2 * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2017 Ribose Inc. All Rights Reserved.
4 * Ported from Ribose contributions from Botan.
6 * Licensed under the OpenSSL license (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
12 #include "internal/sm2.h"
13 #include "internal/sm2err.h"
14 #include <openssl/err.h>
15 #include <openssl/evp.h>
16 #include <openssl/err.h>
17 #include <openssl/bn.h>
20 static BIGNUM
*SM2_compute_msg_hash(const EVP_MD
*digest
,
23 const uint8_t *msg
, size_t msg_len
)
25 EVP_MD_CTX
*hash
= EVP_MD_CTX_new();
26 const int md_size
= EVP_MD_size(digest
);
27 uint8_t *za
= OPENSSL_zalloc(md_size
);
32 SM2err(SM2_F_SM2_COMPUTE_MSG_HASH
, ERR_R_MALLOC_FAILURE
);
38 SM2err(SM2_F_SM2_COMPUTE_MSG_HASH
, ERR_R_MALLOC_FAILURE
);
42 if (SM2_compute_userid_digest(za
, digest
, user_id
, key
) == 0)
45 if (EVP_DigestInit(hash
, digest
) == 0)
47 SM2err(SM2_F_SM2_COMPUTE_MSG_HASH
, ERR_R_EVP_LIB
);
51 if (EVP_DigestUpdate(hash
, za
, md_size
) == 0)
53 SM2err(SM2_F_SM2_COMPUTE_MSG_HASH
, ERR_R_EVP_LIB
);
57 if (EVP_DigestUpdate(hash
, msg
, msg_len
) == 0)
59 SM2err(SM2_F_SM2_COMPUTE_MSG_HASH
, ERR_R_EVP_LIB
);
63 /* reuse za buffer to hold H(ZA || M) */
64 if (EVP_DigestFinal(hash
, za
, NULL
) == 0)
66 SM2err(SM2_F_SM2_COMPUTE_MSG_HASH
, ERR_R_EVP_LIB
);
70 e
= BN_bin2bn(za
, md_size
, NULL
);
74 EVP_MD_CTX_free(hash
);
79 ECDSA_SIG
*SM2_sig_gen(const EC_KEY
*key
, const BIGNUM
*e
)
81 const BIGNUM
*dA
= EC_KEY_get0_private_key(key
);
82 const EC_GROUP
*group
= EC_KEY_get0_group(key
);
83 const BIGNUM
*order
= EC_GROUP_get0_order(group
);
85 ECDSA_SIG
*sig
= NULL
;
95 kG
= EC_POINT_new(group
);
98 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_MALLOC_FAILURE
);
105 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_MALLOC_FAILURE
);
112 rk
= BN_CTX_get(ctx
);
113 x1
= BN_CTX_get(ctx
);
114 tmp
= BN_CTX_get(ctx
);
118 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
122 /* These values are returned and so should not be allocated out of the context */
126 if (r
== NULL
|| s
== NULL
)
128 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_MALLOC_FAILURE
);
133 BN_priv_rand_range(k
, order
);
135 if (EC_POINT_mul(group
, kG
, k
, NULL
, NULL
, ctx
) == 0)
137 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_EC_LIB
);
141 if (EC_POINT_get_affine_coordinates_GFp(group
, kG
, x1
, NULL
, ctx
) == 0)
143 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_EC_LIB
);
147 if (BN_mod_add(r
, e
, x1
, order
, ctx
) == 0)
149 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
153 /* try again if r == 0 or r+k == n */
159 if (BN_cmp(rk
, order
) == 0)
162 if(BN_add(s
, dA
, BN_value_one()) == 0)
164 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
168 if(BN_mod_inverse(s
, s
, order
, ctx
) == 0)
170 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
174 if(BN_mod_mul(tmp
, dA
, r
, order
, ctx
) == 0)
176 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
180 if(BN_sub(tmp
, k
, tmp
) == 0)
182 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
186 if(BN_mod_mul(s
, s
, tmp
, order
, ctx
) == 0)
188 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_BN_LIB
);
192 sig
= ECDSA_SIG_new();
196 SM2err(SM2_F_SM2_SIG_GEN
, ERR_R_MALLOC_FAILURE
);
200 /* takes ownership of r and s */
201 ECDSA_SIG_set0(sig
, r
, s
);
219 int SM2_sig_verify(const EC_KEY
*key
, const ECDSA_SIG
*sig
, const BIGNUM
*e
)
222 const EC_GROUP
*group
= EC_KEY_get0_group(key
);
223 const BIGNUM
*order
= EC_GROUP_get0_order(group
);
229 const BIGNUM
*r
= NULL
;
230 const BIGNUM
*s
= NULL
;
235 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_MALLOC_FAILURE
);
239 pt
= EC_POINT_new(group
);
242 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_MALLOC_FAILURE
);
249 x1
= BN_CTX_get(ctx
);
253 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_MALLOC_FAILURE
);
258 B1: verify whether r' in [1,n-1], verification failed if not
259 B2: vefify whether s' in [1,n-1], verification failed if not
261 B4: calculate e'=Hv(M'~)
262 B5: calculate t = (r' + s') modn, verification failed if t=0
263 B6: calculate the point (x1', y1')=[s']G + [t]PA
264 B7: calculate R=(e'+x1') modn, verfication pass if yes, otherwise failed
267 ECDSA_SIG_get0(sig
, &r
, &s
);
269 if ((BN_cmp(r
, BN_value_one()) < 0) || (BN_cmp(s
, BN_value_one()) < 0))
271 SM2err(SM2_F_SM2_SIG_VERIFY
, SM2_R_BAD_SIGNATURE
);
275 if ((BN_cmp(order
, r
) <= 0) || (BN_cmp(order
, s
) <= 0))
277 SM2err(SM2_F_SM2_SIG_VERIFY
, SM2_R_BAD_SIGNATURE
);
281 if (BN_mod_add(t
, r
, s
, order
, ctx
) == 0)
283 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_BN_LIB
);
287 if (BN_is_zero(t
) == 1)
289 SM2err(SM2_F_SM2_SIG_VERIFY
, SM2_R_BAD_SIGNATURE
);
293 if (EC_POINT_mul(group
, pt
, s
, EC_KEY_get0_public_key(key
), t
, ctx
) == 0)
295 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_EC_LIB
);
299 if (EC_POINT_get_affine_coordinates_GFp(group
, pt
, x1
, NULL
, ctx
) == 0)
301 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_EC_LIB
);
305 if (BN_mod_add(t
, e
, x1
, order
, ctx
) == 0)
307 SM2err(SM2_F_SM2_SIG_VERIFY
, ERR_R_BN_LIB
);
311 if (BN_cmp(r
, t
) == 0)
320 ECDSA_SIG
*SM2_do_sign(const EC_KEY
*key
,
321 const EVP_MD
*digest
,
322 const char *user_id
, const uint8_t *msg
, size_t msg_len
)
325 ECDSA_SIG
*sig
= NULL
;
327 e
= SM2_compute_msg_hash(digest
, key
, user_id
, msg
, msg_len
);
331 sig
= SM2_sig_gen(key
, e
);
338 int SM2_do_verify(const EC_KEY
*key
,
339 const EVP_MD
*digest
,
340 const ECDSA_SIG
*sig
,
341 const char *user_id
, const uint8_t *msg
, size_t msg_len
)
346 e
= SM2_compute_msg_hash(digest
, key
, user_id
, msg
, msg_len
);
350 ret
= SM2_sig_verify(key
, sig
, e
);
357 int SM2_sign(int type
, const unsigned char *dgst
, int dgstlen
,
358 unsigned char *sig
, unsigned int *siglen
, EC_KEY
*eckey
)
364 if (type
!= NID_sm3
|| dgstlen
!= 32)
366 SM2err(SM2_F_SM2_SIGN
, SM2_R_INVALID_DIGEST_TYPE
);
370 e
= BN_bin2bn(dgst
, dgstlen
, NULL
);
372 s
= SM2_sig_gen(eckey
, e
);
374 *siglen
= i2d_ECDSA_SIG(s
, &sig
);
384 int SM2_verify(int type
, const unsigned char *dgst
, int dgstlen
,
385 const unsigned char *sig
, int sig_len
, EC_KEY
*eckey
)
389 const unsigned char *p
= sig
;
390 unsigned char *der
= NULL
;
396 SM2err(SM2_F_SM2_VERIFY
, SM2_R_INVALID_DIGEST_TYPE
);
403 SM2err(SM2_F_SM2_VERIFY
, ERR_R_MALLOC_FAILURE
);
406 if (d2i_ECDSA_SIG(&s
, &p
, sig_len
) == NULL
)
408 SM2err(SM2_F_SM2_VERIFY
, SM2_R_INVALID_ENCODING
);
411 /* Ensure signature uses DER and doesn't have trailing garbage */
412 derlen
= i2d_ECDSA_SIG(s
, &der
);
413 if (derlen
!= sig_len
|| memcmp(sig
, der
, derlen
) != 0)
415 SM2err(SM2_F_SM2_VERIFY
, SM2_R_INVALID_ENCODING
);
419 e
= BN_bin2bn(dgst
, dgstlen
, NULL
);
421 ret
= SM2_sig_verify(eckey
, s
, e
);