abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-07 00:46:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add SM3 LMS/HSS hash-based post-quantum signatures

Browse Source
This commit is contained in:
Zhi Guan
2025-12-04 11:46:16 +08:00
parent 34fa519dc0
commit 6a51ca01dc
12 changed files with 3515 additions and 608 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
tools/gmssl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2024 The GmSSL Project. All Rights Reserved.
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
@@ -34,7 +34,6 @@ extern int sm2decrypt_main(int argc, char **argv);
extern int sm3_main(int argc, char **argv);
extern int sm3hmac_main(int argc, char **argv);
extern int sm3_pbkdf2_main(int argc, char **argv);
extern int sm3xmss_keygen_main(int argc, char **argv);
extern int sm4_ecb_main(int argc, char **argv);
extern int sm4_cbc_main(int argc, char **argv);
extern int sm4_ctr_main(int argc, char **argv);
@@ -65,6 +64,17 @@ extern int tls12_client_main(int argc, char **argv);
extern int tls12_server_main(int argc, char **argv);
extern int tls13_client_main(int argc, char **argv);
extern int tls13_server_main(int argc, char **argv);
#ifdef ENABLE_SM3_LMS
extern int sm3lmskeygen_main(int argc, char **argv);
extern int sm3lmssign_main(int argc, char **argv);
extern int sm3lmsverify_main(int argc, char **argv);
extern int sm3hsskeygen_main(int argc, char **argv);
extern int sm3hsssign_main(int argc, char **argv);
extern int sm3hssverify_main(int argc, char **argv);
#endif
#ifdef ENABLE_SM3_XMSS
extern int sm3xmss_keygen_main(int argc, char **argv);
#endif
#ifdef ENABLE_SDF
extern int sdfinfo_main(int argc, char **argv);
extern int sdfdigest_main(int argc, char **argv);
@@ -94,7 +104,6 @@ static const char *options =
" sm3 Generate SM3 hash\n"
" sm3hmac Generate SM3 HMAC tag\n"
" sm3_pbkdf2 Hash password into key using PBKDF2 algoritm\n"
" sm3xmss_keygen Generate SM3-XMSS keypair\n"
" sm4_ecb Encrypt or decrypt with SM4 ECB\n"
" sm4_cbc Encrypt or decrypt with SM4 CBC\n"
" sm4_ctr Encrypt or decrypt with SM4 CTR\n"
@@ -130,6 +139,17 @@ static const char *options =
" cmsdecrypt Decrypt CMS EnvelopedData\n"
" cmssign Generate CMS SignedData\n"
" cmsverify Verify CMS SignedData\n"
#ifdef ENABLE_SM3_LMS
" sm3lmskeygen Generate SM3-LMS keypair\n"
" sm3lmssign Generate LMS signature\n"
" sm3lmsverify Verify LMS signature\n"
" sm3hsskeygen Generate SM3-HSS keypair\n"
" sm3hsssign Generate HSS signature\n"
" sm3hssverify Verify HSS signature\n"
#endif
#ifdef ENABLE_SM3_XMSS
" sm3xmss_keygen Generate SM3-XMSS keypair\n"
#endif
#ifdef ENABLE_SDF
" sdfinfo Print SDF device info\n"
" sdfdigest Generate SM3 hash with SDF device\n"
@@ -212,8 +232,6 @@ int main(int argc, char **argv)
return sm3hmac_main(argc, argv);
} else if (!strcmp(*argv, "sm3_pbkdf2")) {
return sm3_pbkdf2_main(argc, argv);
} else if (!strcmp(*argv, "sm3xmss_keygen")) {
return sm3xmss_keygen_main(argc, argv);
#if ENABLE_SM4_ECB
} else if (!strcmp(*argv, "sm4_ecb")) {
return sm4_ecb_main(argc, argv);
@@ -286,6 +304,24 @@ int main(int argc, char **argv)
return tls13_client_main(argc, argv);
} else if (!strcmp(*argv, "tls13_server")) {
return tls13_server_main(argc, argv);
#ifdef ENABLE_SM3_LMS
} else if (!strcmp(*argv, "sm3lmskeygen")) {
return sm3lmskeygen_main(argc, argv);
} else if (!strcmp(*argv, "sm3lmssign")) {
return sm3lmssign_main(argc, argv);
} else if (!strcmp(*argv, "sm3lmsverify")) {
return sm3lmsverify_main(argc, argv);
} else if (!strcmp(*argv, "sm3hsskeygen")) {
return sm3hsskeygen_main(argc, argv);
} else if (!strcmp(*argv, "sm3hsssign")) {
return sm3hsssign_main(argc, argv);
} else if (!strcmp(*argv, "sm3hssverify")) {
return sm3hssverify_main(argc, argv);
#endif
#ifdef ENABLE_SM3_XMSS
} else if (!strcmp(*argv, "sm3xmss_keygen")) {
return sm3xmss_keygen_main(argc, argv);
#endif
#ifdef ENABLE_SDF
} else if (!strcmp(*argv, "sdfinfo")) {
return sdfinfo_main(argc, argv);

