Botan 2.19.2
Crypto and TLS for C&
sm2.cpp
Go to the documentation of this file.
1/*
2* SM2 Signatures
3* (C) 2017,2018 Ribose Inc
4* (C) 2018 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/sm2.h>
10#include <botan/internal/pk_ops_impl.h>
11#include <botan/internal/point_mul.h>
12#include <botan/loadstor.h>
13#include <botan/numthry.h>
14#include <botan/keypair.h>
15#include <botan/hash.h>
16#include <botan/parsing.h>
17
18namespace Botan {
19
20std::string SM2_PublicKey::algo_name() const
21 {
22 return "SM2";
23 }
24
26 bool strong) const
27 {
28 if(!public_point().on_the_curve())
29 return false;
30
31 if(!strong)
32 return true;
33
34 return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");
35 }
36
38 const secure_vector<uint8_t>& key_bits) :
39 EC_PrivateKey(alg_id, key_bits)
40 {
41 m_da_inv = domain().inverse_mod_order(m_private_key + 1);
42 }
43
45 const EC_Group& domain,
46 const BigInt& x) :
47 EC_PrivateKey(rng, domain, x)
48 {
50 }
51
52std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
53 const std::string& user_id,
54 const EC_Group& domain,
55 const PointGFp& pubkey)
56 {
57 if(user_id.size() >= 8192)
58 throw Invalid_Argument("SM2 user id too long to represent");
59
60 const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
61
62 hash.update(get_byte(0, uid_len));
63 hash.update(get_byte(1, uid_len));
64 hash.update(user_id);
65
66 const size_t p_bytes = domain.get_p_bytes();
67
68 hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
69 hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
70 hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
71 hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
72 hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
73 hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
74
75 std::vector<uint8_t> za(hash.output_length());
76 hash.final(za.data());
77
78 return za;
79 }
80
81namespace {
82
83/**
84* SM2 signature operation
85*/
86class SM2_Signature_Operation final : public PK_Ops::Signature
87 {
88 public:
89
90 SM2_Signature_Operation(const SM2_PrivateKey& sm2,
91 const std::string& ident,
92 const std::string& hash) :
93 m_group(sm2.domain()),
94 m_x(sm2.private_value()),
95 m_da_inv(sm2.get_da_inv())
96 {
97 if(hash == "Raw")
98 {
99 // m_hash is null, m_za is empty
100 }
101 else
102 {
104 // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
105 m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
106 m_hash->update(m_za);
107 }
108 }
109
110 size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
111
112 void update(const uint8_t msg[], size_t msg_len) override
113 {
114 if(m_hash)
115 {
116 m_hash->update(msg, msg_len);
117 }
118 else
119 {
120 m_digest.insert(m_digest.end(), msg, msg + msg_len);
121 }
122 }
123
124 secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
125
126 private:
127 const EC_Group m_group;
128 const BigInt& m_x;
129 const BigInt& m_da_inv;
130
131 std::vector<uint8_t> m_za;
132 secure_vector<uint8_t> m_digest;
133 std::unique_ptr<HashFunction> m_hash;
134 std::vector<BigInt> m_ws;
135 };
136
137secure_vector<uint8_t>
138SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
139 {
140 BigInt e;
141 if(m_hash)
142 {
143 e = BigInt::decode(m_hash->final());
144 // prepend ZA for next signature if any
145 m_hash->update(m_za);
146 }
147 else
148 {
149 e = BigInt::decode(m_digest);
150 m_digest.clear();
151 }
152
153 const BigInt k = m_group.random_scalar(rng);
154
155 const BigInt r = m_group.mod_order(
156 m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
157 const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r*m_x));
158
159 return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
160 }
161
162/**
163* SM2 verification operation
164*/
165class SM2_Verification_Operation final : public PK_Ops::Verification
166 {
167 public:
168 SM2_Verification_Operation(const SM2_PublicKey& sm2,
169 const std::string& ident,
170 const std::string& hash) :
171 m_group(sm2.domain()),
172 m_gy_mul(m_group.get_base_point(), sm2.public_point())
173 {
174 if(hash == "Raw")
175 {
176 // m_hash is null, m_za is empty
177 }
178 else
179 {
181 // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
182 m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
183 m_hash->update(m_za);
184 }
185 }
186
187 void update(const uint8_t msg[], size_t msg_len) override
188 {
189 if(m_hash)
190 {
191 m_hash->update(msg, msg_len);
192 }
193 else
194 {
195 m_digest.insert(m_digest.end(), msg, msg + msg_len);
196 }
197 }
198
199 bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
200 private:
201 const EC_Group m_group;
202 const PointGFp_Multi_Point_Precompute m_gy_mul;
203 secure_vector<uint8_t> m_digest;
204 std::vector<uint8_t> m_za;
205 std::unique_ptr<HashFunction> m_hash;
206 };
207
208bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
209 {
210 BigInt e;
211 if(m_hash)
212 {
213 e = BigInt::decode(m_hash->final());
214 // prepend ZA for next signature if any
215 m_hash->update(m_za);
216 }
217 else
218 {
219 e = BigInt::decode(m_digest);
220 m_digest.clear();
221 }
222
223 if(sig_len != m_group.get_order().bytes()*2)
224 return false;
225
226 const BigInt r(sig, sig_len / 2);
227 const BigInt s(sig + sig_len / 2, sig_len / 2);
228
229 if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
230 return false;
231
232 const BigInt t = m_group.mod_order(r + s);
233
234 if(t == 0)
235 return false;
236
237 const PointGFp R = m_gy_mul.multi_exp(s, t);
238
239 // ???
240 if(R.is_zero())
241 return false;
242
243 return (m_group.mod_order(R.get_affine_x() + e) == r);
244 }
245
246void parse_sm2_param_string(const std::string& params,
247 std::string& userid,
248 std::string& hash)
249 {
250 // GM/T 0009-2012 specifies this as the default userid
251 const std::string default_userid = "1234567812345678";
252
253 // defaults:
254 userid = default_userid;
255 hash = "SM3";
256
257 /*
258 * SM2 parameters have the following possible formats:
259 * Ident [since 2.2.0]
260 * Ident,Hash [since 2.3.0]
261 */
262
263 auto comma = params.find(',');
264 if(comma == std::string::npos)
265 {
266 userid = params;
267 }
268 else
269 {
270 userid = params.substr(0, comma);
271 hash = params.substr(comma+1, std::string::npos);
272 }
273 }
274
275}
276
277std::unique_ptr<PK_Ops::Verification>
279 const std::string& provider) const
280 {
281 if(provider == "base" || provider.empty())
282 {
283 std::string userid, hash;
284 parse_sm2_param_string(params, userid, hash);
285 return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash));
286 }
287
288 throw Provider_Not_Found(algo_name(), provider);
289 }
290
291std::unique_ptr<PK_Ops::Signature>
293 const std::string& params,
294 const std::string& provider) const
295 {
296 if(provider == "base" || provider.empty())
297 {
298 std::string userid, hash;
299 parse_sm2_param_string(params, userid, hash);
300 return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash));
301 }
302
303 throw Provider_Not_Found(algo_name(), provider);
304 }
305
306}
static BigInt decode(const uint8_t buf[], size_t length)
Definition: bigint.h:805
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:133
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
const BigInt & get_b() const
Definition: ec_group.cpp:499
const BigInt & get_a() const
Definition: ec_group.cpp:494
const BigInt & get_g_y() const
Definition: ec_group.cpp:519
const BigInt & get_g_x() const
Definition: ec_group.cpp:514
BigInt inverse_mod_order(const BigInt &x) const
Definition: ec_group.cpp:549
size_t get_p_bytes() const
Definition: ec_group.cpp:474
BigInt m_private_key
Definition: ecc_key.h:167
const EC_Group & domain() const
Definition: ecc_key.h:72
const PointGFp & public_point() const
Definition: ecc_key.h:57
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:329
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:394
BigInt get_affine_y() const
Definition: point_gfp.cpp:524
BigInt get_affine_x() const
Definition: point_gfp.cpp:505
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:292
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2.cpp:25
SM2_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2.cpp:37
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:278
std::string algo_name() const override
Definition: sm2.cpp:20
int(* update)(CTX *, const void *, CC_LONG len)
int(* final)(unsigned char *, CTX *)
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
Definition: alg_id.cpp:13
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, const std::string &user_id, const EC_Group &domain, const PointGFp &pubkey)
Definition: sm2.cpp:52
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
MechanismType hash