Zanjia Electronic Science and Technology HSM-ZJ2014 Hardware Security Module User Manual HSM ZJ2014 x
Zanjia Electronic Science & Technology (Beijing) Co., Ltd. Hardware Security Module HSM ZJ2014 x
2ADTB-HSM-ZJ2014 user manual
Zanjia Electronic Science & Technology (Beijing) Co., LTD HSM-ZJ2014 Guidance Documentation Level 3 Validation November 2013 Copyright©2013,Zanjia Electronic Science & Technology (Beijing) Co., LTD. All rights reserved.This is a private document and cannot be distributed.] Table of Contents 1. Document Overview.......................................................................................................... 1 2. Product Introduction .......................................................................................................... 2 3. 4. 2.1. Major Function ....................................................................................................... 2 2.2. Packing List ............................................................................................................ 2 2.3. Parameter Information ............................................................................................ 3 2.4. Approved Mode of Operation ................................................................................ 4 2.5. Service Delivery Channel ....................................................................................... 5 2.6. Compatible Standard .............................................................................................. 5 2.7. Installation Condition ............................................................................................. 5 2.8. Schematic Diagram ................................................................................................ 6 2.9. Installation Instructions .......................................................................................... 7 HSM Operation Guide....................................................................................................... 8 3.1. Create Crypto Officer ............................................................................................. 8 3.2. Initialize ................................................................................................................ 14 3.2.1. Master Key is Not Generated ........................................................................... 14 3.2.2. Master Key is generated ................................................................................... 21 3.3. Modify Smart Card PIN ....................................................................................... 26 3.4. Shut Down the HSM ............................................................................................ 30 3.5. Error Message....................................................................................................... 31 Remote Management Application ................................................................................... 34 4.1. Crypto Officer Logon User Interface ................................................................... 34 4.2. Device Manager User Interface ............................................................................ 36 4.2.1. User Account and Key Management ................................................................ 37 4.2.2. IP Address Action Table Configuration ........................................................... 59 4.2.3. Network Configuration ..................................................................................... 64 HSM‐ZJ2014Guidance Documentation 4.3. 5. Auditor User Interface .......................................................................................... 65 4.3.1. View Audit Log ................................................................................................ 66 4.3.2. Export Audit Log .............................................................................................. 67 Client Guide .................................................................................................................... 68 5.1. Supported Operating Systems .............................................................................. 69 5.2. Supported PKCS#11 Function ............................................................................. 69 5.2.1 Library Initialization ......................................................................................... 69 5.2.2 Library Finalization .......................................................................................... 69 5.2.3 Get Library Information ................................................................................... 69 5.2.4 Get Function List .............................................................................................. 70 5.2.5 Get Slot List ...................................................................................................... 71 5.2.6 Get Slot Information ......................................................................................... 72 5.2.7 Get Mechanism List.......................................................................................... 73 5.2.8 Get Mechanism Information ............................................................................. 74 5.2.9 Open Session .................................................................................................... 75 5.2.10 Close Session .................................................................................................... 75 5.2.11 Close All Sessions ............................................................................................ 75 5.2.12 Login................................................................................................................. 76 5.2.13 Logout............................................................................................................... 77 5.2.14 Create Object .................................................................................................... 77 5.2.15 Destroy Object .................................................................................................. 79 5.2.16 Get Attribute Value .......................................................................................... 79 5.2.17 Set Attribute Value ........................................................................................... 80 5.2.18 Find Objects Initialization ................................................................................ 81 5.2.19 Find Objects...................................................................................................... 82 5.2.20 Find Objects Finalization.................................................................................. 82 5.2.21 Encryption Initialization ................................................................................... 83 5.2.22 Encrypt ............................................................................................................. 83 5.2.23 Encrypt Update ................................................................................................. 84 5.2.24 Encryption Finalization .................................................................................... 84 Zanjia Electronic Science & Technology (Beijing) Co., LTD4 HSM‐ZJ2014Guidance Documentation 5.2.25 Decryption Initialization ................................................................................... 86 5.2.26 Decrypt ............................................................................................................. 87 5.2.27 Decrypt Update ................................................................................................. 87 5.2.28 Decrypt Finalization ......................................................................................... 88 5.2.29 Hash Initialization............................................................................................. 90 5.2.30 Hash .................................................................................................................. 90 5.2.31 Hash Update ..................................................................................................... 90 5.2.32 Hash Finalization .............................................................................................. 91 5.2.33 Signing Initialization ........................................................................................ 92 5.2.34 Signing .............................................................................................................. 93 5.2.35 Signing Update ................................................................................................. 93 5.2.36 Signing Finalization .......................................................................................... 94 5.2.37 Verification Initialization ................................................................................. 95 5.2.38 Verification ....................................................................................................... 95 5.2.39 Verification Update .......................................................................................... 96 5.2.40 Verification Finalization ................................................................................... 96 5.2.41 Take Random number as Seed ......................................................................... 97 5.2.42 Generate Random Number ............................................................................... 98 Zanjia Electronic Science & Technology (Beijing) Co., LTD5 1. Document Overview This is a guidance document developed for HSM-ZJ2014 from Zanjia Electronic Science & Technology (Beijing) Co., LTD. It describes the detailed information of HSM-ZJ2014 and demonstrates how to install and use it after leaving factory. In this document, the HSM-ZJ2014 is also referred to as “the HSM”. Note: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: HSM‐ZJ2014Guidance Documentation —Reorient or relocate the receiving antenna. —Increase the separation between the equipment and receiver. —Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. —Consult the dealer or an experienced radio/TV technician for help. 2. Product Introduction 2.1. Major Function HSM-ZJ2014 provides cryptographic services, including encryption, decryption, signature generation and verification, and key management service with various hardware protection mechanisms for its security. The HSM also provides standard interfaces of cryptographic services including PKCS #11. In addition, a modular design makes it convenient to integrate HSM-ZJ2014 with existing information systems. 2.2. Packing List Table 1 Packing List of HSM-ZJ2014 Component Quantity HSM-ZJ2014 Directly Connected Ethernet Cable(Grey) Zanjia Electronic Science & Technology (Beijing) Co., LTD2 HSM‐ZJ2014Guidance Documentation Crossover Ethernet Cable(Blue) Fiber Optic Cable Manufacturer's Certificate Packing List Power Line User Guide Crypto Officer Smart Card Product CD Note: this list is only for reference, the packing list in the packing box shall prevail. 2.3. Parameter Information Table 2 Parameter Information of HSM-ZJ2014 Parameter Value 1. Physical Specification 4U Dimensions(Width× Height× Length) 400mm×177mm×490mm 2. Electrical Zanjia Electronic Science & Technology (Beijing) Co., LTD3 HSM‐ZJ2014Guidance Documentation Power Supply 220V, 50Hz Power Dissipation 620W Network Interface RJ-45 10/100/1000Mb ×2 Fiber Optic×2 Network Protocol TCP/IP MTBF >50000 hours 3. Environment Working Temperature 0℃-40℃ Working Humidity 25%-80% Storage Temperature -10℃-55℃ 2.4. Approved Mode of Operation The HSM-ZJ2014provides the following approved mode algorithms: AES (ECB and CBC mode, 128/192/256-bit, encryption and decryption) ECDSA (NIST p256, signature generation/verification) RSA (2048-bit, signature generation/verification) SHA-256 HMAC (HMAC-SHA-256) Zanjia Electronic Science & Technology (Beijing) Co., LTD4 HSM‐ZJ2014Guidance Documentation CTR-DRBG based on 256-bit AES 2.5. Service DeliveryChannel Ethernet:10M/100M/1000M Self-Adapt, 10000M Fiber Optic Based on TCP/IP 2.6. Compatible Standard AES (ECB and CBC mode; 256 bit keys):NIST 197, SP 800-38A; RSA(2048bit): FIPS 186-4, PKCS#1 v2.1; ECDSA(NIST P-256): FIPS 186-4; SHA-256: FIPS 180-4, SP-800-107 Rev.1; HMAC(SHA-256):FIPS 198-1, SP-800-107 Rev.1; DRBG(CTR_DRBGAES256): SP 800-90A; Key Generation: SP 800-133. 2.7. Installation Condition Before Installation,please make sure: 1. The equipment you receive are intact and correspond with Detailed List; 2. Power Switch is OFF; 3. Input voltage keeps within 220V10%. Zanjia Electronic Science & Technology (Beijing) Co., LTD5 HSM‐ZJ2014Guidance Documentation 2.8. Schematic Diagram Front Panel: Figure 1 Front View of HSM-ZJ2014 Rear Panel: Figure 2 Rear View of HSM-ZJ2014 A: Touch Screen B: Smart Card Reader (ID) Zanjia Electronic Science & Technology (Beijing) Co., LTD6 HSM‐ZJ2014Guidance Documentation C: Power Switch D: Smart Card Reader (Key) E: Reset Switch N, O: Power Connectors P: Service Ethernet Port (RJ45) Q: Management Ethernet Port R:Service Ethernet Port (Fiber Optic) 2.9. InstallationInstructions 1. Connect the power supply to the HSM. Note:Before connectingthe power line to the HSM, please make sure power is off first. 2. Connectcable to the HSM. According to your requirement and application scenarios, connect your equipment to the HSM’s RJ45 or Fiber Optic Service Ethernet Port with corresponding cable. 3. Turn on Power Switch, wait until Touch Screen turns to UI below. Note: If any exception occurs, please contact manufacturer. Zanjia Electronic Science & Technology (Beijing) Co., LTD7 HSM‐ZJ2014Guidance Documentation Figure 3 Touch Screen UI of HSM-ZJ2014 3. HSM Operation Guide Crypto Officer Creation, HSM Initialization, Smart Card PIN Modification and HSM Power Off can be executed using Touch Screen. When firstly used after leaving factory, the HSM must create Crypto Officer and be initialized before using. Note: the default 8-digit PINs of all smart cards are “12345678”. 3.1. Create Crypto Officer HSM-ZJ2014 supports 4 types of Crypto Officer, which is shown in the following table. Zanjia Electronic Science & Technology (Beijing) Co., LTD8 HSM‐ZJ2014Guidance Documentation Table 3 Role Description Roles Crypto Officer Description Device Manager: Executes module initialization, device management and key management functions. Functions are available via the Touch Screen or Remote Management Application. The functions related to accessing key can only executed after Authorizer’s authorization. Auditor: Executes log audit functions. Functions are available via Remote Management Application. Auditor can view or export the log. Authorizer: Executes key authorization functions. Functions are available via Remote Management Application. Authorizer can authorize Device Manager’s key management operation. Key Manager: Executes master key export and import functions. Functions are available via Touch Screen and Smart Card Reader. Before coming into use after leaving factory, the HSM needs to generate all Crypto Officers and the corresponding smart cards. Device Manager, Auditor, Authorizer will be generated at first. 5 Key Managers will not be generated until Master Key is generated, whichis shown in Section 4.2.1. After Poweringon, HSM-ZJ2014’sTouch Screen will show as below.Press “Create CO” button to create Device Manager, Auditor, and Authorizer. Zanjia Electronic Science & Technology (Beijing) Co., LTD9 HSM‐ZJ2014Guidance Doccumentation Figu ure 4 Cryypto Officcer Creatiion UI of HSM-ZJ2 2014 Acccording too the message demoonstrated on Touchh Screen, iinsert Dev vice Maanager smart card innto Smartt Card Reeader(ID) and inputt smart caard’s PIN N, then preess “ENTE ER” buttoon. Zanjia Electro onic Science & Technology (Beijing) Co., LTD10 HSM‐ZJ2014Guidance Documentation Figure 5 Device Manager Creation UI of HSM-ZJ2014 Then insert Auditor smart card into Smart Card Reader (ID) and input the smart card PIN, then press “ENTER” button. Zanjia Electronic Science & Technology (Beijing) Co., LTD11 HSM‐ZJ2014Guidance Documentation Figure 6 Auditor Creation UI of HSM-ZJ2014 Finally, insert Authorizer smart card into Smart Card Reader (ID) and input the smart card PIN, then press “ENTER” button. Zanjia Electronic Science & Technology (Beijing) Co., LTD12 HSM‐ZJ2014Guidance Documentation Figure 7 Authorizer Creation UI of HSM-ZJ2014 After Crypto Officers and the corresponding smart cards are generated, Touch Screen will show message “Crypto Officer Smart Card Generated!” Zanjia Electronic Science & Technology (Beijing) Co., LTD13 HSM‐ZJ2014Guidance Documentation Figure 8 Crypto Officer Generated UI of HSM-ZJ2014 3.2. Initialize The HSM needs to be initialized in 2 conditions: First used after leaving factory(or restoring factory setting) Reboot after Master Key is generated The two kinds of initialization have a little difference, which will expressin Section 4.2.1 and Section 4.2.2. 