158
tools/sm3hsskeygen.c Normal file
View File

@@ -0,0 +1,158 @@
/*
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/error.h>
#include <gmssl/sm3_lms.h>
static const char *usage = "-lms_types types -out file [-pubout file] [-verbose]\n";
static const char *options =
"Options\n"
" -lms_types types LMS Algorithm Types, start from level 0, seperate by ':'\n"
" such as "LMS_HASH256_M32_H5_NAME":"LMS_HASH256_M32_H10_NAME"\n"
" Supported types:\n"
" "LMS_HASH256_M32_H5_NAME"\n"
" "LMS_HASH256_M32_H10_NAME"\n"
" "LMS_HASH256_M32_H15_NAME"\n"
" "LMS_HASH256_M32_H20_NAME"\n"
" "LMS_HASH256_M32_H25_NAME"\n"
" -out file Output private key\n"
" -pubout file Output public key\n"
" -verbose Print public key\n"
"\n";
#define LMS_TYPES_STR_MAX_SIZE (sizeof("LMS_SM3_M32_H20_NAME") * 5)
int sm3hsskeygen_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *lms_types = NULL;
char *outfile = NULL;
char *puboutfile = NULL;
int verbose = 0;
char lms_types_str[LMS_TYPES_STR_MAX_SIZE];
int lms_types_val[5];
int levels = 0;
FILE *outfp = NULL;
FILE *puboutfp = stdout;
SM3_HSS_KEY key;
uint8_t out[SM3_HSS_PRIVATE_KEY_MAX_SIZE];
uint8_t pubout[SM3_HSS_PUBLIC_KEY_SIZE];
uint8_t *pout = out;
uint8_t *ppubout = pubout;
size_t outlen = 0, puboutlen = 0;
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: gmssl %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
} else if (!strcmp(*argv, "-lms_types")) {
char *tok;
if (--argc < 1) goto bad;
lms_types = *(++argv);
strncpy(lms_types_str, lms_types, sizeof(lms_types_str));
tok = strtok(lms_types_str, ":");
while (tok) {
if (!(lms_types_val[levels] = sm3_lms_type_from_name(tok))) {
fprintf(stderr, "%s: invalid lms_type `%s`\n", prog, tok);
goto end;
}
tok = strtok(NULL, ":");
levels++;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-pubout")) {
if (--argc < 1) goto bad;
puboutfile = *(++argv);
if (!(puboutfp = fopen(puboutfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!lms_types) {
fprintf(stderr, "%s: `-lms_types` option required\n", prog);
goto end;
}
if (!outfp) {
fprintf(stderr, "%s: `-out` option required\n", prog);
goto end;
}
if (sm3_hss_key_generate(&key, lms_types_val, levels) != 1) {
error_print();
return -1;
}
if (verbose) {
sm3_hss_public_key_print(stderr, 0, 0, "hss_public_key", &key);
}
if (sm3_hss_private_key_to_bytes(&key, &pout, &outlen) != 1) {
error_print();
goto end;
}
if (fwrite(out, 1, outlen, outfp) != outlen) {
error_print();
goto end;
}
if (sm3_hss_public_key_to_bytes(&key, &ppubout, &puboutlen) != 1) {
error_print();
goto end;
}
if (fwrite(pubout, 1, puboutlen, puboutfp) != puboutlen) {
error_print();
goto end;
}
ret = 0;
end:
gmssl_secure_clear(&key, sizeof(key));
gmssl_secure_clear(out, outlen);
if (outfile && outfp) fclose(outfp);
if (puboutfile && puboutfp) fclose(puboutfp);
return ret;
}

