5230455705

Committed 10 Jun 2023 02:30PM UTC coverage: 91.715% (-0.03%) from 91.746%

Build # 5230455705

Build Type

push

github

Committed by

randombit

Commit Message

Merge GH #3584 Change clang-format AllowShortFunctionsOnASingleLine config from All to Inline

Run Details

77182 of 84154 relevant lines covered (91.72%)

11975295.43 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.87

/src/lib/pubkey/sm2/sm2.cpp

/*
* SM2 Signatures
* (C) 2017,2018 Ribose Inc
* (C) 2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/sm2.h>

#include <botan/hash.h>
#include <botan/numthry.h>
#include <botan/internal/keypair.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/parsing.h>
#include <botan/internal/pk_ops_impl.h>
#include <botan/internal/point_mul.h>

namespace Botan {

std::string SM2_PublicKey::algo_name() const {
   return "SM2";
}

std::unique_ptr<Public_Key> SM2_PrivateKey::public_key() const {
   return std::make_unique<SM2_Signature_PublicKey>(domain(), public_point());
}

bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {
   if(!public_point().on_the_curve()) {
      return false;
   }

   if(!strong) {
      return true;
   }

   return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");
}

SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) :
      EC_PrivateKey(alg_id, key_bits) {
   m_da_inv = domain().inverse_mod_order(m_private_key + 1);
}

SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng, const EC_Group& domain, const BigInt& x) :
      EC_PrivateKey(rng, domain, x) {
   m_da_inv = domain.inverse_mod_order(m_private_key + 1);
}

std::vector<uint8_t> sm2_compute_za(HashFunction& hash,
                                    std::string_view user_id,
                                    const EC_Group& domain,
                                    const EC_Point& pubkey) {
   if(user_id.size() >= 8192) {
      throw Invalid_Argument("SM2 user id too long to represent");
   }

   const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());

   hash.update(get_byte<0>(uid_len));
   hash.update(get_byte<1>(uid_len));
   hash.update(user_id);

   const size_t p_bytes = domain.get_p_bytes();

   hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
   hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
   hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
   hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
   hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
   hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));

   std::vector<uint8_t> za(hash.output_length());
   hash.final(za.data());

   return za;
}

namespace {

/**
* SM2 signature operation
*/
class SM2_Signature_Operation final : public PK_Ops::Signature {
   public:
      SM2_Signature_Operation(const SM2_PrivateKey& sm2, std::string_view ident, std::string_view hash) :
            m_group(sm2.domain()), m_x(sm2.private_value()), m_da_inv(sm2.get_da_inv()) {
         if(hash == "Raw") {
            // m_hash is null, m_za is empty
         } else {
            m_hash = HashFunction::create_or_throw(hash);
            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
            m_hash->update(m_za);
         }
      }

      size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }

      void update(const uint8_t msg[], size_t msg_len) override {
         if(m_hash) {
            m_hash->update(msg, msg_len);
         } else {
            m_digest.insert(m_digest.end(), msg, msg + msg_len);
         }
      }

      secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;

      std::string hash_function() const override { return m_hash->name(); }

   private:
      const EC_Group m_group;
      const BigInt& m_x;
      const BigInt& m_da_inv;

      std::vector<uint8_t> m_za;
      secure_vector<uint8_t> m_digest;
      std::unique_ptr<HashFunction> m_hash;
      std::vector<BigInt> m_ws;
};

secure_vector<uint8_t> SM2_Signature_Operation::sign(RandomNumberGenerator& rng) {
   BigInt e;
   if(m_hash) {
      e = BigInt::decode(m_hash->final());
      // prepend ZA for next signature if any
      m_hash->update(m_za);
   } else {
      e = BigInt::decode(m_digest);
      m_digest.clear();
   }

   const BigInt k = m_group.random_scalar(rng);

   const BigInt r = m_group.mod_order(m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);
   const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r * m_x));

   return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());
}

/**
* SM2 verification operation
*/
class SM2_Verification_Operation final : public PK_Ops::Verification {
   public:
      SM2_Verification_Operation(const SM2_PublicKey& sm2, std::string_view ident, std::string_view hash) :
            m_group(sm2.domain()), m_gy_mul(m_group.get_base_point(), sm2.public_point()) {
         if(hash == "Raw") {
            // m_hash is null, m_za is empty
         } else {
            m_hash = HashFunction::create_or_throw(hash);
            // ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
            m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());
            m_hash->update(m_za);
         }
      }

      void update(const uint8_t msg[], size_t msg_len) override {
         if(m_hash) {
            m_hash->update(msg, msg_len);
         } else {
            m_digest.insert(m_digest.end(), msg, msg + msg_len);
         }
      }

      bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;

      std::string hash_function() const override { return m_hash->name(); }

   private:
      const EC_Group m_group;
      const EC_Point_Multi_Point_Precompute m_gy_mul;
      secure_vector<uint8_t> m_digest;
      std::vector<uint8_t> m_za;
      std::unique_ptr<HashFunction> m_hash;
};

bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) {
   BigInt e;
   if(m_hash) {
      e = BigInt::decode(m_hash->final());
      // prepend ZA for next signature if any
      m_hash->update(m_za);
   } else {
      e = BigInt::decode(m_digest);
      m_digest.clear();
   }

   if(sig_len != m_group.get_order().bytes() * 2) {
      return false;
   }

   const BigInt r(sig, sig_len / 2);
   const BigInt s(sig + sig_len / 2, sig_len / 2);

   if(r <= 0 || r >= m_group.get_order() || s <= 0 || s >= m_group.get_order()) {
      return false;
   }

   const BigInt t = m_group.mod_order(r + s);

   if(t == 0) {
      return false;
   }

   const EC_Point R = m_gy_mul.multi_exp(s, t);

   // ???
   if(R.is_zero()) {
      return false;
   }

   return (m_group.mod_order(R.get_affine_x() + e) == r);
}

void parse_sm2_param_string(std::string_view params, std::string& userid, std::string& hash) {
   // GM/T 0009-2012 specifies this as the default userid
   const std::string default_userid = "1234567812345678";

   // defaults:
   userid = default_userid;
   hash = "SM3";

   /*
   * SM2 parameters have the following possible formats:
   * Ident [since 2.2.0]
   * Ident,Hash [since 2.3.0]
   */

   auto comma = params.find(',');
   if(comma == std::string::npos) {
      userid = params;
   } else {
      userid = params.substr(0, comma);
      hash = params.substr(comma + 1, std::string::npos);
   }
}

}  // namespace

std::unique_ptr<PK_Ops::Verification> SM2_PublicKey::create_verification_op(std::string_view params,
                                                                            std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      std::string userid, hash;
      parse_sm2_param_string(params, userid, hash);
      return std::make_unique<SM2_Verification_Operation>(*this, userid, hash);
   }

   throw Provider_Not_Found(algo_name(), provider);
}

std::unique_ptr<PK_Ops::Signature> SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
                                                                       std::string_view params,
                                                                       std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      std::string userid, hash;
      parse_sm2_param_string(params, userid, hash);
      return std::make_unique<SM2_Signature_Operation>(*this, userid, hash);
   }

