abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-07 08:56:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

update sm_standard

Browse Source
This commit is contained in:
[GGSuchao]
2017-07-10 10:40:04 +08:00
committed by GGSuchao
parent ac3cb97071
commit 07610b4229
5 changed files with 1761 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

406
engines/sm_standard/sm2/kdf_standard.h Normal file
View File

@@ -0,0 +1,406 @@
/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_KDF_STANDARD_H
#define HEADER_KDF_STANDARD_H
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
#define SM3_len 256
#define SM3_T1 0x79CC4519
#define SM3_T2 0x7A879D8A
#define SM3_IVA 0x7380166f
#define SM3_IVB 0x4914b2b9
#define SM3_IVC 0x172442d7
#define SM3_IVD 0xda8a0600
#define SM3_IVE 0xa96f30bc
#define SM3_IVF 0x163138aa
#define SM3_IVG 0xe38dee4d
#define SM3_IVH 0xb0fb0e4e
#define SM2_WORDSIZE 8
#define SM2_NUMBITS 256
#define SM2_NUMWORD (SM2_NUMBITS / SM2_WORDSIZE) //32
/* Various logical functions */
#define SM3_p1(x) (x ^ SM3_rotl32(x, 15) ^ SM3_rotl32(x, 23))
#define SM3_p0(x) (x ^ SM3_rotl32(x, 9) ^ SM3_rotl32(x, 17))
#define SM3_ff0(a, b, c) (a ^ b ^ c)
#define SM3_ff1(a, b, c) ((a & b) | (a & c) | (b & c))
#define SM3_gg0(e, f, g) (e ^ f ^ g)
#define SM3_gg1(e, f, g) ((e & f) | ((~e) & g))
#define SM3_rotl32(x, n) (((x) << n) | ((x) >> (32 - n)))
#define SM3_rotr32(x, n) (((x) >> n) | ((x) << (32 - n)))
typedef struct {
unsigned long state[8];
unsigned long length;
unsigned long curlen;
unsigned char buf[64];
} SM3_STATE;
static void BiToW(unsigned long Bi[], unsigned long W[]);
static void WToW1(unsigned long W[], unsigned long W1[]);
static void CF(unsigned long W[], unsigned long W1[], unsigned long V[]);
static void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[]);
static void SM3_init(SM3_STATE *md);
static void SM3_compress(SM3_STATE *md);
static void SM3_process(SM3_STATE *md, unsigned char *buf, int len);
static void SM3_done(SM3_STATE *md, unsigned char hash[]);
static void SM3_256(unsigned char buf[], int len, unsigned char hash[]);
static void SM3_kdf(unsigned char Z[], unsigned short zlen, unsigned short klen, unsigned char K[]);
/* calculate W from Bi */
static void BiToW(unsigned long Bi[], unsigned long W[])
{
int i;
unsigned long tmp;
for(i = 0; i <= 15; i++)
{
W[i] = Bi[i];
}
for(i = 16;i <= 67; i++)
{
tmp = W[i - 16] ^ W[i - 9] ^ SM3_rotl32(W[i - 3], 15);
W[i] = SM3_p1(tmp) ^ (SM3_rotl32(W[i - 13], 7)) ^ W[i - 6];
}
}
/* calculate W1 from W */
static void WToW1(unsigned long W[], unsigned long W1[])
{
int i;
for(i = 0; i <= 63; i++)
{
W1[i] = W[i] ^ W[i + 4];
}
}
/* calculate the CF compress function and update V */
static void CF(unsigned long W[], unsigned long W1[], unsigned long V[])
{
unsigned long SS1;
unsigned long SS2;
unsigned long TT1;
unsigned long TT2;
unsigned long A, B, C, D, E, F, G, H;
unsigned long T = SM3_T1;
unsigned long FF;
unsigned long GG;
int j;
//reg init, set ABCDEFGH = V0
A = V[0];
B = V[1];
C = V[2];
D = V[3];
E = V[4];
F = V[5];
G = V[6];
H = V[7];
for (j = 0; j <= 63; j++)
{
//SS1
if (j == 0)
{
T = SM3_T1;
}
else if (j == 16)
{
T = SM3_rotl32(SM3_T2, 16);
}
else
{
T = SM3_rotl32(T, 1);
}
SS1 = SM3_rotl32((SM3_rotl32(A, 12) + E + T), 7);
//SS2
SS2 = SS1 ^ SM3_rotl32(A, 12);
//TT1
if (j <= 15)
{
FF = SM3_ff0(A, B, C);
}
else
{
FF = SM3_ff1(A, B, C);
}
TT1 = FF + D + SS2 + *W1;
W1++;
//TT2
if (j <= 15)
{
GG = SM3_gg0(E, F, G);
}
else
{
GG = SM3_gg1(E, F, G);
}
TT2 = GG + H + SS1 + *W;
W++;
//D
D = C;
//C
C = SM3_rotl32(B, 9);
//B
B = A;
//A
A = TT1;
//H
H = G;
//G
G = SM3_rotl32(F, 19);
//F
F = E;
//E
E = SM3_p0(TT2);
}
//update V
V[0] = A ^ V[0];
V[1] = B ^ V[1];
V[2] = C ^ V[2];
V[3] = D ^ V[3];
V[4] = E ^ V[4];
V[5] = F ^ V[5];
V[6] = G ^ V[6];
V[7] = H ^ V[7];
}
/* unsigned int endian converse. GM/T 0004-2012 requires to use big-endian.
* if CPu uses little-endian, BigEndian function is a necessary
* call to change the little-endian format into big-endian format.
*/
static void BigEndian(unsigned char src[], unsigned int bytelen, unsigned char des[])
{
unsigned char tmp = 0;
unsigned long i = 0;
for (i = 0; i < bytelen / 4; i++)
{
tmp = des[4 * i];
des[4 * i] = src[4 * i + 3];
src[4 * i + 3] = tmp;
tmp = des[4 * i + 1];
des[4 * i + 1] = src[4 * i + 2];
des[4 * i + 2] = tmp;
}
}
/* initiate SM3 state */
static void SM3_init(SM3_STATE *md)
{
md->curlen = md->length = 0;
md->state[0] = SM3_IVA;
md->state[1] = SM3_IVB;
md->state[2] = SM3_IVC;
md->state[3] = SM3_IVD;
md->state[4] = SM3_IVE;
md->state[5] = SM3_IVF;
md->state[6] = SM3_IVG;
md->state[7] = SM3_IVH;
}
/* compress a single a block of message */
static void SM3_compress(SM3_STATE *md)
{
unsigned long W[68];
unsigned long W1[64];
//if CPU uses little-endian, BigEndian function is a necessary call
BigEndian(md->buf, 64, md->buf);
BiToW((unsigned long *)md->buf, W);
WToW1(W, W1);
CF(W, W1, md->state);
}
/* compress the first(len/64) blocks of message */
static void SM3_process(SM3_STATE *md, unsigned char *buf, int len)
{
while (len--)
{
/* copy byte */
md->buf[md->curlen] = *buf++;
md->curlen++;
/* is 64 bytes full? */
if (md->curlen == 64)
{
SM3_compress(md);
md->length += 512;
md->curlen = 0;
}
}
}
/* compress the rest message that the SM3_process has left behind */
static void SM3_done(SM3_STATE *md, unsigned char hash[])
{
int i;
unsigned char tmp = 0;
/* increase the bit length of the message */
md->length += md->curlen << 3;
/* append the '1' bit */
md->buf[md->curlen] = 0x80;
md->curlen++;
/* if the length is currently above 56 bytes, appends zeros till
it reaches 64 bytes, compress the current block, creat a new
block by appending zeros and length,and then compress it
*/
if (md->curlen > 56)
{
for (; md->curlen < 64;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
SM3_compress(md);
md->curlen = 0;
}
/* if the length is less than 56 bytes, pad upto 56 bytes of zeroes */
for (; md->curlen < 56;)
{
md->buf[md->curlen] = 0;
md->curlen++;
}
/* since all messages are under 2^32 bits we mark the top bits zero */
for (i = 56; i < 60; i++)
{
md->buf[i] = 0;
}
/* append length */
md->buf[63] = md->length & 0xff;
md->buf[62] = (md->length >> 8) & 0xff;
md->buf[61] = (md->length >> 16) & 0xff;
md->buf[60] = (md->length >> 24) & 0xff;
SM3_compress(md);
/* copy output */
memcpy(hash, md->state, SM3_len / 8);
BigEndian(hash, SM3_len / 8, hash); //if CPU uses little-endian, BigEndian function is a necessary call
}
/* calculate a hash value from a given message */
static void SM3_256(unsigned char buf[], int len, unsigned char hash[])
{
SM3_STATE md;
SM3_init(&md);
SM3_process(&md, buf, len);
SM3_done(&md, hash);
}
/* key derivation function */
static void SM3_kdf(unsigned char Z[], unsigned short zlen, unsigned short klen, unsigned char K[])
{
unsigned short i, j, t;
unsigned int bitklen;
SM3_STATE md;
unsigned char Ha[SM2_NUMWORD];
unsigned char ct[4] = {0, 0, 0, 1};
bitklen = klen * 8;
if (bitklen % SM2_NUMBITS)
t = bitklen / SM2_NUMBITS + 1;
else
t = bitklen / SM2_NUMBITS;
//s4: K = Ha1 || Ha2 || ...
