Key Management Tool APIs
To help users customize key management, the key management tool APIs are provided.
- Create a session user.
int ECM_OpenSession(void *hDeviceHandle, void **phSessionHandle);
Table 1 Parameter description Parameter
Description
hDeviceHandle[in]
Handle of the device that has been started.
phSessionHandle[out]
Handle of the session established with the cryptographic device.
Table 2 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Create a device internal key and set the password.
int ECM_GenerateKey(void *hSessionHandle, unsigned int uiKeyIndex, unsigned char *pucPassword, unsigned int uiPwdLength);
Table 3 Parameter description Parameter
Description
hSessionHandle[in]
Handle of the session established with the device.
uiKeyIndex[in]
Index value of the private key stored in the cryptographic device. The value includes the key type and index.
pucPassword[in]
Password for accessing the private key.
uiPwdLength[in]
Length of the password for accessing the private key. The value ranges from 8 to 128 bytes.
Table 4 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- uiKeyIndex[in]: 32-bit internal key index information, with the high-order 12 bits indicating the key type and the low-order 20 bits indicating the key index.
The key types include:
- SDF_SM2_SIGN: signature key pair
- SDF_SM2_ENC: encryption key pair
- SDF_SM4: SM4 encryption key
- A user key includes an encryption key pair and a signature key pair. Therefore, this API needs to be called twice to generate a user key.
- uiKeyIndex[in]: 32-bit internal key index information, with the high-order 12 bits indicating the key type and the low-order 20 bits indicating the key index.
- Delete a specified internal key.
int ECM_DeleteKey(void *hSessionHandle, unsigned int uiKeyIndex);
Table 5 Parameter description Parameter
Description
hSessionHandle[in]
Handle of the session established with the device.
uiKeyIndex[in]
Index value of the private key stored in the cryptographic device. The value includes the key type and index.
Table 6 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Query internal key status.
int ECM_QueryKey(void *hSessionHandle, unsigned int uiKeyIndex, unsigned int *uiKeyInfo);
Table 7 Parameter description Parameter
Description
hSessionHandle[in]
Handle of the session established with the device.
uiKeyIndex[in]
Index value of the private key stored in the cryptographic device. The value includes the key type and index.
uiKeyInfo[out]
Internal key information of the cryptographic device.
- 0: Keys exist.
- Other values: Keys do not exist.
Table 8 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Change the password for accessing a specified private key.
int ECM_ChangePassword(void *hSessionHandle, unsigned int uiKeyIndex, unsigned char *prePassword, unsigned int prePasswordLen, unsigned char *newPassword, unsigned int newPasswordLen);
Table 9 Parameter description Parameter
Description
hSessionHandle[in]
Handle of the session established with the device.
uiKeyIndex[in]
Index value of the private key stored in the cryptographic device. The value includes the key type and index.
prePassword[in]
Current password for accessing the private key.
prePasswordLen[in]
Length of the current password for accessing the private key. The value ranges from 8 to 128 bytes.
newPassword[in]
New password for accessing the private key.
newPasswordLen[in]
Length of the new password for accessing the private key. The value ranges from 8 to 128 bytes.
Table 10 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Export the corresponding internal key.
int ECM_ExportKey(void *hSessionHandle, unsigned int uiKeyIndex, unsigned char *keyFileBuffer, unsigned int *keyBufferLength, unsigned char *keySalt);
Table 11 Parameter description Parameter
Description
hSessionHandle[in]
Handle of the session established with the device.
uiKeyIndex[in]
Index value of the private key stored in the cryptographic device. The value includes the key type and index.
keyFileBuffer[out]
Pointer to the buffer for storing the exported internal key ciphertext.
keyBufferLength[out]
Length of the exported internal key ciphertext.
keySalt[in]
Encryption salt value. The length of the value cannot exceed 16 bytes.
Table 12 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Import a key to the specified index.
int ECM_ImportKey(void *hSessionHandle, unsigned int uiKeyIndex, unsigned char *keyFileBuffer, unsigned int keyBufferLength, unsigned char *keySalt);
Table 13 Parameter description Parameter
Description
hSessionHandle[in]
Handle of the session established with the device.
uiKeyIndex[in]
Index value of the private key stored in the cryptographic device. The value includes the key type and index.
keyFileBuffer[in]
Pointer to the buffer for storing the key ciphertext to be imported.
keyBufferLength[out]
Length of the key ciphertext to be imported.
keySalt[in]
Decryption salt value. The length of the value cannot exceed 16 bytes.
Table 14 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Restore factory settings.
int ECM_FactoryReset();
Table 15 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
- Import a key in plaintext to the device.
int ECM_ImportKeyPair_ECC(void* hSessionHandle, unsigned int uiKeyIndex, unsigned char *pucPassword, unsigned int uiPwdLength, ECCrefPublicKey* pucPublicKey, ECCrefPrivateKey* pucPrivateKey);
Table 16 Parameter description Parameter
Description
void *hSessionHandle[in]
Session handle.
unsigned int uiKeyIndex[in]
Index of the internal key.
unsigned char *prePassword[in]
Key password.
unsigned int prePasswordLen[in]
Password length.
ECCrefPublicKey* pucPublicKey[in]
Public key structure of the device internal key.
ECCrefPrivateKey* pucPrivateKey[in]
Private key structure of the device internal key.
Table 17 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
1. This API imports the plaintext ECC public and private key structures input by a user to the cryptographic module. The public and private key pairs must match. Otherwise, a failure message is returned.
2. The key password must meet the strength requirements. For details, see Special Specifications.
3. Keys with the same index cannot be imported repeatedly.
- Import a KEK in plaintext.
int ECM_ImportKEK(void* hSessionHandle, unsigned int uiKeyIndex, unsigned char *pucPassword, unsigned int uiPwdLength, unsigned char *KEKBuf, unsigned int KEKLen);
Table 18 Parameter description Parameter
Description
void *hSessionHandle[in]
Session handle.
unsigned int uiKeyIndex[in]
Index of the internal key.
unsigned char *prePassword[in]
Key password.
unsigned int prePasswordLen[in]
Password length.
unsigned int *KEKBuf[in]
Imported KEK content.
unsigned int KEKLen[in]
Length of the imported KEK (16 bytes).
Table 19 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
1. The length of plaintext KEKs input by users is fixed at 16 bytes.
2. The key password must meet the strength requirements. For details, see Special Specifications.
3. Keys with the same index cannot be imported repeatedly.
- Import a device internal key in the digital envelope format.
int ECM_ImportKeyWithEnvelop(void *hSessionHandle, unsigned int uiKeyIndex, unsigned char *pucPassword, unsigned int pucPasswordLen, ECCEnvelopedKey *pucEnvelopKey);
Table 20 Parameter description Parameter
Description
void *hSessionHandle[in]
Session handle.
unsigned int uiKeyIndex[in]
Index of the internal key to be imported.
unsigned char *pucPassword[in]
Key password.
unsigned int pucPasswordLen[in]
Password length.
ECCEnvelopedKey *pucEnvelopKey[in]
Input parameter for importing a digital envelope. The digital envelope must be encrypted using the public key corresponding to key 0 of the device.
Table 21 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
1. This API decrypts the digital envelope input by a user using the private key corresponding to key 0 and imports the decrypted digital envelope to the cryptographic module as the key content at the specified index.
2. The key password must meet the strength requirements. For details, see Special Specifications.
3. Keys with the same index cannot be imported repeatedly. If a key corresponding to the index already exists, the import fails.
Export a device internal key in the digital envelope format.
int ECM_ExportKeyWithEnvelop(void *hSessionHandle, unsigned int uiKeyIndex, unsignedchar*pucPassword, unsigned int pucPasswordLen, ECCrefPublicKey *pucPublicKey, ECCEnvelopedKey *pucEnvelopKey);
Table 22 Parameter description Parameter
Description
void *hSessionHandle[in]
Session handle.
unsigned int uiKeyIndex[in]
Index of the internal key to be exported.
unsigned char *prePassword[in]
Password of the internal key to be exported.
unsigned int prePasswordLen[in]
Password length.
ECCrefPublicKey* pucPublicKey[in]
Public key structure for encrypting the digital envelope.
ECCEnvelopedKey *pucEnvelopKey[out]
Exported digital envelope.
Table 23 Return values Return Value
Description
0
Success
Other values
Failure: returning an error code
Before exporting a digital envelope, check whether the entered password matches the specified index. If so, use the input public key to encrypt and generate the digital envelope. If the key corresponding to the index does not exist on the device, a failure message is returned.
Specification Restrictions
Applications integrated with these APIs must be executed by user root and can run on the host and VMs.