mirror/gmsm
1
0
Fork 0
mirror of https://github.com/emmansun/gmsm.git synced 2025-04-26 04:06:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

sm2/enc: use bigmod and sm2ec instead of math/big and crypto/elliptic

Browse Source
This commit is contained in:
Sun Yimin 2022-11-23 17:34:08 +08:00 committed by GitHub
parent 9c6638f30e
commit fc8fe5c631
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 476 additions and 275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

397
sm2/sm2.go
View File

@ -21,7 +21,6 @@ import (
"fmt" "fmt"
"io" "io"
"math/big" "math/big"
"strings"
"sync" "sync"
"github.com/emmansun/gmsm/ecdh" "github.com/emmansun/gmsm/ecdh"
@ -96,19 +95,6 @@ func NewPlainDecrypterOpts(splicingOrder ciphertextSplicingOrder) *DecrypterOpts
return &DecrypterOpts{ENCODING_PLAIN, splicingOrder} return &DecrypterOpts{ENCODING_PLAIN, splicingOrder}
} }
func (mode pointMarshalMode) mashal(curve elliptic.Curve, x, y *big.Int) []byte {
switch mode {
case MarshalCompressed:
return elliptic.MarshalCompressed(curve, x, y)
case MarshalHybrid:
buffer := elliptic.Marshal(curve, x, y)
buffer[0] = byte(y.Bit(0)) | hybrid06
return buffer
default:
return elliptic.Marshal(curve, x, y)
}
}
func toBytes(curve elliptic.Curve, value *big.Int) []byte { func toBytes(curve elliptic.Curve, value *big.Int) []byte {
byteLen := (curve.Params().BitSize + 7) >> 3 byteLen := (curve.Params().BitSize + 7) >> 3
result := make([]byte, byteLen) result := make([]byte, byteLen)
@ -116,43 +102,6 @@ func toBytes(curve elliptic.Curve, value *big.Int) []byte {
return result return result
} }
func bytes2Point(curve elliptic.Curve, bytes []byte) (*big.Int, *big.Int, int, error) {
if len(bytes) < 1+(curve.Params().BitSize/8) {
return nil, nil, 0, fmt.Errorf("sm2: invalid bytes length %d", len(bytes))
}
format := bytes[0]
byteLen := (curve.Params().BitSize + 7) >> 3
switch format {
case uncompressed, hybrid06, hybrid07: // what's the hybrid format purpose?
if len(bytes) < 1+byteLen*2 {
return nil, nil, 0, fmt.Errorf("sm2: invalid point uncompressed/hybrid form bytes length %d", len(bytes))
}
data := make([]byte, 1+byteLen*2)
data[0] = uncompressed
copy(data[1:], bytes[1:1+byteLen*2])
x, y := sm2ec.Unmarshal(curve, data)
if x == nil || y == nil {
return nil, nil, 0, fmt.Errorf("sm2: point is not on curve %s", curve.Params().Name)
}
return x, y, 1 + byteLen*2, nil
case compressed02, compressed03:
if len(bytes) < 1+byteLen {
return nil, nil, 0, fmt.Errorf("sm2: invalid point compressed form bytes length %d", len(bytes))
}
// Make sure it's NIST curve or SM2 P-256 curve
if strings.HasPrefix(curve.Params().Name, "P-") || strings.EqualFold(curve.Params().Name, sm2ec.P256().Params().Name) {
// y² = x³ - 3x + b, prime curves
x, y := sm2ec.UnmarshalCompressed(curve, bytes[:1+byteLen])
if x == nil || y == nil {
return nil, nil, 0, fmt.Errorf("sm2: point is not on curve %s", curve.Params().Name)
}
return x, y, 1 + byteLen, nil
}
return nil, nil, 0, fmt.Errorf("sm2: unsupport point form %d, curve %s", format, curve.Params().Name)
}
return nil, nil, 0, fmt.Errorf("sm2: unknown point form %d", format)
}
var defaultEncrypterOpts = &EncrypterOpts{ENCODING_PLAIN, MarshalUncompressed, C1C3C2} var defaultEncrypterOpts = &EncrypterOpts{ENCODING_PLAIN, MarshalUncompressed, C1C3C2}
var ASN1EncrypterOpts = &EncrypterOpts{ENCODING_ASN1, MarshalUncompressed, C1C3C2} var ASN1EncrypterOpts = &EncrypterOpts{ENCODING_ASN1, MarshalUncompressed, C1C3C2}
@ -245,25 +194,6 @@ func (priv *PrivateKey) Decrypt(rand io.Reader, msg []byte, opts crypto.Decrypte
const maxRetryLimit = 100 const maxRetryLimit = 100
func calculateC3(curve elliptic.Curve, x2, y2 *big.Int, msg []byte) []byte {
md := sm3.New()
md.Write(toBytes(curve, x2))
md.Write(msg)
md.Write(toBytes(curve, y2))
return md.Sum(nil)
}
func mashalASN1Ciphertext(x1, y1 *big.Int, c2, c3 []byte) ([]byte, error) {
var b cryptobyte.Builder
b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
b.AddASN1BigInt(x1)
b.AddASN1BigInt(y1)
b.AddASN1OctetString(c3)
b.AddASN1OctetString(c2)
})
return b.Bytes()
}
// EncryptASN1 sm2 encrypt and output ASN.1 result, compliance with GB/T 32918.4-2016. // EncryptASN1 sm2 encrypt and output ASN.1 result, compliance with GB/T 32918.4-2016.
