Algorithm Library
OpenSSL Interface
OpenSSL is a common cryptographic algorithm library that supports SM2, SM3, and SM4. You can invoke the encryption and decryption functions of SM cryptographic algorithms through command lines or APIs.
Prerequisites
OpenSSL 1.1.1m-6 or later. You can run the following command to query the OpenSSL version:
$ rpm -qa openssl
openssl-1.1.1m-6.oe2209.x86_64
How to Use
Scenario 1: Using Command Lines to Call Cryptographic Algorithms
Note: Replace data in the following commands with the name of the file to be encyrpted.
SM2 public key algorithm
Generate an SM2 private key.
openssl ecparam -genkey -name SM2 -out priv.key
Generate a public key based on the private key.
$ openssl ec -in priv.key -pubout -out pub.key read EC key writing EC key
Use SM2 to sign the file and set the data digest algorithm to SM3.
openssl dgst -sm3 -sign priv.key -out data.sig data
Use the public key to verify the signature.
$ openssl dgst -sm3 -verify pub.key -signature data.sig data Verified OK
SM3 data digest algorithm
Use SM3 for data digest.
$ openssl dgst -sm3 data SM3(data)= a794922bb9f0a034257f6c7090a3e8429801a42d422c21f1473e83b7f7eac385
SM4 symmetric key algorithm
Use SM4 to encrypt data.
-K
and-iv
specify the key value and initialization vector (IV) value used for encryption, respectively. Generally, the key value and IV value are randomly generated.openssl enc -sm4 -in data -K 123456789ABCDEF0123456789ABCDEF0 -iv 123456789ABCDEF0123456789ABCDEF0 -out data.enc
Use SM4 to decrypt data.
openssl enc -d -sm4 -in data.enc -K 123456789ABCDEF0123456789ABCDEF0 -iv 123456789ABCDEF0123456789ABCDEF0 -out data.raw
Compare the encrypted and decrypted data. The results are consistent.
diff data data.raw
Scenario 2: Using APIs to Call Cryptographic Algorithms
Install openssl-help and run the man
command to query the algorithms.
yum install openssl-help
man sm2
man EVP_sm3
man EVP_sm4_cbc
Kernel Cryptographic API
Overview
Crypto API is a cryptography framework in the Linux kernel, which allows various algorithm implementations to be registered and invoked. Kernel 5.10 provided by openEuler supports SM2, SM3, and SM4, among which SM2 and SM3 are built in the kernel by default and SM4 is provided as a kernel module.
Prerequisites
Kernel 5.10.0-106 or later. You can run the following command to query the kernel version:
$ rpm -qa kernel
kernel-5.10.0-106.1.0.55.oe2209.x86_64
How to Use
Scenario 1: Querying the Cryptographic Algorithms Supported by the Kernel
/proc/crypto lists the registered SM cryptographic algorithms. By default, SM2 and SM3 are loaded.
$ cat /proc/crypto | grep sm3 -A8
name : sm3
driver : sm3-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
internal : no
type : shash
blocksize : 64
digestsize : 32
$ cat /proc/crypto | grep sm2 -A6
name : sm2
driver : sm2-generic
module : kernel
priority : 100
refcnt : 1
selftest : passed
internal : no
type : akcipher
By default, SM4 is not loaded. You need to insert the corresponding module first.
$ modprobe sm4-generic
$ cat /proc/crypto | grep sm4 -A8
name : sm4
driver : sm4-generic
module : sm4_generic
priority : 100
refcnt : 1
selftest : passed
internal : no
type : cipher
blocksize : 16
min keysize : 16
max keysize : 16
Scenario 2: Calling Algorithm APIs
The method of calling SM cryptographic algorithms is the same as that of calling other algorithms of the same type. For details, see the Linux kernel document.
Scenario 3: Optimizing Algorithm Performance Through Instruction Sets
The crypto framework allows registration of architecture-specific algorithm implementations to optimize algorithm performance through corresponding instruction sets. Currently, the kernel 5.10 of openEuler supports algorithm performance optimization using the following instruction sets.
Driver | Instruction Set | Priority |
---|---|---|
sm4-neon (ecb/cbc/cfb/ctr) | ARM64-NEON | 200 |
sm3-avx | x86-AVX | 300 |
sm4-aesni-avx (ecb/cbc/cfb/ctr) | x86-AVX | 400 |
sm4-aesni-avx 2 (ecb/cbc/cfb/ctr) | x86-AVX2 | 500 |
When multiple instances of the same algorithm are registered, the default algorithm implementation is selected based on the registered priority of each algorithm instance. A larger priority value indicates a higher priority. The priority of a pure software implementation (suffixed by -generic) is fixed to 100. By default, the performance optimization through instruction sets is disabled for the SM cryptographic algorithms and is provided for users in the form of kernel modules. For example, to enable the AVX instruction set optimization for SM3, do as follows:
$ modprobe sm3-avx
$ cat /proc/crypto | grep sm3 -A8
name : sm3
driver : sm3-avx
module : sm3_avx_x86_64
priority : 300
refcnt : 1
selftest : passed
internal : no
type : shash
blocksize : 64
digestsize : 32
......
Notes
- The prerequisite for enabling instruction set optimization for algorithms is that the CPU supports the corresponding instruction set. You can query the instruction set supported by the CPU by viewing /proc/cpuinfo.
- Using an instruction set has certain overhead. Therefore, it cannot be ensured that the performance optimized by the instruction set is higher than that of software implementation in all scenarios.
- Some instruction sets have certain restrictions in optimization. For example, the NEON instruction set can only speed up cryptography that supports parallel computing.