mirror/gmsm
1
0
Fork 0
mirror of https://github.com/emmansun/gmsm.git synced 2025-04-26 20:26:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

sm9: do not expose internal constants

Browse Source
This commit is contained in:
Sun Yimin 2022-11-25 14:40:27 +08:00 committed by GitHub
parent 63668bb045
commit a592631459
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
sm9/sm9.go
View File

@ -21,11 +21,10 @@ import (
// SM9 ASN.1 format reference: Information security technology - SM9 cryptographic algorithm application specification // SM9 ASN.1 format reference: Information security technology - SM9 cryptographic algorithm application specification
// OrderNat is the Nat presentation of Order var orderNat = bigmod.NewModulusFromBig(bn256.Order)
var OrderNat = bigmod.NewModulusFromBig(bn256.Order) var orderMinus2 = new(big.Int).Sub(bn256.Order, big.NewInt(2)).Bytes()
var OrderMinus2 = new(big.Int).Sub(bn256.Order, big.NewInt(2)).Bytes()
var bigOne = big.NewInt(1) var bigOne = big.NewInt(1)
var orderMinus1 = new(big.Int).Sub(bn256.Order, bigOne)
type hashMode byte type hashMode byte
@ -64,8 +63,7 @@ func hash(z []byte, h hashMode) *big.Int {
} }
//TODO: how to rewrite this part with nat? //TODO: how to rewrite this part with nat?
k := new(big.Int).SetBytes(ha[:40]) k := new(big.Int).SetBytes(ha[:40])
n := new(big.Int).Sub(bn256.Order, bigOne) k.Mod(k, orderMinus1)
k.Mod(k, n)
k.Add(k, bigOne) k.Add(k, bigOne)
return k return k
} }
@ -81,7 +79,7 @@ func hashH2(z []byte) *big.Int {
func randomScalar(rand io.Reader) (k *bigmod.Nat, err error) { func randomScalar(rand io.Reader) (k *bigmod.Nat, err error) {
k = bigmod.NewNat() k = bigmod.NewNat()
for { for {
b := make([]byte, OrderNat.Size()) b := make([]byte, orderNat.Size())
if _, err = io.ReadFull(rand, b); err != nil { if _, err = io.ReadFull(rand, b); err != nil {
return return
} }
@ -90,7 +88,7 @@ func randomScalar(rand io.Reader) (k *bigmod.Nat, err error) {
// (0, N). These are the most dangerous lines in the package and maybe in // (0, N). These are the most dangerous lines in the package and maybe in
// the library: a single bit of bias in the selection of nonces would likely // the library: a single bit of bias in the selection of nonces would likely
// lead to key recovery, but no tests would fail. Look but DO NOT TOUCH. // lead to key recovery, but no tests would fail. Look but DO NOT TOUCH.
if excess := len(b)*8 - OrderNat.BitLen(); excess > 0 { if excess := len(b)*8 - orderNat.BitLen(); excess > 0 {
// Just to be safe, assert that this only happens for the one curve that // Just to be safe, assert that this only happens for the one curve that
// doesn't have a round number of bits. // doesn't have a round number of bits.
if excess != 0 { if excess != 0 {
@ -103,7 +101,7 @@ func randomScalar(rand io.Reader) (k *bigmod.Nat, err error) {
// Checking 0 < k <= N - 1 is strictly equivalent. // Checking 0 < k <= N - 1 is strictly equivalent.
// None of this matters anyway because the chance of selecting // None of this matters anyway because the chance of selecting
// zero is cryptographically negligible. // zero is cryptographically negligible.
if _, err = k.SetBytes(b, OrderNat); err == nil && k.IsZero() == 0 { if _, err = k.SetBytes(b, orderNat); err == nil && k.IsZero() == 0 {
break break
} }
} }
@ -124,7 +122,7 @@ func Sign(rand io.Reader, priv *SignPrivateKey, hash []byte) (h *big.Int, s *bn2
return return
} }
w, err = priv.SignMasterPublicKey.ScalarBaseMult(r.Bytes(OrderNat)) w, err = priv.SignMasterPublicKey.ScalarBaseMult(r.Bytes(orderNat))
if err != nil { if err != nil {
return return
} }
@ -134,14 +132,14 @@ func Sign(rand io.Reader, priv *SignPrivateKey, hash []byte) (h *big.Int, s *bn2
buffer = append(buffer, w.Marshal()...) buffer = append(buffer, w.Marshal()...)
