1 /*
2 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the License); you may
5 * not use this file except in compliance with the License.
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 */
9
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <stdlib.h>
14 #include <stdint.h>
15 #include <gmssl/mem.h>
16 #include <gmssl/sm3.h>
17 #include <gmssl/sm9.h>
18 #include <gmssl/asn1.h>
19 #include <gmssl/error.h>
20
21
sm9_signature_to_der(const SM9_SIGNATURE * sig,uint8_t ** out,size_t * outlen)22 int sm9_signature_to_der(const SM9_SIGNATURE *sig, uint8_t **out, size_t *outlen)
23 {
24 uint8_t hbuf[32];
25 uint8_t Sbuf[65];
26 size_t len = 0;
27
28 sm9_fn_to_bytes(sig->h, hbuf);
29 sm9_point_to_uncompressed_octets(&sig->S, Sbuf);
30
31 if (asn1_octet_string_to_der(hbuf, sizeof(hbuf), NULL, &len) != 1
32 || asn1_bit_octets_to_der(Sbuf, sizeof(Sbuf), NULL, &len) != 1
33 || asn1_sequence_header_to_der(len, out, outlen) != 1
34 || asn1_octet_string_to_der(hbuf, sizeof(hbuf), out, outlen) != 1
35 || asn1_bit_octets_to_der(Sbuf, sizeof(Sbuf), out, outlen) != 1) {
36 error_print();
37 return -1;
38 }
39 return 1;
40 }
41
sm9_signature_from_der(SM9_SIGNATURE * sig,const uint8_t ** in,size_t * inlen)42 int sm9_signature_from_der(SM9_SIGNATURE *sig, const uint8_t **in, size_t *inlen)
43 {
44 int ret;
45 const uint8_t *d;
46 size_t dlen;
47 const uint8_t *h;
48 size_t hlen;
49 const uint8_t *S;
50 size_t Slen;
51
52 if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) {
53 if (ret < 0) error_print();
54 return ret;
55 }
56 if (asn1_octet_string_from_der(&h, &hlen, &d, &dlen) != 1
57 || asn1_bit_octets_from_der(&S, &Slen, &d, &dlen) != 1
58 || asn1_check(hlen == 32) != 1
59 || asn1_check(Slen == 65) != 1
60 || asn1_length_is_zero(dlen) != 1) {
61 error_print();
62 return -1;
63 }
64 if (sm9_fn_from_bytes(sig->h, h) != 1
65 || sm9_point_from_uncompressed_octets(&sig->S, S) != 1) {
66 error_print();
67 return -1;
68 }
69 return 1;
70 }
71
sm9_sign_init(SM9_SIGN_CTX * ctx)72 int sm9_sign_init(SM9_SIGN_CTX *ctx)
73 {
74 const uint8_t prefix[1] = { SM9_HASH2_PREFIX };
75 sm3_init(&ctx->sm3_ctx);
76 sm3_update(&ctx->sm3_ctx, prefix, sizeof(prefix));
77 return 1;
78 }
79
sm9_sign_update(SM9_SIGN_CTX * ctx,const uint8_t * data,size_t datalen)80 int sm9_sign_update(SM9_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
81 {
82 sm3_update(&ctx->sm3_ctx, data, datalen);
83 return 1;
84 }
85
sm9_sign_finish(SM9_SIGN_CTX * ctx,const SM9_SIGN_KEY * key,uint8_t * sig,size_t * siglen)86 int sm9_sign_finish(SM9_SIGN_CTX *ctx, const SM9_SIGN_KEY *key, uint8_t *sig, size_t *siglen)
87 {
88 SM9_SIGNATURE signature;
89
90 if (sm9_do_sign(key, &ctx->sm3_ctx, &signature) != 1) {
91 error_print();
92 return -1;
93 }
94 *siglen = 0;
95 if (sm9_signature_to_der(&signature, &sig, siglen) != 1) {
96 error_print();
97 return -1;
98 }
99 return 1;
100 }
101
sm9_do_sign(const SM9_SIGN_KEY * key,const SM3_CTX * sm3_ctx,SM9_SIGNATURE * sig)102 int sm9_do_sign(const SM9_SIGN_KEY *key, const SM3_CTX *sm3_ctx, SM9_SIGNATURE *sig)
103 {
104 sm9_fn_t r;
105 sm9_fp12_t g;
106 uint8_t wbuf[32 * 12];
107 SM3_CTX ctx = *sm3_ctx;
108 SM3_CTX tmp_ctx;
109 uint8_t ct1[4] = {0,0,0,1};
110 uint8_t ct2[4] = {0,0,0,2};
111 uint8_t Ha[64];
112
113 // A1: g = e(P1, Ppubs)
114 sm9_pairing(g, &key->Ppubs, SM9_P1);
115
116 do {
117 // A2: rand r in [1, N-1]
118 if (sm9_fn_rand(r) != 1) {
119 error_print();
120 return -1;
121 }
122 //sm9_fn_from_hex(r, "00033C8616B06704813203DFD00965022ED15975C662337AED648835DC4B1CBE"); // for testing
123
124 // A3: w = g^r
125 sm9_fp12_pow(g, g, r);
126 sm9_fp12_to_bytes(g, wbuf);
127
128 // A4: h = H2(M || w, N)
129 sm3_update(&ctx, wbuf, sizeof(wbuf));
130 tmp_ctx = ctx;
131 sm3_update(&ctx, ct1, sizeof(ct1));
132 sm3_finish(&ctx, Ha);
133 sm3_update(&tmp_ctx, ct2, sizeof(ct2));
134 sm3_finish(&tmp_ctx, Ha + 32);
135 sm9_fn_from_hash(sig->h, Ha);
136
137 // A5: l = (r - h) mod N, if l = 0, goto A2
138 sm9_fn_sub(r, r, sig->h);
139
140 } while (sm9_fn_is_zero(r));
141
142 // A6: S = l * dsA
143 sm9_point_mul(&sig->S, r, &key->ds);
144
145 gmssl_secure_clear(&r, sizeof(r));
146 gmssl_secure_clear(&g, sizeof(g));
147 gmssl_secure_clear(wbuf, sizeof(wbuf));
148 gmssl_secure_clear(&tmp_ctx, sizeof(tmp_ctx));
149 gmssl_secure_clear(Ha, sizeof(Ha));
150
151 return 1;
152 }
153
sm9_verify_init(SM9_SIGN_CTX * ctx)154 int sm9_verify_init(SM9_SIGN_CTX *ctx)
155 {
156 const uint8_t prefix[1] = { SM9_HASH2_PREFIX };
157 sm3_init(&ctx->sm3_ctx);
158 sm3_update(&ctx->sm3_ctx, prefix, sizeof(prefix));
159 return 1;
160 }
161
sm9_verify_update(SM9_SIGN_CTX * ctx,const uint8_t * data,size_t datalen)162 int sm9_verify_update(SM9_SIGN_CTX *ctx, const uint8_t *data, size_t datalen)
163 {
164 sm3_update(&ctx->sm3_ctx, data, datalen);
165 return 1;
166 }
167
sm9_verify_finish(SM9_SIGN_CTX * ctx,const uint8_t * sig,size_t siglen,const SM9_SIGN_MASTER_KEY * mpk,const char * id,size_t idlen)168 int sm9_verify_finish(SM9_SIGN_CTX *ctx, const uint8_t *sig, size_t siglen,
169 const SM9_SIGN_MASTER_KEY *mpk, const char *id, size_t idlen)
170 {
171 int ret;
172 SM9_SIGNATURE signature;
173
174 if (sm9_signature_from_der(&signature, &sig, &siglen) != 1
175 || asn1_length_is_zero(siglen) != 1) {
176 error_print();
177 return -1;
178 }
179
180 if ((ret = sm9_do_verify(mpk, id, idlen, &ctx->sm3_ctx, &signature)) < 0) {
181 error_print();
182 return -1;
183 }
184 return ret;
185 }
186
sm9_do_verify(const SM9_SIGN_MASTER_KEY * mpk,const char * id,size_t idlen,const SM3_CTX * sm3_ctx,const SM9_SIGNATURE * sig)187 int sm9_do_verify(const SM9_SIGN_MASTER_KEY *mpk, const char *id, size_t idlen,
188 const SM3_CTX *sm3_ctx, const SM9_SIGNATURE *sig)
189 {
190 sm9_fn_t h1;
191 sm9_fn_t h2;
192 sm9_fp12_t g;
193 sm9_fp12_t t;
194 sm9_fp12_t u;
195 sm9_fp12_t w;
196 SM9_TWIST_POINT P;
197 uint8_t wbuf[32 * 12];
198 SM3_CTX ctx = *sm3_ctx;
199 SM3_CTX tmp_ctx;
200 uint8_t ct1[4] = {0,0,0,1};
201 uint8_t ct2[4] = {0,0,0,2};
202 uint8_t Ha[64];
203
204 // B1: check h in [1, N-1]
205
206 // B2: check S in G1
207
