Botan  2.4.0
Crypto and TLS for C++11
sm2_enc.cpp
Go to the documentation of this file.
1 /*
2 * SM2 Encryption
3 * (C) 2017 Ribose Inc
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/sm2_enc.h>
9 #include <botan/pk_ops.h>
10 #include <botan/keypair.h>
11 #include <botan/der_enc.h>
12 #include <botan/ber_dec.h>
13 #include <botan/kdf.h>
14 #include <botan/hash.h>
15 
16 namespace Botan {
17 
19  bool strong) const
20  {
21  if(!public_point().on_the_curve())
22  return false;
23 
24  if(!strong)
25  return true;
26 
27  return KeyPair::encryption_consistency_check(rng, *this, "SM3");
28  }
29 
31  const secure_vector<uint8_t>& key_bits) :
32  EC_PrivateKey(alg_id, key_bits)
33  {
34  }
35 
37  const EC_Group& domain,
38  const BigInt& x) :
39  EC_PrivateKey(rng, domain, x)
40  {
41  }
42 
43 namespace {
44 
45 class SM2_Encryption_Operation final : public PK_Ops::Encryption
46  {
47  public:
48  SM2_Encryption_Operation(const SM2_Encryption_PublicKey& key, const std::string& kdf_hash) :
49  m_p_bytes(key.domain().get_curve().get_p().bytes()),
50  m_order(key.domain().get_order()),
51  m_base_point(key.domain().get_base_point(), m_order),
52  m_public_point(key.public_point(), m_order),
53  m_kdf_hash(kdf_hash)
54  {}
55 
56  size_t max_input_bits() const override
57  {
58  // This is arbitrary, but assumes SM2 is used for key encapsulation
59  return 512;
60  }
61 
62  secure_vector<uint8_t> encrypt(const uint8_t msg[],
63  size_t msg_len,
64  RandomNumberGenerator& rng) override
65  {
66  std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(m_kdf_hash);
67  std::unique_ptr<KDF> kdf = KDF::create_or_throw("KDF2(" + m_kdf_hash + ")");
68 
69  const BigInt k = BigInt::random_integer(rng, 1, m_order);
70 
71  const PointGFp C1 = m_base_point.blinded_multiply(k, rng);
72  const BigInt x1 = C1.get_affine_x();
73  const BigInt y1 = C1.get_affine_y();
74  std::vector<uint8_t> x1_bytes(m_p_bytes);
75  std::vector<uint8_t> y1_bytes(m_p_bytes);
76  BigInt::encode_1363(x1_bytes.data(), x1_bytes.size(), x1);
77  BigInt::encode_1363(y1_bytes.data(), y1_bytes.size(), y1);
78 
79  const PointGFp kPB = m_public_point.blinded_multiply(k, rng);
80 
81  const BigInt x2 = kPB.get_affine_x();
82  const BigInt y2 = kPB.get_affine_y();
83  std::vector<uint8_t> x2_bytes(m_p_bytes);
84  std::vector<uint8_t> y2_bytes(m_p_bytes);
85  BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
86  BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
87 
88  secure_vector<uint8_t> kdf_input;
89  kdf_input += x2_bytes;
90  kdf_input += y2_bytes;
91 
92  const secure_vector<uint8_t> kdf_output =
93  kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
94 
95  secure_vector<uint8_t> masked_msg(msg_len);
96  xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len);
97 
98  hash->update(x2_bytes);
99  hash->update(msg, msg_len);
100  hash->update(y2_bytes);
101  std::vector<uint8_t> C3(hash->output_length());
102  hash->final(C3.data());
103 
104  return DER_Encoder()
106  .encode(x1)
107  .encode(y1)
108  .encode(C3, OCTET_STRING)
109  .encode(masked_msg, OCTET_STRING)
110  .end_cons()
111  .get_contents();
112  }
113 
114  private:
115  size_t m_p_bytes;
116  const BigInt& m_order;
117  Blinded_Point_Multiply m_base_point;
118  Blinded_Point_Multiply m_public_point;
119  const std::string m_kdf_hash;
120  };
121 
122 class SM2_Decryption_Operation final : public PK_Ops::Decryption
123  {
124  public:
125  SM2_Decryption_Operation(const SM2_Encryption_PrivateKey& key,
127  const std::string& kdf_hash) :
128  m_key(key),
129  m_rng(rng),
130  m_kdf_hash(kdf_hash)
131  {}
132 
133  secure_vector<uint8_t> decrypt(uint8_t& valid_mask,
134  const uint8_t ciphertext[],
135  size_t ciphertext_len) override
136  {
137  const BigInt& cofactor = m_key.domain().get_cofactor();
138  const size_t p_bytes = m_key.domain().get_curve().get_p().bytes();
139 
140  valid_mask = 0x00;
141 
142  std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(m_kdf_hash);
143  std::unique_ptr<KDF> kdf = KDF::create_or_throw("KDF2(" + m_kdf_hash + ")");
144 
145  // Too short to be valid - no timing problem from early return
146  if(ciphertext_len < 1 + p_bytes*2 + hash->output_length())
147  {
148  return secure_vector<uint8_t>();
149  }
150 
151  BigInt x1, y1;
152  secure_vector<uint8_t> C3, masked_msg;
153 
154  BER_Decoder(ciphertext, ciphertext_len)
156  .decode(x1)
157  .decode(y1)
158  .decode(C3, OCTET_STRING)
159  .decode(masked_msg, OCTET_STRING)
160  .end_cons()
161  .verify_end();
162 