for (i = 1; i < t; i++)
{
//s2: Hai = Hv(Z || ct)
SM3_init(&md);
SM3_process(&md, Z, zlen);
SM3_process(&md, ct, 4);
SM3_done(&md, Ha);
memcpy((K + SM2_NUMWORD * (i - 1)), Ha, SM2_NUMWORD);
if (ct[3] == 0xff)
{
ct[3] = 0;
if (ct[2] == 0xff)
{
ct[2] = 0;
if (ct[1] == 0xff)
{
ct[1] = 0;
ct[0]++;
}
else
ct[1]++;
}
else
ct[2]++;
}
else
ct[3]++;
}
//s3
SM3_init(&md);
SM3_process(&md, Z, zlen);
SM3_process(&md, ct, 4);
SM3_done(&md, Ha);
if(bitklen % SM2_NUMBITS)
{
i = (SM2_NUMBITS - bitklen + SM2_NUMBITS * (bitklen / SM2_NUMBITS)) / 8;
j = (bitklen - SM2_NUMBITS * (bitklen / SM2_NUMBITS)) / 8;
memcpy((K + SM2_NUMWORD * (t - 1)), Ha, j);
}
else
{
memcpy((K + SM2_NUMWORD * (t - 1)), Ha, SM2_NUMWORD);
}
}
#ifdef __cplusplus
}
# endif
#endif

278
engines/sm_standard/sm2/sm2_standard.h Normal file
View File

@@ -0,0 +1,278 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#ifndef HEADER_SM2_STANDARD_H
#define HEADER_SM2_STANDARD_H
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef __cplusplus
extern "C" {
#endif
#include "miracl.h"
#include "mirdef.h"
#include "kdf_standard.h"
#define ERR_INFINITY_POINT 0x00000001
#define ERR_NOT_VALID_ELEMENT 0x00000002
#define ERR_NOT_VALID_POINT 0x00000003
#define ERR_ORDER 0x00000004
#define ERR_ECURVE_INIT 0x00000005
#define ERR_KEYEX_RA 0x00000006
#define ERR_KEYEX_RB 0x00000007
#define ERR_EQUAL_S1SB 0x00000008
#define ERR_EQUAL_S2SA 0x00000009
#define ERR_SELFTEST_Z 0x0000000A
#define ERR_SELFTEST_INI_I 0x0000000B
#define ERR_SELFTEST_RES_I 0x0000000C
#define ERR_SELFTEST_INI_II 0x0000000D
#define ERR_GENERATE_R 0x0000000E
#define ERR_GENERATE_S 0x0000000F
#define ERR_OUTRANGE_R 0x00000010
#define ERR_OUTRANGE_S 0x00000011
#define ERR_GENERATE_T 0x00000012
#define ERR_PUBKEY_INIT 0x00000013
#define ERR_DATA_MEMCMP 0x00000014
#define ERR_ARRAY_NULL 0x00000015
#define ERR_C3_MATCH 0x00000016
#define ERR_SELFTEST_KG 0x00000017
#define ERR_SELFTEST_ENC 0x00000018
#define ERR_SELFTEST_DEC 0x00000019
static unsigned char SM2_p[32] = {0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
static unsigned char SM2_a[32] = {0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC};
static unsigned char SM2_b[32] = {0x28, 0xE9, 0xFA, 0x9E, 0x9D, 0x9F, 0x5E, 0x34, 0x4D, 0x5A, 0x9E, 0x4B, 0xCF, 0x65, 0x09, 0xA7,
0xF3, 0x97, 0x89, 0xF5, 0x15, 0xAB, 0x8F, 0x92, 0xDD, 0xBC, 0xBD, 0x41, 0x4D, 0x94, 0x0E, 0x93};
static unsigned char SM2_n[32] = {0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x72, 0x03, 0xDF, 0x6B, 0x21, 0xC6, 0x05, 0x2B, 0x53, 0xBB, 0xF4, 0x09, 0x39, 0xD5, 0x41, 0x23};
static unsigned char SM2_Gx[32] = {0x32, 0xC4, 0xAE, 0x2C, 0x1F, 0x19, 0x81, 0x19, 0x5F, 0x99, 0x04, 0x46, 0x6A, 0x39, 0xC9, 0x94,
0x8F, 0xE3, 0x0B, 0xBF, 0xF2, 0x66, 0x0B, 0xE1, 0x71, 0x5A, 0x45, 0x89, 0x33, 0x4C, 0x74, 0xC7};
static unsigned char SM2_Gy[32] = {0xBC, 0x37, 0x36, 0xA2, 0xF4, 0xF6, 0x77, 0x9C, 0x59, 0xBD, 0xCE, 0xE3, 0x6B, 0x69, 0x21, 0x53,
0xD0, 0xA9, 0x87, 0x7C, 0xC6, 0x2A, 0x47, 0x40, 0x02, 0xDF, 0x32, 0xE5, 0x21, 0x39, 0xF0, 0xA0};
static unsigned char SM2_h[32] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
big para_p, para_a, para_b, para_n, para_Gx, para_Gy, para_h;
epoint *G;
miracl *mip;
int SM2_w(big n);
void SM3_z(unsigned char ID[], unsigned short int ELAN, epoint* pubKey, unsigned char hash[]);
static int Test_Point(epoint* point);
static int Test_PubKey(epoint *pubKey);
int Test_Null(unsigned char array[], int len);
int Test_Zero(big x);
int Test_n(big x);
static int Test_Range(big x);
static int SM2_standard_init();
static int SM2_standard_keygeneration(big priKey, epoint *pubKey);
int SM2_standard_sign_keygeneration(unsigned char PriKey[], unsigned char Px[], unsigned char Py[]);
int SM2_standard_keyex_init_i(big ra, epoint* RA);
int SM2_standard_keyex_re_i(big rb, big dB, epoint* RA, epoint* PA, unsigned char ZA[], unsigned char ZB[], unsigned char K[], int klen, epoint* RB, epoint* V, unsigned char hash[]);
int SM2_standard_keyex_init_ii(big ra, big dA, epoint* RA, epoint* RB, epoint* PB, unsigned char ZA[], unsigned char ZB[], unsigned char SB[], unsigned char K[], int klen, unsigned char SA[]);
int SM2_standard_keyex_re_ii(epoint *V, epoint *RA, epoint *RB, unsigned char ZA[], unsigned char ZB[], unsigned char SA[]);
int SM2_standard_keyex_selftest();
int SM2_standard_encrypt(unsigned char* randK, epoint *pubKey, unsigned char M[], int klen, unsigned char C[]);
int SM2_standard_decrypt(big dB, unsigned char C[], int Clen, unsigned char M[]);
int SM2_standard_enc_selftest();
int SM2_standard_sign(unsigned char *message, int len, unsigned char ZA[], unsigned char rand[], unsigned char d[], unsigned char R[], unsigned char S[]);
int SM2_standard_verify(unsigned char *message, int len, unsigned char ZA[], unsigned char Px[], unsigned char Py[], unsigned char R[], unsigned char S[]);
int SM2_standard_selfcheck();
/* Initiate SM2 curve */
static int SM2_standard_init()
{
epoint *nG;
para_p = mirvar(0);
para_a = mirvar(0);
para_b = mirvar(0);
para_n = mirvar(0);
para_Gx = mirvar(0);
para_Gy = mirvar(0);
para_h = mirvar(0);
G = epoint_init();
nG = epoint_init();
bytes_to_big(SM2_NUMWORD, SM2_p, para_p);
bytes_to_big(SM2_NUMWORD, SM2_a, para_a);
bytes_to_big(SM2_NUMWORD, SM2_b, para_b);
bytes_to_big(SM2_NUMWORD, SM2_n, para_n);
bytes_to_big(SM2_NUMWORD, SM2_Gx, para_Gx);
bytes_to_big(SM2_NUMWORD, SM2_Gy, para_Gy);
bytes_to_big(SM2_NUMWORD, SM2_h, para_h);
ecurve_init(para_a, para_b, para_p, MR_PROJECTIVE); //Initialises GF(p) elliptic curve.
//MR_PROJECTIVE specifying projective coordinates
if (!epoint_set(para_Gx, para_Gy, 0, G)) //initialise point G
{
return ERR_ECURVE_INIT;
}
ecurve_mult(para_n, G, nG);
if (!point_at_infinity(nG)) //test if the order of the point is n
{
return ERR_ORDER;
}
return 0;
}
/* test if the given point is on SM2 curve */
static int Test_Point(epoint* point)
{
big x, y, x_3, tmp;
x = mirvar(0);
y = mirvar(0);
x_3 = mirvar(0);
tmp = mirvar(0);
//test if y^2 = x^3 + ax + b
epoint_get(point, x, y);
power(x, 3, para_p, x_3); //x_3 = x^3 mod p
multiply(x, para_a, x); //x = a * x
divide(x, para_p, tmp); //x = a * x mod p, tmp = a * x / p
add(x_3, x, x); //x = x^3 + ax
add(x, para_b, x); //x = x^3 + ax + b
divide(x, para_p, tmp); //x = x^3 + ax + b mod p
power(y, 2, para_p, y); //y = y^2 mod p
if (mr_compare(x, y) != 0)
return ERR_NOT_VALID_POINT;
else
return 0;
}
/* test if the given public key is valid */
static int Test_PubKey(epoint *pubKey)
{
big x, y, x_3, tmp;
epoint *nP;
x = mirvar(0);
y = mirvar(0);
x_3 = mirvar(0);
tmp = mirvar(0);
nP = epoint_init();
//test if the pubKey is the point at infinity
if (point_at_infinity(pubKey)) //if pubKey is point at infinity, return error;
return ERR_INFINITY_POINT;
//test if x < p and y<p both hold
epoint_get(pubKey, x, y);
if ((mr_compare(x, para_p) != -1) || (mr_compare(y, para_p) != -1))
return ERR_NOT_VALID_ELEMENT;
if (Test_Point(pubKey) != 0)
return ERR_NOT_VALID_POINT;
//test if the order of pubKey is equal to n
ecurve_mult(para_n, pubKey, nP); //nP=[n]P
if (!point_at_infinity(nP)) //if np is point NOT at infinity, return error;
return ERR_ORDER;
return 0;
}
/* test if the big x belong to the range[1, n-1] */
static int Test_Range(big x)
{
big one, decr_n;
one = mirvar(0);
decr_n = mirvar(0);
convert(1, one);
decr(para_n, 1, decr_n);
if ((mr_compare(x, one) < 0) | (mr_compare(x, decr_n) > 0))
return 1;
return 0;
}
/* calculate a pubKey out of a given priKey */
static int SM2_standard_keygeneration(big priKey, epoint *pubKey)
{
int i = 0;
big x, y;
x = mirvar(0);
y = mirvar(0);
//mip = mirsys(1000, 16);
//mip->IOBASE = 16;
ecurve_mult(priKey, G, pubKey);
epoint_get(pubKey, x, y);
i = Test_PubKey(pubKey);
if (i)
return i;
else
return 0;
}
#ifdef __cplusplus
}
# endif
#endif

253
engines/sm_standard/sm2/sm2_standard_enc.c Normal file
View File

@@ -0,0 +1,253 @@
/*
* Copyright (c) 2015 - 2017 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "miracl.h"
#include "mirdef.h"
#include "sm2_standard.h"
/* test if the given array is all zero */
int Test_Null(unsigned char array[], int len)
{
int i;
i = 0;
for (i = 0; i < len; i++)
{
if (array[i] != 0x00)
return 0;
}
return 1;
}
/* sm2 encryption */
int SM2_standard_encrypt(unsigned char* randK, epoint *pubKey, unsigned char M[], int klen, unsigned char C[])
{
big C1x, C1y, x2, y2, rand;
epoint *C1, *kP, *S;
int i;
i = 0;
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
SM3_STATE md;
C1x = mirvar(0);
C1y = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
rand = mirvar(0);
C1 = epoint_init();
kP = epoint_init();
S = epoint_init();
//step2. calculate C1 = [k]G = (rGx, rGy)
bytes_to_big(SM2_NUMWORD, randK, rand);
ecurve_mult(rand, G, C1); //C1 = [k]G
epoint_get(C1, C1x, C1y);
big_to_bytes(SM2_NUMWORD, C1x, C, 1);
big_to_bytes(SM2_NUMWORD, C1y, C + SM2_NUMWORD, 1);
//step3. test if S = [h]pubKey if the point at infinity
ecurve_mult(para_h, pubKey, S);
if (point_at_infinity(S)) //if S is point at infinity, return error;
return ERR_INFINITY_POINT;
//step4. calculate [k]PB = (x2, y2)
ecurve_mult(rand, pubKey, kP); //kP = [k]P
epoint_get(kP, x2, y2);
//step5. KDF(x2 || y2, klen)
big_to_bytes(SM2_NUMWORD, x2, x2y2, 1);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, 1);
SM3_kdf(x2y2, SM2_NUMWORD * 2, klen, C + SM2_NUMWORD * 3);
if (Test_Null(C + SM2_NUMWORD * 3, klen) != 0)
return ERR_ARRAY_NULL;
//step6. C2 = M^t
for (i = 0; i < klen; i++)
{
C[SM2_NUMWORD * 3 + i] = M[i] ^ C[SM2_NUMWORD * 3 + i];
}
//step7. C3 = hash(x2, M, y2)
SM3_init(&md);
SM3_process(&md, x2y2, SM2_NUMWORD);
SM3_process(&md, M, klen);
SM3_process(&md, x2y2 + SM2_NUMWORD, SM2_NUMWORD);
SM3_done(&md, C + SM2_NUMWORD * 2);
return 0;
}
/* sm2 decryption */
int SM2_standard_decrypt(big dB, unsigned char C[], int Clen, unsigned char M[])
{
SM3_STATE md;
int i;
i = 0;
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
unsigned char hash[SM2_NUMWORD] = {0};
big C1x, C1y, x2, y2;
epoint *C1, *S, *dBC1;
C1x = mirvar(0);
C1y = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
C1 = epoint_init();
S = epoint_init();
dBC1 = epoint_init();
//step1. test if C1 fits the curve
bytes_to_big(SM2_NUMWORD, C, C1x);
bytes_to_big(SM2_NUMWORD, C + SM2_NUMWORD, C1y);
epoint_set(C1x, C1y, 0, C1);
i = Test_Point(C1);
if (i != 0)
return i;
//step2. S = [h]C1 and test if S is the point at infinity
ecurve_mult(para_h, C1, S);
if (point_at_infinity(S)) // if S is point at infinity, return error;
return ERR_INFINITY_POINT;
//step3. [dB]C1 = (x2, y2)
ecurve_mult(dB, C1, dBC1);
epoint_get(dBC1, x2, y2);
big_to_bytes(SM2_NUMWORD, x2, x2y2, 1);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, 1);
//step4. t = KDF(x2 || y2, klen)
SM3_kdf(x2y2, SM2_NUMWORD * 2, Clen - SM2_NUMWORD * 3, M);
if (Test_Null(M, Clen - SM2_NUMWORD * 3) != 0)
return ERR_ARRAY_NULL;
//step5. M = C2^t
for (i = 0; i < Clen - SM2_NUMWORD * 3; i++)
M[i] = M[i] ^ C[SM2_NUMWORD * 3 + i];
//step6. hash(x2, m, y2)
SM3_init(&md);
SM3_process(&md, x2y2, SM2_NUMWORD);
SM3_process(&md, M, Clen - SM2_NUMWORD * 3);
SM3_process(&md, x2y2 + SM2_NUMWORD, SM2_NUMWORD);
SM3_done(&md, hash);
if (memcmp(hash, C + SM2_NUMWORD * 2, SM2_NUMWORD) != 0)
return ERR_C3_MATCH;
else
return 0;
}
/* test whether the SM2 calculation is correct by comparing the result with the standard data */
int SM2_standard_enc_selftest()
{
int tmp, i;
tmp = 0;
i = 0;
unsigned char Cipher[115] = {0};
unsigned char M[19] = {0};
unsigned char kGxy[SM2_NUMWORD * 2] = {0};
big ks, x, y;
epoint *kG;
//standard data
unsigned char std_priKey[32] = {0x39, 0x45, 0x20, 0x8F, 0x7B, 0x21, 0x44, 0xB1, 0x3F, 0x36, 0xE3, 0x8A, 0xC6, 0xD3, 0x9F, 0x95,
0x88, 0x93, 0x93, 0x69, 0x28, 0x60, 0xB5, 0x1A, 0x42, 0xFB, 0x81, 0xEF, 0x4D, 0xF7, 0xC5, 0xB8};
unsigned char std_pubKey[64] = {0x09, 0xF9, 0xDF, 0x31, 0x1E, 0x54, 0x21, 0xA1, 0x50, 0xDD, 0x7D, 0x16, 0x1E, 0x4B, 0xC5, 0xC6,
0x72, 0x17, 0x9F, 0xAD, 0x18, 0x33, 0xFC, 0x07, 0x6B, 0xB0, 0x8F, 0xF3, 0x56, 0xF3, 0x50, 0x20,
0xCC, 0xEA, 0x49, 0x0C, 0xE2, 0x67, 0x75, 0xA5, 0x2D, 0xC6, 0xEA, 0x71, 0x8C, 0xC1, 0xAA, 0x60,
0x0A, 0xED, 0x05, 0xFB, 0xF3, 0x5E, 0x08, 0x4A, 0x66, 0x32, 0xF6, 0x07, 0x2D, 0xA9, 0xAD, 0x13};
unsigned char std_rand[32] = {0x59, 0x27, 0x6E, 0x27, 0xD5, 0x06, 0x86, 0x1A, 0x16, 0x68, 0x0F, 0x3A, 0xD9, 0xC0, 0x2D, 0xCC,
0xEF, 0x3C, 0xC1, 0xFA, 0x3C, 0xDB, 0xE4, 0xCE, 0x6D, 0x54, 0xB8, 0x0D, 0xEA, 0xC1, 0xBC, 0x21};
unsigned char std_Message[19] = {0x65, 0x6E, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x73, 0x74, 0x61, 0x6E, 0x64,
0x61, 0x72, 0x64};
unsigned char std_Cipher[115] = {0x04, 0xEB, 0xFC, 0x71, 0x8E, 0x8D, 0x17, 0x98, 0x62, 0x04, 0x32, 0x26, 0x8E, 0x77, 0xFE, 0xB6,
0x41, 0x5E, 0x2E, 0xDE, 0x0E, 0x07, 0x3C, 0x0F, 0x4F, 0x64, 0x0E, 0xCD, 0x2E, 0x14, 0x9A, 0x73,
0xE8, 0x58, 0xF9, 0xD8, 0x1E, 0x54, 0x30, 0xA5, 0x7B, 0x36, 0xDA, 0xAB, 0x8F, 0x95, 0x0A, 0x3C,
0x64, 0xE6, 0xEE, 0x6A, 0x63, 0x09, 0x4D, 0x99, 0x28, 0x3A, 0xFF, 0x76, 0x7E, 0x12, 0x4D, 0xF0,
0x59, 0x98, 0x3C, 0x18, 0xF8, 0x09, 0xE2, 0x62, 0x92, 0x3C, 0x53, 0xAE, 0xC2, 0x95, 0xD3, 0x03,
0x83, 0xB5, 0x4E, 0x39, 0xD6, 0x09, 0xD1, 0x60, 0xAF, 0xCB, 0x19, 0x08, 0xD0, 0xBD, 0x87, 0x66,
0x21, 0x88, 0x6C, 0xA9, 0x89, 0xCA, 0x9C, 0x7D, 0x58, 0x08, 0x73, 0x07, 0xCA, 0x93, 0x09, 0x2D,
0x65, 0x1E, 0xFA};
mip= mirsys(1000, 16);
mip->IOBASE = 16;
x = mirvar(0);
y = mirvar(0);
ks = mirvar(0);
kG = epoint_init();
bytes_to_big(32, std_priKey, ks); //ks is the standard private key
//initiate SM2 curve
SM2_standard_init();
//generate key pair
tmp = SM2_standard_keygeneration(ks, kG);
if (tmp != 0)
return tmp;
epoint_get(kG, x, y);
big_to_bytes(SM2_NUMWORD, x, kGxy, 1);
big_to_bytes(SM2_NUMWORD, y, kGxy + SM2_NUMWORD, 1);
if (memcmp(kGxy, std_pubKey, SM2_NUMWORD * 2) != 0)
return ERR_SELFTEST_KG;
//encrypt data and compare the result with the standard data
tmp = SM2_standard_encrypt(std_rand, kG, std_Message, 19, Cipher);
if (tmp != 0)
return tmp;
if (memcmp(Cipher, std_Cipher, 19 + SM2_NUMWORD * 3) != 0)
return ERR_SELFTEST_ENC;
//decrypt cipher and compare the result with the standard data
tmp = SM2_standard_decrypt(ks, Cipher, 115, M);
if (tmp != 0)
return tmp;
if (memcmp(M, std_Message, 19) != 0)
return ERR_SELFTEST_DEC;
return 0;
}

491
engines/sm_standard/sm2/sm2_standard_exch.c Normal file
View File

@@ -0,0 +1,491 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
*/
#include "mirdef.h"
#include "miracl.h"
#include "sm2_standard.h"
/* calculation of w */
int SM2_w(big n)
{
big n1;
int w = 0;
n1 = mirvar(0);
w = logb2(para_n); //approximate integer log to the base 2 of para_n
expb2(w, n1); //n1 = 2^w
if (mr_compare(para_n, n1) == 1)
w++;
if ((w % 2) == 0)
w = w / 2 - 1;
else
w = (w + 1) / 2 - 1;
return w;
}
/* calculation of ZA or ZB */
void SM3_z(unsigned char ID[], unsigned short int ELAN, epoint* pubKey, unsigned char hash[])
{
unsigned char Px[SM2_NUMWORD] = {0}, Py[SM2_NUMWORD] = {0};
unsigned char IDlen[2] = {0};
big x, y;
SM3_STATE md;
x = mirvar(0);
y = mirvar(0);
epoint_get(pubKey, x, y);
big_to_bytes(SM2_NUMWORD, x, Px, 1);
big_to_bytes(SM2_NUMWORD, y, Py, 1);
memcpy(IDlen, &ELAN + 1, 1);
memcpy(IDlen + 1, &ELAN, 1);
SM3_init(&md);
SM3_process(&md, IDlen, 2);
SM3_process(&md, ID, ELAN / 8);
SM3_process(&md, SM2_a, SM2_NUMWORD);
SM3_process(&md, SM2_b, SM2_NUMWORD);
SM3_process(&md, SM2_Gx, SM2_NUMWORD);
SM3_process(&md, SM2_Gy, SM2_NUMWORD);
SM3_process(&md, Px, SM2_NUMWORD);
SM3_process(&md, Py, SM2_NUMWORD);
SM3_done(&md, hash);
return;
}
/* calculate RA */
int SM2_standard_keyex_init_i(big ra, epoint* RA)
{
return SM2_standard_keygeneration(ra, RA);
}
/* calculate RB and a secret key */
int SM2_standard_keyex_re_i(big rb, big dB, epoint* RA, epoint* PA, unsigned char ZA[], unsigned char ZB[], unsigned char K[], int klen, epoint* RB, epoint* V, unsigned char hash[])
{
SM3_STATE md;
int i = 0, w = 0;
unsigned char Z[SM2_NUMWORD * 2 + SM3_len / 4] = {0};
unsigned char x1y1[SM2_NUMWORD * 2] = {0};
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
unsigned char temp = 0x02;
big x1, y1, x1_, x2, y2, x2_, tmp, Vx, Vy, temp_x, temp_y;
//mip = mirsys(1000, 16);
//mip->IOBASE = 16;
x1 = mirvar(0);
y1 = mirvar(0);
x1_ = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
x2_ = mirvar(0);
tmp = mirvar(0);
Vx = mirvar(0);
Vy = mirvar(0);
temp_x = mirvar(0);
temp_y = mirvar(0);
w = SM2_w(para_n);
//--------B2: RB = [rb]G = (x2, y2)--------
SM2_standard_keygeneration(rb, RB);
epoint_get(RB, x2, y2);
big_to_bytes(SM2_NUMWORD, x2, x2y2, 1);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, 1);
//--------B3: x2_ = 2^w + x2 & (2^w - 1)--------
expb2(w, x2_); //x2_ = 2^w
divide(x2, x2_, tmp); //x2 = x2 mod x2_ = x2 & (2^w - 1)
add(x2_, x2, x2_);
divide(x2_, para_n, tmp); //x2_ = n mod q
//--------B4: tB = (dB + x2_ * rB) mod n--------
multiply(x2_, rb, x2_);
add(dB, x2_, x2_);
divide(x2_, para_n, tmp);
//--------B5: x1_ = 2^w + x1 & (2^w - 1)--------
if (Test_Point(RA) != 0)
return ERR_KEYEX_RA;
epoint_get(RA, x1, y1);
big_to_bytes(SM2_NUMWORD, x1, x1y1, 1);
big_to_bytes(SM2_NUMWORD, y1, x1y1 + SM2_NUMWORD, 1);
expb2(w, x1_); //x1_ = 2^w
divide(x1, x1_, tmp); //x1 = x1 mod x1_ = x1 & (2^w - 1)
add(x1_,x1, x1_);
divide(x1_, para_n, tmp); //x1_ = n mod q
//--------B6: V = [h * tB](PA + [x1_]RA)--------
ecurve_mult(x1_, RA, V); //v = [x1_]RA
epoint_get(V, temp_x, temp_y);
ecurve_add(PA, V); //V = PA + V
epoint_get(V, temp_x, temp_y);
multiply(para_h, x2_, x2_); //tB = tB * h
ecurve_mult(x2_, V, V);
if (point_at_infinity(V) == 1)
return ERR_INFINITY_POINT;
epoint_get(V, Vx, Vy);
big_to_bytes(SM2_NUMWORD, Vx, Z, 1);
big_to_bytes(SM2_NUMWORD, Vy, Z + SM2_NUMWORD, 1);
//------------B7:KB = KDF(VX, VY, ZA, ZB, KLEN)----------
memcpy(Z + SM2_NUMWORD * 2, ZA, SM3_len / 8);
memcpy(Z + SM2_NUMWORD * 2 + SM3_len / 8, ZB, SM3_len / 8);
SM3_kdf(Z, SM2_NUMWORD * 2 + SM3_len / 4, klen / 8, K);
//---------------B8:(optional)SB = hash(0x02 || Vy || HASH(Vx || ZA || ZB || x1 || y1 || x2 || y2)-------------
SM3_init(&md);
SM3_process(&md, Z, SM2_NUMWORD);
SM3_process(&md, ZA, SM3_len / 8);
SM3_process(&md, ZB, SM3_len / 8);
SM3_process(&md, x1y1, SM2_NUMWORD * 2);
SM3_process(&md, x2y2, SM2_NUMWORD * 2);
SM3_done(&md, hash);
SM3_init(&md);
SM3_process(&md, &temp, 1);
SM3_process(&md, Z + SM2_NUMWORD, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, hash);
return 0;
}
/* initiator A calculates the secret key out of RA and RB, and calculates a hash */
int SM2_standard_keyex_init_ii(big ra, big dA, epoint* RA, epoint* RB, epoint* PB, unsigned char ZA[], unsigned char ZB[], unsigned char SB[], unsigned char K[], int klen, unsigned char SA[])
{
SM3_STATE md;
int i = 0, w = 0;
unsigned char Z[SM2_NUMWORD * 2 + SM3_len / 4] = {0};
unsigned char x1y1[SM2_NUMWORD * 2] = {0};
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
unsigned char hash[SM2_NUMWORD], S1[SM2_NUMWORD];
unsigned char temp[2] = {0x02, 0x03};
big x1, y1, x1_, x2, y2, x2_, tmp, Ux, Uy, temp_x, temp_y, tA;
epoint* U;
//mip = mirsys(1000, 16);
//mip->IOBASE = 16;
U = epoint_init();
x1 = mirvar(0);
y1 = mirvar(0);
x1_ = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
x2_ = mirvar(0);
tmp = mirvar(0);
Ux = mirvar(0);
Uy = mirvar(0);
temp_x = mirvar(0);
temp_y = mirvar(0);
tA=mirvar(0);
w = SM2_w(para_n);
epoint_get(RA, x1, y1);
big_to_bytes(SM2_NUMWORD, x1, x1y1, TRUE);
big_to_bytes(SM2_NUMWORD, y1, x1y1 + SM2_NUMWORD, TRUE);
//--------A4: x1_ = 2^w + x2 & (2^w - 1)--------
expb2(w, x1_); //x1_ = 2^w
divide(x1, x1_, tmp); //x1 = x1 mod x1_ = x1 & (2^w - 1)
add(x1_, x1, x1_);
divide(x1_, para_n, tmp);
//-------- A5:tA = (dA + x1_ * rA) mod n--------
multiply(x1_, ra, tA);
divide(tA, para_n, tmp);
add(tA, dA, tA);
divide(tA, para_n, tmp);
//-------- A6:x2_ = 2^w + x2 & (2^w - 1)-----------------
if (Test_Point(RB) != 0)
return ERR_KEYEX_RB;//////////////////////////////////
epoint_get(RB, x2, y2);
big_to_bytes(SM2_NUMWORD, x2, x2y2, TRUE);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, TRUE);
expb2(w, x2_); //x2_ = 2^w
divide(x2, x2_, tmp); //x2 = x2 mod x2_ = x2 & (2^w - 1)
add(x2_, x2, x2_);
divide(x2_, para_n, tmp);
//--------A7:U = [h * tA](PB + [x2_]RB)-----------------
ecurve_mult(x2_, RB, U); //U = [x2_]RB
epoint_get(U, temp_x, temp_y);
ecurve_add(PB, U); //U = PB + U
epoint_get(U, temp_x, temp_y);
multiply(para_h, tA, tA); //tA = tA * h
divide(tA, para_n, tmp);
ecurve_mult(tA, U, U);
if (point_at_infinity(U) == 1)
return ERR_INFINITY_POINT;
epoint_get(U, Ux, Uy);
big_to_bytes(SM2_NUMWORD, Ux, Z, 1);
big_to_bytes(SM2_NUMWORD, Uy, Z + SM2_NUMWORD, 1);
//------------A8:KA = KDF(UX, UY, ZA, ZB, KLEN)----------
memcpy(Z + SM2_NUMWORD * 2, ZA, SM3_len / 8);
memcpy(Z + SM2_NUMWORD * 2 + SM3_len / 8, ZB, SM3_len / 8);
SM3_kdf(Z, SM2_NUMWORD * 2 + SM3_len / 4, klen / 8, K);
//---------------A9:(optional) S1 = Hash(0x02 || Uy || Hash(Ux || ZA || ZB || x1 || y1 || x2 || y2))-----------
SM3_init (&md);
SM3_process(&md, Z, SM2_NUMWORD);
SM3_process(&md, ZA, SM3_len / 8);
SM3_process(&md, ZB, SM3_len / 8);
SM3_process(&md, x1y1, SM2_NUMWORD * 2);
SM3_process(&md, x2y2, SM2_NUMWORD * 2);
SM3_done(&md, hash);
SM3_init(&md);
SM3_process(&md, temp, 1);
SM3_process(&md, Z + SM2_NUMWORD, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, S1);
//test S1 = SB?
if (memcmp(S1, SB, SM2_NUMWORD) != 0)
return ERR_EQUAL_S1SB;
//---------------A10 SA = Hash(0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2))-------------
SM3_init(&md);
SM3_process(&md, &temp[1], 1);
SM3_process(&md, Z + SM2_NUMWORD, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, SA);
return 0;
}
/* (optional)Step B10: verifies the hash value received from initiator A */
int SM2_standard_keyex_re_ii(epoint *V, epoint *RA, epoint *RB, unsigned char ZA[], unsigned char ZB[], unsigned char SA[])
{
big x1, y1, x2, y2, Vx, Vy;
unsigned char hash[SM2_NUMWORD], S2[SM2_NUMWORD];
unsigned char temp = 0x03;
unsigned char xV[SM2_NUMWORD], yV[SM2_NUMWORD];
unsigned char x1y1[SM2_NUMWORD * 2] = {0};
unsigned char x2y2[SM2_NUMWORD * 2] = {0};
SM3_STATE md;
x1 = mirvar(0);
y1 = mirvar(0);
x2 = mirvar(0);
y2 = mirvar(0);
Vx = mirvar(0);
Vy = mirvar(0);
epoint_get(RA, x1, y1);
epoint_get(RB, x2, y2);
epoint_get(V, Vx, Vy);
big_to_bytes(SM2_NUMWORD, Vx, xV, TRUE);
big_to_bytes(SM2_NUMWORD, Vy, yV, TRUE);
big_to_bytes(SM2_NUMWORD, x1, x1y1, TRUE);
big_to_bytes(SM2_NUMWORD, y1, x1y1 + SM2_NUMWORD, TRUE);
big_to_bytes(SM2_NUMWORD, x2, x2y2, TRUE);
big_to_bytes(SM2_NUMWORD, y2, x2y2 + SM2_NUMWORD, TRUE);
//---------------B10:(optional) S2 = Hash(0x03 || Vy || Hash(Vx || ZA || ZB || x1 || y1 || x2 || y2))
SM3_init(&md);
SM3_process(&md, xV, SM2_NUMWORD);
SM3_process(&md, ZA, SM3_len / 8);
SM3_process(&md, ZB, SM3_len / 8);
SM3_process(&md, x1y1, SM2_NUMWORD * 2);
SM3_process(&md, x2y2, SM2_NUMWORD * 2);
SM3_done(&md, hash);
SM3_init(&md);
SM3_process(&md, &temp, 1);
SM3_process(&md, yV, SM2_NUMWORD);
SM3_process(&md, hash, SM3_len / 8);
SM3_done(&md, S2);
if (memcmp(S2, SA, SM3_len / 8) != 0)
return ERR_EQUAL_S2SA;
return 0;
}
/* self check of SM2 key exchange */
int SM2_standard_keyex_selftest()
{
//standard data
unsigned char std_priKeyA[SM2_NUMWORD] = {0x81, 0xEB, 0x26, 0xE9, 0x41, 0xBB, 0x5A, 0xF1, 0x6D, 0xF1, 0x16, 0x49, 0x5F, 0x90, 0x69, 0x52,
0x72, 0xAE, 0x2C, 0xD6, 0x3D, 0x6C, 0x4A, 0xE1, 0x67, 0x84, 0x18, 0xBE, 0x48, 0x23, 0x00, 0x29};
unsigned char std_pubKeyA[SM2_NUMWORD * 2] = {0x16, 0x0E, 0x12, 0x89, 0x7D, 0xF4, 0xED, 0xB6, 0x1D, 0xD8, 0x12, 0xFE, 0xB9, 0x67, 0x48,
0xFB, 0xD3, 0xCC, 0xF4, 0xFF, 0xE2, 0x6A, 0xA6, 0xF6, 0xDB, 0x95, 0x40, 0xAF, 0x49, 0xC9,
0x42, 0x32, 0x4A, 0x7D, 0xAD, 0x08, 0xBB, 0x9A, 0x45, 0x95, 0x31, 0x69, 0x4B, 0xEB, 0x20,
0xAA, 0x48, 0x9D, 0x66, 0x49, 0x97, 0x5E, 0x1B, 0xFC, 0xF8, 0xC4, 0x74, 0x1B, 0x78, 0xB4,
0xB2, 0x23, 0x00, 0x7F};
unsigned char std_randA[SM2_NUMWORD] = {0xD4, 0xDE, 0x15, 0x47, 0x4D, 0xB7, 0x4D, 0x06, 0x49, 0x1C, 0x44, 0x0D, 0x30, 0x5E, 0x01, 0x24,
0x00, 0x99, 0x0F, 0x3E, 0x39, 0x0C, 0x7E, 0x87, 0x15, 0x3C, 0x12, 0xDB, 0x2E, 0xA6, 0x0B, 0xB3};
unsigned char std_priKeyB[SM2_NUMWORD] = {0x78, 0x51, 0x29, 0x91, 0x7D, 0x45, 0xA9, 0xEA, 0x54, 0x37, 0xA5, 0x93, 0x56, 0xB8, 0x23, 0x38,
0xEA, 0xAD, 0xDA, 0x6C, 0xEB, 0x19, 0x90, 0x88, 0xF1, 0x4A, 0xE1, 0x0D, 0xEF, 0xA2, 0x29, 0xB5};
unsigned char std_pubKeyB[SM2_NUMWORD * 2] = {0x6A, 0xE8, 0x48, 0xC5, 0x7C, 0x53, 0xC7, 0xB1, 0xB5, 0xFA, 0x99, 0xEB, 0x22, 0x86, 0xAF,
0x07, 0x8B, 0xA6, 0x4C, 0x64, 0x59, 0x1B, 0x8B, 0x56, 0x6F, 0x73, 0x57, 0xD5, 0x76, 0xF1,
0x6D, 0xFB, 0xEE, 0x48, 0x9D, 0x77, 0x16, 0x21, 0xA2, 0x7B, 0x36, 0xC5, 0xC7, 0x99, 0x20,
0x62, 0xE9, 0xCD, 0x09, 0xA9, 0x26, 0x43, 0x86, 0xF3, 0xFB, 0xEA, 0x54, 0xDF, 0xF6, 0x93,
0x05, 0x62, 0x1C, 0x4D};
unsigned char std_randB[SM2_NUMWORD] = {0x7E, 0x07, 0x12, 0x48, 0x14, 0xB3, 0x09, 0x48, 0x91, 0x25, 0xEA, 0xED, 0x10, 0x11, 0x13, 0x16,
0x4E, 0xBF, 0x0F, 0x34, 0x58, 0xC5, 0xBD, 0x88, 0x33, 0x5C, 0x1F, 0x9D, 0x59, 0x62, 0x43, 0xD6};
unsigned char std_IDA[16] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38};
unsigned char std_IDB[16] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38};
unsigned short int std_ENTLA = 0x0080;
unsigned short int std_ENTLB = 0x0080;
unsigned char std_ZA[SM3_len] = {0x3B, 0x85, 0xA5, 0x71, 0x79, 0xE1, 0x1E, 0x7E, 0x51, 0x3A, 0xA6, 0x22, 0x99, 0x1F, 0x2C,
0xA7, 0x4D, 0x18, 0x07, 0xA0, 0xBD, 0x4D, 0x4B, 0x38, 0xF9, 0x09, 0x87, 0xA1, 0x7A, 0xC2,
0x45, 0xB1};
unsigned char std_ZB[SM3_len] = {0x79, 0xC9, 0x88, 0xD6, 0x32, 0x29, 0xD9, 0x7E, 0xF1, 0x9F, 0xE0, 0x2C, 0xA1, 0x05, 0x6E,
0x01, 0xE6, 0xA7, 0x41, 0x1E, 0xD2, 0x46, 0x94, 0xAA, 0x8F, 0x83, 0x4F, 0x4A, 0x4A, 0xB0,
0x22, 0xF7};
unsigned char std_RA[SM2_NUMWORD * 2] = {0x64, 0xCE, 0xD1, 0xBD, 0xBC, 0x99, 0xD5, 0x90, 0x04, 0x9B, 0x43, 0x4D, 0x0F, 0xD7, 0x34, 0x28,
0xCF, 0x60, 0x8A, 0x5D, 0xB8, 0xFE, 0x5C, 0xE0, 0x7F, 0x15, 0x02, 0x69, 0x40, 0xBA, 0xE4, 0x0E,
0x37, 0x66, 0x29, 0xC7, 0xAB, 0x21, 0xE7, 0xDB, 0x26, 0x09, 0x22, 0x49, 0x9D, 0xDB, 0x11, 0x8F,
0x07, 0xCE, 0x8E, 0xAA, 0xE3, 0xE7, 0x72, 0x0A, 0xFE, 0xF6, 0xA5, 0xCC, 0x06, 0x20, 0x70, 0xC0};
unsigned char std_K[16] = {0x6C, 0x89, 0x34, 0x73, 0x54, 0xDE, 0x24, 0x84, 0xC6, 0x0B, 0x4A, 0xB1, 0xFD, 0xE4, 0xC6, 0xE5};
unsigned char std_RB[SM2_NUMWORD * 2] = {0xAC, 0xC2, 0x76, 0x88, 0xA6, 0xF7, 0xB7, 0x06, 0x09, 0x8B, 0xC9, 0x1F, 0xF3, 0xAD, 0x1B, 0xFF,
0x7D, 0xC2, 0x80, 0x2C, 0xDB, 0x14, 0xCC, 0xCC, 0xDB, 0x0A, 0x90, 0x47, 0x1F, 0x9B, 0xD7, 0x07,
0x2F, 0xED, 0xAC, 0x04, 0x94, 0xB2, 0xFF, 0xC4, 0xD6, 0x85, 0x38, 0x76, 0xC7, 0x9B, 0x8F, 0x30,
0x1C, 0x65, 0x73, 0xAD, 0x0A, 0xA5, 0x0F, 0x39, 0xFC, 0x87, 0x18, 0x1E, 0x1A, 0x1B, 0x46, 0xFE};
unsigned char std_SB[SM3_len] = {0xD3, 0xA0, 0xFE, 0x15, 0xDE, 0xE1, 0x85, 0xCE, 0xAE, 0x90, 0x7A, 0x6B, 0x59, 0x5C, 0xC3,
0x2A, 0x26, 0x6E, 0xD7, 0xB3, 0x36, 0x7E, 0x99, 0x83, 0xA8, 0x96, 0xDC, 0x32, 0xFA, 0x20,
0xF8, 0xEB};
int std_Klen = 128; //bit len
int temp;
big x, y, dA, dB, rA, rB;
epoint* pubKeyA, *pubKeyB, *RA, *RB, *V;
unsigned char hash[SM3_len / 8] = {0};
unsigned char ZA[SM3_len / 8] = {0};
unsigned char ZB[SM3_len / 8] = {0};
unsigned char xy[SM2_NUMWORD * 2] = {0};
unsigned char *KA, *KB;
unsigned char SA[SM3_len / 8];
KA = malloc(std_Klen / 8);
KB = malloc(std_Klen / 8);
mip = mirsys(1000, 16);
mip->IOBASE = 16;
x = mirvar(0);
y = mirvar(0);
dA = mirvar(0);
dB = mirvar(0);
rA = mirvar(0);
rB = mirvar(0);
pubKeyA = epoint_init();
pubKeyB = epoint_init();
RA = epoint_init();
RB = epoint_init();
V = epoint_init();
SM2_standard_init();
bytes_to_big(SM2_NUMWORD, std_priKeyA, dA);
bytes_to_big(SM2_NUMWORD, std_priKeyB, dB);
bytes_to_big(SM2_NUMWORD, std_randA, rA);
bytes_to_big(SM2_NUMWORD, std_randB, rB);
bytes_to_big(SM2_NUMWORD, std_pubKeyA, x);
bytes_to_big(SM2_NUMWORD, std_pubKeyA + SM2_NUMWORD, y);
epoint_set(x, y, 0, pubKeyA);
bytes_to_big(SM2_NUMWORD, std_pubKeyB, x);
bytes_to_big(SM2_NUMWORD, std_pubKeyB + SM2_NUMWORD, y);
epoint_set(x, y, 0, pubKeyB);
SM3_z(std_IDA, std_ENTLA, pubKeyA, ZA);
if (memcmp(ZA, std_ZA, SM3_len / 8) != 0)
return ERR_SELFTEST_Z;
SM3_z(std_IDB, std_ENTLB, pubKeyB, ZB);
if (memcmp(ZB, std_ZB, SM3_len / 8) != 0)
return ERR_SELFTEST_Z;
temp = SM2_standard_keyex_init_i(rA, RA);
if (temp)
return temp;
epoint_get(RA, x, y);
big_to_bytes(SM2_NUMWORD, x, xy, 1);
big_to_bytes(SM2_NUMWORD, y, xy + SM2_NUMWORD, 1);
if (memcmp(xy, std_RA, SM2_NUMWORD * 2) != 0)
return ERR_SELFTEST_INI_I;
temp = SM2_standard_keyex_re_i(rB, dB, RA, pubKeyA, ZA, ZB, KA, std_Klen, RB, V, hash);
if (temp)
return temp;
if (memcmp(KA, std_K, std_Klen / 8) != 0)
return ERR_SELFTEST_RES_I;
temp = SM2_standard_keyex_init_ii(rA, dA, RA, RB, pubKeyB, ZA, ZB, hash, KB, std_Klen, SA);
if (temp)
return temp;
if (memcmp(KB, std_K, std_Klen / 8) != 0)
return ERR_SELFTEST_INI_II;
if (SM2_standard_keyex_re_ii(V, RA, RB, ZA, ZB, SA) != 0)
return ERR_EQUAL_S2SA;
free(KA);
free(KB);
return 0;
}

333
engines/sm_standard/sm2/sm2_standard_sign.c Normal file
View File

@@ -0,0 +1,333 @@
/* ====================================================================
* Copyright (c) 2015 - 2016 The GmSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the GmSSL Project.
* (http://gmssl.org/)"
*
* 4. The name "GmSSL Project" must not be used to endorse or promote
* products derived from this software without prior written
* permission. For written permission, please contact
* guanzhi1980@gmail.com.
*
* 5. Products derived from this software may not be called "GmSSL"
* nor may "GmSSL" appear in their names without prior written
* permission of the GmSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the GmSSL Project
* (http://gmssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include "mirdef.h"
#include "miracl.h"
#include "sm2_standard.h"
/* test if the big x is zero */
int Test_Zero(big x)
{
big zero;
zero = mirvar(0);
if (mr_compare(x, zero) == 0)
return 1;
else
return 0;
}
/* test if the big x is order n */
int Test_n(big x)
{
//bytes_to_big(32, SM2_n, n);
if (mr_compare(x, para_n) == 0)
return 1;
else
return 0;
}
/* calculate a pubKey out of a given priKey */
int SM2_standard_sign_keygeneration(unsigned char PriKey[], unsigned char Px[], unsigned char Py[])
{
int i = 0;
big d, PAx, PAy;
epoint *PA;
SM2_standard_init();
PA = epoint_init();
d = mirvar(0);
PAx = mirvar(0);
PAy = mirvar(0);
bytes_to_big(SM2_NUMWORD, PriKey, d);
ecurve_mult(d, G, PA);
epoint_get(PA, PAx, PAy);
big_to_bytes(SM2_NUMWORD, PAx, Px, TRUE);
big_to_bytes(SM2_NUMWORD, PAy, Py, TRUE);
i = Test_PubKey(PA);
if (i)
return i;
else
return 0;
}
/* SM2 signature algorithm */
int SM2_standard_sign(unsigned char *message, int len, unsigned char ZA[], unsigned char rand[], unsigned char d[], unsigned char R[], unsigned char S[])
{
unsigned char hash[SM3_len / 8];
int M_len = len + SM3_len / 8;
unsigned char *M = NULL;
int i;
big dA, r, s, e, k, KGx, KGy;
big rem, rk, z1, z2;
epoint *KG;
i = SM2_standard_init();
if (i)
return i;
//initiate
dA = mirvar(0);
e = mirvar(0);
k = mirvar(0);
KGx = mirvar(0);
KGy = mirvar(0);
r = mirvar(0);
s = mirvar(0);
rem = mirvar(0);
rk = mirvar(0);
z1 = mirvar(0);
z2 = mirvar(0);
bytes_to_big(SM2_NUMWORD, d, dA); //cinstr(dA, d);
KG = epoint_init();
//step1, set M = ZA || M
M = (char *)malloc(sizeof(char)*(M_len + 1));
memcpy(M, ZA, SM3_len / 8);
memcpy(M + SM3_len / 8, message, len);
//step2, generate e = H(M)
SM3_256(M, M_len, hash);
bytes_to_big(SM3_len / 8, hash, e);
//step3:generate k
bytes_to_big(SM3_len / 8, rand, k);
//step4:calculate kG
ecurve_mult(k, G, KG);
//step5:calculate r
epoint_get(KG, KGx, KGy);
add(e, KGx, r);
divide(r, para_n, rem);
//judge r = 0 or n + k = n?
add(r, k, rk);
if (Test_Zero(r) | Test_n(rk))
return ERR_GENERATE_R;
//step6:generate s
incr(dA, 1, z1);
xgcd(z1, para_n, z1, z1, z1);
multiply(r, dA, z2);
divide(z2, para_n, rem);
subtract(k, z2, z2);
add(z2, para_n, z2);
multiply(z1, z2, s);
divide(s, para_n, rem);
//judge s = 0?
if (Test_Zero(s))
return ERR_GENERATE_S ;
big_to_bytes(SM2_NUMWORD, r, R, TRUE);
big_to_bytes(SM2_NUMWORD, s, S, TRUE);
free(M);
return 0;
}
/* SM2 verification algorithm */
int SM2_standard_verify(unsigned char *message, int len, unsigned char ZA[], unsigned char Px[], unsigned char Py[], unsigned char R[], unsigned char S[])
{
unsigned char hash[SM3_len / 8];
int M_len = len + SM3_len / 8;
unsigned char *M = NULL;
int i;
big PAx, PAy, r, s, e, t, rem, x1, y1;
big RR;
epoint *PA, *sG, *tPA;
i = SM2_standard_init();
if (i)
return i;
PAx = mirvar(0);
PAy = mirvar(0);
r = mirvar(0);
s = mirvar(0);
e = mirvar(0);
t = mirvar(0);
x1 = mirvar(0);
y1 = mirvar(0);
rem = mirvar(0);
RR = mirvar(0);
PA = epoint_init();
sG = epoint_init();
tPA = epoint_init();
bytes_to_big(SM2_NUMWORD, Px, PAx);
bytes_to_big(SM2_NUMWORD, Py, PAy);
bytes_to_big(SM2_NUMWORD, R, r);
bytes_to_big(SM2_NUMWORD, S, s);
if (!epoint_set(PAx, PAy, 0, PA)) //initialise public key
{
return ERR_PUBKEY_INIT;
}
//step1: test if r belong to [1, n-1]
if (Test_Range(r))
return ERR_OUTRANGE_R;
//step2: test if s belong to [1, n-1]
if (Test_Range(s))
return ERR_OUTRANGE_S;
//step3, generate M
M = (char *)malloc(sizeof(char)*(M_len + 1));
memcpy(M, ZA, SM3_len / 8);
memcpy(M + SM3_len / 8, message, len);
//step4, generate e = H(M)
SM3_256(M, M_len, hash);
bytes_to_big(SM3_len / 8, hash, e);
//step5:generate t
add(r, s, t);
divide(t, para_n, rem);
if (Test_Zero(t))
return ERR_GENERATE_T;
//step 6: generate(x1, y1)
ecurve_mult(s, G, sG);
ecurve_mult(t, PA, tPA);
ecurve_add(sG, tPA);
epoint_get(tPA, x1, y1);
//step7:generate RR
add(e, x1, RR);
divide(RR, para_n, rem);
free(M);
if (mr_compare(RR, r) == 0)
return 0;
else
return ERR_DATA_MEMCMP;
}
/* SM2 self check */
int SM2_standard_selfcheck()
{
//the private key
unsigned char dA[32] = {0x39, 0x45, 0x20, 0x8f, 0x7b, 0x21, 0x44, 0xb1, 0x3f, 0x36, 0xe3, 0x8a, 0xc6, 0xd3, 0x9f,
0x95, 0x88, 0x93, 0x93, 0x69, 0x28, 0x60, 0xb5, 0x1a, 0x42, 0xfb, 0x81, 0xef, 0x4d, 0xf7,
0xc5, 0xb8};
unsigned char rand[32] = {0x59, 0x27, 0x6E, 0x27, 0xD5, 0x06, 0x86, 0x1A, 0x16, 0x68, 0x0F, 0x3A, 0xD9, 0xC0, 0x2D,
0xCC, 0xEF, 0x3C, 0xC1, 0xFA, 0x3C, 0xDB, 0xE4, 0xCE, 0x6D, 0x54, 0xB8, 0x0D, 0xEA, 0xC1,
0xBC, 0x21};
//the public key
/* unsigned char xA[32] = {0x09, 0xf9, 0xdf, 0x31, 0x1e, 0x54, 0x21, 0xa1, 0x50, 0xdd, 0x7d, 0x16, 0x1e, 0x4b, 0xc5,
0xc6, 0x72, 0x17, 0x9f, 0xad, 0x18, 0x33, 0xfc, 0x07, 0x6b, 0xb0, 0x8f, 0xf3, 0x56, 0xf3,
0x50, 0x20};
unsigned char yA[32] = {0xcc, 0xea, 0x49, 0x0c, 0xe2, 0x67, 0x75, 0xa5, 0x2d, 0xc6, 0xea, 0x71, 0x8c, 0xc1, 0xaa,
0x60, 0x0a, 0xed, 0x05, 0xfb, 0xf3, 0x5e, 0x08, 0x4a, 0x66, 0x32, 0xf6, 0x07, 0x2d, 0xa9,
0xad, 0x13};*/
unsigned char xA[32], yA[32];
unsigned char r[32], s[32]; // Signature
unsigned char IDA[16] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33,
0x34, 0x35, 0x36, 0x37, 0x38}; //ASCII code of userA's identification
int IDA_len = 16;
unsigned char ENTLA[2] = {0x00, 0x80}; //the length of userA's identification, presentation in ASCII code
unsigned char *message = "message digest"; //the message to be signed
int len = strlen(message); //the length of message
unsigned char ZA[SM3_len / 8]; //ZA = Hash(ENTLA || IDA || a || b || Gx || Gy || xA|| yA)
unsigned char Msg[210]; //210 = IDA_len + 2 + SM2_NUMWORD * 6
int temp;
mip = mirsys(10000, 16);
mip->IOBASE = 16;
temp = SM2_standard_sign_keygeneration(dA, xA, yA);
if (temp)
return temp;
//ENTLA || IDA || a || b || Gx || Gy || xA || yA
memcpy(Msg, ENTLA, 2);
memcpy(Msg + 2, IDA, IDA_len);
memcpy(Msg + 2 + IDA_len, SM2_a, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD, SM2_b, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 2, SM2_Gx, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 3, SM2_Gy, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 4, xA, SM2_NUMWORD);
memcpy(Msg + 2 + IDA_len + SM2_NUMWORD * 5, yA, SM2_NUMWORD);
SM3_256(Msg, 210, ZA);
temp = SM2_standard_sign(message, len, ZA, rand, dA, r, s);
if (temp)
return temp;
temp = SM2_standard_verify(message, len, ZA, xA, yA, r, s);
if (temp)
return temp;
return 0;
}