update

2026-05-06 16:36:16 +08:00 · 2015-10-07 15:23:34 +08:00
parent 254a1266d6
commit b4ad0da508
27 changed files with 590 additions and 88 deletions
--- a/7
+++ b/7
@@ -145,12 +145,13 @@ SHLIBDIRS= crypto ssl
 # dirs in crypto to build
 SDIRS=  \
 	objects \
-	md4 md5 sha mdc2 hmac ripemd whrlpool sm3 \
-	des aes rc2 rc4 idea bf cast camellia seed modes sms4 zuc \
+	md4 md5 sha mdc2 hmac ripemd whrlpool \
+	des aes rc2 rc4 idea bf cast camellia seed modes \
 	bn ec rsa dsa ecdsa dh ecdh ecies dso engine \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	cms pqueue ts srp cmac
+	cms pqueue ts srp cmac \
+	sm3 sms4 zuc cpk

 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...
--- a/Makefile.bak
+++ b/Makefile.bak
@@ -145,12 +145,14 @@ SHLIBDIRS= crypto ssl
 # dirs in crypto to build
 SDIRS=  \
 	objects \
-	md4 md5 sha mdc2 hmac ripemd whrlpool sm3 \
-	des aes rc2 rc4 idea bf cast camellia seed modes sms4 zuc \
+	md4 md5 sha mdc2 hmac ripemd whrlpool \
+	des aes rc2 rc4 idea bf cast camellia seed modes \
 	bn ec rsa dsa ecdsa dh ecdh ecies dso engine \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	cms pqueue ts srp cmac
+	cms pqueue ts srp cmac \
+	sm3 sms4 zuc cpk
+
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...

--- a/Makefile.org
+++ b/Makefile.org
@@ -143,12 +143,14 @@ SHLIBDIRS= crypto ssl
 # dirs in crypto to build
 SDIRS=  \
 	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd whrlpool sm3 \
-	des aes rc2 rc4 rc5 idea bf cast camellia seed modes sms4 zuc \
+	md2 md4 md5 sha mdc2 hmac ripemd whrlpool \
+	des aes rc2 rc4 rc5 idea bf cast camellia seed modes \
 	bn ec rsa dsa ecdsa dh ecdh ecies dso engine \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	cms pqueue ts jpake srp store cmac
+	cms pqueue ts jpake srp store cmac \
+	sm3 sms4 zuc cpk
+
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...

--- a/apps/Makefile
+++ b/apps/Makefile
@@ -946,6 +946,7 @@ speed.o: ../include/openssl/lhash.h ../include/openssl/md4.h
 speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
 speed.o: ../include/openssl/sm3.h ../include/openssl/sms4.h
 speed.o: ../include/openssl/zuc.h
+speed.o: ../include/openssl/cpk.h
 speed.o: ../include/openssl/modes.h ../include/openssl/obj_mac.h
 speed.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
--- a/apps/ca-gencert-engine.sh
+++ b/apps/ca-gencert-engine.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PIN=123456
+PUK=654321
+P11LIB=/usr/local/lib/opensc-pkcs11.so
+REQFILE=req.pem
+USERNAME="John Doe"
+
+echo " *** Erase card ***"
+pkcs15-init --erase-card --verbose
+
+echo " *** Initialization ***"
+pkcs15-init				\
+	--create-pkcs15			\
+	--profile pkcs15+onepin 	\
+	--pin $PIN 			\
+	--puk $PUK			\
+	--label "Personal Crypto Token"	\
+	--verbose
+
+echo " *** Generate Key Pair ***"
+pkcs11-tool 				\
+	--keypairgen			\
+	--module $P11LIB		\
+	--login --pin $PIN		\
+	--key-type rsa:2048		\
+	--usage-sign			\
+	--subject $USERNAME		\
+	--label "Private Key"
+
+KEYID=`pkcs11-tool --module $P11LIB --list-objects | grep "ID"  | awk '{ print $2}'`
+
+
+echo " *** Generate Certificate Request ***"
+openssl req				\
+	-new				\
+	-engine pkcs11 			\
+	-config openssl.conf		\
+	-keyform engine			\
+	-key 1:$KEYID			\
+	-subj "/C=CN/ST=Beijing/L=Beijing/O=PKU/OU=Infosec/CN=$1/emailAddress=$1@pku.edu.cn"	\
+	-out $REQFILE
+
+openssl req -in $REQFILE -text
+
+CERTFILE=user.pem
+CERTDER=user.der
+
+echo " *** Sign Certificate ***"
+openssl ca -batch -out $CERTFILE -notext -outdir . -infiles $REQFILE
+openssl x509 -in $CERTFILE -outform DER -out $CERTDER
+
+echo " *** Import Certificate to Token ***"
+pkcs11-tool --write-object $CERTDER	\
+	--module $P11LIB		\
+	--login --pin $PIN		\
+	--label Certificate		\
+	--type cert			
+
+echo " *** Show Token Info ***"
+pkcs11-tool --list-token-slots		\
+	--module $P11LIB
+
+pkcs11-tool --list-objects		\
+	--module $P11LIB		\
+	--login --pin $PIN	
+
+openssl x509 -in $CERTFILE -text -noout
+
+
--- a/apps/ca-gencert.sh
+++ b/apps/ca-gencert.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -x
+
+CURVE=secp192k1
+KEY_FILE=user.key
+REQ_FILE=user.req
+CERT_FILE=user.pem
+
+#openssl ecparam -genkey -name $CURVE -text -out $KEY_FILE
+openssl genrsa 1024 -text > $KEY_FILE
+openssl req -new -key $KEY_FILE -out $REQ_FILE
+openssl ca -out $CERT_FILE  -outdir . -infiles $REQ_FILE
+openssl pkcs12 -export -out user.pfx -in $CERT_FILE -inkey $KEY_FILE -certfile .demoCA/cacert.pem
+
+#rm -f $KEY_FILE
+#rm -f $REQ_FILE
+#rm -f $CERT_FILE
+
--- a/apps/ca-key.pem
+++ b/apps/ca-key.pem
@@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
-gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
-2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
-AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
-hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
-J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
-HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
-21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
-nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
-MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
-pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
-KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
-XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
-----END RSA PRIVATE KEY-----
--- a/apps/ca-req.pem
+++ b/apps/ca-req.pem
@@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
-MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
-bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
-FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
-cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
-cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
-5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
-kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
-----END CERTIFICATE REQUEST-----
--- a/apps/ca-setup.sh
+++ b/apps/ca-setup.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+CURVE=prime256v1
+DIR=demoCA
+
+rm -fr $DIR
+mkdir $DIR
+mkdir $DIR/certs
+mkdir $DIR/crl
+mkdir $DIR/newcerts
+mkdir $DIR/private/
+touch $DIR/index.txt
+touch $DIR/crlnumber
+touch $DIR/private/.rand
+echo 01 > $DIR/serial
+
+#openssl ecparam -genkey -name $CURVE -text -out $DIR/private/cakey.pem
+
+openssl genrsa 2048 -text > $DIR/private/cakey.pem
+openssl req -new -x509 -days 3650 -key $DIR/private/cakey.pem -out $DIR/cacert.pem
+openssl x509 -text -noout -in $DIR/cacert.pem
+
--- a/apps/ca-show-token-info.sh
+++ b/apps/ca-show-token-info.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+PIN=123456
+PUK=654321
+P11LIB=/usr/local/lib/opensc-pkcs11.so
+
+pkcs11-tool --list-token-slots --module $P11LIB
+pkcs11-tool --list-objects		\
+	--module $P11LIB		\
+	--login --pin $PIN
+
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -1,6 +1,52 @@
 /* apps/progs.h */
 /* automatically generated by progs.pl for openssl.c */

