Coverage Report

Created: 2025-06-22 06:56

/src/openssl/crypto/sm2/sm2_sign.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright 2017 Ribose Inc. All Rights Reserved.
4
 * Ported from Ribose contributions from Botan.
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 */
11
12
#include "internal/deprecated.h"
13
14
#include "crypto/sm2.h"
15
#include "crypto/sm2err.h"
16
#include "crypto/ec.h" /* ossl_ec_group_do_inverse_ord() */
17
#include "internal/numbers.h"
18
#include <openssl/err.h>
19
#include <openssl/evp.h>
20
#include <openssl/bn.h>
21
#include <string.h>
22
23
int ossl_sm2_compute_z_digest(uint8_t *out,
24
                              const EVP_MD *digest,
25
                              const uint8_t *id,
26
                              const size_t id_len,
27
                              const EC_KEY *key)
28
0
{
29
0
    int rc = 0;
30
0
    const EC_GROUP *group = EC_KEY_get0_group(key);
31
0
    const EC_POINT *pubkey = EC_KEY_get0_public_key(key);
32
0
    BN_CTX *ctx = NULL;
33
0
    EVP_MD_CTX *hash = NULL;
34
0
    BIGNUM *p = NULL;
35
0
    BIGNUM *a = NULL;
36
0
    BIGNUM *b = NULL;
37
0
    BIGNUM *xG = NULL;
38
0
    BIGNUM *yG = NULL;
39
0
    BIGNUM *xA = NULL;
40
0
    BIGNUM *yA = NULL;
41
0
    int p_bytes = 0;
42
0
    uint8_t *buf = NULL;
43
0
    uint16_t entl = 0;
44
0
    uint8_t e_byte = 0;
45
46
    /* SM2 Signatures require a public key, check for it */
47
0
    if (pubkey == NULL) {
48
0
        ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
49
0
        goto done;
50
0
    }
51
52
0
    hash = EVP_MD_CTX_new();
53
0
    if (hash == NULL) {
54
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
55
0
        goto done;
56
0
    }
57
0
    ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key));
58
0
    if (ctx == NULL) {
59
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
60
0
        goto done;
61
0
    }
62
63
0
    p = BN_CTX_get(ctx);
64
0
    a = BN_CTX_get(ctx);
65
0
    b = BN_CTX_get(ctx);
66
0
    xG = BN_CTX_get(ctx);
67
0
    yG = BN_CTX_get(ctx);
68
0
    xA = BN_CTX_get(ctx);
69
0
    yA = BN_CTX_get(ctx);
70
71
0
    if (yA == NULL) {
72
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
73
0
        goto done;
74
0
    }
75
76
0
    if (!EVP_DigestInit(hash, digest)) {
77
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
78
0
        goto done;
79
0
    }
80
81
    /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
82
83
0
    if (id_len >= (UINT16_MAX / 8)) {
84
        /* too large */
85
0
        ERR_raise(ERR_LIB_SM2, SM2_R_ID_TOO_LARGE);
86
0
        goto done;
87
0
    }
88
89
0
    entl = (uint16_t)(8 * id_len);
90
91
0
    e_byte = entl >> 8;
92
0
    if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
93
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
94
0
        goto done;
95
0
    }
96
0
    e_byte = entl & 0xFF;
97
0
    if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
98
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
99
0
        goto done;
100
0
    }
101
102
0
    if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
103
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
104
0
        goto done;
105
0
    }
106
107
0
    if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
108
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
109
0
        goto done;
110
0
    }
111
112
0
    p_bytes = BN_num_bytes(p);
113
0
    buf = OPENSSL_zalloc(p_bytes);
114
0
    if (buf == NULL)
115
0
        goto done;
116
117
0
    if (BN_bn2binpad(a, buf, p_bytes) < 0
118
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
119
0
            || BN_bn2binpad(b, buf, p_bytes) < 0
120
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
121
0
            || !EC_POINT_get_affine_coordinates(group,
122
0
                                                EC_GROUP_get0_generator(group),
123
0
                                                xG, yG, ctx)
124
0
            || BN_bn2binpad(xG, buf, p_bytes) < 0
125
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
126
0
            || BN_bn2binpad(yG, buf, p_bytes) < 0
127
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
128
0
            || !EC_POINT_get_affine_coordinates(group,
129
0
                                                pubkey,
130
0
                                                xA, yA, ctx)
131
0
            || BN_bn2binpad(xA, buf, p_bytes) < 0
132
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
133
0
            || BN_bn2binpad(yA, buf, p_bytes) < 0
134
0
            || !EVP_DigestUpdate(hash, buf, p_bytes)
135
0
            || !EVP_DigestFinal(hash, out, NULL)) {
136
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
137
0
        goto done;
138
0
    }
139
140
0
    rc = 1;
141
142
0
 done:
143
0
    OPENSSL_free(buf);
144
0
    BN_CTX_free(ctx);
145
0
    EVP_MD_CTX_free(hash);
146
0
    return rc;
147
0
}
148
149
static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest,
150
                                    const EC_KEY *key,
151
                                    const uint8_t *id,
152
                                    const size_t id_len,
153
                                    const uint8_t *msg, size_t msg_len)
154
0
{
155
0
    EVP_MD_CTX *hash = EVP_MD_CTX_new();
156
0
    const int md_size = EVP_MD_get_size(digest);
157
0
    uint8_t *z = NULL;
158
0
    BIGNUM *e = NULL;
159
0
    EVP_MD *fetched_digest = NULL;
160
0
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
161
0
    const char *propq = ossl_ec_key_get0_propq(key);
162
163
0
    if (md_size <= 0) {
164
0
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST);
165
0
        goto done;
166
0
    }
167
0
    if (hash == NULL) {
168
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
169
0
        goto done;
170
0
    }
171
172
0
    z = OPENSSL_zalloc(md_size);
173
0
    if (z == NULL)
174
0
        goto done;
175
176
0
    fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(digest), propq);
177
0
    if (fetched_digest == NULL) {
178
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
179
0
        goto done;
180
0
    }
181
182
0
    if (!ossl_sm2_compute_z_digest(z, fetched_digest, id, id_len, key)) {
183
        /* SM2err already called */
184
0
        goto done;
185
0
    }
186
187
0
    if (!EVP_DigestInit(hash, fetched_digest)
188
0
            || !EVP_DigestUpdate(hash, z, md_size)
189
0
            || !EVP_DigestUpdate(hash, msg, msg_len)
190
               /* reuse z buffer to hold H(Z || M) */
191
0
            || !EVP_DigestFinal(hash, z, NULL)) {
192
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
193
0
        goto done;
194
0
    }
195
196
0
    e = BN_bin2bn(z, md_size, NULL);
197
0
    if (e == NULL)
198
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
199
200
0
 done:
201
0
    EVP_MD_free(fetched_digest);
202
0
    OPENSSL_free(z);
203
0
    EVP_MD_CTX_free(hash);
204
0
    return e;
205
0
}
206
207
static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
208
0
{
209
0
    const BIGNUM *dA = EC_KEY_get0_private_key(key);
210
0
    const EC_GROUP *group = EC_KEY_get0_group(key);
211
0
    const BIGNUM *order = EC_GROUP_get0_order(group);
212
0
    ECDSA_SIG *sig = NULL;
213
0
    EC_POINT *kG = NULL;
214
0
    BN_CTX *ctx = NULL;
215
0
    BIGNUM *k = NULL;
216
0
    BIGNUM *rk = NULL;
217
0
    BIGNUM *r = NULL;
218
0
    BIGNUM *s = NULL;
219
0
    BIGNUM *x1 = NULL;
220
0
    BIGNUM *tmp = NULL;
221
0
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
222
223
0
    kG = EC_POINT_new(group);
224
0
    if (kG == NULL) {
225
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
226
0
        goto done;
227
0
    }
228
0
    ctx = BN_CTX_new_ex(libctx);
229
0
    if (ctx == NULL) {
230
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
231
0
        goto done;
232
0
    }
233
234
0
    BN_CTX_start(ctx);
235
0
    k = BN_CTX_get(ctx);
236
0
    rk = BN_CTX_get(ctx);
237
0
    x1 = BN_CTX_get(ctx);
238
0
    tmp = BN_CTX_get(ctx);
239
0
    if (tmp == NULL) {
240
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
241
0
        goto done;
242
0
    }
243
244
    /*
245
     * These values are returned and so should not be allocated out of the
246
     * context
247
     */
248
0
    r = BN_new();
249
0
    s = BN_new();
250
251
0
    if (r == NULL || s == NULL) {
252
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
253
0
        goto done;
254
0
    }
255
256
    /*
257
     * A3: Generate a random number k in [1,n-1] using random number generators;
258
     * A4: Compute (x1,y1)=[k]G, and convert the type of data x1 to be integer
259
     *     as specified in clause 4.2.8 of GM/T 0003.1-2012;
260
     * A5: Compute r=(e+x1) mod n. If r=0 or r+k=n, then go to A3;
261
     * A6: Compute s=(1/(1+dA)*(k-r*dA)) mod n. If s=0, then go to A3;
262
     * A7: Convert the type of data (r,s) to be bit strings according to the details
263
     *     in clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s).
264
     */
265
0
    for (;;) {
266
0
        if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
267
0
            ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
268
0
            goto done;
269
0
        }
270
271
0
        if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx)
272
0
                || !EC_POINT_get_affine_coordinates(group, kG, x1, NULL,
273
0
                                                    ctx)
274
0
                || !BN_mod_add(r, e, x1, order, ctx)) {
275
0
            ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
276
0
            goto done;
277
0
        }
278
279
        /* try again if r == 0 or r+k == n */
280
0
        if (BN_is_zero(r))
281
0
            continue;
282
283
0
        if (!BN_add(rk, r, k)) {
284
0
            ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
285
0
            goto done;
286
0
        }
287
288
0
        if (BN_cmp(rk, order) == 0)
289
0
            continue;
290
291
0
        if (!BN_add(s, dA, BN_value_one())
292
0
                || !ossl_ec_group_do_inverse_ord(group, s, s, ctx)
293
0
                || !BN_mod_mul(tmp, dA, r, order, ctx)
294
0
                || !BN_sub(tmp, k, tmp)
295
0
                || !BN_mod_mul(s, s, tmp, order, ctx)) {
296
0
            ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
297
0
            goto done;
298
0
        }
299
300
        /* try again if s == 0 */
301
0
        if (BN_is_zero(s))
302
0
            continue;
303
304
0
        sig = ECDSA_SIG_new();
305
0
        if (sig == NULL) {
306
0
            ERR_raise(ERR_LIB_SM2, ERR_R_ECDSA_LIB);
307
0
            goto done;
308
0
        }
309
310
         /* takes ownership of r and s */
311
0
        ECDSA_SIG_set0(sig, r, s);
312
0
        break;
313
0
    }
314
315
0
 done:
316
0
    if (sig == NULL) {
317
0
        BN_free(r);
318
0
        BN_free(s);
319
0
    }
320
321
0
    BN_CTX_free(ctx);
322
0
    EC_POINT_free(kG);
323
0
    return sig;
324
0
}
325
326
static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig,
327
                          const BIGNUM *e)
328
0
{
329
0
    int ret = 0;
330
0
    const EC_GROUP *group = EC_KEY_get0_group(key);
331
0
    const BIGNUM *order = EC_GROUP_get0_order(group);
332
0
    BN_CTX *ctx = NULL;
333
0
    EC_POINT *pt = NULL;
334
0
    BIGNUM *t = NULL;
335
0
    BIGNUM *x1 = NULL;
336
0
    const BIGNUM *r = NULL;
337
0
    const BIGNUM *s = NULL;
338
0
    OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
339
340
0
    ctx = BN_CTX_new_ex(libctx);
341
0
    if (ctx == NULL) {
342
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
343
0
        goto done;
344
0
    }
345
0
    BN_CTX_start(ctx);
346
0
    t = BN_CTX_get(ctx);
347
0
    x1 = BN_CTX_get(ctx);
348
0
    if (x1 == NULL) {
349
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
350
0
        goto done;
351
0
    }
352
353
0
    pt = EC_POINT_new(group);
354
0
    if (pt == NULL) {
355
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
356
0
        goto done;
357
0
    }
358
359
    /*
360
     * B1: verify whether r' in [1,n-1], verification failed if not
361
     * B2: verify whether s' in [1,n-1], verification failed if not
362
     * B3: set M'~=ZA || M'
363
     * B4: calculate e'=Hv(M'~)
364
     * B5: calculate t = (r' + s') modn, verification failed if t=0
365
     * B6: calculate the point (x1', y1')=[s']G + [t]PA
366
     * B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed
367
     */
368
369
0
    ECDSA_SIG_get0(sig, &r, &s);
370
371
0
    if (BN_cmp(r, BN_value_one()) < 0
372
0
            || BN_cmp(s, BN_value_one()) < 0
373
0
            || BN_cmp(order, r) <= 0
374
0
            || BN_cmp(order, s) <= 0) {
375
0
        ERR_raise(ERR_LIB_SM2, SM2_R_BAD_SIGNATURE);
376
0
        goto done;
377
0
    }
378
379
0
    if (!BN_mod_add(t, r, s, order, ctx)) {
380
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
381
0
        goto done;
382
0
    }
383
384
0
    if (BN_is_zero(t)) {
385
0
        ERR_raise(ERR_LIB_SM2, SM2_R_BAD_SIGNATURE);
386
0
        goto done;
387
0
    }
388
389
0
    if (!EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx)
390
0
            || !EC_POINT_get_affine_coordinates(group, pt, x1, NULL, ctx)) {
391
0
        ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
392
0
        goto done;
393
0
    }
394
395
0
    if (!BN_mod_add(t, e, x1, order, ctx)) {
396
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
397
0
        goto done;
398
0
    }
399
400
0
    if (BN_cmp(r, t) == 0)
401
0
        ret = 1;
402
403
0
 done:
404
0
    BN_CTX_end(ctx);
405
0
    EC_POINT_free(pt);
406
0
    BN_CTX_free(ctx);
407
0
    return ret;
408
0
}
409
410
ECDSA_SIG *ossl_sm2_do_sign(const EC_KEY *key,
411
                            const EVP_MD *digest,
412
                            const uint8_t *id,
413
                            const size_t id_len,
414
                            const uint8_t *msg, size_t msg_len)
415
0
{
416
0
    BIGNUM *e = NULL;
417
0
    ECDSA_SIG *sig = NULL;
418
419
0
    e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
420
0
    if (e == NULL) {
421
        /* SM2err already called */
422
0
        goto done;
423
0
    }
424
425
0
    sig = sm2_sig_gen(key, e);
426
427
0
 done:
428
0
    BN_free(e);
429
0
    return sig;
430
0
}
431
432
int ossl_sm2_do_verify(const EC_KEY *key,
433
                       const EVP_MD *digest,
434
                       const ECDSA_SIG *sig,
435
                       const uint8_t *id,
436
                       const size_t id_len,
437
                       const uint8_t *msg, size_t msg_len)
438
0
{
439
0
    BIGNUM *e = NULL;
440
0
    int ret = 0;
441
442
0
    e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
443
0
    if (e == NULL) {
444
        /* SM2err already called */
445
0
        goto done;
446
0
    }
447
448
0
    ret = sm2_sig_verify(key, sig, e);
449
450
0
 done:
451
0
    BN_free(e);
452
0
    return ret;
453
0
}
454
455
int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen,
456
                           unsigned char *sig, unsigned int *siglen,
457
                           EC_KEY *eckey)
458
0
{
459
0
    BIGNUM *e = NULL;
460
0
    ECDSA_SIG *s = NULL;
461
0
    int sigleni;
462
0
    int ret = -1;
463
464
0
    if (sig == NULL) {
465
0
        ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
466
0
        goto done;
467
0
    }
468
469
0
    e = BN_bin2bn(dgst, dgstlen, NULL);
470
0
    if (e == NULL) {
471
0
       ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
472
0
       goto done;
473
0
    }
474
475
0
    s = sm2_sig_gen(eckey, e);
476
0
    if (s == NULL) {
477
0
        ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
478
0
        goto done;
479
0
    }
480
481
0
    sigleni = i2d_ECDSA_SIG(s, &sig);
482
0
    if (sigleni < 0) {
483
0
       ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
484
0
       goto done;
485
0
    }
486
0
    *siglen = (unsigned int)sigleni;
487
488
0
    ret = 1;
489
490
0
 done:
491
0
    ECDSA_SIG_free(s);
492
0
    BN_free(e);
493
0
    return ret;
494
0
}
495
496
int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen,
497
                             const unsigned char *sig, int sig_len,
498
                             EC_KEY *eckey)
499
0
{
500
0
    ECDSA_SIG *s = NULL;
501
0
    BIGNUM *e = NULL;
502
0
    const unsigned char *p = sig;
503
0
    unsigned char *der = NULL;
504
0
    int derlen = -1;
505
0
    int ret = -1;
506
507
0
    s = ECDSA_SIG_new();
508
0
    if (s == NULL) {
509
0
        ERR_raise(ERR_LIB_SM2, ERR_R_ECDSA_LIB);
510
0
        goto done;
511
0
    }
512
0
    if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) {
513
0
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
514
0
        goto done;
515
0
    }
516
    /* Ensure signature uses DER and doesn't have trailing garbage */
517
0
    derlen = i2d_ECDSA_SIG(s, &der);
518
0
    if (derlen != sig_len || memcmp(sig, der, derlen) != 0) {
519
0
        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
520
0
        goto done;
521
0
    }
522
523
0
    e = BN_bin2bn(dgst, dgstlen, NULL);
524
0
    if (e == NULL) {
525
0
        ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
526
0
        goto done;
527
0
    }
528
529
0
    ret = sm2_sig_verify(eckey, s, e);
530
531
0
 done:
532
0
    OPENSSL_free(der);
533
0
    BN_free(e);
534
0
    ECDSA_SIG_free(s);
535
0
    return ret;
536
0
}