170
tools/sm3hsssign.c Normal file
View File

@@ -0,0 +1,170 @@
/*
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/error.h>
#include <gmssl/sm3_lms.h>
static const char *usage = "-key file [-in file] [-out file] [-verbose]\n";
static const char *options =
"Options\n"
" -key file Input private key file\n"
" -in file Input data file (if not using stdin)\n"
" -out file Output signature file\n"
" -verbose Print public key and signature\n"
"\n";
int sm3hsssign_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *keyfile = NULL;
char *infile = NULL;
char *outfile = NULL;
int verbose = 0;
FILE *keyfp = NULL;
FILE *infp = stdin;
FILE *outfp = stdout;
uint8_t keybuf[SM3_HSS_PRIVATE_KEY_MAX_SIZE];
size_t keylen = SM3_HSS_PRIVATE_KEY_MAX_SIZE;
const uint8_t *cp = keybuf;
uint8_t *p = keybuf;
SM3_HSS_KEY key;
SM3_HSS_SIGN_CTX ctx;
uint8_t sig[SM3_HSS_SIGNATURE_MAX_SIZE];
size_t siglen;
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
} else if (!strcmp(*argv, "-key")) {
if (--argc < 1) goto bad;
keyfile = *(++argv);
if (!(keyfp = fopen(keyfile, "rb+"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, keyfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (!(infp = fopen(infile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, infile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!keyfile) {
fprintf(stderr, "%s: `-key` option required\n", prog);
goto end;
}
if ((keylen = fread(keybuf, 1, keylen, keyfp)) <= 0) {
fprintf(stderr, "%s: read private key failure\n", prog);
goto end;
}
if (sm3_hss_private_key_from_bytes(&key, &cp, &keylen) != 1) {
error_print();
goto end;
}
if (keylen) {
error_print();
return -1;
}
if (verbose) {
sm3_hss_public_key_print(stderr, 0, 0, "hss_public_key", &key);
}
if (sm3_hss_sign_init(&ctx, &key) != 1) {
error_print();
goto end;
}
// write updated key back to file
// TODO: write back `q` only
if (sm3_hss_private_key_to_bytes(&key, &p, &keylen) != 1) {
error_print();
return -1;
}
rewind(keyfp);
if (fwrite(keybuf, 1, keylen, keyfp) != keylen) {
error_print();
return -1;
}
while (1) {
uint8_t buf[1024];
size_t len = fread(buf, 1, sizeof(buf), infp);
if (len == 0) {
break;
}
if (sm3_hss_sign_update(&ctx, buf, len) != 1) {
error_print();
goto end;
}
}
if (sm3_hss_sign_finish(&ctx, sig, &siglen) != 1) {
error_print();
goto end;
}
if (fwrite(sig, 1, siglen, outfp) != siglen) {
error_print();
goto end;
}
if (verbose) {
sm3_hss_signature_print(stderr, 0, 0, "hss_signature", sig, siglen);
}
ret = 0;
end:
gmssl_secure_clear(keybuf, sizeof(keybuf));
gmssl_secure_clear(&key, sizeof(key));
gmssl_secure_clear(&ctx, sizeof(ctx));
if (keyfp) fclose(keyfp);
if (infp && infp != stdin) fclose(infp);
if (outfp && outfp != stdout) fclose(outfp);
return ret;
}

