/src/botan/src/lib/pubkey/sm2/sm2.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * SM2 Signatures |
3 | | * (C) 2017,2018 Ribose Inc |
4 | | * (C) 2018 Jack Lloyd |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/sm2.h> |
10 | | #include <botan/internal/pk_ops_impl.h> |
11 | | #include <botan/internal/point_mul.h> |
12 | | #include <botan/loadstor.h> |
13 | | #include <botan/numthry.h> |
14 | | #include <botan/keypair.h> |
15 | | #include <botan/hash.h> |
16 | | #include <botan/parsing.h> |
17 | | |
18 | | namespace Botan { |
19 | | |
20 | | std::string SM2_PublicKey::algo_name() const |
21 | 0 | { |
22 | 0 | return "SM2"; |
23 | 0 | } |
24 | | |
25 | | bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng, |
26 | | bool strong) const |
27 | 0 | { |
28 | 0 | if(!public_point().on_the_curve()) |
29 | 0 | return false; |
30 | 0 | |
31 | 0 | if(!strong) |
32 | 0 | return true; |
33 | 0 | |
34 | 0 | return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3"); |
35 | 0 | } |
36 | | |
37 | | SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id, |
38 | | const secure_vector<uint8_t>& key_bits) : |
39 | | EC_PrivateKey(alg_id, key_bits) |
40 | 0 | { |
41 | 0 | m_da_inv = domain().inverse_mod_order(m_private_key + 1); |
42 | 0 | } Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&) Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&) |
43 | | |
44 | | SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng, |
45 | | const EC_Group& domain, |
46 | | const BigInt& x) : |
47 | | EC_PrivateKey(rng, domain, x) |
48 | 0 | { |
49 | 0 | m_da_inv = domain.inverse_mod_order(m_private_key + 1); |
50 | 0 | } Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&) Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&) |
51 | | |
52 | | std::vector<uint8_t> sm2_compute_za(HashFunction& hash, |
53 | | const std::string& user_id, |
54 | | const EC_Group& domain, |
55 | | const PointGFp& pubkey) |
56 | 0 | { |
57 | 0 | if(user_id.size() >= 8192) |
58 | 0 | throw Invalid_Argument("SM2 user id too long to represent"); |
59 | 0 | |
60 | 0 | const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size()); |
61 | 0 |
|
62 | 0 | hash.update(get_byte(0, uid_len)); |
63 | 0 | hash.update(get_byte(1, uid_len)); |
64 | 0 | hash.update(user_id); |
65 | 0 |
|
66 | 0 | const size_t p_bytes = domain.get_p_bytes(); |
67 | 0 |
|
68 | 0 | hash.update(BigInt::encode_1363(domain.get_a(), p_bytes)); |
69 | 0 | hash.update(BigInt::encode_1363(domain.get_b(), p_bytes)); |
70 | 0 | hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes)); |
71 | 0 | hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes)); |
72 | 0 | hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes)); |
73 | 0 | hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes)); |
74 | 0 |
|
75 | 0 | std::vector<uint8_t> za(hash.output_length()); |
76 | 0 | hash.final(za.data()); |
77 | 0 |
|
78 | 0 | return za; |
79 | 0 | } |
80 | | |
81 | | namespace { |
82 | | |
83 | | /** |
84 | | * SM2 signature operation |
85 | | */ |
86 | | class SM2_Signature_Operation final : public PK_Ops::Signature |
87 | | { |
88 | | public: |
89 | | |
90 | | SM2_Signature_Operation(const SM2_PrivateKey& sm2, |
91 | | const std::string& ident, |
92 | | const std::string& hash) : |
93 | | m_group(sm2.domain()), |
94 | | m_x(sm2.private_value()), |