208 // B3: g = e(P1, Ppubs)
209 sm9_pairing(g, &mpk->Ppubs, SM9_P1);
210
211 // B4: t = g^h
212 sm9_fp12_pow(t, g, sig->h);
213
214 // B5: h1 = H1(ID || hid, N)
215 sm9_hash1(h1, id, idlen, SM9_HID_SIGN);
216
217 // B6: P = h1 * P2 + Ppubs
218 sm9_twist_point_mul_generator(&P, h1);
219 sm9_twist_point_add_full(&P, &P, &mpk->Ppubs);
220
221 // B7: u = e(S, P)
222 sm9_pairing(u, &P, &sig->S);
223
224 // B8: w = u * t
225 sm9_fp12_mul(w, u, t);
226 sm9_fp12_to_bytes(w, wbuf);
227
228 // B9: h2 = H2(M || w, N), check h2 == h
229 sm3_update(&ctx, wbuf, sizeof(wbuf));
230 tmp_ctx = ctx;
231 sm3_update(&ctx, ct1, sizeof(ct1));
232 sm3_finish(&ctx, Ha);
233 sm3_update(&tmp_ctx, ct2, sizeof(ct2));
234 sm3_finish(&tmp_ctx, Ha + 32);
235 sm9_fn_from_hash(h2, Ha);
236 if (sm9_fn_equ(h2, sig->h) != 1) {
237 return 0;
238 }
239
240 return 1;
241 }
242
sm9_kem_encrypt(const SM9_ENC_MASTER_KEY * mpk,const char * id,size_t idlen,size_t klen,uint8_t * kbuf,SM9_POINT * C)243 int sm9_kem_encrypt(const SM9_ENC_MASTER_KEY *mpk, const char *id, size_t idlen,
244 size_t klen, uint8_t *kbuf, SM9_POINT *C)
245 {
246 sm9_fn_t r;
247 sm9_fp12_t w;
248 uint8_t wbuf[32 * 12];
249 uint8_t cbuf[65];
250 SM3_KDF_CTX kdf_ctx;
251
252 // A1: Q = H1(ID||hid,N) * P1 + Ppube
253 sm9_hash1(r, id, idlen, SM9_HID_ENC);
254 sm9_point_mul(C, r, SM9_P1);
255 sm9_point_add(C, C, &mpk->Ppube);
256
257 do {
258 // A2: rand r in [1, N-1]
259 if (sm9_fn_rand(r) != 1) {
260 error_print();
261 return -1;
262 }
263
264 // A3: C1 = r * Q
265 sm9_point_mul(C, r, C);
266 sm9_point_to_uncompressed_octets(C, cbuf);
267
268 // A4: g = e(Ppube, P2)
269 sm9_pairing(w, SM9_P2, &mpk->Ppube);
270
271 // A5: w = g^r
272 sm9_fp12_pow(w, w, r);
273 sm9_fp12_to_bytes(w, wbuf);
274
275 // A6: K = KDF(C || w || ID_B, klen), if K == 0, goto A2
276 sm3_kdf_init(&kdf_ctx, klen);
277 sm3_kdf_update(&kdf_ctx, cbuf + 1, 64);
278 sm3_kdf_update(&kdf_ctx, wbuf, sizeof(wbuf));
279 sm3_kdf_update(&kdf_ctx, (uint8_t *)id, idlen);
280 sm3_kdf_finish(&kdf_ctx, kbuf);
281
282 } while (mem_is_zero(kbuf, klen) == 1);
283
284 gmssl_secure_clear(&r, sizeof(r));
285 gmssl_secure_clear(&w, sizeof(w));
286 gmssl_secure_clear(wbuf, sizeof(wbuf));
287 gmssl_secure_clear(&kdf_ctx, sizeof(kdf_ctx));
288
289 // A7: output (K, C)
290 return 1;
291 }
292
sm9_kem_decrypt(const SM9_ENC_KEY * key,const char * id,size_t idlen,const SM9_POINT * C,size_t klen,uint8_t * kbuf)293 int sm9_kem_decrypt(const SM9_ENC_KEY *key, const char *id, size_t idlen, const SM9_POINT *C,
294 size_t klen, uint8_t *kbuf)
295 {
296 sm9_fp12_t w;
297 uint8_t wbuf[32 * 12];
298 uint8_t cbuf[65];
299 SM3_KDF_CTX kdf_ctx;
300
301 // B1: check C in G1
302 sm9_point_to_uncompressed_octets(C, cbuf);
303
304 // B2: w = e(C, de);
305 sm9_pairing(w, &key->de, C);
306 sm9_fp12_to_bytes(w, wbuf);
307
308 // B3: K = KDF(C || w || ID, klen)
309 sm3_kdf_init(&kdf_ctx, klen);
310 sm3_kdf_update(&kdf_ctx, cbuf + 1, 64);
311 sm3_kdf_update(&kdf_ctx, wbuf, sizeof(wbuf));
312 sm3_kdf_update(&kdf_ctx, (uint8_t *)id, idlen);
