1 /*-
2 * Copyright (c) 2017 Ribose Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
16 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
18 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
19 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
20 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
22 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
23 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24 * POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include <string.h>
28 #include <botan/ffi.h>
29 #include "sm2.h"
30 #include "hash.h"
31 #include "utils.h"
32 #include "bn.h"
33
34 static bool
sm2_load_public_key(botan_pubkey_t * pubkey,const pgp_ec_key_t * keydata)35 sm2_load_public_key(botan_pubkey_t *pubkey, const pgp_ec_key_t *keydata)
36 {
37 const ec_curve_desc_t *curve = NULL;
38 botan_mp_t px = NULL;
39 botan_mp_t py = NULL;
40 size_t sz;
41 bool res = false;
42
43 if (!(curve = get_curve_desc(keydata->curve))) {
44 return false;
45 }
46
47 const size_t sign_half_len = BITS_TO_BYTES(curve->bitlen);
48 sz = mpi_bytes(&keydata->p);
49 if (!sz || (sz != (2 * sign_half_len + 1)) || (keydata->p.mpi[0] != 0x04)) {
50 goto end;
51 }
52
53 if (botan_mp_init(&px) || botan_mp_init(&py) ||
54 botan_mp_from_bin(px, &keydata->p.mpi[1], sign_half_len) ||
55 botan_mp_from_bin(py, &keydata->p.mpi[1 + sign_half_len], sign_half_len)) {
56 goto end;
57 }
58 res = !botan_pubkey_load_sm2(pubkey, px, py, curve->botan_name);
59 end:
60 botan_mp_destroy(px);
61 botan_mp_destroy(py);
62 return res;
63 }
64
65 static bool
sm2_load_secret_key(botan_privkey_t * seckey,const pgp_ec_key_t * keydata)66 sm2_load_secret_key(botan_privkey_t *seckey, const pgp_ec_key_t *keydata)
67 {
68 const ec_curve_desc_t *curve = NULL;
69 bignum_t * x = NULL;
70 bool res = false;
71
72 if (!(curve = get_curve_desc(keydata->curve))) {
73 return false;
74 }
75 if (!(x = mpi2bn(&keydata->x))) {
76 return false;
77 }
78 res = !botan_privkey_load_sm2(seckey, BN_HANDLE_PTR(x), curve->botan_name);
79 bn_free(x);
80 return res;
81 }
82
83 rnp_result_t
sm2_compute_za(const pgp_ec_key_t & key,rnp::Hash & hash,const char * ident_field)84 sm2_compute_za(const pgp_ec_key_t &key, rnp::Hash &hash, const char *ident_field)
85 {
86 rnp_result_t result = RNP_ERROR_GENERIC;
87 botan_pubkey_t sm2_key = NULL;
88 int rc;
89
90 const char *hash_algo = rnp::Hash::name_backend(hash.alg());
91 size_t digest_len = hash.size();
92
93 uint8_t *digest_buf = (uint8_t *) malloc(digest_len);
94 if (!digest_buf) {
95 return RNP_ERROR_OUT_OF_MEMORY;
96 }
97
98 if (!sm2_load_public_key(&sm2_key, &key)) {
99 RNP_LOG("Failed to load SM2 key");
100 goto done;
101 }
102
103 if (ident_field == NULL)
104 ident_field = "1234567812345678";
105
106 rc = botan_pubkey_sm2_compute_za(digest_buf, &digest_len, ident_field, hash_algo, sm2_key);
107
108 if (rc != 0) {
109 RNP_LOG("compute_za failed %d", rc);
110 goto done;
111 }
112
113 try {
114 hash.add(digest_buf, digest_len);
115 } catch (const std::exception &e) {
116 RNP_LOG("Failed to update hash: %s", e.what());
117 goto done;
118 }
119
120 result = RNP_SUCCESS;
121 done:
122 free(digest_buf);
123 botan_pubkey_destroy(sm2_key);
124 return result;
125 }
126
127 rnp_result_t
sm2_validate_key(rnp::RNG * rng,const pgp_ec_key_t * key,bool secret)128 sm2_validate_key(rnp::RNG *rng, const pgp_ec_key_t *key, bool secret)
129 {
130 botan_pubkey_t bpkey = NULL;
131 botan_privkey_t bskey = NULL;
132 rnp_result_t ret = RNP_ERROR_BAD_PARAMETERS;
133
134 if (!sm2_load_public_key(&bpkey, key) || botan_pubkey_check_key(bpkey, rng->handle(), 0)) {
