Botan  2.6.0
Crypto and TLS for C++11
sm2.cpp
Go to the documentation of this file.
1 /*
2 * SM2 Signatures
3 * (C) 2017 Ribose Inc
4 * (C) 2018 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/sm2.h>
10 #include <botan/internal/pk_ops_impl.h>
11 #include <botan/numthry.h>
12 #include <botan/keypair.h>
13 #include <botan/hash.h>
14 
15 namespace Botan {
16 
18  bool strong) const
19  {
20  if(!public_point().on_the_curve())
21  return false;
22 
23  if(!strong)
24  return true;
25 
26  return KeyPair::signature_consistency_check(rng, *this, "SM3");
27  }
28 
30  const secure_vector<uint8_t>& key_bits) :
31  EC_PrivateKey(alg_id, key_bits)
32  {
33  m_da_inv = inverse_mod(m_private_key + 1, domain().get_order());
34  }
35 
37  const EC_Group& domain,
38  const BigInt& x) :
39  EC_PrivateKey(rng, domain, x)
40  {
41  m_da_inv = inverse_mod(m_private_key + 1, domain.get_order());
42  }
43 
44 std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
45  const std::string& user_id,
46  const EC_Group& domain,
47  const PointGFp& pubkey)
48  {
49  if(user_id.size() >= 8192)
50  throw Invalid_Argument("SM2 user id too long to represent");
51 
52  const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
53 
54  hash.update(get_byte(0, uid_len));
55  hash.update(get_byte(1, uid_len));
56  hash.update(user_id);
57 
58  const size_t p_bytes = domain.get_p_bytes();
59 
60  hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
61  hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
62  hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
63  hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
64  hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
65  hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
66 
67  std::vector<uint8_t> za(hash.output_length());
68  hash.final(za.data());
69 
70  return za;
71  }
72 
73 namespace {
74 
75 /**
76 * SM2 signature operation
77 */
78 class SM2_Signature_Operation final : public PK_Ops::Signature
79  {
80  public:
81 
82  SM2_Signature_Operation(const SM2_Signature_PrivateKey& sm2,
83  const std::string& ident,
84  const std::string& hash) :
85  m_group(sm2.domain()),
86  m_x(sm2.private_value()),
87  m_da_inv(sm2.get_da_inv()),
88  m_hash(HashFunction::create_or_throw(hash))
89  {
90  // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
91  m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
92  m_hash->update(m_za);
93  }
94 
95  void update(const uint8_t msg[], size_t msg_len) override
96  {
97  m_hash->update(msg, msg_len);
98  }
99 
100  secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
101 
102  private:
103  const EC_Group m_group;
104  const BigInt& m_x;
105  const BigInt& m_da_inv;
106 
107  std::vector<uint8_t> m_za;
108  std::unique_ptr<HashFunction> m_hash;
109  std::vector<BigInt> m_ws;
110  };
111 
112 secure_vector<uint8_t>
113 SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
114  {
115  const BigInt e = BigInt::decode(m_hash->final());
116 
117  const BigInt k = m_group.random_scalar(rng);
118 
119  const BigInt r = m_group.mod_order(
120  m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
121  const BigInt s = m_group.multiply_mod_order(m_da_inv, (k - r*m_x));
122 
123  // prepend ZA for next signature if any
124  m_hash->update(m_za);
125 
126  return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
127  }
128 
129 /**
130 * SM2 verification operation
131 */
132 class SM2_Verification_Operation final : public PK_Ops::Verification
133  {
134  public:
135  SM2_Verification_Operation(const SM2_Signature_PublicKey& sm2,
136  const std::string& ident,
137  const std::string& hash) :
138  m_group(sm2.domain()),
139  m_public_point(sm2.public_point()),
140  m_hash(HashFunction::create_or_throw(hash))
141  {
142  // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
143  m_za = sm2_compute_za(*m_hash, ident, m_group, m_public_point);
144  m_hash->update(m_za);
145  }
146 
147  void update(const uint8_t msg[], size_t msg_len) override
148  {
149  m_hash->update(msg, msg_len);
150  }
151 
152  bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
153  private:
154  const EC_Group m_group;
155  const PointGFp& m_public_point;
156  std::vector<uint8_t> m_za;
157  std::unique_ptr<HashFunction> m_hash;
158  };
159 
160 bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
161  {
162  const BigInt e = BigInt::decode(m_hash->final());
163 
164  // Update for next verification
165  m_hash->update(m_za);
166 
167  if(sig_len != m_group.get_order().bytes()*2)
168  return false;
169 
170  const BigInt r(sig, sig_len / 2);
171  const BigInt s(sig + sig_len / 2, sig_len / 2);
172 
173  if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
174  return false;
175 
176  const BigInt t = m_group.mod_order(r + s);
177 
178  if(t == 0)
179  return false;
180 
181  const PointGFp R = m_group.point_multiply(s, m_public_point, t);
182 
183  // ???
