/src/botan/src/lib/pubkey/sm2/sm2.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * SM2 Signatures |
3 | | * (C) 2017,2018 Ribose Inc |
4 | | * (C) 2018 Jack Lloyd |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/sm2.h> |
10 | | #include <botan/internal/pk_ops_impl.h> |
11 | | #include <botan/internal/point_mul.h> |
12 | | #include <botan/internal/loadstor.h> |
13 | | #include <botan/numthry.h> |
14 | | #include <botan/internal/keypair.h> |
15 | | #include <botan/hash.h> |
16 | | #include <botan/internal/parsing.h> |
17 | | |
18 | | namespace Botan { |
19 | | |
20 | | std::string SM2_PublicKey::algo_name() const |
21 | 0 | { |
22 | 0 | return "SM2"; |
23 | 0 | } |
24 | | |
25 | | std::unique_ptr<Public_Key> SM2_PrivateKey::public_key() const |
26 | 0 | { |
27 | 0 | return std::make_unique<SM2_Signature_PublicKey>(domain(), public_point()); |
28 | 0 | } |
29 | | |
30 | | bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng, |
31 | | bool strong) const |
32 | 0 | { |
33 | 0 | if(!public_point().on_the_curve()) |
34 | 0 | return false; |
35 | | |
36 | 0 | if(!strong) |
37 | 0 | return true; |
38 | | |
39 | 0 | return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3"); |
40 | 0 | } |
41 | | |
42 | | SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id, |
43 | | const secure_vector<uint8_t>& key_bits) : |
44 | | EC_PrivateKey(alg_id, key_bits) |
45 | 0 | { |
46 | 0 | m_da_inv = domain().inverse_mod_order(m_private_key + 1); |
47 | 0 | } Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&) Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&) |
48 | | |
49 | | SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng, |
50 | | const EC_Group& domain, |
51 | | const BigInt& x) : |
52 | | EC_PrivateKey(rng, domain, x) |
53 | 0 | { |
54 | 0 | m_da_inv = domain.inverse_mod_order(m_private_key + 1); |
55 | 0 | } Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&) Unexecuted instantiation: Botan::SM2_PrivateKey::SM2_PrivateKey(Botan::RandomNumberGenerator&, Botan::EC_Group const&, Botan::BigInt const&) |
56 | | |
57 | | std::vector<uint8_t> sm2_compute_za(HashFunction& hash, |
58 | | const std::string& user_id, |
59 | | const EC_Group& domain, |
60 | | const PointGFp& pubkey) |
61 | 0 | { |
62 | 0 | if(user_id.size() >= 8192) |
63 | 0 | throw Invalid_Argument("SM2 user id too long to represent"); |
64 | | |
65 | 0 | const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size()); |
66 | |
|
67 | 0 | hash.update(get_byte<0>(uid_len)); |
68 | 0 | hash.update(get_byte<1>(uid_len)); |
69 | 0 | hash.update(user_id); |
70 | |
|
71 | 0 | const size_t p_bytes = domain.get_p_bytes(); |
72 | |
|
73 | 0 | hash.update(BigInt::encode_1363(domain.get_a(), p_bytes)); |
74 | 0 | hash.update(BigInt::encode_1363(domain.get_b(), p_bytes)); |
75 | 0 | hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes)); |
76 | 0 | hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes)); |
77 | 0 | hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes)); |
78 | 0 | hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes)); |
79 | |
|
80 | 0 | std::vector<uint8_t> za(hash.output_length()); |
81 | 0 | hash.final(za.data()); |
82 | |
|
83 | 0 | return za; |
84 | 0 | } |
85 | | |
86 | | namespace { |
87 | | |
88 | | /** |
89 | | * SM2 signature operation |
90 | | */ |
91 | | class SM2_Signature_Operation final : public PK_Ops::Signature |
92 | | { |
93 | | public: |
94 | | |
95 | | SM2_Signature_Operation(const SM2_PrivateKey& sm2, |
96 | | const std::string& ident, |
97 | | const std::string& hash) : |
98 | | m_group(sm2.domain()), |
99 | | m_x(sm2.private_value()), |
100 | | m_da_inv(sm2.get_da_inv()) |
101 | 0 | { |
102 | 0 | if(hash == "Raw") |
103 | 0 | { |
104 | | // m_hash is null, m_za is empty |
105 | 0 | } |
106 | 0 | else |
107 | 0 | { |
108 | 0 | m_hash = HashFunction::create_or_throw(hash); |
109 | | // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) |
110 | 0 | m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point()); |
111 | 0 | m_hash->update(m_za); |
112 | 0 | } |
113 | 0 | } |
114 | | |
115 | 0 | size_t signature_length() const override { return 2*m_group.get_order_bytes(); } |
116 | | |
117 | | void update(const uint8_t msg[], size_t msg_len) override |
118 | 0 | { |
119 | 0 | if(m_hash) |
120 | 0 | { |
121 | 0 | m_hash->update(msg, msg_len); |
122 | 0 | } |
123 | 0 | else |
124 | 0 | { |
125 | 0 | m_digest.insert(m_digest.end(), msg, msg + msg_len); |
126 | 0 | } |
127 | 0 | } |
128 | | |
129 | | secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override; |
130 | | |
131 | | private: |
132 | | const EC_Group m_group; |
133 | | const BigInt& m_x; |
134 | | const BigInt& m_da_inv; |
135 | | |
136 | | std::vector<uint8_t> m_za; |
137 | | secure_vector<uint8_t> m_digest; |
138 | | std::unique_ptr<HashFunction> m_hash; |
139 | | std::vector<BigInt> m_ws; |
140 | | }; |
141 | | |
142 | | secure_vector<uint8_t> |
143 | | SM2_Signature_Operation::sign(RandomNumberGenerator& rng) |
144 | 0 | { |
145 | 0 | BigInt e; |
146 | 0 | if(m_hash) |
147 | 0 | { |
148 | 0 | e = BigInt::decode(m_hash->final()); |
149 | | // prepend ZA for next signature if any |
150 | 0 | m_hash->update(m_za); |
151 | 0 | } |
152 | 0 | else |
153 | 0 | { |
154 | 0 | e = BigInt::decode(m_digest); |
155 | 0 | m_digest.clear(); |
156 | 0 | } |
157 | |
|
158 | 0 | const BigInt k = m_group.random_scalar(rng); |
159 | |
|
160 | 0 | const BigInt r = m_group.mod_order( |
161 | 0 | m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e); |
162 | 0 | const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r*m_x)); |
163 | |
|
164 | 0 | return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes()); |
165 | 0 | } |
166 | | |
167 | | /** |
168 | | * SM2 verification operation |
169 | | */ |
170 | | class SM2_Verification_Operation final : public PK_Ops::Verification |
171 | | { |
172 | | public: |
173 | | SM2_Verification_Operation(const SM2_PublicKey& sm2, |
174 | | const std::string& ident, |
175 | | const std::string& hash) : |
176 | | m_group(sm2.domain()), |
177 | | m_gy_mul(m_group.get_base_point(), sm2.public_point()) |
178 | 0 | { |
179 | 0 | if(hash == "Raw") |
180 | 0 | { |
181 | | // m_hash is null, m_za is empty |
182 | 0 | } |
183 | 0 | else |
184 | 0 | { |
185 | 0 | m_hash = HashFunction::create_or_throw(hash); |
186 | | // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) |
187 | 0 | m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point()); |
188 | 0 | m_hash->update(m_za); |
189 | 0 | } |
190 | 0 | } |
191 | | |
192 | | void update(const uint8_t msg[], size_t msg_len) override |
193 | 0 | { |
194 | 0 | if(m_hash) |
195 | 0 | { |
196 | 0 | m_hash->update(msg, msg_len); |
197 | 0 | } |
198 | 0 | else |
199 | 0 | { |
200 | 0 | m_digest.insert(m_digest.end(), msg, msg + msg_len); |
201 | 0 | } |
202 | 0 | } |
203 | | |
