Botan  2.7.0
Crypto and TLS for C++11
sm2.cpp
Go to the documentation of this file.
1 /*
2 * SM2 Signatures
3 * (C) 2017 Ribose Inc
4 * (C) 2018 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/sm2.h>
10 #include <botan/internal/pk_ops_impl.h>
11 #include <botan/internal/point_mul.h>
12 #include <botan/numthry.h>
13 #include <botan/keypair.h>
14 #include <botan/hash.h>
15 
16 namespace Botan {
17 
19  bool strong) const
20  {
21  if(!public_point().on_the_curve())
22  return false;
23 
24  if(!strong)
25  return true;
26 
27  return KeyPair::signature_consistency_check(rng, *this, "SM3");
28  }
29 
31  const secure_vector<uint8_t>& key_bits) :
32  EC_PrivateKey(alg_id, key_bits)
33  {
34  m_da_inv = domain().inverse_mod_order(m_private_key + 1);
35  }
36 
38  const EC_Group& domain,
39  const BigInt& x) :
40  EC_PrivateKey(rng, domain, x)
41  {
42  m_da_inv = domain.inverse_mod_order(m_private_key + 1);
43  }
44 
45 std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
46  const std::string& user_id,
47  const EC_Group& domain,
48  const PointGFp& pubkey)
49  {
50  if(user_id.size() >= 8192)
51  throw Invalid_Argument("SM2 user id too long to represent");
52 
53  const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
54 
55  hash.update(get_byte(0, uid_len));
56  hash.update(get_byte(1, uid_len));
57  hash.update(user_id);
58 
59  const size_t p_bytes = domain.get_p_bytes();
60 
61  hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
62  hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
63  hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
64  hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
65  hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
66  hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
67 
68  std::vector<uint8_t> za(hash.output_length());
69  hash.final(za.data());
70 
71  return za;
72  }
73 
74 namespace {
75 
76 /**
77 * SM2 signature operation
78 */
79 class SM2_Signature_Operation final : public PK_Ops::Signature
80  {
81  public:
82 
83  SM2_Signature_Operation(const SM2_Signature_PrivateKey& sm2,
84  const std::string& ident,
85  const std::string& hash) :
86  m_group(sm2.domain()),
87  m_x(sm2.private_value()),
88  m_da_inv(sm2.get_da_inv()),
89  m_hash(HashFunction::create_or_throw(hash))
90  {
91  // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
92  m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
93  m_hash->update(m_za);
94  }
95 
96  void update(const uint8_t msg[], size_t msg_len) override
97  {
98  m_hash->update(msg, msg_len);
99  }
100 
101  secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
102 
103  private:
104  const EC_Group m_group;
105  const BigInt& m_x;
106  const BigInt& m_da_inv;
107 
108  std::vector<uint8_t> m_za;
109  std::unique_ptr<HashFunction> m_hash;
110  std::vector<BigInt> m_ws;
111  };
112 
113 secure_vector<uint8_t>
114 SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
115  {
116  const BigInt e = BigInt::decode(m_hash->final());
117 
118  const BigInt k = m_group.random_scalar(rng);
119 
120  const BigInt r = m_group.mod_order(
121  m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
122  const BigInt s = m_group.multiply_mod_order(m_da_inv, (k - r*m_x));
123 
124  // prepend ZA for next signature if any
125  m_hash->update(m_za);
126 
127  return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
128  }
129 
130 /**
131 * SM2 verification operation
132 */
133 class SM2_Verification_Operation final : public PK_Ops::Verification
134  {
135  public:
136  SM2_Verification_Operation(const SM2_Signature_PublicKey& sm2,
137  const std::string& ident,
138  const std::string& hash) :
139  m_group(sm2.domain()),
140  m_gy_mul(m_group.get_base_point(), sm2.public_point()),
141  m_hash(HashFunction::create_or_throw(hash))
142  {
143  // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
144  m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
145  m_hash->update(m_za);
146  }
147 
148  void update(const uint8_t msg[], size_t msg_len) override
149  {
150  m_hash->update(msg, msg_len);
151  }
152 
153  bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
154  private:
155  const EC_Group m_group;
156  const PointGFp_Multi_Point_Precompute m_gy_mul;
157  std::vector<uint8_t> m_za;
158  std::unique_ptr<HashFunction> m_hash;
159  };
160 
161 bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
162  {
163  const BigInt e = BigInt::decode(m_hash->final());
164 
165  // Update for next verification
166  m_hash->update(m_za);
167 
168  if(sig_len != m_group.get_order().bytes()*2)
169  return false;
170 
171  const BigInt r(sig, sig_len / 2);
172  const BigInt s(sig + sig_len / 2, sig_len / 2);
173 
174  if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
175  return false;
176 
177  const BigInt t = m_group.mod_order(r + s);
178 
179  if(t == 0)
180  return false;
181 
182  const PointGFp R = m_gy_mul.multi_exp(s, t);
183 
184  // ???