h = hashH2(buffer) h = hashH2(buffer)
hNat, err = bigmod.NewNat().SetBytes(h.Bytes(), OrderNat) hNat, err = bigmod.NewNat().SetBytes(h.Bytes(), orderNat)
if err != nil { if err != nil {
return return
} }
r.Sub(hNat, OrderNat) r.Sub(hNat, orderNat)
if r.IsZero() == 0 { if r.IsZero() == 0 {
s, err = new(bn256.G1).ScalarMult(priv.PrivateKey, r.Bytes(OrderNat)) s, err = new(bn256.G1).ScalarMult(priv.PrivateKey, r.Bytes(orderNat))
break break
} }
} }
@ -157,7 +155,7 @@ func (priv *SignPrivateKey) Sign(rand io.Reader, hash []byte, opts crypto.Signer
return nil, err return nil, err
} }
hBytes := make([]byte, OrderNat.Size()) hBytes := make([]byte, orderNat.Size())
h.FillBytes(hBytes) h.FillBytes(hBytes)
var b cryptobyte.Builder var b cryptobyte.Builder
@ -184,12 +182,12 @@ func Verify(pub *SignMasterPublicKey, uid []byte, hid byte, hash []byte, h *big.
return false return false
} }
hNat, err := bigmod.NewNat().SetBytes(h.Bytes(), OrderNat) hNat, err := bigmod.NewNat().SetBytes(h.Bytes(), orderNat)
if err != nil { if err != nil {
return false return false
} }
t, err := pub.ScalarBaseMult(hNat.Bytes(OrderNat)) t, err := pub.ScalarBaseMult(hNat.Bytes(orderNat))
if err != nil { if err != nil {
return false return false
} }
@ -256,7 +254,7 @@ func WrapKey(rand io.Reader, pub *EncryptMasterPublicKey, uid []byte, hid byte,
return return
} }
rBytes := r.Bytes(OrderNat) rBytes := r.Bytes(orderNat)
cipher, err = new(bn256.G1).ScalarMult(q, rBytes) cipher, err = new(bn256.G1).ScalarMult(q, rBytes)
if err != nil { if err != nil {
return return
@ -527,7 +525,7 @@ func NewKeyExchange(priv *EncryptPrivateKey, uid, peerUID []byte, keyLen int, ge
// Destroy clear all internal state and Ephemeral private/public keys // Destroy clear all internal state and Ephemeral private/public keys
func (ke *KeyExchange) Destroy() { func (ke *KeyExchange) Destroy() {
if ke.r != nil { if ke.r != nil {
ke.r.SetBytes([]byte{0}, OrderNat) ke.r.SetBytes([]byte{0}, orderNat)
} }
if ke.g1 != nil { if ke.g1 != nil {
ke.g1.SetOne() ke.g1.SetOne()
@ -543,7 +541,7 @@ func (ke *KeyExchange) Destroy() {
func initKeyExchange(ke *KeyExchange, hid byte, r *bigmod.Nat) { func initKeyExchange(ke *KeyExchange, hid byte, r *bigmod.Nat) {
pubB := ke.privateKey.GenerateUserPublicKey(ke.peerUID, hid) pubB := ke.privateKey.GenerateUserPublicKey(ke.peerUID, hid)
ke.r = r ke.r = r
rA, err := new(bn256.G1).ScalarMult(pubB, ke.r.Bytes(OrderNat)) rA, err := new(bn256.G1).ScalarMult(pubB, ke.r.Bytes(orderNat))
if err != nil { if err != nil {
panic(err) panic(err)
} }
@ -611,7 +609,7 @@ func respondKeyExchange(ke *KeyExchange, hid byte, r *bigmod.Nat, rA *bn256.G1)
ke.peerSecret = rA ke.peerSecret = rA
pubA := ke.privateKey.GenerateUserPublicKey(ke.peerUID, hid) pubA := ke.privateKey.GenerateUserPublicKey(ke.peerUID, hid)
ke.r = r ke.r = r
rBytes := r.Bytes(OrderNat) rBytes := r.Bytes(orderNat)
rB, err := new(bn256.G1).ScalarMult(pubA, rBytes) rB, err := new(bn256.G1).ScalarMult(pubA, rBytes)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
@ -655,14 +653,14 @@ func (ke *KeyExchange) ConfirmResponder(rB *bn256.G1, sB []byte) ([]byte, []byte
} }
// step 5 // step 5
ke.peerSecret = rB ke.peerSecret = rB
g1, err := ke.privateKey.EncryptMasterPublicKey.ScalarBaseMult(ke.r.Bytes(OrderNat)) g1, err := ke.privateKey.EncryptMasterPublicKey.ScalarBaseMult(ke.r.Bytes(orderNat))
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
ke.g1 = g1 ke.g1 = g1
ke.g2 = bn256.Pair(ke.peerSecret, ke.privateKey.PrivateKey) ke.g2 = bn256.Pair(ke.peerSecret, ke.privateKey.PrivateKey)
ke.g3 = &bn256.GT{} ke.g3 = &bn256.GT{}
g3, err := bn256.ScalarMultGT(ke.g2, ke.r.Bytes(OrderNat)) g3, err := bn256.ScalarMultGT(ke.g2, ke.r.Bytes(orderNat))
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }

28
sm9/sm9_key.go
View File

@ -62,7 +62,7 @@ func GenerateSignMasterKey(rand io.Reader) (*SignMasterPrivateKey, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
kBytes := k.Bytes(OrderNat) kBytes := k.Bytes(orderNat)
p, err := new(bn256.G2).ScalarBaseMult(kBytes) p, err := new(bn256.G2).ScalarBaseMult(kBytes)
if err != nil { if err != nil {
return nil, err return nil, err
@ -118,27 +118,27 @@ func (master *SignMasterPrivateKey) GenerateUserKey(uid []byte, hid byte) (*Sign
t1 := hashH1(id) t1 := hashH1(id)
t1Nat, err := bigmod.NewNat().SetBytes(t1.Bytes(), OrderNat) t1Nat, err := bigmod.NewNat().SetBytes(t1.Bytes(), orderNat)
if err != nil { if err != nil {
return nil, err return nil, err
} }
d, err := bigmod.NewNat().SetBytes(master.D.Bytes(), OrderNat) d, err := bigmod.NewNat().SetBytes(master.D.Bytes(), orderNat)
if err != nil { if err != nil {
return nil, err return nil, err
} }
t1Nat.Add(d, OrderNat) t1Nat.Add(d, orderNat)
if t1Nat.IsZero() == 1 { if t1Nat.IsZero() == 1 {
return nil, errors.New("sm9: need to re-generate sign master private key") return nil, errors.New("sm9: need to re-generate sign master private key")
} }
t1Nat = bigmod.NewNat().Exp(t1Nat, OrderMinus2, OrderNat) t1Nat = bigmod.NewNat().Exp(t1Nat, orderMinus2, orderNat)
t1Nat.Mul(d, OrderNat) t1Nat.Mul(d, orderNat)
priv := new(SignPrivateKey) priv := new(SignPrivateKey)
priv.SignMasterPublicKey = master.SignMasterPublicKey priv.SignMasterPublicKey = master.SignMasterPublicKey
g1, err := new(bn256.G1).ScalarBaseMult(t1Nat.Bytes(OrderNat)) g1, err := new(bn256.G1).ScalarBaseMult(t1Nat.Bytes(orderNat))
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -358,7 +358,7 @@ func GenerateEncryptMasterKey(rand io.Reader) (*EncryptMasterPrivateKey, error)
if err != nil { if err != nil {
return nil, err return nil, err
} }
kBytes := k.Bytes(OrderNat) kBytes := k.Bytes(orderNat)
priv := new(EncryptMasterPrivateKey) priv := new(EncryptMasterPrivateKey)
priv.D = new(big.Int).SetBytes(kBytes) priv.D = new(big.Int).SetBytes(kBytes)
@ -378,27 +378,27 @@ func (master *EncryptMasterPrivateKey) GenerateUserKey(uid []byte, hid byte) (*E
t1 := hashH1(id) t1 := hashH1(id)
t1Nat, err := bigmod.NewNat().SetBytes(t1.Bytes(), OrderNat) t1Nat, err := bigmod.NewNat().SetBytes(t1.Bytes(), orderNat)
if err != nil { if err != nil {
return nil, err return nil, err
} }
d, err := bigmod.NewNat().SetBytes(master.D.Bytes(), OrderNat) d, err := bigmod.NewNat().SetBytes(master.D.Bytes(), orderNat)
if err != nil { if err != nil {
return nil, err return nil, err
} }
t1Nat.Add(d, OrderNat) t1Nat.Add(d, orderNat)
if t1Nat.IsZero() == 1 { if t1Nat.IsZero() == 1 {
return nil, errors.New("sm9: need to re-generate encrypt master private key") return nil, errors.New("sm9: need to re-generate encrypt master private key")
} }
t1Nat = bigmod.NewNat().Exp(t1Nat, OrderMinus2, OrderNat) t1Nat = bigmod.NewNat().Exp(t1Nat, orderMinus2, orderNat)
t1Nat.Mul(d, OrderNat) t1Nat.Mul(d, orderNat)
priv := new(EncryptPrivateKey) priv := new(EncryptPrivateKey)
priv.EncryptMasterPublicKey = master.EncryptMasterPublicKey priv.EncryptMasterPublicKey = master.EncryptMasterPublicKey
p, err := new(bn256.G2).ScalarBaseMult(t1Nat.Bytes(OrderNat)) p, err := new(bn256.G2).ScalarBaseMult(t1Nat.Bytes(orderNat))
if err != nil { if err != nil {
panic(err) panic(err)
} }

4
sm9/sm9_test.go
View File

@ -177,7 +177,7 @@ func TestKeyExchangeSample(t *testing.T) {
responder.Destroy() responder.Destroy()
}() }()
// A1-A4 // A1-A4
k, err := bigmod.NewNat().SetBytes(bigFromHex("5879DD1D51E175946F23B1B41E93BA31C584AE59A426EC1046A4D03B06C8").Bytes(), OrderNat) k, err := bigmod.NewNat().SetBytes(bigFromHex("5879DD1D51E175946F23B1B41E93BA31C584AE59A426EC1046A4D03B06C8").Bytes(), orderNat)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -188,7 +188,7 @@ func TestKeyExchangeSample(t *testing.T) {
} }
// B1 - B7 // B1 - B7
k, err = bigmod.NewNat().SetBytes(bigFromHex("018B98C44BEF9F8537FB7D071B2C928B3BC65BD3D69E1EEE213564905634FE").Bytes(), OrderNat) k, err = bigmod.NewNat().SetBytes(bigFromHex("018B98C44BEF9F8537FB7D071B2C928B3BC65BD3D69E1EEE213564905634FE").Bytes(), orderNat)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }