SM2/SM4 Mechanisms

This section describes the C-based PKCS#11 interface to the SM2/SM4 functions in the HSM firmware. Although PKCS#11 constitutes the core client-side API to the HSM, it is expected that other API layers (like Java) will be required in order to support the customers’ application environment. These APIs are yet to be defined.

NOTE    This feature requires minimum Luna HSM Firmware 7.4.2 (Luna HSM Firmware 7.7.0 for Luna PCIe HSM 7) and Luna HSM Client 10.2.0 (or a patched Luna HSM Client 7.4.0). You require a backup HSM with minimum Luna Backup HSM 7 Firmware 7.7.1 to back up these objects.

>SM2

>SM4

SM2

Generate Key Pair

Generate a keypair of type CKK_SM2.

CK_BYTE sm2p256v1[] =  { 0x06, 0x08, 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D };

CK_RV C_GenerateKeyPair(
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, 		// CKM_SM2_KEY_PAIR_GEN
CK_ATTRIBUTE_PTR pPublicKeyTemplate, 	// eg CKA_EC_PARAMS with curve sm2p256v1 or any other curve
CK_ULONG ulPublicKeyAttributeCount,
CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
CK_ULONG ulPrivateKeyAttributeCount,
CK_OBJECT_HANDLE_PTR phPublicKey,
CK_OBJECT_HANDLE_PTR phPrivateKey
);
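
The sm2p256v1 bytes above are a DER-encoded OBJECT IDENTIFIER, and a client can check the blob before placing it in CKA_EC_PARAMS. The following is an added example, not code from the Luna documentation or client: ec_params_to_oid is a hypothetical helper that decodes the blob and confirms it is the SM2 curve OID 1.2.156.10197.1.301.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CKA_EC_PARAMS value from the page: DER tag 0x06 (OBJECT IDENTIFIER), length 8. */
static const unsigned char sm2p256v1[] =
    { 0x06, 0x08, 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D };

/* Hypothetical helper: decode a DER-encoded OID into dotted form.
 * Returns 0 on success, -1 if the blob is malformed or out is too small. */
int ec_params_to_oid(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    if (len < 3 || der[0] != 0x06 || der[1] >= 0x80 ||
        (size_t)der[1] + 2 != len || (der[len - 1] & 0x80))
        return -1;                    /* wrong tag, bad length or truncated last arc */
    size_t used = 0;
    unsigned long arc = 0;
    int first = 1;
    for (size_t i = 2; i < len; i++) {
        if (arc == 0 && der[i] == 0x80)
            return -1;                /* non-minimal base-128 encoding */
        if (arc > (~0UL >> 7))
            return -1;                /* arc would overflow unsigned long */
        arc = (arc << 7) | (der[i] & 0x7F);
        if (der[i] & 0x80)
            continue;                 /* more bytes follow for this arc */
        int n;
        if (first) {                  /* first subidentifier packs two arcs: 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outlen - used, "%lu.%lu", x, arc - 40 * x);
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;                /* output buffer too small */
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

int main(void)
{
    char oid[64];
    if (ec_params_to_oid(sm2p256v1, sizeof sm2p256v1, oid, sizeof oid) != 0 ||
        strcmp(oid, "1.2.156.10197.1.301") != 0)
        return 1;                     /* not the SM2 curve: do not build the template */
    printf("CKA_EC_PARAMS OID: %s\n", oid);
    return 0;
}
```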

Sign

Use the C_Sign* family of functions.

typedef struct CK_SM2DSA_PARAMS {
   CK_MECHANISM_TYPE zhashAlg; 	// eg CKM_SM3
   CK_ULONG ulUserIdLen;
   CK_VOID_PTR pUserId;
} CK_SM2DSA_PARAMS;

CK_RV C_SignInit(
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, 		// eg CKM_SM3_SM2DSA with CK_SM2DSA_PARAMS
CK_OBJECT_HANDLE hKey
);

CK_RV C_Sign(
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pSignature,
CK_ULONG_PTR pulSignatureLen
);

Also supported:

>C_SignUpdate, C_SignFinal for multi-part operations

>C_VerifyInit, C_Verify for verifying (single-part operations)

>C_VerifyUpdate, C_VerifyFinal for verifying (multi-part operations)

Available mechanisms for signing include:

>CKM_SM2DSA

>CKM_SM3_SM2DSA

>CKM_SHA1_SM2DSA

>CKM_SHA224_SM2DSA

>CKM_SHA256_SM2DSA

>CKM_SHA384_SM2DSA

>CKM_SHA512_SM2DSA

Available mechanisms for the zhashAlg field of CK_SM2DSA_PARAMS include:

>CKM_SM3

>CKM_SHA1

>CKM_SHA224

>CKM_SHA256

>CKM_SHA384

>CKM_SHA512

SM4

Generate Key

Generate a secret key of type CKK_SM4.

CK_RV C_GenerateKey(
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, 		// CKM_SM4_KEY_GEN
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phKey
);

Encrypt

Use the C_Encrypt* family of functions.

CK_RV C_EncryptInit(
CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, 		// eg CKM_SM4_CBC_PAD with InitializationVector [16 bytes]
CK_OBJECT_HANDLE hKey
);

CK_RV C_Encrypt(
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pData,
CK_ULONG ulDataLen,
CK_BYTE_PTR pEncryptedData,
CK_ULONG_PTR pulEncryptedDataLen
);

Also supported:

>C_EncryptUpdate, C_EncryptFinal for multi-part operations

>C_DecryptInit, C_Decrypt for decrypting (single-part operations)

>C_DecryptUpdate, C_DecryptFinal for decrypting (multi-part operations)

Available mechanisms for encryption include:

>CKM_SM4_ECB

>CKM_SM4_CBC

>CKM_SM4_CBC_PAD