abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add sdfencrypt command

Browse Source
This commit is contained in:
Zhi Guan
2024-06-09 11:17:54 +08:00
parent 368f2e5bdc
commit 9784bbc380
6 changed files with 763 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@@ -552,7 +552,7 @@ if (ENABLE_SDF)
src/sdf/sdf_meth.c src/sdf/sdf_meth.c
src/sdf/sdf_ext.c src/sdf/sdf_ext.c
src/sdf/sdf_sansec.c) src/sdf/sdf_sansec.c)
list(APPEND tools tools/sdfinfo.c tools/sdfdigest.c tools/sdfexport.c tools/sdfsign.c tools/sdftest.c) list(APPEND tools tools/sdfinfo.c tools/sdfdigest.c tools/sdfexport.c tools/sdfsign.c tools/sdfencrypt.c tools/sdftest.c)
endif() endif()

26
include/gmssl/sdf.h
View File

@@ -14,6 +14,7 @@
#include <string.h> #include <string.h>
#include <stdint.h> #include <stdint.h>
#include <gmssl/sm2.h> #include <gmssl/sm2.h>
#include <gmssl/sm4.h>
#ifdef __cplusplus #ifdef __cplusplus
@@ -32,6 +33,18 @@ typedef struct {
void *session; void *session;
} SDF_DIGEST_CTX; } SDF_DIGEST_CTX;
typedef struct {
void *session;
void *handle;
} SDF_KEY;
typedef struct {
SDF_KEY key;
uint8_t iv[SM4_BLOCK_SIZE];
uint8_t block[SM4_BLOCK_SIZE];
size_t block_nbytes;
} SDF_CBC_CTX;
typedef struct { typedef struct {
SM2_Z256_POINT public_key; SM2_Z256_POINT public_key;
void *session; void *session;
@@ -44,6 +57,9 @@ typedef struct {
SDF_SIGN_KEY key; SDF_SIGN_KEY key;
} SDF_SIGN_CTX; } SDF_SIGN_CTX;
int sdf_load_library(const char *so_path, const char *vendor); int sdf_load_library(const char *so_path, const char *vendor);
int sdf_open_device(SDF_DEVICE *dev); int sdf_open_device(SDF_DEVICE *dev);
int sdf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SDF_DEVICE *dev); int sdf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SDF_DEVICE *dev);
@@ -52,7 +68,17 @@ int sdf_digest_update(SDF_DIGEST_CTX *ctx, const uint8_t *data, size_t datalen);
int sdf_digest_finish(SDF_DIGEST_CTX *ctx, uint8_t dgst[SM3_DIGEST_SIZE]); int sdf_digest_finish(SDF_DIGEST_CTX *ctx, uint8_t dgst[SM3_DIGEST_SIZE]);
int sdf_digest_reset(SDF_DIGEST_CTX *ctx); int sdf_digest_reset(SDF_DIGEST_CTX *ctx);
void sdf_digest_cleanup(SDF_DIGEST_CTX *ctx); void sdf_digest_cleanup(SDF_DIGEST_CTX *ctx);
int sdf_generate_key(SDF_DEVICE *dev, SDF_KEY *key, const SM2_KEY *sm2_key, uint8_t *wrappedkey, size_t *wrappedkey_len);
int sdf_import_key(SDF_DEVICE *dev, unsigned int key_index, const char *pass, const uint8_t *wrappedkey, size_t wrappedkey_len, SDF_KEY *key);
int sdf_cbc_encrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16]);
int sdf_cbc_encrypt_update(SDF_CBC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
int sdf_cbc_encrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen);
int sdf_cbc_decrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16]);
int sdf_cbc_decrypt_update(SDF_CBC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
int sdf_cbc_decrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen);
int sdf_destroy_key(SDF_KEY *key);
int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *public_key); int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *public_key);
