Botan  2.12.1
Crypto and TLS for C++11
sm2.cpp
Go to the documentation of this file.
1 /*
2 * SM2 Signatures
3 * (C) 2017,2018 Ribose Inc
4 * (C) 2018 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/sm2.h>
10 #include <botan/internal/pk_ops_impl.h>
11 #include <botan/internal/point_mul.h>
12 #include <botan/loadstor.h>
13 #include <botan/numthry.h>
14 #include <botan/keypair.h>
15 #include <botan/hash.h>
16 #include <botan/parsing.h>
17 
18 namespace Botan {
19 
20 std::string SM2_PublicKey::algo_name() const
21  {
22  return "SM2";
23  }
24 
26  bool strong) const
27  {
28  if(!public_point().on_the_curve())
29  return false;
30 
31  if(!strong)
32  return true;
33 
34  return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");
35  }
36 
38  const secure_vector<uint8_t>& key_bits) :
39  EC_PrivateKey(alg_id, key_bits)
40  {
41  m_da_inv = domain().inverse_mod_order(m_private_key + 1);
42  }
43 
45  const EC_Group& domain,
46  const BigInt& x) :
47  EC_PrivateKey(rng, domain, x)
48  {
49  m_da_inv = domain.inverse_mod_order(m_private_key + 1);
50  }
51 
52 std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
53  const std::string& user_id,
54  const EC_Group& domain,
55  const PointGFp& pubkey)
56  {
57  if(user_id.size() >= 8192)
58  throw Invalid_Argument("SM2 user id too long to represent");
59 
60  const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
61 
62  hash.update(get_byte(0, uid_len));
63  hash.update(get_byte(1, uid_len));
64  hash.update(user_id);
65 
66  const size_t p_bytes = domain.get_p_bytes();
67 
68  hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
69  hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
70  hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
71  hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
72  hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
73  hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
74 
75  std::vector<uint8_t> za(hash.output_length());
76  hash.final(za.data());
77 
78  return za;
79  }
80 
81 namespace {
82 
83 /**
84 * SM2 signature operation
85 */
86 class SM2_Signature_Operation final : public PK_Ops::Signature
87  {
88  public:
89 
90  SM2_Signature_Operation(const SM2_PrivateKey& sm2,
91  const std::string& ident,
92  const std::string& hash) :
93  m_group(sm2.domain()),
94  m_x(sm2.private_value()),
95  m_da_inv(sm2.get_da_inv())
96  {
97  if(hash == "Raw")
98  {
99  // m_hash is null, m_za is empty
100  }
101  else
102  {
104  // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
105  m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
106  m_hash->update(m_za);
107  }
108  }
109 
110  size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
111 
112  void update(const uint8_t msg[], size_t msg_len) override
113  {
114  if(m_hash)
115  {
116  m_hash->update(msg, msg_len);
117  }
118  else
119  {
120  m_digest.insert(m_digest.end(), msg, msg + msg_len);
121  }
122  }
123 
124  secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
125 
126  private:
127  const EC_Group m_group;
128  const BigInt& m_x;
129  const BigInt& m_da_inv;
130 
131  std::vector<uint8_t> m_za;
132  secure_vector<uint8_t> m_digest;
133  std::unique_ptr<HashFunction> m_hash;
134  std::vector<BigInt> m_ws;
135  };
136 
137 secure_vector<uint8_t>
138 SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
139  {
140  BigInt e;
141  if(m_hash)
142  {
143  e = BigInt::decode(m_hash->final());
144  // prepend ZA for next signature if any
145  m_hash->update(m_za);
146  }
147  else
148  {
149  e = BigInt::decode(m_digest);
150  m_digest.clear();
151  }
152 
153  const BigInt k = m_group.random_scalar(rng);
154 
155  const BigInt r = m_group.mod_order(
156  m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
157  const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r*m_x));
158 
159  return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
160  }
161 
162 /**
163 * SM2 verification operation
164 */
165 class SM2_Verification_Operation final : public PK_Ops::Verification
166  {
167  public:
168  SM2_Verification_Operation(const SM2_PublicKey& sm2,
169  const std::string& ident,
170  const std::string& hash) :
171  m_group(sm2.domain()),
172  m_gy_mul(m_group.get_base_point(), sm2.public_point())
173  {
174  if(hash == "Raw")
175  {
176  // m_hash is null, m_za is empty
177  }
178  else
179  {
181  // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
182  m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
183  m_hash->update(m_za);
184  }
185  }