func EncryptASN1(random io.Reader, pub *ecdsa.PublicKey, msg []byte) ([]byte, error) { func EncryptASN1(random io.Reader, pub *ecdsa.PublicKey, msg []byte) ([]byte, error) {
return Encrypt(random, pub, msg, ASN1EncrypterOpts) return Encrypt(random, pub, msg, ASN1EncrypterOpts)
@ -271,35 +201,41 @@ func EncryptASN1(random io.Reader, pub *ecdsa.PublicKey, msg []byte) ([]byte, er
// Encrypt sm2 encrypt implementation, compliance with GB/T 32918.4-2016. // Encrypt sm2 encrypt implementation, compliance with GB/T 32918.4-2016.
func Encrypt(random io.Reader, pub *ecdsa.PublicKey, msg []byte, opts *EncrypterOpts) ([]byte, error) { func Encrypt(random io.Reader, pub *ecdsa.PublicKey, msg []byte, opts *EncrypterOpts) ([]byte, error) {
curve := pub.Curve //A3, requirement is to check if h*P is infinite point, h is 1
msgLen := len(msg) if pub.X.Sign() == 0 && pub.Y.Sign() == 0 {
if msgLen == 0 { return nil, errors.New("sm2: invalid public key")
}
if len(msg) == 0 {
return nil, nil return nil, nil
} }
if opts == nil { if opts == nil {
opts = defaultEncrypterOpts opts = defaultEncrypterOpts
} }
//A3, requirement is to check if h*P is infinite point, h is 1 switch pub.Curve.Params() {
if pub.X.Sign() == 0 && pub.Y.Sign() == 0 { case P256().Params():
return nil, errors.New("sm2: invalid public key") return encryptSM2EC(p256(), pub, random, msg, opts)
default:
return encryptLegacy(random, pub, msg, opts)
}
}
func encryptSM2EC(c *sm2Curve, pub *ecdsa.PublicKey, random io.Reader, msg []byte, opts *EncrypterOpts) ([]byte, error) {
Q, err := c.pointFromAffine(pub.X, pub.Y)
if err != nil {
return nil, err
} }
var retryCount int = 0 var retryCount int = 0
for { for {
//A1, generate random k k, C1, err := randomPoint(c, random)
k, err := randFieldElement(curve, random)
if err != nil { if err != nil {
return nil, err return nil, err
} }
C2, err := Q.ScalarMult(Q, k.Bytes(c.N))
//A2, calculate C1 = k * G if err != nil {
x1, y1 := curve.ScalarBaseMult(k.Bytes()) return nil, err
c1 := opts.PointMarshalMode.mashal(curve, x1, y1) }
C2Bytes := C2.Bytes()[1:]
//A4, calculate k * P (point of Public Key) c2 := kdf.Kdf(sm3.New(), C2Bytes, len(msg))
x2, y2 := curve.ScalarMult(pub.X, pub.Y, k.Bytes())
//A5, calculate t=KDF(x2||y2, klen)
c2 := kdf.Kdf(sm3.New(), append(toBytes(curve, x2), toBytes(curve, y2)...), msgLen)
if subtle.ConstantTimeAllZero(c2) { if subtle.ConstantTimeAllZero(c2) {
retryCount++ retryCount++
if retryCount > maxRetryLimit { if retryCount > maxRetryLimit {
@ -307,26 +243,52 @@ func Encrypt(random io.Reader, pub *ecdsa.PublicKey, msg []byte, opts *Encrypter
} }
continue continue
} }
//A6, C2 = M + t; //A6, C2 = M + t;
subtle.XORBytes(c2, msg, c2) subtle.XORBytes(c2, msg, c2)
//A7, C3 = hash(x2||M||y2) //A7, C3 = hash(x2||M||y2)
c3 := calculateC3(curve, x2, y2, msg) md := sm3.New()
md.Write(C2Bytes[:len(C2Bytes)/2])
md.Write(msg)
md.Write(C2Bytes[len(C2Bytes)/2:])
c3 := md.Sum(nil)
if opts.CiphertextEncoding == ENCODING_PLAIN { if opts.CiphertextEncoding == ENCODING_PLAIN {
if opts.CiphertextSplicingOrder == C1C3C2 { return encodingCiphertext(opts, C1, c2, c3)
// c1 || c3 || c2
return append(append(c1, c3...), c2...), nil
}
// c1 || c2 || c3
return append(append(c1, c2...), c3...), nil
} }
// ASN.1 format will force C3 C2 order return encodingCiphertextASN1(C1, c2, c3)
return mashalASN1Ciphertext(x1, y1, c2, c3)
} }
} }
func encodingCiphertext(opts *EncrypterOpts, C1 *_sm2ec.SM2P256Point, c2, c3 []byte) ([]byte, error) {
var c1 []byte
switch opts.PointMarshalMode {
case MarshalCompressed:
c1 = C1.BytesCompressed()
default:
c1 = C1.Bytes()
}
if opts.CiphertextSplicingOrder == C1C3C2 {
// c1 || c3 || c2
return append(append(c1, c3...), c2...), nil
}
// c1 || c2 || c3
return append(append(c1, c2...), c3...), nil
}
func encodingCiphertextASN1(C1 *_sm2ec.SM2P256Point, c2, c3 []byte) ([]byte, error) {
c1 := C1.Bytes()
var b cryptobyte.Builder
b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
addASN1IntBytes(b, c1[1:len(c1)/2+1])
addASN1IntBytes(b, c1[len(c1)/2+1:])
b.AddASN1OctetString(c3)
b.AddASN1OctetString(c2)
})
return b.Bytes()
}
// GenerateKey generates a public and private key pair. // GenerateKey generates a public and private key pair.
