Merge GH #1142 Add SM2 encryption scheme

8 files changed, 415 insertions, 12 deletions

diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
index 7b14bdbd4..37f38ae1b 100644
--- a/src/lib/ffi/ffi.h
+++ b/src/lib/ffi/ffi.h
@@ -899,6 +899,15 @@ BOTAN_DLL int botan_privkey_load_sm2(botan_privkey_t* key,
                                      const botan_mp_t scalar,
                                      const char* curve_name);
 
+BOTAN_DLL int botan_pubkey_load_sm2_enc(botan_pubkey_t* key,
+                                        const botan_mp_t public_x,
+                                        const botan_mp_t public_y,
+                                        const char* curve_name);
+
+BOTAN_DLL int botan_privkey_load_sm2_enc(botan_privkey_t* key,
+                                         const botan_mp_t scalar,
+                                         const char* curve_name);
+
 /*
 * Public Key Encryption
 */
diff --git a/src/lib/ffi/ffi_pkey_algs.cpp b/src/lib/ffi/ffi_pkey_algs.cpp
index c2ebad80c..844a38846 100644
--- a/src/lib/ffi/ffi_pkey_algs.cpp
+++ b/src/lib/ffi/ffi_pkey_algs.cpp
@@ -37,6 +37,7 @@
 
 #if defined(BOTAN_HAS_SM2)
   #include <botan/sm2.h>
+  #include <botan/sm2_enc.h>
 #endif
 
 #if defined(BOTAN_HAS_ECDH)
@@ -607,6 +608,46 @@ int botan_privkey_load_sm2(botan_privkey_t* key,
 #endif
    }
 
+int botan_pubkey_load_sm2_enc(botan_pubkey_t* key,
+                              const botan_mp_t public_x,
+                              const botan_mp_t public_y,
+                              const char* curve_name)
+   {
+#if defined(BOTAN_HAS_SM2)
+   return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() {
+      std::unique_ptr<Botan::SM2_Encryption_PublicKey> p_key;
+      if(!pubkey_load_ec(p_key, safe_get(public_x), safe_get(public_y), curve_name))
+         {
+         *key = new botan_pubkey_struct(p_key.release());
+         return BOTAN_FFI_SUCCESS;
+         }
+      return BOTAN_FFI_ERROR_UNKNOWN_ERROR;
+      });
+#else
+   BOTAN_UNUSED(key, public_x, public_y, curve_name);
+   return BOTAN_FFI_ERROR_NOT_IMPLEMENTED;
+#endif
+   }
+
+int botan_privkey_load_sm2_enc(botan_privkey_t* key,
+                               const botan_mp_t scalar,
+                               const char* curve_name)
+   {
+#if defined(BOTAN_HAS_SM2)
+   return ffi_guard_thunk(BOTAN_CURRENT_FUNCTION, [=]() {
+      std::unique_ptr<Botan::SM2_Encryption_PrivateKey> p_key;
+      int rc = privkey_load_ec(p_key, safe_get(scalar), curve_name);
+
+      if(rc == BOTAN_FFI_SUCCESS)
+         *key = new botan_privkey_struct(p_key.release());
+      return rc;
+      });
+#else
+   BOTAN_UNUSED(key, scalar, curve_name);
+   return BOTAN_FFI_ERROR_NOT_IMPLEMENTED;
+#endif
+   }
+
 /* Ed25519 specific operations */
 
 int botan_privkey_load_ed25519(botan_privkey_t* key,
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index 34d659c8f..e696b5e74 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -62,6 +62,7 @@
 
 #if defined(BOTAN_HAS_SM2)
   #include <botan/sm2.h>
+  #include <botan/sm2_enc.h>
 #endif
 
 #if defined(BOTAN_HAS_OPENSSL)
@@ -141,6 +142,8 @@ load_public_key(const AlgorithmIdentifier& alg_id,
 #if defined(BOTAN_HAS_SM2)
    if(alg_name == "SM2_Sig")
       return std::unique_ptr<Public_Key>(new SM2_Signature_PublicKey(alg_id, key_bits));
+   if(alg_name == "SM2_Enc")
+      return std::unique_ptr<Public_Key>(new SM2_Encryption_PublicKey(alg_id, key_bits));
 #endif
 
