Botan  2.7.0
Crypto and TLS for C++11
sm2_enc.cpp
Go to the documentation of this file.
1 /*
2 * SM2 Encryption
3 * (C) 2017 Ribose Inc
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/sm2_enc.h>
9 #include <botan/internal/point_mul.h>
10 #include <botan/pk_ops.h>
11 #include <botan/keypair.h>
12 #include <botan/der_enc.h>
13 #include <botan/ber_dec.h>
14 #include <botan/kdf.h>
15 #include <botan/hash.h>
16 
17 namespace Botan {
18 
20  bool strong) const
21  {
22  if(!public_point().on_the_curve())
23  return false;
24 
25  if(!strong)
26  return true;
27 
28  return KeyPair::encryption_consistency_check(rng, *this, "SM3");
29  }
30 
32  const secure_vector<uint8_t>& key_bits) :
33  EC_PrivateKey(alg_id, key_bits)
34  {
35  }
36 
38  const EC_Group& domain,
39  const BigInt& x) :
40  EC_PrivateKey(rng, domain, x)
41  {
42  }
43 
44 namespace {
45 
46 class SM2_Encryption_Operation final : public PK_Ops::Encryption
47  {
48  public:
49  SM2_Encryption_Operation(const SM2_Encryption_PublicKey& key,
51  const std::string& kdf_hash) :
52  m_group(key.domain()),
53  m_kdf_hash(kdf_hash),
54  m_ws(PointGFp::WORKSPACE_SIZE),
55  m_mul_public_point(key.public_point(), rng, m_ws)
56  {}
57 
58  size_t max_input_bits() const override
59  {
60  // This is arbitrary, but assumes SM2 is used for key encapsulation
61  return 512;
62  }
63 
64  secure_vector<uint8_t> encrypt(const uint8_t msg[],
65  size_t msg_len,
66  RandomNumberGenerator& rng) override
67  {
68  std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(m_kdf_hash);
69  std::unique_ptr<KDF> kdf = KDF::create_or_throw("KDF2(" + m_kdf_hash + ")");
70 
71  const size_t p_bytes = m_group.get_p_bytes();
72 
73  const BigInt k = m_group.random_scalar(rng);
74 
75  const PointGFp C1 = m_group.blinded_base_point_multiply(k, rng, m_ws);
76  const BigInt x1 = C1.get_affine_x();
77  const BigInt y1 = C1.get_affine_y();
78  std::vector<uint8_t> x1_bytes(p_bytes);
79  std::vector<uint8_t> y1_bytes(p_bytes);
80  BigInt::encode_1363(x1_bytes.data(), x1_bytes.size(), x1);
81  BigInt::encode_1363(y1_bytes.data(), y1_bytes.size(), y1);
82 
83  const PointGFp kPB = m_mul_public_point.mul(k, rng, m_group.get_order(), m_ws);
84 
85  const BigInt x2 = kPB.get_affine_x();
86  const BigInt y2 = kPB.get_affine_y();
87  std::vector<uint8_t> x2_bytes(p_bytes);
88  std::vector<uint8_t> y2_bytes(p_bytes);
89  BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
90  BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
91 
92  secure_vector<uint8_t> kdf_input;
93  kdf_input += x2_bytes;
94  kdf_input += y2_bytes;
95 
96  const secure_vector<uint8_t> kdf_output =
97  kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
98 
99  secure_vector<uint8_t> masked_msg(msg_len);
100  xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len);
101 
102  hash->update(x2_bytes);
103  hash->update(msg, msg_len);
104  hash->update(y2_bytes);
105  std::vector<uint8_t> C3(hash->output_length());
106  hash->final(C3.data());
107 
108  return DER_Encoder()
109  .start_cons(SEQUENCE)
110  .encode(x1)
111  .encode(y1)
112  .encode(C3, OCTET_STRING)
113  .encode(masked_msg, OCTET_STRING)
114  .end_cons()
115  .get_contents();
116  }
117 
118  private:
119  const EC_Group m_group;
120  const std::string m_kdf_hash;
121 
122  std::vector<BigInt> m_ws;
123  PointGFp_Var_Point_Precompute m_mul_public_point;
124  };
125 
126 class SM2_Decryption_Operation final : public PK_Ops::Decryption
127  {
128  public:
129  SM2_Decryption_Operation(const SM2_Encryption_PrivateKey& key,
130  RandomNumberGenerator& rng,
131  const std::string& kdf_hash) :
132  m_key(key),
133  m_rng(rng),
134  m_kdf_hash(kdf_hash)
135  {}
136 
137  secure_vector<uint8_t> decrypt(uint8_t& valid_mask,
138  const uint8_t ciphertext[],
139  size_t ciphertext_len) override
140  {
141  const EC_Group& group = m_key.domain();
142  const BigInt& cofactor = group.get_cofactor();
143  const size_t p_bytes = group.get_p_bytes();
144 
145  valid_mask = 0x00;
146 
147  std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(m_kdf_hash);
148  std::unique_ptr<KDF> kdf = KDF::create_or_throw("KDF2(" + m_kdf_hash + ")");
149 
150  // Too short to be valid - no timing problem from early return
