refactor(crypto): simplify SM2 to blockchain-adapted hash-signing model

Author: Federico2014

crypto/src/main/java/org/tron/common/crypto/sm2/SM2.java

@@ -45,7 +45,16 @@
 import org.tron.common.utils.ByteUtil;
 
 /**
- * Implement Chinese Commercial Cryptographic Standard of SM2
+ * Blockchain-adapted SM2 signature implementation (GB/T 32918 / GM/T 0003).
+ *
+ * <p><b>Non-standard usage:</b> The SM2 standard computes signatures over
+ * {@code e = SM3(Z_A || M)}, where {@code Z_A} binds the signer's identity and public key to the
+ * message. This implementation omits the {@code Z_A} step and signs the 32-byte transaction hash
+ * directly, consistent with how ECDSA is used on TRON. This keeps both cryptographic engines
+ * interchangeable at the {@link org.tron.common.crypto.SignInterface} level.
+ *
+ * <p><b>Note:</b> Signatures produced here are not interoperable with standard SM2
+ * implementations that apply the {@code Z_A} pre-hash.
  */
 @Slf4j(topic = "crypto")
 public class SM2 implements Serializable, SignInterface {
@@ -385,11 +394,6 @@ public static byte[] signatureToKeyBytes(byte[] messageHash,
     return key;
   }
 
-  public byte[] hash(byte[] message) {
-    SM2Signer signer = this.getSM2SignerForHash();
-    return signer.generateSM3Hash(message);
-  }
-
   @Override
   public byte[] getPrivateKey() {
     return getPrivKeyBytes();
@@ -507,40 +511,6 @@ public byte[] Base64toBytes(String signature) {
     return ByteUtil.appendByte(temp, first);
   }
 
-  /**
-   * Takes the message of data and returns the SM2 signature
-   *
-   * @param message -
-   * @return -
-   * @throws IllegalStateException if this ECKey does not have the private part.
-   */
-  public SM2Signature signMessage(byte[] message, @Nullable String userID) {
-    SM2Signature sig = signMsg(message, userID);
-
-    SM2Signer signer = getSigner();
-    byte[] messageHash = signer.generateSM3Hash(message);
-    sig.v = (byte) (findRecId(sig, messageHash) + 27);
-    return sig;
-  }
-
-  /**
-   * Signs the given hash and returns the R and S components as BigIntegers and
-   * putData them in SM2Signature
-   *
-   * @param msg to sign
-   * @return SM2Signature signature that contains the R and S components
-   */
-  public SM2Signature signMsg(byte[] msg, @Nullable String userID) {
-    if (msg == null) {
-      throw new IllegalArgumentException("Expected signature message of " +
-          "SM2 is null");
-    }
-    // No decryption of private key required.
-    SM2Signer signer = getSigner();
-    BigInteger[] componets = signer.generateSignature(msg);
-    return new SM2Signature(componets[0], componets[1]);
-  }
-
   private int findRecId(SM2Signature sig, byte[] messageHash) {
     byte[] thisKey = this.pub.getEncoded(/* compressed */ false);
     for (int i = 0; i < 4; i++) {
@@ -557,17 +527,18 @@ private SM2Signer getSigner() {
     SM2Signer signer = new SM2Signer();
     BigInteger d = getPrivKey();
     ECPrivateKeyParameters privateKeyParameters = new ECPrivateKeyParameters(d, eccParam);
-    signer.init(true, privateKeyParameters);
+    signer.init(privateKeyParameters);
     return signer;
   }
 
   /**
-   * used to generate the SM3 hash for SM2 signature generation or verification
+   * Returns an {@link SM2Signer} initialized with this key's public key, ready to call
+   * {@link SM2Signer#verifyHashSignature}.
    */
-  public SM2Signer getSM2SignerForHash() {
+  public SM2Signer getVerifier() {
     SM2Signer signer = new SM2Signer();
     ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(pub, eccParam);
-    signer.init(false, publicKeyParameters);
+    signer.init(publicKeyParameters);
     return signer;
   }
 
