#if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR) #pragma warning disable using System; using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Digests; using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Parameters; using BestHTTP.SecureProtocol.Org.BouncyCastle.Math; using BestHTTP.SecureProtocol.Org.BouncyCastle.Math.EC; using BestHTTP.SecureProtocol.Org.BouncyCastle.Math.EC.Multiplier; using BestHTTP.SecureProtocol.Org.BouncyCastle.Security; using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities; using BestHTTP.SecureProtocol.Org.BouncyCastle.Utilities.Encoders; namespace BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Signers { /// The SM2 Digital Signature algorithm. public class SM2Signer : ISigner { private readonly IDsaKCalculator kCalculator = new RandomDsaKCalculator(); private readonly IDigest digest; private readonly IDsaEncoding encoding; private ECDomainParameters ecParams; private ECPoint pubPoint; private ECKeyParameters ecKey; private byte[] z; public SM2Signer() : this(StandardDsaEncoding.Instance, new SM3Digest()) { } public SM2Signer(IDigest digest) : this(StandardDsaEncoding.Instance, digest) { } public SM2Signer(IDsaEncoding encoding) : this(encoding, new SM3Digest()) { } public SM2Signer(IDsaEncoding encoding, IDigest digest) { this.encoding = encoding; this.digest = digest; } public virtual string AlgorithmName { get { return "SM2Sign"; } } public virtual void Init(bool forSigning, ICipherParameters parameters) { ICipherParameters baseParam; byte[] userID; if (parameters is ParametersWithID) { baseParam = ((ParametersWithID)parameters).Parameters; userID = ((ParametersWithID)parameters).GetID(); if (userID.Length >= 8192) throw new ArgumentException("SM2 user ID must be less than 2^16 bits long"); } else { baseParam = parameters; // the default value, string value is "1234567812345678" userID = Hex.DecodeStrict("31323334353637383132333435363738"); } if (forSigning) { if (baseParam is ParametersWithRandom) { ParametersWithRandom rParam = (ParametersWithRandom)baseParam; ecKey = (ECKeyParameters)rParam.Parameters; ecParams = ecKey.Parameters; kCalculator.Init(ecParams.N, rParam.Random); } else { ecKey = (ECKeyParameters)baseParam; ecParams = ecKey.Parameters; kCalculator.Init(ecParams.N, new SecureRandom()); } pubPoint = CreateBasePointMultiplier().Multiply(ecParams.G, ((ECPrivateKeyParameters)ecKey).D).Normalize(); } else { ecKey = (ECKeyParameters)baseParam; ecParams = ecKey.Parameters; pubPoint = ((ECPublicKeyParameters)ecKey).Q; } digest.Reset(); z = GetZ(userID); digest.BlockUpdate(z, 0, z.Length); } public virtual void Update(byte b) { digest.Update(b); } public virtual void BlockUpdate(byte[] buf, int off, int len) { digest.BlockUpdate(buf, off, len); } public virtual bool VerifySignature(byte[] signature) { try { BigInteger[] rs = encoding.Decode(ecParams.N, signature); return VerifySignature(rs[0], rs[1]); } catch (Exception) { } return false; } public virtual void Reset() { if (z != null) { digest.Reset(); digest.BlockUpdate(z, 0, z.Length); } } public virtual byte[] GenerateSignature() { byte[] eHash = DigestUtilities.DoFinal(digest); BigInteger n = ecParams.N; BigInteger e = CalculateE(n, eHash); BigInteger d = ((ECPrivateKeyParameters)ecKey).D; BigInteger r, s; ECMultiplier basePointMultiplier = CreateBasePointMultiplier(); // 5.2.1 Draft RFC: SM2 Public Key Algorithms do // generate s { BigInteger k; do // generate r { // A3 k = kCalculator.NextK(); // A4 ECPoint p = basePointMultiplier.Multiply(ecParams.G, k).Normalize(); // A5 r = e.Add(p.AffineXCoord.ToBigInteger()).Mod(n); } while (r.SignValue == 0 || r.Add(k).Equals(n)); // A6 BigInteger dPlus1ModN = BigIntegers.ModOddInverse(n, d.Add(BigIntegers.One)); s = k.Subtract(r.Multiply(d)).Mod(n); s = dPlus1ModN.Multiply(s).Mod(n); } while (s.SignValue == 0); // A7 try { return encoding.Encode(ecParams.N, r, s); } catch (Exception ex) { throw new CryptoException("unable to encode signature: " + ex.Message, ex); } } private bool VerifySignature(BigInteger r, BigInteger s) { BigInteger n = ecParams.N; // 5.3.1 Draft RFC: SM2 Public Key Algorithms // B1 if (r.CompareTo(BigInteger.One) < 0 || r.CompareTo(n) >= 0) return false; // B2 if (s.CompareTo(BigInteger.One) < 0 || s.CompareTo(n) >= 0) return false; // B3 byte[] eHash = DigestUtilities.DoFinal(digest); // B4 BigInteger e = CalculateE(n, eHash); // B5 BigInteger t = r.Add(s).Mod(n); if (t.SignValue == 0) return false; // B6 ECPoint q = ((ECPublicKeyParameters)ecKey).Q; ECPoint x1y1 = ECAlgorithms.SumOfTwoMultiplies(ecParams.G, s, q, t).Normalize(); if (x1y1.IsInfinity) return false; // B7 return r.Equals(e.Add(x1y1.AffineXCoord.ToBigInteger()).Mod(n)); } private byte[] GetZ(byte[] userID) { AddUserID(digest, userID); AddFieldElement(digest, ecParams.Curve.A); AddFieldElement(digest, ecParams.Curve.B); AddFieldElement(digest, ecParams.G.AffineXCoord); AddFieldElement(digest, ecParams.G.AffineYCoord); AddFieldElement(digest, pubPoint.AffineXCoord); AddFieldElement(digest, pubPoint.AffineYCoord); return DigestUtilities.DoFinal(digest); } private void AddUserID(IDigest digest, byte[] userID) { int len = userID.Length * 8; digest.Update((byte)(len >> 8)); digest.Update((byte)len); digest.BlockUpdate(userID, 0, userID.Length); } private void AddFieldElement(IDigest digest, ECFieldElement v) { byte[] p = v.GetEncoded(); digest.BlockUpdate(p, 0, p.Length); } protected virtual BigInteger CalculateE(BigInteger n, byte[] message) { // TODO Should hashes larger than the order be truncated as with ECDSA? return new BigInteger(1, message); } protected virtual ECMultiplier CreateBasePointMultiplier() { return new FixedPointCombMultiplier(); } } } #pragma warning restore #endif