GM/T 0056-2018
CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 62991-2018

Specification of cryptography application interface with multi-applications equipment

ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Multi-applications equipment system framework
6 Multi-applications equipment’s cryptography application interface call flow
6.1 Cryptography application interface call flow
6.2 Cryptographic algorithm capability identity
6.3 Cryptography application interface specification
7 Cryptography application interfaces of Java technology solution
7.1 Introduction
7.2 Cryptographic algorithm capability identity
7.3 Cryptography application package definition
7.4 Cryptography application interface definition
7.5 Cryptography application class information
Annex A (Informative) Cryptography application requirements for multi-application security management
Annex B (Informative) Multi-application security management certificate format
Bibliography

Specification of cryptography application interface with multi-applications equipment

1 Scope

This Standard specifies the cryptography application interface of SM2/3/4 series of algorithms in multi-applications equipment, including:
- defines the identity of SM2/SM3/SM4 algorithms in multi-applications equipment.
- defines the cryptography application interface specifications of SM2/SM3/SM4 algorithms.

This Standard is applicable to the development of various multi-applications equipment, and can also be used to guide the cryptography application test of multi-applications equipment.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 32905-2016 Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907-2016 Information security technology - SM4 block cipher algorithm
GB/T 32918 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves
ISO 9797 Information technology - Security techniques - Message authentication codes (MACs)
RFC 2898 Specification of PKCS #5

SM4 algorithm
An algorithm defined by GB/T 32907-2016.

3.8 SM9 algorithm
A public key cryptographic algorithm based on elliptic curves, using bilinear pairings.

4 Abbreviations

For the purposes of this document, the following abbreviations apply.

AID: Application Identifier
AKEY: Auxiliary Key
API: Application Programming Interface
CBC: Cipher-block chaining
COS: Chip Operating System
ECB: Electronic Codebook
ISO: International Organization for Standardization
MAC: Message Authentication Code
MKEY: Message Key
OFB: Output Feedback

5 Multi-applications equipment system framework

Multi-applications equipment is composed of hardware layer, driver layer, OS layer and application layer, as shown in Figure 1.

algorithmic capability of the equipment.

c) Call the cryptography application interface: If the equipment supports the cryptographic algorithm, the upper computer software calls the user application on the equipment. After the user application receives the call command on the equipment, it processes according to the command.

d) Call the cryptography application interface: If the processing of the command requires the use of the cryptography function, the call is made through the cryptography application interface of the equipment’s operating system.

e) Return the cryptography application interface call result: After the cryptography application API is called, the algorithm processes the request and the processing result is returned to the user application on the equipment.

f) Return the application call result: The user application on the equipment returns the call result to the upper computer software. The process ends.

6.2 Cryptographic algorithm capability identity

Multi-applications equipment shall identify the supported cryptographic algorithm capability so that the outer-equipment entity can know the algorithm supported by the equipment. Since the multi-applications equipment can be implemented by using different technical solutions, such as Java technical solution, C technical solution, etc., the algorithm capability identity of the corresponding technical solutions is described in Clause 7.

6.3 Cryptography application interface specification

The interface specification that the cryptography shall call shall be defined in the multi-applications equipment to facilitate user application calls on the equipment. Since the security equipment uses different technical solutions in the implementation, such as Java technical solution, C technical solution, etc., the call interface specification of the corresponding technical solutions is described in Clause 7.

7 Cryptography application interfaces of Java technology solution

7.1 Introduction

This clause describes the capability identity and application interface specification definition of the SM2/3/4 series of algorithms in multi-applications equipment using the Java technology solution. Applications using the SM2/3/4 series of algorithms can call these application interfaces to use cryptographic functions.

A key object used by the cryptographic algorithms is created as a key instance with the GMKeyBuilder.buildKey method; the key value used by the key object is then set by means of setXXX, etc. The signature algorithm and the encryption and decryption algorithm use these key objects. Symmetric key objects include: SM4Key; asymmetric key objects include: SM2PrivateKey, SM2PublicKey.

The signature and verification algorithm is implemented by the GMSignature class. Before using the signature and verification algorithm, the instance object of the corresponding algorithm must be obtained with the GMSignature.getInstance method; the corresponding key object is then used to generate signature data and to verify signature data.

The data encryption and decryption algorithm is implemented by the GMCipher class. Before using the data encryption and decryption algorithm, the instance object of the corresponding algorithm must be obtained with the GMCipher.getInstance method; the corresponding key object is then used to encrypt or decrypt the data.

The data hash algorithm is implemented by the GMMessageDigest class. Before using the data hash algorithm, the instance object of the SM3 algorithm must be obtained with the GMMessageDigest.getInstance method; the data can then be hashed.

The GMKeyPair class is defined in the cryptographic algorithm API, for generating an asymmetric key pair (SM2) in the cryptographic algorithm within the equipment.

7.2 Cryptographic algorithm capability identity

The definition of multi-applications equipment’s cryptographic algorithm capability identity is shown in Table 1.

7.5.2.2 getA

7.5.2.2.1 Declaration

7.5.2.2.2 Description

The method is used to get the data of curve parameter A. The output data length is 32 bytes. The data format is big endian and right aligned, i.e. the least significant bit is the least significant bit of the last byte.

7.5.2.2.3 Parameters

buffer - This byte array holds the output data.
offset - The starting position of the data in the byte array.

7.5.2.2.4 Return value

The data length of curve parameter A, in bytes.

7.5.2.2.5 Throw exception

CryptoException.UNINITIALIZED_KEY - This exception is thrown when the key is in an uninitialized state.
NullPointerException - This exception is thrown when the keyData parameter is null.
ArrayIndexOutOfBoundsException - This exception is thrown when the offset parameter is negative or exceeds the buffer array, or when the length of offset plus the curve parameter A exceeds the length of the buffer data.

7.5.2.3 getB

7.5.2.3.1 Declaration

7.5.3.2.2 Description

This method gets the SM2 private key data. The output private key reference data length is 32 bytes. The data format is big endian and right aligned, i.e. the least significant bit is the least significant bit of the last byte.

7.5.3.2.3 Parameters

buffer - This byte array holds the returned private key data.
offset - The starting position of the data in the byte array.

7.5.3.2.4 Return value

The length of the private key data in bytes is fixed to 32 in this Specification.

7.5.3.2.5 Throw exception

CryptoException.UNINITIALIZED_KEY - This exception is thrown when the key is in an uninitialized state.
NullPointerException - This exception is thrown when the buffer parameter is null.
ArrayIndexOutOfBoundsException - This exception is thrown when the offset parameter is negative or exceeds the buffer array, or when the length of offset plus the key data exceeds the length of the buffer data.

7.5.3.3 setS

7.5.3.3.1 Declaration

7.5.3.3.2 Description

This method is used to set the SM2 private key data. The input private key reference data length is 32 bytes. The data format is big endian and right aligned, i.e. the least significant bit is the least significant bit of the last byte.

7.5.3.3.3 Parameters

buffer - This byte array holds the private key data to be set.
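
The buffer/offset contract described above for getA and the private key getter (fixed 32-byte output, big endian, right aligned, with the stated null and bounds exceptions) can be sketched as follows. This is an added example, not code from GM/T 0056-2018: FixedFieldDemo and writeField32 are hypothetical names, the int return type is an assumption because the Declaration text is not reproduced on this page, and CryptoException is not modeled.

```java
import java.math.BigInteger;
import java.util.Arrays;

// Added illustration; FixedFieldDemo and writeField32 are hypothetical names,
// not part of the GM/T 0056-2018 API.
public class FixedFieldDemo {
    static final int FIELD_LEN = 32; // fixed output length stated in the text

    // Writes value as a 32-byte big-endian, right-aligned field into
    // buffer[offset .. offset+31] and returns the number of bytes written.
    static int writeField32(BigInteger value, byte[] buffer, int offset) {
        if (buffer == null) {
            throw new NullPointerException("buffer is null");
        }
        // Overflow-safe form of: offset < 0 || offset + 32 > buffer.length
        if (offset < 0 || offset > buffer.length - FIELD_LEN) {
            throw new ArrayIndexOutOfBoundsException("offset " + offset);
        }
        if (value.signum() < 0 || value.bitLength() > FIELD_LEN * 8) {
            throw new IllegalArgumentException("value does not fit in 32 bytes");
        }
        byte[] raw = value.toByteArray(); // may carry a leading 0x00 sign byte
        int skip = (raw.length > FIELD_LEN) ? raw.length - FIELD_LEN : 0;
        int len = raw.length - skip;
        // Zero the whole field first so short values are left-padded with 0x00
        // and no stale bytes from an earlier use of the buffer remain.
        Arrays.fill(buffer, offset, offset + FIELD_LEN, (byte) 0);
        System.arraycopy(raw, skip, buffer, offset + FIELD_LEN - len, len);
        return FIELD_LEN;
    }

    public static void main(String[] args) {
        byte[] buf = new byte[40];
        // Constructed sample value, not a real curve parameter or key.
        int n = writeField32(BigInteger.valueOf(0x0102), buf, 4);
        System.out.println(n + " bytes; last two = " + buf[34] + "," + buf[35]);
        try {
            writeField32(BigInteger.ONE, buf, 9); // 9 + 32 > 40, must be rejected
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

All checks run before the first byte is written, so a rejected call leaves the caller's buffer untouched.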

the last 32 bytes is the y coordinate. The data format is big endian and right aligned, i.e. the least significant bit is the least significant bit of the last byte.

7.5.4.2.3 Parameters

buffer - This byte array holds the returned public key data.
offset - The starting position of the data in the byte array.

7.5........

Source: https://www.ChineseStandard.net/PDF.aspx/GMT0056-2018