 #if defined(BOTAN_HAS_XMSS)
@@ -217,6 +220,8 @@ load_private_key(const AlgorithmIdentifier& alg_id,
 #if defined(BOTAN_HAS_SM2)
    if(alg_name == "SM2_Sig")
       return std::unique_ptr<Private_Key>(new SM2_Signature_PrivateKey(alg_id, key_bits));
+   if(alg_name == "SM2_Enc")
+      return std::unique_ptr<Private_Key>(new SM2_Encryption_PrivateKey(alg_id, key_bits));
 #endif
 
 #if defined(BOTAN_HAS_ELGAMAL)
@@ -232,6 +237,22 @@ load_private_key(const AlgorithmIdentifier& alg_id,
    throw Decoding_Error("Unhandled PK algorithm " + alg_name);
    }
 
+namespace {
+
+std::string default_ec_group_for(const std::string& alg_name)
+   {
+   if(alg_name == "SM2_Enc" || alg_name == "SM2_Sig")
+      return "sm2p256v1";
+   if(alg_name == "GOST-34.10")
+      return "gost_256A";
+   if(alg_name == "ECGDSA")
+      return "brainpool256r1";
+   return "secp256r1";
+
+   }
+
+}
+
 std::unique_ptr<Private_Key>
 create_private_key(const std::string& alg_name,
                    RandomNumberGenerator& rng,
@@ -305,9 +326,10 @@ create_private_key(const std::string& alg_name,
       alg_name == "ECKCDSA" ||
       alg_name == "ECGDSA" ||
       alg_name == "SM2_Sig" ||
+      alg_name == "SM2_Enc" ||
       alg_name == "GOST-34.10")
       {
-      const EC_Group ec_group(params.empty() ? "secp256r1" : params);
+      const EC_Group ec_group(params.empty() ? default_ec_group_for(alg_name) : params);
 
 #if defined(BOTAN_HAS_ECDSA)
       if(alg_name == "ECDSA")
@@ -332,6 +354,8 @@ create_private_key(const std::string& alg_name,
 #if defined(BOTAN_HAS_SM2)
       if(alg_name == "SM2_Sig")
          return std::unique_ptr<Private_Key>(new SM2_Signature_PrivateKey(rng, ec_group));
+      if(alg_name == "SM2_Enc")
+         return std::unique_ptr<Private_Key>(new SM2_Encryption_PrivateKey(rng, ec_group));
 #endif
 
 #if defined(BOTAN_HAS_ECGDSA)
diff --git a/src/lib/pubkey/sm2/info.txt b/src/lib/pubkey/sm2/info.txt
index e94500277..ee74a74a0 100644
--- a/src/lib/pubkey/sm2/info.txt
+++ b/src/lib/pubkey/sm2/info.txt
@@ -1,5 +1,5 @@
 <defines>
-SM2 -> 20170621
+SM2 -> 20170804
 </defines>
 
 <requires>
@@ -10,4 +10,5 @@ keypair
 numbertheory
 rng
 sm3
+kdf2
 </requires>
diff --git a/src/lib/pubkey/sm2/sm2.cpp b/src/lib/pubkey/sm2/sm2.cpp
index 5c5b50792..2882cb0ad 100644
--- a/src/lib/pubkey/sm2/sm2.cpp
+++ b/src/lib/pubkey/sm2/sm2.cpp
@@ -40,12 +40,10 @@ SM2_Signature_PrivateKey::SM2_Signature_PrivateKey(RandomNumberGenerator& rng,
    m_da_inv = inverse_mod(m_private_key + 1, domain.get_order());
    }
 
-namespace {
-
-std::vector<uint8_t> compute_za(HashFunction& hash,
-                                const std::string& user_id,
-                                const EC_Group& domain,
-                                const PointGFp& pubkey)
+std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
+                                    const std::string& user_id,
+                                    const EC_Group& domain,
+                                    const PointGFp& pubkey)
    {
    if(user_id.size() >= 8192)
       throw Invalid_Argument("SM2 user id too long to represent");
@@ -71,6 +69,8 @@ std::vector<uint8_t> compute_za(HashFunction& hash,
    return za;
    }
 
+namespace {
+
 /**
 * SM2 signature operation
 */
@@ -88,7 +88,7 @@ class SM2_Signature_Operation : public PK_Ops::Signature
          m_hash(HashFunction::create_or_throw("SM3"))
          {
          // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
-         m_za = compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
+         m_za = sm2_compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
          m_hash->update(m_za);
          }
 