186 
187  void update(const uint8_t msg[], size_t msg_len) override
188  {
189  if(m_hash)
190  {
191  m_hash->update(msg, msg_len);
192  }
193  else
194  {
195  m_digest.insert(m_digest.end(), msg, msg + msg_len);
196  }
197  }
198 
199  bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
200  private:
201  const EC_Group m_group;
202  const PointGFp_Multi_Point_Precompute m_gy_mul;
203  secure_vector<uint8_t> m_digest;
204  std::vector<uint8_t> m_za;
205  std::unique_ptr<HashFunction> m_hash;
206  };
207 
208 bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
209  {
210  BigInt e;
211  if(m_hash)
212  {
213  e = BigInt::decode(m_hash->final());
214  // prepend ZA for next signature if any
215  m_hash->update(m_za);
216  }
217  else
218  {
219  e = BigInt::decode(m_digest);
220  m_digest.clear();
221  }
222 
223  if(sig_len != m_group.get_order().bytes()*2)
224  return false;
225 
226  const BigInt r(sig, sig_len / 2);
227  const BigInt s(sig + sig_len / 2, sig_len / 2);
228 
229  if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
230  return false;
231 
232  const BigInt t = m_group.mod_order(r + s);
233 
234  if(t == 0)
235  return false;
236 
237  const PointGFp R = m_gy_mul.multi_exp(s, t);
238 
239  // ???
240  if(R.is_zero())
241  return false;
242 
243  return (m_group.mod_order(R.get_affine_x() + e) == r);
244  }
245 
246 void parse_sm2_param_string(const std::string& params,
247  std::string& userid,
248  std::string& hash)
249  {
250  // GM/T 0009-2012 specifies this as the default userid
251  const std::string default_userid = "1234567812345678";
252 
253  // defaults:
254  userid = default_userid;
255  hash = "SM3";
256 
257  /*
258  * SM2 parameters have the following possible formats:
259  * Ident [since 2.2.0]
260  * Ident,Hash [since 2.3.0]
261  */
262 
263  auto comma = params.find(',');
264  if(comma == std::string::npos)
265  {
266  userid = params;
267  }
268  else
269  {
270  userid = params.substr(0, comma);
271  hash = params.substr(comma+1, std::string::npos);
272  }
273  }
274 
275 }
276 
277 std::unique_ptr<PK_Ops::Verification>
278 SM2_PublicKey::create_verification_op(const std::string& params,
279  const std::string& provider) const
280  {
281  if(provider == "base" || provider.empty())
282  {
283  std::string userid, hash;
284  parse_sm2_param_string(params, userid, hash);
285  return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash));
286  }
287 
288  throw Provider_Not_Found(algo_name(), provider);
289  }
290 
291 std::unique_ptr<PK_Ops::Signature>
293  const std::string& params,
294  const std::string& provider) const
295  {
296  if(provider == "base" || provider.empty())
297  {
298  std::string userid, hash;
299  parse_sm2_param_string(params, userid, hash);
300  return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash));
301  }
302 
303  throw Provider_Not_Found(algo_name(), provider);
304  }
305 
306 }
BigInt m_private_key
Definition: ecc_key.h:167
size_t get_p_bytes() const
Definition: ec_group.cpp:443
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:379
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:344
const PointGFp & public_point() const
Definition: ecc_key.h:57
int(* final)(unsigned char *, CTX *)
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, const std::string &user_id, const EC_Group &domain, const PointGFp &pubkey)
Definition: sm2.cpp:52
SM2_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2.cpp:37
BigInt get_affine_x() const
Definition: point_gfp.cpp:499
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:278
BigInt get_affine_y() const
Definition: point_gfp.cpp:518
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
const EC_Group & domain() const
Definition: ecc_key.h:72
Definition: alg_id.cpp:13
std::string algo_name() const override
Definition: sm2.cpp:20
const BigInt & get_b() const
Definition: ec_group.cpp:468
const BigInt & get_g_x() const
Definition: ec_group.cpp:483
const BigInt & get_a() const
Definition: ec_group.cpp:463
const BigInt & get_g_y() const
Definition: ec_group.cpp:488
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:292
int(* update)(CTX *, const void *, CC_LONG len)
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2.cpp:25
static BigInt decode(const uint8_t buf[], size_t length)
Definition: bigint.h:798
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:111
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:133
MechanismType hash
BigInt inverse_mod_order(const BigInt &x) const
Definition: ec_group.cpp:518