aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-08-04 15:22:33 -0400
committerJack Lloyd <[email protected]>2017-08-04 15:22:33 -0400
commit87fcd69b587ccd60c5f248b40003cf9a0a558a53 (patch)
treec558cab7be5e591a36d74c3f8948c018a1c89bb7 /src
parent58b1f7cc90b3e5c8a4bbff7adf2c001db0ef4d21 (diff)
Add SM2 encryption scheme
This is a contribution from Ribose Inc (@riboseinc)
Diffstat (limited to 'src')
-rw-r--r--src/lib/pubkey/sm2/info.txt3
-rw-r--r--src/lib/pubkey/sm2/sm2.cpp16
-rw-r--r--src/lib/pubkey/sm2/sm2.h11
-rw-r--r--src/lib/pubkey/sm2/sm2_enc.cpp231
-rw-r--r--src/lib/pubkey/sm2/sm2_enc.h90
-rw-r--r--src/tests/data/pubkey/sm2_enc.vec14
-rw-r--r--src/tests/test_pubkey.cpp5
-rw-r--r--src/tests/test_pubkey.h6
-rw-r--r--src/tests/test_sm2.cpp49
-rw-r--r--src/tests/unit_ecc.cpp4
10 files changed, 414 insertions, 15 deletions
diff --git a/src/lib/pubkey/sm2/info.txt b/src/lib/pubkey/sm2/info.txt
index e94500277..ee74a74a0 100644
--- a/src/lib/pubkey/sm2/info.txt
+++ b/src/lib/pubkey/sm2/info.txt
@@ -1,5 +1,5 @@
<defines>
-SM2 -> 20170621
+SM2 -> 20170804
</defines>
<requires>
@@ -10,4 +10,5 @@ keypair
numbertheory
rng
sm3
+kdf2
</requires>
diff --git a/src/lib/pubkey/sm2/sm2.cpp b/src/lib/pubkey/sm2/sm2.cpp
index 5c5b50792..2882cb0ad 100644
--- a/src/lib/pubkey/sm2/sm2.cpp
+++ b/src/lib/pubkey/sm2/sm2.cpp
@@ -40,12 +40,10 @@ SM2_Signature_PrivateKey::SM2_Signature_PrivateKey(RandomNumberGenerator& rng,
m_da_inv = inverse_mod(m_private_key + 1, domain.get_order());
}
-namespace {
-
-std::vector<uint8_t> compute_za(HashFunction& hash,
- const std::string& user_id,
- const EC_Group& domain,
- const PointGFp& pubkey)
+std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
+ const std::string& user_id,
+ const EC_Group& domain,
+ const PointGFp& pubkey)
{
if(user_id.size() >= 8192)
throw Invalid_Argument("SM2 user id too long to represent");
@@ -71,6 +69,8 @@ std::vector<uint8_t> compute_za(HashFunction& hash,
return za;
}
+namespace {
+
/**
* SM2 signature operation
*/
@@ -88,7 +88,7 @@ class SM2_Signature_Operation : public PK_Ops::Signature
m_hash(HashFunction::create_or_throw("SM3"))
{
// ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
- m_za = compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
+ m_za = sm2_compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
m_hash->update(m_za);
}
@@ -142,7 +142,7 @@ class SM2_Verification_Operation : public PK_Ops::Verification
m_hash(HashFunction::create_or_throw("SM3"))
{
// ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
- m_za = compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
+ m_za = sm2_compute_za(*m_hash, ident, sm2.domain(), sm2.public_point());
m_hash->update(m_za);
}
diff --git a/src/lib/pubkey/sm2/sm2.h b/src/lib/pubkey/sm2/sm2.h
index a66654dbd..879e0b95d 100644
--- a/src/lib/pubkey/sm2/sm2.h
+++ b/src/lib/pubkey/sm2/sm2.h
@@ -13,7 +13,7 @@
namespace Botan {
/**
-* This class represents SM2 Signature Keys
+* This class represents SM2 Signature public keys
*/
class BOTAN_DLL SM2_Signature_PublicKey : public virtual EC_PublicKey
{
@@ -56,7 +56,7 @@ class BOTAN_DLL SM2_Signature_PublicKey : public virtual EC_PublicKey
};
/**
-* This class represents SM2 Private Keys
+* This class represents SM2 Signature private keys
*/
class BOTAN_DLL SM2_Signature_PrivateKey : public SM2_Signature_PublicKey,
public EC_PrivateKey
@@ -93,6 +93,13 @@ class BOTAN_DLL SM2_Signature_PrivateKey : public SM2_Signature_PublicKey,
BigInt m_da_inv;
};
+class HashFunction;
+
+std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
+ const std::string& user_id,
+ const EC_Group& domain,
+ const PointGFp& pubkey);
+
}
#endif
diff --git a/src/lib/pubkey/sm2/sm2_enc.cpp b/src/lib/pubkey/sm2/sm2_enc.cpp
new file mode 100644
index 000000000..a832dd1ac
--- /dev/null
+++ b/src/lib/pubkey/sm2/sm2_enc.cpp
@@ -0,0 +1,231 @@
+/*
+* SM2 Encryption
+* (C) 2017 Ribose Inc
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/sm2_enc.h>
+#include <botan/pk_ops.h>
+#include <botan/keypair.h>
+#include <botan/kdf.h>
+#include <botan/hash.h>
+
+namespace Botan {
+
+bool SM2_Encryption_PrivateKey::check_key(RandomNumberGenerator& rng,
+ bool strong) const
+ {
+ if(!public_point().on_the_curve())
+ return false;
+
+ if(!strong)
+ return true;
+
+ return KeyPair::encryption_consistency_check(rng, *this, "SM3");
+ }
+
+SM2_Encryption_PrivateKey::SM2_Encryption_PrivateKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<uint8_t>& key_bits) :
+ EC_PrivateKey(alg_id, key_bits)
+ {
+ }
+
+SM2_Encryption_PrivateKey::SM2_Encryption_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x) :
+ EC_PrivateKey(rng, domain, x)
+ {
+ }
+
+namespace {
+
+class SM2_Encryption_Operation : public PK_Ops::Encryption
+ {
+ public:
+ SM2_Encryption_Operation(const SM2_Encryption_PublicKey& key) :
+ m_p_bytes(key.domain().get_curve().get_p().bytes()),
+ m_order(key.domain().get_order()),
+ m_base_point(key.domain().get_base_point(), m_order),
+ m_public_point(key.public_point(), m_order)
+ {}
+
+ size_t max_input_bits() const override
+ {
+ // This is arbitrary, but assumes SM2 is used for key encapsulation
+ return 512;
+ }
+
+ secure_vector<uint8_t> encrypt(const uint8_t msg[],
+ size_t msg_len,
+ RandomNumberGenerator& rng) override
+ {
+ std::unique_ptr<HashFunction> hash = HashFunction::create("SM3");
+ std::unique_ptr<KDF> kdf = KDF::create("KDF2(SM3)");
+
+ secure_vector<uint8_t> ciphertext;
+ ciphertext.reserve(1 + m_p_bytes*2 + msg_len + hash->output_length());
+
+ const BigInt k = BigInt::random_integer(rng, 1, m_order);
+
+ const PointGFp C1 = m_base_point.blinded_multiply(k, rng);
+ const BigInt x1 = C1.get_affine_x();
+ const BigInt y1 = C1.get_affine_y();
+ std::vector<uint8_t> x1_bytes(m_p_bytes);
+ std::vector<uint8_t> y1_bytes(m_p_bytes);
+ BigInt::encode_1363(x1_bytes.data(), x1_bytes.size(), x1);
+ BigInt::encode_1363(y1_bytes.data(), y1_bytes.size(), y1);
+
+ const PointGFp kPB = m_public_point.blinded_multiply(k, rng);
+
+ const BigInt x2 = kPB.get_affine_x();
+ const BigInt y2 = kPB.get_affine_y();
+ std::vector<uint8_t> x2_bytes(m_p_bytes);
+ std::vector<uint8_t> y2_bytes(m_p_bytes);
+ BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
+ BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
+
+ secure_vector<uint8_t> kdf_input;
+ kdf_input += x2_bytes;
+ kdf_input += y2_bytes;
+
+ const secure_vector<uint8_t> kdf_output =
+ kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
+
+ secure_vector<uint8_t> masked_msg(msg_len);
+ xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len);
+
+ hash->update(x2_bytes);
+ hash->update(msg, msg_len);
+ hash->update(y2_bytes);
+ std::vector<uint8_t> C3(hash->output_length());
+ hash->final(C3.data());
+
+ ciphertext.push_back(0x04);
+ ciphertext += x1_bytes;
+ ciphertext += y1_bytes;
+ ciphertext += masked_msg;
+ ciphertext += C3;
+
+ return ciphertext;
+ }
+
+ private:
+ size_t m_p_bytes;
+ const BigInt& m_order;
+ Blinded_Point_Multiply m_base_point;
+ Blinded_Point_Multiply m_public_point;
+ };
+
+class SM2_Decryption_Operation : public PK_Ops::Decryption
+ {
+ public:
+ SM2_Decryption_Operation(const SM2_Encryption_PrivateKey& key,
+ RandomNumberGenerator& rng) :
+ m_key(key),
+ m_rng(rng)
+ {}
+
+ secure_vector<uint8_t> decrypt(uint8_t& valid_mask,
+ const uint8_t ciphertext[],
+ size_t ciphertext_len) override
+ {
+ const BigInt& cofactor = m_key.domain().get_cofactor();
+ const size_t p_bytes = m_key.domain().get_curve().get_p().bytes();
+
+ valid_mask = 0;
+
+ std::unique_ptr<HashFunction> hash = HashFunction::create("SM3");
+
+ // Too short to be valid - no timing problem from early return
+ if(ciphertext_len < 1 + p_bytes*2 + hash->output_length())
+ {
+ return secure_vector<uint8_t>();
+ }
+
+ if(ciphertext[0] != 0x04)
+ {
+ return secure_vector<uint8_t>();
+ }
+
+ const PointGFp C1 = OS2ECP(ciphertext, 1 + p_bytes*2, m_key.domain().get_curve());
+ // OS2ECP verifies C1 is on the curve
+
+ Blinded_Point_Multiply C1_mul(C1, m_key.domain().get_order());
+
+ if(cofactor > 1 && C1_mul.blinded_multiply(cofactor, m_rng).is_zero())
+ {
+ return secure_vector<uint8_t>();
+ }
+
+ const PointGFp dbC1 = C1_mul.blinded_multiply(m_key.private_value(), m_rng);
+
+ const BigInt x2 = dbC1.get_affine_x();
+ const BigInt y2 = dbC1.get_affine_y();
+
+ std::vector<uint8_t> x2_bytes(p_bytes);
+ std::vector<uint8_t> y2_bytes(p_bytes);
+ BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2);
+ BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2);
+
+ secure_vector<uint8_t> kdf_input;
+ kdf_input += x2_bytes;
+ kdf_input += y2_bytes;
+
+ const size_t msg_len = ciphertext_len - (1 + p_bytes*2 + hash->output_length());
+
+ std::unique_ptr<KDF> kdf = KDF::create("KDF2(SM3)");
+ const secure_vector<uint8_t> kdf_output =
+ kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
+
+ secure_vector<uint8_t> msg(msg_len);
+ xor_buf(msg.data(), ciphertext + (1+p_bytes*2), kdf_output.data(), msg_len);
+
+ hash->update(x2_bytes);
+ hash->update(msg);
+ hash->update(y2_bytes);
+ secure_vector<uint8_t> u = hash->final();
+
+ if(same_mem(u.data(), ciphertext + (1+p_bytes*2+msg_len), hash->output_length()) == false)
+ return secure_vector<uint8_t>();
+
+ valid_mask = 0xFF;
+ return msg;
+ }
+ private:
+ const SM2_Encryption_PrivateKey& m_key;
+ RandomNumberGenerator& m_rng;
+ const std::string m_ident;
+ };
+
+}
+
+std::unique_ptr<PK_Ops::Encryption>
+SM2_Encryption_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/,
+ const std::string& params,
+ const std::string& provider) const
+ {
+ if(provider == "base" || provider.empty())
+ {
+ if(params == "")
+ return std::unique_ptr<PK_Ops::Encryption>(new SM2_Encryption_Operation(*this));
+ }
+
+ throw Provider_Not_Found(algo_name(), provider);
+ }
+
+std::unique_ptr<PK_Ops::Decryption>
+SM2_Encryption_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
+ const std::string& params,
+ const std::string& provider) const
+ {
+ if(provider == "base" || provider.empty())
+ {
+ if(params == "")
+ return std::unique_ptr<PK_Ops::Decryption>(new SM2_Decryption_Operation(*this, rng));
+ }
+
+ throw Provider_Not_Found(algo_name(), provider);
+ }
+
+}
diff --git a/src/lib/pubkey/sm2/sm2_enc.h b/src/lib/pubkey/sm2/sm2_enc.h
new file mode 100644
index 000000000..f8da6a27f
--- /dev/null
+++ b/src/lib/pubkey/sm2/sm2_enc.h
@@ -0,0 +1,90 @@
+/*
+* SM2 Encryption
+* (C) 2017 Ribose Inc
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_SM2_ENC_KEY_H__
+#define BOTAN_SM2_ENC_KEY_H__
+
+#include <botan/ecc_key.h>
+
+namespace Botan {
+
+/**
+* This class represents a public key used for SM2 encryption
+*/
+class BOTAN_DLL SM2_Encryption_PublicKey : public virtual EC_PublicKey
+ {
+ public:
+
+ /**
+ * Create a public key from a given public point.
+ * @param dom_par the domain parameters associated with this key
+ * @param public_point the public point defining this key
+ */
+ SM2_Encryption_PublicKey(const EC_Group& dom_par,
+ const PointGFp& public_point) :
+ EC_PublicKey(dom_par, public_point) {}
+
+ /**
+ * Load a public key.
+ * @param alg_id the X.509 algorithm identifier
+ * @param key_bits DER encoded public key bits
+ */
+ SM2_Encryption_PublicKey(const AlgorithmIdentifier& alg_id,
+ const std::vector<uint8_t>& key_bits) :
+ EC_PublicKey(alg_id, key_bits) {}
+
+ /**
+ * Get this keys algorithm name.
+ * @result this keys algorithm name
+ */
+ std::string algo_name() const override { return "SM2_Enc"; }
+
+ std::unique_ptr<PK_Ops::Encryption>
+ create_encryption_op(RandomNumberGenerator& rng,
+ const std::string& params,
+ const std::string& provider) const override;
+ protected:
+ SM2_Encryption_PublicKey() = default;
+ };
+
+/**
+* This class represents a private key used for SM2 encryption
+*/
+class BOTAN_DLL SM2_Encryption_PrivateKey : public SM2_Encryption_PublicKey,
+ public EC_PrivateKey
+ {
+ public:
+
+ /**
+ * Load a private key
+ * @param alg_id the X.509 algorithm identifier
+ * @param key_bits ECPrivateKey bits
+ */
+ SM2_Encryption_PrivateKey(const AlgorithmIdentifier& alg_id,
+ const secure_vector<uint8_t>& key_bits);
+
+ /**
+ * Create a private key.
+ * @param rng a random number generator
+ * @param domain parameters to used for this key
+ * @param x the private key (if zero, generate a new random key)
+ */
+ SM2_Encryption_PrivateKey(RandomNumberGenerator& rng,
+ const EC_Group& domain,
+ const BigInt& x = 0);
+
+ bool check_key(RandomNumberGenerator& rng, bool) const override;
+
+ std::unique_ptr<PK_Ops::Decryption>
+ create_decryption_op(RandomNumberGenerator& rng,
+ const std::string& params,
+ const std::string& provider) const override;
+ };
+
+}
+
+#endif
diff --git a/src/tests/data/pubkey/sm2_enc.vec b/src/tests/data/pubkey/sm2_enc.vec
new file mode 100644
index 000000000..f878a11a2
--- /dev/null
+++ b/src/tests/data/pubkey/sm2_enc.vec
@@ -0,0 +1,14 @@
+# Example from draft-shen-sm2-ecdsa-02
+
+P = 0x8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3
+A = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498
+B = 0x63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A
+xG = 0x421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D
+yG = 0x0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2
+Order = 0x8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7
+Cofactor = 1
+
+Msg = 656E6372797074696F6E207374616E64617264
+x = 0x1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0
+Nonce = 4C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F
+Ciphertext = 04245C26FB68B1DDDDB12C4B6BF9F2B6D5FE60A383B0D18D1C4144ABF17F6252E776CB9264C2A7E88E52B19903FDC47378F605E36811F5C07423A24B84400F01B8650053A89B41C418B0C3AAD00D886C002864679C3D7360C30156FAB7C80A0276712DA9D8094A634B766D3A285E07480653426D
diff --git a/src/tests/test_pubkey.cpp b/src/tests/test_pubkey.cpp
index fb423bc35..4bb4ea9b1 100644
--- a/src/tests/test_pubkey.cpp
+++ b/src/tests/test_pubkey.cpp
@@ -1,5 +1,6 @@
/*
* (C) 2009,2015 Jack Lloyd
+* (C) 2017 Ribose Inc
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -241,7 +242,7 @@ PK_Encryption_Decryption_Test::run_one_test(const std::string&, const VarMap& va
const std::string padding = get_opt_str(vars, "Padding", default_padding(vars));
- Test::Result result(algo_name() + "/" + padding + " decryption");
+ Test::Result result(algo_name() + (padding.empty() ? padding : "/" + padding) + " decryption");
std::unique_ptr<Botan::Private_Key> privkey = load_private_key(vars);
@@ -285,7 +286,7 @@ PK_Encryption_Decryption_Test::run_one_test(const std::string&, const VarMap& va
std::unique_ptr<Botan::RandomNumberGenerator> kat_rng;
if(vars.count("Nonce"))
{
- kat_rng.reset(new Fixed_Output_RNG(get_req_bin(vars, "Nonce")));
+ kat_rng.reset(test_rng(get_req_bin(vars, "Nonce")));
}
const std::vector<uint8_t> generated_ciphertext =
diff --git a/src/tests/test_pubkey.h b/src/tests/test_pubkey.h
index 5d1b2cd99..5d8536496 100644
--- a/src/tests/test_pubkey.h
+++ b/src/tests/test_pubkey.h
@@ -121,6 +121,12 @@ class PK_Encryption_Decryption_Test : public PK_Test
{
return "Raw";
}
+
+ virtual Botan::RandomNumberGenerator* test_rng(const std::vector<uint8_t>& nonce) const
+ {
+ return new Fixed_Output_RNG(nonce);
+ }
+
private:
Test::Result run_one_test(const std::string& header, const VarMap& vars) override final;
};
diff --git a/src/tests/test_sm2.cpp b/src/tests/test_sm2.cpp
index c0d272cbd..2b647e2db 100644
--- a/src/tests/test_sm2.cpp
+++ b/src/tests/test_sm2.cpp
@@ -9,6 +9,7 @@
#if defined(BOTAN_HAS_SM2)
#include <botan/sm2.h>
+ #include <botan/sm2_enc.h>
#include "test_pubkey.h"
#endif
@@ -60,9 +61,55 @@ class SM2_Signature_KAT_Tests : public PK_Signature_Generation_Test
}
};
+BOTAN_REGISTER_TEST("sm2_sig", SM2_Signature_KAT_Tests);
+
+class SM2_Encryption_KAT_Tests : public PK_Encryption_Decryption_Test
+ {
+ public:
+ SM2_Encryption_KAT_Tests()
+ : PK_Encryption_Decryption_Test(
+ "SM2",
+ "pubkey/sm2_enc.vec",
+ "P,A,B,xG,yG,Order,Cofactor,Msg,x,Nonce,Ciphertext",
+ "") {}
+
+ virtual std::string default_padding(const VarMap& vars) const override
+ {
+ return "";
+ }
+
+ Botan::RandomNumberGenerator* test_rng(const std::vector<uint8_t>& nonce) const override
+ {
+ return new Fixed_Output_Position_RNG(nonce, 1);
+ }
+
+ std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override
+ {
+ // group params
+ const BigInt p = get_req_bn(vars, "P");
+ const BigInt a = get_req_bn(vars, "A");
+ const BigInt b = get_req_bn(vars, "B");
+ const BigInt xG = get_req_bn(vars, "xG");
+ const BigInt yG = get_req_bn(vars, "yG");
+ const BigInt order = get_req_bn(vars, "Order");
+ const BigInt cofactor = get_req_bn(vars, "Cofactor");
+ const BigInt x = get_req_bn(vars, "x");
+
+ Botan::CurveGFp curve(p, a, b);
+ Botan::PointGFp base_point(curve, xG, yG);
+ Botan::EC_Group domain(curve, base_point, order, cofactor);
+
+ Botan::Null_RNG null_rng;
+ std::unique_ptr<Botan::Private_Key> key(new Botan::SM2_Encryption_PrivateKey(null_rng, domain, x));
+ return key;
+ }
+ };
+
}
-BOTAN_REGISTER_TEST("sm2_sig", SM2_Signature_KAT_Tests);
+BOTAN_REGISTER_TEST("sm2_enc", SM2_Encryption_KAT_Tests);
+
+
#endif
}
diff --git a/src/tests/unit_ecc.cpp b/src/tests/unit_ecc.cpp
index e1e1a15ab..408b5040c 100644
--- a/src/tests/unit_ecc.cpp
+++ b/src/tests/unit_ecc.cpp
@@ -53,7 +53,9 @@ const std::vector<std::string> ec_groups =
"x962_p192v3",
"x962_p239v1",
"x962_p239v2",
- "x962_p239v3"
+ "x962_p239v3",
+ "sm2p256v1",
+ "frp256v1"
};
Botan::BigInt test_integer(Botan::RandomNumberGenerator& rng, size_t bits, BigInt max)