Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/pubkey/sm2/sm2.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* SM2 Signatures
3
* (C) 2017,2018 Ribose Inc
4
* (C) 2018 Jack Lloyd
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/sm2.h>
10
#include <botan/internal/pk_ops_impl.h>
11
#include <botan/internal/point_mul.h>
12
#include <botan/loadstor.h>
13
#include <botan/numthry.h>
14
#include <botan/keypair.h>
15
#include <botan/hash.h>
16
#include <botan/parsing.h>
17
18
namespace Botan {
19
20
std::string SM2_PublicKey::algo_name() const
21
0
   {
22
0
   return "SM2";
23
0
   }
24
25
bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng,
26
                               bool strong) const
27
0
   {
28
0
   if(!public_point().on_the_curve())
29
0
      return false;
30
0
31
0
   if(!strong)
32
0
      return true;
33
0
34
0
   return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");
35
0
   }
36
37
SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id,
38
                               const secure_vector<uint8_t>& key_bits) :
39
   EC_PrivateKey(alg_id, key_bits)
40
0
   {
41
0
   m_da_inv = domain().inverse_mod_order(m_private_key + 1);
42
0
   }
Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
43
44
SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng,
45
                               const EC_Group& domain,
46
                               const BigInt& x) :
47
   EC_PrivateKey(rng, domain, x)
48
0
   {
49
0
   m_da_inv = domain.inverse_mod_order(m_private_key + 1);
50
0
   }
Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&)
Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&)
51
52
std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
53
                                    const std::string& user_id,
54
                                    const EC_Group& domain,
55
                                    const PointGFp& pubkey)
56
0
   {
57
0
   if(user_id.size() >= 8192)
58
0
      throw Invalid_Argument("SM2 user id too long to represent");
59
0
60
0
   const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
61
0
62
0
   hash.update(get_byte(0, uid_len));
63
0
   hash.update(get_byte(1, uid_len));
64
0
   hash.update(user_id);
65
0
66
0
   const size_t p_bytes = domain.get_p_bytes();
67
0
68
0
   hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
69
0
   hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
70
0
   hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
71
0
   hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
72
0
   hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
73
0
   hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
74
0
75
0
   std::vector<uint8_t> za(hash.output_length());
76
0
   hash.final(za.data());
77
0
78
0
   return za;
79
0
   }
80
81
namespace {
82
83
/**
84
* SM2 signature operation
85
*/
86
class SM2_Signature_Operation final : public PK_Ops::Signature
87
   {
88
   public:
89
90
      SM2_Signature_Operation(const SM2_PrivateKey& sm2,
91
                              const std::string& ident,
92
                              const std::string& hash) :
93
         m_group(sm2.domain()),
94
         m_x(sm2.private_value()),
95
         m_da_inv(sm2.get_da_inv())
96
0
         {
97
0
         if(hash == "Raw")
98
0
            {
99
0
            // m_hash is null, m_za is empty
100
0
            }
101
0
         else
102
0
            {
103
0
            m_hash = HashFunction::create_or_throw(hash);
104
0
            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
105
0
            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
106
0
            m_hash->update(m_za);
107
0
            }
108
0
         }
109
110
0
      size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
111
112
      void update(const uint8_t msg[], size_t msg_len) override
113
0
         {
114
0
         if(m_hash)
115
0
            {
116
0
            m_hash->update(msg, msg_len);
117
0
            }
118
0
         else
119
0
            {
120
0
            m_digest.insert(m_digest.end(), msg, msg + msg_len);
121
0
            }
122
0
         }
123
124
      secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
125
126
   private:
127
      const EC_Group m_group;
128
      const BigInt& m_x;
129
      const BigInt& m_da_inv;
130
131
      std::vector<uint8_t> m_za;
132
      secure_vector<uint8_t> m_digest;
133
      std::unique_ptr<HashFunction> m_hash;
134
      std::vector<BigInt> m_ws;
135
   };
136
137
secure_vector<uint8_t>
138
SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
139
0
   {
140
0
   BigInt e;
141
0
   if(m_hash)
142
0
      {
143
0
      e = BigInt::decode(m_hash->final());
144
0
      // prepend ZA for next signature if any
145
0
      m_hash->update(m_za);
146
0
      }
147
0
   else
148
0
      {
149
0
      e = BigInt::decode(m_digest);
150
0
      m_digest.clear();
151
0
      }
