From 08b925207e39f291383d633dcd806c5fe8055f6e Mon Sep 17 00:00:00 2001
From: Zhi Guan <guanzhi1980@gmail.com>
Date: Sun, 21 Jun 2026 00:01:39 +0800
Subject: [PATCH] Fix #1884

---
 CMakeLists.txt          |  2 +-
 include/gmssl/version.h |  2 +-
 src/sm9_key.c           | 16 ++++++++++----
 tests/sm9test.c         | 47 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 61 insertions(+), 6 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a46bceba..4e2f3fdc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -874,7 +874,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1132")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1133")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 9baeec5e..d349921c 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1132"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1133"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/sm9_key.c b/src/sm9_key.c
index 4563fa73..037e4459 100644
--- a/src/sm9_key.c
+++ b/src/sm9_key.c
@@ -78,6 +78,7 @@ int sm9_sign_master_key_from_der(SM9_SIGN_MASTER_KEY *msk, const uint8_t **in, s
 	size_t dlen;
 	const uint8_t *ks;
 	size_t kslen;
+	uint8_t ksbuf[32];
 	const uint8_t *Ppubs;
 	size_t Ppubslen;
 
@@ -87,14 +88,17 @@ int sm9_sign_master_key_from_der(SM9_SIGN_MASTER_KEY *msk, const uint8_t **in, s
 	}
 	if (asn1_integer_from_der(&ks, &kslen, &d, &dlen) != 1
 		|| asn1_bit_octets_from_der(&Ppubs, &Ppubslen, &d, &dlen) != 1
-		|| asn1_check(kslen == 32) != 1
+		|| asn1_check(kslen > 0 && kslen <= 32) != 1
 		|| asn1_check(Ppubslen == 1 + 32 * 4) != 1
 		|| asn1_length_is_zero(dlen) != 1) {
 		error_print();
 		return -1;
 	}
 	memset(msk, 0, sizeof(*msk));
-	sm9_z256_from_bytes(msk->ks, ks);
+	memset(ksbuf, 0, sizeof(ksbuf));
+	memcpy(ksbuf + sizeof(ksbuf) - kslen, ks, kslen);
+	sm9_z256_from_bytes(msk->ks, ksbuf);
+	gmssl_secure_clear(ksbuf, sizeof(ksbuf));
 	if (sm9_z256_cmp(msk->ks, sm9_z256_order()) >= 0) {
 		error_print();
 		return -1;
@@ -263,6 +267,7 @@ int sm9_enc_master_key_from_der(SM9_ENC_MASTER_KEY *msk, const uint8_t **in, siz
 	size_t dlen;
 	const uint8_t *ke;
 	size_t kelen;
+	uint8_t kebuf[32];
 	const uint8_t *Ppube;
 	size_t Ppubelen;
 
@@ -272,7 +277,7 @@ int sm9_enc_master_key_from_der(SM9_ENC_MASTER_KEY *msk, const uint8_t **in, siz
 	}
 	if (asn1_integer_from_der(&ke, &kelen, &d, &dlen) != 1
 		|| asn1_bit_octets_from_der(&Ppube, &Ppubelen, &d, &dlen) != 1
-		|| asn1_check(kelen == 32) != 1
+		|| asn1_check(kelen > 0 && kelen <= 32) != 1
 		|| asn1_check(Ppubelen == 1 + 32 * 2) != 1
 		|| asn1_length_is_zero(dlen) != 1) {
 		error_print();
@@ -280,7 +285,10 @@ int sm9_enc_master_key_from_der(SM9_ENC_MASTER_KEY *msk, const uint8_t **in, siz
 	}
 	memset(msk, 0, sizeof(*msk));
 