204 | | bool is_valid_signature(const uint8_t sig[], size_t sig_len) override; |
205 | | private: |
206 | | const EC_Group m_group; |
207 | | const PointGFp_Multi_Point_Precompute m_gy_mul; |
208 | | secure_vector<uint8_t> m_digest; |
209 | | std::vector<uint8_t> m_za; |
210 | | std::unique_ptr<HashFunction> m_hash; |
211 | | }; |
212 | | |
213 | | bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) |
214 | 0 | { |
215 | 0 | BigInt e; |
216 | 0 | if(m_hash) |
217 | 0 | { |
218 | 0 | e = BigInt::decode(m_hash->final()); |
219 | | // prepend ZA for next signature if any |
220 | 0 | m_hash->update(m_za); |
221 | 0 | } |
222 | 0 | else |
223 | 0 | { |
224 | 0 | e = BigInt::decode(m_digest); |
225 | 0 | m_digest.clear(); |
226 | 0 | } |
227 | |
|
228 | 0 | if(sig_len != m_group.get_order().bytes()*2) |
229 | 0 | return false; |
230 | | |
231 | 0 | const BigInt r(sig, sig_len / 2); |
232 | 0 | const BigInt s(sig + sig_len / 2, sig_len / 2); |
233 | |
|
234 | 0 | if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) |
235 | 0 | return false; |
236 | | |
237 | 0 | const BigInt t = m_group.mod_order(r + s); |
238 | |
|
239 | 0 | if(t == 0) |
240 | 0 | return false; |
241 | | |
242 | 0 | const PointGFp R = m_gy_mul.multi_exp(s, t); |
243 | | |
244 | | // ??? |
245 | 0 | if(R.is_zero()) |
246 | 0 | return false; |
247 | | |
248 | 0 | return (m_group.mod_order(R.get_affine_x() + e) == r); |
249 | 0 | } |
250 | | |
251 | | void parse_sm2_param_string(const std::string& params, |
252 | | std::string& userid, |
253 | | std::string& hash) |
254 | 0 | { |
255 | | // GM/T 0009-2012 specifies this as the default userid |
256 | 0 | const std::string default_userid = "1234567812345678"; |
257 | | |
258 | | // defaults: |
259 | 0 | userid = default_userid; |
260 | 0 | hash = "SM3"; |
261 | | |
262 | | /* |
263 | | * SM2 parameters have the following possible formats: |
264 | | * Ident [since 2.2.0] |
265 | | * Ident,Hash [since 2.3.0] |
266 | | */ |
267 | |
|
268 | 0 | auto comma = params.find(','); |
269 | 0 | if(comma == std::string::npos) |
270 | 0 | { |
271 | 0 | userid = params; |
272 | 0 | } |
273 | 0 | else |
274 | 0 | { |
275 | 0 | userid = params.substr(0, comma); |
276 | 0 | hash = params.substr(comma+1, std::string::npos); |
277 | 0 | } |
278 | 0 | } |
279 | | |
280 | | } |
281 | | |
282 | | std::unique_ptr<PK_Ops::Verification> |
283 | | SM2_PublicKey::create_verification_op(const std::string& params, |
284 | | const std::string& provider) const |
285 | 0 | { |
286 | 0 | if(provider == "base" || provider.empty()) |
287 | 0 | { |
288 | 0 | std::string userid, hash; |
289 | 0 | parse_sm2_param_string(params, userid, hash); |
290 | 0 | return std::make_unique<SM2_Verification_Operation>(*this, userid, hash); |
291 | 0 | } |
292 | | |
293 | 0 | throw Provider_Not_Found(algo_name(), provider); |
294 | 0 | } |
295 | | |
296 | | std::unique_ptr<PK_Ops::Signature> |
297 | | SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/, |
298 | | const std::string& params, |
299 | | const std::string& provider) const |
300 | 0 | { |
301 | 0 | if(provider == "base" || provider.empty()) |
302 | 0 | { |
303 | 0 | std::string userid, hash; |
304 | 0 | parse_sm2_param_string(params, userid, hash); |
305 | 0 | return std::make_unique<SM2_Signature_Operation>(*this, userid, hash); |
306 | 0 | } |
307 | | |
308 | 0 | throw Provider_Not_Found(algo_name(), provider); |
309 | 0 | } |
310 | | |
311 | | } |