+extern int verify_main(int argc,char *argv[]);
+extern int asn1parse_main(int argc,char *argv[]);
+extern int req_main(int argc,char *argv[]);
+extern int dgst_main(int argc,char *argv[]);
+extern int dh_main(int argc,char *argv[]);
+extern int dhparam_main(int argc,char *argv[]);
+extern int enc_main(int argc,char *argv[]);
+extern int passwd_main(int argc,char *argv[]);
+extern int gendh_main(int argc,char *argv[]);
+extern int errstr_main(int argc,char *argv[]);
+extern int ca_main(int argc,char *argv[]);
+extern int crl_main(int argc,char *argv[]);
+extern int rsa_main(int argc,char *argv[]);
+extern int rsautl_main(int argc,char *argv[]);
+extern int dsa_main(int argc,char *argv[]);
+extern int dsaparam_main(int argc,char *argv[]);
+extern int ec_main(int argc,char *argv[]);
+extern int ecparam_main(int argc,char *argv[]);
+extern int x509_main(int argc,char *argv[]);
+extern int genrsa_main(int argc,char *argv[]);
+extern int gendsa_main(int argc,char *argv[]);
+extern int genpkey_main(int argc,char *argv[]);
+extern int s_server_main(int argc,char *argv[]);
+extern int s_client_main(int argc,char *argv[]);
+extern int speed_main(int argc,char *argv[]);
+extern int s_time_main(int argc,char *argv[]);
+extern int version_main(int argc,char *argv[]);
+extern int pkcs7_main(int argc,char *argv[]);
+extern int cms_main(int argc,char *argv[]);
+extern int crl2pkcs7_main(int argc,char *argv[]);
+extern int sess_id_main(int argc,char *argv[]);
+extern int ciphers_main(int argc,char *argv[]);
+extern int nseq_main(int argc,char *argv[]);
+extern int pkcs12_main(int argc,char *argv[]);
+extern int pkcs8_main(int argc,char *argv[]);
+extern int pkey_main(int argc,char *argv[]);
+extern int pkeyparam_main(int argc,char *argv[]);
+extern int pkeyutl_main(int argc,char *argv[]);
+extern int spkac_main(int argc,char *argv[]);
+extern int smime_main(int argc,char *argv[]);
+extern int rand_main(int argc,char *argv[]);
+extern int engine_main(int argc,char *argv[]);
+extern int ocsp_main(int argc,char *argv[]);
+extern int prime_main(int argc,char *argv[]);
+extern int ts_main(int argc,char *argv[]);
+extern int srp_main(int argc,char *argv[]);

 #define FUNC_TYPE_GENERAL	1
 #define FUNC_TYPE_MD		2
@@ -17,6 +63,94 @@ typedef struct {
 DECLARE_LHASH_OF(FUNCTION);

 FUNCTION functions[] = {
+	{FUNC_TYPE_GENERAL,"verify",verify_main},
+	{FUNC_TYPE_GENERAL,"asn1parse",asn1parse_main},
+	{FUNC_TYPE_GENERAL,"req",req_main},
+	{FUNC_TYPE_GENERAL,"dgst",dgst_main},
+#ifndef OPENSSL_NO_DH
+	{FUNC_TYPE_GENERAL,"dh",dh_main},
+#endif
+#ifndef OPENSSL_NO_DH
+	{FUNC_TYPE_GENERAL,"dhparam",dhparam_main},
+#endif
+	{FUNC_TYPE_GENERAL,"enc",enc_main},
+	{FUNC_TYPE_GENERAL,"passwd",passwd_main},
+#ifndef OPENSSL_NO_DH
+	{FUNC_TYPE_GENERAL,"gendh",gendh_main},
+#endif
+	{FUNC_TYPE_GENERAL,"errstr",errstr_main},
+	{FUNC_TYPE_GENERAL,"ca",ca_main},
+	{FUNC_TYPE_GENERAL,"crl",crl_main},
+#ifndef OPENSSL_NO_RSA
+	{FUNC_TYPE_GENERAL,"rsa",rsa_main},
+#endif
+#ifndef OPENSSL_NO_RSA
+	{FUNC_TYPE_GENERAL,"rsautl",rsautl_main},
+#endif
+#ifndef OPENSSL_NO_DSA
+	{FUNC_TYPE_GENERAL,"dsa",dsa_main},
+#endif
+#ifndef OPENSSL_NO_DSA
+	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
+#endif
+#ifndef OPENSSL_NO_EC
+	{FUNC_TYPE_GENERAL,"ec",ec_main},
+#endif
+#ifndef OPENSSL_NO_EC
+	{FUNC_TYPE_GENERAL,"ecparam",ecparam_main},
+#endif
+	{FUNC_TYPE_GENERAL,"x509",x509_main},
+#ifndef OPENSSL_NO_RSA
+	{FUNC_TYPE_GENERAL,"genrsa",genrsa_main},
+#endif
+#ifndef OPENSSL_NO_DSA
+	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},
+#endif
+	{FUNC_TYPE_GENERAL,"genpkey",genpkey_main},
+#if !defined(OPENSSL_NO_SOCK)
+	{FUNC_TYPE_GENERAL,"s_server",s_server_main},
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
+#endif
+#ifndef OPENSSL_NO_SPEED
+	{FUNC_TYPE_GENERAL,"speed",speed_main},
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
+#endif
+	{FUNC_TYPE_GENERAL,"version",version_main},
+	{FUNC_TYPE_GENERAL,"pkcs7",pkcs7_main},
+#ifndef OPENSSL_NO_CMS
+	{FUNC_TYPE_GENERAL,"cms",cms_main},
+#endif
+	{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
+	{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
+#if !defined(OPENSSL_NO_SOCK)
+	{FUNC_TYPE_GENERAL,"ciphers",ciphers_main},
+#endif
+	{FUNC_TYPE_GENERAL,"nseq",nseq_main},
+#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
+	{FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main},
+#endif
+	{FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main},
+	{FUNC_TYPE_GENERAL,"pkey",pkey_main},
+	{FUNC_TYPE_GENERAL,"pkeyparam",pkeyparam_main},
+	{FUNC_TYPE_GENERAL,"pkeyutl",pkeyutl_main},
+	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
+	{FUNC_TYPE_GENERAL,"smime",smime_main},
+	{FUNC_TYPE_GENERAL,"rand",rand_main},
+#ifndef OPENSSL_NO_ENGINE
+	{FUNC_TYPE_GENERAL,"engine",engine_main},
+#endif
+#ifndef OPENSSL_NO_OCSP
+	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
+#endif
+	{FUNC_TYPE_GENERAL,"prime",prime_main},
+	{FUNC_TYPE_GENERAL,"ts",ts_main},
+#ifndef OPENSSL_NO_SRP
+	{FUNC_TYPE_GENERAL,"srp",srp_main},
+#endif
 #ifndef OPENSSL_NO_MD2
 	{FUNC_TYPE_MD,"md2",dgst_main},
 #endif
--- a/apps/sm2-cert.pem
+++ b/apps/sm2-cert.pem
--- a/apps/sm2-key.pem
+++ b/apps/sm2-key.pem
--- a/build-mac.sh
+++ b/build-mac.sh
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-./Configure darwin64-x86_64-cc --prefix=/usr/local --openssldir=/usr/local/openssl
-make
-sudo make install
-
-
-
-# build libp11
-# $ ./bootstrap
-# $ LIBP11_CFLAGS='-I/usr/local/include'; export LIBP11_CFLAGS 
-# $ LIBP11_LIBS='-L/usr/local/lib -lp11'; export LIBP11_LIBS 
-# $ ./configure
-
--- a/crypto/cpk/Makefile
+++ b/crypto/cpk/Makefile
@@ -0,0 +1,78 @@
+#
+# crypto/cpk/Makefile
+#
+
+DIR=	cpk
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g -Wall
+MAKEFILE=	Makefile
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=cpktest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=	cpk_lib.c cpk_map.c cpk_kap.c cpk_asn1.c cpk_prn.c cpk_err.c
+LIBOBJ=	cpk_lib.o cpk_map.o cpk_kap.o cpk_asn1.o cpk_prn.o cpk_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= cpk.h
+HEADER= $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB) || echo Never mind.
+	@touch lib
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+update: depend
+
+depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
--- a/crypto/cpk/cpk.h
+++ b/crypto/cpk/cpk.h
@@ -4,7 +4,7 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/ossl_typ.h>
-#include "ecies.h"
+#include <openssl/ecies.h>

