Skip to product information
1 of 12

PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GM/T 0063-2018 English PDF (GMT0063-2018)

GM/T 0063-2018 English PDF (GMT0063-2018)

Regular price $495.00 USD
Regular price Sale price $495.00 USD
Sale Sold out
Shipping calculated at checkout.
Quotation: In 1-minute, 24-hr self-service. Click here GM/T 0063-2018 to get it for Purchase Approval, Bank TT...

GM/T 0063-2018: Cryptography application interface test specification for cryptographic smart token

This standard specifies the interface testing environment, test content, test method of cryptographic smart token. This standard applies to test of application interface of cryptographic smart token. It may also be used to guide the development and use of cryptographic smart token.
GM/T 0063-2018
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
ICS 35.040
L 80
Record number: 64814-2018
GB/T 0063-2018
Cryptography application interface test specification
for cryptographic smart token
ISSUED ON: AUGUST 20, 2018
IMPLEMENTED ON: AUGUST 20, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 3
1 Scope ... 4
2 Normative references ... 4
3 Terms and definitions ... 5
4 Abbreviations ... 7
5 Descriptions of submitted-for-inspection materials ... 7
6 Testing environment ... 8
6.1 Topology of testing environment ... 8
6.2 Testing instruments ... 9
6.3 Testing software ... 9
7 Test content ... 10
7.1 Testing of application function ... 10
7.2 Testing of interface function ... 10
7.3 Security testing ... 11
7.4 Compatibility testing ... 11
7.5 Interoperability testing ... 11
8 Testing methods ... 11
8.1 Testing of application function ... 11
8.2 Testing of interface function ... 20
8.3 Security testing ... 76
8.4 Compatibility testing ... 83
8.5 Interoperability testing ... 84
Cryptography application interface test specification
for cryptographic smart token
1 Scope
This standard specifies the interface testing environment, test content, test method of cryptographic smart token.
This standard applies to test of application interface of cryptographic smart token. It may also be used to guide the development and use of cryptographic smart token.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) are applicable to this standard.
GB/T 25064 Information security technology - Public key infrastructure - Electronic signature formats specification
GB/T 32905-2016 Information security technology SM3 cryptographic hash
algorithm
GB/T 32907-2016 Information security technology - SM4 block cipher
algorithm
GB/T 32915 Information security technology - Binary sequence randomness testing method
GB/T 32918-2016 Information security techniques - Elliptic curve public - key cryptography
GB/T 33560 Information security technology - Cryptographic application
identifier criterion specification
GB/T 35275 Information security technology - SM2 cryptographic algorithm encrypted signature message syntax specification
GB/T 35276 Information security technology - SM2 cryptography algorithm Test whether the application interface of cryptographic smart token
supports the certificate application protocol between the client and the RA as specified by GM/T 0014.
Testing conditions:
The device is connected, the pre-determined application is turned on, the pre-determined container already exists.
Testing process:
a) Application of SM2 certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_GenECCKeyPair interface to generate an SM2
signature key pair in the pre-determined container.
Step 5: Call the SKF_ExportPublicKey interface to export the public key of the SM2 signature key pair.
Step 6: Call the SKF_ECCSignData interface to calculate the signature.
The input data is the result of pre-processing of the data to be signed by the SM2 signature according to GB/T 35276. The data to be signed is the CertReqMessages message as specified by GM/T 0014, wherein the
publicKey field is the public key as derived in step 5.
b) Application of RSA certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_GenRSAKeyPair interface to generate an RSA
signature key pair in the pre-determined container. The key length is not less than 2048 bits.
Step 5: Call the SKF_EXportPublicKey interface to export the public key Test whether the application interface of cryptographic smart token
supports certificate update.
Testing conditions:
The device is connected, the pre-determined application is open, there is a signature key pair in the pre-determined container.
Testing process:
a) Update of SM2 certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 3: Call the SKF_CreateContainer interface to create a container in the pre-determined application.
Step 4: Call the SKF_GenECCKeyPair interface and generate the SM2
signature key pair in the container created in step 3.
Step 5: Call the SKF_ExportPublicKey interface to export the public key of the SM2 signature key pair generated in step 4.
Step 6: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 7: Call the SKF_ECCSignData interface to sign the calculation by the use of the signature key of the pre-determined container. The input data is the result of the pre-processing of the data to be signed by SM2 signature according to GB/T 35276. The data to be signed is the CertReqMessages
message as specified in GM/T 0014, wherein the publicKey field is the
public key as derived in step 5.
b) Update of RSA certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 3: Call the SKF_CreateContainer interface to create a container in the pre-determined application.
Step 4: Call the SKF_GenRSAKeyPair interface to generate an RSA
signature key pair in the container created in step 3. The key length is not format of which shall comply with GM/T 0015.
b) Import of SM2 signature certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_ImportCertificate interface to import the signed digital certificate to the pre-determined container. The digital certificate contains the signature public key in the pre-determined container, the format of which shall conform to GM/T 0015.
c) Import of RSA encryption certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Adjust the SKF_ImportRSAKeyPair interface to import the RSA
encryption key pair in the pre-determined container. The key length is not less than 2048 bits.
Step 5: Call the SKF_ImportCertificate interface to import the encrypted digital certificate to the pre-determined container. The digital certificate contains the encrypted public key in the pre-determined container; its
format shall conform to GB/T 25064.
d) Import of RSA signature certificate
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_ImportCertificate interface to import the signed digital certificate to the pre-determined container. The digital certificate contains Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_RSASignData interface to generate an electronic
stamp signature value. The input data conforms to the data format
requirements for electronic signature of GM/T 0031. The digital certificate contained therein is the signature certificate in the pre-determined
container.
Qualification criteria:
Get the electronic stamp signature value. It shall follow the GM/T 0031 to pack it to form the electronic stamp signature data. The electronic stamp data shall be verified according to GM/T 0031.
8.1.6 Generation of digital envelope
Testing purposes:
Test whether the application interface of cryptographic smart token
supports the generation of digital envelopes.
Testing conditions:
The device is connected, the pre-determined app is open, the pre-
determined container already exists.
Testing process:
a) SM2 digital envelope
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_ECCExportSessionKey interface. When the call is
made, the pre-determined SM2 public key is passed in, the session key is encrypted, the ciphertext is exported.
Step 5: Call the SKF_EncryptInit interface to initialize the encryption. The key handle passed in at the time of the call is the key handle output in step 4.
Step 6: Call the SKF_Encrypt interface to encrypt the pre-determined data. The algorithm identifier entered during the call shall comply with the
determined container.
Testing process:
Step 1: Call the SKF_OpenApplication interface to open the pre-
determined application.
Step 2: Call the SKF_OpenContainer interface to open the pre-determined container.
Step 3: Call the SKF_VerifyPIN interface to verify the user PIN.
Step 4: Call the SKF_ImportSessionKey interface to import the session
key. The input data is the RecipientInfo::encryptedKey field in the digital envelope.
Step 5: Call the SKF_DecryptInit interface to initialize decryption. The key handle passed in at the time of the call is the key handle output in step 4, the algorithm identifier comes from the EncryptedContentInfo::
contentEncryptionAlgorithm field in the digital envelope.
Step 6: Call the SKF_Decrypt interface to decrypt the
EncryptedContentInfo::encryptedContent field in the digital envelope.
Qualification criteria:
The decryption result is the same as the pre-determined data.
8.2 Testing of interface function
8.2.1 Device management
8.2.1.1 Event of waiting for device plug-unplug
Testing purposes:
Test whether it can get the device plug-in event and device name.
Testing conditions:
No.
Testing process:
- Testing under normal condition
Step 1: Start the thread and call the SKF_WaitForDevEvent interface.
Test whether it can get the list of devices in the current system.
Testing conditions:
No.
Testing process:
- Testing under normal conditions
Step 1: If no device is inserted, call the SKF_EnumDev interface and set bPresent=FALSE, to get a list of device names supported by the driver.
The total number of device lists is N.
Step 2: Insert 1 ~ N devices, call the SKF_EnumDev interface, set
bPresent=TRUE, to get the list of device names currently inserted.
- Testing under abnormal conditions
??When calling this interface by an illegal parameter, it shall return an error code.
??When the space allocated to the device name list is less than the return data length, it shall return an error code.
Qualification criteria:
For testing under normal conditions, the list of device names as obtained matches the inserted device information. Meanwhile when setting
szNameList = NULL in step 2, it shall be able to return the size of
required memory space size by pulSize.
For the testing under abnormal conditions, it obtains the expected results. 8.2.1.4 Connecting devices
Testing purposes:
Detect the function of the interface to connect device.
Testing conditions:
The device with the pre-determined name has been inserted.
Testing process:
- Testing under normal conditions
Step 1: Call the SKF_ConnectDev interface, to connect the device with
Testing purposes:
Test the function of interface lock device.
Testing conditions:
The device is connected.
Testing process:
- Testing under normal conditions
Step 1: Create two threads A and B.
Step 2: Thread A calls the SKF_LockDev interface, to lock the device
by a pre-determined time value.
Step 3: Thread A calls the SKF_Transmit interface, to send an
instruction conforming to GM/T 0017. The returned result data shall
conform to the GM/T 0017.
Step 4: Thread B calls the SKF_Transmit interface, to send an
instruction conforming to GM/T 0017, which shall not be successful
within the pre-determined time.
Step 5: Thread A calls the SKF_UnlockDev interface, to unlock the
device.
Step 6: Thread B calls the SKF_Transmit interface, to send an
instruction conforming to GM/T 0017. The returned result data shall
conform to the GM/T 0017.