313 sm3_kdf_finish(&kdf_ctx, kbuf);
314
315 if (mem_is_zero(kbuf, klen)) {
316 error_print();
317 return -1;
318 }
319
320 gmssl_secure_clear(&w, sizeof(w));
321 gmssl_secure_clear(wbuf, sizeof(wbuf));
322 gmssl_secure_clear(&kdf_ctx, sizeof(kdf_ctx));
323
324 // B4: output K
325 return 1;
326 }
327
sm9_do_encrypt(const SM9_ENC_MASTER_KEY * mpk,const char * id,size_t idlen,const uint8_t * in,size_t inlen,SM9_POINT * C1,uint8_t * c2,uint8_t c3[SM3_HMAC_SIZE])328 int sm9_do_encrypt(const SM9_ENC_MASTER_KEY *mpk, const char *id, size_t idlen,
329 const uint8_t *in, size_t inlen,
330 SM9_POINT *C1, uint8_t *c2, uint8_t c3[SM3_HMAC_SIZE])
331 {
332 SM3_HMAC_CTX hmac_ctx;
333 uint8_t K[inlen + 32];
334
335 if (sm9_kem_encrypt(mpk, id, idlen, sizeof(K), K, C1) != 1) {
336 error_print();
337 return -1;
338 }
339 gmssl_memxor(c2, K, in, inlen);
340
341 //sm3_hmac(K + inlen, 32, c2, inlen, c3);
342 sm3_hmac_init(&hmac_ctx, K + inlen, SM3_HMAC_SIZE);
343 sm3_hmac_update(&hmac_ctx, c2, inlen);
344 sm3_hmac_finish(&hmac_ctx, c3);
345 gmssl_secure_clear(&hmac_ctx, sizeof(hmac_ctx));
346 return 1;
347 }
348
sm9_do_decrypt(const SM9_ENC_KEY * key,const char * id,size_t idlen,const SM9_POINT * C1,const uint8_t * c2,size_t c2len,const uint8_t c3[SM3_HMAC_SIZE],uint8_t * out)349 int sm9_do_decrypt(const SM9_ENC_KEY *key, const char *id, size_t idlen,
350 const SM9_POINT *C1, const uint8_t *c2, size_t c2len, const uint8_t c3[SM3_HMAC_SIZE],
351 uint8_t *out)
352 {
353 SM3_HMAC_CTX hmac_ctx;
354 uint8_t k[c2len + SM3_HMAC_SIZE];
355 uint8_t mac[SM3_HMAC_SIZE];
356
357 if (sm9_kem_decrypt(key, id, idlen, C1, sizeof(k), k) != 1) {
358 error_print();
359 return -1;
360 }
361 //sm3_hmac(k + c2len, SM3_HMAC_SIZE, c2, c2len, mac);
362 sm3_hmac_init(&hmac_ctx, k + c2len, SM3_HMAC_SIZE);
363 sm3_hmac_update(&hmac_ctx, c2, c2len);
364 sm3_hmac_finish(&hmac_ctx, mac);
365 gmssl_secure_clear(&hmac_ctx, sizeof(hmac_ctx));
366
367 if (gmssl_secure_memcmp(c3, mac, sizeof(mac)) != 0) {
368 error_print();
369 return -1;
370 }
371 gmssl_memxor(out, k, c2, c2len);
372 return 1;
373 }
374
375 #define SM9_ENC_TYPE_XOR 0
376 #define SM9_ENC_TYPE_ECB 1
377 #define SM9_ENC_TYPE_CBC 2
378 #define SM9_ENC_TYPE_OFB 4
379 #define SM9_ENC_TYPE_CFB 8
380
381 /*
382 SM9Cipher ::= SEQUENCE {
383 EnType INTEGER, -- 0 for XOR
384 C1 BIT STRING, -- uncompressed octets of ECPoint
385 C3 OCTET STRING, -- 32 bytes HMAC-SM3 tag
386 CipherText OCTET STRING,
387 }
388 */
sm9_ciphertext_to_der(const SM9_POINT * C1,const uint8_t * c2,size_t c2len,const uint8_t c3[SM3_HMAC_SIZE],uint8_t ** out,size_t * outlen)389 int sm9_ciphertext_to_der(const SM9_POINT *C1, const uint8_t *c2, size_t c2len,
390 const uint8_t c3[SM3_HMAC_SIZE], uint8_t **out, size_t *outlen)
391 {
392 int en_type = SM9_ENC_TYPE_XOR;
393 uint8_t c1[65];
394 size_t len = 0;
395
396 if (sm9_point_to_uncompressed_octets(C1, c1) != 1) {
397 error_print();
398 return -1;
399 }
400 if (asn1_int_to_der(en_type, NULL, &len) != 1
401 || asn1_bit_octets_to_der(c1, sizeof(c1), NULL, &len) != 1