@@ -142,7 +142,7 @@ class SM2_Verification_Operation : public PK_Ops::Verification
          m_hash(HashFunction::create_or_throw("SM3"))
          {
          // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
-         m_za = compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
+         m_za = sm2_compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
          m_hash->update(m_za);
          }
 
diff --git a/src/lib/pubkey/sm2/sm2.h b/src/lib/pubkey/sm2/sm2.h
index a66654dbd..879e0b95d 100644
--- a/src/lib/pubkey/sm2/sm2.h
+++ b/src/lib/pubkey/sm2/sm2.h
@@ -13,7 +13,7 @@
 namespace Botan {
 
 /**
-* This class represents SM2 Signature Keys
+* This class represents SM2 Signature public keys
 */
 class BOTAN_DLL SM2_Signature_PublicKey : public virtual EC_PublicKey
    {
@@ -56,7 +56,7 @@ class BOTAN_DLL SM2_Signature_PublicKey : public virtual EC_PublicKey
    };
 
 /**
-* This class represents SM2 Private Keys
+* This class represents SM2 Signature private keys
 */
 class BOTAN_DLL SM2_Signature_PrivateKey : public SM2_Signature_PublicKey,
                                            public EC_PrivateKey
@@ -93,6 +93,13 @@ class BOTAN_DLL SM2_Signature_PrivateKey : public SM2_Signature_PublicKey,
       BigInt m_da_inv;
    };
 
+class HashFunction;
+
+std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
+                                    const std::string& user_id,
+                                    const EC_Group& domain,
+                                    const PointGFp& pubkey);
+
 }
 
