A secure SSL VPN gateway communication method incorporating post-quantum cryptography technology
By introducing the PQC algorithm and modifying the handshake protocol in the SSL VPN system, and combining it with the SM2 algorithm, the security problem of the SSL VPN system under the threat of quantum computing was solved, realizing key negotiation and identity authentication resistant to quantum attacks, and improving communication security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HEBEI PRIME NUMBER INFORMATION SECURITY CO LTD
- Filing Date
- 2025-07-23
- Publication Date
- 2026-06-26
AI Technical Summary
Existing SSL VPN systems have insufficient security in key negotiation and identity authentication when facing quantum computing threats. In particular, classic algorithms such as SM2 and RSA are at risk of being cracked, and existing national cryptographic algorithms are not effective against quantum computing.
By integrating post-quantum cryptography, the PQC algorithm is introduced into the SSL VPN system and the handshake protocol is modified. Serial hybrid digital certificates and a hybrid key exchange algorithm are used, combined with the SM2 algorithm, to achieve quantum-resistant key negotiation and authentication. This includes configuring hybrid signature and encryption digital certificates and key pairs using the PQC and SM2 algorithms, and adapting the cipher suites and the handshake message structure.
It enables quantum-resistant key negotiation and authentication, significantly improving communication security while maintaining interoperability with standard SSL VPNs.
Figure CN120602209B_ABST
Description
Technical Field
[0001] This invention relates to the field of network security technology, and specifically to an SSL VPN security gateway communication method that integrates quantum cryptography technology.
Background Technology
[0002] The handshake protocol in the classic SSL VPN technical specification involves the following processes:
[0003] a) Exchange hello messages to negotiate cipher suites, exchange random numbers, and decide whether to reuse the session;
[0004] b) Exchange necessary parameters and negotiate the pre-master key;
[0005] c) Exchange certificates or IBC information to verify the other party;
[0006] d) Generate the master key using the pre-master key and the exchanged random numbers;
[0007] e) Provide security parameters to the recording layer;
[0008] f) Verify the consistency of the security parameters calculated by both parties, and the authenticity and completeness of the handshake process.
[0009] As shown in Figure 1, the client sends a "client hello" message to the server. The server should respond with a "server hello" message; otherwise, a fatal error is generated and the connection is closed. The client and server hello messages are used by the client and server to negotiate SM2-based cryptographic algorithms and determine secure transmission capabilities, including protocol version, session identifier, cipher suite attributes, and to generate and exchange random numbers. Following the client and server hello messages is the authentication and key exchange process, including server certificate and server key exchange, and client certificate and client key exchange.
[0010] After sending the hello message, the server sends its own certificate message, a server-side key exchange message, and if it needs to verify the client's identity, it sends a certificate request message to the client, followed by a server-side hello completion message, indicating that the hello message phase is complete and the server awaits a response from the client. If the server sent a certificate request message, the client should return a certificate message. The client then sends a key exchange message, the content of which depends on the key exchange algorithm negotiated between the client's hello message and the server's hello message. If the client sent a certificate message, it should also send a digitally signed certificate verification message for the server to verify the client's identity.
[0011] Current SSL VPN systems commonly employ public-key algorithms such as SM2 and RSA for key negotiation. However, with the development of quantum computing technology, these algorithms face the risk of being cracked. While post-quantum cryptography (PQC) technology has made theoretical progress, its application in practical network devices such as SSL VPNs still faces challenges such as protocol compatibility and performance optimization. Furthermore, existing technologies, such as the national cryptographic algorithms defined in GM/T 0024 "SSL VPN Technical Specification," have not yet considered the requirements for quantum computing resistance.
Summary of the Invention
[0012] The technical problem to be solved by the present invention is to provide an SSL VPN security gateway communication method that integrates quantum cryptography technology to achieve key negotiation and identity authentication resistant to quantum attacks, thereby significantly improving communication security.
[0013] To solve the above-mentioned technical problems, the technical solution adopted by the present invention is as follows.
[0014] A communication method for an SSL VPN security gateway incorporating post-quantum cryptography technology includes the following steps:
[0015] S1. The client and server are respectively configured with a serial hybrid signature digital certificate containing SM2 algorithm and PQC algorithm, a serial hybrid encryption digital certificate, and the corresponding PQC encryption key pair private key, PQC signature key pair private key, SM2 encryption key pair private key and SM2 signature key pair private key;
[0016] S2. Add a hybrid algorithm cipher suite using SM2 and PQC algorithms to the client's cipher suite list and force it to be at the top of the priority list;
[0017] S3. By modifying the message structure in the handshake protocol to use a serial hybrid encrypted digital certificate, PQC algorithm processing is added to the original national cryptographic algorithm to achieve quantum-resistant key negotiation.
[0018] Preferably, the PQC algorithm in step S1 includes, but is not limited to, the lattice-based key encapsulation algorithm ML-KEM and the lattice-based digital signature algorithm ML-DSA; the PQC digital certificate used by the PQC algorithm is a standard X.509 format certificate, and the PQC digital certificate uses a new OID to identify the hybrid algorithm; the public key value is made by concatenating the PQC public key value and the SM2 public key value, with the PQC public key value first and the SM2 public key value second; the signature value is made by concatenating the PQC signature value and the SM2 signature value, with the PQC signature value first and the SM2 signature value second.
[0019] Preferably, the hybrid algorithm cryptographic suite in step S2 is ECC_MLDSA_MLKEM_SM4_SM3, wherein ECC_MLDSA_MLKEM is a key exchange algorithm combining the SM2 algorithm with the ML-DSA and ML-KEM algorithms, SM4 is an encryption algorithm, and SM3 is a verification algorithm.
[0020] Preferably, step S3 includes modifying the seven types of messages in the handshake protocol using the PQC algorithm. The seven types of messages include client hello message, server hello message, certificate message, server key exchange message, certificate request message, client key exchange message, and certificate verification message.
[0021] Preferably, the client hello message adds a hybrid algorithm cipher suite ECC_MLDSA_MLKEM_SM4_SM3 with a value of {0xe0,0x63}; the server hello message selects a hybrid algorithm cipher suite.
[0022] Preferably, the certificate message is in the format of a serialized hybrid digital certificate, which includes a serialized hybrid signature digital certificate and a serialized hybrid encryption digital certificate. The serialized hybrid signature digital certificate contains a PQC signature key pair public key and an SM2 signature key pair public key, and the serialized hybrid encryption digital certificate contains a PQC encryption key pair public key and an SM2 encryption key pair public key.
[0023] Preferably, the signature processing of the server key exchange message adopts a dual signature mechanism, specifically: the server signs the random numbers of both parties and the server's encryption certificate first using the PQC algorithm and then using the SM2 algorithm.
[0024] Preferably, the certificate request message is set as a mandatory message, and the newly added sm2_pqc_sign certificate type requires the client to provide a serialized hybrid signature digital certificate.
[0025] Preferably, the pre-master key generation of the client key exchange message includes:
[0026] The client uses the server's PQC encryption public key to generate a 32-byte shared key Ski and its ciphertext Skic;
[0027] Then it concatenates the 2-byte client_version, 14-byte random, and ciphertext Skic, encrypts the entire string using the server's SM2 encryption public key, and sends it to the server.
[0028] The client concatenates the 2-byte client_version, 14-byte random, and 32-byte Ski to form a 48-byte pre-master key;
[0029] The process by which the server obtains the plaintext of the pre-master key includes:
[0030] The server first uses its SM2 encryption private key to decrypt the outer layer, obtaining client_version, random, and Skic;
[0031] It then uses its PQC encryption private key to decrypt Skic to obtain Ski;
[0032] Finally, client_version, random, and Ski are concatenated to generate a 48-byte pre-master key.
[0033] Preferably, the certificate verification message specifically includes:
[0034] The client first hashes all handshake messages from the client's hello message to the certificate verification message using the SM3 algorithm; then it signs the hash with the client's PQC signing private key and the client's SM2 signing private key respectively; then it concatenates the PQC signature and SM2 signature, with the PQC signature first and the SM2 signature last; finally, it writes the concatenated value into the certificate verification message and sends it to the server.
[0035] After receiving the certificate verification message, the server needs to verify the client's dual signature, which specifically includes: the server using the client's PQC signing public key to verify the PQC signature, and then using the client's SM2 signing public key to verify the SM2 signature.
[0036] Due to the adoption of the above technical solutions, the technical progress achieved by this invention is as follows.
[0037] This invention, by adding the PQC algorithm to the original national cryptographic algorithm and modifying the handshake protocol, can achieve quantum attack-resistant key negotiation and identity authentication, significantly improving communication security while maintaining interoperability with standard SSL VPN.
Attached Figure Description
[0038] Figure 1 is a flowchart of the handshake messages in the existing classic SSL VPN technical specification;
[0039] Figure 2 is an architecture diagram of an SSL VPN security gateway system that applies the integrated post-quantum cryptography technology of this invention.
Detailed Implementation
[0040] The present invention will now be described in further detail with reference to the accompanying drawings and specific embodiments.
[0041] A communication method for an SSL VPN security gateway incorporating post-quantum cryptography technology includes the following steps:
[0042] S1. The client and server are respectively configured with a serial hybrid signature digital certificate containing SM2 algorithm and PQC algorithm, a serial hybrid encryption digital certificate, and the corresponding PQC encryption key pair private key, PQC signature key pair private key, SM2 encryption key pair private key, and SM2 signature key pair private key.
[0043] The PQC algorithm includes, but is not limited to, the lattice-based ML-KEM key encapsulation algorithm and the lattice-based ML-DSA digital signature algorithm. The PQC digital certificate used by the PQC algorithm is a standard X.509 format certificate, and the PQC digital certificate uses a new OID to identify the hybrid algorithm. The public key value is made by concatenating the PQC public key value and the SM2 public key value, with the PQC public key value first and the SM2 public key value second. The signature value is made by concatenating the PQC signature value and the SM2 signature value, with the PQC signature value first and the SM2 signature value second.
[0044] The two parties involved in the handshake protocol, the client (Initiator) and the server (Responder), each need a concatenated hybrid signature digital certificate, a concatenated hybrid encryption digital certificate, and the corresponding private keys of the PQC encryption key pair, PQC signing key pair, SM2 encryption key pair, and SM2 signing key pair. The client's PQC encryption public key is contained in its concatenated hybrid encryption digital certificate and is denoted EncPubKey_I; the matching PQC encryption private key is denoted EncPriKey_I. The client's PQC signing public key is contained in its concatenated hybrid signature digital certificate and is denoted SignPubKey_I; the matching PQC signing private key is denoted SignPriKey_I. The server's PQC encryption public key is contained in its concatenated hybrid encryption digital certificate and is denoted EncPubKey_R; the matching PQC encryption private key is denoted EncPriKey_R. The server's PQC signing public key is contained in its concatenated hybrid signature digital certificate and is denoted SignPubKey_R; the matching PQC signing private key is denoted SignPriKey_R.
[0045] S2. Add a hybrid algorithm cipher suite using SM2 and PQC algorithms to the client's cipher suite list and force it to be at the top priority.
[0046] The hybrid algorithm cryptographic suite is ECC_MLDSA_MLKEM_SM4_SM3, where ECC_MLDSA_MLKEM is a key exchange algorithm that combines the SM2 algorithm with the ML-DSA and ML-KEM algorithms, SM4 is the encryption algorithm, and SM3 is the verification algorithm.
[0047] S3. By modifying the message structure in the handshake protocol to use a serial hybrid encrypted digital certificate, PQC algorithm processing is added to the original national cryptographic algorithm to achieve quantum-resistant key negotiation.
[0048] The handshake message flow involves nine message types: ClientHello, ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone, CertificateVerify, ClientKeyExchange, and Finished. This step primarily involves modifying seven message types in the handshake protocol using the PQC algorithm. These seven message types are ClientHello, ServerHello, Certificate, ServerKeyExchange, CertificateRequest, CertificateVerify, and ClientKeyExchange. The formats and processing methods of the other messages remain consistent with GM/T 0024 "SSL VPN Technical Specification". Details are as follows:
[0049] (1) ClientHello message
[0050] The following are the newly added hybrid algorithm cryptographic suites:
[0051]
| Name | Key exchange | Encryption | Check | Value |
|---|---|---|---|---|
| ECC_MLDSA_MLKEM_SM4_SM3 | ECC_MLDSA_MLKEM | SM4 | SM3 | {0xe0,0x63} |
[0052] (2) ServerHello message
[0053] The server selects a cipher suite from the client's hello message, specifically a mixed algorithm cipher suite.
[0054] (3) Certificate message
[0055] The certificate message is in the format of a serialized hybrid digital certificate. The serialized hybrid digital certificate includes a serialized hybrid signature digital certificate and a serialized hybrid encryption digital certificate. The serialized hybrid signature digital certificate contains a PQC signature key pair public key and an SM2 signature key pair public key, and the serialized hybrid encryption digital certificate contains a PQC encryption key pair public key and an SM2 encryption key pair public key.
[0056] (4) ServerKeyExchange message
[0057] The server-side key exchange message signature processing employs a double-signature mechanism: the server first signs the random numbers from both parties and the server's encrypted certificate using the PQC algorithm, and then signs them using the SM2 algorithm. The calculation process is as follows:
[0058] signed_params = PQC_SecKey_Sign(client_random | server_random | CERT_enc_r_b, SignPriKey_R) | Asymmetric_Sign(client_random | server_random | CERT_enc_r_b, priv_r).
[0059] Wherein, PQC_SecKey_Sign represents the PQC private key signing method; client_random is a random number generated by the client; server_random is a random number generated by the server; CERT_enc_r_b is a derived value of the server's PQC encryption certificate CERT_enc_r; Asymmetric_Sign represents the classic asymmetric signature algorithm; and priv_r is the server's SM2 signature key pair private key.
[0060] The client uses the server's signature public key to verify the signature, first verifying the PQC algorithm signature, and then verifying the SM2 algorithm signature.
[0061] (5) CertificateRequest message
[0062] In the SSL VPN technical specification this message is optional, but here it is required in order to obtain the client's PQC algorithm certificate.
[0063] The certificate_types field lists the certificate types requested from the client.
[0064] The certificate_types field needs a newly added serial hybrid signature digital certificate type (sm2_pqc_sign), which requires clients to provide a serial hybrid signature digital certificate.
[0065] (6) ClientKeyExchange message
[0066] This message contains a pre-master key, which is generated as follows:
[0067] Skic = PQC_PubKey_Enc(Ski, EncPubKey_R)
[0068] PQCEncryptedPreMasterSecret=Asymmetric_Encrypt(client_version|random|Skic,pub_r);
[0069] PreMasterSecret= client_version|random|Ski;
[0070] Here, client_version is 2 bytes, random is a random number of 14 bytes, Ski is a 32-byte shared key generated by PQC, generating a total of 48 bytes of pre-master key, Asymmetric_Encrypt represents classic asymmetric algorithm encryption, pub_r is the server's SM2 encryption key pair public key, and PQC_PubKey_Enc represents the key encryption method based on PQC public key encryption.
[0071] Specifically:
[0072] The client uses the server's PQC encryption public key to generate a 32-byte shared key Ski and its ciphertext Skic.
[0073] Then it concatenates the 2-byte client_version, 14-byte random, and ciphertext Skic, encrypts the entire string using the server's SM2 encryption public key, and sends it to the server.
[0074] The client concatenates the 2-byte client_version, 14-byte random, and 32-byte Ski to form a 48-byte pre-master key.
[0075] The process by which the server obtains the plaintext of the pre-master key includes:
[0076] The server first uses its SM2 encryption private key to decrypt the outer layer, obtaining client_version, random, and Skic;
[0077] It then uses its PQC encryption private key to decrypt Skic to obtain Ski;
[0078] Finally, client_version, random, and Ski are concatenated to generate a 48-byte pre-master key.
[0079] (7) CertificateVerify message
[0080] The certificate verification message is as follows:
[0081] Signature = PQC_SecKey_Sign(SM3(Handshake), SignPriKey_I) | Asymmetric_Sign(SM3(handshake-messages), priv_i).
[0082] Here, Handshake refers to the logical set of all handshake protocol messages from ClientHello up to the current message; handshake-messages is the binary data stream form of Handshake; and priv_i is the client's SM2 signature key pair private key.
[0083] The client first uses the SM3 algorithm to calculate the hash value of all handshake messages from the client's hello message to the certificate verification message; then it signs the hash with the client's PQC signing private key and the client's SM2 signing private key respectively; then it concatenates the PQC signature and SM2 signature, with the PQC signature first and the SM2 signature last; finally, it writes the concatenated value into the certificate verification message and sends it to the server.
[0084] The SM3 calculation covers all handshake messages from the client's hello message up to this message (excluding this message itself), including the type and length fields of the handshake messages, in accordance with the SSL VPN technical specification.
[0085] After receiving the certificate verification message, the server needs to verify the client's dual signature. Specifically, the server uses the client's PQC signing public key to verify the PQC signature, and then uses the client's SM2 signing public key to verify the SM2 signature.
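The ClientKeyExchange pre-master key construction of (6) and the dual signatures of (4) and (7), as an added Python example (not code from the patent or from the gateway it describes): it implements the message layouts and the checks each side makes, with the ML-KEM, SM2 and SM3 primitives injected as callables. The ML-KEM-768 / ML-DSA-65 sizes, the TLS-style 1-byte type plus 3-byte length handshake header, and the toy stand-in primitives are assumptions of this example, not statements of the patent.

```python
import hashlib
from typing import List, Tuple

# Sizes fixed by the description: client_version 2, random 14, Ski 32, PMS 48.
# The patent names no PQC parameter set; the ML-KEM-768 ciphertext and ML-DSA-65
# signature sizes (FIPS 203 / FIPS 204) used below are this example's assumption.
CLIENT_VERSION_LEN, RANDOM_LEN, SKI_LEN = 2, 14, 32
MLKEM768_CT_LEN, MLDSA65_SIG_LEN = 1088, 3309


def split_hybrid(blob: bytes, pqc_len: int) -> Tuple[bytes, bytes]:
    """Split a serial hybrid value (certificate public key or signature):
    the fixed-size PQC part comes first, the SM2 part is the remainder."""
    if len(blob) <= pqc_len:
        raise ValueError("hybrid value shorter than its PQC component")
    return blob[:pqc_len], blob[pqc_len:]


def build_premaster(client_version: bytes, random: bytes, ski: bytes) -> bytes:
    """PreMasterSecret = client_version | random | Ski (2 + 14 + 32 = 48 bytes)."""
    if (len(client_version), len(random), len(ski)) != (CLIENT_VERSION_LEN, RANDOM_LEN, SKI_LEN):
        raise ValueError("bad pre-master component length")
    return client_version + random + ski


def client_key_exchange(client_version, random, srv_enc_pub_pqc, srv_enc_pub_sm2,
                        kem_encaps, sm2_encrypt):
    """Client side: Skic = KEM encapsulation under the server's PQC encryption
    public key; client_version|random|Skic is then SM2-encrypted for the server.
    Returns (PQCEncryptedPreMasterSecret, PreMasterSecret)."""
    ski, skic = kem_encaps(srv_enc_pub_pqc)                 # (Ski, Skic)
    if len(ski) != SKI_LEN or len(skic) != MLKEM768_CT_LEN:
        raise ValueError("unexpected KEM output size")
    outer = client_version + random + skic
    return sm2_encrypt(srv_enc_pub_sm2, outer), build_premaster(client_version, random, ski)


def server_recover_premaster(encrypted, negotiated_version, srv_enc_priv_sm2,
                             srv_enc_priv_pqc, sm2_decrypt, kem_decaps) -> bytes:
    """Server side: peel the SM2 layer, parse the fixed-width fields, decapsulate."""
    outer = sm2_decrypt(srv_enc_priv_sm2, encrypted)
    if len(outer) != CLIENT_VERSION_LEN + RANDOM_LEN + MLKEM768_CT_LEN:
        raise ValueError("malformed PQCEncryptedPreMasterSecret")
    client_version, rest = outer[:CLIENT_VERSION_LEN], outer[CLIENT_VERSION_LEN:]
    random, skic = rest[:RANDOM_LEN], rest[RANDOM_LEN:]
    if client_version != negotiated_version:   # version echoed in the PMS must match the hello
        raise ValueError("client_version mismatch")
    return build_premaster(client_version, random, kem_decaps(srv_enc_priv_pqc, skic))


def transcript_hash(messages: List[Tuple[int, bytes]], hash_fn=hashlib.sha256) -> bytes:
    """Hash over every handshake message so far, each with its 1-byte type and
    3-byte length header (TLS-style layout assumed). The real hash is SM3;
    sha256 stands in because hashlib does not always provide "sm3"."""
    h = hash_fn()
    for msg_type, body in messages:
        h.update(bytes([msg_type]) + len(body).to_bytes(3, "big") + body)
    return h.digest()


def dual_sign(msg, pqc_priv, sm2_priv, pqc_sign, sm2_sign) -> bytes:
    """PQC signature first, SM2 signature second (ServerKeyExchange, CertificateVerify)."""
    return pqc_sign(pqc_priv, msg) + sm2_sign(sm2_priv, msg)


def dual_verify(msg, sig, pqc_pub, sm2_pub, pqc_verify, sm2_verify) -> bool:
    """PQC half checked first, then SM2; both must pass, so a valid SM2 half
    never rescues a forged PQC half, nor the other way round."""
    pqc_sig, sm2_sig = split_hybrid(sig, MLDSA65_SIG_LEN)
    ok_pqc = pqc_verify(pqc_pub, msg, pqc_sig)
    ok_sm2 = sm2_verify(sm2_pub, msg, sm2_sig)
    return ok_pqc and ok_sm2


# Toy stand-ins so the module runs offline. They are NOT ML-KEM, SM2 or SM3 and
# give no security; they exist only to exercise the message layouts above.
def toy_kem_encaps(pk):                       # toy: the "private key" equals pk
    return hashlib.sha256(b"toy-kem" + pk).digest(), hashlib.sha256(b"toy-ct" + pk).digest() * 34

def toy_kem_decaps(sk, skic):
    return hashlib.sha256(b"toy-kem" + sk).digest()

def toy_xor(key, data):                       # symmetric toy in place of SM2 PKE
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def toy_sign(sk, msg, size):
    return (hashlib.sha256(sk + msg).digest() * (size // 32 + 1))[:size]

def toy_verify(pk, msg, sig, size):           # toy: pk == sk
    return sig == toy_sign(pk, msg, size)


if __name__ == "__main__":
    ver, rnd = b"\x01\x01", bytes(14)         # constructed sample values
    blob, pms_c = client_key_exchange(ver, rnd, b"srv-pqc", b"srv-sm2", toy_kem_encaps, toy_xor)
    pms_s = server_recover_premaster(blob, ver, b"srv-sm2", b"srv-pqc", toy_xor, toy_kem_decaps)
    print("pre-master secrets agree:", pms_c == pms_s, "length:", len(pms_s))
```

The same `split_hybrid` applies to the certificate public key (PQC public key first, SM2 public key second) once the PQC key length for the chosen parameter set is known.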
[0086] The client and server use the pre-master key to calculate the master key and working key respectively, and the usage method is performed in accordance with the requirements of the standard specification.
[0087] An SSL VPN security gateway system integrating post-quantum cryptography technology is implemented based on an SSL VPN security gateway communication method integrating post-quantum cryptography technology. It is an upgrade and transformation based on the existing standard SSL VPN security gateway. The upgraded functions include: a handshake protocol integrating SM2 algorithm and PQC algorithm, and import and export functions of PQC digital certificate.
[0088] The handshake protocol that integrates the SM2 and PQC algorithms mainly embeds the PQC algorithm into the existing technical specification and uses a hybrid PQC algorithm digital certificate; the PQC algorithm digital certificate is a standard X.509 format certificate. The PQC digital certificate uses a new OID to identify the hybrid algorithm. The public key value is a concatenation of the PQC public key value and the SM2 public key value, with the PQC public key value first and the SM2 public key value second. The signature value is a concatenation of the PQC signature value and the SM2 signature value, with the PQC signature value first and the SM2 signature value second.
[0089] The import/export function of PQC digital certificates mainly imports the hybrid PQC digital certificate and its accompanying private key into the PQC SSL VPN security gateway, thereby enabling key negotiation that combines the SM2 and PQC algorithms.
[0090] As shown in Figure 2, this system includes a database module, a cryptographic module, a device management service, an SSL VPN module, and a key negotiation module. The output of the database module is connected to the input of the device management service; the output of the cryptographic module is connected to the inputs of the device management service, the SSL VPN module, and the key negotiation module, respectively; the output of the key negotiation module is connected to the input of the SSL VPN module; and the output of the SSL VPN module is connected to the input of the device management service.
[0091] The database module is a data storage module used to store data generated by the management system.
[0092] The cryptographic module includes classical cryptographic algorithms and post-quantum cryptographic algorithms. The classical part handles classical static key management and the logical implementation of the classical cryptographic algorithms; the post-quantum part implements the post-quantum cryptographic algorithms and handles the storage and use of post-quantum keys.
[0093] The device management module is a human-machine interface module used to manage the SSL VPN security gateway's parameters, enabled functions, and access roles. It connects to the database module, storing data generated during operations. It also connects to the cryptography module, providing both classical and post-quantum cryptographic algorithms for the device management functionality.
[0094] The SSL VPN module is an upgrade based on an open-source project, primarily used to establish secure encrypted communication tunnels over public networks. Its core functions include remote access (such as secure employee connections to the company intranet) and site-to-site interconnection (such as cross-regional network communication). It supports TCP/UDP protocols, using UDP by default for improved efficiency, and can stably penetrate NAT and firewall environments. Data encapsulation is achieved through virtual network interface cards (TUN/TAP modes). TUN mode handles IP layer data, while TAP mode supports full Ethernet frame transmission, adapting to different scenario requirements.
[0095] The key negotiation module implements the handshake protocol, completing key negotiation and certificate verification. Compared to standard SSL VPNs, it adds PQC algorithm processing to the original national cryptographic algorithm, which improves the security of the SSL VPN key negotiation process while maintaining compatibility with SSL VPN protocol specifications, and possesses quantum resistance characteristics.
Claims
1. A communication method for an SSL VPN security gateway integrating post-quantum cryptography technology, characterized in that it includes the following steps: S1. The client and server are respectively configured with a serial hybrid signature digital certificate containing SM2 algorithm and PQC algorithm, a serial hybrid encryption digital certificate, and the corresponding PQC encryption key pair private key, PQC signature key pair private key, SM2 encryption key pair private key and SM2 signature key pair private key; S2. Add a hybrid algorithm cipher suite using SM2 and PQC algorithms to the client's cipher suite list and force it to be at the top of the priority list; S3. By modifying the message structure in the handshake protocol to use a serial hybrid encrypted digital certificate, PQC algorithm processing is added to the original national cryptographic algorithm to achieve quantum-resistant key negotiation; step S3 includes modifying the seven types of messages in the handshake protocol using the PQC algorithm, the seven types of messages being the client hello message, server hello message, certificate message, server key exchange message, certificate request message, client key exchange message, and certificate verification message; the pre-master key generation of the client key exchange message includes: the client uses the server's PQC encryption public key to generate a 32-byte shared key Ski and its ciphertext Skic; then concatenates the 2-byte client_version, 14-byte random, and ciphertext Skic, encrypts the entire string using the server's SM2 encryption public key, and sends it to the server; the client concatenates the 2-byte client_version, 14-byte random, and 32-byte Ski to form a 48-byte pre-master key; the process by which the server obtains the plaintext of the pre-master key includes: the server first uses its SM2 encryption private key to decrypt the outer layer, obtaining client_version, random, and Skic; then uses its PQC encryption private key to decrypt Skic to obtain Ski; finally, client_version, random, and Ski are concatenated to generate the 48-byte pre-master key; the certificate verification message is specifically as follows: the client first hashes all handshake messages from the client's hello message to the certificate verification message using the SM3 algorithm; then signs the hash with the client's PQC signing private key and the client's SM2 signing private key respectively; then concatenates the PQC signature and SM2 signature, with the PQC signature first and the SM2 signature last; finally, writes the concatenated value into the certificate verification message and sends it to the server; after receiving the certificate verification message, the server verifies the client's dual signature, which specifically includes: the server using the client's PQC signing public key to verify the PQC signature, and then using the client's SM2 signing public key to verify the SM2 signature.
2. The SSL VPN security gateway communication method integrating quantum cryptography technology according to claim 1, characterized in that: the PQC algorithm in step S1 includes, but is not limited to, the lattice-based key encapsulation algorithm ML-KEM and the lattice-based digital signature algorithm ML-DSA; the PQC digital certificate used by the PQC algorithm is a standard X.509 format certificate, and the PQC digital certificate uses a new OID to identify the hybrid algorithm; the public key value is made by concatenating the PQC public key value and the SM2 public key value, with the PQC public key value first and the SM2 public key value second; the signature value is made by concatenating the PQC signature value and the SM2 signature value, with the PQC signature value first and the SM2 signature value second.
3. The SSL VPN security gateway communication method integrating quantum cryptography technology according to claim 2, characterized in that: In step S2, the hybrid algorithm cryptographic suite is ECC_MLDSA_MLKEM_SM4_SM3, where ECC_MLDSA_MLKEM is a key exchange algorithm that combines the SM2 algorithm with the ML-DSA and ML-KEM algorithms, SM4 is an encryption algorithm, and SM3 is a verification algorithm.
4. The SSL VPN security gateway communication method integrating quantum cryptography technology according to claim 1, characterized in that: The client's hello message adds a hybrid algorithm cipher suite ECC_MLDSA_MLKEM_SM4_SM3 with a value of {0xe0,0x63}; the server's hello message selects a hybrid algorithm cipher suite.
5. The SSL VPN security gateway communication method integrating quantum cryptography technology according to claim 1, characterized in that: The certificate message is in the format of a serialized hybrid digital certificate, which includes a serialized hybrid signature digital certificate and a serialized hybrid encryption digital certificate. The serialized hybrid signature digital certificate contains a PQC signature key pair public key and an SM2 signature key pair public key, and the serialized hybrid encryption digital certificate contains a PQC encryption key pair public key and an SM2 encryption key pair public key.
6. The SSL VPN security gateway communication method integrating quantum cryptography technology according to claim 1, characterized in that: The signature processing of the server key exchange message adopts a dual signature mechanism, specifically: the server signs the random numbers of both parties and the server's encryption certificate, first using the PQC algorithm and then using the SM2 algorithm.
7. The SSL VPN security gateway communication method integrating quantum cryptography technology according to claim 1, characterized in that: The certificate request message is now a mandatory message, and the newly added sm2_pqc_sign certificate type requires the client to provide a serialized hybrid signature digital certificate.