-	sm9_z256_from_bytes(msk->ke, ke);
+	memset(kebuf, 0, sizeof(kebuf));
+	memcpy(kebuf + sizeof(kebuf) - kelen, ke, kelen);
+	sm9_z256_from_bytes(msk->ke, kebuf);
+	gmssl_secure_clear(kebuf, sizeof(kebuf));
 	if (sm9_z256_cmp(msk->ke, sm9_z256_order()) >= 0) {
 		error_print();
 		return -1;
diff --git a/tests/sm9test.c b/tests/sm9test.c
index abcf2bb6..96d8b915 100644
--- a/tests/sm9test.c
+++ b/tests/sm9test.c
@@ -13,6 +13,7 @@
 #include <stdlib.h>
 #include <time.h>
 #include <gmssl/sm9.h>
+#include <gmssl/hex.h>
 #include <gmssl/error.h>
 #include <gmssl/rand.h>
 
@@ -778,6 +779,51 @@ err:
 	return -1;
 }
 
+int test_sm9_master_key_from_der_leading_zero()
+{
+	char *enc_master_key_der =
+		"306602200084509d9f11799ba847a142b4c1ed860dd66943ecf79f544d4327882beb229d"
+		"03420004654a84a614e4e3f670152a4253ef8fe5127ad7a5b0d85a6a009b3a95dadfb"
+		"25d407d04cf4d90c3addd3b9829ed92a37d1be32af3ae32e5cb3b6fd5a1ddb8fa2c";
+	char *leading_zero_scalar =
+		"0084509d9f11799ba847a142b4c1ed860dd66943ecf79f544d4327882beb229d";
+	SM9_ENC_MASTER_KEY enc_master;
+	SM9_SIGN_MASTER_KEY sign_master;
+	SM9_SIGN_MASTER_KEY parsed_sign_master;
+	uint8_t der[SM9_SIGN_MASTER_KEY_MAX_SIZE];
+	uint8_t enc_der[SM9_ENC_MASTER_KEY_MAX_SIZE];
+	uint8_t *p = der;
+	const uint8_t *cp;
+	size_t len = 0;
+	size_t derlen;
+	int j = 1;
+
+	if (hex_to_bytes(enc_master_key_der, strlen(enc_master_key_der), enc_der, &derlen) != 1) goto err; ++j;
+	cp = enc_der;
+	len = derlen;
+	if (sm9_enc_master_key_from_der(&enc_master, &cp, &len) != 1
+		|| len != 0
+		|| !sm9_z256_equ_hex(enc_master.ke, leading_zero_scalar)) goto err; ++j;
+
+	sm9_z256_from_hex(sign_master.ks, leading_zero_scalar);
+	sm9_z256_twist_point_mul_generator(&sign_master.Ppubs, sign_master.ks);
+	len = 0;
+	if (sm9_sign_master_key_to_der(&sign_master, &p, &len) != 1) goto err; ++j;
+	cp = der;
+	derlen = len;
+	if (sm9_sign_master_key_from_der(&parsed_sign_master, &cp, &derlen) != 1
+		|| derlen != 0
+		|| sm9_z256_cmp(parsed_sign_master.ks, sign_master.ks) != 0
+		|| !sm9_z256_twist_point_equ(&parsed_sign_master.Ppubs, &sign_master.Ppubs)) goto err; ++j;
+
+	printf("%s() ok\n", __FUNCTION__);
+	return 1;
+err:
+	printf("%s test %d failed\n", __FUNCTION__, j);
+	error_print();
+	return -1;
+}
+
 #define hex_kex		"0002E65B0762D042F51F0D23542B13ED8CFA2E9A0E7206361E013A283905E31F"
 
 #define hex_deA \
@@ -844,6 +890,7 @@ int main(void) {
 	if (test_sm9_z256_sign() != 1) goto err;
 	if (test_sm9_z256_ciphertext() != 1) goto err;
 	if (test_sm9_z256_encrypt() != 1) goto err;
+	if (test_sm9_master_key_from_der_leading_zero() != 1) goto err;
 	if (test_sm9_z256_exchange() != 1) goto err;
 	if (test_sm9_z256_pairing_speed() != 1) goto err;