int sdf_export_encrypt_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *public_key);
int sdf_load_sign_key(SDF_DEVICE *dev, SDF_SIGN_KEY *key, int key_index, const char *pass); int sdf_load_sign_key(SDF_DEVICE *dev, SDF_SIGN_KEY *key, int key_index, const char *pass);
int sdf_sign(SDF_SIGN_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen); int sdf_sign(SDF_SIGN_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen);
int sdf_sign_init(SDF_SIGN_CTX *ctx, const SDF_SIGN_KEY *key, const char *id, size_t idlen); int sdf_sign_init(SDF_SIGN_CTX *ctx, const SDF_SIGN_KEY *key, const char *id, size_t idlen);

481
src/sdf/sdf.c
View File

@@ -13,6 +13,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <gmssl/sdf.h> #include <gmssl/sdf.h>
#include <gmssl/sm2.h> #include <gmssl/sm2.h>
#include <gmssl/sm4.h>
#include <gmssl/error.h> #include <gmssl/error.h>
#include "sdf.h" #include "sdf.h"
#include "sdf_ext.h" #include "sdf_ext.h"
@@ -226,6 +227,445 @@ void sdf_digest_cleanup(SDF_DIGEST_CTX *ctx)
} }
} }
static int sdf_cbc_encrypt_blocks(SDF_KEY *key, uint8_t iv[16], const uint8_t *in, size_t nblocks, uint8_t *out)
{
unsigned int inlen = (unsigned int)(nblocks * 16);
unsigned int outlen = 0;
if (SDF_Encrypt(key->session, key->handle, SGD_SM4_CBC, iv,
(unsigned char *)in, inlen, out, &outlen) != SDR_OK) {
error_print();
return -1;
}
if (outlen != inlen) {
error_print();
return -1;
}
if (outlen) {
if (memcmp(iv, out + outlen - 16, 16) != 0) {
memcpy(iv, out + outlen - 16, 16);
}
}
return 1;
}
static int sdf_cbc_decrypt_blocks(SDF_KEY *key, uint8_t iv[16], const uint8_t *in, size_t nblocks, uint8_t *out)
{
unsigned int inlen = (unsigned int)(nblocks * 16);
unsigned int outlen = 0;
if (SDF_Decrypt(key->session, key->handle, SGD_SM4_CBC,
iv, (unsigned char *)in, inlen, out, &outlen) != SDR_OK) {
error_print();
return -1;
}
if (outlen != inlen) {
error_print();
return -1;
}
if (inlen) {
if (memcmp(iv, in + inlen - 16, 16) != 0) {
memcmp(iv, in + inlen - 16, 16);
}
}
return 1;
}
static int sdf_cbc_padding_encrypt(SDF_KEY *key,
const uint8_t piv[16], const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen)
{
uint8_t iv[16];
uint8_t block[16];
size_t rem = inlen % 16;
int padding = 16 - inlen % 16;
memcpy(iv, piv, 16);
if (in) {
memcpy(block, in + inlen - rem, rem);
}
memset(block + rem, padding, padding);
if (inlen/16) {
if (sdf_cbc_encrypt_blocks(key, iv, in, inlen/16, out) != 1) {
error_print();
return -1;
}
out += inlen - rem;
}
if (sdf_cbc_encrypt_blocks(key, iv, block, 1, out) != 1) {
error_print();
return -1;
}
*outlen = inlen - rem + 16;
return 1;
}
static int sdf_cbc_padding_decrypt(SDF_KEY *key,
const uint8_t piv[16], const uint8_t *in, size_t inlen,
uint8_t *out, size_t *outlen)
{
uint8_t iv[16];
uint8_t block[16];
size_t len = sizeof(block);
int padding;
if (inlen%16 != 0 || inlen < 16) {
error_print();
return -1;
}
memcpy(iv, piv, 16);
if (inlen > 16) {
if (sdf_cbc_decrypt_blocks(key, iv, in, inlen/16 - 1, out) != 1) {
error_print();
return -1;
}
}
if (sdf_cbc_decrypt_blocks(key, iv, in + inlen - 16, 1, block) != 1) {
error_print();
return -1;
}
padding = block[15];
if (padding < 1 || padding > 16) {
error_print();
return -1;
}
len -= padding;
memcpy(out + inlen - 16, block, len);
*outlen = inlen - padding;
return 1;
}
int sdf_generate_key(SDF_DEVICE *dev, SDF_KEY *key,
const SM2_KEY *sm2_key, uint8_t *wrappedkey, size_t *wrappedkey_len)
{
void *hSession;
void *hKey;
ECCrefPublicKey eccPublicKey;
ECCCipher eccCipher;
const uint8_t zeros[ECCref_MAX_LEN - 32] = {0};
SM2_POINT point;
SM2_CIPHERTEXT ciphertext;
int ret;
if (!dev || !key || !sm2_key || !wrappedkey_len) {
error_print();
return -1;
}
if (!dev->handle) {
error_print();
return -1;
}
if (!wrappedkey) {
*wrappedkey_len = SM2_MAX_CIPHERTEXT_SIZE;
return 1;
}
// SM2_KEY => ECCrefPublicKey
sm2_z256_point_to_bytes(&sm2_key->public_key, (uint8_t *)&point);
eccPublicKey.bits = 256;
memset(eccPublicKey.x, 0, sizeof(zeros));
memcpy(eccPublicKey.x + sizeof(zeros), point.x, 32);
memset(eccPublicKey.y, 0, sizeof(zeros));
memcpy(eccPublicKey.y + sizeof(zeros), point.y, 32);
// SDF_GenerateKeyWithEPK_ECC
if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK) {
error_print();
return -1;
}
if (SDF_GenerateKeyWithEPK_ECC(hSession, 128, SGD_SM2_3, &eccPublicKey, &eccCipher, &hKey) != SDR_OK) {
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
// ECCCipher => SM2_CIPHERTEXT
if (eccCipher.L > SM2_MAX_PLAINTEXT_SIZE
|| memcmp(eccCipher.x, zeros, sizeof(zeros)) != 0
|| memcmp(eccCipher.y, zeros, sizeof(zeros)) != 0) {
(void)SDF_DestroyKey(hSession, hKey);
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
memcpy(ciphertext.point.x, eccCipher.x + sizeof(zeros), 32);
memcpy(ciphertext.point.y, eccCipher.y + sizeof(zeros), 32);
memcpy(ciphertext.hash, eccCipher.M, 32);
memcpy(ciphertext.ciphertext, eccCipher.C, eccCipher.L);
ciphertext.ciphertext_size = eccCipher.L;
// SM2_CIPHERTEXT => DER
*wrappedkey_len = 0;
if (sm2_ciphertext_to_der(&ciphertext, &wrappedkey, wrappedkey_len) != 1) {
(void)SDF_DestroyKey(hSession, hKey);
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
key->session = hSession;
key->handle = hKey;
return 1;
}
int sdf_destroy_key(SDF_KEY *key)
{
if (key) {
if (key->session && key->handle) {
if (SDF_DestroyKey(key->session, key->handle) != SDR_OK) {
error_print();
return -1;
}
key->session = NULL;
key->handle = NULL;
}
if (key->session || key->handle) {
error_print();
return -1;
}
}
return 1;
}
int sdf_import_key(SDF_DEVICE *dev, unsigned int key_index, const char *pass,
const uint8_t *wrappedkey, size_t wrappedkey_len, SDF_KEY *key)
{
void *hSession;
void *hKey;
ECCCipher eccCipher;
const uint8_t zeros[ECCref_MAX_LEN - 32] = {0};
SM2_POINT point;
SM2_CIPHERTEXT ciphertext;
int ret;
if (!dev || !pass || !wrappedkey || !wrappedkey_len) {
error_print();
return -1;
}
if (!dev->handle) {
error_print();
return -1;
}
// SM2_CIPHERTEXT <= DER
if (sm2_ciphertext_from_der(&ciphertext, &wrappedkey, &wrappedkey_len) != 1) {
error_print();
return -1;
}
if (wrappedkey_len != 0) {
error_print();
return -1;
}
// ECCCipher <= SM2_CIPHERTEXT
memset(eccCipher.x, 0, sizeof(zeros));
memcpy(eccCipher.x + sizeof(zeros), ciphertext.point.x, 32);
memset(eccCipher.y, 0, sizeof(zeros));
memcpy(eccCipher.y + sizeof(zeros), ciphertext.point.y, 32);
memcpy(eccCipher.C, ciphertext.ciphertext, ciphertext.ciphertext_size);
eccCipher.L = ciphertext.ciphertext_size;
// SDF_ImportKeyWithISK_ECC
if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK) {
error_print();
return -1;
}
if (SDF_GetPrivateKeyAccessRight(hSession, key_index, (unsigned char *)pass, (unsigned int)strlen(pass)) != SDR_OK) {
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
if (SDF_ImportKeyWithISK_ECC(hSession, key_index, &eccCipher, &hKey) != SDR_OK) {
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
if (SDF_ReleasePrivateKeyAccessRight(hSession, (unsigned int)key_index) != SDR_OK) {
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
key->session = hSession;
key->handle = hKey;
return 1;
}
int sdf_cbc_encrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16])
{
if (!ctx || !key || !iv) {
error_print();
return -1;
}
if (!key->session || !key->handle) {
error_print();
return -1;
}
ctx->key = *key;
memcpy(ctx->iv, iv, SM4_BLOCK_SIZE);
memset(ctx->block, 0, SM4_BLOCK_SIZE);
ctx->block_nbytes = 0;
return 1;
}
int sdf_cbc_encrypt_update(SDF_CBC_CTX *ctx,
const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
size_t left;
size_t nblocks;
size_t len;
if (!ctx || !in || !out || !outlen) {
error_print();
return -1;
}
if (ctx->block_nbytes >= SM4_BLOCK_SIZE) {
error_print();
return -1;
}
*outlen = 0;
if (ctx->block_nbytes) {
left = SM4_BLOCK_SIZE - ctx->block_nbytes;
if (inlen < left) {
memcpy(ctx->block + ctx->block_nbytes, in, inlen);
ctx->block_nbytes += inlen;
return 1;
}
memcpy(ctx->block + ctx->block_nbytes, in, left);
if (sdf_cbc_encrypt_blocks(&ctx->key, ctx->iv, ctx->block, 1, out) != 1) {
error_print();
return -1;
}
in += left;
inlen -= left;
out += SM4_BLOCK_SIZE;
*outlen += SM4_BLOCK_SIZE;
}
if (inlen >= SM4_BLOCK_SIZE) {
nblocks = inlen / SM4_BLOCK_SIZE;
len = nblocks * SM4_BLOCK_SIZE;
if (sdf_cbc_encrypt_blocks(&ctx->key, ctx->iv, in, nblocks, out) != 1) {
error_print();
return -1;
}
in += len;
inlen -= len;
out += len;
*outlen += len;
}
if (inlen) {
memcpy(ctx->block, in, inlen);
}
ctx->block_nbytes = inlen;
return 1;
}
int sdf_cbc_encrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen)
{
if (!ctx || !out || !outlen) {
error_print();
return -1;
}
if (ctx->block_nbytes >= SM4_BLOCK_SIZE) {
error_print();
return -1;
}
if (sdf_cbc_padding_encrypt(&ctx->key, ctx->iv, ctx->block, ctx->block_nbytes, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sdf_cbc_decrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16])
{
if (!ctx || !key || !iv) {
error_print();
return -1;
}
if (!key->session || !key->handle) {
error_print();
return -1;
}
ctx->key = *key;
memcpy(ctx->iv, iv, SM4_BLOCK_SIZE);
memset(ctx->block, 0, SM4_BLOCK_SIZE);
ctx->block_nbytes = 0;
return 1;
}
int sdf_cbc_decrypt_update(SDF_CBC_CTX *ctx,
const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
{
size_t left, len, nblocks;
if (!ctx || !in || !out || !outlen) {
error_print();
return -1;
}
if (ctx->block_nbytes > SM4_BLOCK_SIZE) {
error_print();
return -1;
}
*outlen = 0;
if (ctx->block_nbytes) {
left = SM4_BLOCK_SIZE - ctx->block_nbytes;
if (inlen <= left) {
memcpy(ctx->block + ctx->block_nbytes, in, inlen);
ctx->block_nbytes += inlen;
return 1;
}
memcpy(ctx->block + ctx->block_nbytes, in, left);
if (sdf_cbc_decrypt_blocks(&ctx->key, ctx->iv, ctx->block, 1, out) != 1) {
error_print();
return -1;
}
in += left;
inlen -= left;
out += SM4_BLOCK_SIZE;
*outlen += SM4_BLOCK_SIZE;
}
if (inlen > SM4_BLOCK_SIZE) {
nblocks = (inlen-1) / SM4_BLOCK_SIZE;
len = nblocks * SM4_BLOCK_SIZE;
if (sdf_cbc_decrypt_blocks(&ctx->key, ctx->iv, in, nblocks, out) != 1) {
error_print();
return -1;
}
in += len;
inlen -= len;
out += len;
*outlen += len;
}
memcpy(ctx->block, in, inlen);
ctx->block_nbytes = inlen;
return 1;
}
int sdf_cbc_decrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen)
{
if (!ctx || !out || !outlen) {
error_print();
return -1;
}
if (ctx->block_nbytes != SM4_BLOCK_SIZE) {
error_print();
return -1;
}
if (sdf_cbc_padding_decrypt(&ctx->key, ctx->iv, ctx->block, SM4_BLOCK_SIZE, out, outlen) != 1) {
error_print();
return -1;
}
return 1;
}
int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key) int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key)
{ {
void *hSession; void *hSession;
@@ -255,6 +695,35 @@ int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key)
return 1; return 1;
} }
int sdf_export_encrypt_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key)
{
void *hSession;
ECCrefPublicKey eccPublicKey;
if (!dev || !sm2_key) {
error_print();
return -1;
}
if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK) {
error_print();
return -1;
}
if (SDF_ExportEncPublicKey_ECC(hSession, key_index, &eccPublicKey) != SDR_OK) {
(void)SDF_CloseSession(hSession);
error_print();
return -1;
}
(void)SDF_CloseSession(hSession);
memset(sm2_key, 0, sizeof(SM2_KEY));
if (SDF_ECCrefPublicKey_to_SM2_Z256_POINT(&eccPublicKey, &sm2_key->public_key) != SDR_OK) {
error_print();
return -1;
}
return 1;
}
int sdf_load_sign_key(SDF_DEVICE *dev, SDF_SIGN_KEY *key, int key_index, const char *pass) int sdf_load_sign_key(SDF_DEVICE *dev, SDF_SIGN_KEY *key, int key_index, const char *pass)
{ {
void *hSession = NULL; void *hSession = NULL;
@@ -396,10 +865,14 @@ int sdf_release_key(SDF_SIGN_KEY *key)
int sdf_close_device(SDF_DEVICE *dev) int sdf_close_device(SDF_DEVICE *dev)
{ {
if (SDF_CloseDevice(dev->handle) != SDR_OK) { if (dev) {
error_print(); if (dev->handle) {
return -1; if (SDF_CloseDevice(dev->handle) != SDR_OK) {
error_print();
return -1;
}
memset(dev, 0, sizeof(*dev));
}
} }
memset(dev, 0, sizeof(SDF_DEVICE));
return 1; return 1;
} }

4
tools/gmssl.c
View File

@@ -70,6 +70,7 @@ extern int sdfinfo_main(int argc, char **argv);
extern int sdfdigest_main(int argc, char **argv); extern int sdfdigest_main(int argc, char **argv);
extern int sdfexport_main(int argc, char **argv); extern int sdfexport_main(int argc, char **argv);
