gmssl
Perform cryptographic operations using national standard algorithms
TLDR
Generate an SM3 hash for a file
Encrypt a file using the SM4 cipher
Decrypt a file using the SM4 cipher
Generate an SM2 private key
Generate an SM2 public key from an existing private key
Encrypt a file using the ZUC cipher
Decrypt a file using the ZUC cipher
Display version
SYNOPSIS
gmssl <subcommand> [<options>] [<arguments>]
The gmssl command operates by invoking various subcommands, each dedicated to a specific cryptographic task. Options and arguments are specific to the chosen subcommand. To list available subcommands, use gmssl help.
PARAMETERS
<subcommand>
Specifies the cryptographic operation to perform (e.g., sm2, sm3, sm4, req, x509, rand, speed, version, help).
-help
Displays usage information for the specified subcommand or general help if no subcommand is given.
-verbose
Increases the verbosity of the output, providing more detailed information about the operation.
-engine <id>
Specifies a cryptographic engine to use for hardware acceleration or specialized operations.
-in <file>
Specifies the input file for the operation (e.g., data to be encrypted, a certificate, or a key).
-out <file>
Specifies the output file where the result of the operation will be written (e.g., encrypted data, a generated key, or a hash).
-passin <arg>
Specifies the source for a password to decrypt input data or a key (e.g., pass:<password>, env:<varname>, file:<filepath>, fd:<number>, stdin).
-passout <arg>
Specifies the destination for a password to encrypt output data or a key (same formats as -passin).
-encrypt
Used with certain subcommands (e.g., sm4) to perform encryption.
-decrypt
Used with certain subcommands (e.g., sm4) to perform decryption.
-digest <alg>
Specifies the digest (hash) algorithm to use, such as SM3.
DESCRIPTION
The gmssl command is a versatile command-line utility that provides access to the cryptographic functions of the GMSSL library. It serves a similar purpose to the widely known openssl command, but its primary focus is on implementing and utilizing Chinese national cryptographic algorithms, including but not limited to SM2 (elliptic curve public-key cryptography), SM3 (cryptographic hash function), and SM4 (block cipher).
gmssl is used for a wide range of cryptographic operations such as generating keys, encrypting and decrypting data, signing and verifying digital signatures, managing X.509 certificates, and performing cryptographic hash calculations. It is an essential tool for developers and security professionals working with systems that require adherence to Chinese cryptographic standards, often found in government, financial, and critical infrastructure sectors within China.
CAVEATS
gmssl's primary focus on Chinese national cryptographic algorithms (SM2, SM3, SM4, etc.) means it may not be directly interoperable with cryptographic systems relying solely on Western standards (e.g., RSA, SHA-256, AES) without explicit bridging or conversion. Its adoption is more prevalent in environments that specifically require compliance with Chinese cryptographic regulations and standards. Users should be aware of the specific algorithm choices and their implications for cross-platform compatibility.
KEY SUBCOMMANDS
The gmssl command functions as a multiplexer for numerous cryptographic operations. Some of the most frequently used subcommands include:
sm2: For SM2 elliptic curve operations like key generation, encryption/decryption, and digital signatures.
sm3: For generating SM3 hash digests.
sm4: For symmetric encryption and decryption using the SM4 block cipher.
req: For creating and managing Certificate Signing Requests (CSRs) based on SM2 keys.
x509: For managing X.509 certificates, including displaying, verifying, and converting formats.
rand: For generating cryptographically secure pseudo-random bytes.
ALGORITHM FOCUS
Unlike openssl, which supports a vast array of international cryptographic algorithms, gmssl is specialized. Its core strength lies in providing native and optimized implementations of Chinese national algorithms. This specialization makes it the go-to tool for developers and organizations that must comply with specific Chinese cryptographic requirements.
HISTORY
The development of GMSSL (and consequently the gmssl command-line tool) stems from China's increasing emphasis on national cryptographic standards to secure its digital infrastructure. As the Chinese cryptographic algorithms (SM series) gained official recognition and became mandatory for certain applications within China, an open-source implementation was needed. GMSSL fills this role, providing a robust library and command-line utility for these standards, paralleling the evolution of OpenSSL for international standards. Its usage has grown with the broader adoption of SM algorithms in various sectors.
SEE ALSO
openssl(1), sm2(1), sm3(1), sm4(1)