185  if(R.is_zero())
186  return false;
187 
188  return (m_group.mod_order(R.get_affine_x() + e) == r);
189  }
190 
191 }
192 
193 std::unique_ptr<PK_Ops::Verification>
195  const std::string& provider) const
196  {
197  if(provider == "base" || provider.empty())
198  {
199  std::string userid = "";
200  std::string hash = "SM3";
201 
202  auto comma = params.find(',');
203  if(comma == std::string::npos)
204  userid = params;
205  else
206  {
207  userid = params.substr(0, comma);
208  hash = params.substr(comma+1, std::string::npos);
209  }
210 
211  if (userid.empty())
212  {
213  // GM/T 0009-2012 specifies this as the default userid
214  userid = "1234567812345678";
215  }
216 
217  return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash));
218  }
219 
220  throw Provider_Not_Found(algo_name(), provider);
221  }
222 
223 std::unique_ptr<PK_Ops::Signature>
225  const std::string& params,
226  const std::string& provider) const
227  {
228  if(provider == "base" || provider.empty())
229  {
230  std::string userid = "";
231  std::string hash = "SM3";
232 
233  auto comma = params.find(',');
234  if(comma == std::string::npos)
235  userid = params;
236  else
237  {
238  userid = params.substr(0, comma);
239  hash = params.substr(comma+1, std::string::npos);
240  }
241 
242  if (userid.empty())
243  {
244  // GM/T 0009-2012 specifies this as the default userid
245  userid = "1234567812345678";
246  }
247 
248  return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash));
249  }
250 
251  throw Provider_Not_Found(algo_name(), provider);
252  }
253 
254 }
BigInt m_private_key
Definition: ecc_key.h:167
size_t get_p_bytes() const
Definition: ec_group.cpp:465
std::string algo_name() const override
Definition: sm2.h:44
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:341
const PointGFp & public_point() const
Definition: ecc_key.h:57
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, const std::string &user_id, const EC_Group &domain, const PointGFp &pubkey)
Definition: sm2.cpp:45
BigInt get_affine_x() const
Definition: point_gfp.cpp:501
BigInt get_affine_y() const
Definition: point_gfp.cpp:520
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:49
const EC_Group & domain() const
Definition: ecc_key.h:72
Definition: alg_id.cpp:13
const BigInt & get_b() const
Definition: ec_group.cpp:490
const BigInt & get_g_x() const
Definition: ec_group.cpp:505
const BigInt & get_a() const
Definition: ec_group.cpp:485
const BigInt & get_g_y() const
Definition: ec_group.cpp:510
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:224
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:39
SM2_Signature_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2.cpp:30
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:103
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2.cpp:18
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:194
MechanismType hash
static BigInt decode(const uint8_t buf[], size_t length, Base base=Binary)
Definition: big_code.cpp:114
BigInt inverse_mod_order(const BigInt &x) const
Definition: ec_group.cpp:540