157
tools/sm3hssverify.c Normal file
View File

@@ -0,0 +1,157 @@
/*
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/error.h>
#include <gmssl/sm3_lms.h>
static const char *usage = "-pubkey file [-in file] -sig file [-verbose]\n";
static const char *options =
"Options\n"
" -pubkey file Input public key file\n"
" -in file Input data file (if not using stdin)\n"
" -sig file Input signature file\n"
" -verbose Print public key and signature\n"
"\n";
int sm3hssverify_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *pubkeyfile = NULL;
char *infile = NULL;
char *sigfile = NULL;
int verbose = 0;
FILE *pubkeyfp = NULL;
FILE *infp = stdin;
FILE *sigfp = NULL;
uint8_t pubkeybuf[SM3_HSS_PUBLIC_KEY_SIZE];
size_t pubkeylen = SM3_HSS_PUBLIC_KEY_SIZE;
const uint8_t *cp = pubkeybuf;
uint8_t sig[SM3_HSS_SIGNATURE_MAX_SIZE];
size_t siglen;
SM3_HSS_KEY key;
SM3_HSS_SIGN_CTX ctx;
int vr;
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
} else if (!strcmp(*argv, "-pubkey")) {
if (--argc < 1) goto bad;
pubkeyfile = *(++argv);
if (!(pubkeyfp = fopen(pubkeyfile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, pubkeyfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (!(infp = fopen(infile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, infile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-sig")) {
if (--argc < 1) goto bad;
sigfile = *(++argv);
if (!(sigfp = fopen(sigfile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, sigfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!pubkeyfile) {
fprintf(stderr, "%s: `-key` option required\n", prog);
goto end;
}
if (!sigfile) {
fprintf(stderr, "%s: `-sig` option required\n", prog);
goto end;
}
if (fread(pubkeybuf, 1, pubkeylen, pubkeyfp) != pubkeylen) {
fprintf(stderr, "%s: read public key failure\n", prog);
goto end;
}
if (sm3_hss_public_key_from_bytes(&key, &cp, &pubkeylen) != 1) {
error_print();
goto end;
}
if (verbose) {
sm3_hss_public_key_print(stderr, 0, 0, "lms_public_key", &key);
}
// read signature even if signature not compatible with the public key
if ((siglen = fread(sig, 1, SM3_HSS_SIGNATURE_MAX_SIZE, sigfp)) <= 0) {
fprintf(stderr, "%s: read signature failure\n", prog);
goto end;
}
if (verbose) {
sm3_hss_signature_print(stderr, 0, 0, "lms_signature", sig, siglen);
}
if (sm3_hss_verify_init(&ctx, &key, sig, siglen) != 1) {
error_print();
goto end;
}
while (1) {
uint8_t buf[1024];
size_t len = fread(buf, 1, sizeof(buf), infp);
if (len == 0) {
break;
}
if (sm3_hss_verify_update(&ctx, buf, len) != 1) {
error_print();
goto end;
}
}
if ((vr = sm3_hss_verify_finish(&ctx)) < 0) {
error_print();
goto end;
}
fprintf(stdout, "verify : %s\n", vr == 1 ? "success" : "failure");
if (vr == 1) {
ret = 0;
}
end:
if (pubkeyfp) fclose(pubkeyfp);
if (infp && infp != stdin) fclose(infp);
if (sigfp) fclose(sigfp);
return ret;
}