- Testing under abnormal conditions
When calling this interface by an illegal parameter, it shall return an error code.
Qualification criteria:
Both the testing under normal conditions and the testing under abnormal conditions obtained the expected results.
8.2.1.10 Unlocking the device
Testing purposes:
Test the function of the interface unlocking device.
Testing conditions:
Both the testing under normal conditions and the testing under abnormal conditions obtain the expected results.
8.2.2 Access control
8.2.2.1 Modifying the authentication key of device
Testing purposes:
Test if the device?€?s authentication key can be modified correctly.
Testing conditions:
The device is connected.
Testing process:
- Testing under normal conditions
Step 1: Use the original device?€?s authentication key to call the
SKF_DevAuth interface to complete device authentication.
Step 2: Use the new device?€?s authentication key different from the
original device?€?s authentication key to call the
SKF_ChangeDevAuthKey interface, to modify the device?€?s
authentication key.
Step 3: Use the original device?€?s authentication key to call the
SKF_DevAuth interface, which shall not be successful.
Step 4: Use the original device?€?s authentication key to call the
SKF_ChangeDevAuthKey interface, which shall not be successful.
Step 5: Use the new device?€?s authentication key to call the
SKF_DevAuth interface, which shall be successful.
Step 6: Use the original device?€?s authentication key to call the
SKF_ChangeDevAuthKey interface, which shall be successful.
- Testing under abnormal conditions
When calling this interface by an illegal parameter, it shall return an error code.
Qualification criteria:
Both the testing under normal conditions and the testing under abnormal conditions obtain the expected results.
and administrator PIN are not locked.
Testing process:
- Testing under normal conditions
Step 1: Use the correct original PIN to call the SKF_ChangePIN
interface, set a new PIN and the new PIN shall be different from the
original PIN.
Step 2: Use the correct new PIN to call the SKF_VerifyPIN interface,
to verify the PIN, which shall be successful.
Step 3: After the PIN is successfully modified, call SKF_GetPINInfo to
obtain the current remaining retries, which shall be same as the
maximum number of retries.
- Testing under abnormal conditions
??When calling this interface by an illegal parameter, it shall return an error code.
??When using a PIN less than 6 digits in length, it shall return an error code.
??When using the wrong original PIN to modify, it shall return the error code as well as the number of error retries.
??When using the wrong original PIN to modify, until the PIN code is
locked; then when using the correct PIN to modify, it shall return an
error code.
Qualification criteria:
Both the testing under normal condition test and the testing under
abnormal condition obtain the expected results.
8.2.2.4 Obtaining PIN information
Testing purposes:
Test if the PIN information under the pre-determined application can be correctly obtained.
Testing conditions:
The device is connected and the pre-determined application is open.
Testing process:
Testing process:
- Testing under normal conditions
a) Verify user PIN:
Step 1: Use the correct user PIN to implement the certificate
application in 8.1.1, which shall be successful.
Step 2: Use the wrong user PIN to perform the certificate
application in 8.1.1, which shall not be successful.
b) Verify the administrator PIN:
Step 1: Call the SKF_CreateFile interface to create a file, which
shall not be successful
Step 2: Use the correct administrator PIN to call the SKF_VerifyPIN
interface.
Step 3: Call the SKF_CreateFile interface to create a file, which
shall be successful.
Step 4: Use the wrong administrator PIN to call the SKF_VerifyPIN
interface.
Step 5: Call the SKF_CreateFile interface to create a file, which
shall not be successful.
- Testing under abnormal conditions
??When calling this interface by an illegal parameter, it shall return an error code.
??When using a PIN less than 6 digits in length, it shall return an error code.
??When using the wrong PIN authentication, it shall return an error code as well as the number of error retries.
??Use the wrong PIN authentication until the PIN code is locked; when
using the correct PIN authentication again, it shall return an error
code.
??Before calling the SKF_ClearSecureState interface in the step 3, call
the SKF_CreateFile interface, the step 3 shall not be successful.
Qualification criteria:
Testing purposes:
Test if the security status of the intended application can be correctly cleared.
Testing conditions:
The device is connected and the pre-determined application is open.
Testing process:
This test is tested as a part of 8.2.2.5.
Qualification criteria:
It obtains the expected results by the testing.
8.2.3 Application management
8.2.3.1 Creating an application
Testing purposes:
Test whether the application is created correctly on the device.
Testing conditions:
The device is connected and device privileges have been obtained.
Testing process:
- Testing under normal conditions
Step 1: Call the SKF_EnumApplication interface to obtain a list of
application names in the device.
Step 2: Call the SKF_GetDevInfo interface, to get device information.
Step 3: Call the SKF_CreateApplication interface, to create an
application with a different name from the list in step 1.
Step 4: Call the SKF_GetDevInfo interface, to get the device
information. The available space for the user in the device information shall be no larger than the available space for the user as obtained in step 2.
Step 5: Call the SKF_EnumApplication interface, to obtain a list of
application names in the device. This list includes the app...

View full details