func GenerateKey(rand io.Reader) (*PrivateKey, error) { func GenerateKey(rand io.Reader) (*PrivateKey, error) {
c := p256() c := p256()
@ -351,19 +313,36 @@ func Decrypt(priv *PrivateKey, ciphertext []byte) ([]byte, error) {
return decrypt(priv, ciphertext, nil) return decrypt(priv, ciphertext, nil)
} }
func decryptASN1(priv *PrivateKey, ciphertext []byte) ([]byte, error) { func decrypt(priv *PrivateKey, ciphertext []byte, opts *DecrypterOpts) ([]byte, error) {
x1, y1, c2, c3, err := unmarshalASN1Ciphertext(ciphertext) ciphertextLen := len(ciphertext)
if ciphertextLen <= 1+(priv.Params().BitSize/8)+sm3.Size {
return nil, errors.New("sm2: invalid ciphertext length")
}
switch priv.Curve.Params() {
case P256().Params():
return decryptSM2EC(p256(), priv, ciphertext, opts)
default:
return decryptLegacy(priv, ciphertext, opts)
}
}
func decryptSM2EC(c *sm2Curve, priv *PrivateKey, ciphertext []byte, opts *DecrypterOpts) ([]byte, error) {
C1, c2, c3, err := parseCiphertext(c, ciphertext, opts)
if err != nil {
return nil, err
}
d, err := bigmod.NewNat().SetBytes(priv.D.Bytes(), c.N)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return rawDecrypt(priv, x1, y1, c2, c3)
}
func rawDecrypt(priv *PrivateKey, x1, y1 *big.Int, c2, c3 []byte) ([]byte, error) { C2, err := C1.ScalarMult(C1, d.Bytes(c.N))
curve := priv.Curve if err != nil {
x2, y2 := curve.ScalarMult(x1, y1, priv.D.Bytes()) return nil, err
}
C2Bytes := C2.Bytes()[1:]
msgLen := len(c2) msgLen := len(c2)
msg := kdf.Kdf(sm3.New(), append(toBytes(curve, x2), toBytes(curve, y2)...), msgLen) msg := kdf.Kdf(sm3.New(), C2Bytes, msgLen)
if subtle.ConstantTimeAllZero(c2) { if subtle.ConstantTimeAllZero(c2) {
return nil, errors.New("sm2: invalid cipher text") return nil, errors.New("sm2: invalid cipher text")
} }
@ -371,167 +350,73 @@ func rawDecrypt(priv *PrivateKey, x1, y1 *big.Int, c2, c3 []byte) ([]byte, error
//B5, calculate msg = c2 ^ t //B5, calculate msg = c2 ^ t
subtle.XORBytes(msg, c2, msg) subtle.XORBytes(msg, c2, msg)
u := calculateC3(curve, x2, y2, msg) md := sm3.New()
for i := 0; i < sm3.Size; i++ { md.Write(C2Bytes[:len(C2Bytes)/2])
if c3[i] != u[i] { md.Write(msg)
return nil, errors.New("sm2: invalid hash value") md.Write(C2Bytes[len(C2Bytes)/2:])
} u := md.Sum(nil)
if _subtle.ConstantTimeCompare(u, c3) == 1 {
return msg, nil
} }
return msg, nil return nil, errors.New("sm2: invalid plaintext digest")
} }
func decrypt(priv *PrivateKey, ciphertext []byte, opts *DecrypterOpts) ([]byte, error) { func parseCiphertext(c *sm2Curve, ciphertext []byte, opts *DecrypterOpts) (*_sm2ec.SM2P256Point, []byte, []byte, error) {
bitSize := c.curve.Params().BitSize
// Encode the coordinates and let SetBytes reject invalid points.