152
0
153
0
   const BigInt k = m_group.random_scalar(rng);
154
0
155
0
   const BigInt r = m_group.mod_order(
156
0
      m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
157
0
   const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r*m_x));
158
0
159
0
   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
160
0
   }
161
162
/**
163
* SM2 verification operation
164
*/
165
class SM2_Verification_Operation final : public PK_Ops::Verification
166
   {
167
   public:
168
      SM2_Verification_Operation(const SM2_PublicKey& sm2,
169
                                 const std::string& ident,
170
                                 const std::string& hash) :
171
         m_group(sm2.domain()),
172
         m_gy_mul(m_group.get_base_point(), sm2.public_point())
173
0
         {
174
0
         if(hash == "Raw")
175
0
            {
176
0
            // m_hash is null, m_za is empty
177
0
            }
178
0
         else
179
0
            {
180
0
            m_hash = HashFunction::create_or_throw(hash);
181
0
            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
182
0
            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
183
0
            m_hash->update(m_za);
184
0
            }
185
0
         }
186
187
      void update(const uint8_t msg[], size_t msg_len) override
188
0
         {
189
0
         if(m_hash)
190
0
            {
191
0
            m_hash->update(msg, msg_len);
192
0
            }
193
0
         else
194
0
            {
195
0
            m_digest.insert(m_digest.end(), msg, msg + msg_len);
196
0
            }
197
0
         }
198
199
      bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
200
   private:
201
      const EC_Group m_group;
202
      const PointGFp_Multi_Point_Precompute m_gy_mul;
203
      secure_vector<uint8_t> m_digest;
204
      std::vector<uint8_t> m_za;
205
      std::unique_ptr<HashFunction> m_hash;
206
   };
207
208
bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
209
0
   {
210
0
   BigInt e;
211
0
   if(m_hash)
212
0
      {
213
0
      e = BigInt::decode(m_hash->final());
214
0
      // prepend ZA for next signature if any
215
0
      m_hash->update(m_za);
216
0
      }
217
0
   else
218
0
      {
219
0
      e = BigInt::decode(m_digest);
220
0
      m_digest.clear();
221
0
      }
222
0
223
0
   if(sig_len != m_group.get_order().bytes()*2)
224
0
      return false;
225
0
226
0
   const BigInt r(sig, sig_len / 2);
227
0
   const BigInt s(sig + sig_len / 2, sig_len / 2);
228
0
229
0
   if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
230
0
      return false;
231
0
232
0
   const BigInt t = m_group.mod_order(r + s);
233
0
234
0
   if(t == 0)
235
0
      return false;
236
0
237
0
   const PointGFp R = m_gy_mul.multi_exp(s, t);
238
0
239
0
   // ???
240
0
   if(R.is_zero())
241
0
      return false;
242
0
243
0
   return (m_group.mod_order(R.get_affine_x() + e) == r);
244
0
   }
245
246
void parse_sm2_param_string(const std::string& params,
247
                            std::string& userid,
248
                            std::string& hash)
249
0
   {
250
0
   // GM/T 0009-2012 specifies this as the default userid
251
0
   const std::string default_userid = "1234567812345678";
252
0
253
0
   // defaults:
254
0
   userid = default_userid;
255
0
   hash = "SM3";
256
0
257
0
   /*
258
0
   * SM2 parameters have the following possible formats:
259
0
   * Ident [since 2.2.0]
260
0
   * Ident,Hash [since 2.3.0]
261
0
   */
262
0
263
0
   auto comma = params.find(',');
264
0
   if(comma == std::string::npos)
265
0
      {
266
0
      userid = params;
267
0
      }
268
0
   else
269
0
      {
270
0
      userid = params.substr(0, comma);
271
0
      hash = params.substr(comma+1, std::string::npos);
272
0
      }
273
0
   }
274
275
}
276
277
std::unique_ptr<PK_Ops::Verification>
278
SM2_PublicKey::create_verification_op(const std::string& params,
279
                                      const std::string& provider) const
280
0
   {
281
0
   if(provider == "base" || provider.empty())
282
0
      {
283
0
      std::string userid, hash;
284
0
      parse_sm2_param_string(params, userid, hash);
285
0
      return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash));
286
0
      }
287
0
288
0
   throw Provider_Not_Found(algo_name(), provider);
289
0
   }
290
291
std::unique_ptr<PK_Ops::Signature>
292
SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
293
                                    const std::string& params,
294
                                    const std::string& provider) const
295
0
   {
296
0
   if(provider == "base" || provider.empty())
297
0
      {
298
0
      std::string userid, hash;
299
0
      parse_sm2_param_string(params, userid, hash);
300
0
      return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash));
301
0
      }
302
0
303
0
   throw Provider_Not_Found(algo_name(), provider);
304
0
   }
305
306
}