151  if(ciphertext_len < 1 + p_bytes*2 + hash->output_length())
152  {
153  return secure_vector<uint8_t>();
154  }
155 
156  BigInt x1, y1;
157  secure_vector<uint8_t> C3, masked_msg;
158 
159  BER_Decoder(ciphertext, ciphertext_len)
160  .start_cons(SEQUENCE)
161  .decode(x1)
162  .decode(y1)
163  .decode(C3, OCTET_STRING)
164  .decode(masked_msg, OCTET_STRING)
165  .end_cons()
166  .verify_end();
167 
168  PointGFp C1 = group.point(x1, y1);
169  C1.randomize_repr(m_rng);
170 
171  if(!C1.on_the_curve())
172  return secure_vector<uint8_t>();
173 
174  if(cofactor > 1 && (C1 * cofactor).is_zero())
175  {
176  return secure_vector<uint8_t>();
177  }
178 
179  const PointGFp dbC1 = group.blinded_var_point_multiply(
180  C1, m_key.private_value(), m_rng, m_ws);
181 
182  const BigInt x2 = dbC1.get_affine_x();
183  const BigInt y2 = dbC1.get_affine_y();
184 
185  std::vector<uint8_t> x2_bytes(p_bytes);
186  std::vector<uint8_t> y2_bytes(p_bytes);
187  BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
188  BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
189 
190  secure_vector<uint8_t> kdf_input;
191  kdf_input += x2_bytes;
192  kdf_input += y2_bytes;
193 
194  const secure_vector<uint8_t> kdf_output =
195  kdf->derive_key(masked_msg.size(), kdf_input.data(), kdf_input.size());
196 
197  xor_buf(masked_msg.data(), kdf_output.data(), kdf_output.size());
198 
199  hash->update(x2_bytes);
200  hash->update(masked_msg);
201  hash->update(y2_bytes);
202  secure_vector<uint8_t> u = hash->final();
203 
204  if(constant_time_compare(u.data(), C3.data(), hash->output_length()) == false)
205  return secure_vector<uint8_t>();
206 
207  valid_mask = 0xFF;
208  return masked_msg;
209  }
210  private:
211  const SM2_Encryption_PrivateKey& m_key;
212  RandomNumberGenerator& m_rng;
213  const std::string m_kdf_hash;
214  std::vector<BigInt> m_ws;
215  };
216 
217 }
218 
219 std::unique_ptr<PK_Ops::Encryption>
221  const std::string& params,
222  const std::string& provider) const
223  {
224  if(provider == "base" || provider.empty())
225  {
226  const std::string kdf_hash = (params.empty() ? "SM3" : params);
227  return std::unique_ptr<PK_Ops::Encryption>(new SM2_Encryption_Operation(*this, rng, kdf_hash));
228  }
229 
230  throw Provider_Not_Found(algo_name(), provider);
231  }
232 
233 std::unique_ptr<PK_Ops::Decryption>
235  const std::string& params,
236  const std::string& provider) const
237  {
238  if(provider == "base" || provider.empty())
239  {
240  const std::string kdf_hash = (params.empty() ? "SM3" : params);
241  return std::unique_ptr<PK_Ops::Decryption>(new SM2_Decryption_Operation(*this, rng, kdf_hash));
242  }
243 
244  throw Provider_Not_Found(algo_name(), provider);
245  }
246 
247 }
static std::unique_ptr< HashFunction > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: hash.cpp:345
bool check_key(RandomNumberGenerator &rng, bool) const override
Definition: sm2_enc.cpp:19
const PointGFp & public_point() const
Definition: ecc_key.h:57
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.cpp:51
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2_enc.cpp:220
bool encryption_consistency_check(RandomNumberGenerator &rng, const Private_Key &private_key, const Public_Key &public_key, const std::string &padding)
Definition: keypair.cpp:19
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, const std::string &params, const std::string &provider) const override
Definition: sm2_enc.cpp:234
SM2_Encryption_PrivateKey(const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
Definition: sm2_enc.cpp:31
std::string algo_name() const override
Definition: sm2_enc.h:44
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:174
std::string decrypt(const uint8_t input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:162
Definition: alg_id.cpp:13
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:82
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
static std::unique_ptr< KDF > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: kdf.cpp:222
const RSA_PrivateKey & m_key
Definition: rsa.cpp:277
MechanismType hash
std::string encrypt(const uint8_t input[], size_t input_len, const std::string &passphrase, RandomNumberGenerator &rng)
Definition: cryptobox.cpp:43