byteLen := (bitSize + 7) / 8
splicingOrder := C1C3C2 splicingOrder := C1C3C2
if opts != nil { if opts != nil {
if opts.CiphertextEncoding == ENCODING_ASN1 {
return decryptASN1(priv, ciphertext)
}
splicingOrder = opts.CipherTextSplicingOrder splicingOrder = opts.CipherTextSplicingOrder
} }
if ciphertext[0] == 0x30 {
return decryptASN1(priv, ciphertext) b := ciphertext[0]
switch b {
case uncompressed:
if len(ciphertext) <= 1+2*byteLen {
return nil, nil, nil, errors.New("sm2: invalid ciphertext length")
}
C1, err := c.newPoint().SetBytes(ciphertext[:1+2*byteLen])
if err != nil {
return nil, nil, nil, err
}
c2, c3 := parseCiphertextC2C3(ciphertext[1+2*byteLen:], splicingOrder)
return C1, c2, c3, nil
case compressed02, compressed03:
if len(ciphertext) <= 1+byteLen {
return nil, nil, nil, errors.New("sm2: invalid ciphertext length")
}
C1, err := c.newPoint().SetBytes(ciphertext[:1+byteLen])
if err != nil {
return nil, nil, nil, err
}
c2, c3 := parseCiphertextC2C3(ciphertext[1+byteLen:], splicingOrder)
return C1, c2, c3, nil
case byte(0x30):
return parseCiphertextASN1(c, ciphertext)
default:
return nil, nil, nil, errors.New("sm2: invalid/unsupport ciphertext format")
} }
ciphertextLen := len(ciphertext) }
if ciphertextLen <= 1+(priv.Params().BitSize/8)+sm3.Size {
return nil, errors.New("sm2: invalid ciphertext length") func parseCiphertextC2C3(ciphertext []byte, order ciphertextSplicingOrder) ([]byte, []byte) {
if order == C1C3C2 {
return ciphertext[sm3.Size:], ciphertext[:sm3.Size]
} }
curve := priv.Curve return ciphertext[:len(ciphertext)-sm3.Size], ciphertext[len(ciphertext)-sm3.Size:]
// B1, get C1, and check C1 }
x1, y1, c3Start, err := bytes2Point(curve, ciphertext)
func parseCiphertextASN1(c *sm2Curve, ciphertext []byte) (*_sm2ec.SM2P256Point, []byte, []byte, error) {
x1, y1, c2, c3, err := unmarshalASN1Ciphertext(ciphertext)
if err != nil { if err != nil {
return nil, err return nil, nil, nil, err
} }
C1, err := c.pointFromAffine(x1, y1)
//B4, calculate t=KDF(x2||y2, klen)
var c2, c3 []byte
if splicingOrder == C1C3C2 {
c2 = ciphertext[c3Start+sm3.Size:]
c3 = ciphertext[c3Start : c3Start+sm3.Size]
} else {
c2 = ciphertext[c3Start : ciphertextLen-sm3.Size]
c3 = ciphertext[ciphertextLen-sm3.Size:]
}
return rawDecrypt(priv, x1, y1, c2, c3)
}
func unmarshalASN1Ciphertext(ciphertext []byte) (*big.Int, *big.Int, []byte, []byte, error) {
var (
x1, y1 = &big.Int{}, &big.Int{}
c2, c3 []byte
inner cryptobyte.String
)
input := cryptobyte.String(ciphertext)
if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
!input.Empty() ||
!inner.ReadASN1Integer(x1) ||
!inner.ReadASN1Integer(y1) ||
!inner.ReadASN1Bytes(&c3, asn1.OCTET_STRING) ||
!inner.ReadASN1Bytes(&c2, asn1.OCTET_STRING) ||
!inner.Empty() {
return nil, nil, nil, nil, errors.New("sm2: invalid asn1 format ciphertext")
}
return x1, y1, c2, c3, nil
}
// ASN1Ciphertext2Plain utility method to convert ASN.1 encoding ciphertext to plain encoding format
func ASN1Ciphertext2Plain(ciphertext []byte, opts *EncrypterOpts) ([]byte, error) {
if opts == nil {
opts = defaultEncrypterOpts
}
x1, y1, c2, c3, err := unmarshalASN1Ciphertext((ciphertext))
if err != nil { if err != nil {
return nil, err return nil, nil, nil, err
} }
curve := sm2ec.P256() return C1, c2, c3, nil
c1 := opts.PointMarshalMode.mashal(curve, x1, y1)
if opts.CiphertextSplicingOrder == C1C3C2 {
// c1 || c3 || c2
return append(append(c1, c3...), c2...), nil
}
// c1 || c2 || c3
return append(append(c1, c2...), c3...), nil
}
// PlainCiphertext2ASN1 utility method to convert plain encoding ciphertext to ASN.1 encoding format
func PlainCiphertext2ASN1(ciphertext []byte, from ciphertextSplicingOrder) ([]byte, error) {
if ciphertext[0] == 0x30 {
return nil, errors.New("sm2: invalid plain encoding ciphertext")
}
curve := sm2ec.P256()
ciphertextLen := len(ciphertext)
if ciphertextLen <= 1+(curve.Params().BitSize/8)+sm3.Size {
return nil, errors.New("sm2: invalid ciphertext length")
}
// get C1, and check C1
x1, y1, c3Start, err := bytes2Point(curve, ciphertext)
if err != nil {
return nil, err
}
var c2, c3 []byte
if from == C1C3C2 {
c2 = ciphertext[c3Start+sm3.Size:]
c3 = ciphertext[c3Start : c3Start+sm3.Size]
} else {
c2 = ciphertext[c3Start : ciphertextLen-sm3.Size]
c3 = ciphertext[ciphertextLen-sm3.Size:]
}
return mashalASN1Ciphertext(x1, y1, c2, c3)
}
// AdjustCiphertextSplicingOrder utility method to change c2 c3 order
func AdjustCiphertextSplicingOrder(ciphertext []byte, from, to ciphertextSplicingOrder) ([]byte, error) {
curve := sm2ec.P256()
if from == to {
return ciphertext, nil
}
ciphertextLen := len(ciphertext)
if ciphertextLen <= 1+(curve.Params().BitSize/8)+sm3.Size {
return nil, errors.New("sm2: invalid ciphertext length")
}
// get C1, and check C1
_, _, c3Start, err := bytes2Point(curve, ciphertext)
if err != nil {
return nil, err
}
var c1, c2, c3 []byte
c1 = ciphertext[:c3Start]
if from == C1C3C2 {
c2 = ciphertext[c3Start+sm3.Size:]
c3 = ciphertext[c3Start : c3Start+sm3.Size]
} else {
c2 = ciphertext[c3Start : ciphertextLen-sm3.Size]
c3 = ciphertext[ciphertextLen-sm3.Size:]
}
result := make([]byte, ciphertextLen)
copy(result, c1)
if to == C1C3C2 {
// c1 || c3 || c2
copy(result[c3Start:], c3)
copy(result[c3Start+sm3.Size:], c2)
} else {
// c1 || c2 || c3
copy(result[c3Start:], c2)
copy(result[ciphertextLen-sm3.Size:], c3)
}
return result, nil
}
// fermatInverse calculates the inverse of k in GF(P) using Fermat's method
// (exponentiation modulo P - 2, per Euler's theorem). This has better
// constant-time properties than Euclid's method (implemented in
// math/big.Int.ModInverse and FIPS 186-4, Appendix C.1) although math/big
// itself isn't strictly constant-time so it's not perfect.
