diff --git a/CMakeLists.txt b/CMakeLists.txt index b022eadd..1d394d16 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -552,7 +552,7 @@ if (ENABLE_SDF) src/sdf/sdf_meth.c src/sdf/sdf_ext.c src/sdf/sdf_sansec.c) - list(APPEND tools tools/sdfinfo.c tools/sdfdigest.c tools/sdfexport.c tools/sdfsign.c tools/sdftest.c) + list(APPEND tools tools/sdfinfo.c tools/sdfdigest.c tools/sdfexport.c tools/sdfsign.c tools/sdfencrypt.c tools/sdftest.c) endif() diff --git a/include/gmssl/sdf.h b/include/gmssl/sdf.h index 5cc0097a..9967b84f 100644 --- a/include/gmssl/sdf.h +++ b/include/gmssl/sdf.h @@ -14,6 +14,7 @@ #include #include #include +#include #ifdef __cplusplus @@ -32,6 +33,18 @@ typedef struct { void *session; } SDF_DIGEST_CTX; +typedef struct { + void *session; + void *handle; +} SDF_KEY; + +typedef struct { + SDF_KEY key; + uint8_t iv[SM4_BLOCK_SIZE]; + uint8_t block[SM4_BLOCK_SIZE]; + size_t block_nbytes; +} SDF_CBC_CTX; + typedef struct { SM2_Z256_POINT public_key; void *session; @@ -44,6 +57,9 @@ typedef struct { SDF_SIGN_KEY key; } SDF_SIGN_CTX; + + + int sdf_load_library(const char *so_path, const char *vendor); int sdf_open_device(SDF_DEVICE *dev); int sdf_print_device_info(FILE *fp, int fmt, int ind, const char *lable, SDF_DEVICE *dev); @@ -52,7 +68,17 @@ int sdf_digest_update(SDF_DIGEST_CTX *ctx, const uint8_t *data, size_t datalen); int sdf_digest_finish(SDF_DIGEST_CTX *ctx, uint8_t dgst[SM3_DIGEST_SIZE]); int sdf_digest_reset(SDF_DIGEST_CTX *ctx); void sdf_digest_cleanup(SDF_DIGEST_CTX *ctx); +int sdf_generate_key(SDF_DEVICE *dev, SDF_KEY *key, const SM2_KEY *sm2_key, uint8_t *wrappedkey, size_t *wrappedkey_len); +int sdf_import_key(SDF_DEVICE *dev, unsigned int key_index, const char *pass, const uint8_t *wrappedkey, size_t wrappedkey_len, SDF_KEY *key); +int sdf_cbc_encrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16]); +int sdf_cbc_encrypt_update(SDF_CBC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen); +int sdf_cbc_encrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen); +int sdf_cbc_decrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16]); +int sdf_cbc_decrypt_update(SDF_CBC_CTX *ctx, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen); +int sdf_cbc_decrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen); +int sdf_destroy_key(SDF_KEY *key); int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *public_key); +int sdf_export_encrypt_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *public_key); int sdf_load_sign_key(SDF_DEVICE *dev, SDF_SIGN_KEY *key, int key_index, const char *pass); int sdf_sign(SDF_SIGN_KEY *key, const uint8_t dgst[32], uint8_t *sig, size_t *siglen); int sdf_sign_init(SDF_SIGN_CTX *ctx, const SDF_SIGN_KEY *key, const char *id, size_t idlen); diff --git a/src/sdf/sdf.c b/src/sdf/sdf.c index 1c29f1e6..a91382a8 100755 --- a/src/sdf/sdf.c +++ b/src/sdf/sdf.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "sdf.h" #include "sdf_ext.h" @@ -226,6 +227,445 @@ void sdf_digest_cleanup(SDF_DIGEST_CTX *ctx) } } +static int sdf_cbc_encrypt_blocks(SDF_KEY *key, uint8_t iv[16], const uint8_t *in, size_t nblocks, uint8_t *out) +{ + unsigned int inlen = (unsigned int)(nblocks * 16); + unsigned int outlen = 0; + + if (SDF_Encrypt(key->session, key->handle, SGD_SM4_CBC, iv, + (unsigned char *)in, inlen, out, &outlen) != SDR_OK) { + error_print(); + return -1; + } + if (outlen != inlen) { + error_print(); + return -1; + } + if (outlen) { + if (memcmp(iv, out + outlen - 16, 16) != 0) { + memcpy(iv, out + outlen - 16, 16); + } + } + return 1; +} + +static int sdf_cbc_decrypt_blocks(SDF_KEY *key, uint8_t iv[16], const uint8_t *in, size_t nblocks, uint8_t *out) +{ + unsigned int inlen = (unsigned int)(nblocks * 16); + unsigned int outlen = 0; + + if (SDF_Decrypt(key->session, key->handle, SGD_SM4_CBC, + iv, (unsigned char *)in, inlen, out, &outlen) != SDR_OK) { + error_print(); + return -1; + } + if (outlen != inlen) { + error_print(); + return -1; + } + if (inlen) { + if (memcmp(iv, in + inlen - 16, 16) != 0) { + memcmp(iv, in + inlen - 16, 16); + } + } + return 1; +} + +static int sdf_cbc_padding_encrypt(SDF_KEY *key, + const uint8_t piv[16], const uint8_t *in, size_t inlen, + uint8_t *out, size_t *outlen) +{ + uint8_t iv[16]; + uint8_t block[16]; + size_t rem = inlen % 16; + int padding = 16 - inlen % 16; + + memcpy(iv, piv, 16); + if (in) { + memcpy(block, in + inlen - rem, rem); + } + memset(block + rem, padding, padding); + + if (inlen/16) { + if (sdf_cbc_encrypt_blocks(key, iv, in, inlen/16, out) != 1) { + error_print(); + return -1; + } + out += inlen - rem; + } + + if (sdf_cbc_encrypt_blocks(key, iv, block, 1, out) != 1) { + error_print(); + return -1; + } + *outlen = inlen - rem + 16; + return 1; +} + +static int sdf_cbc_padding_decrypt(SDF_KEY *key, + const uint8_t piv[16], const uint8_t *in, size_t inlen, + uint8_t *out, size_t *outlen) +{ + uint8_t iv[16]; + uint8_t block[16]; + size_t len = sizeof(block); + int padding; + + if (inlen%16 != 0 || inlen < 16) { + error_print(); + return -1; + } + + memcpy(iv, piv, 16); + + if (inlen > 16) { + if (sdf_cbc_decrypt_blocks(key, iv, in, inlen/16 - 1, out) != 1) { + error_print(); + return -1; + } + } + + if (sdf_cbc_decrypt_blocks(key, iv, in + inlen - 16, 1, block) != 1) { + error_print(); + return -1; + } + + padding = block[15]; + if (padding < 1 || padding > 16) { + error_print(); + return -1; + } + len -= padding; + memcpy(out + inlen - 16, block, len); + *outlen = inlen - padding; + return 1; +} + +int sdf_generate_key(SDF_DEVICE *dev, SDF_KEY *key, + const SM2_KEY *sm2_key, uint8_t *wrappedkey, size_t *wrappedkey_len) +{ + void *hSession; + void *hKey; + ECCrefPublicKey eccPublicKey; + ECCCipher eccCipher; + const uint8_t zeros[ECCref_MAX_LEN - 32] = {0}; + SM2_POINT point; + SM2_CIPHERTEXT ciphertext; + int ret; + + if (!dev || !key || !sm2_key || !wrappedkey_len) { + error_print(); + return -1; + } + if (!dev->handle) { + error_print(); + return -1; + } + if (!wrappedkey) { + *wrappedkey_len = SM2_MAX_CIPHERTEXT_SIZE; + return 1; + } + + // SM2_KEY => ECCrefPublicKey + sm2_z256_point_to_bytes(&sm2_key->public_key, (uint8_t *)&point); + eccPublicKey.bits = 256; + memset(eccPublicKey.x, 0, sizeof(zeros)); + memcpy(eccPublicKey.x + sizeof(zeros), point.x, 32); + memset(eccPublicKey.y, 0, sizeof(zeros)); + memcpy(eccPublicKey.y + sizeof(zeros), point.y, 32); + + // SDF_GenerateKeyWithEPK_ECC + if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK) { + error_print(); + return -1; + } + if (SDF_GenerateKeyWithEPK_ECC(hSession, 128, SGD_SM2_3, &eccPublicKey, &eccCipher, &hKey) != SDR_OK) { + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + + // ECCCipher => SM2_CIPHERTEXT + if (eccCipher.L > SM2_MAX_PLAINTEXT_SIZE + || memcmp(eccCipher.x, zeros, sizeof(zeros)) != 0 + || memcmp(eccCipher.y, zeros, sizeof(zeros)) != 0) { + (void)SDF_DestroyKey(hSession, hKey); + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + memcpy(ciphertext.point.x, eccCipher.x + sizeof(zeros), 32); + memcpy(ciphertext.point.y, eccCipher.y + sizeof(zeros), 32); + memcpy(ciphertext.hash, eccCipher.M, 32); + memcpy(ciphertext.ciphertext, eccCipher.C, eccCipher.L); + ciphertext.ciphertext_size = eccCipher.L; + + // SM2_CIPHERTEXT => DER + *wrappedkey_len = 0; + if (sm2_ciphertext_to_der(&ciphertext, &wrappedkey, wrappedkey_len) != 1) { + (void)SDF_DestroyKey(hSession, hKey); + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + + key->session = hSession; + key->handle = hKey; + return 1; +} + +int sdf_destroy_key(SDF_KEY *key) +{ + if (key) { + if (key->session && key->handle) { + if (SDF_DestroyKey(key->session, key->handle) != SDR_OK) { + error_print(); + return -1; + } + key->session = NULL; + key->handle = NULL; + } + if (key->session || key->handle) { + error_print(); + return -1; + } + } + return 1; +} + +int sdf_import_key(SDF_DEVICE *dev, unsigned int key_index, const char *pass, + const uint8_t *wrappedkey, size_t wrappedkey_len, SDF_KEY *key) +{ + void *hSession; + void *hKey; + ECCCipher eccCipher; + const uint8_t zeros[ECCref_MAX_LEN - 32] = {0}; + SM2_POINT point; + SM2_CIPHERTEXT ciphertext; + int ret; + + if (!dev || !pass || !wrappedkey || !wrappedkey_len) { + error_print(); + return -1; + } + if (!dev->handle) { + error_print(); + return -1; + } + + // SM2_CIPHERTEXT <= DER + if (sm2_ciphertext_from_der(&ciphertext, &wrappedkey, &wrappedkey_len) != 1) { + error_print(); + return -1; + } + if (wrappedkey_len != 0) { + error_print(); + return -1; + } + + // ECCCipher <= SM2_CIPHERTEXT + memset(eccCipher.x, 0, sizeof(zeros)); + memcpy(eccCipher.x + sizeof(zeros), ciphertext.point.x, 32); + memset(eccCipher.y, 0, sizeof(zeros)); + memcpy(eccCipher.y + sizeof(zeros), ciphertext.point.y, 32); + memcpy(eccCipher.C, ciphertext.ciphertext, ciphertext.ciphertext_size); + eccCipher.L = ciphertext.ciphertext_size; + + // SDF_ImportKeyWithISK_ECC + if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK) { + error_print(); + return -1; + } + if (SDF_GetPrivateKeyAccessRight(hSession, key_index, (unsigned char *)pass, (unsigned int)strlen(pass)) != SDR_OK) { + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + if (SDF_ImportKeyWithISK_ECC(hSession, key_index, &eccCipher, &hKey) != SDR_OK) { + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + if (SDF_ReleasePrivateKeyAccessRight(hSession, (unsigned int)key_index) != SDR_OK) { + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + + key->session = hSession; + key->handle = hKey; + return 1; +} + +int sdf_cbc_encrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16]) +{ + if (!ctx || !key || !iv) { + error_print(); + return -1; + } + if (!key->session || !key->handle) { + error_print(); + return -1; + } + ctx->key = *key; + memcpy(ctx->iv, iv, SM4_BLOCK_SIZE); + memset(ctx->block, 0, SM4_BLOCK_SIZE); + ctx->block_nbytes = 0; + return 1; +} + +int sdf_cbc_encrypt_update(SDF_CBC_CTX *ctx, + const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) +{ + size_t left; + size_t nblocks; + size_t len; + + if (!ctx || !in || !out || !outlen) { + error_print(); + return -1; + } + if (ctx->block_nbytes >= SM4_BLOCK_SIZE) { + error_print(); + return -1; + } + *outlen = 0; + if (ctx->block_nbytes) { + left = SM4_BLOCK_SIZE - ctx->block_nbytes; + if (inlen < left) { + memcpy(ctx->block + ctx->block_nbytes, in, inlen); + ctx->block_nbytes += inlen; + return 1; + } + memcpy(ctx->block + ctx->block_nbytes, in, left); + if (sdf_cbc_encrypt_blocks(&ctx->key, ctx->iv, ctx->block, 1, out) != 1) { + error_print(); + return -1; + } + in += left; + inlen -= left; + out += SM4_BLOCK_SIZE; + *outlen += SM4_BLOCK_SIZE; + } + if (inlen >= SM4_BLOCK_SIZE) { + nblocks = inlen / SM4_BLOCK_SIZE; + len = nblocks * SM4_BLOCK_SIZE; + if (sdf_cbc_encrypt_blocks(&ctx->key, ctx->iv, in, nblocks, out) != 1) { + error_print(); + return -1; + } + in += len; + inlen -= len; + out += len; + *outlen += len; + } + if (inlen) { + memcpy(ctx->block, in, inlen); + } + ctx->block_nbytes = inlen; + return 1; +} + +int sdf_cbc_encrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen) +{ + if (!ctx || !out || !outlen) { + error_print(); + return -1; + } + if (ctx->block_nbytes >= SM4_BLOCK_SIZE) { + error_print(); + return -1; + } + if (sdf_cbc_padding_encrypt(&ctx->key, ctx->iv, ctx->block, ctx->block_nbytes, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + +int sdf_cbc_decrypt_init(SDF_CBC_CTX *ctx, const SDF_KEY *key, const uint8_t iv[16]) +{ + if (!ctx || !key || !iv) { + error_print(); + return -1; + } + if (!key->session || !key->handle) { + error_print(); + return -1; + } + ctx->key = *key; + memcpy(ctx->iv, iv, SM4_BLOCK_SIZE); + memset(ctx->block, 0, SM4_BLOCK_SIZE); + ctx->block_nbytes = 0; + return 1; +} + +int sdf_cbc_decrypt_update(SDF_CBC_CTX *ctx, + const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) +{ + size_t left, len, nblocks; + + if (!ctx || !in || !out || !outlen) { + error_print(); + return -1; + } + if (ctx->block_nbytes > SM4_BLOCK_SIZE) { + error_print(); + return -1; + } + + *outlen = 0; + if (ctx->block_nbytes) { + left = SM4_BLOCK_SIZE - ctx->block_nbytes; + if (inlen <= left) { + memcpy(ctx->block + ctx->block_nbytes, in, inlen); + ctx->block_nbytes += inlen; + return 1; + } + memcpy(ctx->block + ctx->block_nbytes, in, left); + if (sdf_cbc_decrypt_blocks(&ctx->key, ctx->iv, ctx->block, 1, out) != 1) { + error_print(); + return -1; + } + in += left; + inlen -= left; + out += SM4_BLOCK_SIZE; + *outlen += SM4_BLOCK_SIZE; + } + if (inlen > SM4_BLOCK_SIZE) { + nblocks = (inlen-1) / SM4_BLOCK_SIZE; + len = nblocks * SM4_BLOCK_SIZE; + if (sdf_cbc_decrypt_blocks(&ctx->key, ctx->iv, in, nblocks, out) != 1) { + error_print(); + return -1; + } + in += len; + inlen -= len; + out += len; + *outlen += len; + } + memcpy(ctx->block, in, inlen); + ctx->block_nbytes = inlen; + return 1; +} + +int sdf_cbc_decrypt_finish(SDF_CBC_CTX *ctx, uint8_t *out, size_t *outlen) +{ + if (!ctx || !out || !outlen) { + error_print(); + return -1; + } + if (ctx->block_nbytes != SM4_BLOCK_SIZE) { + error_print(); + return -1; + } + if (sdf_cbc_padding_decrypt(&ctx->key, ctx->iv, ctx->block, SM4_BLOCK_SIZE, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key) { void *hSession; @@ -255,6 +695,35 @@ int sdf_export_sign_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key) return 1; } +int sdf_export_encrypt_public_key(SDF_DEVICE *dev, int key_index, SM2_KEY *sm2_key) +{ + void *hSession; + ECCrefPublicKey eccPublicKey; + + if (!dev || !sm2_key) { + error_print(); + return -1; + } + + if (SDF_OpenSession(dev->handle, &hSession) != SDR_OK) { + error_print(); + return -1; + } + if (SDF_ExportEncPublicKey_ECC(hSession, key_index, &eccPublicKey) != SDR_OK) { + (void)SDF_CloseSession(hSession); + error_print(); + return -1; + } + (void)SDF_CloseSession(hSession); + + memset(sm2_key, 0, sizeof(SM2_KEY)); + if (SDF_ECCrefPublicKey_to_SM2_Z256_POINT(&eccPublicKey, &sm2_key->public_key) != SDR_OK) { + error_print(); + return -1; + } + return 1; +} + int sdf_load_sign_key(SDF_DEVICE *dev, SDF_SIGN_KEY *key, int key_index, const char *pass) { void *hSession = NULL; @@ -396,10 +865,14 @@ int sdf_release_key(SDF_SIGN_KEY *key) int sdf_close_device(SDF_DEVICE *dev) { - if (SDF_CloseDevice(dev->handle) != SDR_OK) { - error_print(); - return -1; + if (dev) { + if (dev->handle) { + if (SDF_CloseDevice(dev->handle) != SDR_OK) { + error_print(); + return -1; + } + memset(dev, 0, sizeof(*dev)); + } } - memset(dev, 0, sizeof(SDF_DEVICE)); return 1; } diff --git a/tools/gmssl.c b/tools/gmssl.c index 603d2dc6..60bdeab7 100644 --- a/tools/gmssl.c +++ b/tools/gmssl.c @@ -70,6 +70,7 @@ extern int sdfinfo_main(int argc, char **argv); extern int sdfdigest_main(int argc, char **argv); extern int sdfexport_main(int argc, char **argv); extern int sdfsign_main(int argc, char **argv); +extern int sdfencrypt_main(int argc, char **argv); extern int sdftest_main(int argc, char **argv); #endif #ifdef ENABLE_SKF @@ -133,6 +134,7 @@ static const char *options = " sdfdigest Generate SM3 hash with SDF device\n" " sdfexport Export SM2 signing public key from SDF device\n" " sdfsign Generate SM2 signature with SDF internal private key\n" + " sdfencrypt SM2/SM4-CBC hybrid encryption with SDF device\n" " sdftest Test vendor's SDF library and device\n" #endif #ifdef ENABLE_SKF @@ -291,6 +293,8 @@ int main(int argc, char **argv) return sdfexport_main(argc, argv); } else if (!strcmp(*argv, "sdfsign")) { return sdfsign_main(argc, argv); + } else if (!strcmp(*argv, "sdfencrypt")) { + return sdfencrypt_main(argc, argv); } else if (!strcmp(*argv, "sdftest")) { return sdftest_main(argc, argv); #endif diff --git a/tools/sdfencrypt.c b/tools/sdfencrypt.c new file mode 100755 index 00000000..db867296 --- /dev/null +++ b/tools/sdfencrypt.c @@ -0,0 +1,224 @@ +/* + * Copyright 2014-2024 The GmSSL Project. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the License); you may + * not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +static const char *usage = "-lib so_path (-pubkey pem | -cert pem) [-in file] [-out file]"; + +static const char *options = +"\n" +"Options\n" +"\n" +" -lib so_path Vendor's SDF dynamic library\n" +" -pubkey pem Recepient's public key file in PEM format\n" +" -cert pem Recipient's certificate in PEM format\n" +" -in file | stdin Input data\n" +" -out file | stdout Output data\n" +"\n" +"Examples\n" +"\n" +" $ TEXT=`gmssl rand -outlen 20 -hex`\n" +" $ gmssl sdfexport -encrypt -key 1 -lib libsoftsdf.so -out sm2encpub.pem\n" +" $ echo -n $TEXT | gmssl sdfencrypt -lib libsoftsdf.so -pubkey sm2encpub.pem -out sdf_ciphertext.bin\n" +" $ gmssl sdfdecrypt -lib libsoftsdf.so -key 1 -pass P@ssw0rd -in sdf_ciphertext.bin\n" +"\n"; + +int sdfencrypt_main(int argc, char **argv) +{ + int ret = 1; + char *prog = argv[0]; + char *lib = NULL; + char *pubkeyfile = NULL; + char *certfile = NULL; + char *infile = NULL; + char *outfile = NULL; + FILE *pubkeyfp = NULL; + FILE *certfp = NULL; + FILE *infp = stdin; + FILE *outfp = stdout; + SM2_KEY sm2_pub; + uint8_t cert[1024]; + size_t certlen; + uint8_t iv[16]; + uint8_t buf[4096]; + size_t inlen; + size_t outlen; + SDF_DEVICE dev; + SDF_KEY key; + SDF_CBC_CTX ctx; + + memset(&dev, 0, sizeof(dev)); + memset(&key, 0, sizeof(key)); + memset(&ctx, 0, sizeof(ctx)); + + argc--; + argv++; + + if (argc < 1) { + fprintf(stderr, "usage: gmssl %s %s\n", prog, usage); + return 1; + } + + while (argc > 0) { + if (!strcmp(*argv, "-help")) { + printf("usage: gmssl %s %s\n", prog, usage); + printf("%s\n", options); + ret = 0; + goto end; + goto end; + } else if (!strcmp(*argv, "-lib")) { + if (--argc < 1) goto bad; + lib = *(++argv); + } else if (!strcmp(*argv, "-pubkey")) { + if (certfile) { + fprintf(stderr, "gmssl %s: options '-pubkey' '-cert' conflict\n", prog); + goto end; + } + if (--argc < 1) goto bad; + pubkeyfile = *(++argv); + if (!(pubkeyfp = fopen(pubkeyfile, "rb"))) { + fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, pubkeyfile, strerror(errno)); + goto end; + } + } else if (!strcmp(*argv, "-cert")) { + if (pubkeyfile) { + fprintf(stderr, "gmssl %s: options '-pubkey' '-cert' conflict\n", prog); + goto end; + } + if (--argc < 1) goto bad; + certfile = *(++argv); + if (!(certfp = fopen(certfile, "rb"))) { + fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, certfile, strerror(errno)); + goto end; + } + } else if (!strcmp(*argv, "-in")) { + if (--argc < 1) goto bad; + infile = *(++argv); + if (!(infp = fopen(infile, "rb"))) { + fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, infile, strerror(errno)); + goto end; + } + } else if (!strcmp(*argv, "-out")) { + if (--argc < 1) goto bad; + outfile = *(++argv); + if (!(outfp = fopen(outfile, "wb"))) { + fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, outfile, strerror(errno)); + goto end; + } + } else { + fprintf(stderr, "gmssl %s: illegal option `%s`\n", prog, *argv); + goto end; +bad: + fprintf(stderr, "gmssl %s: `%s` option value missing\n", prog, *argv); + goto end; + } + + argc--; + argv++; + } + + // load library and open device + if (!lib) { + fprintf(stderr, "gmssl %s: '-lib' option required\n", prog); + goto end; + } + if (sdf_load_library(lib, NULL) != 1) { + fprintf(stderr, "gmssl %s: load library failure\n", prog); + goto end; + } + if (sdf_open_device(&dev) != 1) { + fprintf(stderr, "gmssl %s: open device failure\n", prog); + goto end; + } + + // get public key + if (pubkeyfile) { + if (sm2_public_key_info_from_pem(&sm2_pub, pubkeyfp) != 1) { + fprintf(stderr, "gmssl %s: parse public key failed\n", prog); + goto end; + } + } else if (certfile) { + if (x509_cert_from_pem(cert, &certlen, sizeof(cert), certfp) != 1) { + fprintf(stderr, "gmssl %s: parse certificate from PEM failed\n", prog); + goto end; + } + if (x509_cert_get_subject_public_key(cert, certlen, &sm2_pub) != 1) { + fprintf(stderr, "gmssl %s: parse certificate failed\n", prog); + goto end; + } + } else { + fprintf(stderr, "gmssl %s: '-pubkey' or '-cert' option required\n", prog); + goto end; + } + + // generate key and output wrapped key in DER(SM2_CIPHERTEXT) format + if (sdf_generate_key(&dev, &key, &sm2_pub, buf, &outlen) != 1) { + error_print(); + goto end; + } + if (fwrite(buf, 1, outlen, outfp) != outlen) { + fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno)); + goto end; + } + + // output IV + rand_bytes(iv, 16); + if (fwrite(iv, 1, 16, outfp) != 16) { + fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno)); + goto end; + } + + // encrypt and output ciphertext + if (sdf_cbc_encrypt_init(&ctx, &key, iv) != 1) { + error_print(); + goto end; + } + while ((inlen = fread(buf, 1, sizeof(buf), infp)) > 0) { + if (sdf_cbc_encrypt_update(&ctx, buf, inlen, buf, &outlen) != 1) { + error_print(); + goto end; + } + if (fwrite(buf, 1, outlen, outfp) != outlen) { + fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno)); + goto end; + } + } + if (sdf_cbc_encrypt_finish(&ctx, buf, &outlen) != 1) { + error_print(); + goto end; + } + if (fwrite(buf, 1, outlen, outfp) != outlen) { + fprintf(stderr, "gmssl %s: output failure : %s\n", prog, strerror(errno)); + goto end; + } + + ret = 0; + +end: + (void)sdf_destroy_key(&key); + (void)sdf_close_device(&dev); + (void)sdf_unload_library(); + gmssl_secure_clear(iv, sizeof(iv)); + gmssl_secure_clear(&ctx, sizeof(ctx)); + if (infile && infp) fclose(infp); + if (outfile && outfp) fclose(outfp); + return ret; +} diff --git a/tools/sdfexport.c b/tools/sdfexport.c index 4f83d9ea..62d8d1ec 100644 --- a/tools/sdfexport.c +++ b/tools/sdfexport.c @@ -16,19 +16,22 @@ #include -static const char *usage = "-lib so_path -key num [-out file]"; +static const char *usage = "-lib so_path {-sign|-encrypt} -key num [-out file]"; static const char *options = "\n" "Options\n" "\n" " -lib so_path Vendor's SDF dynamic library\n" +" -sign Export signing public key\n" +" -encrypt Export encryption public key\n" " -key num Private key index number\n" " -out file | stdout Output public key in PEM format\n" "\n" "Examples\n" "\n" -" $ gmssl sdfexport -key 1 -out sm2signpub.pem\n" +" $ gmssl sdfexport -sign -key 1 -out sm2signpub.pem\n" +" $ gmssl sdfexport -encrypt -key 1 -out sm2signpub.pem\n" "\n"; @@ -62,6 +65,18 @@ int sdfexport_main(int argc, char **argv) } else if (!strcmp(*argv, "-lib")) { if (--argc < 1) goto bad; lib = *(++argv); + } else if (!strcmp(*argv, "-sign")) { + if (enc_public_key) { + fprintf(stderr, "gmssl %s: '-sign' and '-encrypt' should not used together\n", prog); + goto end; + } + sign_public_key = 1; + } else if (!strcmp(*argv, "-encrypt")) { + if (sign_public_key) { + fprintf(stderr, "gmssl %s: '-sign' and '-encrypt' should not used together\n", prog); + goto end; + } + enc_public_key = 1; } else if (!strcmp(*argv, "-key")) { if (--argc < 1) goto bad; index = atoi(*(++argv)); @@ -92,6 +107,10 @@ int sdfexport_main(int argc, char **argv) fprintf(stderr, "gmssl %s: option '-lib' required\n", prog); goto end; } + if (!sign_public_key && !enc_public_key) { + fprintf(stderr, "gmssl %s: '-sign' or '-encrypt' option required\n", prog); + goto end; + } if (index < 0) { fprintf(stderr, "gmssl %s: '-index' option required\n", prog); goto end; @@ -106,9 +125,16 @@ int sdfexport_main(int argc, char **argv) goto end; } - if (sdf_export_sign_public_key(&dev, index, &sm2_key) != 1) { - fprintf(stderr, "%s: load sign key failed\n", prog); - goto end; + if (sign_public_key) { + if (sdf_export_sign_public_key(&dev, index, &sm2_key) != 1) { + fprintf(stderr, "%s: load sign key failed\n", prog); + goto end; + } + } else { + if (sdf_export_encrypt_public_key(&dev, index, &sm2_key) != 1) { + fprintf(stderr, "%s: load sign key failed\n", prog); + goto end; + } } if (sm2_public_key_info_to_pem(&sm2_key, outfp) != 1) { fprintf(stderr, "gmssl %s: output public key to PEM failed\n", prog);