sm2_sign.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520
  1. /*
  2. * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright 2017 Ribose Inc. All Rights Reserved.
  4. * Ported from Ribose contributions from Botan.
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include "internal/deprecated.h"
  12. #include "crypto/sm2.h"
  13. #include "crypto/sm2err.h"
  14. #include "crypto/ec.h" /* ossl_ec_group_do_inverse_ord() */
  15. #include "internal/numbers.h"
  16. #include <openssl/err.h>
  17. #include <openssl/evp.h>
  18. #include <openssl/bn.h>
  19. #include <string.h>
  20. int ossl_sm2_compute_z_digest(uint8_t *out,
  21. const EVP_MD *digest,
  22. const uint8_t *id,
  23. const size_t id_len,
  24. const EC_KEY *key)
  25. {
  26. int rc = 0;
  27. const EC_GROUP *group = EC_KEY_get0_group(key);
  28. BN_CTX *ctx = NULL;
  29. EVP_MD_CTX *hash = NULL;
  30. BIGNUM *p = NULL;
  31. BIGNUM *a = NULL;
  32. BIGNUM *b = NULL;
  33. BIGNUM *xG = NULL;
  34. BIGNUM *yG = NULL;
  35. BIGNUM *xA = NULL;
  36. BIGNUM *yA = NULL;
  37. int p_bytes = 0;
  38. uint8_t *buf = NULL;
  39. uint16_t entl = 0;
  40. uint8_t e_byte = 0;
  41. hash = EVP_MD_CTX_new();
  42. if (hash == NULL) {
  43. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  44. goto done;
  45. }
  46. ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key));
  47. if (ctx == NULL) {
  48. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  49. goto done;
  50. }
  51. p = BN_CTX_get(ctx);
  52. a = BN_CTX_get(ctx);
  53. b = BN_CTX_get(ctx);
  54. xG = BN_CTX_get(ctx);
  55. yG = BN_CTX_get(ctx);
  56. xA = BN_CTX_get(ctx);
  57. yA = BN_CTX_get(ctx);
  58. if (yA == NULL) {
  59. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  60. goto done;
  61. }
  62. if (!EVP_DigestInit(hash, digest)) {
  63. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  64. goto done;
  65. }
  66. /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
  67. if (id_len >= (UINT16_MAX / 8)) {
  68. /* too large */
  69. ERR_raise(ERR_LIB_SM2, SM2_R_ID_TOO_LARGE);
  70. goto done;
  71. }
  72. entl = (uint16_t)(8 * id_len);
  73. e_byte = entl >> 8;
  74. if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
  75. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  76. goto done;
  77. }
  78. e_byte = entl & 0xFF;
  79. if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
  80. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  81. goto done;
  82. }
  83. if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
  84. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  85. goto done;
  86. }
  87. if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
  88. ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
  89. goto done;
  90. }
  91. p_bytes = BN_num_bytes(p);
  92. buf = OPENSSL_zalloc(p_bytes);
  93. if (buf == NULL)
  94. goto done;
  95. if (BN_bn2binpad(a, buf, p_bytes) < 0
  96. || !EVP_DigestUpdate(hash, buf, p_bytes)
  97. || BN_bn2binpad(b, buf, p_bytes) < 0
  98. || !EVP_DigestUpdate(hash, buf, p_bytes)
  99. || !EC_POINT_get_affine_coordinates(group,
  100. EC_GROUP_get0_generator(group),
  101. xG, yG, ctx)
  102. || BN_bn2binpad(xG, buf, p_bytes) < 0
  103. || !EVP_DigestUpdate(hash, buf, p_bytes)
  104. || BN_bn2binpad(yG, buf, p_bytes) < 0
  105. || !EVP_DigestUpdate(hash, buf, p_bytes)
  106. || !EC_POINT_get_affine_coordinates(group,
  107. EC_KEY_get0_public_key(key),
  108. xA, yA, ctx)
  109. || BN_bn2binpad(xA, buf, p_bytes) < 0
  110. || !EVP_DigestUpdate(hash, buf, p_bytes)
  111. || BN_bn2binpad(yA, buf, p_bytes) < 0
  112. || !EVP_DigestUpdate(hash, buf, p_bytes)
  113. || !EVP_DigestFinal(hash, out, NULL)) {
  114. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  115. goto done;
  116. }
  117. rc = 1;
  118. done:
  119. OPENSSL_free(buf);
  120. BN_CTX_free(ctx);
  121. EVP_MD_CTX_free(hash);
  122. return rc;
  123. }
  124. static BIGNUM *sm2_compute_msg_hash(const EVP_MD *digest,
  125. const EC_KEY *key,
  126. const uint8_t *id,
  127. const size_t id_len,
  128. const uint8_t *msg, size_t msg_len)
  129. {
  130. EVP_MD_CTX *hash = EVP_MD_CTX_new();
  131. const int md_size = EVP_MD_get_size(digest);
  132. uint8_t *z = NULL;
  133. BIGNUM *e = NULL;
  134. EVP_MD *fetched_digest = NULL;
  135. OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
  136. const char *propq = ossl_ec_key_get0_propq(key);
  137. if (md_size < 0) {
  138. ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_DIGEST);
  139. goto done;
  140. }
  141. if (hash == NULL) {
  142. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  143. goto done;
  144. }
  145. z = OPENSSL_zalloc(md_size);
  146. if (z == NULL)
  147. goto done;
  148. fetched_digest = EVP_MD_fetch(libctx, EVP_MD_get0_name(digest), propq);
  149. if (fetched_digest == NULL) {
  150. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  151. goto done;
  152. }
  153. if (!ossl_sm2_compute_z_digest(z, fetched_digest, id, id_len, key)) {
  154. /* SM2err already called */
  155. goto done;
  156. }
  157. if (!EVP_DigestInit(hash, fetched_digest)
  158. || !EVP_DigestUpdate(hash, z, md_size)
  159. || !EVP_DigestUpdate(hash, msg, msg_len)
  160. /* reuse z buffer to hold H(Z || M) */
  161. || !EVP_DigestFinal(hash, z, NULL)) {
  162. ERR_raise(ERR_LIB_SM2, ERR_R_EVP_LIB);
  163. goto done;
  164. }
  165. e = BN_bin2bn(z, md_size, NULL);
  166. if (e == NULL)
  167. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  168. done:
  169. EVP_MD_free(fetched_digest);
  170. OPENSSL_free(z);
  171. EVP_MD_CTX_free(hash);
  172. return e;
  173. }
  174. static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
  175. {
  176. const BIGNUM *dA = EC_KEY_get0_private_key(key);
  177. const EC_GROUP *group = EC_KEY_get0_group(key);
  178. const BIGNUM *order = EC_GROUP_get0_order(group);
  179. ECDSA_SIG *sig = NULL;
  180. EC_POINT *kG = NULL;
  181. BN_CTX *ctx = NULL;
  182. BIGNUM *k = NULL;
  183. BIGNUM *rk = NULL;
  184. BIGNUM *r = NULL;
  185. BIGNUM *s = NULL;
  186. BIGNUM *x1 = NULL;
  187. BIGNUM *tmp = NULL;
  188. OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
  189. kG = EC_POINT_new(group);
  190. if (kG == NULL) {
  191. ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
  192. goto done;
  193. }
  194. ctx = BN_CTX_new_ex(libctx);
  195. if (ctx == NULL) {
  196. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  197. goto done;
  198. }
  199. BN_CTX_start(ctx);
  200. k = BN_CTX_get(ctx);
  201. rk = BN_CTX_get(ctx);
  202. x1 = BN_CTX_get(ctx);
  203. tmp = BN_CTX_get(ctx);
  204. if (tmp == NULL) {
  205. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  206. goto done;
  207. }
  208. /*
  209. * These values are returned and so should not be allocated out of the
  210. * context
  211. */
  212. r = BN_new();
  213. s = BN_new();
  214. if (r == NULL || s == NULL) {
  215. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  216. goto done;
  217. }
  218. /*
  219. * A3: Generate a random number k in [1,n-1] using random number generators;
  220. * A4: Compute (x1,y1)=[k]G, and convert the type of data x1 to be integer
  221. * as specified in clause 4.2.8 of GM/T 0003.1-2012;
  222. * A5: Compute r=(e+x1) mod n. If r=0 or r+k=n, then go to A3;
  223. * A6: Compute s=(1/(1+dA)*(k-r*dA)) mod n. If s=0, then go to A3;
  224. * A7: Convert the type of data (r,s) to be bit strings according to the details
  225. * in clause 4.2.2 of GM/T 0003.1-2012. Then the signature of message M is (r,s).
  226. */
  227. for (;;) {
  228. if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
  229. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  230. goto done;
  231. }
  232. if (!EC_POINT_mul(group, kG, k, NULL, NULL, ctx)
  233. || !EC_POINT_get_affine_coordinates(group, kG, x1, NULL,
  234. ctx)
  235. || !BN_mod_add(r, e, x1, order, ctx)) {
  236. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  237. goto done;
  238. }
  239. /* try again if r == 0 or r+k == n */
  240. if (BN_is_zero(r))
  241. continue;
  242. if (!BN_add(rk, r, k)) {
  243. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  244. goto done;
  245. }
  246. if (BN_cmp(rk, order) == 0)
  247. continue;
  248. if (!BN_add(s, dA, BN_value_one())
  249. || !ossl_ec_group_do_inverse_ord(group, s, s, ctx)
  250. || !BN_mod_mul(tmp, dA, r, order, ctx)
  251. || !BN_sub(tmp, k, tmp)
  252. || !BN_mod_mul(s, s, tmp, order, ctx)) {
  253. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  254. goto done;
  255. }
  256. /* try again if s == 0 */
  257. if (BN_is_zero(s))
  258. continue;
  259. sig = ECDSA_SIG_new();
  260. if (sig == NULL) {
  261. ERR_raise(ERR_LIB_SM2, ERR_R_ECDSA_LIB);
  262. goto done;
  263. }
  264. /* takes ownership of r and s */
  265. ECDSA_SIG_set0(sig, r, s);
  266. break;
  267. }
  268. done:
  269. if (sig == NULL) {
  270. BN_free(r);
  271. BN_free(s);
  272. }
  273. BN_CTX_free(ctx);
  274. EC_POINT_free(kG);
  275. return sig;
  276. }
  277. static int sm2_sig_verify(const EC_KEY *key, const ECDSA_SIG *sig,
  278. const BIGNUM *e)
  279. {
  280. int ret = 0;
  281. const EC_GROUP *group = EC_KEY_get0_group(key);
  282. const BIGNUM *order = EC_GROUP_get0_order(group);
  283. BN_CTX *ctx = NULL;
  284. EC_POINT *pt = NULL;
  285. BIGNUM *t = NULL;
  286. BIGNUM *x1 = NULL;
  287. const BIGNUM *r = NULL;
  288. const BIGNUM *s = NULL;
  289. OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
  290. ctx = BN_CTX_new_ex(libctx);
  291. pt = EC_POINT_new(group);
  292. if (ctx == NULL || pt == NULL) {
  293. ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
  294. goto done;
  295. }
  296. BN_CTX_start(ctx);
  297. t = BN_CTX_get(ctx);
  298. x1 = BN_CTX_get(ctx);
  299. if (x1 == NULL) {
  300. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  301. goto done;
  302. }
  303. /*
  304. * B1: verify whether r' in [1,n-1], verification failed if not
  305. * B2: verify whether s' in [1,n-1], verification failed if not
  306. * B3: set M'~=ZA || M'
  307. * B4: calculate e'=Hv(M'~)
  308. * B5: calculate t = (r' + s') modn, verification failed if t=0
  309. * B6: calculate the point (x1', y1')=[s']G + [t]PA
  310. * B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed
  311. */
  312. ECDSA_SIG_get0(sig, &r, &s);
  313. if (BN_cmp(r, BN_value_one()) < 0
  314. || BN_cmp(s, BN_value_one()) < 0
  315. || BN_cmp(order, r) <= 0
  316. || BN_cmp(order, s) <= 0) {
  317. ERR_raise(ERR_LIB_SM2, SM2_R_BAD_SIGNATURE);
  318. goto done;
  319. }
  320. if (!BN_mod_add(t, r, s, order, ctx)) {
  321. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  322. goto done;
  323. }
  324. if (BN_is_zero(t)) {
  325. ERR_raise(ERR_LIB_SM2, SM2_R_BAD_SIGNATURE);
  326. goto done;
  327. }
  328. if (!EC_POINT_mul(group, pt, s, EC_KEY_get0_public_key(key), t, ctx)
  329. || !EC_POINT_get_affine_coordinates(group, pt, x1, NULL, ctx)) {
  330. ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
  331. goto done;
  332. }
  333. if (!BN_mod_add(t, e, x1, order, ctx)) {
  334. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  335. goto done;
  336. }
  337. if (BN_cmp(r, t) == 0)
  338. ret = 1;
  339. done:
  340. BN_CTX_end(ctx);
  341. EC_POINT_free(pt);
  342. BN_CTX_free(ctx);
  343. return ret;
  344. }
  345. ECDSA_SIG *ossl_sm2_do_sign(const EC_KEY *key,
  346. const EVP_MD *digest,
  347. const uint8_t *id,
  348. const size_t id_len,
  349. const uint8_t *msg, size_t msg_len)
  350. {
  351. BIGNUM *e = NULL;
  352. ECDSA_SIG *sig = NULL;
  353. e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
  354. if (e == NULL) {
  355. /* SM2err already called */
  356. goto done;
  357. }
  358. sig = sm2_sig_gen(key, e);
  359. done:
  360. BN_free(e);
  361. return sig;
  362. }
  363. int ossl_sm2_do_verify(const EC_KEY *key,
  364. const EVP_MD *digest,
  365. const ECDSA_SIG *sig,
  366. const uint8_t *id,
  367. const size_t id_len,
  368. const uint8_t *msg, size_t msg_len)
  369. {
  370. BIGNUM *e = NULL;
  371. int ret = 0;
  372. e = sm2_compute_msg_hash(digest, key, id, id_len, msg, msg_len);
  373. if (e == NULL) {
  374. /* SM2err already called */
  375. goto done;
  376. }
  377. ret = sm2_sig_verify(key, sig, e);
  378. done:
  379. BN_free(e);
  380. return ret;
  381. }
  382. int ossl_sm2_internal_sign(const unsigned char *dgst, int dgstlen,
  383. unsigned char *sig, unsigned int *siglen,
  384. EC_KEY *eckey)
  385. {
  386. BIGNUM *e = NULL;
  387. ECDSA_SIG *s = NULL;
  388. int sigleni;
  389. int ret = -1;
  390. e = BN_bin2bn(dgst, dgstlen, NULL);
  391. if (e == NULL) {
  392. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  393. goto done;
  394. }
  395. s = sm2_sig_gen(eckey, e);
  396. if (s == NULL) {
  397. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  398. goto done;
  399. }
  400. sigleni = i2d_ECDSA_SIG(s, sig != NULL ? &sig : NULL);
  401. if (sigleni < 0) {
  402. ERR_raise(ERR_LIB_SM2, ERR_R_INTERNAL_ERROR);
  403. goto done;
  404. }
  405. *siglen = (unsigned int)sigleni;
  406. ret = 1;
  407. done:
  408. ECDSA_SIG_free(s);
  409. BN_free(e);
  410. return ret;
  411. }
  412. int ossl_sm2_internal_verify(const unsigned char *dgst, int dgstlen,
  413. const unsigned char *sig, int sig_len,
  414. EC_KEY *eckey)
  415. {
  416. ECDSA_SIG *s = NULL;
  417. BIGNUM *e = NULL;
  418. const unsigned char *p = sig;
  419. unsigned char *der = NULL;
  420. int derlen = -1;
  421. int ret = -1;
  422. s = ECDSA_SIG_new();
  423. if (s == NULL) {
  424. ERR_raise(ERR_LIB_SM2, ERR_R_ECDSA_LIB);
  425. goto done;
  426. }
  427. if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) {
  428. ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
  429. goto done;
  430. }
  431. /* Ensure signature uses DER and doesn't have trailing garbage */
  432. derlen = i2d_ECDSA_SIG(s, &der);
  433. if (derlen != sig_len || memcmp(sig, der, derlen) != 0) {
  434. ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_ENCODING);
  435. goto done;
  436. }
  437. e = BN_bin2bn(dgst, dgstlen, NULL);
  438. if (e == NULL) {
  439. ERR_raise(ERR_LIB_SM2, ERR_R_BN_LIB);
  440. goto done;
  441. }
  442. ret = sm2_sig_verify(eckey, s, e);
  443. done:
  444. OPENSSL_free(der);
  445. BN_free(e);
  446. ECDSA_SIG_free(s);
  447. return ret;
  448. }