diff options
| -rw-r--r-- | src/lib/pubkey/sm2/info.txt | 3 | ||||
| -rw-r--r-- | src/lib/pubkey/sm2/sm2.cpp | 16 | ||||
| -rw-r--r-- | src/lib/pubkey/sm2/sm2.h | 11 | ||||
| -rw-r--r-- | src/lib/pubkey/sm2/sm2_enc.cpp | 231 | ||||
| -rw-r--r-- | src/lib/pubkey/sm2/sm2_enc.h | 90 | ||||
| -rw-r--r-- | src/tests/data/pubkey/sm2_enc.vec | 14 | ||||
| -rw-r--r-- | src/tests/test_pubkey.cpp | 5 | ||||
| -rw-r--r-- | src/tests/test_pubkey.h | 6 | ||||
| -rw-r--r-- | src/tests/test_sm2.cpp | 49 | ||||
| -rw-r--r-- | src/tests/unit_ecc.cpp | 4 |
10 files changed, 414 insertions, 15 deletions
diff --git a/src/lib/pubkey/sm2/info.txt b/src/lib/pubkey/sm2/info.txt index e94500277..ee74a74a0 100644 --- a/src/lib/pubkey/sm2/info.txt +++ b/src/lib/pubkey/sm2/info.txt @@ -1,5 +1,5 @@ <defines> -SM2 -> 20170621 +SM2 -> 20170804 </defines> <requires> @@ -10,4 +10,5 @@ keypair numbertheory rng sm3 +kdf2 </requires> diff --git a/src/lib/pubkey/sm2/sm2.cpp b/src/lib/pubkey/sm2/sm2.cpp index 5c5b50792..2882cb0ad 100644 --- a/src/lib/pubkey/sm2/sm2.cpp +++ b/src/lib/pubkey/sm2/sm2.cpp @@ -40,12 +40,10 @@ SM2_Signature_PrivateKey::SM2_Signature_PrivateKey(RandomNumberGenerator& rng, m_da_inv = inverse_mod(m_private_key + 1, domain.get_order()); } -namespace { - -std::vector<uint8_t> compute_za(HashFunction& hash, - const std::string& user_id, - const EC_Group& domain, - const PointGFp& pubkey) +std::vector<uint8_t> sm2_compute_za(HashFunction& hash, + const std::string& user_id, + const EC_Group& domain, + const PointGFp& pubkey) { if(user_id.size() >= 8192) throw Invalid_Argument("SM2 user id too long to represent"); @@ -71,6 +69,8 @@ std::vector<uint8_t> compute_za(HashFunction& hash, return za; } +namespace { + /** * SM2 signature operation */ @@ -88,7 +88,7 @@ class SM2_Signature_Operation : public PK_Ops::Signature m_hash(HashFunction::create_or_throw("SM3")) { // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) - m_za = compute_za(*m_hash, ident, sm2.domain(), sm2.public_point()); + m_za = sm2_compute_za(*m_hash, ident, sm2.domain(), sm2.public_point()); m_hash->update(m_za); } @@ -142,7 +142,7 @@ class SM2_Verification_Operation : public PK_Ops::Verification m_hash(HashFunction::create_or_throw("SM3")) { // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) - m_za = compute_za(*m_hash, ident, sm2.domain(), sm2.public_point()); + m_za = sm2_compute_za(*m_hash, ident, sm2.domain(), sm2.public_point()); m_hash->update(m_za); } diff --git a/src/lib/pubkey/sm2/sm2.h b/src/lib/pubkey/sm2/sm2.h index a66654dbd..879e0b95d 100644 --- a/src/lib/pubkey/sm2/sm2.h +++ b/src/lib/pubkey/sm2/sm2.h @@ -13,7 +13,7 @@ namespace Botan { /** -* This class represents SM2 Signature Keys +* This class represents SM2 Signature public keys */ class BOTAN_DLL SM2_Signature_PublicKey : public virtual EC_PublicKey { @@ -56,7 +56,7 @@ class BOTAN_DLL SM2_Signature_PublicKey : public virtual EC_PublicKey }; /** -* This class represents SM2 Private Keys +* This class represents SM2 Signature private keys */ class BOTAN_DLL SM2_Signature_PrivateKey : public SM2_Signature_PublicKey, public EC_PrivateKey @@ -93,6 +93,13 @@ class BOTAN_DLL SM2_Signature_PrivateKey : public SM2_Signature_PublicKey, BigInt m_da_inv; }; +class HashFunction; + +std::vector<uint8_t> sm2_compute_za(HashFunction& hash, + const std::string& user_id, + const EC_Group& domain, + const PointGFp& pubkey); + } #endif diff --git a/src/lib/pubkey/sm2/sm2_enc.cpp