MCPcopy Index your code
hub / github.com/Tencent/TencentKonaSMSuite

github.com/Tencent/TencentKonaSMSuite @v1.0.22

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0.22 ↗ · + Follow
10,694 symbols 36,091 edges 812 files 3,009 documented · 28%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Release Maven Central

English | 中文

Tencent Kona SM Suite

Overview

Tencent Kona SM Suite is a set of Java security providers, which service the ShangMi applications in Java ecosystem. This suite contains six providers:

  • KonaCrypto,which implements SM2, SM3 and SM4 algorithms based on Java Cryptography Architecture. This provider is pure Java, so supports all main stream operating system platforms.
  • KonaCrypto-Native,which implements as the same features as KonaCrypto does. However, it is based on JNI and OpenSSL and supports only Linux x86_64/aarch64 platforms. This provider can automatically manage JNI native memory based on PhantomReference.
  • KonaCrypto-NativeOneShot,which is almost the same as KonaCrypto-Native, but cannot automatically manage JNI native memory.
  • KonaPKIX,which supports ShangMi algorithms on loading certificate and certificate chain verification. It also can load and write keystores containing ShangMi certificates. This provider depends on KonaCrypto or KonaCrypto-Native. Additionally, it provides two utility classes:
  • KeyTool, which is the same as keytool in JDK, can generate private keys, and create certificates and keystores. It can use PBEWithHmacSM3AndSM4 to encrypt private keys and keystores, and use HmacPBESM3 to validate the integrity of keystores.
  • KeyStoreTool, which can import the existing PEM-encoded private keys and certificates to keystores.
  • KonaSSL implements China's Transport Layer Cryptographic Protocol (TLCP), and also applies ShangMi algorithms to TLS 1.3 based on RFC 8998. It depends on KonaCrypto or KonaCrypto-Native, and KonaPKIX.
  • Kona, which wraps all the features in KonaCryptoKonaPKIX and KonaSSL, so it has to depend on one or more of them.

This project provides a Spring Boot module, exactly kona-demo, as a server-side demo. This module demonstrates the approach on integrating Tencent Kona SM Suite to the 3rd-party web servers, including Jetty and Tomcat. But this module is not one of the artifacts of this project. In addition, the test set in kona-ssl module provides the demon on integrating with Netty, gRPC, Apache HttpClient and OkHttp.

System requirements

Operating systems

Tencent Kona SM Suite can run on any operating systems that can run JDK.

JDK

Tencent Kona SM Suite supports all the JDK long-term supported (LTS) releases, namely 8, 11, 17, 21 and 25.

Please note Tencent Kona SM Suite is already signed by Oracle-issued JCE code signing certificate, so it also can run on Oracle JDK.

We are pleased to recommend Tencent's OpenJDK distributions, namely Tencent Kona JDKs, which provide 4 long term supported (LTS) versions 8, 11, 17 and 21. They support Linux, macOS and Windows operating systems, and x86_64 and aarch64 CPUs. The latest Tencent Kona JDK 8 and 17 already supports ShangMi algorithms, TLCP and RFC 8998 specification natively.

Android

By default, Tencent Kona SM Suite does not depend on any JDK internal API implementations, so it also can run on Android platform.

Installation

All the artifacts (jar files) in Tencent Kona SM Suite are already uploaded to the Maven Central repository. Generally, it just needs to declare the artifacts as dependencies in the project build scripts. For example, a Gradle script can declare the dependencies as the below,

repositories {
    mavenCentral()
}

dependencies {
    implementation("com.tencent.kona:kona-crypto:<version>")
    implementation("com.tencent.kona:kona-pkix:<version>")
    implementation("com.tencent.kona:kona-ssl:<version>")
    implementation("com.tencent.kona:kona-provider:<version>")
}

Note that, it is unnecessary to put all the providers into the classpath. Please declare the dependencies as you need. For example, if only need the ShangMi crypto algorithms and want to use provider Kona, the dependency declaration may look like the followings,

dependencies {
    implementation("com.tencent.kona:kona-crypto:<version>")
    implementation("com.tencent.kona:kona-provider:<version>")
}

Build

Tencent Kona SM Suite uses Gradle to build this project. And the build script uses Kotlin DSL. This Gradle project contains four subprojects, namely kona-cryptokona-pkixkona-ssl and kona-provider. They respectively correspond to the four providers, namely KonaCrypto and KonaCrypto-NativeKonaPKIXKonaSSL and Kona.

A typical way to build this project just usts the following command:

./gradlew build

It will compile the source codes, execute unit tests and finally make the jar files. It also can just build a subproject, like the below,

./gradlew :kona-pkix:build

Contributing

Welcome to evolve and maintain Tencent Kona SM Suite with us together. Please read CONTRIBUTING.md for the details on reporting bugs, reporting security vulnerabilities, raising requirements and contributing codes.

License

Tencent Kona SM Suite is licensed under GNU GPL v2.0 license with classpath exception. For more details, please read the attached license text.

FAQ

Q: Why may SM2 Cipher throw exception java.security.InvalidKeyException: Illegal key size or default parameters?

A: Before JDK 8u161, JDKs don't support stronger algorithm and longer key length by default. These JDKs don't support 256-bit key, like AES-256. SM2 encryption algorithm just needs 256-bit keys, so it is also affected by this limit. For the solution details, please refer to this Stack Overflow question.

Q: Can support ECC_SM4_GCM_SM3 and ECDHE_SM4_GCM_SM3 in TLS 1.2?

A: There is no any RFC specification introducing these cipher suites to TLS 1.2, so it cannot support them in this protocol. However, this project supports TLS_SM4_GCM_SM3 in TLS 1.3 based on RFC 8998.

Q: Is GMSSL or GMSSL 1.1 supported?

A: China's specification GB/T 38636-2020 defined the TLS-liked protocol as Transport layer cryptography protocol, so the protocol name in this project isTLCP, and the version is 1.1. Certainly, TLCP or TLCP 1.1 is GMSSL orGMSSL 1.1.

Q: Why cannot run the tests in this project with Oracle JDK?

A: Oracle JDK requires a JCE implementation (here is KoneCrypto or KonaCrypto-Native) must be signed and the associated certificate must be issued by Oracle JCE Code Signing CA. When directly executing the tests with the project source, KonaCrypto and KonaCrypto-Native Provider are not signed yet, so they cannot run on Oracle JDK. But note that, the artifacts in Maven Central repository are already signed and surely can run on Oracle JDK.

Q: Is this project related to BouncyCastle?

A: The earlier versions of this project used the SM algorithms from BouncyCastle, but since version 1.0.5, this project doesn't depend on BouncyCastle anymore. Both of the components comply with China's specification, so they can interoperate with each other. In addition, please note BouncyCastle doesn't support SM protocols, including TLCP and TLS 1.3/RFC 8998.

Q: How old JDK 8 released can be supported?

A: Different scenarios require different JDK 8 releases. - Only need SM algorithms and/or TLCP protocol, at most 8u141 (even older versions) is required. - If it requires ALPN extension in TLCP protocol, the required oldest version is 8u251. - In order to apply TLS 1.3/RFC 8998, the required oldest version is 8u261.

In addition, your problems may be already raised by others. Before open a new issue, please look through the existing questions.

Extension points exported contracts — how you extend this code

GCMOperation (Interface)
Interface to organize encryption and decryption operations in the proper order for GHASH and GCTR. [17 implementers]
kona-crypto/src/main/java/com/tencent/kona/crypto/provider/GaloisCounterMode.java
ThrowingRunnable (Interface)
Interface same as java.lang.Runnable but with method run() able to throw any Throwable. [26 implementers]
kona-ssl/src/test/java/com/tencent/kona/ssl/common/Utils.java
ThrowingRunnable (Interface)
Interface same as java.lang.Runnable but with method run() able to throw any Throwable. [26 implementers]
kona-pkix/src/test/java/com/tencent/kona/pkix/common/Utils.java
GCM (Interface)
This interface allows GHASH.java and GCTR.java to easily operate to better operate with GaloisCounterMode.java [17 implementers]
kona-crypto/src/main/java/com/tencent/kona/crypto/provider/GCM.java
TlsMasterSecret (Interface)
An SSL/TLS master secret key. It is a SecretKey that optionally contains protocol version information that [5 implementers]
kona-ssl/src/main/java/com/tencent/kona/sun/security/internal/interfaces/TlsMasterSecret.java
GeneralNameInterface (Interface)
This interface specifies the abstract methods which have to be implemented by all the members of the GeneralNames ASN.1 [18 …
kona-pkix/src/main/java/com/tencent/kona/sun/security/x509/GeneralNameInterface.java
DerEncoder (Interface)
Interface to an object that knows how to write its own DER encoding to an output stream. @author D. N. Hoover [118 implementers]
kona-crypto/src/main/java/com/tencent/kona/sun/security/util/DerEncoder.java
Peer (Interface)
(no doc) [9 implementers]
kona-ssl/src/test/java/com/tencent/kona/ssl/interop/Peer.java

Core symbols most depended-on inside this repo

add
called by 766
kona-crypto/src/main/java/com/tencent/kona/sun/security/util/math/IntegerModuloP.java
println
called by 715
kona-crypto/src/main/java/com/tencent/kona/sun/security/util/Debug.java
isOn
called by 637
kona-pkix/src/main/java/com/tencent/kona/sun/security/util/SSLLogger.java
toString
called by 583
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLStringizer.java
fatal
called by 536
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/TransportContext.java
fine
called by 439
kona-pkix/src/main/java/com/tencent/kona/sun/security/util/SSLLogger.java
getInstance
called by 342
kona-crypto/src/main/java/com/tencent/kona/sun/security/util/Debug.java
put
called by 333
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLSessionContextImpl.java

Shape

Method 8,750
Class 1,658
Function 136
Enum 76
Interface 74

Languages

Java95%
C++4%
C1%
Kotlin1%

Modules by API surface

kona-crypto/src/main/jni/include/jni.h260 symbols
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLCipher.java167 symbols
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLContextImpl.java125 symbols
kona-pkix/src/main/java/com/tencent/kona/sun/security/tools/keytool/Main.java112 symbols
kona-crypto/src/main/jni/include/openssl/types.h107 symbols
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLSessionImpl.java83 symbols
kona-pkix/src/main/java/com/tencent/kona/sun/security/util/Cache.java81 symbols
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLSocketImpl.java71 symbols
kona-crypto/src/main/java/com/tencent/kona/crypto/provider/nativeImpl/NativeCrypto.java69 symbols
kona-crypto/src/main/java/com/tencent/kona/crypto/provider/GaloisCounterMode.java69 symbols
kona-pkix/src/main/java/com/tencent/kona/sun/security/x509/X509CertImpl.java68 symbols
kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/Authenticator.java67 symbols

For agents

$ claude mcp add TencentKonaSMSuite \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact