From 9c8836b2c63dc12db275d6cd048e7ea492da47b9 Mon Sep 17 00:00:00 2001
From: Sun Yimin <emmansun@users.noreply.github.com>
Date: Fri, 2 Dec 2022 14:33:54 +0800
Subject: [PATCH] sm9: sm9: use bigmod instead of math/big, verify method

---
 sm9/sm9.go | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/sm9/sm9.go b/sm9/sm9.go
index dc9391e..5d1a5e9 100644
--- a/sm9/sm9.go
+++ b/sm9/sm9.go
@@ -121,7 +121,7 @@ func Sign(rand io.Reader, priv *SignPrivateKey, hash []byte) (h *big.Int, s *bn2
 	if err != nil {
 		return nil, nil, err
 	}
-	return parseSignature(sig)
+	return parseSignatureLegacy(sig)
 }
 
 // Sign signs digest with user's DSA key, reading randomness from rand. The opts argument
@@ -171,9 +171,10 @@ func SignASN1(rand io.Reader, priv *SignPrivateKey, hash []byte) ([]byte, error)
 // Verify verifies the signature in h, s of hash using the master dsa public key and user id, uid and hid.
 // Its return value records whether the signature is valid. Please use VerifyASN1 instead.
 func Verify(pub *SignMasterPublicKey, uid []byte, hid byte, hash []byte, h *big.Int, s *bn256.G1) bool {
-	hBytes := make([]byte, orderNat.Size())
-	h.FillBytes(hBytes)
-	sig, err := encodeSignature(hBytes, s)
+	if h.Sign() <= 0 {
+		return false
+	}
+	sig, err := encodeSignature(h.Bytes(), s)
 	if err != nil {
 		return false
 	}
@@ -189,7 +190,7 @@ func encodeSignature(hBytes []byte, s *bn256.G1) ([]byte, error) {
 	return b.Bytes()
 }
 
-func parseSignature(sig []byte) (*big.Int, *bn256.G1, error) {
+func parseSignature(sig []byte) ([]byte, *bn256.G1, error) {
 	var (
 		hBytes []byte
 		sBytes []byte
@@ -203,7 +204,6 @@ func parseSignature(sig []byte) (*big.Int, *bn256.G1, error) {
 		!inner.Empty() {
 		return nil, nil, errors.New("invalid ASN.1")
 	}
-	h := new(big.Int).SetBytes(hBytes)
 	if sBytes[0] != 4 {
 		return nil, nil, errors.New("sm9: invalid point format")
 	}
@@ -212,7 +212,15 @@ func parseSignature(sig []byte) (*big.Int, *bn256.G1, error) {
 	if err != nil {
 		return nil, nil, err
 	}
-	return h, s, nil
+	return hBytes, s, nil
+}
+
+func parseSignatureLegacy(sig []byte) (*big.Int, *bn256.G1, error) {
+	hBytes, s, err := parseSignature(sig)
+	if err != nil {
+		return nil, nil, err
+	}
+	return new(big.Int).SetBytes(hBytes), s, nil
 }
 
 // VerifyASN1 verifies the ASN.1 encoded signature of type SM9Signature, sig, of hash using the
@@ -222,17 +230,17 @@ func VerifyASN1(pub *SignMasterPublicKey, uid []byte, hid byte, hash, sig []byte
 	if err != nil {
 		return false
 	}
-	if h.Sign() <= 0 || h.Cmp(bn256.Order) >= 0 {
-		return false
-	}
 	if !s.IsOnCurve() {
 		return false
 	}
 
-	hNat, err := bigmod.NewNat().SetBytes(h.Bytes(), orderNat)
+	hNat, err := bigmod.NewNat().SetBytes(h, orderNat)
 	if err != nil {
 		return false
 	}
+	if hNat.IsZero() == 1 {
+		return false
+	}
 
 	t, err := pub.ScalarBaseMult(hNat.Bytes(orderNat))
 	if err != nil {