3.2.1. Master Key is NotGenerated When first coming into use after leaving factory, the HSM’s master key is Zanjia Electronic Science & Technology (Beijing) Co., LTD14 HSM‐ZJ2014Guidance Documentation not generated yet. Therefore, Master Key shouldbe generated using the internal RNG and split into 5 shares, andthese 5 shares will be stored into 5 Key Manager smart cards. Press “INITIALIZE”button, according to the message (Figure 9), firstly insert the Device Manager smart card into Smart Card Reader(ID) and input the corresponding PIN to authenticate Device Manager. Figure 9Device Manager Authentication in Initialization After authenticating Device Manager successfully, insert 5 Key Manager smart cards into Smart Card Reader(Key) in order, and input the smart card PIN, then Press “ENTER” button (Figure 10 -Figure 14). Zanjia Electronic Science & Technology (Beijing) Co., LTD15 HSM‐ZJ2014Guidance Documentation Figure 10Key Manager Authentication in Initialization-1 Zanjia Electronic Science & Technology (Beijing) Co., LTD16 HSM‐ZJ2014Guidance Documentation Figure 11Key Manager Authentication in Initialization-2 Zanjia Electronic Science & Technology (Beijing) Co., LTD17 HSM‐ZJ2014Guidance Documentation Figure 12Key Manager Authentication in Initialization-3 Zanjia Electronic Science & Technology (Beijing) Co., LTD18 HSM‐ZJ2014Guidance Documentation Figure 13Key Manager Authentication in Initialization-4 Zanjia Electronic Science & Technology (Beijing) Co., LTD19 HSM‐ZJ2014Guidance Documentation Figure 14Key Manager Authentication in Initialization-5 After 5 shares are stored into 5 Key Manager smart cards, Touch Screen will show message “Master Key Generated! Pressbutton to choose operation. ” Zanjia Electronic Science & Technology (Beijing) Co., LTD20 HSM‐ZJ2014Guidance Documentation Figure 15Initialization Finished 3.2.2. Master Key is generated If Master Key has already been stored into 5 Key Manager smart cards, when power on, the HSM needs to combine Master Key using 3 Key Manager smart cards. Press “INITIALIZE” button, according to the message(Figure 16), first insert the Device Manager smart card into Smart Card Reader (ID) and input the corresponding PIN to authenticate Device Manager. Zanjia Electronic Science & Technology (Beijing) Co., LTD21 HSM‐ZJ2014Guidance Documentation Figure 16 Device Manager Authentication in Initialization After authenticating Device Manager, insert 3 Key Manager smart cards into Smart Card Reader(Key) in order, and input the smart card PIN(Figure 17 - Figure 19). Zanjia Electronic Science & Technology (Beijing) Co., LTD22 HSM‐ZJ2014Guidance Documentation Figure 17 Key Manager Authentication in Initialization-1 Zanjia Electronic Science & Technology (Beijing) Co., LTD23 HSM‐ZJ2014Guidance Documentation Figure 18 Key Manager Authentication in Initialization-2 Zanjia Electronic Science & Technology (Beijing) Co., LTD24 HSM‐ZJ2014Guidance Documentation Figure 19 Key Manager Authentication in Initialization-3 After 3 shares are imported into HSM, Master Key will be recovered and Touch Screen will show message“Master Key Imported! Pressbutton to Choose Operation.” (Figure 20) Zanjia Electronic Science & Technology (Beijing) Co., LTD25 HSM‐ZJ2014Guidance Documentation Figure 20 Initialization Finished 3.3. Modify Smart Card PIN It is highly recommended that you modify Smart Card PIN immediately Smart Card is created. If you want to change smart card PIN, please press “CHANGE PIN” button. According to the message (Figure 21), insert the smart card that needs PIN modification into Smart Card Reader(ID) and input the old PIN to authenticate smart card. Zanjia Electronic Science & Technology (Beijing) Co., LTD26 HSM‐ZJ2014Guidance Documentation Figure 21 PIN Modification - Input Old PIN After inputting the old PIN, according to the message, input and confirm the new PIN (Figure 22&Figure 23). Zanjia Electronic Science & Technology (Beijing) Co., LTD27 HSM‐ZJ2014Guidance Documentation Figure 22 PIN Modification - Input New PIN Zanjia Electronic Science & Technology (Beijing) Co., LTD28 HSM‐ZJ2014Guidance Documentation Figure 23 PIN Modification - Confirm New PIN After the PIN is modified successfully, Touch Screen will show message“PIN Modification Succeeds!”(Figure 24) Zanjia Electronic Science & Technology (Beijing) Co., LTD29 HSM‐ZJ2014Guidance Documentation Figure 24 PIN Modification Succeeds 3.4. Shut Down the HSM Press “SHUT DOWN” button. According to the message (Figure 25), press“ENTER”button to shut down the HSM. If you need not to shut down the HSM right now, press “CANCEL” button to cancel “SHUT DOWN” operation. Zanjia Electronic Science & Technology (Beijing) Co., LTD30 HSM‐ZJ2014Guidance Documentation Figure 25 Shut Down the HSM 3.5. Error Message The following table describes the error message shown on the Touch Screen, gives the probable reason and the solution. Table 4 Error Message Description Reason Error Message Fail to Create Device Manager! 1. There is no card in Smart Card Reader(ID); Fail to Create Auditor! 2. The PIN which you input is not correct. Solution Make sure you insert card in Smart Card Reader(ID), and input correct PIN. Fail to Create Zanjia Electronic Science & Technology (Beijing) Co., LTD31 HSM‐ZJ2014Guidance Documentation Authorizer! Authentication Failed, please Insert Device Manager Key Card, and Input PIN again (8): Cannot Get Smart Card UID 1. There is no card in Smart Card Reader(ID); 2. The card in Smart Card Reader(ID) is not Device Manager Smart card; 3. The PIN which you input is not correct. 1. There is no card in Smart Card Reader(Key); 2. The card inserted is invalid. The Smart Card has The Smart Card has been inserted before. been inserted before! Master Key Recovery Failed! Make sure you insert Device Manager Smart card in Smart Card Reader(ID), and input correct PIN. Make sure you insert HSM-matched card in Smart Card Reader(ID). Insert other card that has not been inserted before. Master Key combined with 3 1. Master Key Smart Card does not match with its hash. 2. Make sure Smart Card that you insert is Master Key Smart Card. Carry out INITIALIZE again. Contact manufacturer. The two new PINs which Two PINs is Inconsistent, Please you input are inconsistent input new PIN again (8): You should retype in new PIN twice and make sure the two PINs are consistent. 1. There is no card in Smart Card Reader(ID); 2. The old PIN which you input is not correct. 3. The card inserted is invalid. Press “CHANGE PIN” button again to carry on PIN modification and make sure you insert card into the Smart Card Reader(ID) and input correct PIN. PIN modification failed! Sensor Triggered, Key Service Stops! Sensor is triggered. 1. Restore to Factory Setting and reboot. Zanjia Electronic Science & Technology (Beijing) Co., LTD32 HSM‐ZJ2014Guidance Documentation 2. Device Key Broken, Key Service Stops! Device Key is broken. Contact manufacturer. 1. Restore to Factory Setting, and reboot. 2. Contact manufacturer. Factory Setting Over, Please Reboot! HSM is in Factory Setting state. Reboot. Known Answer Test for Cryptographic Algorithm fails. The results of Known Answer Test for Cryptographic Algorithm is inconsistent with known results. 1. Reboot. 2. Contact manufacturer. Known Answer Test for Keyed Hashing Algorithm fails. The results of Known Answer Test for Keyed Hashing Algorithm is inconsistent with known results. 1. Reboot. 2. Contact manufacturer. Known Answer Test for Embedded Cryptographic Algorithm is fails. The results of Known Answer Test for Embedded Cryptographic Algorithm is inconsistent with known results. 1. Reboot. 2. Contact manufacturer. Protection Card Test fails. The protection card state is inconsistent with the expected state. 