F.38. lt_sm

F.38.1. What is lt_sm?
F.38.2. function usage
F.38.3. key management

F.38.1. What is lt_sm?

The lt_sm extension provides the Chinese SM-series cryptographic algorithms for LightDB: SM2 public-key encryption, the SM3 hash function and the SM4 block cipher. Data can be encrypted and decrypted with SM2 or SM4, and hashed with SM3.

Note that the current lt_sm extension is an experimental trial version.

F.38.2. function usage

F.38.2.1. SM2

SM2 is an asymmetric (public-key) algorithm with a key pair: the public key is used for encryption and the private key is used for decryption, so the private key must be generated first and kept secret.

SM2 provides four functions:

  • gm_sm2_genprikey(local_storage bool) return text generates the SM2 private key, which is used for decrypting data. With true the key is stored in the database and the return value is the text 'true'. With false the key is not persisted: the return value is the PEM-encoded private key as text, and after a database restart the key must be imported again from an external key file (see F.38.3).

        -- Generate SM2 private key using local storage
        SELECT gm_sm2_genprikey(true);
         gm_sm2_genprikey
        ------------------
         true
    
        -- Generate SM2 private key using external import
        SELECT gm_sm2_genprikey(false);
                                 gm_sm2_genprikey
        ------------------------------------------------------------------
         -----BEGIN EC PRIVATE KEY-----                                  +
         MHcCAQEEIMattGsrutK0T7YFtJ/nRL3HzUTSoBuW+l78TYuthSEXoAoGCCqBHM9V+
         AYItoUQDQgAEv12xwVT9SD4/qOqB8EYZkbMyl2APj3sOBHq0krHUSlQ0UbVOcJls+
         v1JkxGQSJ+EGXbmuhRErwiAu9gTd8+umlw==                            +
         -----END EC PRIVATE KEY-----                                    +
                        
  • gm_sm2_genpubkey(local_storage bool) return text derives the SM2 public key, which is used for encrypting data, from the private key. With true the key is stored in the database and the return value is the text 'true'. With false the key is not persisted: the return value is the PEM-encoded public key as text, and after a database restart it must be imported again from an external key file (see F.38.3). The private key must have been generated with gm_sm2_genprikey() before this function can be called.

        -- Generate SM2 public key using local storage
        SELECT gm_sm2_genpubkey(true);
         gm_sm2_genpubkey
        ------------------
         true
    
        -- Generate SM2 public key using external import
        SELECT gm_sm2_genpubkey(false);
                                 gm_sm2_genpubkey
        ------------------------------------------------------------------
         -----BEGIN PUBLIC KEY-----                                      +
         MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEv12xwVT9SD4/qOqB8EYZkbMyl2AP+
         j3sOBHq0krHUSlQ0UbVOcJlsv1JkxGQSJ+EGXbmuhRErwiAu9gTd8+umlw==    +
         -----END PUBLIC KEY-----                                        +
                        
  • gm_sm2_encrypt(plaintext bytea) return bytea encrypts the plaintext with the SM2 public key; the input is the plaintext and the return value is the ciphertext. SM2 encryption is randomized, so encrypting the same plaintext twice yields different ciphertexts, and the function cannot be used to build a deterministic lookup key. The ciphertext is returned in raw SM2 form, not DER: it starts with 0x04, the uncompressed C1 curve point (65 bytes), followed by the 32-byte SM3 digest C3 and the C2 part, which is as long as the plaintext (in whichever order the implementation uses). The 23-byte plaintext below therefore gives a 120-byte ciphertext.

        -- Encrypt plaintext to generate ciphertext
        select gm_sm2_encrypt('恒生电子LightDB_001');
                                   gm_sm2_encrypt
        --------------------------------------------------------------------
         \x043f115fde4ad84ca331e6d6edbeb806d09ffa6094f8d52a57a39c7c6c587bcd06eb72146f3d503923af813fa67de1c5f484e5b657c83d9f332b9263d08d6b2a42ae6bd733bec7f6b17ebc74783ebc7eba0dff68b269edfa44a54751527f7204d4e30a2ddb44ebbb5ea1864657e86225100b00e581ac6e84
                        
  • gm_sm2_decrypt(ciphertext bytea) return bytea decrypts the ciphertext with the SM2 private key; the input is the ciphertext and the return value is the plaintext as bytea. The plaintext comes back as raw bytes; use convert_from() with the encoding the text was stored in (UTF-8 here) to display it.

        -- Decrypt ciphertext to generate plaintext
        select gm_sm2_decrypt('\x043f115fde4ad84ca331e6d6edbeb806d09ffa6094f8d52a57a39c7c6c587bcd06eb72146f3d503923af813fa67de1c5f484e5b657c83d9f332b9263d08d6b2a42ae6bd733bec7f6b17ebc74783ebc7eba0dff68b269edfa44a54751527f7204d4e30a2ddb44ebbb5ea1864657e86225100b00e581ac6e84');
                          gm_sm2_decrypt
        --------------------------------------------------
         \xe68192e7949fe794b5e5ad904c6967687444425f303031
    
        -- The decrypted bytea is UTF-8 text; convert it back to text with the matching encoding
        select convert_from('\xe68192e7949fe794b5e5ad904c6967687444425f303031', 'UTF8');
            convert_from
        ---------------------
         恒生电子LightDB_001
                        

F.38.2.2. SM3

SM3 is a cryptographic hash function that produces a 256-bit (32-byte) digest. It is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and similar purposes.

SM3 provides one function:

  • gm_sm3_encrypt(plaintext bytea) return bytea computes the SM3 digest of a message; the input is the message and the return value is the 32-byte digest. Despite its name it does not encrypt: the digest is one-way, deterministic and unkeyed, so the same input always yields the same output, there is no inverse function, and it provides integrity checking rather than confidentiality.

        -- Hash a message to produce its digest
        select gm_sm3_encrypt('LightDB_002');
                                   gm_sm3_encrypt
        --------------------------------------------------------------------
         \x9de35b686bec17533e9ded7abfb039320bb08abbcec74eb0f44cf52b09e255c1
                        

F.38.2.3. SM4

SM4 is a symmetric block cipher with a 128-bit key and a 128-bit block; lt_sm uses it in CTR mode, so the ciphertext is exactly as long as the plaintext (no padding) and, as the example below shows, carries no nonce and no authentication tag. One key is used for both encryption and decryption. Two consequences of CTR mode matter here: it provides no integrity protection, so a modified ciphertext decrypts without error to a modified plaintext; and its security depends on never reusing a counter value under the same key. The documentation does not state how lt_sm chooses the counter, so check before encrypting more than one value under a key: if calling gm_sm4_encrypt() twice on the same input returns identical bytes, the keystream is reused across messages and the XOR of any two ciphertexts reveals the XOR of their plaintexts.

SM4 provides three functions:

  • gm_sm4_genkey(local_storage bool) return text generates the 128-bit SM4 key used for both encryption and decryption. With true the key is stored in the database and the return value is the text 'true'. With false the key is not persisted: the return value is the key as 32 hexadecimal digits, and after a database restart it must be imported again from an external key file (see F.38.3).

        -- Generate SM4 key using local storage
        select gm_sm4_genkey(true);
         gm_sm4_genkey
        ---------------
         true
    
        -- Generate SM4 key using external import
        select gm_sm4_genkey(false);
                  gm_sm4_genkey
        ----------------------------------
         A98B1904E5A74CDA5B2135519B941703
                        
  • gm_sm4_encrypt(plaintext bytea) return bytea encrypts the plaintext with the SM4 key in CTR mode; the input is the plaintext and the return value is the ciphertext, which has exactly the plaintext's length.

        -- Encrypt plaintext to generate ciphertext
        select gm_sm4_encrypt('恒生电子LightDB_003');
                          gm_sm4_encrypt
        --------------------------------------------------
         \x33e7117d0ce6f38ec2b78bfab08b991628771bedeeecf8
                        
  • gm_sm4_decrypt(ciphertext bytea) return bytea decrypts the ciphertext with the SM4 key; the input is the ciphertext and the return value is the plaintext as bytea. CTR decryption cannot detect modification: a tampered ciphertext decrypts without error to a correspondingly altered plaintext, and lt_sm offers no authenticated mode, so integrity must be handled separately.

        -- Decrypt ciphertext to generate plaintext
        select gm_sm4_decrypt('\x33e7117d0ce6f38ec2b78bfab08b991628771bedeeecf8');
                          gm_sm4_decrypt
        --------------------------------------------------
         \xe68192e7949fe794b5e5ad904c6967687444425f303033
    
        -- The decrypted bytea is UTF-8 text; convert it back to text with the matching encoding
        select convert_from('\xe68192e7949fe794b5e5ad904c6967687444425f303033', 'UTF8');
            convert_from
        ---------------------
         恒生电子LightDB_003
                        

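The layout facts stated above for the SM2 and SM4 outputs can be checked offline. The following Python is an added example written for this page, not lt_sm code: it never calls the extension, and it uses the SM2 and SM4 plaintext/ciphertext pairs printed in the examples above as constructed sample input (the second SM4 message used in its test is invented). It splits the raw SM2 ciphertext into C1 and the C2/C3 body, recovers the SM4 CTR keystream from a known pair, and implements the keystream-reuse check that a fixed counter would fail. The assumption that lt_sm emits the raw C1/C3/C2 concatenation rather than DER is marked in the code.

```python
"""Layout checks for the lt_sm ciphertexts shown above.

Added example, not lt_sm code: it never calls the extension. The byte strings
are the SM2 and SM4 results printed in the documentation, copied here as
constructed sample input."""

SM2_C1_LEN = 65   # 0x04 || x || y : uncompressed point on the SM2 curve
SM2_C3_LEN = 32   # SM3 digest that SM2 encryption carries alongside the message

# gm_sm2_encrypt('恒生电子LightDB_001') and its gm_sm2_decrypt() result, from the page.
SM2_CT = bytes.fromhex(
    "043f115fde4ad84ca331e6d6edbeb806d09ffa6094f8d52a57a39c7c6c587bcd06eb72146f3d5039"
    "23af813fa67de1c5f484e5b657c83d9f332b9263d08d6b2a42ae6bd733bec7f6b17ebc74783ebc7e"
    "ba0dff68b269edfa44a54751527f7204d4e30a2ddb44ebbb5ea1864657e86225100b00e581ac6e84"
)
SM2_PT = bytes.fromhex("e68192e7949fe794b5e5ad904c6967687444425f303031")

# gm_sm4_encrypt('恒生电子LightDB_003') and its gm_sm4_decrypt() result, from the page.
SM4_CT = bytes.fromhex("33e7117d0ce6f38ec2b78bfab08b991628771bedeeecf8")
SM4_PT = bytes.fromhex("e68192e7949fe794b5e5ad904c6967687444425f303033")


def decode_plaintext(pt: bytes) -> str:
    """The bytea returned by the decrypt functions is UTF-8 text."""
    return pt.decode("utf-8")


def split_sm2_ciphertext(ct: bytes) -> dict:
    """Split a raw (non-DER) SM2 ciphertext into C1 and the C2/C3 body.

    Assumption: lt_sm emits the raw concatenation C1 || C3 || C2 (or C1 || C2 || C3;
    the page does not say which, and the two cannot be told apart by length alone),
    so only C1 and the message length are recovered here."""
    if len(ct) < SM2_C1_LEN + SM2_C3_LEN:
        raise ValueError("too short for an SM2 ciphertext")
    if ct[0] != 0x04:
        raise ValueError("C1 is not an uncompressed point (expected leading 0x04)")
    return {
        "c1": ct[:SM2_C1_LEN],
        "body": ct[SM2_C1_LEN:],   # C2 and C3, in the implementation's order
        "message_len": len(ct) - SM2_C1_LEN - SM2_C3_LEN,
    }


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """CTR mode computes C = P XOR keystream, so one known plaintext/ciphertext
    pair reveals the keystream bytes for that counter position."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("CTR output must be exactly as long as its input")
    return xor_bytes(plaintext, ciphertext)


def keystream_reused(pair_a, pair_b) -> bool:
    """True when two known (plaintext, ciphertext) pairs share the same keystream
    over their common prefix, i.e. the cipher ran with the same key and the same
    starting counter for both messages. Then the keystream from one pair decrypts
    the other ciphertext, and in general C1 XOR C2 equals P1 XOR P2."""
    ks_a = ctr_keystream(*pair_a)
    ks_b = ctr_keystream(*pair_b)
    n = min(len(ks_a), len(ks_b))
    return n > 0 and ks_a[:n] == ks_b[:n]
```

The database-side counterpart of keystream_reused() is to call gm_sm4_encrypt() twice on the same input in one session: identical results mean the counter does not change between calls, so every pair of ciphertexts under that key shares keystream. The page does not say how lt_sm picks the counter, so run the check rather than assume either answer.
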
F.38.3. key management

lt_sm supports two key management methods:

  • Local storage: call the key generation function with true. The key is stored in the database, survives restarts, and the encryption and decryption functions can be used as soon as it has been generated.

  • External import: call the key generation function with false. The key is returned to the caller and is not persisted by the database; after a restart it must be supplied again from a key file when the server is started:

        -- When starting with lt_ctl, pass the key file with the -Y parameter
        lt_ctl -D ./data -Y ./keyfile start
                    

    Whichever method is used, gm_sm2_decrypt() and gm_sm4_decrypt() take only the ciphertext, so every role with EXECUTE privilege on them can decrypt anything encrypted under the current keys; restrict EXECUTE on the decryption functions to the roles that need it.

    The key file must contain the keywords username, database, sm2 private key, sm2 public key and sm4 key, each followed by ':' and its value; the two PEM values continue on the following lines up to their END marker. The file holds the SM2 private key and the SM4 key in the clear, so keep it readable only by the operating-system user that runs the database (mode 0600), and out of world-readable directories and unencrypted backups.

        -- key file format: each keyword and the ':' after it must appear exactly as shown
        username:lightdb
        database:postgres
        sm2 private key:-----BEGIN EC PRIVATE KEY-----
        MHcCAQEEIC4cBmYiht3Kf4e/xQMNR3C2pLkafZ8Lm9lUxae937SjoAoGCCqBHM9V
        AYItoUQDQgAEdqAwhgrpt7NNBVKWuyXy8ltIlcl1YQhyum1GE3G4QK3lfVBCgSYF
        O5+fNfThT1ppVC+Q11wJ/QJmciYVEDzY8A==
        -----END EC PRIVATE KEY-----
        sm2 public key:-----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEdqAwhgrpt7NNBVKWuyXy8ltIlcl1
        YQhyum1GE3G4QK3lfVBCgSYFO5+fNfThT1ppVC+Q11wJ/QJmciYVEDzY8A==
        -----END PUBLIC KEY-----
        sm4 key:2DB5E313E60A123DBB1A517B5355A7AC
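
A key file in this format can be checked before it is handed to lt_ctl. The following Python is an added example written for this page, not part of lt_sm: it implements only the format described above (five keyword:value entries, the two PEM values continuing over the following lines) and adds two checks a practitioner wants, that both PEM keys really name the SM2 curve (by its OID in the DER) and that the file is not readable by group or others. The permission check is a recommendation, not an lt_sm requirement. The embedded sample is the key file shown above; the temporary-file helper exists only so the checks can be run end to end.

```python
"""Validator for the key file that `lt_ctl -Y` imports after a restart.

Added example, not part of lt_sm. It implements the format stated above (five
`keyword:value` entries, the two PEM values continuing over following lines) and
adds two checks: both PEM keys are on the SM2 curve, and the file, which holds a
private key and a symmetric key in the clear, is not readable by group or others
(a recommendation, not an lt_sm requirement). SAMPLE_KEYFILE is the page's own."""
import base64
import os
import re
import stat
import tempfile

REQUIRED = ("username", "database", "sm2 private key", "sm2 public key", "sm4 key")
SM4_KEY_HEX = re.compile(r"^[0-9A-Fa-f]{32}$")  # 128-bit key written as 32 hex digits
# DER OBJECT IDENTIFIER 1.2.156.10197.1.301 (sm2p256v1), tag and length included
SM2_CURVE_OID = bytes.fromhex("06082a811ccf5501822d")
PEM_MARKERS = {
    "sm2 private key": ("-----BEGIN EC PRIVATE KEY-----", "-----END EC PRIVATE KEY-----"),
    "sm2 public key": ("-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----"),
}

SAMPLE_KEYFILE = """\
username:lightdb
database:postgres
sm2 private key:-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIC4cBmYiht3Kf4e/xQMNR3C2pLkafZ8Lm9lUxae937SjoAoGCCqBHM9V
AYItoUQDQgAEdqAwhgrpt7NNBVKWuyXy8ltIlcl1YQhyum1GE3G4QK3lfVBCgSYF
O5+fNfThT1ppVC+Q11wJ/QJmciYVEDzY8A==
-----END EC PRIVATE KEY-----
sm2 public key:-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEdqAwhgrpt7NNBVKWuyXy8ltIlcl1
YQhyum1GE3G4QK3lfVBCgSYFO5+fNfThT1ppVC+Q11wJ/QJmciYVEDzY8A==
-----END PUBLIC KEY-----
sm4 key:2DB5E313E60A123DBB1A517B5355A7AC
"""


def _pem_open(value: str) -> bool:
    return value.startswith("-----BEGIN ") and "-----END " not in value


def parse_keyfile(text: str) -> dict:
    """Return {keyword: value}; unknown or missing keywords are errors, not ignored."""
    entries, current = {}, None
    for lineno, line in enumerate(map(str.rstrip, text.splitlines()), 1):
        if current and _pem_open(entries[current]):
            entries[current] += "\n" + line  # PEM body or END line
            continue
        if not line:
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in REQUIRED:
            raise ValueError(f"line {lineno}: expected 'keyword:value' with a known keyword")
        entries[key] = value.strip()
        current = key
    missing = [k for k in REQUIRED if k not in entries]
    if missing:
        raise ValueError(f"missing entries: {missing}")
    return entries


def pem_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def uses_sm2_curve(pem: str) -> bool:
    """Both PEM forms name the curve by OID; this rejects P-256 or any other curve."""
    return SM2_CURVE_OID in pem_der(pem)


def validate_entries(entries: dict) -> list:
    problems = []
    for key, (begin, end) in PEM_MARKERS.items():
        pem = entries[key]
        if not (pem.startswith(begin) and pem.endswith(end)):
            problems.append(f"{key}: not a complete PEM block")
        elif not uses_sm2_curve(pem):
            problems.append(f"{key}: key is not on the SM2 curve")
    if not SM4_KEY_HEX.match(entries["sm4 key"]):
        problems.append("sm4 key: must be exactly 32 hex digits (128 bits)")
    return problems


def permissions_ok(path: str) -> bool:
    """Recommended, not required by lt_sm: no group/other access to the key file."""
    return (stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_keyfile(path: str) -> list:
    with open(path, encoding="utf-8") as f:
        problems = validate_entries(parse_keyfile(f.read()))
    if not permissions_ok(path):
        problems.append("file is readable by group or others; use mode 0600")
    return problems


def write_sample_keyfile(mode: int = 0o600) -> str:
    """Write SAMPLE_KEYFILE to a temporary file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="lt_sm_keyfile_")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_KEYFILE)
    os.chmod(path, mode)
    return path
```

check_keyfile(path) returns an empty list for a file that matches the format, names the SM2 curve in both keys and has mode 0600; anything else is reported as a list of problems rather than raised, so the function can run in a pre-start script and print all findings at once.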