION;
+typedef HANDLE HSESSION;
+typedef HANDLE HCONTAINER;
+
+#ifndef FALSE
+#define FALSE			0x00000000
+#endif
+
+#ifndef TRUE
+#define TRUE			0x00000001
+#endif
+
+#ifdef WIN32
+#define DEVAPI __stdcall
+#else
+#define DEVAPI
+#endif
+
+#ifndef ADMIN_TYPE
+#define ADMIN_TYPE			0
+#endif
+
+#ifndef USER_TYPE
+#define USER_TYPE			1
+#endif
+
+#define MAX_RSA_MODULUS_LEN		256
+#define MAX_RSA_EXPONENT_LEN		4
+#define ECC_MAX_XCOORDINATE_BITS_LEN	512
+#define ECC_MAX_YCOORDINATE_BITS_LEN	512
+#define ECC_MAX_MODULUS_BITS_LEN	512
+
+#define MAX_IV_LEN			32
+
+#define MAX_FILE_NAME_SIZE		32
+#define MAX_FILE_CONTAINER_NAME_SIZE	64
+
+#define SECURE_NEVER_ACCOUNT		0x00000000
+#define SECURE_ADM_ACCOUNT		0x00000001
+#define SECURE_USER_ACCOUNT		0x00000010
+#define SECURE_ANYONE_ACCOUNT		0x000000FF
+
+
+/* SDF */
+
+#define RSAref_MAX_BITS			2048
+#define RSAref_MAX_LEN			((RSAref_MAX_BITS + 7) / 8)
+#define RSAref_MAX_PBITS		((RSAref_MAX_BITS + 1) / 2)
+#define RSAref_MAX_PLEN			((RSAref_MAX_PBITS + 7)/ 8)
+
+#ifdef SGD_MAX_ECC_BITS_256
+#define ECCref_MAX_BITS			256
+#else
+#define ECCref_MAX_BITS			512
+#endif
+#define ECCref_MAX_LEN			((ECCref_MAX_BITS+7) / 8)
+
+
+/* SAF */
+#define SGD_MAX_COUNT		64
+#define SGD_MAX_NAME_SIZE	256
+
+
+#endif