184  if(R.is_zero())
185  return false;
186 
187  return (m_group.mod_order(R.get_affine_x() + e) == r);
188  }
189 
190 }
191 
192 std::unique_ptr<PK_Ops::Verification>
194  const std::string& provider) const
195  {
196  if(provider == "base" || provider.empty())
197  {
198  std::string userid = "";
199  std::string hash = "SM3";
200 
201  auto comma = params.find(',');
202  if(comma == std::string::npos)
203  userid = params;
204  else
205  {
206  userid = params.substr(0, comma);
207  hash = params.substr(comma+1, std::string::npos);
208  }
209 
210  if (userid.empty())
211  {
212  // GM/T 0009-2012 specifies this as the default userid
213  userid = "1234567812345678";
214  }
215 
216  return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash));
217  }
218 
219  throw Provider_Not_Found(algo_name(), provider);
220  }
221 
222 std::unique_ptr<PK_Ops::Signature>
224  const std::string& params,
225  const std::string& provider) const
226  {
227  if(provider == "base" || provider.empty())
228  {
229  std::string userid = "";
230  std::string hash = "SM3";
231 
232  auto comma = params.find(',');
233  if(comma == std::string::npos)
234  userid = params;
235  else
236  {
237  userid = params.substr(0, comma);
238  hash = params.substr(comma+1, std::string::npos);
239  }
240 
241  if (userid.empty())
242  {
243  // GM/T 0009-2012 specifies this as the default userid
244  userid = "1234567812345678";
245  }
246 
247  return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash));
248  }
249 
250  throw Provider_Not_Found(algo_name(), provider);
251  }
252 
253 }
BigInt m_private_key
Definition: ecc_key.h:167
size_t get_p_bytes() const
Definition: ec_group.cpp:407
std::string algo_name() const override
Definition: sm2.h:44
const BigInt & get_order() const
Definition: ec_group.cpp:442
const PointGFp & public_point() const
Definition: ecc_key.h:57
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, const std::string &user_id, const EC_Group &domain, const PointGFp &pubkey)
Definition: sm2.cpp:44
BigInt get_affine_x() const
Definition: point_gfp.cpp:491
BigInt get_affine_y() const
Definition: point_gfp.cpp:510
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
const EC_Group & domain() const
Definition: ecc_key.h:72
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: numthry.cpp:279
Definition: alg_id.cpp:13
const BigInt & get_b() const
Definition: ec_group.cpp:432
const BigInt & get_g_x() const
Definition: ec_group.cpp:447
const BigInt & get_a() const
Definition: ec_group.cpp:427
const BigInt & get_g_y() const
Definition: ec_group.cpp:452
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:223
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:39
SM2_Signature_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2.cpp:29
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:103
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2.cpp:17
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:193
MechanismType hash
static BigInt decode(const uint8_t buf[], size_t length, Base base=Binary)
Definition: big_code.cpp:114