1. Reboot. 2. Contact manufacturer. RNG Test fails. The random number bits 1. generated by DRBG of HSM 2. do not pass the random number test. Reboot. Operating System Test fails. The operating system state is 1. inconsistent with the 2. expected state Reboot. Hardware Test fails. The hardware state is inconsistent with the expected stat. 1. Reboot. 2. Contact manufacturer. Network The network configuration is 1. Contact manufacturer. Contact manufacturer. Reboot. Zanjia Electronic Science & Technology (Beijing) Co., LTD33 HSM‐ZJ2014Guidance Documentation Configuration Test fails. inconsistent with the expected configuration. Application Integrity Test fails. If the hash value of application is inconsistent with the known hash value. 2. Contact manufacturer. 1. Reboot. 2. Contact manufacturer. 4. Remote Management Application Remote Management Application is an application developed for HSM-ZJ2014 and used for managing the HSM. It needs to run on an individual computer. Before running Remote Management Application, please make sure your PC or laptop meets requirements below: OS: Windows Vista/7/8,32/64 bit Dynamic link libraries (*.dll) in product CD has been copied to the file folder where Remote Management Application installs. 4.1. Crypto Officer Logon User Interface Before using Remote Management Application, please connect your computer where runs Remote Management Application to the HSM’s Management Port and configure your network adaptor as following: Zanjia Electronic Science & Technology (Beijing) Co., LTD34 HSM‐ZJ2014Guidance Documentation Figure 26 Network Configuration Launch Remote Management Application, then Crypto Officer Logon User Interface (Figure 27) will show up. Figure 27 Crypto Officer Logon User Interface Zanjia Electronic Science & Technology (Beijing) Co., LTD35 HSM‐ZJ2014Guidance Documentation In this UI, you should firstly choose Crypto Officer Type, then insert the corresponding smart card, input its PIN and Management Port IP address, then press “Logon”. After authenticating Crypto Officer’s identity, UI will turn to the corresponding Crypto Officer UI. 4.2. Device Manager User Interface In Crypto Officer Logon User Interface (Figure 28), choose “Device Manager” as Crypto Officer Type, then insert Device Manager smart card, input its PIN and Management Port IP address (Default is172.20.0.1, generally it needs not to modify), then press “Logon”. Figure 28 Device Manager Logon Interface After authenticating Device Manager’s identity, UI will turn to Device Manager UI. Zanjia Electronic Science & Technology (Beijing) Co., LTD36 HSM‐ZJ2014Guidance Documentation Figure 29 Device Manager UI 4.2.1. User Account and Key Management 4.2.1.1. Create User Account In Device Manager UI, press “CreateUser” button, the following UI will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD37 HSM‐ZJ2014Guidance Documentation Figure 30 User Account Creation Insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then input and confirm the user password, then press “CreateUser”. If the user is created successfully, the following UI will show up. The default key algorithm of the user key is RSA (2048-bit), ECDSA (NIST p256) can be also chosen as the user key algorithm. Figure 31 User Account Creation Succeeds Zanjia Electronic Science & Technology (Beijing) Co., LTD38 HSM‐ZJ2014Guidance Documentation User ID is assigned by the HSM. Each user has 2 default RSA/ECDSA keys, which cannot be deleted. 4.2.1.2. Delete User Account Figure 32 User Account Deletion In Device Manager UI, pick the target user which needs to be deleted and press “DeleteUser” button, the following dialog will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD39 HSM‐ZJ2014Guidance Documentation Figure 33 User Account Deletion Confirm According to the dialog (Figure 33), insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “ENTER” to confirm user deletion, otherwise press “CANCEL” to cancel. If the user is deleted successfully, the following dialog will show up. Figure 34 User Deletion Succeeds 4.2.1.3. Create Key In Device Manager UI, press “CreateUser” button, the following UI will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD40 HSM‐ZJ2014Guidance Documentation Figure 35 User Key Creation When creating key, the key value can be generated by internal RNG or imported by 2 shares that Device Manager inputs. 4.2.1.3.1. Generate from Internal RNG Create Key UI’s default page is “Internal RNG”, which is shown as below. Zanjia Electronic Science & Technology (Beijing) Co., LTD41 HSM‐ZJ2014Guidance Documentation Figure 36 Key Creation via Internal RNG In this page (Figure 36), insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, type in User ID which the key belongs to, choose Key Algorithm, Key Usage and Key Memo (optional), then Press “CreateKey” button. If the key is created successfully, the following dialog will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD42 HSM‐ZJ2014Guidance Documentation Figure 37 Key Creation Succeeds Note that Key ID is assigned by HSM. 4.2.1.3.2. Import from Key Shares In Create Key UI, choose page “Import via Slices”. UI below will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD43 HSM‐ZJ2014Guidance Documentation Figure 38Key Creation from Shares In this pageFigure 38, insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, type in User ID which the key belongs to, choose Key Algorithm and Key Memo (optional), then Press “CreateKey” button. Zanjia Electronic Science & Technology (Beijing) Co., LTD44 HSM‐ZJ2014Guidance Documentation Figure 39 Key Creation from Shares If the key is created successfully, the following dialog will show up. Figure 40 Key Creation Succeeds Zanjia Electronic Science & Technology (Beijing) Co., LTD45 HSM‐ZJ2014Guidance Documentation Key ID is assigned by HSM. 4.2.1.4. View Key Click key in the left tree view, the corresponding key information will show as below. Figure 41View Key Information 4.2.1.5. Update Key In Device Manager UI (Figure 29),pick the target key and press “UpdateKey” button, below UI will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD46 HSM‐ZJ2014Guidance Documentation Figure 42 Key Update Insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN first. The key information which can be updated is Key Usage and Memo. You can input new information inthe correspondingedit box or tick the corresponding checkbox. Moreover, if you want to update Key Value, you can tick the “Update Key Value” checkbox. Then press “UpdateKey” button. If the key or key information is updated successfully, the following UI will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD47 HSM‐ZJ2014Guidance Documentation Figure 43 Key Update Succeeds 4.2.1.6. Delete Key In Device Manager UI, pick the target key which needs to be deleted and press “DeleteKey” button, the following dialog will show up. Figure 44 Key Deletion According to the dialog, insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “Enter” to confirm user deletion, otherwise press “Cancel” to cancel. If the key is deleted successfully, the following dialog will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD48 HSM‐ZJ2014Guidance Documentation Figure 45 Key Deletion Succeeds 4.2.1.7. Key Backup and Restore Management Press “BackupKey” button, the following Backup Management UI will show up. Figure 46 Key Backup and Recovery UI 4.2.1.7.1. Backup Key File In Backup Management UI (Figure 46), insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “Backup” button. The following UI (Figure 47) will show up, which Zanjia Electronic Science & Technology (Beijing) Co., LTD49 HSM‐ZJ2014Guidance Documentation allows to select the file path to store the Key Backup file. Figure 47 Select File Path to Store Key Backup File After selecting the file path,the RMA will try to backup Key File. If succeeds, the following dialog will show up, which indicates the Key file has been backed up successfully and showsthe location of the key backup file. Figure 48 Key FileBackup Succeeds Zanjia Electronic Science & Technology (Beijing) Co., LTD50 HSM‐ZJ2014Guidance Documentation 4.2.1.7.2. Restore Key File In Backup Management UI (Figure 46), insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “Restore” button. If