GmSSL

GmSSL is an open-source cryptographic library that implements the Chinese national cryptographic standards SM2, SM3, SM4, SM9, and ZUC as a unified algorithm suite. It provides a comprehensive set of cryptographic primitives including symmetric and asymmetric encryption, digital signatures, hashing, and key exchange, all built around these national standards for government and enterprise security applications.

The library distinguishes itself through several integration capabilities. It includes an OpenSSL compatibility layer that maps GmSSL functions to OpenSSL API calls, enabling drop-in replacement in applications like Nginx. A hardware abstraction layer provides software interfaces to SDF and SKF cryptographic devices, allowing transparent offloading of operations to PCI-E cards or USB tokens. Multi-language JNI bindings expose the cryptographic APIs to Java, PHP, and Go applications through a compiled shared library.

The library supports a full TLS and TLCP protocol stack with TLS 1.2, 1.3, and TLCP 1.1 using SM-series cipher suites, along with an X.509 certificate engine for creating, parsing, validating, and managing digital certificates and PKI requests. It also includes post-quantum cryptography support with CRYSTALS-Kyber, SPHINCS+, XMSS, and LMS/HSS algorithms. The cross-platform build system compiles for Android/ARM via NDK and Windows via Visual Studio, producing CLI binaries and shared libraries.

Features

Chinese National Standard - Implements Chinese national cryptographic standards SM2, SM3, SM4, SM9, and ZUC as a unified algorithm suite.

SM4 Cipher Modes - Encrypts and decrypts data using the SM4 block cipher in multiple modes including CBC, CTR, GCM, and XTS.

OpenSSL Compatibility Layers - Replacing OpenSSL with GmSSL's cryptographic functions in existing applications like Nginx using a compatibility layer.

SM2 and SM9 Public-Key Cryptography Libraries - Provides SM2 elliptic curve and SM9 identity-based public-key encryption, digital signatures, and key exchange.

TLS and TLCP Protocol Implementations - Supports TLS 1.2, 1.3, and TLCP 1.1 with SM-series cipher suites for secure network communication.

Dual Symmetric and Asymmetric Support - Provides SM4, AES, SM2, SM9, and RSA encryption, signing, key exchange, and hashing via a unified API.

Chinese National Standard Cryptographic Implementations - Implements Chinese national cryptographic standards SM2, SM3, SM4, SM9, and ZUC for encryption, signing, and hashing.

Chinese National Standard Cryptographic Libraries - An open-source cryptographic library implementing Chinese national standards SM2, SM3, SM4, SM9, and ZUC for encryption, signing, and secure communication.

Cryptographic Digests - Hashes arbitrary input data into fixed-size digests using SHA-256 and other algorithms for integrity.

SM3 Hash Implementations - Ships a dedicated library implementing the SM3 hash algorithm for data integrity verification and digital signatures.

SM3 Integrity Hashes - Generates fixed-length hash values using the SM3 cryptographic hash algorithm for data integrity verification.

Cryptographic Key Generation - Derive symmetric keys from passwords using PBKDF2 or HKDF and produce random bytes via a DRBG.

Digital Message Signing - Create and validate digital signatures or MACs over message data using symmetric keys or asymmetric key pairs.

Digital Signatures - Implements digital signature creation and verification using SM2 and RSA algorithms.

SM2 - Ships a dedicated implementation of SM2 digital signatures for government and enterprise use.

SM2 and SM9 - Provides both SM2 and SM9 digital signature algorithms for identity-based and certificate-based signing.

Asymmetric Encryption - Encrypts data with a recipient's public key and decrypts it with the corresponding private key for secure asymmetric communication.

Diffie-Hellman Exchanges - Combine a private key with a peer's public key using DH or ECDH to produce a shared secret for symmetric encryption.

Shared Secret Derivations - Perform a key exchange protocol to produce a shared secret between two parties over an insecure channel.