 #ifdef  __cplusplus
 extern "C" {
--- a/crypto/cpk/cpktest.c
+++ b/crypto/cpk/cpktest.c
@@ -0,0 +1,169 @@
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include "cpk.h"
+#include "kdf.h"
+#include "ecies.h"
+
+
+const char *id_short = "id";
+const char *id_long = 
+		"123456789022345678903234567890423456789052345678906234567890"
+		"123456789022345678903234567890423456789052345678906234567890";
+
+
+
+int EVP_PKEY_print_fp(const EVP_PKEY *pkey, FILE *fp)
+{
+	ASN1_PCTX *ctx = ASN1_PCTX_new();
+	BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE);
+
+	EVP_PKEY_print_params(bio, pkey, 0, ctx);	
+	EVP_PKEY_print_public(bio, pkey, 0, ctx);
+	EVP_PKEY_print_private(bio, pkey, 0, NULL);
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	int r, i;
+	KDF_FUNC kdf = NULL;
+	EC_GROUP *ec_group = NULL;
+	EC_KEY *ec_key = NULL;
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY *pub_key = NULL;
+	EVP_PKEY *priv_key = NULL;
+	X509_ALGOR *map = NULL;
+	CPK_MASTER_SECRET *master = NULL;
+	CPK_PUBLIC_PARAMS *params = NULL;
+	BIO *bio_out = NULL;
+	unsigned char *buf = NULL;
+	unsigned char *p;
+	const unsigned char *cp;
+	int len;
+
+	/* init openssl global functions */
+	ERR_load_crypto_strings();
+	OpenSSL_add_all_algorithms();
+
+	/* prepare cpk setup parameters */
+	ec_key = EC_KEY_new_by_curve_name(OBJ_sn2nid("prime192v1"));
+	assert(ec_key != NULL);
+
+	EC_GROUP_set_asn1_flag((EC_GROUP *)EC_KEY_get0_group(ec_key), OPENSSL_EC_NAMED_CURVE);
+	r = EC_KEY_generate_key(ec_key);
+	assert(r == 1);
+
+	pkey = EVP_PKEY_new();
+	assert(pkey != NULL);
+	r = EVP_PKEY_set1_EC_KEY(pkey, ec_key);
+	assert(r == 1);
+	map = CPK_MAP_new_default();
+	assert(map != NULL);
+
+
+	//EVP_PKEY_print_fp(pkey, stdout);
+
+	/* generate master_secret and public_params */
+	master = CPK_MASTER_SECRET_create("domainid", pkey, map);
+	OPENSSL_assert(master);
+
+	bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	OPENSSL_assert(bio_out);
+
+	r = CPK_MASTER_SECRET_print(bio_out, master, 0, 0);
+	assert(r == 1);
+
+	EVP_PKEY_free(pkey);
+	pkey = NULL;
+	pkey = CPK_MASTER_SECRET_extract_private_key(master, "id");
+	assert(pkey != NULL);
+	EVP_PKEY_free(pkey);
+	//pkey = CPK_MASTER_SECRET_extract_private_key(master, NULL);
+	//assert(pkey == NULL);
+	pkey = CPK_MASTER_SECRET_extract_private_key(master, id_long);
+	assert(pkey != NULL);
+	printf("EVP_PKEY of '%s':\n", id_long);
+	EVP_PKEY_print_fp(pkey, stdout);
+	printf("\n");
+	
+	params = CPK_MASTER_SECRET_extract_public_params(master);
+	assert(params);
+	r = CPK_PUBLIC_PARAMS_print(bio_out, params, 0, 0);
+	assert(r == 1);
+	printf("\n");
+
+	printf("test CPK_PUBLIC_PARAMS_extract_public_key()\n");
+	pub_key = CPK_PUBLIC_PARAMS_extract_public_key(params, id_short);
+	assert(pub_key != NULL);
+	EVP_PKEY_free(pub_key);
+
+	pub_key = CPK_PUBLIC_PARAMS_extract_public_key(params, id_long);
+	assert(pub_key != NULL);
+	printf("Public Key of '%s':\n", id_long);
+	EVP_PKEY_print_fp(pkey, stdout);
+	printf("\n");
+
+	
+	r = CPK_MASTER_SECRET_validate_public_params(master, params);
+	assert(r == 1);
+	if (priv_key) EVP_PKEY_free(priv_key);
+	priv_key = CPK_MASTER_SECRET_extract_private_key(master, "identity");
+	assert(priv_key);
+	r = CPK_PUBLIC_PARAMS_validate_private_key(params, "identity", priv_key);
+	assert(r == 1);
+	r = CPK_PUBLIC_PARAMS_validate_private_key(params, "id", priv_key);
+	assert(r == 0);
+
+	/* der encoding and decoding */
+	len = i2d_CPK_MASTER_SECRET(master, NULL);
+	assert(len > 0);
+	if (buf != NULL) OPENSSL_free(buf);
+	buf = OPENSSL_malloc(len);
+	assert(buf != NULL);
+	p = buf;
+	len = i2d_CPK_MASTER_SECRET(master, &p);
+	assert(len > 0);
+	assert(p - buf == len);
+
+	cp = buf;
+	if (master) CPK_MASTER_SECRET_free(master);
+	master = NULL;
+	master = d2i_CPK_MASTER_SECRET(NULL, &cp, len);
+	assert(master != NULL);
+	r = CPK_MASTER_SECRET_validate_public_params(master, params);
+	assert(r == 1);
+
+	kdf = KDF_get_x9_63(EVP_sha1());
+	assert(kdf != NULL);
+
+
+	if (priv_key != NULL) EVP_PKEY_free(priv_key);
+	priv_key = CPK_MASTER_SECRET_extract_private_key(master, "Alice");
+	assert(priv_key != NULL);
+
+	if (buf != NULL) OPENSSL_free(buf);
+	buf = OPENSSL_malloc(1024);
+	assert(buf != NULL);
+	r = CPK_PUBLIC_PARAMS_compute_share_key(params, buf, 64, "Bob", priv_key, kdf);
+	for (i = 0; i < 64; i++) printf("%02x", buf[i]); printf("\n");
+
+	if (priv_key != NULL)
+		EVP_PKEY_free(priv_key);
+	priv_key = CPK_MASTER_SECRET_extract_private_key(master, "Bob");
+	assert(priv_key != NULL);
+	r = CPK_PUBLIC_PARAMS_compute_share_key(params, buf, 64, "Alice", priv_key, kdf);
+	for (i = 0; i < 64; i++) printf("%02x", buf[i]); printf("\n");
+
+
+	printf("ok\n");
+	
+	return 0;
+}
+
+
--- a/crypto/evp/e_zuc.c
+++ b/crypto/evp/e_zuc.c
@@ -12,14 +12,14 @@
 static int zuc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 	const unsigned char *iv, int enc)
 {
-	//ZUC_set_key((ZUC_KEY *)&ctx->cipher_data, EVP_CIPHER_CTX_key_length(ctx), key);
+	ZUC_set_key((ZUC_KEY *)&ctx->cipher_data, EVP_CIPHER_CTX_key_length(ctx), key);
 	return 1;
 }