95 | | m_da_inv(sm2.get_da_inv()) |
96 | 0 | { |
97 | 0 | if(hash == "Raw") |
98 | 0 | { |
99 | 0 | // m_hash is null, m_za is empty |
100 | 0 | } |
101 | 0 | else |
102 | 0 | { |
103 | 0 | m_hash = HashFunction::create_or_throw(hash); |
104 | 0 | // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) |
105 | 0 | m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point()); |
106 | 0 | m_hash->update(m_za); |
107 | 0 | } |
108 | 0 | } |
109 | | |
110 | 0 | size_t signature_length() const override { return 2*m_group.get_order_bytes(); } |
111 | | |
112 | | void update(const uint8_t msg[], size_t msg_len) override |
113 | 0 | { |
114 | 0 | if(m_hash) |
115 | 0 | { |
116 | 0 | m_hash->update(msg, msg_len); |
117 | 0 | } |
118 | 0 | else |
119 | 0 | { |
120 | 0 | m_digest.insert(m_digest.end(), msg, msg + msg_len); |
121 | 0 | } |
122 | 0 | } |
123 | | |
124 | | secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override; |
125 | | |
126 | | private: |
127 | | const EC_Group m_group; |
128 | | const BigInt& m_x; |
129 | | const BigInt& m_da_inv; |
130 | | |
131 | | std::vector<uint8_t> m_za; |
132 | | secure_vector<uint8_t> m_digest; |
133 | | std::unique_ptr<HashFunction> m_hash; |
134 | | std::vector<BigInt> m_ws; |
135 | | }; |
136 | | |
137 | | secure_vector<uint8_t> |
138 | | SM2_Signature_Operation::sign(RandomNumberGenerator& rng) |
139 | 0 | { |
140 | 0 | BigInt e; |
141 | 0 | if(m_hash) |
142 | 0 | { |
143 | 0 | e = BigInt::decode(m_hash->final()); |
144 | 0 | // prepend ZA for next signature if any |
145 | 0 | m_hash->update(m_za); |
146 | 0 | } |
147 | 0 | else |
148 | 0 | { |
149 | 0 | e = BigInt::decode(m_digest); |
150 | 0 | m_digest.clear(); |
151 | 0 | } |
152 | 0 |
|
153 | 0 | const BigInt k = m_group.random_scalar(rng); |
154 | 0 |
|
155 | 0 | const BigInt r = m_group.mod_order( |
156 | 0 | m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e); |
157 | 0 | const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r*m_x)); |
158 | 0 |
|
159 | 0 | return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes()); |
160 | 0 | } |
161 | | |
162 | | /** |
163 | | * SM2 verification operation |
164 | | */ |
165 | | class SM2_Verification_Operation final : public PK_Ops::Verification |
166 | | { |
167 | | public: |
168 | | SM2_Verification_Operation(const SM2_PublicKey& sm2, |
169 | | const std::string& ident, |
170 | | const std::string& hash) : |
171 | | m_group(sm2.domain()), |
172 | | m_gy_mul(m_group.get_base_point(), sm2.public_point()) |
173 | 0 | { |
174 | 0 | if(hash == "Raw") |
175 | 0 | { |
176 | 0 | // m_hash is null, m_za is empty |
177 | 0 | } |
178 | 0 | else |
179 | 0 | { |
180 | 0 | m_hash = HashFunction::create_or_throw(hash); |
181 | 0 | // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) |
182 | 0 | m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point()); |
183 | 0 | m_hash->update(m_za); |
184 | 0 | } |
185 | 0 | } |
186 | | |
187 | | void update(const uint8_t msg[], size_t msg_len) override |
188 | 0 | { |
189 | 0 | if(m_hash) |
190 | 0 | { |
191 | 0 | m_hash->update(msg, msg_len); |
192 | 0 | } |
193 | 0 | else |
194 | 0 | { |
195 | 0 | m_digest.insert(m_digest.end(), msg, msg + msg_len); |
196 | 0 | } |
197 | 0 | } |
198 | | |
199 | | bool is_valid_signature(const uint8_t sig[], size_t sig_len) override; |
200 | | private: |
201 | | const EC_Group m_group; |
202 | | const PointGFp_Multi_Point_Precompute m_gy_mul; |
203 | | secure_vector<uint8_t> m_digest; |
204 | | std::vector<uint8_t> m_za; |
205 | | std::unique_ptr<HashFunction> m_hash; |
206 | | }; |
207 | | |
208 | | bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) |
209 | 0 | { |
210 | 0 | BigInt e; |
211 | 0 | if(m_hash) |
212 | 0 | { |
213 | 0 | e = BigInt::decode(m_hash->final()); |
214 | 0 | // prepend ZA for next signature if any |
215 | 0 | m_hash->update(m_za); |
216 | 0 | } |
217 | 0 | else |
218 | 0 | { |
219 | 0 | e = BigInt::decode(m_digest); |
220 | 0 | m_digest.clear(); |
221 | 0 | } |
222 | 0 |
|
223 | 0 | if(sig_len != m_group.get_order().bytes()*2) |
224 | 0 | return false; |
225 | 0 | |
226 | 0 | const BigInt r(sig, sig_len / 2); |
227 | 0 | const BigInt s(sig + sig_len / 2, sig_len / 2); |
228 | 0 |
|
229 | 0 | if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) |
230 | 0 | return false; |
231 | 0 | |
232 | 0 | const BigInt t = m_group.mod_order(r + s); |
233 | 0 |
|
234 | 0 | if(t == 0) |
235 | 0 | return false; |
236 | 0 | |
237 | 0 | const PointGFp R = m_gy_mul.multi_exp(s, t); |
238 | 0 |
|
239 | 0 | // ??? |
240 | 0 | if(R.is_zero()) |
241 | 0 | return false; |
242 | 0 | |
243 | 0 | return (m_group.mod_order(R.get_affine_x() + e) == r); |
244 | 0 | } |
245 | | |
246 | | void parse_sm2_param_string(const std::string& params, |
247 | | std::string& userid, |
248 | | std::string& hash) |
249 | 0 | { |
250 | 0 | // GM/T 0009-2012 specifies this as the default userid |
251 | 0 | const std::string default_userid = "1234567812345678"; |
252 | 0 |
|
253 | 0 | // defaults: |
254 | 0 | userid = default_userid; |
255 | 0 | hash = "SM3"; |
256 | 0 |
|
257 | 0 | /* |
258 | 0 | * SM2 parameters have the following possible formats: |
259 | 0 | * Ident [since 2.2.0] |
260 | 0 | * Ident,Hash [since 2.3.0] |
261 | 0 | */ |
262 | 0 |
|
263 | 0 | auto comma = params.find(','); |
264 | 0 | if(comma == std::string::npos) |
265 | 0 | { |
266 | 0 | userid = params; |
267 | 0 | } |
268 | 0 | else |
269 | 0 | { |
270 | 0 | userid = params.substr(0, comma); |
271 | 0 | hash = params.substr(comma+1, std::string::npos); |
272 | 0 | } |
273 | 0 | } |
274 | | |
275 | | } |
276 | | |
277 | | std::unique_ptr<PK_Ops::Verification> |
278 | | SM2_PublicKey::create_verification_op(const std::string& params, |
279 | | const std::string& provider) const |
280 | 0 | { |
281 | 0 | if(provider == "base" || provider.empty()) |
282 | 0 | { |
283 | 0 | std::string userid, hash; |
284 | 0 | parse_sm2_param_string(params, userid, hash); |
285 | 0 | return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash)); |
286 | 0 | } |
287 | 0 | |
288 | 0 | throw Provider_Not_Found(algo_name(), provider); |
289 | 0 | } |
290 | | |
291 | | std::unique_ptr<PK_Ops::Signature> |
292 | | SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/, |
293 | | const std::string& params, |
294 | | const std::string& provider) const |
295 | 0 | { |
296 | 0 | if(provider == "base" || provider.empty()) |
297 | 0 | { |
298 | 0 | std::string userid, hash; |
299 | 0 | parse_sm2_param_string(params, userid, hash); |
300 | 0 | return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash)); |
301 | 0 | } |
302 | 0 | |
303 | 0 | throw Provider_Not_Found(algo_name(), provider); |
304 | 0 | } |
305 | | |
306 | | } |