Botan 3.5.0
Crypto and TLS for C&
sm2.cpp
Go to the documentation of this file.
1/*
2* SM2 Signatures
3* (C) 2017,2018 Ribose Inc
4* (C) 2018 Jack Lloyd
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/sm2.h>
10
11#include <botan/hash.h>
12#include <botan/numthry.h>
13#include <botan/internal/keypair.h>
14#include <botan/internal/loadstor.h>
15#include <botan/internal/parsing.h>
16#include <botan/internal/pk_ops_impl.h>
17#include <botan/internal/point_mul.h>
18
19namespace Botan {
20
21std::string SM2_PublicKey::algo_name() const {
22 return "SM2";
23}
24
25std::unique_ptr<Public_Key> SM2_PrivateKey::public_key() const {
26 return std::make_unique<SM2_Signature_PublicKey>(domain(), public_point());
27}
28
29bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
30 if(!EC_PrivateKey::check_key(rng, strong)) {
31 return false;
32 }
33
34 // SM2 has an oddity in private key generation when compared to
35 // other EC*DSA style signature algorithms described in ISO14888-3:
36 // the private key x MUST be in ]0, q-1[ instead of ]0, q[.
37 if(m_private_key < 1 || m_private_key >= m_domain_params.get_order() - 1) {
38 return false;
39 }
40
41 if(!strong) {
42 return true;
43 }
44
45 return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");
46}
47
48SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) :
49 EC_PrivateKey(alg_id, key_bits) {
50 m_da_inv = domain().inverse_mod_order(m_private_key + 1);
51}
52
53SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng, const EC_Group& domain, const BigInt& x) :
54 EC_PrivateKey(rng, domain, x) {
55 m_da_inv = domain.inverse_mod_order(m_private_key + 1);
56}
57
58std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
59 std::string_view user_id,
60 const EC_Group& domain,
61 const EC_Point& pubkey) {
62 if(user_id.size() >= 8192) {
63 throw Invalid_Argument("SM2 user id too long to represent");
64 }
65
66 const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
67
68 hash.update(get_byte<0>(uid_len));
69 hash.update(get_byte<1>(uid_len));
70 hash.update(user_id);
71
72 const size_t p_bytes = domain.get_p_bytes();
73
74 hash.update(domain.get_a().serialize(p_bytes));
75 hash.update(domain.get_b().serialize(p_bytes));
76 hash.update(domain.get_g_x().serialize(p_bytes));
77 hash.update(domain.get_g_y().serialize(p_bytes));
78 hash.update(pubkey.xy_bytes());
79
80 return hash.final<std::vector<uint8_t>>();
81}
82
83namespace {
84
85/**
86* SM2 signature operation
87*/
88class SM2_Signature_Operation final : public PK_Ops::Signature {
89 public:
90 SM2_Signature_Operation(const SM2_PrivateKey& sm2, std::string_view ident, std::string_view hash) :
91 m_group(sm2.domain()), m_x(sm2.private_value()), m_da_inv(sm2.get_da_inv()) {
92 if(hash == "Raw") {
93 // m_hash is null, m_za is empty
94 } else {
95 m_hash = HashFunction::create_or_throw(hash);
96 // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
97 m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
98 m_hash->update(m_za);
99 }
100 }
101
102 size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }
103
104 void update(const uint8_t msg[], size_t msg_len) override {
105 if(m_hash) {
106 m_hash->update(msg, msg_len);
107 } else {
108 m_digest.insert(m_digest.end(), msg, msg + msg_len);
109 }
110 }
111
112 secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
113
114 std::string hash_function() const override { return m_hash ? m_hash->name() : "Raw"; }
115
116 private:
117 const EC_Group m_group;
118 const BigInt m_x;
119 const BigInt m_da_inv;
120
121 std::vector<uint8_t> m_za;
122 secure_vector<uint8_t> m_digest;
123 std::unique_ptr<HashFunction> m_hash;
124 std::vector<BigInt> m_ws;
125};
126
127secure_vector<uint8_t> SM2_Signature_Operation::sign(RandomNumberGenerator& rng) {
128 BigInt e;
129 if(m_hash) {
130 e = BigInt::from_bytes(m_hash->final());
131 // prepend ZA for next signature if any
132 m_hash->update(m_za);
133 } else {
134 e = BigInt::from_bytes(m_digest);
135 m_digest.clear();
136 }
137
138 const BigInt k = m_group.random_scalar(rng);
139
140 const BigInt r = m_group.mod_order(m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
141 const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r * m_x));
142
143 return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order_bytes());
144}
145
146/**
147* SM2 verification operation
148*/
149class SM2_Verification_Operation final : public PK_Ops::Verification {
150 public:
151 SM2_Verification_Operation(const SM2_PublicKey& sm2, std::string_view ident, std::string_view hash) :
152 m_group(sm2.domain()), m_gy_mul(m_group.get_base_point(), sm2.public_point()) {
153 if(hash == "Raw") {
154 // m_hash is null, m_za is empty
155 } else {
156 m_hash = HashFunction::create_or_throw(hash);
157 // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
158 m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
159 m_hash->update(m_za);
160 }
161 }
162
163 void update(const uint8_t msg[], size_t msg_len) override {
164 if(m_hash) {
165 m_hash->update(msg, msg_len);
166 } else {
167 m_digest.insert(m_digest.end(), msg, msg + msg_len);
168 }
169 }
170
171 bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
172
173 std::string hash_function() const override { return m_hash ? m_hash->name() : "Raw"; }
174
175 private:
176 const EC_Group m_group;
177 const EC_Point_Multi_Point_Precompute m_gy_mul;
178 secure_vector<uint8_t> m_digest;
179 std::vector<uint8_t> m_za;
180 std::unique_ptr<HashFunction> m_hash;
181};
182
183bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) {
184 BigInt e;
185 if(m_hash) {
186 e = BigInt::from_bytes(m_hash->final());
187 // prepend ZA for next signature if any
188 m_hash->update(m_za);
189 } else {
190 e = BigInt::from_bytes(m_digest);
191 m_digest.clear();
192 }
193
194 if(sig_len != m_group.get_order_bytes() * 2) {
195 return false;
196 }
197
198 const BigInt r(sig, sig_len / 2);
199 const BigInt s(sig + sig_len / 2, sig_len / 2);
200
201 if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) {
202 return false;
203 }
204
205 const BigInt t = m_group.mod_order(r + s);
206
207 if(t == 0) {
208 return false;
209 }
210
211 const EC_Point R = m_gy_mul.multi_exp(s, t);
212
213 // ???
214 if(R.is_zero()) {
215 return false;
216 }
217
218 return (m_group.mod_order(R.get_affine_x() + e) == r);
219}
220
221void parse_sm2_param_string(std::string_view params, std::string& userid, std::string& hash) {
222 // GM/T 0009-2012 specifies this as the default userid
223 const std::string default_userid = "1234567812345678";
224
225 // defaults:
226 userid = default_userid;
227 hash = "SM3";
228
229 /*
230 * SM2 parameters have the following possible formats:
231 * Ident [since 2.2.0]
232 * Ident,Hash [since 2.3.0]
233 */
234
235 auto comma = params.find(',');
236 if(comma == std::string::npos) {
237 userid = params;
238 } else {
239 userid = params.substr(0, comma);
240 hash = params.substr(comma + 1, std::string::npos);
241 }
242}
243
244} // namespace
245
246std::unique_ptr<Private_Key> SM2_PublicKey::generate_another(RandomNumberGenerator& rng) const {
247 return std::make_unique<SM2_PrivateKey>(rng, domain());
248}
249
250std::unique_ptr<PK_Ops::Verification> SM2_PublicKey::create_verification_op(std::string_view params,
251 std::string_view provider) const {
252 if(provider == "base" || provider.empty()) {
253 std::string userid, hash;
254 parse_sm2_param_string(params, userid, hash);
255 return std::make_unique<SM2_Verification_Operation>(*this, userid, hash);
256 }
257
258 throw Provider_Not_Found(algo_name(), provider);
259}
260
261std::unique_ptr<PK_Ops::Signature> SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
262 std::string_view params,
263 std::string_view provider) const {
264 if(provider == "base" || provider.empty()) {
265 std::string userid, hash;
266 parse_sm2_param_string(params, userid, hash);
267 return std::make_unique<SM2_Signature_Operation>(*this, userid, hash);