b/src/lib/pubkey/sm2/sm2_enc.cpp new file mode 100644 index 000000000..a832dd1ac --- /dev/null +++ b/src/lib/pubkey/sm2/sm2_enc.cpp @@ -0,0 +1,231 @@ +/* +* SM2 Encryption +* (C) 2017 Ribose Inc +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/sm2_enc.h> +#include <botan/pk_ops.h> +#include <botan/keypair.h> +#include <botan/kdf.h> +#include <botan/hash.h> + +namespace Botan { + +bool SM2_Encryption_PrivateKey::check_key(RandomNumberGenerator& rng, + bool strong) const + { + if(!public_point().on_the_curve()) + return false; + + if(!strong) + return true; + + return KeyPair::encryption_consistency_check(rng, *this, "SM3"); + } + +SM2_Encryption_PrivateKey::SM2_Encryption_PrivateKey(const AlgorithmIdentifier& alg_id, + const secure_vector<uint8_t>& key_bits) : + EC_PrivateKey(alg_id, key_bits) + { + } + +SM2_Encryption_PrivateKey::SM2_Encryption_PrivateKey(RandomNumberGenerator& rng, + const EC_Group& domain, + const BigInt& x) : + EC_PrivateKey(rng, domain, x) + { + } + +namespace { + +class SM2_Encryption_Operation : public PK_Ops::Encryption + { + public: + SM2_Encryption_Operation(const SM2_Encryption_PublicKey& key) : + m_p_bytes(key.domain().get_curve().get_p().bytes()), + m_order(key.domain().get_order()), + m_base_point(key.domain().get_base_point(), m_order), + m_public_point(key.public_point(), m_order) + {} + + size_t max_input_bits() const override + { + // This is arbitrary, but assumes SM2 is used for key encapsulation + return 512; + } + + secure_vector<uint8_t> encrypt(const uint8_t msg[], + size_t msg_len, + RandomNumberGenerator& rng) override + { + std::unique_ptr<HashFunction> hash = HashFunction::create("SM3"); + std::unique_ptr<KDF> kdf = KDF::create("KDF2(SM3)"); + + secure_vector<uint8_t> ciphertext; + ciphertext.reserve(1 + m_p_bytes*2 + msg_len + hash->output_length()); + + const BigInt k = BigInt::random_integer(rng, 1, m_order); + + const PointGFp C1 = m_base_point.blinded_multiply(k, rng); + const BigInt x1 = C1.get_affine_x(); + const BigInt y1 = C1.get_affine_y(); + std::vector<uint8_t> x1_bytes(m_p_bytes); + std::vector<uint8_t> y1_bytes(m_p_bytes); + BigInt::encode_1363(x1_bytes.data(), x1_bytes.size(), x1); + BigInt::encode_1363(y1_bytes.data(), y1_bytes.size(), y1); + + const PointGFp kPB = m_public_point.blinded_multiply(k, rng); + + const BigInt x2 = kPB.get_affine_x(); + const BigInt y2 = kPB.get_affine_y(); + std::vector<uint8_t> x2_bytes(m_p_bytes); + std::vector<uint8_t> y2_bytes(m_p_bytes); + BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2); + BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2); + + secure_vector<uint8_t> kdf_input; + kdf_input += x2_bytes; + kdf_input += y2_bytes; + + const secure_vector<uint8_t> kdf_output = + kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size()); + + secure_vector<uint8_t> masked_msg(msg_len); + xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len); + + hash->update(x2_bytes); + hash->update(msg, msg_len); + hash->update(y2_bytes); + std::vector<uint8_t> C3(hash->output_length()); + hash->final(C3.data()); + + ciphertext.push_back(0x04); + ciphertext += x1_bytes; + ciphertext += y1_bytes; + ciphertext += masked_msg; + ciphertext += C3; + + return ciphertext; + } + + private: + size_t m_p_bytes; + const BigInt& m_order; + Blinded_Point_Multiply m_base_point; + Blinded_Point_Multiply m_public_point; + }; + +class SM2_Decryption_Operation : public PK_Ops::Decryption + { + public: + SM2_Decryption_Operation(const