10#include <botan/ber_dec.h>
11#include <botan/der_enc.h>
12#include <botan/hash.h>
14#include <botan/pk_ops.h>
15#include <botan/internal/ct_utils.h>
16#include <botan/internal/fmt.h>
17#include <botan/internal/point_mul.h>
23class SM2_Encryption_Operation
final :
public PK_Ops::Encryption {
26 RandomNumberGenerator& rng,
27 std::string_view kdf_hash) :
28 m_group(key.domain()), m_ws(EC_Point::WORKSPACE_SIZE), m_mul_public_point(key.public_point(), rng, m_ws) {
31 const std::string kdf_name =
fmt(
"KDF2({})", kdf_hash);
35 size_t max_input_bits()
const override {
40 size_t ciphertext_length(
size_t ptext_len)
const override {
41 const size_t elem_size = m_group.get_order_bytes();
42 const size_t der_overhead = 16;
44 return der_overhead + 2 * elem_size + m_hash->output_length() + ptext_len;
47 secure_vector<uint8_t>
encrypt(
const uint8_t msg[],
size_t msg_len, RandomNumberGenerator& rng)
override {
48 const size_t p_bytes = m_group.get_p_bytes();
50 const BigInt k = m_group.random_scalar(rng);
52 const EC_Point C1 = m_group.blinded_base_point_multiply(k, rng, m_ws);
53 const BigInt x1 = C1.get_affine_x();
54 const BigInt y1 = C1.get_affine_y();
55 std::vector<uint8_t> x1_bytes(p_bytes);
56 std::vector<uint8_t> y1_bytes(p_bytes);
60 const EC_Point kPB = m_mul_public_point.mul(k, rng, m_group.get_order(), m_ws);
62 const BigInt x2 = kPB.get_affine_x();
63 const BigInt y2 = kPB.get_affine_y();
64 std::vector<uint8_t> x2_bytes(p_bytes);
65 std::vector<uint8_t> y2_bytes(p_bytes);
69 secure_vector<uint8_t> kdf_input;
70 kdf_input += x2_bytes;
71 kdf_input += y2_bytes;
73 const secure_vector<uint8_t> kdf_output = m_kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
75 secure_vector<uint8_t> masked_msg(msg_len);
76 xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len);
78 m_hash->update(x2_bytes);
79 m_hash->update(msg, msg_len);
80 m_hash->update(y2_bytes);
81 std::vector<uint8_t> C3(m_hash->output_length());
82 m_hash->final(C3.data());
95 const EC_Group m_group;
96 std::unique_ptr<HashFunction> m_hash;
97 std::unique_ptr<KDF> m_kdf;
98 std::vector<BigInt> m_ws;
99 EC_Point_Var_Point_Precompute m_mul_public_point;
102class SM2_Decryption_Operation
final :
public PK_Ops::Decryption {
105 RandomNumberGenerator& rng,
106 std::string_view kdf_hash) :
107 m_key(key), m_rng(rng) {
110 const std::string kdf_name =
fmt(
"KDF2({})", kdf_hash);
114 size_t plaintext_length(
size_t ptext_len)
const override {
119 const size_t elem_size = m_key.domain().get_order_bytes();
121 if(ptext_len < 2 * elem_size + m_hash->output_length()) {
125 return ptext_len - (2 * elem_size + m_hash->output_length());
128 secure_vector<uint8_t>
decrypt(uint8_t& valid_mask,
const uint8_t ciphertext[],
size_t ciphertext_len)
override {
129 const EC_Group& group = m_key.domain();
130 const BigInt& cofactor = group.get_cofactor();
131 const size_t p_bytes = group.get_p_bytes();
136 if(ciphertext_len < 1 + p_bytes * 2 + m_hash->output_length()) {
137 return secure_vector<uint8_t>();
141 secure_vector<uint8_t> C3, masked_msg;
143 BER_Decoder(ciphertext, ciphertext_len)
152 std::vector<uint8_t> recode_ctext;
153 DER_Encoder(recode_ctext)
161 if(recode_ctext.size() != ciphertext_len) {
162 return secure_vector<uint8_t>();
165 if(
CT::is_equal(recode_ctext.data(), ciphertext, ciphertext_len).as_bool() ==
false) {
166 return secure_vector<uint8_t>();
169 EC_Point C1 = group.point(x1, y1);
170 C1.randomize_repr(m_rng);
173 if(!C1.on_the_curve()) {
174 return secure_vector<uint8_t>();
177 if(cofactor > 1 && (C1 * cofactor).is_zero()) {
178 return secure_vector<uint8_t>();
181 const EC_Point dbC1 = group.blinded_var_point_multiply(C1, m_key.private_value(), m_rng, m_ws);
183 const BigInt x2 = dbC1.get_affine_x();
184 const BigInt y2 = dbC1.get_affine_y();
186 secure_vector<uint8_t> x2_bytes(p_bytes);
187 secure_vector<uint8_t> y2_bytes(p_bytes);
191 secure_vector<uint8_t> kdf_input;
192 kdf_input += x2_bytes;
193 kdf_input += y2_bytes;
195 const secure_vector<uint8_t> kdf_output =
196 m_kdf->derive_key(masked_msg.size(), kdf_input.data(), kdf_input.size());
198 xor_buf(masked_msg.data(), kdf_output.data(), kdf_output.size());
200 m_hash->update(x2_bytes);
201 m_hash->update(masked_msg);
202 m_hash->update(y2_bytes);
203 secure_vector<uint8_t> u = m_hash->final();
205 if(!
CT::is_equal(u.data(), C3.data(), m_hash->output_length()).as_bool()) {
206 return secure_vector<uint8_t>();
215 RandomNumberGenerator& m_rng;
216 std::vector<BigInt> m_ws;
217 std::unique_ptr<HashFunction> m_hash;
218 std::unique_ptr<KDF> m_kdf;
224 std::string_view params,
225 std::string_view provider)
const {
226 if(provider ==
"base" || provider.empty()) {
228 return std::make_unique<SM2_Encryption_Operation>(*
this, rng,
"SM3");
230 return std::make_unique<SM2_Encryption_Operation>(*
this, rng, params);
238 std::string_view params,
239 std::string_view provider)
const {
240 if(provider ==
"base" || provider.empty()) {
242 return std::make_unique<SM2_Decryption_Operation>(*
this, rng,
"SM3");
244 return std::make_unique<SM2_Decryption_Operation>(*
this, rng, params);
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
std::string algo_name() const override
int(* final)(unsigned char *, CTX *)
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
std::string encrypt(const uint8_t input[], size_t input_len, std::string_view passphrase, RandomNumberGenerator &rng)
std::string decrypt(const uint8_t input[], size_t input_len, std::string_view passphrase)
SM2_PublicKey SM2_Encryption_PublicKey
std::string fmt(std::string_view format, const T &... args)
SM2_PrivateKey SM2_Encryption_PrivateKey
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)