Botan 3.0.0-alpha0
Crypto and TLS for C&
sm2.cpp
Go to the documentation of this file.
1/*
2* SM2 Signatures
3* (C) 2017,2018 Ribose Inc
4* (C) 2018 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/sm2.h>
10#include <botan/internal/pk_ops_impl.h>
11#include <botan/internal/point_mul.h>
12#include <botan/internal/loadstor.h>
13#include <botan/numthry.h>
14#include <botan/internal/keypair.h>
15#include <botan/hash.h>
16#include <botan/internal/parsing.h>
17
18namespace Botan {
19
20std::string SM2_PublicKey::algo_name() const
21 {
22 return "SM2";
23 }
24
25std::unique_ptr<Public_Key> SM2_PrivateKey::public_key() const
26 {
27 return std::make_unique<SM2_Signature_PublicKey>(domain(), public_point());
28 }
29
30bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng,
31 bool strong) const
32 {
33 if(!public_point().on_the_curve())
34 return false;
35
36 if(!strong)
37 return true;
38
39 return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");
40 }
41
42SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id,
43 const secure_vector<uint8_t>& key_bits) :
44 EC_PrivateKey(alg_id, key_bits)
45 {
46 m_da_inv = domain().inverse_mod_order(m_private_key + 1);
47 }
48
49SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng,
50 const EC_Group& domain,
51 const BigInt& x) :
52 EC_PrivateKey(rng, domain, x)
53 {
54 m_da_inv = domain.inverse_mod_order(m_private_key + 1);
55 }
56
57std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
58 const std::string& user_id,
59 const EC_Group& domain,
60 const PointGFp& pubkey)
61 {
62 if(user_id.size() >= 8192)
63 throw Invalid_Argument("SM2 user id too long to represent");
64
65 const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
66
67 hash.update(get_byte<0>(uid_len));
68 hash.update(get_byte<1>(uid_len));
69 hash.update(user_id);
70
71 const size_t p_bytes = domain.get_p_bytes();
72
73 hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
74 hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
75 hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
76 hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
77 hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
78 hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
79
80 std::vector<uint8_t> za(hash.output_length());
81 hash.final(za.data());
82
83 return za;
84 }
85
86namespace {
87
88/**
89* SM2 signature operation
90*/
91class SM2_Signature_Operation final : public PK_Ops::Signature
92 {
93 public:
94
95 SM2_Signature_Operation(const SM2_PrivateKey& sm2,
96 const std::string& ident,
97 const std::string& hash) :
98 m_group(sm2.domain()),
99 m_x(sm2.private_value()),
100 m_da_inv(sm2.get_da_inv())
101 {
102 if(hash == "Raw")
103 {
104 // m_hash is null, m_za is empty
105 }
106 else
107 {
108 m_hash = HashFunction::create_or_throw(hash);
109 // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
110 m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
111 m_hash->update(m_za);
112 }
113 }
114
115 size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
116
117 void update(const uint8_t msg[], size_t msg_len) override
118 {
119 if(m_hash)
120 {
121 m_hash->update(msg, msg_len);
122 }
123 else
124 {
125 m_digest.insert(m_digest.end(), msg, msg + msg_len);
126 }
127 }
128
129 secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
130
131 private:
132 const EC_Group m_group;
133 const BigInt& m_x;
134 const BigInt& m_da_inv;
135
136 std::vector<uint8_t> m_za;
137 secure_vector<uint8_t> m_digest;
138 std::unique_ptr<HashFunction> m_hash;
139 std::vector<BigInt> m_ws;
140 };
141
142secure_vector<uint8_t>
143SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
144 {
145 BigInt e;
146 if(m_hash)
147 {
148 e = BigInt::decode(m_hash->final());
149 // prepend ZA for next signature if any
150 m_hash->update(m_za);
151 }
152 else
153 {
154 e = BigInt::decode(m_digest);
155 m_digest.clear();
156 }
157
158 const BigInt k = m_group.random_scalar(rng);
159
160 const BigInt r = m_group.mod_order(
161 m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
162 const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r*m_x));
163
164 return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
165 }
166
167/**
168* SM2 verification operation
169*/
170class SM2_Verification_Operation final : public PK_Ops::Verification
171 {
172 public:
173 SM2_Verification_Operation(const SM2_PublicKey& sm2,
174 const std::string& ident,
175 const std::string& hash) :
176 m_group(sm2.domain()),
177 m_gy_mul(m_group.get_base_point(), sm2.public_point())
178 {
179 if(hash == "Raw")
180 {
181 // m_hash is null, m_za is empty
182 }
183 else
184 {
185 m_hash = HashFunction::create_or_throw(hash);
186 // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
187 m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
188 m_hash->update(m_za);
189 }
190 }
191
192 void update(const uint8_t msg[], size_t msg_len) override
193 {
194 if(m_hash)
195 {
196 m_hash->update(msg, msg_len);
197 }
198 else
199 {
200 m_digest.insert(m_digest.end(), msg, msg + msg_len);
201 }
202 }
203
204 bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
205 private:
206 const EC_Group m_group;
207 const PointGFp_Multi_Point_Precompute m_gy_mul;
208 secure_vector<uint8_t> m_digest;
209 std::vector<uint8_t> m_za;
210 std::unique_ptr<HashFunction> m_hash;
211 };
212
213bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
214 {
215 BigInt e;
216 if(m_hash)
217 {
218 e = BigInt::decode(m_hash->final());
219 // prepend ZA for next signature if any
220 m_hash->update(m_za);
221 }
222 else
223 {
224 e = BigInt::decode(m_digest);
225 m_digest.clear();
226 }
227
228 if(sig_len != m_group.get_order().bytes()*2)
229 return false;
230
231 const BigInt r(sig, sig_len / 2);
232 const BigInt s(sig + sig_len / 2, sig_len / 2);
233
234 if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order())
235 return false;
236
237 const BigInt t = m_group.mod_order(r + s);
238
239 if(t == 0)
240 return false;
241
242 const PointGFp R = m_gy_mul.multi_exp(s, t);
243
244 // ???