402 || asn1_octet_string_to_der(c3, SM3_HMAC_SIZE, NULL, &len) != 1
403 || asn1_octet_string_to_der(c2, c2len, NULL, &len) != 1
404 || asn1_sequence_header_to_der(len, out, outlen) != 1
405 || asn1_int_to_der(en_type, out, outlen) != 1
406 || asn1_bit_octets_to_der(c1, sizeof(c1), out, outlen) != 1
407 || asn1_octet_string_to_der(c3, SM3_HMAC_SIZE, out, outlen) != 1
408 || asn1_octet_string_to_der(c2, c2len, out, outlen) != 1) {
409 error_print();
410 return -1;
411 }
412 return 1;
413 }
414
sm9_ciphertext_from_der(SM9_POINT * C1,const uint8_t ** c2,size_t * c2len,const uint8_t ** c3,const uint8_t ** in,size_t * inlen)415 int sm9_ciphertext_from_der(SM9_POINT *C1, const uint8_t **c2, size_t *c2len,
416 const uint8_t **c3, const uint8_t **in, size_t *inlen)
417 {
418 int ret;
419 const uint8_t *d;
420 size_t dlen;
421 int en_type;
422 const uint8_t *c1;
423 size_t c1len;
424 size_t c3len;
425
426 if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) {
427 if (ret < 0) error_print();
428 return ret;
429 }
430 if (asn1_int_from_der(&en_type, &d, &dlen) != 1
431 || asn1_bit_octets_from_der(&c1, &c1len, &d, &dlen) != 1
432 || asn1_octet_string_from_der(c3, &c3len, &d, &dlen) != 1
433 || asn1_octet_string_from_der(c2, c2len, &d, &dlen) != 1
434 || asn1_length_is_zero(dlen) != 1) {
435 error_print();
436 return -1;
437 }
438 if (en_type != SM9_ENC_TYPE_XOR) {
439 error_print();
440 return -1;
441 }
442 if (c1len != 65) {
443 error_print();
444 return -1;
445 }
446 if (c3len != SM3_HMAC_SIZE) {
447 error_print();
448 return -1;
449 }
450 if (sm9_point_from_uncompressed_octets(C1, c1) != 1) {
451 error_print();
452 return -1;
453 }
454 return 1;
455 }
456
sm9_encrypt(const SM9_ENC_MASTER_KEY * mpk,const char * id,size_t idlen,const uint8_t * in,size_t inlen,uint8_t * out,size_t * outlen)457 int sm9_encrypt(const SM9_ENC_MASTER_KEY *mpk, const char *id, size_t idlen,
458 const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
459 {
460 SM9_POINT C1;
461 uint8_t c2[inlen];
462 uint8_t c3[SM3_HMAC_SIZE];
463
464 if (sm9_do_encrypt(mpk, id, idlen, in, inlen, &C1, c2, c3) != 1) {
465 error_print();
466 return -1;
467 }
468 *outlen = 0;
469 if (sm9_ciphertext_to_der(&C1, c2, inlen, c3, &out, outlen) != 1) { // FIXME: when out == NULL
470 error_print();
471 return -1;
472 }
473 return 1;
474 }
475
sm9_decrypt(const SM9_ENC_KEY * key,const char * id,size_t idlen,const uint8_t * in,size_t inlen,uint8_t * out,size_t * outlen)476 int sm9_decrypt(const SM9_ENC_KEY *key, const char *id, size_t idlen,
477 const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen)
478 {
479 SM9_POINT C1;
480 const uint8_t *c2;
481 size_t c2len;
482 const uint8_t *c3;
483
484 if (sm9_ciphertext_from_der(&C1, &c2, &c2len, &c3, &in, &inlen) != 1
485 || asn1_length_is_zero(inlen) != 1) {
486 error_print();
487 return -1;
488 }
489 *outlen = c2len;
490 if (!out) {
491 return 1;
492 }
493 if (sm9_do_decrypt(key, id, idlen, &C1, c2, c2len, c3, out) != 1) {
494 error_print();
495 return -1;
496 }
497 return 1;
498 }
499