268 }
269
270 throw Provider_Not_Found(algo_name(), provider);
271}
272
273} // namespace Botan
Botan::BigInt::serialize
T serialize(size_t len) const
Definition bigint.h:711
Botan::Buffered_Computation::update
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:35
Botan::Buffered_Computation::final
void final(uint8_t out[])
Definition buf_comp.h:70
Botan::EC_Group
Definition ec_group.h:48
Botan::EC_Group::blinded_base_point_multiply_x
BigInt blinded_base_point_multiply_x(const BigInt &k, RandomNumberGenerator &rng, std::vector< BigInt > &ws) const
Definition ec_group.cpp:648
Botan::EC_Group::get_b
const BigInt & get_b() const
Definition ec_group.cpp:563
Botan::EC_Group::get_a
const BigInt & get_a() const
Definition ec_group.cpp:559
Botan::EC_Group::get_g_y
const BigInt & get_g_y() const
Definition ec_group.cpp:579
Botan::EC_Group::mod_order
BigInt mod_order(const BigInt &x) const
Definition ec_group.cpp:587
Botan::EC_Group::multiply_mod_order
BigInt multiply_mod_order(const BigInt &x, const BigInt &y) const
Definition ec_group.cpp:599
Botan::EC_Group::get_order
const BigInt & get_order() const
Definition ec_group.cpp:571
Botan::EC_Group::get_g_x
const BigInt & get_g_x() const
Definition ec_group.cpp:575
Botan::EC_Group::inverse_mod_order
BigInt inverse_mod_order(const BigInt &x) const
Definition ec_group.cpp:607
Botan::EC_Group::get_p_bytes
size_t get_p_bytes() const
Definition ec_group.cpp:543
Botan::EC_Group::random_scalar
BigInt random_scalar(RandomNumberGenerator &rng) const
Definition ec_group.cpp:659
Botan::EC_Group::get_order_bytes
size_t get_order_bytes() const
Definition ec_group.cpp:551
Botan::EC_Point_Multi_Point_Precompute::multi_exp
EC_Point multi_exp(const BigInt &k1, const BigInt &k2) const
Definition point_mul.cpp:320
Botan::EC_Point
Definition ec_point.h:33
Botan::EC_Point::xy_bytes
secure_vector< uint8_t > xy_bytes() const
Definition ec_point.cpp:482
Botan::EC_PrivateKey
Definition ecc_key.h:124
Botan::EC_PrivateKey::m_private_key
BigInt m_private_key
Definition ecc_key.h:173
Botan::EC_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition ecc_key.cpp:171
Botan::EC_PublicKey::domain
const EC_Group & domain() const
Definition ecc_key.h:56
Botan::EC_PublicKey::m_domain_params
EC_Group m_domain_params
Definition ecc_key.h:110
Botan::EC_PublicKey::public_point
const EC_Point & public_point() const
Definition ecc_key.h:40
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Provider_Not_Found
Definition exceptn.h:262
Botan::SM2_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition sm2.cpp:25
Botan::SM2_PrivateKey::create_signature_op
std::unique_ptr< PK_Ops::Signature > create_signature_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition sm2.cpp:261
Botan::SM2_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition sm2.cpp:29
Botan::SM2_PrivateKey::SM2_PrivateKey
SM2_PrivateKey(const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
Definition sm2.cpp:48
Botan::SM2_PublicKey::create_verification_op
std::unique_ptr< PK_Ops::Verification > create_verification_op(std::string_view params, std::string_view provider) const override
Definition sm2.cpp:250
Botan::SM2_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition sm2.cpp:246
Botan::SM2_PublicKey::algo_name
std::string algo_name() const override
Definition sm2.cpp:21
update
int(* update)(CTX *, const void *, CC_LONG len)
Definition commoncrypto_hash.cpp:28
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::KeyPair::signature_consistency_check
bool signature_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, std::string_view padding)
Definition keypair.cpp:49
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:75
Botan::sm2_compute_za
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, std::string_view user_id, const EC_Group &domain, const EC_Point &pubkey)
Definition sm2.cpp:58
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Generated by doxygen 1.11.0