1
/
de
7
PayPal, credit cards. Download editable-PDF and invoice in 1 second!
GM/T 0093-2020 English PDF (GMT0093-2020)
GM/T 0093-2020 English PDF (GMT0093-2020)
Prix habituel
$320.00 USD
Prix habituel
Prix promotionnel
$320.00 USD
Prix unitaire
/
par
Frais d'expédition calculés à l'étape de paiement.
Impossible de charger la disponibilité du service de retrait
Delivery: 3 seconds. Download true-PDF + Invoice.
Get QUOTATION in 1-minute: Click GM/T 0093-2020
Historical versions: GM/T 0093-2020
Preview True-PDF (Reload/Scroll if blank)
GM/T 0093-2020: Certificate and key exchange format specification
GM/T 0093-2020
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Certificate and key exchange format specification
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 OID definition ... 8
6 Definition of basic type ... 9
6.1 CKX type ... 9
6.2 AuthenticatedSafe type ... 11
6.3 SafeContents type ... 12
6.4 SafeBag type ... 13
7 Basic process of certificate and key exchange ... 16
7.1 Create CKX data unit ... 16
7.2 Import keys and certificates from a CKX data unit ... 17
8 Extended attributes ... 17
Appendix A (Normative) ASN.1 syntax notation ... 18
Appendix B (Informative) Import and export example of double certificate and
private key ... 22
References ... 30
Certificate and key exchange format specification
1 Scope
This document specifies the transmission syntax of information, such as
certificates and keys, including private keys, certificates, certificate revocation
lists, various forms of secret values, as well as their extended standardized
packaging.
This document is suitable for application scenarios, where personal SM2
algorithm certificates and keys and other information are migrated between
different platforms.
2 Normative references
The contents of the following documents constitute the indispensable clauses
of this document through normative references in the text. Among them, for
dated reference documents, only the version corresponding to that date is
applicable to this document; for undated reference documents, the latest
version (including all amendments) is applicable to this document.
GB/T 15852.2-2012 Information technology - Security techniques - Message
Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-
function
GB/T 35275-2017 Information security technology - SM2 cryptographic
algorithm encrypted signature message syntax specification
GB/T 35276-2017 Information security technology - SM2 cryptography
algorithm usage specification
GB/T 33560-2017 Information security technology - Cryptographic
application identifier criterion specification
GM/T 0091-2020 Password-based key derivation specification
GM/Z 4001 Cryptographic terms
3 Terms and definitions
The terms and definitions, which are defined in GM/Z 4001 and GM/T 0091-
2020, are applicable to this document.
encryptedContent field to be the BER encoding of the encrypted SCi
(note that it shall include the octet stream of the label and length bytes).
3) If SCi uses public key for encryption, create an EnvelopedData type
ContentInfo instance CIi, essentially the same way as EncryptedData
ContentInfo in b)2).
c) Arrange CIi’s in SEQUENCE, to generate an instance of
AuthenticatedSafe.
d) Generate a ContentInfo instance T whose content type is Data. The
content of the Data octet stream is the BER encoding of the
AuthenticatedSafe value (octet stream including tag, length, value).
e) For integrity protection.
1) If CKX PDU uses digital signature for authentication, generate a
ContentInfo instance C of SignedData type. The contentInfo field of
SignedData in C is T. C is an instance of the ContentInfo field in the top-
level CKX structure.
2) If CKX PDU uses HMAC for authentication, use SM3 cryptographic
hash algorithm to calculate the Data content in T, to obtain HMAC (that
is, exclude tags and length bytes from the octet stream). If public key
authentication is used, this is also the initial calculation of the hash
value in e)1).
7.2 Import keys and certificates from a CKX data unit
Importing from CKX is the opposite of the process of creating a CKX. Generally
speaking, when an application imports keys from CKX, etc., all irrelevant object
identifiers shall be ignored. Sometimes, users need to be reminded to provide
certain object identifiers.
8 Extended attributes
This document provides the exchange format of certificates and keys. When
this information is stored in a directory service, it shall use the userCKX attribute.
The type is defined as follows:
confidentiality protection password may be same as OR different from the
integrity protection password. The confidentiality protection and integrity
protection in this Appendix assume that the same password is set.
B.2 explains the process of deriving CKX PDU from dual certificate and private
key. B.3 explains the process of importing dual certificate and private key from
CKX PDU. B.4 explains the grammatical format of CKX PDU from outer layer
to inner layer.
B.2 Export CKX PDU from dual certificate and private key
Take the creation of the CKX PDU of the dual certificate and the corresponding
private key as an example, from the inner layer to the outer layer, the steps are
as follows.
a) Create two instances SC_sign and SC_enc for SafeContents in ASN.1.
Each instance contains two instances of the SafeBag type. The two
SafeBag type instances of SC_sign are set to SB_sign_cert and
SB_sign_shroudedKey, where SB_sign_cert is the CertBag type;
SB_sign_shroudedKey is the ShroudedKeyBag type. Two instances of
SC_enc are set as SB_enc_cert and SB_enc_shroudedKey, where
SB_enc_cert is the CertBag type; SB_enc_shroudedKey is the
ShroudedKeyBag type. Note that the CKX PDU in this instance contains
two instances: SC_sign and SC_enc, of SafeContents.
b) For SC_sign or SC_enc, according to the different encryption options
selected.
1) SC_sign uses password encryption to create an instance CI_sign of the
ContentInfo of the EncryptedData type. The contentType of the
encryptedContentInfo field of CI_sign is the Data type; the
encryptedContent field is set to be the BER encoding of the encrypted
SC_sign (note that it shall include the octet stream of label and length
byte). Among them, SC_sign is the BER code of the ordered sequence
of SB_sign_cert and SB_sign_shroudedKey.
2) SC_enc uses password for encryption, to create an instance CI_enc of
the ContentInfo of the EncryptedData type. The contentType of the
encryptedContentInfo field of CI_enc is Data type; the
encryptedContent field is set to be the BER code of the encrypted
SC_enc (note that it shall include the octet stream of the label and
length bytes). Among them, SC_enc is the BER code of the ordered
sequence of SB_enc_cert and SB_enc_shroudedKey.
c) Arrange CI_sign and CI_enc in SEQUENCE, to generate an instance of
AuthenticatedSafe.
d) Generate a ContentInfo instance T, whose content type is Data. The
content of the Data octet stream is the BER code of the AuthenticatedSafe
value (octet stream including tag, length, value).
e) For integrity protection, CKX PDU passes HMAC authentication, uses
SM3 algorithm to calculate the Data content in T, obtains HMAC (that is,
excludes tags and length bytes in the octet stream).
B.3 Import dual certificate and private key from CKX PDU
Importing dual certificates and private keys from CKX is basically the opposite
of the process of creating a CKX. From the outer layer to the inner layer, the
steps are as follows.
a) For integrity protection, take out the ContentInfo instance T and the
MacData instance from the CKX PDU. For the Data content in T (excluding
the tag and length bytes in the oct...
Get QUOTATION in 1-minute: Click GM/T 0093-2020
Historical versions: GM/T 0093-2020
Preview True-PDF (Reload/Scroll if blank)
GM/T 0093-2020: Certificate and key exchange format specification
GM/T 0093-2020
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Certificate and key exchange format specification
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Abbreviations ... 8
5 OID definition ... 8
6 Definition of basic type ... 9
6.1 CKX type ... 9
6.2 AuthenticatedSafe type ... 11
6.3 SafeContents type ... 12
6.4 SafeBag type ... 13
7 Basic process of certificate and key exchange ... 16
7.1 Create CKX data unit ... 16
7.2 Import keys and certificates from a CKX data unit ... 17
8 Extended attributes ... 17
Appendix A (Normative) ASN.1 syntax notation ... 18
Appendix B (Informative) Import and export example of double certificate and
private key ... 22
References ... 30
Certificate and key exchange format specification
1 Scope
This document specifies the transmission syntax of information, such as
certificates and keys, including private keys, certificates, certificate revocation
lists, various forms of secret values, as well as their extended standardized
packaging.
This document is suitable for application scenarios, where personal SM2
algorithm certificates and keys and other information are migrated between
different platforms.
2 Normative references
The contents of the following documents constitute the indispensable clauses
of this document through normative references in the text. Among them, for
dated reference documents, only the version corresponding to that date is
applicable to this document; for undated reference documents, the latest
version (including all amendments) is applicable to this document.
GB/T 15852.2-2012 Information technology - Security techniques - Message
Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-
function
GB/T 35275-2017 Information security technology - SM2 cryptographic
algorithm encrypted signature message syntax specification
GB/T 35276-2017 Information security technology - SM2 cryptography
algorithm usage specification
GB/T 33560-2017 Information security technology - Cryptographic
application identifier criterion specification
GM/T 0091-2020 Password-based key derivation specification
GM/Z 4001 Cryptographic terms
3 Terms and definitions
The terms and definitions, which are defined in GM/Z 4001 and GM/T 0091-
2020, are applicable to this document.
encryptedContent field to be the BER encoding of the encrypted SCi
(note that it shall include the octet stream of the label and length bytes).
3) If SCi uses public key for encryption, create an EnvelopedData type
ContentInfo instance CIi, essentially the same way as EncryptedData
ContentInfo in b)2).
c) Arrange CIi’s in SEQUENCE, to generate an instance of
AuthenticatedSafe.
d) Generate a ContentInfo instance T whose content type is Data. The
content of the Data octet stream is the BER encoding of the
AuthenticatedSafe value (octet stream including tag, length, value).
e) For integrity protection.
1) If CKX PDU uses digital signature for authentication, generate a
ContentInfo instance C of SignedData type. The contentInfo field of
SignedData in C is T. C is an instance of the ContentInfo field in the top-
level CKX structure.
2) If CKX PDU uses HMAC for authentication, use SM3 cryptographic
hash algorithm to calculate the Data content in T, to obtain HMAC (that
is, exclude tags and length bytes from the octet stream). If public key
authentication is used, this is also the initial calculation of the hash
value in e)1).
7.2 Import keys and certificates from a CKX data unit
Importing from CKX is the opposite of the process of creating a CKX. Generally
speaking, when an application imports keys from CKX, etc., all irrelevant object
identifiers shall be ignored. Sometimes, users need to be reminded to provide
certain object identifiers.
8 Extended attributes
This document provides the exchange format of certificates and keys. When
this information is stored in a directory service, it shall use the userCKX attribute.
The type is defined as follows:
confidentiality protection password may be same as OR different from the
integrity protection password. The confidentiality protection and integrity
protection in this Appendix assume that the same password is set.
B.2 explains the process of deriving CKX PDU from dual certificate and private
key. B.3 explains the process of importing dual certificate and private key from
CKX PDU. B.4 explains the grammatical format of CKX PDU from outer layer
to inner layer.
B.2 Export CKX PDU from dual certificate and private key
Take the creation of the CKX PDU of the dual certificate and the corresponding
private key as an example, from the inner layer to the outer layer, the steps are
as follows.
a) Create two instances SC_sign and SC_enc for SafeContents in ASN.1.
Each instance contains two instances of the SafeBag type. The two
SafeBag type instances of SC_sign are set to SB_sign_cert and
SB_sign_shroudedKey, where SB_sign_cert is the CertBag type;
SB_sign_shroudedKey is the ShroudedKeyBag type. Two instances of
SC_enc are set as SB_enc_cert and SB_enc_shroudedKey, where
SB_enc_cert is the CertBag type; SB_enc_shroudedKey is the
ShroudedKeyBag type. Note that the CKX PDU in this instance contains
two instances: SC_sign and SC_enc, of SafeContents.
b) For SC_sign or SC_enc, according to the different encryption options
selected.
1) SC_sign uses password encryption to create an instance CI_sign of the
ContentInfo of the EncryptedData type. The contentType of the
encryptedContentInfo field of CI_sign is the Data type; the
encryptedContent field is set to be the BER encoding of the encrypted
SC_sign (note that it shall include the octet stream of label and length
byte). Among them, SC_sign is the BER code of the ordered sequence
of SB_sign_cert and SB_sign_shroudedKey.
2) SC_enc uses password for encryption, to create an instance CI_enc of
the ContentInfo of the EncryptedData type. The contentType of the
encryptedContentInfo field of CI_enc is Data type; the
encryptedContent field is set to be the BER code of the encrypted
SC_enc (note that it shall include the octet stream of the label and
length bytes). Among them, SC_enc is the BER code of the ordered
sequence of SB_enc_cert and SB_enc_shroudedKey.
c) Arrange CI_sign and CI_enc in SEQUENCE, to generate an instance of
AuthenticatedSafe.
d) Generate a ContentInfo instance T, whose content type is Data. The
content of the Data octet stream is the BER code of the AuthenticatedSafe
value (octet stream including tag, length, value).
e) For integrity protection, CKX PDU passes HMAC authentication, uses
SM3 algorithm to calculate the Data content in T, obtains HMAC (that is,
excludes tags and length bytes in the octet stream).
B.3 Import dual certificate and private key from CKX PDU
Importing dual certificates and private keys from CKX is basically the opposite
of the process of creating a CKX. From the outer layer to the inner layer, the
steps are as follows.
a) For integrity protection, take out the ContentInfo instance T and the
MacData instance from the CKX PDU. For the Data content in T (excluding
the tag and length bytes in the oct...
Share