 #endif
diff --git a/src/lib/pubkey/sm2/sm2_enc.cpp b/src/lib/pubkey/sm2/sm2_enc.cpp
new file mode 100644
index 000000000..a832dd1ac
--- /dev/null
+++ b/src/lib/pubkey/sm2/sm2_enc.cpp
@@ -0,0 +1,231 @@
+/*
+* SM2 Encryption
+* (C) 2017 Ribose Inc
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/sm2_enc.h>
+#include <botan/pk_ops.h>
+#include <botan/keypair.h>
+#include <botan/kdf.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+bool SM2_Encryption_PrivateKey::check_key(RandomNumberGenerator& rng,
+                                         bool strong) const
+   {
+   if(!public_point().on_the_curve())
+      return false;
+
+   if(!strong)
+      return true;
+
+   return KeyPair::encryption_consistency_check(rng, *this, "SM3");
+   }
+
+SM2_Encryption_PrivateKey::SM2_Encryption_PrivateKey(const AlgorithmIdentifier& alg_id,
+                                                     const secure_vector<uint8_t>& key_bits) :
+   EC_PrivateKey(alg_id, key_bits)
+   {
+   }
+
+SM2_Encryption_PrivateKey::SM2_Encryption_PrivateKey(RandomNumberGenerator& rng,
+                                                     const EC_Group& domain,
+                                                     const BigInt& x) :
+   EC_PrivateKey(rng, domain, x)
+   {
+   }
+
+namespace {
+
+class SM2_Encryption_Operation : public PK_Ops::Encryption
+   {
+   public:
+      SM2_Encryption_Operation(const SM2_Encryption_PublicKey& key) :
+         m_p_bytes(key.domain().get_curve().get_p().bytes()),
+         m_order(key.domain().get_order()),
+         m_base_point(key.domain().get_base_point(), m_order),
+         m_public_point(key.public_point(), m_order)
+         {}
+
+      size_t max_input_bits() const override
+         {
+         // This is arbitrary, but assumes SM2 is used for key encapsulation
+         return 512;
+         }
+
+      secure_vector<uint8_t> encrypt(const uint8_t msg[],
+                                     size_t msg_len,
+                                     RandomNumberGenerator& rng) override
+         {
+         std::unique_ptr<HashFunction> hash = HashFunction::create("SM3");
+         std::unique_ptr<KDF> kdf = KDF::create("KDF2(SM3)");
+
+         secure_vector<uint8_t> ciphertext;
+         ciphertext.reserve(1 + m_p_bytes*2 + msg_len + hash->output_length());
+
+         const BigInt k = BigInt::random_integer(rng, 1, m_order);
+
+         const PointGFp C1 = m_base_point.blinded_multiply(k, rng);
+         const BigInt x1 = C1.get_affine_x();
+         const BigInt y1 = C1.get_affine_y();
+         std::vector<uint8_t> x1_bytes(m_p_bytes);
+         std::vector<uint8_t> y1_bytes(m_p_bytes);
+         BigInt::encode_1363(x1_bytes.data(), x1_bytes.size(), x1);
+         BigInt::encode_1363(y1_bytes.data(), y1_bytes.size(), y1);
+
+         const PointGFp kPB = m_public_point.blinded_multiply(k, rng);
+
+         const BigInt x2 = kPB.get_affine_x();
+         const BigInt y2 = kPB.get_affine_y();
+         std::vector<uint8_t> x2_bytes(m_p_bytes);
+         std::vector<uint8_t> y2_bytes(m_p_bytes);
+         BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
+         BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
+
+         secure_vector<uint8_t> kdf_input;
+         kdf_input += x2_bytes;
+         kdf_input += y2_bytes;
+
+         const secure_vector<uint8_t> kdf_output =
+            kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
+
+         secure_vector<uint8_t> masked_msg(msg_len);
+         xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len);
+
+         hash->update(x2_bytes);
+         hash->update(msg, msg_len);
+         hash->update(y2_bytes);
+         std::vector<uint8_t> C3(hash->output_length());
+         hash->final(C3.data());
+
+         ciphertext.push_back(0x04);
+         ciphertext += x1_bytes;
+         ciphertext += y1_bytes;
+         ciphertext += masked_msg;
+         ciphertext += C3;
+
+         return ciphertext;
+         }
+
+   private:
+      size_t m_p_bytes;
+      const BigInt& m_order;
+      Blinded_Point_Multiply m_base_point;
+      Blinded_Point_Multiply m_public_point;
+   };
+
+class SM2_Decryption_Operation : public PK_Ops::Decryption
+   {
+   public:
+      SM2_Decryption_Operation(const SM2_Encryption_PrivateKey& key,
+                               RandomNumberGenerator& rng) :
+         m_key(key),
+         m_rng(rng)
+         {}
+
+      secure_vector<uint8_t> decrypt(uint8_t& valid_mask,
+                                     const uint8_t ciphertext[],
+                                     size_t ciphertext_len) override
+         {
+         const BigInt& cofactor = m_key.domain().get_cofactor();
+         const size_t p_bytes = m_key.domain().get_curve().get_p().bytes();
+
+         valid_mask = 0;
+
+         std::unique_ptr<HashFunction> hash = HashFunction::create("SM3");
+
+         // Too short to be valid - no timing problem from early return
+         if(ciphertext_len < 1 + p_bytes*2 + hash->output_length())
+            {
+            return secure_vector<uint8_t>();
+            }
+
+         if(ciphertext[0] != 0x04)
+            {
+            return secure_vector<uint8_t>();
+            }
+
+         const PointGFp C1 = OS2ECP(ciphertext, 1 + p_bytes*2, m_key.domain().get_curve());
+         // OS2ECP verifies C1 is on the curve
+
+         Blinded_Point_Multiply C1_mul(C1, m_key.domain().get_order());
+
+         if(cofactor > 1 && C1_mul.blinded_multiply(cofactor, m_rng).is_zero())
+            {
+            return secure_vector<uint8_t>();