@@ -686,7 +657,7 @@ public static boolean verify(byte[] data, SM2Signature signature,
     SM2Signer signer = new SM2Signer();
     ECPublicKeyParameters params = new ECPublicKeyParameters(eccParam
         .getCurve().decodePoint(pub), eccParam);
-    signer.init(false, params);
+    signer.init(params);
     try {
       return signer.verifyHashSignature(data, signature.r, signature.s);
     } catch (NullPointerException npe) {

crypto/src/main/java/org/tron/common/crypto/sm2/SM2Signer.java

@@ -1,92 +1,42 @@
 package org.tron.common.crypto.sm2;
 
 import java.math.BigInteger;
-import javax.annotation.Nullable;
 import org.bouncycastle.crypto.CipherParameters;
-import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.digests.SM3Digest;
 import org.bouncycastle.crypto.params.ECDomainParameters;
 import org.bouncycastle.crypto.params.ECKeyParameters;
 import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
 import org.bouncycastle.crypto.params.ECPublicKeyParameters;
-import org.bouncycastle.crypto.params.ParametersWithID;
 import org.bouncycastle.crypto.signers.DSAKCalculator;
 import org.bouncycastle.crypto.signers.HMacDSAKCalculator;
 import org.bouncycastle.math.ec.ECConstants;
-import org.bouncycastle.math.ec.ECFieldElement;
 import org.bouncycastle.math.ec.ECMultiplier;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.math.ec.FixedPointCombMultiplier;
-import org.bouncycastle.util.BigIntegers;
 import org.tron.common.utils.ByteArray;
 
+/**
+ * Low-level SM2 signer used by {@link org.tron.common.crypto.sm2.SM2}.
+ *
+ * <p>Exposes two operations: {@link #generateHashSignature} (sign a pre-computed 32-byte hash)
+ * and {@link #verifyHashSignature} (verify against a pre-computed hash). The standard SM2
+ * {@code Z_A} pre-hash step is intentionally absent; see {@link org.tron.common.crypto.sm2.SM2}
+ * for the rationale.
+ */
 public class SM2Signer
     implements ECConstants {
 
   private final DSAKCalculator kCalculator = new HMacDSAKCalculator(new SM3Digest());
 
-  private byte[] userID;
-
-  private int curveLength;
   private ECDomainParameters ecParams;
-  private ECPoint pubPoint;
   private ECKeyParameters ecKey;
 
-  public void init(boolean forSigning, CipherParameters param) {
+  public void init(CipherParameters param) {
     if (param == null) {
       throw new IllegalArgumentException("CipherParameters cannot be null");
     }
-    CipherParameters baseParam;
-
-    if (param instanceof ParametersWithID) {
-      baseParam = ((ParametersWithID) param).getParameters();
-      userID = ((ParametersWithID) param).getID();
-    } else {
-      baseParam = param;
-      userID = new byte[0];
-    }
-
-    ecKey = (ECKeyParameters) baseParam;
+    ecKey = (ECKeyParameters) param;
     ecParams = ecKey.getParameters();
-
-    if (forSigning) {
-      pubPoint = ecParams.getG().multiply(((ECPrivateKeyParameters) ecKey).getD()).normalize();
-    } else {
-      pubPoint = ((ECPublicKeyParameters) ecKey).getQ();
-    }
-
-    curveLength = (ecParams.getCurve().getFieldSize() + 7) / 8;
-  }
-
-
-  /**
-   * generate the signature for the message
-   *
-   * @param message plaintext
-   */
-  public BigInteger[] generateSignature(byte[] message) {
-    byte[] eHash = generateSM3Hash(message);
-    return generateHashSignature(eHash);
-  }
-
-  /**
-   * generate the signature for the message
-   */
-
-  public byte[] generateSM3Hash(byte[] message) {
-    if (message == null) {
-      throw new IllegalArgumentException("Message cannot be null");
-    }
-    SM3Digest digest = new SM3Digest();
-    byte[] z = getZ(digest);
-
-    digest.update(z, 0, z.length);
-    digest.update(message, 0, message.length);
-
-    byte[] eHash = new byte[digest.getDigestSize()];
-
-    digest.doFinal(eHash, 0);
-    return eHash;
   }
 
   /**
@@ -136,51 +86,6 @@ public BigInteger[] generateHashSignature(byte[] hash) {
     return new BigInteger[]{r, s};
   }
 
-  /**
-   * verify the message signature
-   */
-  public boolean verifySignature(byte[] message, BigInteger r, BigInteger s,
-      @Nullable String userID) {
-    if (message == null || r == null || s == null) {
-      throw new IllegalArgumentException("Message, R, or S cannot be null");
-    }
-    BigInteger n = ecParams.getN();
-
-    // 5.3.1 Draft RFC:  SM2 Public Key Algorithms
-    // B1
-    if (r.compareTo(ONE) < 0 || r.compareTo(n) >= 0) {
-      return false;
-    }
-
-    // B2
-    if (s.compareTo(ONE) < 0 || s.compareTo(n) >= 0) {
-      return false;
-    }
-
-    ECPoint q = ((ECPublicKeyParameters) ecKey).getQ();
-
-    if (userID != null) {
-      this.userID = userID.getBytes();
-    }
-    byte[] eHash = generateSM3Hash(message);
-
-    // B4
-    BigInteger e = calculateE(eHash);
-
-    // B5
-    BigInteger t = r.add(s).mod(n);
-    if (t.equals(ZERO)) {
-      return false;
-    } else {
-      // B6
-      ECPoint x1y1 = ecParams.getG().multiply(s);
-      x1y1 = x1y1.add(q.multiply(t)).normalize();
-
-      // B7
-      return r.equals(e.add(x1y1.getAffineXCoord().toBigInteger()).mod(n));
-    }
-  }
-
   /**
    * verify the hash signature
    */
@@ -224,36 +129,6 @@ public boolean verifyHashSignature(byte[] hash, BigInteger r, BigInteger s) {
     }
   }
 