163  const PointGFp C1(m_key.domain().get_curve(), x1, y1);
164  if(!C1.on_the_curve())
165  return secure_vector<uint8_t>();
166 
167  Blinded_Point_Multiply C1_mul(C1, m_key.domain().get_order());
168 
169  if(cofactor > 1 && C1_mul.blinded_multiply(cofactor, m_rng).is_zero())
170  {
171  return secure_vector<uint8_t>();
172  }
173 
174  const PointGFp dbC1 = C1_mul.blinded_multiply(m_key.private_value(), m_rng);
175 
176  const BigInt x2 = dbC1.get_affine_x();
177  const BigInt y2 = dbC1.get_affine_y();
178 
179  std::vector<uint8_t> x2_bytes(p_bytes);
180  std::vector<uint8_t> y2_bytes(p_bytes);
181  BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
182  BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
183 
184  secure_vector<uint8_t> kdf_input;
185  kdf_input += x2_bytes;
186  kdf_input += y2_bytes;
187 
188  const secure_vector<uint8_t> kdf_output =
189  kdf->derive_key(masked_msg.size(), kdf_input.data(), kdf_input.size());
190 
191  xor_buf(masked_msg.data(), kdf_output.data(), kdf_output.size());
192 
193  hash->update(x2_bytes);
194  hash->update(masked_msg);
195  hash->update(y2_bytes);
196  secure_vector<uint8_t> u = hash->final();
197 
198  if(constant_time_compare(u.data(), C3.data(), hash->output_length()) == false)
199  return secure_vector<uint8_t>();
200 
201  valid_mask = 0xFF;
202  return masked_msg;
203  }
204  private:
205  const SM2_Encryption_PrivateKey& m_key;
206  RandomNumberGenerator& m_rng;
207  const std::string m_kdf_hash;
208  };
209 
210 }
211 
212 std::unique_ptr<PK_Ops::Encryption>
214  const std::string& params,
215  const std::string& provider) const
216  {
217  if(provider == "base" || provider.empty())
218  {
219  const std::string kdf_hash = (params.empty() ? "SM3" : params);
220  return std::unique_ptr<PK_Ops::Encryption>(new SM2_Encryption_Operation(*this, kdf_hash));
221  }
222 
223  throw Provider_Not_Found(algo_name(), provider);
224  }
225 
226 std::unique_ptr<PK_Ops::Decryption>
228  const std::string& params,
229  const std::string& provider) const
230  {
231  if(provider == "base" || provider.empty())
232  {
233  const std::string kdf_hash = (params.empty() ? "SM3" : params);
234  return std::unique_ptr<PK_Ops::Decryption>(new SM2_Decryption_Operation(*this, rng, kdf_hash));
235  }
236 
237  throw Provider_Not_Found(algo_name(), provider);
238  }
239 
240 }
const PointGFp & get_base_point() const
Definition: ec_group.h:96
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:345
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2_enc.cpp:18
const PointGFp & public_point() const
Definition: ecc_key.h:57
secure_vector< uint8_t > get_contents()
Definition: der_enc.cpp:123
bool is_zero() const
Definition: bigint.h:255
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.cpp:44
BER_Decoder & decode(bool &v)
Definition: ber_dec.cpp:355
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2_enc.cpp:213
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition: big_rand.cpp:45
DER_Encoder & end_cons()
Definition: der_enc.cpp:146
bool encryption_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:19
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2_enc.cpp:227
SM2_Encryption_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2_enc.cpp:30
std::string algo_name() const override
Definition: sm2_enc.h:44
BigInt get_affine_x() const
Definition: point_gfp.cpp:389
BigInt get_affine_y() const
Definition: point_gfp.cpp:401
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:202
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:163
BER_Decoder & end_cons()
Definition: ber_dec.cpp:265
std::string decrypt(const uint8_t input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:162
const EC_Group & domain() const
Definition: ecc_key.h:72
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:251
Definition: alg_id.cpp:13
size_t bytes() const
Definition: bigint.cpp:175
const BigInt & get_order() const
Definition: ec_group.h:102
BER_Decoder & verify_end()
Definition: ber_dec.cpp:176
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:136
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
const CurveGFp & get_curve() const
Definition: ec_group.h:90
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
const BigInt & get_p() const
Definition: curve_gfp.h:91
static std::unique_ptr< KDF > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: kdf.cpp:221
MechanismType hash
std::string encrypt(const uint8_t input[], size_t input_len, const std::string &passphrase, RandomNumberGenerator &rng)
Definition: cryptobox.cpp:43