Support SM2 raw signatures

Where SM2 signs a hash input provided by the application.

This is a contribution by Ribose Inc (@riboseinc)

1 files changed, 101 insertions, 57 deletions

diff --git a/src/lib/pubkey/sm2/sm2.cpp b/src/lib/pubkey/sm2/sm2.cpp
index 45b14dac6..cf08d0f1c 100644
--- a/src/lib/pubkey/sm2/sm2.cpp
+++ b/src/lib/pubkey/sm2/sm2.cpp
@@ -1,6 +1,6 @@
 /*
 * SM2 Signatures
-* (C) 2017 Ribose Inc
+* (C) 2017,2018 Ribose Inc
 * (C) 2018 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
@@ -12,6 +12,7 @@
 #include <botan/numthry.h>
 #include <botan/keypair.h>
 #include <botan/hash.h>
+#include <botan/parsing.h>
 
 namespace Botan {
 
@@ -90,19 +91,33 @@ class SM2_Signature_Operation final : public PK_Ops::Signature
                               const std::string& hash) :
          m_group(sm2.domain()),
          m_x(sm2.private_value()),
-         m_da_inv(sm2.get_da_inv()),
-         m_hash(HashFunction::create_or_throw(hash))
+         m_da_inv(sm2.get_da_inv())
          {
-         // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
-         m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
-         m_hash->update(m_za);
+         if(hash == "Raw")
+            {
+            // m_hash is null, m_za is empty
+            }
+         else
+            {
+            m_hash = HashFunction::create_or_throw(hash);
+            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
+            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
+            m_hash->update(m_za);
+            }
          }
 
       size_t signature_length() const override { return 2*m_group.get_order_bytes(); }
 
       void update(const uint8_t msg[], size_t msg_len) override
          {
-         m_hash->update(msg, msg_len);
+         if(m_hash)
+            {
+            m_hash->update(msg, msg_len);
+            }
+         else
+            {
+            m_digest.insert(m_digest.end(), msg, msg + msg_len);
+            }
          }
 
       secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
@@ -113,6 +128,7 @@ class SM2_Signature_Operation final : public PK_Ops::Signature
       const BigInt& m_da_inv;
 
       std::vector<uint8_t> m_za;
+      secure_vector<uint8_t> m_digest;
       std::unique_ptr<HashFunction> m_hash;
       std::vector<BigInt> m_ws;
    };
@@ -120,7 +136,18 @@ class SM2_Signature_Operation final : public PK_Ops::Signature
 secure_vector<uint8_t>
 SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
    {
-   const BigInt e = BigInt::decode(m_hash->final());
+   BigInt e;
+   if(m_hash)
+      {
+      e = BigInt::decode(m_hash->final());
+      // prepend ZA for next signature if any
+      m_hash->update(m_za);
+      }
+   else
+      {
+      e = BigInt::decode(m_digest);
+      m_digest.clear();
+      }
 
    const BigInt k = m_group.random_scalar(rng);
 
@@ -128,9 +155,6 @@ SM2_Signature_Operation::sign(RandomNumberGenerator& rng)
       m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
    const BigInt s = m_group.multiply_mod_order(m_da_inv, (k - r*m_x));
 
-   // prepend ZA for next signature if any
-   m_hash->update(m_za);
-
    return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
    }
 
@@ -144,33 +168,56 @@ class SM2_Verification_Operation final : public PK_Ops::Verification
                                  const std::string& ident,
                                  const std::string& hash) :
          m_group(sm2.domain()),
-         m_gy_mul(m_group.get_base_point(), sm2.public_point()),
-         m_hash(HashFunction::create_or_throw(hash))
+         m_gy_mul(m_group.get_base_point(), sm2.public_point())
          {
-         // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
-         m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
-         m_hash->update(m_za);
+         if(hash == "Raw")
+            {
+            // m_hash is null, m_za is empty
+            }
+         else
+            {
+            m_hash = HashFunction::create_or_throw(hash);
+            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
+            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
+            m_hash->update(m_za);
+            }
          }
 
       void update(const uint8_t msg[], size_t msg_len) override
          {
-         m_hash->update(msg, msg_len);
+         if(m_hash)
+            {
+            m_hash->update(msg, msg_len);
+            }
+         else
+            {
+            m_digest.insert(m_digest.end(), msg, msg + msg_len);
+            }
          }
 
       bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
    private:
       const EC_Group m_group;
       const PointGFp_Multi_Point_Precompute m_gy_mul;
+      secure_vector<uint8_t> m_digest;
       std::vector<uint8_t> m_za;
       std::unique_ptr<HashFunction> m_hash;
    };
 
 bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len)
    {
-   const BigInt e = BigInt::decode(m_hash->final());
-
-   // Update for next verification
-   m_hash->update(m_za);
+   BigInt e;
+   if(m_hash)
+      {
+      e = BigInt::decode(m_hash->final());
+      // prepend ZA for next signature if any
+      m_hash->update(m_za);
+      }
+   else
+      {
+      e = BigInt::decode(m_digest);
+      m_digest.clear();
+      }
 
    if(sig_len != m_group.get_order().bytes()*2)
       return false;
@@ -195,6 +242,35 @@ bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t
    return (m_group.mod_order(R.get_affine_x() + e) == r);
    }
 
+void parse_sm2_param_string(const std::string& params,
+                            std::string& userid,
+                            std::string& hash)
+   {
+   // GM/T 0009-2012 specifies this as the default userid
+   const std::string default_userid = "1234567812345678";
+
+   // defaults:
+   userid = default_userid;
+   hash = "SM3";
+
+   /*
+   * SM2 parameters have the following possible formats:
+   * Ident [since 2.2.0]
+   * Ident,Hash [since 2.3.0]
+   */
+
+   auto comma = params.find(',');
+   if(comma == std::string::npos)
+      {
+      userid = params;
+      }
+   else
+      {
+      userid = params.substr(0, comma);
+      hash = params.substr(comma+1, std::string::npos);
+      }
+   }
+
 }
 
 std::unique_ptr<PK_Ops::Verification>
@@ -203,24 +279,8 @@ SM2_PublicKey::create_verification_op(const std::string& params,
    {
    if(provider == "base" || provider.empty())
       {
-      std::string userid = "";
-      std::string hash = "SM3";
-
-      auto comma = params.find(',');
-      if(comma == std::string::npos)
-         userid = params;
-      else
-         {
-         userid = params.substr(0, comma);
-         hash = params.substr(comma+1, std::string::npos);
-         }
-
-      if (userid.empty())
-         {
-         // GM/T 0009-2012 specifies this as the default userid
-         userid = "1234567812345678";
-         }
-
+      std::string userid, hash;
+      parse_sm2_param_string(params, userid, hash);
       return std::unique_ptr<PK_Ops::Verification>(new SM2_Verification_Operation(*this, userid, hash));
       }
 
@@ -234,24 +294,8 @@ SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
    {
    if(provider == "base" || provider.empty())
       {
-      std::string userid = "";
-      std::string hash = "SM3";
-
-      auto comma = params.find(',');
-      if(comma == std::string::npos)
-         userid = params;
-      else
-         {
-         userid = params.substr(0, comma);
-         hash = params.substr(comma+1, std::string::npos);
-         }
-
-      if (userid.empty())
-         {
-         // GM/T 0009-2012 specifies this as the default userid
-         userid = "1234567812345678";
-         }
-
+      std::string userid, hash;
+      parse_sm2_param_string(params, userid, hash);
       return std::unique_ptr<PK_Ops::Signature>(new SM2_Signature_Operation(*this, userid, hash));
       }