135 goto done;
136 }
137
138 if (!secret) {
139 ret = RNP_SUCCESS;
140 goto done;
141 }
142
143 if (!sm2_load_secret_key(&bskey, key) ||
144 botan_privkey_check_key(bskey, rng->handle(), 0)) {
145 goto done;
146 }
147 ret = RNP_SUCCESS;
148 done:
149 botan_privkey_destroy(bskey);
150 botan_pubkey_destroy(bpkey);
151 return ret;
152 }
153
154 rnp_result_t
sm2_sign(rnp::RNG * rng,pgp_ec_signature_t * sig,pgp_hash_alg_t hash_alg,const uint8_t * hash,size_t hash_len,const pgp_ec_key_t * key)155 sm2_sign(rnp::RNG * rng,
156 pgp_ec_signature_t *sig,
157 pgp_hash_alg_t hash_alg,
158 const uint8_t * hash,
159 size_t hash_len,
160 const pgp_ec_key_t *key)
161 {
162 const ec_curve_desc_t *curve = NULL;
163 botan_pk_op_sign_t signer = NULL;
164 botan_privkey_t b_key = NULL;
165 uint8_t out_buf[2 * MAX_CURVE_BYTELEN] = {0};
166 size_t sign_half_len = 0;
167 size_t sig_len = 0;
168 rnp_result_t ret = RNP_ERROR_SIGNING_FAILED;
169
170 if (botan_ffi_supports_api(20180713) != 0) {
171 RNP_LOG("SM2 signatures requires Botan 2.8 or higher");
172 return RNP_ERROR_NOT_SUPPORTED;
173 }
174
175 if (hash_len != rnp::Hash::size(hash_alg)) {
176 return RNP_ERROR_BAD_PARAMETERS;
177 }
178
179 if (!(curve = get_curve_desc(key->curve))) {
180 return RNP_ERROR_BAD_PARAMETERS;
181 }
182 sign_half_len = BITS_TO_BYTES(curve->bitlen);
183 sig_len = 2 * sign_half_len;
184
185 if (!sm2_load_secret_key(&b_key, key)) {
186 RNP_LOG("Can't load private key");
187 ret = RNP_ERROR_BAD_PARAMETERS;
188 goto end;
189 }
190
191 if (botan_pk_op_sign_create(&signer, b_key, ",Raw", 0)) {
192 goto end;
193 }
194
195 if (botan_pk_op_sign_update(signer, hash, hash_len)) {
196 goto end;
197 }
198
199 if (botan_pk_op_sign_finish(signer, rng->handle(), out_buf, &sig_len)) {
200 RNP_LOG("Signing failed");
201 goto end;
202 }
203
204 // Allocate memory and copy results
205 if (mem2mpi(&sig->r, out_buf, sign_half_len) &&
206 mem2mpi(&sig->s, out_buf + sign_half_len, sign_half_len)) {
207 // All good now
208 ret = RNP_SUCCESS;
209 }
210 end:
211 botan_privkey_destroy(b_key);
212 botan_pk_op_sign_destroy(signer);
213 return ret;
214 }
215
216 rnp_result_t
sm2_verify(const pgp_ec_signature_t * sig,pgp_hash_alg_t hash_alg,const uint8_t * hash,size_t hash_len,const pgp_ec_key_t * key)217 sm2_verify(const pgp_ec_signature_t *sig,
218 pgp_hash_alg_t hash_alg,
219 const uint8_t * hash,
220 size_t hash_len,
221 const pgp_ec_key_t * key)
222 {
223 const ec_curve_desc_t *curve = NULL;
224 botan_pubkey_t pub = NULL;
225 botan_pk_op_verify_t verifier = NULL;
226 rnp_result_t ret = RNP_ERROR_SIGNATURE_INVALID;
227 uint8_t sign_buf[2 * MAX_CURVE_BYTELEN] = {0};
228 size_t r_blen, s_blen, sign_half_len;
229
230 if (botan_ffi_supports_api(20180713) != 0) {
231 RNP_LOG("SM2 signatures requires Botan 2.8 or higher");
232 return RNP_ERROR_NOT_SUPPORTED;
233 }
234
235 if (hash_len != rnp::Hash::size(hash_alg)) {
236 return RNP_ERROR_BAD_PARAMETERS;
237 }
238
239 curve = get_curve_desc(key->curve);
240 if (curve == NULL) {
241 return RNP_ERROR_BAD_PARAMETERS;
242 }
243 sign_half_len = BITS_TO_BYTES(curve->bitlen);
244
245 if (!sm2_load_public_key(&pub, key)) {
246 RNP_LOG("Failed to load public key");
247 goto end;
248 }
249
250 if (botan_pk_op_verify_create(&verifier, pub, ",Raw", 0)) {
251 goto end;
252 }
253
254 if (botan_pk_op_verify_update(verifier, hash, hash_len)) {
255 goto end;
256 }
257
258 r_blen = sig->r.len;
259 s_blen = sig->s.len;
260 if (!r_blen || (r_blen > sign_half_len) || !s_blen || (s_blen > sign_half_len) ||
261 (sign_half_len > MAX_CURVE_BYTELEN)) {
262 goto end;
263 }
264
265 mpi2mem(&sig->r, sign_buf + sign_half_len - r_blen);
266 mpi2mem(&sig->s, sign_buf + 2 * sign_half_len - s_blen);
267
268 if (!botan_pk_op_verify_finish(verifier, sign_buf, sign_half_len * 2)) {
269 ret = RNP_SUCCESS;
270 }
271 end:
272 botan_pubkey_destroy(pub);
273 botan_pk_op_verify_destroy(verifier);
274 return ret;
275 }
276
277 rnp_result_t
sm2_encrypt(rnp::RNG * rng,pgp_sm2_encrypted_t * out,const uint8_t * in,size_t in_len,pgp_hash_alg_t hash_algo,const pgp_ec_key_t * key)278 sm2_encrypt(rnp::RNG * rng,
279 pgp_sm2_encrypted_t *out,
280 const uint8_t * in,
281 size_t in_len,
282 pgp_hash_alg_t hash_algo,
283 const pgp_ec_key_t * key)
284 {
285 rnp_result_t ret = RNP_ERROR_GENERIC;
286 const ec_curve_desc_t *curve = NULL;
287 botan_pubkey_t sm2_key = NULL;
288 botan_pk_op_encrypt_t enc_op = NULL;
289 size_t point_len;
290 size_t hash_alg_len;
291 size_t ctext_len;
292
293 curve = get_curve_desc(key->curve);
294 if (curve == NULL) {
295 return RNP_ERROR_GENERIC;
296 }
297 point_len = BITS_TO_BYTES(curve->bitlen);
298 hash_alg_len = rnp::Hash::size(hash_algo);
299 if (!hash_alg_len) {
300 RNP_LOG("Unknown hash algorithm for SM2 encryption");
301 goto done;
302 }
303
304 /*
305 * Format of SM2 ciphertext is a point (2*point_len+1) plus
306 * the masked ciphertext (out_len) plus a hash.
307 */
308 ctext_len = (2 * point_len + 1) + in_len + hash_alg_len;
309 if (ctext_len > PGP_MPINT_SIZE) {
310 RNP_LOG("too large output for SM2 encryption");
311 goto done;
312 }
313
314 if (!sm2_load_public_key(&sm2_key, key)) {
315 RNP_LOG("Failed to load public key");
316 goto done;
317 }
318
319 /*
320 SM2 encryption doesn't have any kind of format specifier because
321 it's an all in one scheme, only the hash (used for the integrity
322 check) is specified.
323 */
324 if (botan_pk_op_encrypt_create(&enc_op, sm2_key, rnp::Hash::name_backend(hash_algo), 0)) {
325 goto done;
326 }
327
328 out->m.len = sizeof(out->m.mpi);
329 if (botan_pk_op_encrypt(enc_op, rng->handle(), out->m.mpi, &out->m.len, in, in_len) == 0) {
330 out->m.mpi[out->m.len++] = hash_algo;
331 ret = RNP_SUCCESS;
332 }
333 done:
334 botan_pk_op_encrypt_destroy(enc_op);
335 botan_pubkey_destroy(sm2_key);
336 return ret;
337 }
338
339 rnp_result_t
sm2_decrypt(uint8_t * out,size_t * out_len,const pgp_sm2_encrypted_t * in,const pgp_ec_key_t * key)340 sm2_decrypt(uint8_t * out,
341 size_t * out_len,
342 const pgp_sm2_encrypted_t *in,
343 const pgp_ec_key_t * key)
344 {
345 const ec_curve_desc_t *curve;
346 botan_pk_op_decrypt_t decrypt_op = NULL;
347 botan_privkey_t b_key = NULL;
348 size_t in_len;
349 rnp_result_t ret = RNP_ERROR_GENERIC;
350 uint8_t hash_id;
351 const char * hash_name = NULL;
352
353 curve = get_curve_desc(key->curve);
354 in_len = mpi_bytes(&in->m);
355 if (curve == NULL || in_len < 64) {
356 goto done;
357 }
358
359 if (!sm2_load_secret_key(&b_key, key)) {
360 RNP_LOG("Can't load private key");
361 goto done;
362 }
363
364 hash_id = in->m.mpi[in_len - 1];
365 hash_name = rnp::Hash::name_backend((pgp_hash_alg_t) hash_id);
366 if (!hash_name) {
367 RNP_LOG("Unknown hash used in SM2 ciphertext");
368 goto done;
369 }
370
371 if (botan_pk_op_decrypt_create(&decrypt_op, b_key, hash_name, 0) != 0) {
372 goto done;
373 }
374
375 if (botan_pk_op_decrypt(decrypt_op, out, out_len, in->m.mpi, in_len - 1) == 0) {
376 ret = RNP_SUCCESS;
377 }
378 done:
379 botan_privkey_destroy(b_key);
380 botan_pk_op_decrypt_destroy(decrypt_op);
381 return ret;
382 }
383