extern int sdfsign_main(int argc, char **argv); extern int sdfsign_main(int argc, char **argv);
extern int sdfencrypt_main(int argc, char **argv);
extern int sdftest_main(int argc, char **argv); extern int sdftest_main(int argc, char **argv);
#endif #endif
#ifdef ENABLE_SKF #ifdef ENABLE_SKF
@@ -133,6 +134,7 @@ static const char *options =
" sdfdigest Generate SM3 hash with SDF device\n" " sdfdigest Generate SM3 hash with SDF device\n"
" sdfexport Export SM2 signing public key from SDF device\n" " sdfexport Export SM2 signing public key from SDF device\n"
" sdfsign Generate SM2 signature with SDF internal private key\n" " sdfsign Generate SM2 signature with SDF internal private key\n"
" sdfencrypt SM2/SM4-CBC hybrid encryption with SDF device\n"
" sdftest Test vendor's SDF library and device\n" " sdftest Test vendor's SDF library and device\n"
#endif #endif
#ifdef ENABLE_SKF #ifdef ENABLE_SKF
@@ -291,6 +293,8 @@ int main(int argc, char **argv)
return sdfexport_main(argc, argv); return sdfexport_main(argc, argv);
} else if (!strcmp(*argv, "sdfsign")) { } else if (!strcmp(*argv, "sdfsign")) {
return sdfsign_main(argc, argv); return sdfsign_main(argc, argv);
} else if (!strcmp(*argv, "sdfencrypt")) {
return sdfencrypt_main(argc, argv);
} else if (!strcmp(*argv, "sdftest")) { } else if (!strcmp(*argv, "sdftest")) {
return sdftest_main(argc, argv); return sdftest_main(argc, argv);
#endif #endif

224
tools/sdfencrypt.c Executable file
View File

@@ -0,0 +1,224 @@
/*
* Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/sdf.h>
#include <gmssl/mem.h>
#include <gmssl/hex.h>
#include <gmssl/sm2.h>
#include <gmssl/x509.h>
#include <gmssl/rand.h>
#include <gmssl/error.h>
static const char *usage = "-lib so_path (-pubkey pem | -cert pem) [-in file] [-out file]";
static const char *options =
"\n"
"Options\n"
"\n"
" -lib so_path Vendor's SDF dynamic library\n"
" -pubkey pem Recepient's public key file in PEM format\n"
" -cert pem Recipient's certificate in PEM format\n"
" -in file | stdin Input data\n"
" -out file | stdout Output data\n"
"\n"
"Examples\n"
"\n"
" $ TEXT=`gmssl rand -outlen 20 -hex`\n"
" $ gmssl sdfexport -encrypt -key 1 -lib libsoftsdf.so -out sm2encpub.pem\n"
" $ echo -n $TEXT | gmssl sdfencrypt -lib libsoftsdf.so -pubkey sm2encpub.pem -out sdf_ciphertext.bin\n"
" $ gmssl sdfdecrypt -lib libsoftsdf.so -key 1 -pass P@ssw0rd -in sdf_ciphertext.bin\n"
"\n";
int sdfencrypt_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *lib = NULL;
char *pubkeyfile = NULL;
char *certfile = NULL;
char *infile = NULL;
char *outfile = NULL;
FILE *pubkeyfp = NULL;
FILE *certfp = NULL;
FILE *infp = stdin;
FILE *outfp = stdout;
SM2_KEY sm2_pub;
uint8_t cert[1024];
size_t certlen;
uint8_t iv[16];
uint8_t buf[4096];
size_t inlen;
size_t outlen;
SDF_DEVICE dev;
SDF_KEY key;
SDF_CBC_CTX ctx;
memset(&dev, 0, sizeof(dev));
memset(&key, 0, sizeof(key));
memset(&ctx, 0, sizeof(ctx));
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: gmssl %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
goto end;
} else if (!strcmp(*argv, "-lib")) {
if (--argc < 1) goto bad;
lib = *(++argv);
} else if (!strcmp(*argv, "-pubkey")) {
if (certfile) {
fprintf(stderr, "gmssl %s: options '-pubkey' '-cert' conflict\n", prog);
goto end;
}
if (--argc < 1) goto bad;
pubkeyfile = *(++argv);
if (!(pubkeyfp = fopen(pubkeyfile, "rb"))) {
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, pubkeyfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-cert")) {
if (pubkeyfile) {
fprintf(stderr, "gmssl %s: options '-pubkey' '-cert' conflict\n", prog);
goto end;
}
if (--argc < 1) goto bad;
certfile = *(++argv);
if (!(certfp = fopen(certfile, "rb"))) {
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, certfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (!(infp = fopen(infile, "rb"))) {
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, infile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else {
fprintf(stderr, "gmssl %s: illegal option `%s`\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "gmssl %s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
// load library and open device
if (!lib) {
fprintf(stderr, "gmssl %s: '-lib' option required\n", prog);
goto end;
}
if (sdf_load_library(lib, NULL) != 1) {
fprintf(stderr, "gmssl %s: load library failure\n", prog);
goto end;
}
if (sdf_open_device(&dev) != 1) {
fprintf(stderr, "gmssl %s: open device failure\n", prog);
goto end;
}
// get public key
if (pubkeyfile) {
if (sm2_public_key_info_from_pem(&sm2_pub, pubkeyfp) != 1) {
fprintf(stderr, "gmssl %s: parse public key failed\n", prog);
goto end;
}
} else if (certfile) {
if (x509_cert_from_pem(cert, &certlen, sizeof(cert), certfp) != 1) {
fprintf(stderr, "gmssl %s: parse certificate from PEM failed\n", prog);
goto end;
}
if (x509_cert_get_subject_public_key(cert, certlen, &sm2_pub) != 1) {
fprintf(stderr, "gmssl %s: parse certificate failed\n", prog);
goto end;
}
} else {
fprintf(stderr, "gmssl %s: '-pubkey' or '-cert' option required\n", prog);
goto end;
}
// generate key and output wrapped key in DER(SM2_CIPHERTEXT) format
if (sdf_generate_key(&dev, &key, &sm2_pub, buf, &outlen) != 1) {
error_print();
goto end;
}
if (fwrite(buf, 1, outlen, outfp) != outlen) {
fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno));
goto end;
}
// output IV
rand_bytes(iv, 16);
if (fwrite(iv, 1, 16, outfp) != 16) {
fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno));
goto end;
}
// encrypt and output ciphertext
if (sdf_cbc_encrypt_init(&ctx, &key, iv) != 1) {
error_print();
goto end;
}
while ((inlen = fread(buf, 1, sizeof(buf), infp)) > 0) {
if (sdf_cbc_encrypt_update(&ctx, buf, inlen, buf, &outlen) != 1) {
error_print();
goto end;
}
if (fwrite(buf, 1, outlen, outfp) != outlen) {
fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno));
goto end;
}
}
if (sdf_cbc_encrypt_finish(&ctx, buf, &outlen) != 1) {
error_print();
goto end;
}
if (fwrite(buf, 1, outlen, outfp) != outlen) {
fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno));
goto end;
}
ret = 0;
end:
(void)sdf_destroy_key(&key);
(void)sdf_close_device(&dev);