144
tools/sm3lmskeygen.c Normal file
View File

@@ -0,0 +1,144 @@
/*
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/error.h>
#include <gmssl/sm3_lms.h>
static const char *usage = "-lms_type type -out file [-pubout file] [-verbose]\n";
static const char *options =
"Options\n"
" -lms_type type LMS Algorithm Type\n"
" "LMS_HASH256_M32_H5_NAME"\n"
" "LMS_HASH256_M32_H10_NAME"\n"
" "LMS_HASH256_M32_H15_NAME"\n"
" "LMS_HASH256_M32_H20_NAME"\n"
" "LMS_HASH256_M32_H25_NAME"\n"
" -out file Output private key\n"
" -pubout file Output public key\n"
" -verbose Print public key\n"
"\n";
int sm3lmskeygen_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *lms_type = NULL;
int lms_type_val = 0;
char *outfile = NULL;
char *puboutfile = NULL;
int verbose = 0;
FILE *outfp = NULL;
FILE *puboutfp = stdout;
SM3_LMS_KEY key;
uint8_t out[SM3_LMS_PRIVATE_KEY_SIZE];
uint8_t pubout[SM3_LMS_PUBLIC_KEY_SIZE];
uint8_t *pout = out;
uint8_t *ppubout = pubout;
size_t outlen = 0, puboutlen = 0;
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: gmssl %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
} else if (!strcmp(*argv, "-lms_type")) {
if (--argc < 1) goto bad;
lms_type = *(++argv);
if (!(lms_type_val = sm3_lms_type_from_name(lms_type))) {
fprintf(stderr, "%s: invalid lms_type `%s`\n", prog, lms_type);
goto end;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-pubout")) {
if (--argc < 1) goto bad;
puboutfile = *(++argv);
if (!(puboutfp = fopen(puboutfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!lms_type) {
fprintf(stderr, "%s: `-lms_type` option required\n", prog);
goto end;
}
if (!outfp) {
fprintf(stderr, "%s: `-out` option required\n", prog);
goto end;
}
if (sm3_lms_key_generate(&key, lms_type_val) != 1) {
error_print();
return -1;
}
if (verbose) {
sm3_lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);
}
if (sm3_lms_private_key_to_bytes(&key, &pout, &outlen) != 1) {
error_print();
goto end;
}
if (fwrite(out, 1, outlen, outfp) != outlen) {
error_print();
goto end;
}
if (sm3_lms_public_key_to_bytes(&key, &ppubout, &puboutlen) != 1) {
error_print();
goto end;
}
if (fwrite(pubout, 1, puboutlen, puboutfp) != puboutlen) {
error_print();
goto end;
}
ret = 0;
end:
gmssl_secure_clear(&key, sizeof(key));
gmssl_secure_clear(out, outlen);
if (outfile && outfp) fclose(outfp);
if (puboutfile && puboutfp) fclose(puboutfp);
return ret;
}

170
tools/sm3lmssign.c Normal file
View File

@@ -0,0 +1,170 @@
/*
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/error.h>
#include <gmssl/sm3_lms.h>
static const char *usage = "-key file [-in file] [-out file] [-verbose]\n";
static const char *options =
"Options\n"
" -key file Input private key file\n"
" -in file Input data file (if not using stdin)\n"
" -out file Output signature file\n"
" -verbose Print public key and signature\n"
"\n";
int sm3lmssign_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *keyfile = NULL;
char *infile = NULL;
char *outfile = NULL;
int verbose = 0;
FILE *keyfp = NULL;
FILE *infp = stdin;
FILE *outfp = stdout;
uint8_t keybuf[SM3_LMS_PRIVATE_KEY_SIZE];
size_t keylen = SM3_LMS_PRIVATE_KEY_SIZE;
const uint8_t *cp = keybuf;
uint8_t *p = keybuf;
SM3_LMS_KEY key;
SM3_LMS_SIGN_CTX ctx;
uint8_t sig[SM3_LMS_SIGNATURE_MAX_SIZE];
size_t siglen;
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
} else if (!strcmp(*argv, "-key")) {
if (--argc < 1) goto bad;
keyfile = *(++argv);
if (!(keyfp = fopen(keyfile, "rb+"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, keyfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (!(infp = fopen(infile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, infile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!keyfile) {
fprintf(stderr, "%s: `-key` option required\n", prog);
goto end;
}
if (fread(keybuf, 1, keylen, keyfp) != keylen) {
fprintf(stderr, "%s: read private key failure\n", prog);
goto end;
}
if (sm3_lms_private_key_from_bytes(&key, &cp, &keylen) != 1) {
error_print();
goto end;
}
if (keylen) {
error_print();
return -1;
}
if (verbose) {
sm3_lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);
}
if (sm3_lms_sign_init(&ctx, &key) != 1) {
error_print();
goto end;
}
// write updated key back to file
// TODO: write back `q` only
if (sm3_lms_private_key_to_bytes(&key, &p, &keylen) != 1) {
error_print();
return -1;
}
rewind(keyfp);
if (fwrite(keybuf, 1, keylen, keyfp) != keylen) {
error_print();
return -1;
}
while (1) {
uint8_t buf[1024];
size_t len = fread(buf, 1, sizeof(buf), infp);
if (len == 0) {
break;
}
if (sm3_lms_sign_update(&ctx, buf, len) != 1) {
error_print();
goto end;
}
}
if (sm3_lms_sign_finish(&ctx, sig, &siglen) != 1) {
error_print();
goto end;
}
if (fwrite(sig, 1, siglen, outfp) != siglen) {
error_print();
goto end;
}
if (verbose) {
sm3_lms_signature_print(stderr, 0, 0, "lms_signature", sig, siglen);
}
ret = 0;
end:
gmssl_secure_clear(keybuf, sizeof(keybuf));
gmssl_secure_clear(&key, sizeof(key));
gmssl_secure_clear(&ctx, sizeof(ctx));
if (keyfp) fclose(keyfp);
if (infp && infp != stdin) fclose(infp);
if (outfp && outfp != stdout) fclose(outfp);
return ret;
}

157
tools/sm3lmsverify.c Normal file
View File

@@ -0,0 +1,157 @@
/*
* Copyright 2014-2025 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/error.h>
#include <gmssl/sm3_lms.h>
static const char *usage = "-pubkey file [-in file] -sig file [-verbose]\n";
static const char *options =
"Options\n"
" -pubkey file Input public key file\n"
" -in file Input data file (if not using stdin)\n"
" -sig file Input signature file\n"
" -verbose Print public key and signature\n"
"\n";
int sm3lmsverify_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *pubkeyfile = NULL;
char *infile = NULL;
char *sigfile = NULL;
int verbose = 0;
FILE *pubkeyfp = NULL;
FILE *infp = stdin;
FILE *sigfp = NULL;
uint8_t pubkeybuf[SM3_LMS_PUBLIC_KEY_SIZE];
size_t pubkeylen = SM3_LMS_PUBLIC_KEY_SIZE;
const uint8_t *cp = pubkeybuf;
uint8_t sig[SM3_LMS_SIGNATURE_MAX_SIZE];
size_t siglen;
SM3_LMS_KEY key;
SM3_LMS_SIGN_CTX ctx;
int vr;
argc--;
argv++;
if (argc < 1) {
fprintf(stderr, "usage: gmssl %s %s\n", prog, usage);
return 1;
}
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: %s %s\n", prog, usage);
printf("%s\n", options);
ret = 0;
goto end;
} else if (!strcmp(*argv, "-pubkey")) {
if (--argc < 1) goto bad;
pubkeyfile = *(++argv);
if (!(pubkeyfp = fopen(pubkeyfile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, pubkeyfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (!(infp = fopen(infile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, infile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-sig")) {
if (--argc < 1) goto bad;
sigfile = *(++argv);
if (!(sigfp = fopen(sigfile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure: %s\n", prog, sigfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-verbose")) {
verbose = 1;
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!pubkeyfile) {
fprintf(stderr, "%s: `-key` option required\n", prog);
goto end;
}
if (!sigfile) {
fprintf(stderr, "%s: `-sig` option required\n", prog);
goto end;
}
if (fread(pubkeybuf, 1, pubkeylen, pubkeyfp) != pubkeylen) {
fprintf(stderr, "%s: read public key failure\n", prog);
goto end;
}
if (sm3_lms_public_key_from_bytes(&key, &cp, &pubkeylen) != 1) {
error_print();
goto end;
}
if (verbose) {
sm3_lms_public_key_print(stderr, 0, 0, "lms_public_key", &key.public_key);
}
// read signature even if signature not compatible with the public key
if ((siglen = fread(sig, 1, SM3_LMS_SIGNATURE_MAX_SIZE, sigfp)) <= 0) {
fprintf(stderr, "%s: read signature failure\n", prog);
goto end;
}
if (verbose) {
sm3_lms_signature_print(stderr, 0, 0, "lms_signature", sig, siglen);
}
if (sm3_lms_verify_init(&ctx, &key, sig, siglen) != 1) {
error_print();
goto end;
}
while (1) {
uint8_t buf[1024];
size_t len = fread(buf, 1, sizeof(buf), infp);
if (len == 0) {
break;
}
if (sm3_lms_verify_update(&ctx, buf, len) != 1) {
error_print();
goto end;
}
}
if ((vr = sm3_lms_verify_finish(&ctx)) < 0) {
error_print();
goto end;
}
fprintf(stdout, "verify : %s\n", vr == 1 ? "success" : "failure");
if (vr == 1) {
ret = 0;
}
end:
if (pubkeyfp) fclose(pubkeyfp);
if (infp && infp != stdin) fclose(infp);
if (sigfp) fclose(sigfp);
return ret;
}