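1. About SM2
SM2 is an asymmetric algorithm; among the international algorithms its counterpart is RSA.
The curve parameters recommended for SM2 are as follows:
Before verifying the issuer public key certificate, the IC card public key certificate, the signed static application data and the signed dynamic data on a PBOC card, first look at how the PBOC specification defines digital signature verification, shown in the figure below:
(Figure taken from PBOC Part 17)
Here a, b, xG, yG are the a, b, Gx, Gy of the recommended SM2 curve parameters, while xA and yA are the left half and the right half of the public key. ENTLA, IDA, a, b, xG and yG are therefore fixed values, and only xA and yA change with the public key.
2. Debit/credit transaction flow: preparation
Following the debit/credit transaction flow, first send the GPO command to obtain the AFL, then read the relevant records.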
PDOL=9F66049F02069F03069F1A0295055F2A029A039C019F3704DF6001DF6901
[GPO]
SendAPDU=80A800002583235600000000000001000000000000000001560000000000015615121160010203040001
ReValue=80167C000801020010080A01100707001801010018040600
AFL=0801020010080A01100707001801010018040600
0101=70155713623061571010011182D221122070956101322F
0102=704C9F6128202000000000000000000000000000000000000000000000000000000000000000000000000000009F6201005F201A0000000000000000000000000000000000000000000000000000
0208=7081875F24032211015F25031507245A096230615710100111829F0702FF008E0E000000000000000042031E031F009F0D05D8609CA8009F0E0500100000009F0F05D8689CF8005F280201569F080200308C1B9F02069F03069F1A0295055F2A029A039C019F37049F21039F4E148D1A8A029F02069F03069F1A0295055F2A029A039C019F37049F2103
0209=704993431362307154E77EB80F6F446B2D2B232DA33879940012B4AE59B6B01B7974549443F2A1631BE870B1D17E36DB4B0102BAECA504863E2EDCF96251BFA2EB8370F710A41D9F4A0182
020A=70819C9F46819414623061571010011182FF12300001FC04001140E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815CF4C2638164896895A5B8A662939A920FEAEFEB0A96D2337A3507F5311293C7E683A83DC15D89ED99C0250D7927A8DBD54265A24FB4DDC4A4B28CE5B8C59DE6EF9F470103
0207=70045F340101
0301=70105F300202209F420201569F49039F3704
0304=70089F1401009F230100
0305=70819190818E12623061FF1230000451040011409B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345114EC47C751CC851B36647E9940D9EF725FA0DDC875B3FC466918E5E498162FF981654AC77431C488CD96F129B3412452656A945B78A1C9D5A880EB9278DFE3D
0306=701A8F01189F3201039F631030343233333331300000000000000000
Tag8F=18
PK_CA=37710FEB7CC3617767874E85509C268E8F931D68773E93A89F39A4247DFE2D280FC5BC838353885B6DAD447C8F90116BD9D314047591989F67F319544D42A48B
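Notes:
PK_CA = CA public key
PK_Issuer = issuer public key
PK_IC = IC card public key
3. Verifying the issuer public key certificate (Tag90)
The issuer public key certificate has the following format:
(Figure taken from PBOC Part 17)
Following the format in “Table 4”, the issuer public key and the digital signature r||s can be extracted from the issuer public key certificate.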
Tag90=12623061FF1230000451040011409B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345114EC47C751CC851B36647E9940D9EF725FA0DDC875B3FC466918E5E498162FF981654AC77431C488CD96F129B3412452656A945B78A1C9D5A880EB9278DFE3D
PK_Issuer=9B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345
r||s=114EC47C751CC851B36647E9940D9EF725FA0DDC875B3FC466918E5E498162FF981654AC77431C488CD96F129B3412452656A945B78A1C9D5A880EB9278DFE3D
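(Figure taken from PBOC Part 17)
According to “Table 1”, the signature in the issuer public key certificate is produced with the CA private key, so it has to be verified with the CA public key.
Now compute the hash with the formula h = SM3 [ZA||MSG], following the signature verification process: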
ZA = SM3 [ENTLA+IDA+a+b+xG+yG+xCA+yCA];
ENTLA=0080
IDA=31323334353637383132333435363738
a=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b=28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
xG=32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
yG=BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
xCA=37710FEB7CC3617767874E85509C268E8F931D68773E93A89F39A4247DFE2D28
yCA=0FC5BC838353885B6DAD447C8F90116BD9D314047591989F67F319544D42A48B
ZA=SM3[ENTLA+IDA+a+b+xG+yG+xCA+yCA]
=SM3[008031323334353637383132333435363738FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E9332C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A037710FEB7CC3617767874E85509C268E8F931D68773E93A89F39A4247DFE2D280FC5BC838353885B6DAD447C8F90116BD9D314047591989F67F319544D42A48B]
=320A0ADACC0A5FBC783FEBE18DA52138B82FB66ECA74ED5A556F53600390B5D7
From “Table 1” we obtain the data to be signed, that is, MSG.
MSG=12623061FF1230000451040011409B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345
h = SM3 [ZA||MSG];
h=7E4EA4C8CE6CC2AC98C32CB55F1AEF8ECC6797C0FE3336D59D33E6CAAEBC39DC
S= r || s
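Now that PK_CA, h and S are all known, the function Verify (PK_CA) [ h,S ] can be used to check whether the signature is correct.
(Result: signature verification succeeded)
4. Verifying the signed static application data (Tag93)
The signed static application data (Tag93) has the following format:
The value of Tag93 is obtained from the records read in step 2 above.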
Tag93=1362307154E77EB80F6F446B2D2B232DA33879940012B4AE59B6B01B7974549443F2A1631BE870B1D17E36DB4B0102BAECA504863E2EDCF96251BFA2EB8370F710A41D
Following the format in “Table 5”, extract the digital signature r||s.
r||s=7154E77EB80F6F446B2D2B232DA33879940012B4AE59B6B01B7974549443F2A1631BE870B1D17E36DB4B0102BAECA504863E2EDCF96251BFA2EB8370F710A41D
The issuer public key comes from step 3 above.
PK_Issuer=9B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345
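According to “Table 2”, the static application data is signed with the issuer private key, so the signature has to be verified with the issuer public key.
Now compute the hash with the formula h = SM3 [ZA||MSG], following the signature verification process: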
ZA = SM3 [ENTLA+IDA+a+b+xG+yG+xPK_Issuer+yPK_Issuer];
ENTLA=0080
IDA=31323334353637383132333435363738
a=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b=28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
xG=32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
yG=BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
xPK_Issuer=9B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF
yPK_Issuer=8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345
ZA=SM3 [ENTLA+IDA+a+b+xG+yG+xPK_Issuer+yPK_Issuer]
=SM3[008031323334353637383132333435363738FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E9332C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A09B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345]
=7A96CBFCAEF87D8CDF4C5CC58A2F394154028B9067B563034D14A4DF7A67A6D8
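The “static data to be authenticated” in “Table 2” consists of the content of record 0208 (without Tag70 and Len) and the AIP.
From “Table 2” we obtain the data to be signed, that is, MSG.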
MSG= 1362305F24032211015F25031507245A096230615710100111829F0702FF008E0E000000000000000042031E031F009F0D05D8609CA8009F0E0500100000009F0F05D8689CF8005F280201569F080200308C1B9F02069F03069F1A0295055F2A029A039C019F37049F21039F4E148D1A8A029F02069F03069F1A0295055F2A029A039C019F37049F21037C00
h = SM3 [ZA||MSG];
h= AFB08413485539F74EE7D6C9F5D3199C86185F6579DECA94B65A389FFDF39B10
S= r || s
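Now that PK_Issuer, h and S are all known, the function Verify ( PK_Issuer ) [ h, S ] can be used to check whether the signature is correct.
(Result: signature verification succeeded)
5. Verifying the IC card public key certificate (Tag9F46)
The IC card public key certificate has the following format:
The value of the IC card public key certificate, Tag9F46, is obtained from the records read in step 2 above.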
Tag9F46=14623061571010011182FF12300001FC04001140E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815CF4C2638164896895A5B8A662939A920FEAEFEB0A96D2337A3507F5311293C7E683A83DC15D89ED99C0250D7927A8DBD54265A24FB4DDC4A4B28CE5B8C59DE6EF
Following the format in “Table 8”, the IC card public key PK_IC and the digital signature r||s can be extracted.
PK_IC=E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815C
r||s=F4C2638164896895A5B8A662939A920FEAEFEB0A96D2337A3507F5311293C7E683A83DC15D89ED99C0250D7927A8DBD54265A24FB4DDC4A4B28CE5B8C59DE6EF
The issuer public key comes from step 3 above.
PK_Issuer=9B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345
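According to “Table 6”, the IC card public key is signed with the issuer private key, so the signature has to be verified with the issuer public key.
Now compute the hash with the formula h = SM3 [ZA||MSG], following the signature verification process: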
ZA = SM3 [ENTLA+IDA+a+b+xG+yG+xPK_Issuer+yPK_Issuer];
ENTLA=0080
IDA=31323334353637383132333435363738
a=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b=28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
xG=32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
yG=BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
xPK_Issuer=9B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF
yPK_Issuer=8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345
ZA=SM3[ENTLA+IDA+a+b+xG+yG+xPK_Issuer+yPK_Issuer]
=SM3[008031323334353637383132333435363738FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E9332C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A09B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345]
=7A96CBFCAEF87D8CDF4C5CC58A2F394154028B9067B563034D14A4DF7A67A6D8
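The “static data participating in offline data authentication” in “Table 6” consists of the content of record 0208 (without Tag70 and Len) and the AIP.
From “Table 2” we obtain the data to be signed, that is, MSG.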
MSG= 14623061571010011182FF12300001FC04001140E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815C5F24032211015F25031507245A096230615710100111829F0702FF008E0E000000000000000042031E031F009F0D05D8609CA8009F0E0500100000009F0F05D8689CF8005F280201569F080200308C1B9F02069F03069F1A0295055F2A029A039C019F37049F21039F4E148D1A8A029F02069F03069F1A0295055F2A029A039C019F37049F21037C00
h = SM3 [ZA||MSG];
h= 7FC10B13983FBB801209EB41B62CA38A214313D2C307330A03A16A4F0EBC4A2E
S= r || s
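Now that PK_Issuer, h and S are all known, the function Verify( PK_Issuer )[h,S] can be used to check whether the signature is correct.
(Result: signature verification succeeded)
6. Verifying the signed dynamic application data, Tag9F4B (debit/credit transaction flow)
In a standard debit/credit transaction, 9F4B is produced by the internal authentication command (INTERNAL AUTHENTICATE).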
SendAPDU=008800000401020304
ReValue=80451503020068F72C221E2938BE6FD0317BD98C66C2C99713792EDEE66CA25FF97FC905F0F8C608D951777A060C9A498A207BA3B3F611CEAF1E48A6F809C6EC417EAB17851107
From the returned data, the content of 9F4B is as follows:
9F4B=1503020068F72C221E2938BE6FD0317BD98C66C2C99713792EDEE66CA25FF97FC905F0F8C608D951777A060C9A498A207BA3B3F611CEAF1E48A6F809C6EC417EAB17851107
The signed dynamic application data 9F4B has the following format:
Following the format in “Table 11”, extract the digital signature r||s.
r||s=F72C221E2938BE6FD0317BD98C66C2C99713792EDEE66CA25FF97FC905F0F8C608D951777A060C9A498A207BA3B3F611CEAF1E48A6F809C6EC417EAB17851107
The IC card public key comes from step 5 above.
PK_IC=E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815C
Now compute the hash with the formula h = SM3 [ZA||MSG], following the signature verification process:
ZA = SM3 [ENTLA+IDA+a+b+xG+yG+xIC+yIC];
ENTLA=0080
IDA=31323334353637383132333435363738
a=FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b=28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
xG=32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
yG=BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
xIC= E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD
yIC= 5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815C
ZA=SM3 [ENTLA+IDA+a+b+xG+yG+xIC+yIC]
=SM3[008031323334353637383132333435363738FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E9332C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0E841B537350C40A54F0DA3A108D1168FCFB9C3AE354D29F6323D50F067F1CCCD5316F8F8E0D777B8AEAFAE8D4098DBF59B640362F659B83DA82D3D7EE0ED815C]
=52957BB5894D5AC693F35CBC91D59D12D29041AEFAC408954E303FB77CC3544F
From “Table 9” we obtain the data to be signed, that is, MSG.
MSG=150302006801020304
h = SM3 [ZA||MSG];
h= 133652D963731ABB5513E527B266287F129A0CA89E5D3D23602EE060AF4AA149
S= r || s
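Now that PK_IC, h and S are all known, the function Verify( PK_IC )[h,S] can be used to check whether the signature is correct.
(Result: signature verification succeeded)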
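The hash preprocessing walked through in sections 3 to 6, as an added example that is not code from the original page: a pure-Python SM3 together with the ZA and h = SM3 [ZA||MSG] computation, applied to the Tag90 value above. The function names and the Tag90 field offsets (14-byte header, 64-byte key, 64-byte signature) are assumptions inferred from the sample bytes; the curve check Verify(PK)[h, S] itself is left to an SM2 library.

```python
import struct

M32 = 0xFFFFFFFF

def rol(x, n):
    return ((x << n % 32) | (x >> (32 - n % 32))) & M32

def sm3(msg: bytes) -> bytes:
    """Pure-Python SM3 hash, written for this example."""
    v = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
         0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
    msg += b"\x80" + bytes((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    for i in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[i:i + 64]))
        for j in range(16, 68):  # message expansion
            x = w[j - 16] ^ w[j - 9] ^ rol(w[j - 3], 15)
            w.append(x ^ rol(x, 15) ^ rol(x, 23) ^ rol(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):  # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = rol((rol(a, 12) + e + rol(t, j)) & M32, 7)
            ss2 = ss1 ^ rol(a, 12)
            ff = a ^ b ^ c if j < 16 else (a & b) | (a & c) | (b & c)
            gg = e ^ f ^ g if j < 16 else (e & f) | (~e & g)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & M32
            tt2 = (gg + h + ss1 + w[j]) & M32
            d, c, b, a = c, rol(b, 9), a, tt1
            h, g, f, e = g, rol(f, 19), e, tt2 ^ rol(tt2, 9) ^ rol(tt2, 17)
        v = [p ^ q for p, q in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)

# Fixed part of the ZA input, a || b || xG || yG, as listed on this page
CURVE = bytes.fromhex(
    "FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93"
    "32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0")
# Tag90 and PK_CA copied from this page
TAG90 = bytes.fromhex("12623061FF1230000451040011409B7EE1D2AE302EEEED9B97544A73BEF87A4D0A7B24749A4F065F7FBC5E3A16EF8CA7676DFC7C45D8FFAAC38D13340C70B0FEECEDA7AC8E896DE1A7D1A479B345114EC47C751CC851B36647E9940D9EF725FA0DDC875B3FC466918E5E498162FF981654AC77431C488CD96F129B3412452656A945B78A1C9D5A880EB9278DFE3D")
PK_CA = bytes.fromhex("37710FEB7CC3617767874E85509C268E8F931D68773E93A89F39A4247DFE2D280FC5BC838353885B6DAD447C8F90116BD9D314047591989F67F319544D42A48B")

def parse_tag90(cert: bytes):
    """Split the certificate into (MSG, PK_Issuer, r||s); offsets are assumed from the sample."""
    if len(cert) != 142 or cert[0] != 0x12 or cert[13] != 0x40:
        raise ValueError("not a 142-byte SM2 issuer public key certificate")
    return cert[:78], cert[14:78], cert[78:]

def sm2_digest(signer_pk: bytes, msg: bytes, ida: bytes = b"1234567812345678"):
    """Return (ZA, h): ZA = SM3[ENTLA+IDA+a+b+xG+yG+xA+yA], h = SM3[ZA||MSG]."""
    za = sm3(struct.pack(">H", 8 * len(ida)) + ida + CURVE + signer_pk)
    return za, sm3(za + msg)
```

`sm2_digest(PK_CA, parse_tag90(TAG90)[0])` returns the pair (ZA, h) to compare with the values in section 3; passing PK_Issuer or PK_IC with the corresponding MSG covers sections 4 to 6.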