(void)sdf_unload_library();
gmssl_secure_clear(iv, sizeof(iv));
gmssl_secure_clear(&ctx, sizeof(ctx));
if (infile && infp) fclose(infp);
if (outfile && outfp) fclose(outfp);
return ret;
}

36
tools/sdfexport.c
View File

@@ -16,19 +16,22 @@
#include <gmssl/sdf.h> #include <gmssl/sdf.h>
static const char *usage = "-lib so_path -key num [-out file]"; static const char *usage = "-lib so_path {-sign|-encrypt} -key num [-out file]";
static const char *options = static const char *options =
"\n" "\n"
"Options\n" "Options\n"
"\n" "\n"
" -lib so_path Vendor's SDF dynamic library\n" " -lib so_path Vendor's SDF dynamic library\n"
" -sign Export signing public key\n"
" -encrypt Export encryption public key\n"
" -key num Private key index number\n" " -key num Private key index number\n"
" -out file | stdout Output public key in PEM format\n" " -out file | stdout Output public key in PEM format\n"
"\n" "\n"
"Examples\n" "Examples\n"
"\n" "\n"
" $ gmssl sdfexport -key 1 -out sm2signpub.pem\n" " $ gmssl sdfexport -sign -key 1 -out sm2signpub.pem\n"
" $ gmssl sdfexport -encrypt -key 1 -out sm2signpub.pem\n"
"\n"; "\n";
@@ -62,6 +65,18 @@ int sdfexport_main(int argc, char **argv)
} else if (!strcmp(*argv, "-lib")) { } else if (!strcmp(*argv, "-lib")) {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
lib = *(++argv); lib = *(++argv);
} else if (!strcmp(*argv, "-sign")) {
if (enc_public_key) {
fprintf(stderr, "gmssl %s: '-sign' and '-encrypt' should not used together\n", prog);
goto end;
}
sign_public_key = 1;
} else if (!strcmp(*argv, "-encrypt")) {
if (sign_public_key) {
fprintf(stderr, "gmssl %s: '-sign' and '-encrypt' should not used together\n", prog);
goto end;
}
enc_public_key = 1;
} else if (!strcmp(*argv, "-key")) { } else if (!strcmp(*argv, "-key")) {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
index = atoi(*(++argv)); index = atoi(*(++argv));
@@ -92,6 +107,10 @@ bad:
fprintf(stderr, "gmssl %s: option '-lib' required\n", prog); fprintf(stderr, "gmssl %s: option '-lib' required\n", prog);
goto end; goto end;
} }
if (!sign_public_key && !enc_public_key) {
fprintf(stderr, "gmssl %s: '-sign' or '-encrypt' option required\n", prog);
goto end;
}
if (index < 0) { if (index < 0) {
fprintf(stderr, "gmssl %s: '-index' option required\n", prog); fprintf(stderr, "gmssl %s: '-index' option required\n", prog);
goto end; goto end;
@@ -106,9 +125,16 @@ bad:
goto end; goto end;
} }
if (sdf_export_sign_public_key(&dev, index, &sm2_key) != 1) { if (sign_public_key) {
fprintf(stderr, "%s: load sign key failed\n", prog); if (sdf_export_sign_public_key(&dev, index, &sm2_key) != 1) {
goto end; fprintf(stderr, "%s: load sign key failed\n", prog);
goto end;
}
} else {
if (sdf_export_encrypt_public_key(&dev, index, &sm2_key) != 1) {
fprintf(stderr, "%s: load sign key failed\n", prog);
goto end;
}
} }
if (sm2_public_key_info_to_pem(&sm2_key, outfp) != 1) { if (sm2_public_key_info_to_pem(&sm2_key, outfp) != 1) {
fprintf(stderr, "gmssl %s: output public key to PEM failed\n", prog); fprintf(stderr, "gmssl %s: output public key to PEM failed\n", prog);