authenticating Authorizer successfully, the following dialog (Figure 49) will show up, where you can choose the Key-backup file location. Figure 49 Key File Restoration After choosing Key-backup file, press “Open”. If restoring Key File successfully, the following dialog will show up and indicate Key File is restored successfully. Zanjia Electronic Science & Technology (Beijing) Co., LTD51 HSM‐ZJ2014Guidance Documentation Figure 50 Key Restoration Succeeds 4.2.1.7.3 Export and Import Key File Key Export and Import function allow backing up Key File from one HSM to the others. For convenience,we take the source HSM as A, the destination HSM as B. 1. Connect HSM A using Remote Management Application. In Backup Management UI shown in Figure 46, insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “Export” button. If authenticating Authorizer successfully, Key Export Guide UI will show up (Figure 51).Before exporting key, 3 Key Managers of HSM A should be authenticated first. According to the message, insert 3 A’s Key Manager smart cards into Smart Card Reader(Key)in order, and input the smart card PIN (Figure 51 - Figure 53). Zanjia Electronic Science & Technology (Beijing) Co., LTD52 HSM‐ZJ2014Guidance Documentation Figure 51 Key Export Guide – 1-1 Figure 52 Key Export Guide – 1-2 Zanjia Electronic Science & Technology (Beijing) Co., LTD53 HSM‐ZJ2014Guidance Documentation Figure 53 Key Export Guide – 1-3 After authenticating HSM A’s 3 Key Manager, you need to import B’s Master Key to trans-encrypt A’s Key File. According to the message, insert 3 B’s Key Manager smart cards into Smart Card Reader (Key) in order and input the smart card PIN (Figure 54 - Figure 56). Figure 54 Key Export Guide – 2-1 Zanjia Electronic Science & Technology (Beijing) Co., LTD54 HSM‐ZJ2014Guidance Documentation Figure 55 Key Export Guide – 2-2 Figure 56 Key Export Guide – 2-3 Then the following UI (Figure 57) will show up, which allows to select the file path to store the Key Backup file. Zanjia Electronic Science & Technology (Beijing) Co., LTD55 HSM‐ZJ2014Guidance Documentation Figure 57 Select File Path to Store Key Backup File If exporting Key File successfully, the following dialog will show up, which indicates the Key file has been backed up successfully and shows the location of the key backup file. Figure 58 Key File Export Succeeds 2. Launch HSM B, connect it with Remote Management Application and enter Backup Management UI shown in Figure 46.Then insert Zanjia Electronic Science & Technology (Beijing) Co., LTD56 HSM‐ZJ2014Guidance Documentation Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “Import” button. If authenticating Authorizer successfully, the following dialog will show up, where you can choose the location of the Key-backup File. Figure 59 Location of Key Backup File Choose Key-backup File, then press “Open”, if importing key file successfully, the dialog below will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD57 HSM‐ZJ2014Guidance Documentation Figure 60 Key File Import Succeeds In this way, the Key file has been successfully imported from HSM A to B. 4.2.1.8. Zeroize All Users and Keys In Device Manager UI (Figure 29), press “Delete All” button, and the following dialog will show up. Figure 61 User and Key Zeroization According to the dialog (Figure 61), insert Authorizer smart card into Smart Card Reader (ID) and input the corresponding PIN, then press “ENTER” to confirm user deletion, otherwise press “CANCEL”. If all keys are deleted successfully, the following dialog will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD58 HSM‐ZJ2014Guidance Documentation Figure 62 User and Key Zeroization 4.2.2. IP Address Action Table Configuration IP Address Action Table is used for allowing HSM to provide cryptographic service only for the specific IP address range. Any host whose IP address is not in IP Address Action Table is unable to access HSM for cryptographic service. In Device Manager UI(Figure 29), press “SystemConfig” button, System Configuration UI will show up. Zanjia Electronic Science & Technology (Beijing) Co., LTD59 HSM‐ZJ2014Guidance Documentation Figure 63 System Configuration Press “IPAccessCtrl” button, the following UI will show up. You can determine the range of IP address that can access the HSM for cryptographic service. Zanjia Electronic Science & Technology (Beijing) Co., LTD60 HSM‐ZJ2014Guidance Documentation Figure 64 IP Access Control UI 4.2.2.1. Append IP Address Action Table Entry In IP Access Control UI (Figure 64), Input the start IP and end IP of IP Address Action Table entry. Zanjia Electronic Science & Technology (Beijing) Co., LTD61 HSM‐ZJ2014Guidance Documentation Figure 65Add IP Access Control Then press “Append”. If appending IP Access Action Table entry successfully, the following dialog will show up, which showsIP Access Action Table Entry is appended successfully. Figure 66Add IP Address Action Table Entry Succeeds Zanjia Electronic Science & Technology (Beijing) Co., LTD62 HSM‐ZJ2014Guidance Documentation 4.2.2.2. Delete IP Address Action Table Entry Pick the target IP Address Action Table Entry, then press “Delete” button. Figure 67 IP Address Deletion If deleting IP Access Action Table entry successfully, the following dialog will show up, which indicates IP Access Action Table entry is deleted successfully. Zanjia Electronic Science & Technology (Beijing) Co., LTD63 HSM‐ZJ2014Guidance Documentation Figure 68 IP Address Deletion Succeeds 4.2.3. Network Configuration In Device Manager UI(Figure 69), press “SystemConfig” button, System Configuration UI will show up. Figure 69 System Configuration UI Zanjia Electronic Science & Technology (Beijing) Co., LTD64 HSM‐ZJ2014Guidance Documentation Pick the target Network Interface, then press “Configuration” button. The following UI will show up. Figure 70 Network Configuration Input IP address, net mask and default gateway then press “Enter”. 4.3. Auditor User Interface In Crypto Officer Logon User Interface, choose “Auditor” as Crypto Officer Type, then insert Auditor smart card, input its PIN and the Management Port IP address, press “Logon”. Zanjia Electronic Science & Technology (Beijing) Co., LTD65 HSM‐ZJ2014Guidance Documentation Figure 71 Crypto Officer Logon User Interface After authenticating Auditor’s identity, UI will turn to Auditor UI. Figure 72 Auditor UI 4.3.1. View Audit Log Choose start date and end date of the Audit Log that Auditor want to view, Zanjia Electronic Science & Technology (Beijing) Co., LTD66 HSM‐ZJ2014Guidance Documentation then press “View Log”. If viewing Audit Log successfully, the Audit Log records will show as below. Figure 73 Audit Log 4.3.2. Export Audit Log Choose start date and end date of the Audit Log that Auditor want to export, then press “Export Log”. If exporting Audit Log successfully, the following dialog will show up, which indicates that Audit Log is exported successfully. Zanjia Electronic Science & Technology (Beijing) Co., LTD67 HSM‐ZJ2014Guidance Documentation Figure 74 Export Audit Log The format of Audit Log exported shows as below. Figure 75 Audit Log 5. Client Guide When the user account and key are created in HSM-ZJ2014, users can access cryptographic service through software librarywhich is developed for the HSM and compiled according to PKCS#11 standard. Zanjia Electronic Science & Technology (Beijing) Co., LTD68 HSM‐ZJ2014Guidance Documentation 5.1. Supported Operating Systems We provide 2 versions of the library, which can run respectively on Linux 2.6.0 or later and Windows Vista/7/8. 