+            }
+
+         const PointGFp dbC1 = C1_mul.blinded_multiply(m_key.private_value(), m_rng);
+
+         const BigInt x2 = dbC1.get_affine_x();
+         const BigInt y2 = dbC1.get_affine_y();
+
+         std::vector<uint8_t> x2_bytes(p_bytes);
+         std::vector<uint8_t> y2_bytes(p_bytes);
+         BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
+         BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
+
+         secure_vector<uint8_t> kdf_input;
+         kdf_input += x2_bytes;
+         kdf_input += y2_bytes;
+
+         const size_t msg_len = ciphertext_len - (1 + p_bytes*2 + hash->output_length());
+
+         std::unique_ptr<KDF> kdf = KDF::create("KDF2(SM3)");
+         const secure_vector<uint8_t> kdf_output =
+            kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
+
+         secure_vector<uint8_t> msg(msg_len);
+         xor_buf(msg.data(), ciphertext + (1+p_bytes*2), kdf_output.data(), msg_len);
+
+         hash->update(x2_bytes);
+         hash->update(msg);
+         hash->update(y2_bytes);
+         secure_vector<uint8_t> u = hash->final();
+
+         if(same_mem(u.data(), ciphertext + (1+p_bytes*2+msg_len), hash->output_length()) == false)
+            return secure_vector<uint8_t>();
+
+         valid_mask = 0xFF;
+         return msg;
+         }
+   private:
+      const SM2_Encryption_PrivateKey& m_key;
+      RandomNumberGenerator& m_rng;
+      const std::string m_ident;
+   };
+
+}
+
+std::unique_ptr<PK_Ops::Encryption>
+SM2_Encryption_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/,
+                                               const std::string& params,
+                                               const std::string& provider) const
+   {
+   if(provider == "base" || provider.empty())
+      {
+      if(params == "")
+         return std::unique_ptr<PK_Ops::Encryption>(new SM2_Encryption_Operation(*this));
+      }
+
+   throw Provider_Not_Found(algo_name(), provider);
+   }
+
+std::unique_ptr<PK_Ops::Decryption>
+SM2_Encryption_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
+                                                const std::string& params,
+                                                const std::string& provider) const
+   {
+   if(provider == "base" || provider.empty())
+      {
+      if(params == "")
+         return std::unique_ptr<PK_Ops::Decryption>(new SM2_Decryption_Operation(*this, rng));
+      }
+
+   throw Provider_Not_Found(algo_name(), provider);
+   }
+
+}
diff --git a/src/lib/pubkey/sm2/sm2_enc.h b/src/lib/pubkey/sm2/sm2_enc.h
new file mode 100644
index 000000000..f8da6a27f
--- /dev/null
+++ b/src/lib/pubkey/sm2/sm2_enc.h
@@ -0,0 +1,90 @@
+/*
+* SM2 Encryption
+* (C) 2017 Ribose Inc
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_SM2_ENC_KEY_H__
+#define BOTAN_SM2_ENC_KEY_H__
+
+#include <botan/ecc_key.h>
+
+namespace Botan {
+
+/**
+* This class represents a public key used for SM2 encryption
+*/
+class BOTAN_DLL SM2_Encryption_PublicKey : public virtual EC_PublicKey
+   {
+   public:
+
+      /**
+      * Create a public key from a given public point.
+      * @param dom_par the domain parameters associated with this key
+      * @param public_point the public point defining this key
+      */
+      SM2_Encryption_PublicKey(const EC_Group& dom_par,
+                               const PointGFp& public_point) :
+         EC_PublicKey(dom_par, public_point) {}
+
+      /**
+      * Load a public key.
+      * @param alg_id the X.509 algorithm identifier
+      * @param key_bits DER encoded public key bits
+      */
+      SM2_Encryption_PublicKey(const AlgorithmIdentifier& alg_id,
+                              const std::vector<uint8_t>& key_bits) :
+         EC_PublicKey(alg_id, key_bits) {}
+
+      /**
+      * Get this keys algorithm name.
+      * @result this keys algorithm name
+      */
+      std::string algo_name() const override { return "SM2_Enc"; }
+
+      std::unique_ptr<PK_Ops::Encryption>
+         create_encryption_op(RandomNumberGenerator& rng,
+                              const std::string& params,
+                              const std::string& provider) const override;
+   protected:
+      SM2_Encryption_PublicKey() = default;
+   };
+
+/**
+* This class represents a private key used for SM2 encryption
+*/
+class BOTAN_DLL SM2_Encryption_PrivateKey : public SM2_Encryption_PublicKey,
+                                            public EC_PrivateKey
+   {
+   public:
+
+      /**
+      * Load a private key
+      * @param alg_id the X.509 algorithm identifier
+      * @param key_bits ECPrivateKey bits
+      */
+      SM2_Encryption_PrivateKey(const AlgorithmIdentifier& alg_id,
+                                const secure_vector<uint8_t>& key_bits);
+
+      /**
+      * Create a private key.
+      * @param rng a random number generator
+      * @param domain parameters to used for this key
+      * @param x the private key (if zero, generate a new random key)
+      */
+      SM2_Encryption_PrivateKey(RandomNumberGenerator& rng,
+                                const EC_Group& domain,
+                                const BigInt& x = 0);
+
+      bool check_key(RandomNumberGenerator& rng, bool) const override;
+
+      std::unique_ptr<PK_Ops::Decryption>
+         create_decryption_op(RandomNumberGenerator& rng,
+                              const std::string& params,
+                              const std::string& provider) const override;
+   };
+
+}
+
+#endif