SM2_Encryption_PrivateKey& key, + RandomNumberGenerator& rng) : + m_key(key), + m_rng(rng) + {} + + secure_vector<uint8_t> decrypt(uint8_t& valid_mask, + const uint8_t ciphertext[], + size_t ciphertext_len) override + { + const BigInt& cofactor = m_key.domain().get_cofactor(); + const size_t p_bytes = m_key.domain().get_curve().get_p().bytes(); + + valid_mask = 0; + + std::unique_ptr<HashFunction> hash = HashFunction::create("SM3"); + + // Too short to be valid - no timing problem from early return + if(ciphertext_len < 1 + p_bytes*2 + hash->output_length()) + { + return secure_vector<uint8_t>(); + } + + if(ciphertext[0] != 0x04) + { + return secure_vector<uint8_t>(); + } + + const PointGFp C1 = OS2ECP(ciphertext, 1 + p_bytes*2, m_key.domain().get_curve()); + // OS2ECP verifies C1 is on the curve + + Blinded_Point_Multiply C1_mul(C1, m_key.domain().get_order()); + + if(cofactor > 1 && C1_mul.blinded_multiply(cofactor, m_rng).is_zero()) + { + return secure_vector<uint8_t>(); + } + + const PointGFp dbC1 = C1_mul.blinded_multiply(m_key.private_value(), m_rng); + + const BigInt x2 = dbC1.get_affine_x(); + const BigInt y2 = dbC1.get_affine_y(); + + std::vector<uint8_t> x2_bytes(p_bytes); + std::vector<uint8_t> y2_bytes(p_bytes); + BigInt::encode_1363(x2_bytes.data(), x2_bytes.size(), x2); + BigInt::encode_1363(y2_bytes.data(), y2_bytes.size(), y2); + + secure_vector<uint8_t> kdf_input; + kdf_input += x2_bytes; + kdf_input += y2_bytes; + + const size_t msg_len = ciphertext_len - (1 + p_bytes*2 + hash->output_length()); + + std::unique_ptr<KDF> kdf = KDF::create("KDF2(SM3)"); + const secure_vector<uint8_t> kdf_output = + kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size()); + + secure_vector<uint8_t> msg(msg_len); + xor_buf(msg.data(), ciphertext + (1+p_bytes*2), kdf_output.data(), msg_len); + + hash->update(x2_bytes); + hash->update(msg); + hash->update(y2_bytes); + secure_vector<uint8_t> u = hash->final(); + + if(same_mem(u.data(), ciphertext + (1+p_bytes*2+msg_len), hash->output_length()) == false) + return secure_vector<uint8_t>(); + + valid_mask = 0xFF; + return msg; + } + private: + const SM2_Encryption_PrivateKey& m_key; + RandomNumberGenerator& m_rng; + const std::string m_ident; + }; + +} + +std::unique_ptr<PK_Ops::Encryption> +SM2_Encryption_PublicKey::create_encryption_op(RandomNumberGenerator& /*rng*/, + const std::string& params, + const std::string& provider) const + { + if(provider == "base" || provider.empty()) + { + if(params == "") + return std::unique_ptr<PK_Ops::Encryption>(new SM2_Encryption_Operation(*this)); + } + + throw Provider_Not_Found(algo_name(), provider); + } + +std::unique_ptr<PK_Ops::Decryption> +SM2_Encryption_PrivateKey::create_decryption_op(RandomNumberGenerator& rng, + const std::string& params, + const std::string& provider) const + { + if(provider == "base" || provider.empty()) + { + if(params == "") + return std::unique_ptr<PK_Ops::Decryption>(new SM2_Decryption_Operation(*this, rng)); + } + + throw Provider_Not_Found(algo_name(), provider); + } + +} diff --git a/src/lib/pubkey/sm2/sm2_enc.h b/src/lib/pubkey/sm2/sm2_enc.h new file mode 100644 index 000000000..f8da6a27f --- /dev/null +++ b/src/lib/pubkey/sm2/sm2_enc.h @@ -0,0 +1,90 @@ +/* +* SM2 Encryption +* (C) 2017 Ribose Inc +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_SM2_ENC_KEY_H__ +#define BOTAN_SM2_ENC_KEY_H__ + +#include <botan/ecc_key.h> + +namespace Botan { + +/** +* This class represents a public key used for SM2 encryption +*/ +class BOTAN_DLL SM2_Encryption_PublicKey : public virtual EC_PublicKey + { + public: + + /** + * Create a public key from a given public point. + * @param dom_par the domain parameters associated with this key + * @param public_point the public point defining this key + */ + SM2_Encryption_PublicKey(const EC_Group& dom_par, + const PointGFp& public_point) : + EC_PublicKey(dom_par, public_point) {} + + /** + * Load a public key. + * @param alg_id the X.509 algorithm identifier + * @param key_bits DER encoded public key bits + */ + SM2_Encryption_PublicKey(const AlgorithmIdentifier& alg_id, + const std::vector<uint8_t>& key_bits) : + EC_PublicKey(alg_id, key_bits) {} + + /** + * Get this keys algorithm name. + * @result this keys algorithm name + */ + std::string algo_name() const override { return "SM2_Enc"; } + + std::unique_ptr<PK_Ops::Encryption> + create_encryption_op(RandomNumberGenerator& rng, + const std::string& params, + const std::string& provider) const override; + protected: + SM2_Encryption_PublicKey() = default; + }; + +/** +* This class represents a private key used for SM2 encryption +*/ +class BOTAN_DLL SM2_Encryption_PrivateKey : public SM2_Encryption_PublicKey, + public EC_PrivateKey + { + public: + + /** + * Load a private key + * @param alg_id the X.509 algorithm identifier + * @param key_bits ECPrivateKey bits + */ + SM2_Encryption_PrivateKey(const AlgorithmIdentifier& alg_id, + const secure_vector<uint8_t>& key_bits); + + /** + * Create a private key. + * @param rng a random number generator + * @param domain parameters to used for this key + * @param x the private key (if zero, generate a new random key) + */ + SM2_Encryption_PrivateKey(RandomNumberGenerator& rng, + const EC_Group& domain, + const BigInt& x = 0); + + bool check_key(RandomNumberGenerator& rng, bool) const override; + + std::unique_ptr<PK_Ops::Decryption> + create_decryption_op(RandomNumberGenerator& rng, + const std::string& params, + const std::string& provider) const override; + }; + +} + +#endif diff --git a/src/tests/data/pubkey/sm2_enc.vec b/src/tests/data/pubkey/sm2_enc.vec new file mode 100644 index 000000000..f878a11a2 --- /dev/null +++ b/src/tests/data/pubkey/sm2_enc.vec @@ -0,0 +1,14 @@ +# Example from draft-shen-sm2-ecdsa-02 + +P = 0x8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3 +A = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498 +B = 0x63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A +xG = 0x421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D +yG = 0x0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2 +Order = 0x8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7 +Cofactor = 1 + +Msg = 656E6372797074696F6E207374616E64617264 +x = 0x1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0 +Nonce = 4C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F +Ciphertext = 04245C26FB68B1DDDDB12C4B6BF9F2B6D5FE60A383B0D18D1C4144ABF17F6252E776CB9264C2A7E88E52B19903FDC47378F605E36811F5C07423A24B84400F01B8650053A89B41C418B0C3AAD00D886C002864679C3D7360C30156FAB7C80A0276712DA9D8094A634B766D3A285E07480653426D diff --git a/src/tests/test_pubkey.cpp b/src/tests/test_pubkey.cpp index fb423bc35..4bb4ea9b1 100644 --- a/src/tests/test_pubkey.cpp +++ b/src/tests/test_pubkey.cpp @@ -1,5 +1,6 @@ /* * (C) 2009,2015 Jack Lloyd +* (C) 2017 Ribose Inc * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -241,7 +242,7 @@ PK_Encryption_Decryption_Test::run_one_test(const std::string&, const VarMap& va const std::string padding = get_opt_str(vars, "Padding", default_padding(vars)); - Test::Result result(algo_name() + "/" + padding + " decryption"); + Test::Result result(algo_name() + (padding.empty() ? padding : "/" + padding) + " decryption"); std::unique_ptr<Botan::Private_Key> privkey = load_private_key(vars); @@ -285,7 +286,7 @@ PK_Encryption_Decryption_Test::run_one_test(const std::string&, const VarMap& va std::unique_ptr<Botan::RandomNumberGenerator> kat_rng; if(vars.count("Nonce")) { - kat_rng.reset(new Fixed_Output_RNG(get_req_bin(vars, "Nonce"))); + kat_rng.reset(test_rng(get_req_bin(vars, "Nonce"))); } const std::vector<uint8_t> generated_ciphertext = diff --git a/src/tests/test_pubkey.h b/src/tests/test_pubkey.h index 5d1b2cd99..5d8536496 100644 --- a/src/tests/test_pubkey.h +++ b/src/tests/test_pubkey.h @@ -121,6 +121,12 @@ class PK_Encryption_Decryption_Test : public PK_Test { return "Raw"; } + + virtual Botan::RandomNumberGenerator* test_rng(const std::vector<uint8_t>& nonce) const + { + return new Fixed_Output_RNG(nonce); + } + private: Test::Result run_one_test(const std::string& header, const VarMap& vars) override final; }; diff --git a/src/tests/test_sm2.cpp b/src/tests/test_sm2.cpp index c0d272cbd..2b647e2db 100644 --- a/src/tests/test_sm2.cpp +++ b/src/tests/test_sm2.cpp @@ -9,6 +9,7 @@ #if defined(BOTAN_HAS_SM2) #include <botan/sm2.h> + #include <botan/sm2_enc.h> #include "test_pubkey.h" #endif @@ -60,9 +61,55 @@ class SM2_Signature_KAT_Tests : public PK_Signature_Generation_Test } }; +BOTAN_REGISTER_TEST("sm2_sig", SM2_Signature_KAT_Tests); + +class SM2_Encryption_KAT_Tests : public PK_Encryption_Decryption_Test + { + public: + SM2_Encryption_KAT_Tests() + : PK_Encryption_Decryption_Test( + "SM2", + "pubkey/sm2_enc.vec", + "P,A,B,xG,yG,Order,Cofactor,Msg,x,Nonce,Ciphertext", + "") {} + + virtual std::string default_padding(const VarMap& vars) const override + { + return ""; + } + + Botan::RandomNumberGenerator* test_rng(const std::vector<uint8_t>& nonce) const override + { + return new Fixed_Output_Position_RNG(nonce, 1); + } + + std::unique_ptr<Botan::Private_Key> load_private_key(const VarMap& vars) override + { + // group params + const BigInt p = get_req_bn(vars, "P"); + const BigInt a = get_req_bn(vars, "A"); + const BigInt b = get_req_bn(vars, "B"); + const BigInt xG = get_req_bn(vars, "xG"); + const BigInt yG = get_req_bn(vars, "yG"); + const BigInt order = get_req_bn(vars, "Order"); + const BigInt cofactor = get_req_bn(vars, "Cofactor"); + const BigInt x = get_req_bn(vars, "x"); + + Botan::CurveGFp curve(p, a, b); + Botan::PointGFp base_point(curve, xG, yG); + Botan::EC_Group domain(curve, base_point, order, cofactor); + + Botan::Null_RNG null_rng; + std::unique_ptr<Botan::Private_Key> key(new Botan::SM2_Encryption_PrivateKey(null_rng, domain, x)); + return key; + } + }; + } -BOTAN_REGISTER_TEST("sm2_sig", SM2_Signature_KAT_Tests); +BOTAN_REGISTER_TEST("sm2_enc", SM2_Encryption_KAT_Tests); + + #endif } diff --git a/src/tests/unit_ecc.cpp b/src/tests/unit_ecc.cpp index e1e1a15ab..408b5040c 100644 --- a/src/tests/unit_ecc.cpp +++ b/src/tests/unit_ecc.cpp @@ -53,7 +53,9 @@ const std::vector<std::string> ec_groups = "x962_p192v3", "x962_p239v1", "x962_p239v2", - "x962_p239v3" + "x962_p239v3", + "sm2p256v1", + "frp256v1" }; Botan::BigInt test_integer(Botan::RandomNumberGenerator& rng, size_t bits, BigInt max) |