5.2. Supported PKCS#11 Function 5.2.1 Library Initialization Function Prototype CK_RVC_Initialize(CK_VOID_PTR pInitArgs); Description Initial PKCS#11library Parameter pInitArgs Can only be NULL Return Value CKR_OK Success Non-CKR_OK Fail, return error code. 5.2.2 Library Finalization Function Prototype CK_RVC_Finalize(CK_VOID_PTR pReserved); Description Clean up application space Parameter pReserved Reserved, Can only be NULL Return Value CKR_OK Success Non-CKR_OK Fail, return error code. 5.2.3 Get Library Information Function Prototype CK_RVC_GetInfo(CK_INFO_PTR pInfo); Description Get Library Information Parameter pInfo Point to Library Information Zanjia Electronic Science & Technology (Beijing) Co., LTD69 HSM‐ZJ2014Guidance Documentation Return Value CKR_OK Success Non-CKR_OK Fail, return error code. CK_INFO info; CK_RV rv; rv = C_Initialize((CK_VOID_PTR) NULL); assert(rv == CKR_OK); rv = C_GetInfo(&info); assert(rv == CKR_OK); if (info.version.major == 2) { Example /* Do lots of interesting cryptographic things with the token */ rv = C_Finalize(NULL_PTR); assert(rv == CKR_OK); 5.2.4 Get Function List Function Prototype CK_RVC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); Description Get Library Information Parameter ppFunctionList Pointer to Pointer to Library List Return Value CKR_OK Success Non-CKR_OK Fail, return error code. CK_FUNCTION_LIST_PTR pFunctionList; CK_C_Initialize pC_Initialize; CK_RV rv; Example /* It's OK to call C_GetFunctionList before calling C_Initialize */ rv = C_GetFunctionList(&pFunctionList); assert(rv == CKR_OK); Zanjia Electronic Science & Technology (Beijing) Co., LTD70 HSM‐ZJ2014Guidance Documentation pC_Initialize = pFunctionList->C_Initialize; /* Call the C_Initialize function in the library */ rv = (*pC_Initialize) (NULL_PTR); 5.2.5 Get Slot List Function Prototype CK_RVC_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount); Description Get slot. If pSlotList is NULL, pulCount returns space size that slot list consumes. Parameter Return Value tokenPresent Boolean value, return TRUE, If slot List only contains present token, otherwise, return FALSE. pSlotList Pointer to Slot List pulCount Pointer to Number of Slots CKR_OK Success Non-CKR_OK Fail, return error code. CK_ULONG ulSlotCount, ulSlotWithTokenCount; CK_SLOT_ID_PTR pSlotList, pSlotWithTokenList; CK_RV rv; /* Get list of all slots */ rv = C_GetSlotList(CK_FALSE, NULL_PTR, &ulSlotCount); if (rv == CKR_OK) { Example pSlotList = (CK_SLOT_ID_PTR) malloc(ulSlotCount * sizeof(CK_SLOT_ID)); rv = C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount); if (rv == CKR_OK) { /* Now use that list of all slots */ ..} free(pSlotList); Zanjia Electronic Science & Technology (Beijing) Co., LTD71 HSM‐ZJ2014Guidance Documentation /* Get list of all slots with a token present */ pSlotWithTokenList = (CK_SLOT_ID_PTR) malloc(0); ulSlotWithTokenCount = 0; while (1) { rv = C_GetSlotList(CK_TRUE, pSlotWithTokenList, ulSlotWithTokenCount); if (rv != CKR_BUFFER_TOO_SMALL) break; pSlotWithTokenList = realloc(pSlotWithTokenList, ulSlotWithTokenList * sizeof(CK_SLOT_ID)); if (rv == CKR_OK) { /* Now use that list of all slots with a token present */ free(pSlotWithTokenList); 5.2.6 Get Slot Information Function Prototype CK_RVC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo); Description Get Slot Information slotID Slot ID pInfo Pointer to Slot Information Return Value CKR_OK Success Non-CKR_OK Fail, return error code. Example CK_ULONG ulCount; Parameter Zanjia Electronic Science & Technology (Beijing) Co., LTD72 HSM‐ZJ2014Guidance Documentation CK_SLOT_ID_PTR pSlotList; CK_SLOT_INFO slotInfo; CK_TOKEN_INFO tokenInfo; CK_RV rv; rv = C_GetSlotList(CK_FALSE, NULL_PTR, &ulCount); if ((rv == CKR_OK) && (ulCount > 0)) { pSlotList = (CK_SLOT_ID_PTR) malloc(ulCount * sizeof(CK_SLOT_ID)); rv = C_GetSlotList(CK_FALSE, pSlotList, &ulCount); assert(rv == CKR_OK); /* Get slot information for first slot */ rv = C_GetSlotInfo(pSlotList[0], &slotInfo); assert(rv == CKR_OK); ..free(pSlotList); 5.2.7 Function Prototype Get Mechanism List CK_RVC_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount); Description Parameter Return Value Get Mechanism List slotID Slot ID pMechanismList Pointer to Mechanism List pulCount Pointer to Number of the Mechanisms in the List CKR_OK Success Non-CKR_OK Fail, return error code. CK_SLOT_ID slotID; Example CK_ULONG ulCount; CK_MECHANISM_TYPE_PTR pMechanismList; Zanjia Electronic Science & Technology (Beijing) Co., LTD73 HSM‐ZJ2014Guidance Documentation CK_RV rv; rv = C_GetMechanismList(slotID, NULL_PTR, &ulCount); if ((rv == CKR_OK) && (ulCount > 0)) { pMechanismList = (CK_MECHANISM_TYPE_PTR) malloc(ulCount * sizeof(CK_MECHANISM_TYPE)); rv = C_GetMechanismList(slotID, pMechanismList, &ulCount); if (rv == CKR_OK) { ..} free(pMechanismList); 5.2.8 Get Mechanism Information Function Prototype CK_RVC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo); Description Get Mechanism Information Parameter Return Value slotID Slot ID type Mechanism Type pInfo Pointer toMechanism Information CKR_OK Success Non-CKR_OK Fail, return error code. CK_SLOT_ID slotID; CK_MECHANISM_INFO info; CK_RV rv; Example /* Get information about the CKM_RSA mechanism for this token */ rv = C_GetMechanismInfo(slotID, CKM_RSA, &info); if (rv == CKR_OK) { Zanjia Electronic Science & Technology (Beijing) Co., LTD74 HSM‐ZJ2014Guidance Documentation if (info.flags&CKF_DIGEST) { ..} 5.2.9 Open Session Function Prototype CK_RVC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession); Description Open Session slotID Slot ID type Session Type pApplication Pointer to Parameters of Callback Function Notify Callback Function phSession Pointer to Session Handle Return Value CKR_OK Success Non-CKR_OK Fail, return error code. 5.2.10 Close Session Parameter Function Prototype CK_RVC_CloseSession(CK_SESSION_HANDLE hSession); Description Close Session Parameter hSession Session Handle Return Value CKR_OK Success Non-CKR_OK Fail, return error code. 5.2.11 Function Prototype Close All Sessions CK_RVC_CloseAllSessions(CK_SLOT_ID slotID); Zanjia Electronic Science & Technology (Beijing) Co., LTD75 HSM‐ZJ2014Guidance Documentation Description Close All Sessions Parameter slotID slotID Return Value CKR_OK Success Non-CKR_OK Fail, return error code. CK_SLOT_ID slotID; CK_BYTE application; CK_NOTIFY MyNotify; CK_SESSION_HANDLE hSession; CK_RV rv; Example application = 17; MyNotify = &EncryptionSessionCallback; rv = C_OpenSession(slotID, CKF_SERIAL_SESSION | CKF_RW_SESSION, (CK_VOID_PTR) & application, MyNotify, &hSession); if (rv == CKR_OK) { ..C_CloseSession(hSession); rv = C_CloseAllSessions(slotID); 5.2.12 Function Prototype Login CK_RVC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen); Description Parameter Login hSession Session Handle userType User Type, supports only Type USER. pPin Pointer to address that stores PIN, PIN is make up of Zanjia Electronic Science & Technology (Beijing) Co., LTD76 HSM‐ZJ2014Guidance Documentation 8 or less digits. Return Value 5.2.13 ulPinLen Length of PIN CKR_OK Success Non-CKR_OK Fail, return error code. Logout Function Prototype CK_RVC_Logout(CK_SESSION_HANDLEhSession); Description Close Session Parameter hSession Session Handle Return Value CKR_OK Success Non-CKR_OK Fail, return error code. CK_SESSION_HANDLE hSession; CK_UTF8CHAR userPIN[] = { "MyPIN" }; CK_RV rv; rv = C_Login(hSession, CKU_USER, userPIN, sizeof(userPIN) - 1); Example if (rv == CKR_OK) { ..rv == C_Logout(hSession); if (rv == CKR_OK) { ..} 5.2.14 Create Object Function Prototype CK_RVC_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTRphObject); Description Create Object Zanjia Electronic Science & Technology (Beijing) Co., LTD77 HSM‐ZJ2014Guidance Documentation hSession Session Handle pTemplate Pointer to Template ulCount The number of templates phObject Pointer to Object Handle CKR_OK Success Non-CKR_OK Fail, return error code. Parameter Return Value CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; CK_KEY_TYPE keyType = CKK_RSA; CK_BBOOLtrue = CK_TRUE; CK_ATTRIBUTE keyTemplate[] = { {CKA_CLASS, &keyClass, sizeof(keyClass)} {CKA_KEY_TYPE, &keyType, sizeof(keyType)} {CKA_POINT, point, sizeof(point)} Example }; CK_RV rv; /* Create an RSA public key object */ rv = C_CreateObject(hSession, &keyTemplate, 3, &hKey); if (rv == CKR_OK) { Zanjia Electronic Science & Technology (Beijing) Co., LTD78 HSM‐ZJ2014Guidance Documentation 5.2.15 Function Prototype Description Destroy Object CK_RVC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject); Destroy Object hSession Session Handle hObject Object Handle CKR_OK Success Non-CKR_OK Fail, return error code. Parameter Return Value 5.2.16 Function Prototype Get Attribute Value CK_RVC_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); Description Get Attribute Value hSession Session Handle hObject Object Handle pTemplate Pointer to Template List ulCount Number of Templates CKR_OK Success Non-CKR_OK Fail, return error code. Parameter Return Value CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hObject; Example CK_BYTE point; CK_ATTRIBUTEtemplate[] = { {CKA_POINT, NULL_PTR, 0} Zanjia Electronic Science & Technology (Beijing) Co., LTD79 HSM‐ZJ2014Guidance Documentation }; CK_RV rv; rv = C_GetAttributeValue(hSession, hObject, &template, 1); if (rv == CKR_OK) { point = (CK_BYTE_PTR) malloc(template[0].ulValueLen); template[0].pValue = point; /* template[0].ulValueLen was set by C_GetAttributeValue */ rv = C_GetAttributeValue(hSession, hObject, &template, 1); if (rv == CKR_OK) { ..} free(point); 5.2.17 Function Prototype Set Attribute Value CK_RVC_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); Description Set hSession Session Handle hObject Object Handle pTemplate Pointer to Template List ulCount Number of Templates Parameter Zanjia Electronic Science & Technology (Beijing) Co., LTD80 HSM‐ZJ2014Guidance Documentation Return Value CKR_OK Success Non-CKR_OK Fail, return error code. CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hObject; CK_UTF8CHAR label[] = { "New label" }; CK_ATTRIBUTEtemplate[] = { CKA_LABEL, label, sizeof(label) - 1 }; Example CK_RV rv; rv = C_SetAttributeValue(hSession, hObject, &template, 1); if (rv == CKR_OK) { 5.2.18 Function Prototype Description Parameter Return Find Objects Initialization CK_RVC_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); Find Objects Initialization hSession Session Handle pTemplate Pointer to Template List ulCount Number of Templates CKR_OK Success Zanjia Electronic Science & Technology (Beijing) Co., LTD81 HSM‐ZJ2014Guidance Documentation Value 5.2.19 Function Prototype Non-CKR_OK Fail, return error code. Find Objects CK_RVC_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount); Description Find Object hSession Session Handle phObject Pointer to Object Handle ulMaxObjectCount Max number of Objects returned pulObjectCount Pointer to Actual number of Objects returned CKR_OK Success Non-CKR_OK Fail, return error code. Parameter Return Value 5.2.20 Find Objects Finalization Function Prototype CK_RVC_FindObjectsFinal(CK_SESSION_HANDLE hSession); Description Finalize Find Object operation Parameter hSession Session Handle Return Value CKR_OK Success Non-CKR_OK Fail, return error code. CK_ATTRIBUTE priKeysTemplate[] = { {CKA_CLASS, &priKeys, sizeof(priKeys)}, }; Example rc =FunctionPtr->C_FindObjectsInit(hSession, priKeysTemplate, 1); if (rc != CKR_OK) { printf("error FindObjectsInit\n"); Zanjia Electronic Science & Technology (Beijing) Co., LTD82 HSM‐ZJ2014Guidance Documentation rc = FunctionPtr->C_FindObjects(hSession, &priKeys_h, 1, &ulObjectCount); rc = FunctionPtr->C_FindObjectsFinal(hSession); 5.2.21 Encryption Initialization Function Prototype CK_RVC_EncryptInit(CK_SESSION_HANDLE hSession, Description Initialize Encryption Parameter Return Value 5.2.22 Function Prototype CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); hSession Session Handle pMechanism Pointer to Mechanism hKey Key Handle CKR_OK Success Non-CKR_OK Fail, return error code. Encrypt CK_RVC_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, CK_ULONG_PTR pulEncryptedDataLen); Description Parameter Return Encrypt hSession Session Handle pData Pointer to Plain Data ulDataLen Length of Plain Data pEncryptedData Pointer to Cipher Data Buffer pulEncryptedDataLen Pointer to Length of Cipher Data Buffer CKR_OK Success Zanjia Electronic Science & Technology (Beijing) Co., LTD83 HSM‐ZJ2014Guidance Documentation Value 5.2.23 Function Prototype Non-CKR_OK Fail, return error code. Encrypt Update CK_RVC_EncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, CK_ULONG_PTR pulEncryptedPartLen); Description Parameter Return Value 5.2.24 Function Prototype Encrypt Update hSession Session Handle pPart Pointer to AdditionalPlain Data ulPartLen Length of AdditionalPlain Data pEncryptedPart Pointer to Cipher Data Buffer pulEncryptedPartLen Pointer to Length of Cipher Data Buffer CKR_OK Success Non-CKR_OK Fail, return error code. Encryption Finalization CK_RVC_EncryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen); Description Parameter Return Value Finalize Encryption hSession Session Handle pLastEncryptedPart Pointer to Last Cipher Data pulLastEncryptedPartLen Pointer to Length of Last Cipher Data CKR_OK Success Non-CKR_OK Fail, return error code. Zanjia Electronic Science & Technology (Beijing) Co., LTD84 HSM‐ZJ2014Guidance Documentation #define PLAINTEXT_BUF_SZ 200 #define CIPHERTEXT_BUF_SZ 256 CK_ULONG firstPieceLen, secondPieceLen; CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_BYTE iv[8]; CK_MECHANISM mechanism = { CKM_AES_ECB, iv, sizeof(iv) }; CK_BYTE data[PLAINTEXT_BUF_SZ]; CK_BYTE encryptedData[CIPHERTEXT_BUF_SZ]; CK_ULONG ulEncryptedData1Len; CK_ULONG ulEncryptedData2Len; Example CK_ULONG ulEncryptedData3Len; CK_RV rv; firstPieceLen = 90; secondPieceLen = PLAINTEXT_BUF_SZ - firstPieceLen; rv = C_EncryptInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { /* Encrypt first piece */ ulEncryptedData1Len = sizeof(encryptedData); rv = C_EncryptUpdate(hSession, &data[0], firstPieceLen, &encryptedData[0], &ulEncryptedData1Len); if (rv != CKR_OK) { ..} Zanjia Electronic Science & Technology (Beijing) Co., LTD85 HSM‐ZJ2014Guidance Documentation /* Encrypt second piece */ ulEncryptedData2Len = sizeof(encryptedData) - ulEncryptedData1Len; rv = C_EncryptUpdate(hSession, &data[firstPieceLen], secondPieceLen, &encryptedData[ulEncryptedData1Len], &ulEncryptedData2Len); if (rv != CKR_OK) { ..} /* Get last little encrypted bit */ ulEncryptedData3Len = sizeof(encryptedData) - ulEncryptedData1Len - ulEncryptedData2Len; rv = C_EncryptFinal(hSession, &encryptedData[ulEncryptedData1Len + ulEncryptedData2Len], &ulEncryptedData3Len); if (rv != CKR_OK) { ..} 5.2.25 Decryption Initialization Function Prototype CK_RVC_DecryptInit(CK_SESSION_HANDLE hSession, Description Decryption Initialization Parameter CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); hSession Session Handle pMechanism Pointer to Mechanism hKey Key Handle Zanjia Electronic Science & Technology (Beijing) Co., LTD86 HSM‐ZJ2014Guidance Documentation Return Value 5.2.26 Function Prototype CKR_OK Success Non-CKR_OK Fail, return error code. Decrypt CK_RVC_Decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen); Description Parameter Return Value 5.2.27 Function Prototype Decrypt hSession Session Handle pEncryptedData Pointer to Cipher Data ulEncryptedDataLen Length of Cipher Data pData Pointer to Plain Data Buffer pulDataLen Pointer to Length of Plain Data Buffer CKR_OK Success Non-CKR_OK Fail, return error code. Decrypt Update CK_RVC_DecryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen); Description Parameter Decrypt Update hSession Session Handle pEncryptedPart Pointer to CipherData ulEncryptedPartLen Length of Cipher Data Zanjia Electronic Science & Technology (Beijing) Co., LTD87 HSM‐ZJ2014Guidance Documentation Return Value 5.2.28 Function Prototype pPart Pointer to AdditionalPlain Data Buffer pulPartLen Pointer to Length of AdditionalPlain Data Buffer CKR_OK Success Non-CKR_OK Fail, return error code. Decrypt Finalization CK_RVC_DecryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen); Description Parameter Return Value Decrypt Finalization hSession Session Handle pLastPart Pointer to Last Plain Data pulLastPartLen Pointer to Length of Last Plain Data CKR_OK Success Non-CKR_OK Fail, return error code. #define CIPHERTEXT_BUF_SZ 256 #define PLAINTEXT_BUF_SZ 256 CK_ULONG firstEncryptedPieceLen, secondEncryptedPieceLen; CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_BYTE iv[8]; Example CK_MECHANISM mechanism = { CKM_AES_ECB, iv, sizeof(iv) }; CK_BYTE data[PLAINTEXT_BUF_SZ]; CK_BYTE encryptedData[CIPHERTEXT_BUF_SZ]; CK_ULONG ulData1Len, ulData2Len, ulData3Len; Zanjia Electronic Science & Technology (Beijing) Co., LTD88 HSM‐ZJ2014Guidance Documentation CK_RV rv; firstEncryptedPieceLen = 90; secondEncryptedPieceLen = CIPHERTEXT_BUF_SZ - firstEncryptedPieceLen; rv = C_DecryptInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { /* Decrypt first piece */ ulData1Len = sizeof(data); rv = C_DecryptUpdate(hSession, &encryptedData[0], firstEncryptedPieceLen, &data[0], &ulData1Len); if (rv != CKR_OK) { ..} /* Decrypt second piece */ ulData2Len = sizeof(data) - ulData1Len; rv = C_DecryptUpdate(hSession, &encryptedData[firstEncryptedPieceLen], secondEncryptedPieceLen, &data[ulData1Len], &ulData2Len); if (rv != CKR_OK) { ..} /* Get last little decrypted bit */ ulData3Len = sizeof(data) - ulData1Len - ulData2Len; rv = C_DecryptFinal(hSession, &data[ulData1Len + ulData2Len], &ulData3Len); if (rv != CKR_OK) { ..} Zanjia Electronic Science & Technology (Beijing) Co., LTD89 HSM‐ZJ2014Guidance Documentation 5.2.29 Function Prototype Description Hash Initialization CK_RVC_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism); Hash Initialization hSession Session Handle pMechanism Pointer to Mechanism CKR_OK Success Non-CKR_OK Fail, return error code. Parameter Return Value 5.2.30 Function Prototype Hash CK_RVC_Digest(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen); Description Hash hSession Session Handle pData Pointer to Data to be hashed ulDataLen Length of Data to be hashed pDigest Pointer to Digest Data Buffer pulDigestLen Pointer to Length of Digest Data Buffer Return Value CKR_OK Success Non-CKR_OK Fail, return error code. 5.2.31 Hash Update Parameter Function CK_RVC_DigestUpdate(CK_SESSION_HANDLE hSession, Zanjia Electronic Science & Technology (Beijing) Co., LTD90 HSM‐ZJ2014Guidance Documentation Prototype CK_BYTE_PTRpPart, CK_ULONG ulPartLen); Description Parameter Return Value 5.2.32 Function Prototype Hash Update hSession Session Handle pPart Pointer to Additional Data Buffer to be hashed ulPartLen Length of Data Buffer to be hashed CKR_OK Success Non-CKR_OK Fail, return error code. Hash Finalization CK_RVC_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen); Description Parameter Return Value Hash Finalizaion hSession Session Handle pDigest Pointer to Last Digest Data pulDigestLen Pointer to Length of Last Digest Data CKR_OK Success Non-CKR_OK Fail, return error code. CK_SESSION_HANDLE hSession; CK_MECHANISM mechanism = { CKM_SM3, NULL_PTR, 0 }; Example CK_BYTE data[] = {... }; CK_BYTE digest[32]; CK_ULONG ulDigestLen; Zanjia Electronic Science & Technology (Beijing) Co., LTD91 HSM‐ZJ2014Guidance Documentation CK_RV rv; rv = C_DigestInit(hSession, &mechanism); if (rv != CKR_OK) { rv = C_DigestUpdate(hSession, data, sizeof(data)); if (rv != CKR_OK) { rv = C_DigestKey(hSession, hKey); if (rv != CKR_OK) { ulDigestLen = sizeof(digest); rv = C_DigestFinal(hSession, digest, &ulDigestLen); 5.2.33 Function Prototype Signing Initialization CK_RVC_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); Zanjia Electronic Science & Technology (Beijing) Co., LTD92 HSM‐ZJ2014Guidance Documentation Description Parameter Return Value 5.2.34 Function Prototype Signing Initialization hSession Session Handle pMechanism Pointer to Mechanism hKey Key Handle CKR_OK Success Non-CKR_OK Fail, return error code. Signing CK_RVC_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen); Description Parameter Return Value 5.2.35 Function Prototype Signing hSession Session Handle pData Pointer to Data to be signed ulDataLen Length of Data to be signed pSignature Pointer to Signed Data pulSignatureLen Pointer to Length of Signed Data Buffer CKR_OK Success Non-CKR_OK Fail, return error code. Signing Update CK_RVC_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); Description Signing Update Parameter hSession Session Handle Zanjia Electronic Science & Technology (Beijing) Co., LTD93 HSM‐ZJ2014Guidance Documentation Return Value 5.2.36 Function Prototype pPart Pointer to Additional Data Buffer to be signed ulPartLen Length of Data Buffer to be signed CKR_OK Success Non-CKR_OK Fail, return error code. Signing Finalization CK_RVC_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen); Description Parameter Return Value Signing Finalization hSession Session Handle pSignature Pointer to Last Signed Data pulSignatureLen Pointer to Length of Last Signed Data CKR_OK Success Non-CKR_OK Fail, return error code. CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_RSA, NULL_PTR, 0 }; CK_BYTE data[] = {... }; Example CK_BYTE mac[64]; CK_ULONG ulMacLen; CK_RV rv; rv = C_SignInit(hSession, &mechanism, hKey); Zanjia Electronic Science & Technology (Beijing) Co., LTD94 HSM‐ZJ2014Guidance Documentation if (rv == CKR_OK) { rv = C_SignUpdate(hSession, data, sizeof(data)); ..ulMacLen = sizeof(mac); rv = C_SignFinal(hSession, mac, &ulMacLen); 5.2.37 Function Prototype Verification Initialization CK_RVC_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); Description Initialize Verification hSession Session Handle pMechanism Pointer to Mechanism hKey Key Handle Return Value CKR_OK Success Non-CKR_OK Fail, return error code. 5.2.38 Verification Parameter Function Prototype CK_RVC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen); Description Verification Parameter hSession Session Handle Zanjia Electronic Science & Technology (Beijing) Co., LTD95 HSM‐ZJ2014Guidance Documentation Return Value 5.2.39 Function Prototype pData Pointer to Source Datato be verified ulDataLen Length of Source Data to be verified pSignature Pointer to Signed Data Buffer to be verified ulSignatureLen Length of Signed Data Buffer to be verified CKR_OK Success,Verification Passed CKR_SIGNATURE_INVALID Success,Signature Invalid Non-CKR_OK Fail, return error code. Verification Update CK_RVC_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); Description Parameter Return Value 5.2.40 Function Prototype Verification Update hSession Session Handle pPart Pointer to Additional Data Buffer to be verified ulPartLen Length of Data Buffer to be verified CKR_OK Success Non-CKR_OK Fail, return error code. Verification Finalization CK_RVC_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTRpSignature, CK_ULONG ulSignatureLen); Description Verification Finalization hSession Session Handle pSignature Pointer to Last Data to be verified Parameter Zanjia Electronic Science & Technology (Beijing) Co., LTD96 HSM‐ZJ2014Guidance Documentation Return Value ulSignatureLen Length of Last Data to be verified CKR_OK Success,Verification Passed CKR_SIGNATURE_INVALID Success,Signature Invalid Non-CKR_OK Fail, return error code. CK_SESSION_HANDLE hSession; CK_OBJECT_HANDLE hKey; CK_MECHANISM mechanism = { CKM_RSA, NULL_PTR, 0 }; CK_BYTE data[] = {... }; CK_BYTE mac[64]; CK_RV rv; Example rv = C_VerifyInit(hSession, &mechanism, hKey); if (rv == CKR_OK) { rv = C_VerifyUpdate(hSession, data, sizeof(data)); ..rv = C_VerifyFinal(hSession, mac, sizeof(mac)); 5.2.41 Function Prototype Take Random number as Seed CK_RVC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen); Description Take Random number as Seed Zanjia Electronic Science & Technology (Beijing) Co., LTD97 HSM‐ZJ2014Guidance Documentation Parameter Return Value 5.2.42 Function Prototype hSession Session Handle pSeed Pointer to Seed ulSeedLen Length of Seed CKR_OK Success Non-CKR_OK Fail, return error code. Generate Random Number CK_RVC_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen); Description Parameter Return Value Generate Random Number hSession Session Handle pRandomData Pointer to Random Number ulRandomLen Length of Random Number CKR_OK Success Non-CKR_OK Fail, return error code. CK_SESSION_HANDLE hSession; CK_BYTE seed[] = {... }; CK_BYTE randomData[] = {... }; CK_RV rv; Example rv = C_SeedRandom(hSession, seed, sizeof(seed)); if (rv != CKR_OK) { Zanjia Electronic Science & Technology (Beijing) Co., LTD98 HSM‐ZJ2014Guidance Documentation rv = C_GenerateRandom(hSession, randomData, sizeof(randomData)); if (rv == CKR_OK) { Zanjia Electronic Science & Technology (Beijing) Co., LTD99
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : Yes Author : Vivian Create Date : 2015:04:14 14:43:36+08:00 Modify Date : 2015:04:14 14:43:36+08:00 XMP Toolkit : Adobe XMP Core 4.2.1-c041 52.342996, 2008/05/07-20:48:00 Creator Tool : PScript5.dll Version 5.2.2 Producer : Acrobat Distiller 9.0.0 (Windows) Format : application/pdf Title : Microsoft Word - HSM-ZJ2014 user manual.docx Creator : Vivian Document ID : uuid:57c06395-80b5-4816-a7f0-3949f553d376 Instance ID : uuid:e5477d3b-5d32-43da-9815-9b3165a73913 Page Count : 103EXIF Metadata provided by EXIF.tools