doxygen/sm2_8cpp_source.html

/*

* SM2 Signatures

* (C) 2017,2018 Ribose Inc

* (C) 2018 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/sm2.h>


#include <botan/hash.h>

#include <botan/numthry.h>

#include <botan/internal/keypair.h>

#include <botan/internal/loadstor.h>

#include <botan/internal/parsing.h>

#include <botan/internal/pk_ops_impl.h>

#include <botan/internal/point_mul.h>


namespace Botan {


std::string SM2_PublicKey::algo_name() const {

   return "SM2";

}


std::unique_ptr<Public_Key> SM2_PrivateKey::public_key() const {

   return std::make_unique<SM2_Signature_PublicKey>(domain(), public_point());

}


bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {

   if(!EC_PrivateKey::check_key(rng, strong)) {

      return false;

   }


   // SM2 has an oddity in private key generation when compared to

   // other EC*DSA style signature algorithms described in ISO14888-3:

   // the private key x MUST be in ]0, q-1[ instead of ]0, q[.

   if(m_private_key < 1 || m_private_key >= m_domain_params.get_order() - 1) {

      return false;

   }


   if(!strong) {

      return true;

   }


   return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");

}


SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) :

      EC_PrivateKey(alg_id, key_bits) {

   m_da_inv = domain().inverse_mod_order(m_private_key + 1);

}


SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng, const EC_Group& domain, const BigInt& x) :

      EC_PrivateKey(rng, domain, x) {

   m_da_inv = domain.inverse_mod_order(m_private_key + 1);

}


std::vector<uint8_t> sm2_compute_za(HashFunction& hash,

                                    std::string_view user_id,

                                    const EC_Group& domain,

                                    const EC_Point& pubkey) {

   if(user_id.size() >= 8192) {

      throw Invalid_Argument("SM2 user id too long to represent");

   }


   const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());


   hash.update(get_byte<0>(uid_len));

   hash.update(get_byte<1>(uid_len));

   hash.update(user_id);


   const size_t p_bytes = domain.get_p_bytes();


   hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));

   hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));

   hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));

   hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));

   hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));

   hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));


   std::vector<uint8_t> za(hash.output_length());

   hash.final(za.data());


   return za;

}


namespace {


/**

* SM2 signature operation

*/

class SM2_Signature_Operation final : public PK_Ops::Signature {

   public:

      SM2_Signature_Operation(const SM2_PrivateKey& sm2, std::string_view ident, std::string_view hash) :

            m_group(sm2.domain()), m_x(sm2.private_value()), m_da_inv(sm2.get_da_inv()) {

         if(hash == "Raw") {

            // m_hash is null, m_za is empty

         } else {

            m_hash = HashFunction::create_or_throw(hash);

            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)

            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());

            m_hash->update(m_za);

         }

      }


      size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }


      void update(const uint8_t msg[], size_t msg_len) override {

         if(m_hash) {

            m_hash->update(msg, msg_len);

         } else {

            m_digest.insert(m_digest.end(), msg, msg + msg_len);

         }

      }


      secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;


      std::string hash_function() const override { return m_hash ? m_hash->name() : "Raw"; }


   private:

      const EC_Group m_group;

      const BigInt m_x;

      const BigInt m_da_inv;


      std::vector<uint8_t> m_za;

      secure_vector<uint8_t> m_digest;

      std::unique_ptr<HashFunction> m_hash;

      std::vector<BigInt> m_ws;

};


secure_vector<uint8_t> SM2_Signature_Operation::sign(RandomNumberGenerator& rng) {

   BigInt e;

   if(m_hash) {

      e = BigInt::decode(m_hash->final());

      // prepend ZA for next signature if any

      m_hash->update(m_za);

   } else {

      e = BigInt::decode(m_digest);

      m_digest.clear();

   }


   const BigInt k = m_group.random_scalar(rng);


   const BigInt r = m_group.mod_order(m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);

   const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r * m_x));


   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());

}


/**

* SM2 verification operation

*/

class SM2_Verification_Operation final : public PK_Ops::Verification {

   public:

      SM2_Verification_Operation(const SM2_PublicKey& sm2, std::string_view ident, std::string_view hash) :

            m_group(sm2.domain()), m_gy_mul(m_group.get_base_point(), sm2.public_point()) {

         if(hash == "Raw") {

            // m_hash is null, m_za is empty

         } else {

            m_hash = HashFunction::create_or_throw(hash);

            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)

            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());

            m_hash->update(m_za);

         }

      }


      void update(const uint8_t msg[], size_t msg_len) override {

         if(m_hash) {

            m_hash->update(msg, msg_len);

         } else {

            m_digest.insert(m_digest.end(), msg, msg + msg_len);

         }

      }


      bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;


      std::string hash_function() const override { return m_hash ? m_hash->name() : "Raw"; }


   private:

      const EC_Group m_group;

      const EC_Point_Multi_Point_Precompute m_gy_mul;

      secure_vector<uint8_t> m_digest;

      std::vector<uint8_t> m_za;

      std::unique_ptr<HashFunction> m_hash;

};


bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) {

   BigInt e;

   if(m_hash) {

      e = BigInt::decode(m_hash->final());

      // prepend ZA for next signature if any

      m_hash->update(m_za);

   } else {

      e = BigInt::decode(m_digest);

      m_digest.clear();

   }


   if(sig_len != m_group.get_order().bytes() * 2) {

      return false;

   }


   const BigInt r(sig, sig_len / 2);

   const BigInt s(sig + sig_len / 2, sig_len / 2);


   if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) {

      return false;

   }


   const BigInt t = m_group.mod_order(r + s);


   if(t == 0) {

      return false;

   }


   const EC_Point R = m_gy_mul.multi_exp(s, t);


   // ???

   if(R.is_zero()) {

      return false;

   }


   return (m_group.mod_order(R.get_affine_x() + e) == r);

}


void parse_sm2_param_string(std::string_view params, std::string& userid, std::string& hash) {

   // GM/T 0009-2012 specifies this as the default userid

   const std::string default_userid = "1234567812345678";


   // defaults:

   userid = default_userid;

   hash = "SM3";


   /*

   * SM2 parameters have the following possible formats:

   * Ident [since 2.2.0]

   * Ident,Hash [since 2.3.0]

   */


   auto comma = params.find(',');

   if(comma == std::string::npos) {

      userid = params;

   } else {

      userid = params.substr(0, comma);

      hash = params.substr(comma + 1, std::string::npos);

   }

}


}  // namespace


std::unique_ptr<Private_Key> SM2_PublicKey::generate_another(RandomNumberGenerator& rng) const {

   return std::make_unique<SM2_PrivateKey>(rng, domain());

}


std::unique_ptr<PK_Ops::Verification> SM2_PublicKey::create_verification_op(std::string_view params,

                                                                            std::string_view provider) const {

   if(provider == "base" || provider.empty()) {

      std::string userid, hash;

      parse_sm2_param_string(params, userid, hash);

      return std::make_unique<SM2_Verification_Operation>(*this, userid, hash);

   }


   throw Provider_Not_Found(algo_name(), provider);

}


std::unique_ptr<PK_Ops::Signature> SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,

                                                                       std::string_view params,

                                                                       std::string_view provider) const {

   if(provider == "base" || provider.empty()) {

      std::string userid, hash;

      parse_sm2_param_string(params, userid, hash);

      return std::make_unique<SM2_Signature_Operation>(*this, userid, hash);

   }


   throw Provider_Not_Found(algo_name(), provider);

}


}  // namespace Botan

Botan::AlgorithmIdentifier
Definition asn1_obj.h:440

Botan::BigInt
Definition bigint.h:26

Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition big_code.cpp:105

Botan::BigInt::bytes
size_t bytes() const
Definition bigint.cpp:277

Botan::Buffered_Computation::update
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:35

Botan::Buffered_Computation::output_length
virtual size_t output_length() const =0

Botan::Buffered_Computation::final
void final(uint8_t out[])
Definition buf_comp.h:70

Botan::EC_Group
Definition ec_group.h:48

Botan::EC_Group::blinded_base_point_multiply_x
BigInt blinded_base_point_multiply_x(const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
Definition ec_group.cpp:581

Botan::EC_Group::get_b
const BigInt & get_b() const
Definition ec_group.cpp:500

Botan::EC_Group::get_a
const BigInt & get_a() const
Definition ec_group.cpp:496

Botan::EC_Group::get_g_y
const BigInt & get_g_y() const
Definition ec_group.cpp:516

Botan::EC_Group::mod_order
BigInt mod_order(const BigInt &x) const
Definition ec_group.cpp:524

Botan::EC_Group::multiply_mod_order
BigInt multiply_mod_order(const BigInt &x, const BigInt &y) const
Definition ec_group.cpp:532

Botan::EC_Group::get_order
const BigInt & get_order() const
Definition ec_group.cpp:508

Botan::EC_Group::get_g_x
const BigInt & get_g_x() const
Definition ec_group.cpp:512

Botan::EC_Group::inverse_mod_order
BigInt inverse_mod_order(const BigInt &x) const
Definition ec_group.cpp:540

Botan::EC_Group::get_p_bytes
size_t get_p_bytes() const
Definition ec_group.cpp:480

Botan::EC_Group::random_scalar
BigInt random_scalar(RandomNumberGenerator &rng) const
Definition ec_group.cpp:592

Botan::EC_Point_Multi_Point_Precompute::multi_exp
EC_Point multi_exp(const BigInt &k1, const BigInt &k2) const
Definition point_mul.cpp:348

Botan::EC_Point
Definition ec_point.h:33

Botan::EC_Point::get_affine_x
BigInt get_affine_x() const
Definition ec_point.cpp:469

Botan::EC_Point::get_affine_y
BigInt get_affine_y() const
Definition ec_point.cpp:489

Botan::EC_PrivateKey
Definition ecc_key.h:122

Botan::EC_PrivateKey::m_private_key
BigInt m_private_key
Definition ecc_key.h:171

Botan::EC_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecc_key.cpp:161

Botan::EC_PublicKey::domain
const EC_Group & domain() const
Definition ecc_key.h:54

Botan::EC_PublicKey::m_domain_params
EC_Group m_domain_params
Definition ecc_key.h:108

Botan::EC_PublicKey::public_point
const EC_Point & public_point() const
Definition ecc_key.h:40

Botan::HashFunction
Definition hash.h:21

Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::Provider_Not_Found
Definition exceptn.h:262

Botan::RandomNumberGenerator
Definition rng.h:30

Botan::SM2_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition sm2.cpp:25

Botan::SM2_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition sm2.cpp:265

Botan::SM2_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition sm2.cpp:29

Botan::SM2_PrivateKey::SM2_PrivateKey
SM2_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition sm2.cpp:48

Botan::SM2_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition sm2.cpp:254

Botan::SM2_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition sm2.cpp:250

Botan::SM2_PublicKey::algo_name
std::string algo_name() const override
Definition sm2.cpp:21

update
int(* update)(CTX *, const void *, CC_LONG len)
Definition commoncrypto_hash.cpp:28

final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29

Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49

Botan
Definition alg_id.cpp:13

Botan::sm2_compute_za
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, std::string_view user_id, const EC_Group &domain, const EC_Point &pubkey)
Definition sm2.cpp:58