🇨🇳 GMSM Toolkit ☭

Multi-purpose cross-platform cryptography tool for asymmetric/symmetric encryption, digital signature, cipher-based message authentication code (CMAC), hash digest, hash-based message authentication code (HMAC) and PBKDF2 function.

SM2/SM3/SM4 Chinese National Standard Algorithms:

• GM/T 0003-2012 - SM2 Public key algorithm 256-bit.
• GM/T 0004-2012 - SM3 Message digest algorithm. 256-bit hash value.
• GM/T 0002-2012 - SM4 128-bit block cipher with 128-bit key.
• GM/T 0001-2012 - ZUC Zu Chongzhi stream cipher 128/256-bit key.

Modes of operation:

• GCM: Galois/Counter Mode (AEAD) (default)
• CTR: Counter Mode
• OFB: Output Feedback Mode

Cryptographic Functions:

• Asymmetric Encryption
• Symmetric Encryption + AEAD mode
• Digital Signature (ECDSA)
• Shared Key Agreement (ECDH)
• Recusive Hash Digest + Check
• CMAC (Cipher-based message authentication code)
• HMAC (Hash-based message authentication code)
• HKDF (HMAC-based key derivation function)
• PBKDF2 (Password-based key derivation function 2)
• TLS 1.2 (Transport Layer Security)

Non-Cryptographic Functions:

• Shred: Data sanitization method
• Bin to Hex/Hex to Bin string conversion
• Random Art (Public key Fingerprint)

Usage 用法:

 -bits int
       Bit-length. (for DERIVE, PBKDF2 and RAND) (default 128)
 -check string
       Check hashsum file. ('-' for STDIN)
 -crypt string
       Encrypt/Decrypt with SM4 symmetric block cipher.
 -digest string
       Target file/wildcard to generate hashsum list. ('-' for STDIN)
 -hex string
       Encode/Decode [e|d] binary string to hex format and vice-versa.
 -hkdf
       HMAC-based key derivation function.
 -info string
       Associated data, additional info. (for HKDF and AEAD encryption)
 -iter int
       Iterations. (for PBKDF2 and SHRED commands) (default 1)
 -iv string
       Initialization vector. (for symmetric encryption)
 -key string
       Private/Public key, Secret key or Password.
 -keygen
       Generate asymmetric EC-SM2 keypair.
 -mac string
       Compute Cipher-based/Hash-based message authentication code.
 -mode string
       Mode of operation: GCM, CTR or OFB. (default "GCM")
 -pbkdf2
       Password-based key derivation function.
 -pkeyutl string
       DERIVE shared secret, ENCRYPT/DECRYPT with asymmetric algorithm.
 -pub string
       Remote's side public key/remote's side public IP/local port.
 -rand
       Generate random cryptographic key.
 -recursive
       Process directories recursively.
 -salt string
       Salt. (for PBKDF2 and HKDF commands)
 -shred string
       Files/Path/Wildcard to apply data sanitization method.
 -sign
       Sign with PrivateKey.
 -signature string
       Input signature. (for verification only)
 -tcp string
       Encrypted TCP/IP Transfer Protocol. [dump|send|ip|listen|dial]
 -verify
       Verify with PublicKey.
 -version
       Print version information.

Examples:

Asymmetric SM2 keypair generation:

./gmsmtk -keygen

Derive shared secret key (SM2-ECDH):

./gmsmtk -pkeyutl derive_a -key $PrivateKeyB -pub $PublicKeyA [-info RandA;RandB] [-bits 64|128|256]
./gmsmtk -pkeyutl derive_b -key $PrivateKeyA -pub $PublicKeyB [-info RandA;RandB] [-bits 64|128|256]

Derive shared secret key (ECDH Non-standard):

./gmsmtk -pkeyutl derive -key $PrivateKey -pub $PublicKey [-bits 64|128|256]

Signature (SM2-ECDSA):

./gmsmtk -sign -key $PrivateKey < file.ext > sign.txt
sign=$(cat sign.txt)
./gmsmtk -verify -key $PublicKey -signature $sign < file.ext
echo $?

Asymmetric encryption/decryption with SM2 algorithm:

./gmsmtk -pkeyutl enc -key $PublicKey < plaintext.ext > ciphertext.ext
./gmsmtk -pkeyutl dec -key $PrivateKey < ciphertext.ext > plaintext.ext

Symmetric encryption/decryption with SM4 block cipher:

./gmsmtk -crypt enc -key $128bitkey < plaintext.ext > ciphertext.ext
./gmsmtk -crypt dec -key $128bitkey < ciphertext.ext > plaintext.ext

CMAC-SM4 (cipher-based message authentication code):

./gmsmtk -mac cmac -key $64bitkey < file.ext
./gmsmtk -mac cmac -key $64bitkey -signature $128bitmac < file.ext

Symmetric encryption/decryption with ZUC stream cipher:

./gmsmtk -crypt eea128 -key $128bitkey < plaintext.ext > ciphertext.ext
./gmsmtk -crypt eea128 -key $128bitkey < ciphertext.ext > plaintext.ext

MAC-EIA3 (3GPP message authentication code):

./gmsmtk -mac eia128 -key $128bitkey < file.ext
./gmsmtk -mac eia128 -key $128bitkey -signature $32bitmac < file.ext

SM3 hashsum (list):

./gmsmtk -digest "*.*" [-recursive]

SM3 hashsum (single):

./gmsmtk -digest - < file.ext

HMAC-SM3 (hash-based message authentication code):

./gmsmtk -mac hmac -key $128bitkey < file.ext
./gmsmtk -mac hmac -key $128bitkey -signature $256bitmac < file.ext

PBKDF2 (password-based key derivation function 2):

./gmsmtk -pbkdf2 -key "pass" -iter 10000 -salt "salt"

Note:

The PBKDF2 function can be combined with the CRYPT and HMAC commands:

./gmsmtk -crypt enc -pbkdf2 -key "pass" < plaintext.ext > ciphertext.ext
./gmsmtk -mac hmac -pbkdf2 -key "pass" -iter 10000 -salt "salt" < file.ext

Shred (Data sanitization method, 25 iterations):

Prevents data recovery using standard recovery tools.

./gmsmtk -shred "keypair.ini" -iter 25

Bin to Hex/Hex to Bin:

./gmsmtk -hex enc < File.ext > File.hex
./gmsmtk -hex dec < File.hex > File.ext
./gmsmtk -hex dump < File.ext

TCP/IP w/ TLS Layer Dump/Send:

./gmsmtk -tcp ip > PublicIP.txt
./gmsmtk -tcp dump [-pub "8081"] > Token.jwt
./gmsmtk -tcp send [-pub "127.0.0.1:8081"] < Token.jwt

TCP/IP w/ TLS Layer Listen/Dial:

./gmsmtk -tcp listen [-pub "8081"]
./gmsmtk -tcp dial [-pub "127.0.0.1:8081"]

Random Art (Public Key Fingerprint):

./gmsmtk -key $pubkey

License

This project is licensed under the ISC License.

Industrial-Grade Reliability. Copyright (c) 2020-2021 ALBANESE 研究实验室.