 static int zuc_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	const unsigned char *in, size_t inlen)
 {
-	//ZUC_encrypt((ZUC_KEY *)&ctx->cipher_data, inlen, in, out);
+	ZUC_encrypt((ZUC_KEY *)&ctx->cipher_data, inlen, in, out);
 	return 1;
 }

--- a/crypto/sm2/sm2test.c
+++ b/crypto/sm2/sm2test.c
@@ -112,3 +112,32 @@ int main()
 	return 0;
 }

+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/ecdsa.h>
+#include <openssl/objects.h>
+
+int main(int argc, char **argv)
+{
+	int ok;
+	EC_KEY *ec_key;
+	ECDSA_SIG *sig;
+	unsigned char dgst[32];
+
+	ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
+	OPENSSL_assert(ec_key);
+
+	ok = EC_KEY_generate_key(ec_key);
+	OPENSSL_assert(ok);
+
+	sig = ECDSA_do_sign(dgst, 32, ec_key);
+	ok = ECDSA_do_verify(dgst, 32, sig, ec_key);
+
+	printf("ok = %d\n", ok);
+
+	return 0;
+}
+
--- a/crypto/zuc/zuc.c
+++ b/crypto/zuc/zuc.c
@@ -200,12 +200,27 @@ void ZUC_set_key(ZUC_KEY *key, const unsigned char *k, const unsigned char *iv)
 		LFSRWithInitialisationMode(key, w >> 1);
 		nCount--;
 	}
+
+	/* set buffer */
+	key->buflen = 0;
 }

 void ZUC_encrypt(ZUC_KEY *key, size_t inlen, const unsigned char *in, unsigned char *out)
 {
 #if 0
 	int i;
+
+	if (key->buflen) {
+		int len = inlen < 4 - key->buflen ? inlen : 4 - key->buflen;
+		memcpy(key->buf + key->buflen, in, len);
+		inlen -= len;
+
+		if (key->buflen == 4) {
+		}
+	}
+	if (inlen < 4) {
+	}
+
 	BitReorganization(key);
 	F(key); /* discard the output of F */
 	LFSRWithWorkMode(key);
@@ -216,6 +231,6 @@ void ZUC_encrypt(ZUC_KEY *key, size_t inlen, const unsigned char *in, unsigned c
 		pKeystream[i] = F(key) ^ key->BRC_X3;
 		LFSRWithWorkMode(key);
 	}
-#endif 
+#endif
 }

--- a/crypto/zuc/zuc.h
+++ b/crypto/zuc/zuc.h
@@ -36,6 +36,10 @@ typedef struct {
 	uint32_t BRC_X1;
 	uint32_t BRC_X2;
 	uint32_t BRC_X3;
+
+	/* word buffer */
+	unsigned char buf[4];
+	int buflen;
 } ZUC_KEY;


--- a/include/openssl/cpk.h
+++ b/include/openssl/cpk.h
@@ -0,0 +1 @@
+../../crypto/cpk/cpk.h
--- a/sm2test.c
+++ b/sm2test.c
@@ -1,29 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/ec.h>
-#include <openssl/err.h>
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-
-int main(int argc, char **argv)
-{
-	int ok;
-	EC_KEY *ec_key;
-	ECDSA_SIG *sig;
-	unsigned char dgst[32];
-
-	ec_key = EC_KEY_new_by_curve_name(NID_sm2p256v1);
-	OPENSSL_assert(ec_key);
-
-	ok = EC_KEY_generate_key(ec_key);
-	OPENSSL_assert(ok);
-
-	sig = ECDSA_do_sign(dgst, 32, ec_key);
-	ok = ECDSA_do_verify(dgst, 32, sig, ec_key);
-
-	printf("ok = %d\n", ok);
-
-	return 0;
-}
-
--- a/test/cpktest.c
+++ b/test/cpktest.c
@@ -0,0 +1 @@
+../crypto/cpk/cpktest.c
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -121,6 +121,8 @@ and [options] can be one of
 	no-ec					- No EC
 	no-ecdsa				- No ECDSA
 	no-ecdh					- No ECDH
+	no-ecies				- No ECIES
+	no-cpk					- No CPK
 	no-engine				- No engine
 	no-hw					- No hw
 	nasm 					- Use NASM for x86 asm
@@ -296,6 +298,8 @@ $cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
 $cflags.=" -DOPENSSL_NO_SM3"  if $no_sm3;
 $cflags.=" -DOPENSSL_NO_SMS4" if $no_sms4;
 $cflags.=" -DOPENSSL_NO_ZUC" if $no_zuc;
+$cflags.=" -DOPENSSL_NO_ECIES" if $no_ecies;
+$cflags.=" -DOPENSSL_NO_CPK" if $no_cpk;

 if ($no_static_engine)
 	{
@@ -921,6 +925,8 @@ sub var_add
 	@a=grep(!/(^sm3)|(_sm3$)/,@a) if $no_sm3;
 	@a=grep(!/(^sms4)|(_sms4$)/,@a) if $no_sms4;
 	@a=grep(!/(^zuc)|(_zuc$)/,@a) if $no_zuc;
+	@a=grep(!/(^ecies)|(_ecies$)/,@a) if $no_ecies;
+	@a=grep(!/(^cpk)|(_cpk$)/,@a) if $no_cpk;

 	grep($_="$dir/$_",@a);
 	@a=grep(!/(^|\/)s_/,@a) if $no_sock;
@@ -1252,6 +1258,8 @@ sub read_options
 		"no-sm3" => \$no_sm3,
 		"no-sms4" => \$no_sms4,
 		"no-zuc" => \$no_zuc
+		"no-ecies" => \$no_ecies
+		"no-cpk" => \$no_cpk
 		);

 	if (exists $valid_options{$_})
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -146,7 +146,7 @@ my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
 my $no_unit_test; my $no_ssl3_method;
-my $no_sm3; my $no_sms4; my $no_zuc;
+my $no_sm3; my $no_sms4; my $no_zuc; my $no_ecies; my $no_cpk;

 my $fips;

@@ -252,6 +252,8 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-sm3$/)	{ $no_sm3=1; }
 	elsif (/^no-sms4$/)	{ $no_sms4=1; }
 	elsif (/^no-zuc$/)	{ $no_zuc=1; }
+	elsif (/^no-ecies$/)	{ $no_ecies=1; }
+	elsif (/^no-cpk$/)	{ $no_cpk=1; }
 	}


@@ -319,8 +321,6 @@ $crypto.=" crypto/dsa/dsa.h" ; # unless $no_dsa;
 $crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
 $crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
 $crypto.=" crypto/ecdsa/ecdsa.h" ; # unless $no_ecdsa;
-$crypto.=" crypto/ecies/ecies.h" ;
-$crypto.=" crypto/ecies/kdf.h" ;
 $crypto.=" crypto/ecdh/ecdh.h" ; # unless $no_ecdh;
 $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
 $crypto.=" crypto/cmac/cmac.h" ; # unless $no_hmac;
@@ -360,9 +360,12 @@ $crypto.=" crypto/jpake/jpake.h";
 $crypto.=" crypto/modes/modes.h";
 $crypto.=" crypto/srp/srp.h";

-$crypto.=" crypto/sm3/sm3.h" ; # unless $no_sm3;
-$crypto.=" crypto/sms4/sms4.h" ; # unless $no_sms4;
-$crypto.=" crypto/zuc/zuc.h" ; # unless $no_zuc;
+$crypto.=" crypto/sm3/sm3.h"; # unless $no_sm3;
+$crypto.=" crypto/sms4/sms4.h"; # unless $no_sms4;
+$crypto.=" crypto/zuc/zuc.h"; # unless $no_zuc;
+$crypto.=" crypto/ecies/ecies.h";
+$crypto.=" crypto/ecies/kdf.h";
+$crypto.=" crypto/ecies/cpk.h";

 my $symhacks="crypto/symhacks.h";

@@ -1240,6 +1243,8 @@ sub is_valid
 			if ($keyword eq "SM3" && $no_sm3) { return 0; }
 			if ($keyword eq "SMS4" && $no_sms4) { return 0; }
 			if ($keyword eq "ZUC" && $no_zuc) { return 0; }
+			if ($keyword eq "ECIES" && $no_ecies) { return 0; }
+			if ($keyword eq "CPK" && $no_cpk) { return 0; }

 			# Nothing recognise as true
 			return 1;
--- a/util/mkfiles.pl
+++ b/util/mkfiles.pl
@@ -40,6 +40,7 @@ my @dirs = (
 "crypto/ecdh",
 "crypto/ecdsa",
 "crypto/ecies",
+"crypto/cpk",
 "crypto/buffer",
 "crypto/bio",
 "crypto/stack",