sm2_sign.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479
  1. /*
  2. * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright 2017 Ribose Inc. All Rights Reserved.
  4. * Ported from Ribose contributions from Botan.
  5. *
  6. * Licensed under the OpenSSL license (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include "crypto/sm2.h"
  12. #include "crypto/sm2err.h"
  13. #include "crypto/ec.h" /* ec_group_do_inverse_ord() */
  14. #include "internal/numbers.h"
  15. #include <openssl/err.h>
  16. #include <openssl/evp.h>
  17. #include <openssl/err.h>
  18. #include <openssl/bn.h>
  19. #include <string.h>
  20. int sm2_compute_z_digest(uint8_t *out,
  21. const EVP_MD *digest,
  22. const uint8_t *id,
  23. const size_t id_len,
  24. const EC_KEY *key)
  25. {
  26. int rc = 0;
  27. const EC_GROUP *group = EC_KEY_get0_group(key);
  28. BN_CTX *ctx = NULL;
  29. EVP_MD_CTX *hash = NULL;
  30. BIGNUM *p = NULL;
  31. BIGNUM *a = NULL;
  32. BIGNUM *b = NULL;
  33. BIGNUM *xG = NULL;
  34. BIGNUM *yG = NULL;
  35. BIGNUM *xA = NULL;
  36. BIGNUM *yA = NULL;
  37. int p_bytes = 0;
  38. uint8_t *buf = NULL;
  39. uint16_t entl = 0;
  40. uint8_t e_byte = 0;
  41. hash = EVP_MD_CTX_new();
  42. ctx = BN_CTX_new();
  43. if (hash == NULL || ctx == NULL) {
  44. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_MALLOC_FAILURE);
  45. goto done;
  46. }
  47. p = BN_CTX_get(ctx);
  48. a = BN_CTX_get(ctx);
  49. b = BN_CTX_get(ctx);
  50. xG = BN_CTX_get(ctx);
  51. yG = BN_CTX_get(ctx);
  52. xA = BN_CTX_get(ctx);
  53. yA = BN_CTX_get(ctx);
  54. if (yA == NULL) {
  55. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_MALLOC_FAILURE);
  56. goto done;
  57. }
  58. if (!EVP_DigestInit(hash, digest)) {
  59. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_EVP_LIB);
  60. goto done;
  61. }
  62. /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
  63. if (id_len >= (UINT16_MAX / 8)) {
  64. /* too large */
  65. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, SM2_R_ID_TOO_LARGE);
  66. goto done;
  67. }
  68. entl = (uint16_t)(8 * id_len);
  69. e_byte = entl >> 8;
  70. if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
  71. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_EVP_LIB);
  72. goto done;
  73. }
  74. e_byte = entl & 0xFF;
  75. if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
  76. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_EVP_LIB);
  77. goto done;
  78. }
  79. if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
  80. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_EVP_LIB);
  81. goto done;
  82. }
  83. if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
  84. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_EC_LIB);
  85. goto done;
  86. }
  87. p_bytes = BN_num_bytes(p);
  88. buf = OPENSSL_zalloc(p_bytes);
  89. if (buf == NULL) {
  90. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_MALLOC_FAILURE);
  91. goto done;
  92. }
  93. if (BN_bn2binpad(a, buf, p_bytes) < 0
  94. || !EVP_DigestUpdate(hash, buf, p_bytes)
  95. || BN_bn2binpad(b, buf, p_bytes) < 0
  96. || !EVP_DigestUpdate(hash, buf, p_bytes)
  97. || !EC_POINT_get_affine_coordinates(group,
  98. EC_GROUP_get0_generator(group),
  99. xG, yG, ctx)
  100. || BN_bn2binpad(xG, buf, p_bytes) < 0
  101. || !EVP_DigestUpdate(hash, buf, p_bytes)
  102. || BN_bn2binpad(yG, buf, p_bytes) < 0
  103. || !EVP_DigestUpdate(hash, buf, p_bytes)
  104. || !EC_POINT_get_affine_coordinates(group,
  105. EC_KEY_get0_public_key(key),
  106. xA, yA, ctx)
  107. || BN_bn2binpad(xA, buf, p_bytes) < 0
  108. || !EVP_DigestUpdate(hash, buf, p_bytes)
  109. || BN_bn2binpad(yA, buf, p_bytes) < 0
  110. || !EVP_DigestUpdate(hash, buf, p_bytes)
  111. || !EVP_DigestFinal(hash, out, NULL)) {
  112. SM2err(SM2_F_SM2_COMPUTE_Z_DIGEST, ERR_R_INTERNAL_ERROR);
  113. goto done;
  114. }
  115. rc = 1;
  116. done:
  117. OPENSSL_free(buf);
  118. BN_CTX_free(ctx);
  119. EVP_MD_CTX_free(hash);
  120. return rc;
  121. }
  122. static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest,
  123. const EC_KEY *key,
  124. const uint8_t *id,
  125. const size_t id_len,
  126. const uint8_t *msg, size_t msg_len)
  127. {
  128. EVP_MD_CTX *hash = EVP_MD_CTX_new();
  129. const int md_size = EVP_MD_size(digest);
  130. uint8_t *z = NULL;
  131. BIGNUM *e = NULL;
  132. if (md_size < 0) {
  133. SM2err(SM2_F_SM2_COMPUTE_MSG_HASH, SM2_R_INVALID_DIGEST);
  134. goto done;
  135. }
  136. z = OPENSSL_zalloc(md_size);
  137. if (hash == NULL || z == NULL) {
  138. SM2err(SM2_F_SM2_COMPUTE_MSG_HASH, ERR_R_MALLOC_FAILURE);
  139. goto done;
  140. }
  141. if (!sm2_compute_z_digest(z, digest, id, id_len, key)) {
  142. /* SM2err already called */
  143. goto done;
  144. }
  145. if (!EVP_DigestInit(hash, digest)
  146. || !EVP_DigestUpdate(hash, z, md_size)
  147. || !EVP_DigestUpdate(hash, msg, msg_len)
  148. /* reuse z buffer to hold H(Z || M) */
  149. || !EVP_DigestFinal(hash, z, NULL)) {
  150. SM2err(SM2_F_SM2_COMPUTE_MSG_HASH, ERR_R_EVP_LIB);
  151. goto done;
  152. }
  153. e = BN_bin2bn(z, md_size, NULL);
  154. if (e == NULL)
  155. SM2err(SM2_F_SM2_COMPUTE_MSG_HASH, ERR_R_INTERNAL_ERROR);
  156. done:
  157. OPENSSL_free(z);
  158. EVP_MD_CTX_free(hash);
  159. return e;
  160. }
  161. static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
  162. {
  163. const BIGNUM *dA = EC_KEY_get0_private_key(key);
  164. const EC_GROUP *group = EC_KEY_get0_group(key);
  165. const BIGNUM *order = EC_GROUP_get0_order(group);
  166. ECDSA_SIG *sig = NULL;
  167. EC_POINT *kG = NULL;
  168. BN_CTX *ctx = NULL;
  169. BIGNUM *k = NULL;
  170. BIGNUM *rk = NULL;
  171. BIGNUM *r = NULL;
  172. BIGNUM *s = NULL;
  173. BIGNUM *x1 = NULL;
  174. BIGNUM *tmp = NULL;
  175. kG = EC_POINT_new(group);
  176. ctx = BN_CTX_new();
  177. if (kG == NULL || ctx == NULL) {
  178. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_MALLOC_FAILURE);
  179. goto done;
  180. }
  181. BN_CTX_start(ctx);
  182. k = BN_CTX_get(ctx);
  183. rk = BN_CTX_get(ctx);
  184. x1 = BN_CTX_get(ctx);
  185. tmp = BN_CTX_get(ctx);
  186. if (tmp == NULL) {
  187. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_MALLOC_FAILURE);
  188. goto done;
  189. }
  190. /*
  191. * These values are returned and so should not be allocated out of the
  192. * context
  193. */
  194. r = BN_new();
  195. s = BN_new();
  196. if (r == NULL || s == NULL) {
  197. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_MALLOC_FAILURE);
  198. goto done;
  199. }
  200. for (;;) {
  201. if (!BN_priv_rand_range(k, order)) {
  202. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_INTERNAL_ERROR);
  203. goto done;
  204. }
  205. if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx)
  206. || !EC_POINT_get_affine_coordinates(group, kG, x1, NULL,
  207. ctx)
  208. || !BN_mod_add(r, e, x1, order, ctx)) {
  209. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_INTERNAL_ERROR);
  210. goto done;
  211. }
  212. /* try again if r == 0 or r+k == n */
  213. if (BN_is_zero(r))
  214. continue;
  215. if (!BN_add(rk, r, k)) {
  216. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_INTERNAL_ERROR);
  217. goto done;
  218. }
  219. if (BN_cmp(rk, order) == 0)
  220. continue;
  221. if (!BN_add(s, dA, BN_value_one())
  222. || !ec_group_do_inverse_ord(group, s, s, ctx)
  223. || !BN_mod_mul(tmp, dA, r, order, ctx)
  224. || !BN_sub(tmp, k, tmp)
  225. || !BN_mod_mul(s, s, tmp, order, ctx)) {
  226. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_BN_LIB);
  227. goto done;
  228. }
  229. sig = ECDSA_SIG_new();
  230. if (sig == NULL) {
  231. SM2err(SM2_F_SM2_SIG_GEN, ERR_R_MALLOC_FAILURE);
  232. goto done;
  233. }
  234. /* takes ownership of r and s */
  235. ECDSA_SIG_set0(sig, r, s);
  236. break;
  237. }
  238. done:
  239. if (sig == NULL) {
  240. BN_free(r);
  241. BN_free(s);
  242. }
  243. BN_CTX_free(ctx);
  244. EC_POINT_free(kG);
  245. return sig;
  246. }
  247. static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig,
  248. const BIGNUM *e)
  249. {
  250. int ret = 0;
  251. const EC_GROUP *group = EC_KEY_get0_group(key);
  252. const BIGNUM *order = EC_GROUP_get0_order(group);
  253. BN_CTX *ctx = NULL;
  254. EC_POINT *pt = NULL;
  255. BIGNUM *t = NULL;
  256. BIGNUM *x1 = NULL;
  257. const BIGNUM *r = NULL;
  258. const BIGNUM *s = NULL;
  259. ctx = BN_CTX_new();
  260. pt = EC_POINT_new(group);
  261. if (ctx == NULL || pt == NULL) {
  262. SM2err(SM2_F_SM2_SIG_VERIFY, ERR_R_MALLOC_FAILURE);
  263. goto done;
  264. }
  265. BN_CTX_start(ctx);
  266. t = BN_CTX_get(ctx);
  267. x1 = BN_CTX_get(ctx);
  268. if (x1 == NULL) {
  269. SM2err(SM2_F_SM2_SIG_VERIFY, ERR_R_MALLOC_FAILURE);
  270. goto done;
  271. }
  272. /*
  273. * B1: verify whether r' in [1,n-1], verification failed if not
  274. * B2: verify whether s' in [1,n-1], verification failed if not
  275. * B3: set M'~=ZA || M'
  276. * B4: calculate e'=Hv(M'~)
  277. * B5: calculate t = (r' + s') modn, verification failed if t=0
  278. * B6: calculate the point (x1', y1')=[s']G + [t]PA
  279. * B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed
  280. */
  281. ECDSA_SIG_get0(sig, &r, &s);
  282. if (BN_cmp(r, BN_value_one()) < 0
  283. || BN_cmp(s, BN_value_one()) < 0
  284. || BN_cmp(order, r) <= 0
  285. || BN_cmp(order, s) <= 0) {
  286. SM2err(SM2_F_SM2_SIG_VERIFY, SM2_R_BAD_SIGNATURE);
  287. goto done;
  288. }
  289. if (!BN_mod_add(t, r, s, order, ctx)) {
  290. SM2err(SM2_F_SM2_SIG_VERIFY, ERR_R_BN_LIB);
  291. goto done;
  292. }
  293. if (BN_is_zero(t)) {
  294. SM2err(SM2_F_SM2_SIG_VERIFY, SM2_R_BAD_SIGNATURE);
  295. goto done;
  296. }
  297. if (!EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx)
  298. || !EC_POINT_get_affine_coordinates(group, pt, x1, NULL, ctx)) {
  299. SM2err(SM2_F_SM2_SIG_VERIFY, ERR_R_EC_LIB);
  300. goto done;
  301. }
  302. if (!BN_mod_add(t, e, x1, order, ctx)) {
  303. SM2err(SM2_F_SM2_SIG_VERIFY, ERR_R_BN_LIB);
  304. goto done;
  305. }
  306. if (BN_cmp(r, t) == 0)
  307. ret = 1;
  308. done:
  309. EC_POINT_free(pt);
  310. BN_CTX_free(ctx);
  311. return ret;
  312. }
  313. ECDSA_SIG *sm2_do_sign(const EC_KEY *key,
  314. const EVP_MD *digest,
  315. const uint8_t *id,
  316. const size_t id_len,
  317. const uint8_t *msg, size_t msg_len)
  318. {
  319. BIGNUM *e = NULL;
  320. ECDSA_SIG *sig = NULL;
  321. e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
  322. if (e == NULL) {
  323. /* SM2err already called */
  324. goto done;
  325. }
  326. sig = sm2_sig_gen(key, e);
  327. done:
  328. BN_free(e);
  329. return sig;
  330. }
  331. int sm2_do_verify(const EC_KEY *key,
  332. const EVP_MD *digest,
  333. const ECDSA_SIG *sig,
  334. const uint8_t *id,
  335. const size_t id_len,
  336. const uint8_t *msg, size_t msg_len)
  337. {
  338. BIGNUM *e = NULL;
  339. int ret = 0;
  340. e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
  341. if (e == NULL) {
  342. /* SM2err already called */
  343. goto done;
  344. }
  345. ret = sm2_sig_verify(key, sig, e);
  346. done:
  347. BN_free(e);
  348. return ret;
  349. }
  350. int sm2_sign(const unsigned char *dgst, int dgstlen,
  351. unsigned char *sig, unsigned int *siglen, EC_KEY *eckey)
  352. {
  353. BIGNUM *e = NULL;
  354. ECDSA_SIG *s = NULL;
  355. int sigleni;
  356. int ret = -1;
  357. e = BN_bin2bn(dgst, dgstlen, NULL);
  358. if (e == NULL) {
  359. SM2err(SM2_F_SM2_SIGN, ERR_R_BN_LIB);
  360. goto done;
  361. }
  362. s = sm2_sig_gen(eckey, e);
  363. sigleni = i2d_ECDSA_SIG(s, &sig);
  364. if (sigleni < 0) {
  365. SM2err(SM2_F_SM2_SIGN, ERR_R_INTERNAL_ERROR);
  366. goto done;
  367. }
  368. *siglen = (unsigned int)sigleni;
  369. ret = 1;
  370. done:
  371. ECDSA_SIG_free(s);
  372. BN_free(e);
  373. return ret;
  374. }
  375. int sm2_verify(const unsigned char *dgst, int dgstlen,
  376. const unsigned char *sig, int sig_len, EC_KEY *eckey)
  377. {
  378. ECDSA_SIG *s = NULL;
  379. BIGNUM *e = NULL;
  380. const unsigned char *p = sig;
  381. unsigned char *der = NULL;
  382. int derlen = -1;
  383. int ret = -1;
  384. s = ECDSA_SIG_new();
  385. if (s == NULL) {
  386. SM2err(SM2_F_SM2_VERIFY, ERR_R_MALLOC_FAILURE);
  387. goto done;
  388. }
  389. if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) {
  390. SM2err(SM2_F_SM2_VERIFY, SM2_R_INVALID_ENCODING);
  391. goto done;
  392. }
  393. /* Ensure signature uses DER and doesn't have trailing garbage */
  394. derlen = i2d_ECDSA_SIG(s, &der);
  395. if (derlen != sig_len || memcmp(sig, der, derlen) != 0) {
  396. SM2err(SM2_F_SM2_VERIFY, SM2_R_INVALID_ENCODING);
  397. goto done;
  398. }
  399. e = BN_bin2bn(dgst, dgstlen, NULL);
  400. if (e == NULL) {
  401. SM2err(SM2_F_SM2_VERIFY, ERR_R_BN_LIB);
  402. goto done;
  403. }
  404. ret = sm2_sig_verify(eckey, s, e);
  405. done:
  406. OPENSSL_free(der);
  407. BN_free(e);
  408. ECDSA_SIG_free(s);
  409. return ret;
  410. }