National Standard Secure Communication Implementations - Implements Chinese national cryptographic standards SM2, SM3, SM4, SM9, and ZUC for encrypted communication and digital signatures.

TLS Implementations - Secures network communications by implementing SSL/TLS protocols with Chinese national standard cipher suites.

General-Purpose Hashing - Computes hash digests using SM3, SHA-256, and MD5 for data integrity and authentication.

Integrity Verifications - Produces fixed-size fingerprints using SM3, SHA-1, and SHA-2 for data integrity verification.

SM3 Hash Computations - Computes cryptographic hashes of input data using the SM3 algorithm, producing a fixed-size digest.

Key Pair Generations - Create public/private key pairs for algorithms like EC, DSA, and DH, supporting operations such as signing and key agreement.

General TLS Connection Establishment - Negotiate encrypted communication channels using SSL/TLS protocols.

SM4 Implementations - A symmetric encryption library supporting SM4 in multiple modes including CBC, CTR, GCM, and XTS for data confidentiality.

Symmetric Encryption - Protect data using a shared key and initialization vector with algorithms like AES in CBC mode, applying PKCS padding by default.

Hybrid Encryption Schemes - Performs encryption and decryption using Chinese national standard cryptographic algorithms SM2 and SM4.

Hardware Security Module Lifecycles - Generate, store, and manage cryptographic keys through hardware security modules or key management services.

X.509 Certificate Parsers - Creates, signs, verifies, and manages X.509 certificates, CRLs, and PKI requests.

SDF and SKF Device Interfaces - Interfaces with SDF and SKF cryptographic hardware devices such as PCI-E cards and USB tokens.

National Standard Crypto Device Communication - Communicates with Chinese national standard SDF and SKF cryptographic hardware devices such as PCI-E cards and USB tokens.

Hardware Abstraction Layers - Provides a software interface to SDF and SKF cryptographic devices, offloading operations to PCI-E cards or USB tokens.

National Standard Crypto Hardware Interfaces - Accesses national-standard SDF and SKF cryptographic hardware accelerators through a software abstraction layer.

PKCS and CMS Message Processors - Encode, decode, and transform PKCS and CMS structured messages.

Multi-Language Bindings - Integrating cryptographic functions into applications via API bindings for Java, PHP, and Go.

Authenticated Encryption - Provides both confidentiality and integrity by encrypting data and appending a MAC tag with optional associated data.

Certificate Lifecycle Management - Creates, parses, and validates X.509 digital certificates, certificate revocation lists, and certificate signing requests.

Boneh-Boyen Identity-Based Encryptions - Uses the Boneh-Boyen IBE scheme to encrypt data so only a recipient with a specific identity can decrypt it.

Hardware Key Storage - Keeps private keys inside USB keys, PCI cards, or cryptographic devices so they never leave secure hardware.

SDF and SKF Abstraction Layers - Provides a software abstraction layer for SDF and SKF cryptographic hardware accelerators and secure key storage.

SM2 Hardware Signing - Performs SM2 signing inside a cryptographic device using a private key that cannot be exported.

National Standard Hardware Accelerators - Offloads SM1 and SSF33 cipher computations to dedicated hardware devices to reduce CPU load.

Hardware Security Module Integrations - Interacts with Chinese national standard SKF and SDF cryptographic hardware devices for secure key operations.

X.509 Certificate Parsing and Validation - Creates, parses, validates, and manages digital certificates, CRLs, and PKI requests with full lifecycle support.

Message Authentication Codes - Generate and verify a keyed hash to authenticate a message and detect tampering.

Key Derivation Functions - Generates secret keys from a password or shared secret using PBKDF2 or HKDF key derivation functions.

Post-Quantum Algorithm Executions - Performs key encapsulation and hash-based signing using CRYSTALS-Kyber, SPHINCS+, XMSS, and LMS/HSS algorithms.

guanzhiGmSSL

Features

Star history