245 if(R.is_zero())
246 return false;
247
248 return (m_group.mod_order(R.get_affine_x() + e) == r);
249 }
250
251void parse_sm2_param_string(const std::string& params,
252 std::string& userid,
253 std::string& hash)
254 {
255 // GM/T 0009-2012 specifies this as the default userid
256 const std::string default_userid = "1234567812345678";
257
258 // defaults:
259 userid = default_userid;
260 hash = "SM3";
261
262 /*
263 * SM2 parameters have the following possible formats:
264 * Ident [since 2.2.0]
265 * Ident,Hash [since 2.3.0]
266 */
267
268 auto comma = params.find(',');
269 if(comma == std::string::npos)
270 {
271 userid = params;
272 }
273 else
274 {
275 userid = params.substr(0, comma);
276 hash = params.substr(comma+1, std::string::npos);
277 }
278 }
279
280}
281
282std::unique_ptr<PK_Ops::Verification>
283SM2_PublicKey::create_verification_op(const std::string& params,
284 const std::string& provider) const
285 {
286 if(provider == "base" || provider.empty())
287 {
288 std::string userid, hash;
289 parse_sm2_param_string(params, userid, hash);
290 return std::make_unique<SM2_Verification_Operation>(*this, userid, hash);
291 }
292
293 throw Provider_Not_Found(algo_name(), provider);
294 }
295
296std::unique_ptr<PK_Ops::Signature>
297SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
298 const std::string& params,
299 const std::string& provider) const
300 {
301 if(provider == "base" || provider.empty())
302 {
303 std::string userid, hash;
304 parse_sm2_param_string(params, userid, hash);
305 return std::make_unique<SM2_Signature_Operation>(*this, userid, hash);
306 }
307
308 throw Provider_Not_Found(algo_name(), provider);
309 }
310
311}
Botan::BigInt::decode
static BigInt decode(const uint8_t buf[], size_t length)
Definition: bigint.h:790
Botan::BigInt::encode_fixed_length_int_pair
static secure_vector< uint8_t > encode_fixed_length_int_pair(const BigInt &n1, const BigInt &n2, size_t bytes)
Definition: big_code.cpp:128
Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:106
Botan::EC_Group
Definition: ec_group.h:50
Botan::EC_Group::get_b
const BigInt & get_b() const
Definition: ec_group.cpp:539
Botan::EC_Group::get_a
const BigInt & get_a() const
Definition: ec_group.cpp:534
Botan::EC_Group::get_g_y
const BigInt & get_g_y() const
Definition: ec_group.cpp:559
Botan::EC_Group::get_g_x
const BigInt & get_g_x() const
Definition: ec_group.cpp:554
Botan::EC_Group::inverse_mod_order
BigInt inverse_mod_order(const BigInt &x) const
Definition: ec_group.cpp:589
Botan::EC_Group::get_p_bytes
size_t get_p_bytes() const
Definition: ec_group.cpp:514
Botan::EC_PrivateKey
Definition: ecc_key.h:125
Botan::EC_PrivateKey::m_private_key
BigInt m_private_key
Definition: ecc_key.h:168
Botan::EC_PublicKey::domain
const EC_Group & domain() const
Definition: ecc_key.h:56
Botan::EC_PublicKey::public_point
const PointGFp & public_point() const
Definition: ecc_key.h:41
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:312
Botan::Invalid_Argument
Definition: exceptn.h:133
Botan::PointGFp_Multi_Point_Precompute::multi_exp
PointGFp multi_exp(const BigInt &k1, const BigInt &k2) const
Definition: point_mul.cpp:377
Botan::PointGFp::get_affine_y
BigInt get_affine_y() const
Definition: point_gfp.cpp:523
Botan::PointGFp::get_affine_x
BigInt get_affine_x() const
Definition: point_gfp.cpp:504
Botan::Provider_Not_Found
Definition: exceptn.h:267
Botan::SM2_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition: sm2.cpp:25
Botan::SM2_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:297
Botan::SM2_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2.cpp:30
Botan::SM2_PrivateKey::SM2_PrivateKey
SM2_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2.cpp:42
Botan::SM2_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(const std::string &params, const std::string &provider) const override
Definition: sm2.cpp:283
Botan::SM2_PublicKey::algo_name
std::string algo_name() const override
Definition: sm2.cpp:20
update
int(* update)(CTX *, const void *, CC_LONG len)
Definition: commoncrypto_hash.cpp:28
final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:29
Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:47
Botan
Definition: alg_id.cpp:13
Botan::sm2_compute_za
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, const std::string &user_id, const EC_Group &domain, const PointGFp &pubkey)
Definition: sm2.cpp:57
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
hash
MechanismType hash
Definition: p11_mechanism.cpp:67
Generated by doxygen 1.9.3