-  private byte[] getZ(Digest digest) {
-
-    //addUserID(digest, userID);
-
-    addFieldElement(digest, ecParams.getCurve().getA());
-    addFieldElement(digest, ecParams.getCurve().getB());
-    addFieldElement(digest, ecParams.getG().getAffineXCoord());
-    addFieldElement(digest, ecParams.getG().getAffineYCoord());
-    addFieldElement(digest, pubPoint.getAffineXCoord());
-    addFieldElement(digest, pubPoint.getAffineYCoord());
-
-    byte[] rv = new byte[digest.getDigestSize()];
-
-    digest.doFinal(rv, 0);
-
-    return rv;
-  }
-
-  private void addUserID(Digest digest, byte[] userID) {
-    int len = userID.length * 8;
-    digest.update((byte) (len >> 8 & 0xFF));
-    digest.update((byte) (len & 0xFF));
-    digest.update(userID, 0, userID.length);
-  }
-
-  private void addFieldElement(Digest digest, ECFieldElement v) {
-    byte[] p = BigIntegers.asUnsignedByteArray(curveLength, v.toBigInteger());
-    digest.update(p, 0, p.length);
-  }
-
   protected ECMultiplier createBasePointMultiplier() {
     return new FixedPointCombMultiplier();
   }

framework/src/test/java/org/tron/common/crypto/SM2KeyTest.java

@@ -22,6 +22,7 @@
 import org.junit.Test;
 import org.tron.common.crypto.sm2.SM2;
 import org.tron.common.crypto.sm2.SM2Signer;
+import org.tron.common.utils.Sha256Hash;
 import org.tron.core.Wallet;
 
 /**
@@ -117,17 +118,6 @@ public void testInvalidSignatureLength() throws SignatureException {
     fail("Expecting a SignatureException for invalid signature length");
   }
 
-  @Test
-  public void testSM3Hash() {
-    SM2 key = SM2.fromPublicOnly(pubKey);
-    SM2Signer signer = key.getSM2SignerForHash();
-    String message = "message digest";
-    byte[] hash = signer.generateSM3Hash(message.getBytes());
-    assertEquals("2A723761EAE35429DF643648FD69FB7787E7FC32F321BFAF7E294390F529BAF4",
-        Hex.toHexString(hash).toUpperCase());
-  }
-
-
   @Test
   public void testSignatureToKeyBytes() throws SignatureException {
     SM2 key = SM2.fromPrivate(privateKey);
@@ -329,12 +319,12 @@ public void testDifferentMessagesSignatures() {
   public void testSignatureVerification() {
     SM2 key = SM2.fromPrivate(privateKey);
     String message = "Hello, SM2 deterministic signature test!";
-    byte[] hash = key.getSM2SignerForHash().generateSM3Hash(message.getBytes());
+    byte[] hash = Sha256Hash.hash(false, message.getBytes());
 
     SM2.SM2Signature signature = key.sign(hash);
 
     // Verify the signature
-    SM2Signer verifier = key.getSM2SignerForHash();
+    SM2Signer verifier = key.getVerifier();
     boolean isValid = verifier.verifyHashSignature(hash, signature.r, signature.s);
 
     assertTrue("Signature should be valid", isValid);

framework/src/test/java/org/tron/common/utils/PublicMethod.java

@@ -80,12 +80,6 @@ public static byte[] getSM2PublicKeyFromPrivate(String privateKey) {
     return SM2.publicKeyFromPrivate(tmpKey, true);
   }
 
-  public static byte[] getSM2HashByPubKey(byte[] pubKey, String message) {
-    SM2 key = SM2.fromPublicOnly(pubKey);
-    SM2Signer signer = key.getSM2SignerForHash();
-    return signer.generateSM3Hash(message.getBytes());
-  }
-
   /** constructor. */
   public static SmartContractOuterClass.SmartContract.ABI jsonStr2Abi(String jsonStr) {
     if (jsonStr == null) {