func fermatInverse(k, N *big.Int) *big.Int {
two := big.NewInt(2)
nMinus2 := new(big.Int).Sub(N, two)
return new(big.Int).Exp(k, nMinus2, N)
} }
var defaultUID = []byte{0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38} var defaultUID = []byte{0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38}
@ -955,8 +840,8 @@ func randomPoint(c *sm2Curve, rand io.Reader) (k *bigmod.Nat, p *_sm2ec.SM2P256P
if excess := len(b)*8 - c.N.BitLen(); excess > 0 { if excess := len(b)*8 - c.N.BitLen(); excess > 0 {
// Just to be safe, assert that this only happens for the one curve that // Just to be safe, assert that this only happens for the one curve that
// doesn't have a round number of bits. // doesn't have a round number of bits.
if excess != 0 && c.curve.Params().Name != "P-521" { if excess != 0 {
panic("ecdsa: internal error: unexpectedly masking off bits") panic("sm2: internal error: unexpectedly masking off bits")
} }
b[0] >>= excess b[0] >>= excess
} }

302
sm2/sm2_legacy.go
View File

@ -3,10 +3,17 @@ package sm2
import ( import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
_subtle "crypto/subtle"
"errors" "errors"
"fmt"
"io" "io"
"math/big" "math/big"
"strings"
"github.com/emmansun/gmsm/internal/subtle"
"github.com/emmansun/gmsm/kdf"
"github.com/emmansun/gmsm/sm2/sm2ec"
"github.com/emmansun/gmsm/sm3"
"golang.org/x/crypto/cryptobyte" "golang.org/x/crypto/cryptobyte"
"golang.org/x/crypto/cryptobyte/asn1" "golang.org/x/crypto/cryptobyte/asn1"
) )
@ -119,6 +126,17 @@ func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, er
return encodeSignature(r.Bytes(), s.Bytes()) return encodeSignature(r.Bytes(), s.Bytes())
} }
// fermatInverse calculates the inverse of k in GF(P) using Fermat's method
// (exponentiation modulo P - 2, per Euler's theorem). This has better
// constant-time properties than Euclid's method (implemented in
// math/big.Int.ModInverse and FIPS 186-4, Appendix C.1) although math/big
// itself isn't strictly constant-time so it's not perfect.
func fermatInverse(k, N *big.Int) *big.Int {
two := big.NewInt(2)
nMinus2 := new(big.Int).Sub(N, two)
return new(big.Int).Exp(k, nMinus2, N)
}
// SignWithSM2 follow sm2 dsa standards for hash part, compliance with GB/T 32918.2-2016. // SignWithSM2 follow sm2 dsa standards for hash part, compliance with GB/T 32918.2-2016.
func SignWithSM2(rand io.Reader, priv *ecdsa.PrivateKey, uid, msg []byte) (r, s *big.Int, err error) { func SignWithSM2(rand io.Reader, priv *ecdsa.PrivateKey, uid, msg []byte) (r, s *big.Int, err error) {
digest, err := calculateSM2Hash(&priv.PublicKey, msg, uid) digest, err := calculateSM2Hash(&priv.PublicKey, msg, uid)
@ -215,3 +233,287 @@ func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error)
} }
} }
} }
func encryptLegacy(random io.Reader, pub *ecdsa.PublicKey, msg []byte, opts *EncrypterOpts) ([]byte, error) {
curve := pub.Curve
msgLen := len(msg)
var retryCount int = 0
for {
//A1, generate random k
k, err := randFieldElement(curve, random)
if err != nil {
return nil, err
}
//A2, calculate C1 = k * G
x1, y1 := curve.ScalarBaseMult(k.Bytes())
c1 := opts.PointMarshalMode.mashal(curve, x1, y1)
//A4, calculate k * P (point of Public Key)
x2, y2 := curve.ScalarMult(pub.X, pub.Y, k.Bytes())
//A5, calculate t=KDF(x2||y2, klen)
c2 := kdf.Kdf(sm3.New(), append(toBytes(curve, x2), toBytes(curve, y2)...), msgLen)
if subtle.ConstantTimeAllZero(c2) {
retryCount++
if retryCount > maxRetryLimit {
return nil, fmt.Errorf("sm2: A5, failed to calculate valid t, tried %v times", retryCount)
}
continue
}
//A6, C2 = M + t;
subtle.XORBytes(c2, msg, c2)
//A7, C3 = hash(x2||M||y2)
c3 := calculateC3(curve, x2, y2, msg)
if opts.CiphertextEncoding == ENCODING_PLAIN {
if opts.CiphertextSplicingOrder == C1C3C2 {
// c1 || c3 || c2
return append(append(c1, c3...), c2...), nil
}
// c1 || c2 || c3
return append(append(c1, c2...), c3...), nil
}
// ASN.1 format will force C3 C2 order
return mashalASN1Ciphertext(x1, y1, c2, c3)
}
}
func calculateC3(curve elliptic.Curve, x2, y2 *big.Int, msg []byte) []byte {
md := sm3.New()
md.Write(toBytes(curve, x2))
md.Write(msg)
md.Write(toBytes(curve, y2))
return md.Sum(nil)
}
func mashalASN1Ciphertext(x1, y1 *big.Int, c2, c3 []byte) ([]byte, error) {
var b cryptobyte.Builder
b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
b.AddASN1BigInt(x1)
b.AddASN1BigInt(y1)
b.AddASN1OctetString(c3)
b.AddASN1OctetString(c2)
})
return b.Bytes()
}
func unmarshalASN1Ciphertext(ciphertext []byte) (*big.Int, *big.Int, []byte, []byte, error) {
var (
x1, y1 = &big.Int{}, &big.Int{}
c2, c3 []byte
inner cryptobyte.String
)
input := cryptobyte.String(ciphertext)
if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
!input.Empty() ||
!inner.ReadASN1Integer(x1) ||
!inner.ReadASN1Integer(y1) ||
!inner.ReadASN1Bytes(&c3, asn1.OCTET_STRING) ||
!inner.ReadASN1Bytes(&c2, asn1.OCTET_STRING) ||
!inner.Empty() {
return nil, nil, nil, nil, errors.New("sm2: invalid asn1 format ciphertext")
}
return x1, y1, c2, c3, nil
}
// ASN1Ciphertext2Plain utility method to convert ASN.1 encoding ciphertext to plain encoding format
func ASN1Ciphertext2Plain(ciphertext []byte, opts *EncrypterOpts) ([]byte, error) {
if opts == nil {
opts = defaultEncrypterOpts
}
x1, y1, c2, c3, err := unmarshalASN1Ciphertext((ciphertext))
if err != nil {
return nil, err
}
curve := sm2ec.P256()
c1 := opts.PointMarshalMode.mashal(curve, x1, y1)
if opts.CiphertextSplicingOrder == C1C3C2 {
// c1 || c3 || c2
return append(append(c1, c3...), c2...), nil
}
// c1 || c2 || c3
return append(append(c1, c2...), c3...), nil
}
// PlainCiphertext2ASN1 utility method to convert plain encoding ciphertext to ASN.1 encoding format
func PlainCiphertext2ASN1(ciphertext []byte, from ciphertextSplicingOrder) ([]byte, error) {
if ciphertext[0] == 0x30 {
return nil, errors.New("sm2: invalid plain encoding ciphertext")
}
curve := sm2ec.P256()
ciphertextLen := len(ciphertext)
if ciphertextLen <= 1+(curve.Params().BitSize/8)+sm3.Size {
return nil, errors.New("sm2: invalid ciphertext length")
}
// get C1, and check C1
x1, y1, c3Start, err := bytes2Point(curve, ciphertext)
if err != nil {
return nil, err
}
var c2, c3 []byte
if from == C1C3C2 {
c2 = ciphertext[c3Start+sm3.Size:]
c3 = ciphertext[c3Start : c3Start+sm3.Size]
} else {
c2 = ciphertext[c3Start : ciphertextLen-sm3.Size]
c3 = ciphertext[ciphertextLen-sm3.Size:]
}
return mashalASN1Ciphertext(x1, y1, c2, c3)
}
// AdjustCiphertextSplicingOrder utility method to change c2 c3 order
func AdjustCiphertextSplicingOrder(ciphertext []byte, from, to ciphertextSplicingOrder) ([]byte, error) {
curve := sm2ec.P256()
if from == to {
return ciphertext, nil
}
ciphertextLen := len(ciphertext)
if ciphertextLen <= 1+(curve.Params().BitSize/8)+sm3.Size {
return nil, errors.New("sm2: invalid ciphertext length")
}
// get C1, and check C1
_, _, c3Start, err := bytes2Point(curve, ciphertext)
if err != nil {
return nil, err
}
var c1, c2, c3 []byte
c1 = ciphertext[:c3Start]
if from == C1C3C2 {
c2 = ciphertext[c3Start+sm3.Size:]
c3 = ciphertext[c3Start : c3Start+sm3.Size]
} else {
c2 = ciphertext[c3Start : ciphertextLen-sm3.Size]
c3 = ciphertext[ciphertextLen-sm3.Size:]
}
result := make([]byte, ciphertextLen)
copy(result, c1)
if to == C1C3C2 {
// c1 || c3 || c2
copy(result[c3Start:], c3)
copy(result[c3Start+sm3.Size:], c2)
} else {
// c1 || c2 || c3
copy(result[c3Start:], c2)
copy(result[ciphertextLen-sm3.Size:], c3)
}
return result, nil
}
func decryptASN1(priv *PrivateKey, ciphertext []byte) ([]byte, error) {
x1, y1, c2, c3, err := unmarshalASN1Ciphertext(ciphertext)
if err != nil {
return nil, err
}
return rawDecrypt(priv, x1, y1, c2, c3)
}
func rawDecrypt(priv *PrivateKey, x1, y1 *big.Int, c2, c3 []byte) ([]byte, error) {
curve := priv.Curve
x2, y2 := curve.ScalarMult(x1, y1, priv.D.Bytes())
msgLen := len(c2)
msg := kdf.Kdf(sm3.New(), append(toBytes(curve, x2), toBytes(curve, y2)...), msgLen)
if subtle.ConstantTimeAllZero(c2) {
return nil, errors.New("sm2: invalid cipher text")
}
//B5, calculate msg = c2 ^ t
subtle.XORBytes(msg, c2, msg)
u := calculateC3(curve, x2, y2, msg)
if _subtle.ConstantTimeCompare(u, c3) == 1 {
return msg, nil
}
return nil, errors.New("sm2: invalid plaintext digest")
}
func decryptLegacy(priv *PrivateKey, ciphertext []byte, opts *DecrypterOpts) ([]byte, error) {
splicingOrder := C1C3C2
if opts != nil {
if opts.CiphertextEncoding == ENCODING_ASN1 {
return decryptASN1(priv, ciphertext)
}
splicingOrder = opts.CipherTextSplicingOrder
}
if ciphertext[0] == 0x30 {
return decryptASN1(priv, ciphertext)
}
ciphertextLen := len(ciphertext)
curve := priv.Curve
// B1, get C1, and check C1
x1, y1, c3Start, err := bytes2Point(curve, ciphertext)
if err != nil {
return nil, err
}
//B4, calculate t=KDF(x2||y2, klen)
var c2, c3 []byte
if splicingOrder == C1C3C2 {
c2 = ciphertext[c3Start+sm3.Size:]
c3 = ciphertext[c3Start : c3Start+sm3.Size]
} else {
c2 = ciphertext[c3Start : ciphertextLen-sm3.Size]
c3 = ciphertext[ciphertextLen-sm3.Size:]
}
return rawDecrypt(priv, x1, y1, c2, c3)
}
func bytes2Point(curve elliptic.Curve, bytes []byte) (*big.Int, *big.Int, int, error) {
if len(bytes) < 1+(curve.Params().BitSize/8) {
return nil, nil, 0, fmt.Errorf("sm2: invalid bytes length %d", len(bytes))
}
format := bytes[0]
byteLen := (curve.Params().BitSize + 7) >> 3
switch format {
case uncompressed, hybrid06, hybrid07: // what's the hybrid format purpose?
if len(bytes) < 1+byteLen*2 {
return nil, nil, 0, fmt.Errorf("sm2: invalid point uncompressed/hybrid form bytes length %d", len(bytes))
}
data := make([]byte, 1+byteLen*2)
data[0] = uncompressed
copy(data[1:], bytes[1:1+byteLen*2])
x, y := sm2ec.Unmarshal(curve, data)
if x == nil || y == nil {
return nil, nil, 0, fmt.Errorf("sm2: point is not on curve %s", curve.Params().Name)
}
return x, y, 1 + byteLen*2, nil
case compressed02, compressed03:
if len(bytes) < 1+byteLen {
return nil, nil, 0, fmt.Errorf("sm2: invalid point compressed form bytes length %d", len(bytes))
}
// Make sure it's NIST curve or SM2 P-256 curve
if strings.HasPrefix(curve.Params().Name, "P-") || strings.EqualFold(curve.Params().Name, sm2ec.P256().Params().Name) {
// y² = x³ - 3x + b, prime curves
x, y := sm2ec.UnmarshalCompressed(curve, bytes[:1+byteLen])
if x == nil || y == nil {
return nil, nil, 0, fmt.Errorf("sm2: point is not on curve %s", curve.Params().Name)
}
return x, y, 1 + byteLen, nil
}
return nil, nil, 0, fmt.Errorf("sm2: unsupport point form %d, curve %s", format, curve.Params().Name)
}
return nil, nil, 0, fmt.Errorf("sm2: unknown point form %d", format)
}
func (mode pointMarshalMode) mashal(curve elliptic.Curve, x, y *big.Int) []byte {
switch mode {
case MarshalCompressed:
return elliptic.MarshalCompressed(curve, x, y)
case MarshalHybrid:
buffer := elliptic.Marshal(curve, x, y)
buffer[0] = byte(y.Bit(0)) | hybrid06
return buffer
default:
return elliptic.Marshal(curve, x, y)
}
}

52
sm2/sm2_test.go
View File

@ -67,32 +67,39 @@ func Test_SplicingOrder(t *testing.T) {
func Test_encryptDecrypt_ASN1(t *testing.T) { func Test_encryptDecrypt_ASN1(t *testing.T) {
priv, _ := GenerateKey(rand.Reader) priv, _ := GenerateKey(rand.Reader)
priv2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
key2 := new(PrivateKey)
key2.PrivateKey = *priv2
tests := []struct { tests := []struct {
name string name string
plainText string plainText string
priv *PrivateKey
}{ }{
// TODO: Add test cases. // TODO: Add test cases.
{"less than 32", "encryption standard"}, {"less than 32", "encryption standard", priv},
{"equals 32", "encryption standard encryption "}, {"equals 32", "encryption standard encryption ", priv},
{"long than 32", "encryption standard encryption standard"}, {"long than 32", "encryption standard encryption standard", priv},
{"less than 32", "encryption standard", key2},
{"equals 32", "encryption standard encryption ", key2},
{"long than 32", "encryption standard encryption standard", key2},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
encrypterOpts := ASN1EncrypterOpts encrypterOpts := ASN1EncrypterOpts
ciphertext, err := Encrypt(rand.Reader, &priv.PublicKey, []byte(tt.plainText), encrypterOpts) ciphertext, err := Encrypt(rand.Reader, &tt.priv.PublicKey, []byte(tt.plainText), encrypterOpts)
if err != nil { if err != nil {
t.Fatalf("encrypt failed %v", err) t.Fatalf("%v encrypt failed %v", tt.priv.Curve.Params().Name, err)
} }
plaintext, err := priv.Decrypt(rand.Reader, ciphertext, ASN1DecrypterOpts) plaintext, err := tt.priv.Decrypt(rand.Reader, ciphertext, ASN1DecrypterOpts)
if err != nil { if err != nil {
t.Fatalf("decrypt failed %v", err) t.Fatalf("%v decrypt 1 failed %v", tt.priv.Curve.Params().Name, err)
} }
if !reflect.DeepEqual(string(plaintext), tt.plainText) { if !reflect.DeepEqual(string(plaintext), tt.plainText) {
t.Errorf("Decrypt() = %v, want %v", string(plaintext), tt.plainText) t.Errorf("Decrypt() = %v, want %v", string(plaintext), tt.plainText)
} }
plaintext, err = priv.Decrypt(rand.Reader, ciphertext, ASN1DecrypterOpts) plaintext, err = tt.priv.Decrypt(rand.Reader, ciphertext, ASN1DecrypterOpts)
if err != nil { if err != nil {
t.Fatalf("decrypt failed %v", err) t.Fatalf("%v decrypt 2 failed %v", tt.priv.Curve.Params().Name, err)
} }
if !reflect.DeepEqual(string(plaintext), tt.plainText) { if !reflect.DeepEqual(string(plaintext), tt.plainText) {
t.Errorf("Decrypt() = %v, want %v", string(plaintext), tt.plainText) t.Errorf("Decrypt() = %v, want %v", string(plaintext), tt.plainText)
@ -218,22 +225,29 @@ func Test_ASN1Ciphertext2Plain(t *testing.T) {
func Test_encryptDecrypt(t *testing.T) { func Test_encryptDecrypt(t *testing.T) {
priv, _ := GenerateKey(rand.Reader) priv, _ := GenerateKey(rand.Reader)
priv2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
key2 := new(PrivateKey)
key2.PrivateKey = *priv2
tests := []struct { tests := []struct {
name string name string
plainText string plainText string
priv *PrivateKey
}{ }{
// TODO: Add test cases. // TODO: Add test cases.
{"less than 32", "encryption standard"}, {"less than 32", "encryption standard", priv},
{"equals 32", "encryption standard encryption "}, {"equals 32", "encryption standard encryption ", priv},
{"long than 32", "encryption standard encryption standard"}, {"long than 32", "encryption standard encryption standard", priv},
{"less than 32", "encryption standard", key2},
{"equals 32", "encryption standard encryption ", key2},
{"long than 32", "encryption standard encryption standard", key2},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ciphertext, err := Encrypt(rand.Reader, &priv.PublicKey, []byte(tt.plainText), nil) ciphertext, err := Encrypt(rand.Reader, &tt.priv.PublicKey, []byte(tt.plainText), nil)
if err != nil { if err != nil {
t.Fatalf("encrypt failed %v", err) t.Fatalf("encrypt failed %v", err)
} }
plaintext, err := Decrypt(priv, ciphertext) plaintext, err := Decrypt(tt.priv, ciphertext)
if err != nil { if err != nil {
t.Fatalf("decrypt failed %v", err) t.Fatalf("decrypt failed %v", err)
} }
@ -242,11 +256,11 @@ func Test_encryptDecrypt(t *testing.T) {
} }
// compress mode // compress mode
encrypterOpts := NewPlainEncrypterOpts(MarshalCompressed, C1C3C2) encrypterOpts := NewPlainEncrypterOpts(MarshalCompressed, C1C3C2)
ciphertext, err = Encrypt(rand.Reader, &priv.PublicKey, []byte(tt.plainText), encrypterOpts) ciphertext, err = Encrypt(rand.Reader, &tt.priv.PublicKey, []byte(tt.plainText), encrypterOpts)
if err != nil { if err != nil {
t.Fatalf("encrypt failed %v", err) t.Fatalf("encrypt failed %v", err)
} }
plaintext, err = Decrypt(priv, ciphertext) plaintext, err = Decrypt(tt.priv, ciphertext)
if err != nil { if err != nil {
t.Fatalf("decrypt failed %v", err) t.Fatalf("decrypt failed %v", err)
} }
@ -256,18 +270,18 @@ func Test_encryptDecrypt(t *testing.T) {
// hybrid mode // hybrid mode
encrypterOpts = NewPlainEncrypterOpts(MarshalHybrid, C1C3C2) encrypterOpts = NewPlainEncrypterOpts(MarshalHybrid, C1C3C2)
ciphertext, err = Encrypt(rand.Reader, &priv.PublicKey, []byte(tt.plainText), encrypterOpts) ciphertext, err = Encrypt(rand.Reader, &tt.priv.PublicKey, []byte(tt.plainText), encrypterOpts)
if err != nil { if err != nil {
t.Fatalf("encrypt failed %v", err) t.Fatalf("encrypt failed %v", err)
} }
plaintext, err = Decrypt(priv, ciphertext) plaintext, err = Decrypt(tt.priv, ciphertext)
if err != nil { if err != nil {
t.Fatalf("decrypt failed %v", err) t.Fatalf("decrypt failed %v", err)
} }
if !reflect.DeepEqual(string(plaintext), tt.plainText) { if !reflect.DeepEqual(string(plaintext), tt.plainText) {
t.Errorf("Decrypt() = %v, want %v", string(plaintext), tt.plainText) t.Errorf("Decrypt() = %v, want %v", string(plaintext), tt.plainText)
} }
plaintext, err = Decrypt(priv, ciphertext) plaintext, err = Decrypt(tt.priv, ciphertext)
if err != nil { if err != nil {
t.Fatalf("decrypt failed %v", err) t.Fatalf("decrypt failed %v", err)
} }