   throw Provider_Not_Found(algo_name(), provider);
}

}  // namespace Botan

1	/*
2	* SM2 Signatures
3	* (C) 2017,2018 Ribose Inc
4	* (C) 2018 Jack Lloyd
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/sm2.h>
10
11	#include <botan/hash.h>
12	#include <botan/numthry.h>
13	#include <botan/internal/keypair.h>
14	#include <botan/internal/loadstor.h>
15	#include <botan/internal/parsing.h>
16	#include <botan/internal/pk_ops_impl.h>
17	#include <botan/internal/point_mul.h>
18
19	namespace Botan {
20
21	std::string SM2_PublicKey::algo_name() const {	189✔
22	return "SM2";	189✔
23	}
24
25	std::unique_ptr<Public_Key> SM2_PrivateKey::public_key() const {	5✔
26	return std::make_unique<SM2_Signature_PublicKey>(domain(), public_point());	5✔
27	}
28
29	bool SM2_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) const {	4✔
30	if(!public_point().on_the_curve()) {	4✔
31	return false;
32	}
33
34	if(!strong) {	4✔
35	return true;
36	}
37
38	return KeyPair::signature_consistency_check(rng, *this, "user@example.com,SM3");	2✔
39	}
40
41	SM2_PrivateKey::SM2_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) :	20✔
42	EC_PrivateKey(alg_id, key_bits) {	20✔
43	m_da_inv = domain().inverse_mod_order(m_private_key + 1);	40✔
44	}	20✔
45
46	SM2_PrivateKey::SM2_PrivateKey(RandomNumberGenerator& rng, const EC_Group& domain, const BigInt& x) :	26✔
47	EC_PrivateKey(rng, domain, x) {	26✔
48	m_da_inv = domain.inverse_mod_order(m_private_key + 1);	52✔
49	}	26✔
50
51	std::vector<uint8_t> sm2_compute_za(HashFunction& hash,	36✔
52	std::string_view user_id,
53	const EC_Group& domain,
54	const EC_Point& pubkey) {
55	if(user_id.size() >= 8192) {	36✔
56	throw Invalid_Argument("SM2 user id too long to represent");	×
57	}
58
59	const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());	36✔
60
61	hash.update(get_byte<0>(uid_len));	36✔
62	hash.update(get_byte<1>(uid_len));	36✔
63	hash.update(user_id);	36✔
64
65	const size_t p_bytes = domain.get_p_bytes();	36✔
66
67	hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));	36✔
68	hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));	36✔
69	hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));	36✔
70	hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));	36✔
71	hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));	72✔
72	hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));	72✔
73
74	std::vector<uint8_t> za(hash.output_length());	36✔
75	hash.final(za.data());	36✔
76
77	return za;	36✔
78	}	×
79
80	namespace {
81
82	/**
83	* SM2 signature operation
84	*/
85	class SM2_Signature_Operation final : public PK_Ops::Signature {	×
86	public:
87	SM2_Signature_Operation(const SM2_PrivateKey& sm2, std::string_view ident, std::string_view hash) :	18✔
88	m_group(sm2.domain()), m_x(sm2.private_value()), m_da_inv(sm2.get_da_inv()) {	18✔
89	if(hash == "Raw") {	33✔
90	// m_hash is null, m_za is empty
91	} else {
92	m_hash = HashFunction::create_or_throw(hash);	17✔
93	// ZA=H256(ENTLA \|\| IDA \|\| a \|\| b \|\| xG \|\| yG \|\| xA \|\| yA)
94	m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());	17✔
95	m_hash->update(m_za);	17✔
96	}
97	}	18✔
98
99	size_t signature_length() const override { return 2 * m_group.get_order_bytes(); }	10✔
100
101	void update(const uint8_t msg[], size_t msg_len) override {	19✔
102	if(m_hash) {	19✔
103	m_hash->update(msg, msg_len);	18✔
104	} else {
105	m_digest.insert(m_digest.end(), msg, msg + msg_len);	1✔
106	}
107	}	19✔
108
109	secure_vector<uint8_t> sign(RandomNumberGenerator& rng) override;
110
111	std::string hash_function() const override { return m_hash->name(); }	×
112
113	private:
114	const EC_Group m_group;
115	const BigInt& m_x;
116	const BigInt& m_da_inv;
117
118	std::vector<uint8_t> m_za;
119	secure_vector<uint8_t> m_digest;
120	std::unique_ptr<HashFunction> m_hash;
121	std::vector<BigInt> m_ws;
122	};
123
124	secure_vector<uint8_t> SM2_Signature_Operation::sign(RandomNumberGenerator& rng) {	20✔
125	BigInt e;	20✔
126	if(m_hash) {	20✔
127	e = BigInt::decode(m_hash->final());	38✔
128	// prepend ZA for next signature if any
129	m_hash->update(m_za);	19✔
130	} else {
131	e = BigInt::decode(m_digest);	2✔
132	m_digest.clear();	1✔
133	}
134
135	const BigInt k = m_group.random_scalar(rng);	20✔
136
137	const BigInt r = m_group.mod_order(m_group.blinded_base_point_multiply_x(k, rng, m_ws) + e);	40✔
138	const BigInt s = m_group.multiply_mod_order(m_da_inv, m_group.mod_order(k - r * m_x));	60✔
139
140	return BigInt::encode_fixed_length_int_pair(r, s, m_group.get_order().bytes());	20✔
141	}	80✔
142
143	/**
144	* SM2 verification operation
145	*/
146	class SM2_Verification_Operation final : public PK_Ops::Verification {	×
147	public:
148	SM2_Verification_Operation(const SM2_PublicKey& sm2, std::string_view ident, std::string_view hash) :	18✔
149	m_group(sm2.domain()), m_gy_mul(m_group.get_base_point(), sm2.public_point()) {	18✔
150	if(hash == "Raw") {	33✔
151	// m_hash is null, m_za is empty
152	} else {
153	m_hash = HashFunction::create_or_throw(hash);	17✔
154	// ZA=H256(ENTLA \|\| IDA \|\| a \|\| b \|\| xG \|\| yG \|\| xA \|\| yA)
155	m_za = sm2_compute_za(*m_hash, ident, m_group, sm2.public_point());	17✔
156	m_hash->update(m_za);	17✔
157	}
158	}	18✔
159
160	void update(const uint8_t msg[], size_t msg_len) override {	184✔
161	if(m_hash) {	184✔
162	m_hash->update(msg, msg_len);	161✔
163	} else {
164	m_digest.insert(m_digest.end(), msg, msg + msg_len);	23✔
165	}
166	}	184✔
167
168	bool is_valid_signature(const uint8_t sig[], size_t sig_len) override;
169
170	std::string hash_function() const override { return m_hash->name(); }	×
171
172	private:
173	const EC_Group m_group;
174	const EC_Point_Multi_Point_Precompute m_gy_mul;
175	secure_vector<uint8_t> m_digest;
176	std::vector<uint8_t> m_za;
177	std::unique_ptr<HashFunction> m_hash;
178	};
179
180	bool SM2_Verification_Operation::is_valid_signature(const uint8_t sig[], size_t sig_len) {	185✔
181	BigInt e;	185✔
182	if(m_hash) {	185✔
183	e = BigInt::decode(m_hash->final());	324✔
184	// prepend ZA for next signature if any
185	m_hash->update(m_za);	162✔
186	} else {
187	e = BigInt::decode(m_digest);	46✔
188	m_digest.clear();	23✔
189	}
190
191	if(sig_len != m_group.get_order().bytes() * 2) {	185✔
192	return false;
193	}
194
195	const BigInt r(sig, sig_len / 2);	185✔
196	const BigInt s(sig + sig_len / 2, sig_len / 2);	185✔
197
198	if(r <= 0 \|\| r >= m_group.get_order() \|\| s <= 0 \|\| s >= m_group.get_order()) {	362✔
199	return false;	9✔
200	}
201
202	const BigInt t = m_group.mod_order(r + s);	176✔
203
204	if(t == 0) {	176✔
205	return false;
206	}
207
208	const EC_Point R = m_gy_mul.multi_exp(s, t);	176✔
209
210	// ???
211	if(R.is_zero()) {	352✔
212	return false;
213	}
214
215	return (m_group.mod_order(R.get_affine_x() + e) == r);	880✔
216	}	916✔
217
218	void parse_sm2_param_string(std::string_view params, std::string& userid, std::string& hash) {	36✔
219	// GM/T 0009-2012 specifies this as the default userid
220	const std::string default_userid = "1234567812345678";	36✔
221
222	// defaults:
223	userid = default_userid;	36✔
224	hash = "SM3";	36✔
225
226	/*
227	* SM2 parameters have the following possible formats:
228	* Ident [since 2.2.0]
229	* Ident,Hash [since 2.3.0]
230	*/
231
232	auto comma = params.find(',');	36✔
233	if(comma == std::string::npos) {	36✔
234	userid = params;	54✔
235	} else {
236	userid = params.substr(0, comma);	18✔
237	hash = params.substr(comma + 1, std::string::npos);	36✔
238	}
239	}	36✔
240
241	} // namespace
242
243	std::unique_ptr<PK_Ops::Verification> SM2_PublicKey::create_verification_op(std::string_view params,	39✔
244	std::string_view provider) const {
245	if(provider == "base" \|\| provider.empty()) {	46✔
246	std::string userid, hash;	18✔
247	parse_sm2_param_string(params, userid, hash);	18✔
248	return std::make_unique<SM2_Verification_Operation>(*this, userid, hash);	18✔
249	}	36✔
250
251	throw Provider_Not_Found(algo_name(), provider);	42✔
252	}
253
254	std::unique_ptr<PK_Ops::Signature> SM2_PrivateKey::create_signature_op(RandomNumberGenerator& /rng/,	39✔
255	std::string_view params,
256	std::string_view provider) const {
257	if(provider == "base" \|\| provider.empty()) {	46✔
258	std::string userid, hash;	18✔
259	parse_sm2_param_string(params, userid, hash);	18✔
260	return std::make_unique<SM2_Signature_Operation>(*this, userid, hash);	18✔
261	}	36✔
262
263	throw Provider_Not_Found(algo_name(), provider);	42✔
264	}
265
266	} // namespace Botan

randombit / botan / 5230455705

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous