sm9: code review

README.md

@@ -35,7 +35,7 @@ Go语言商用密码软件，简称**GMSM**，一个安全、高性能、易于
 - **ZUC** - 祖冲之序列密码算法实现。使用SIMD、AES指令以及无进位乘法指令，分别对**amd64**、**arm64**和**ppc64x**架构做了优化实现, 您也可以参考[ZUC实现及优化](https://github.com/emmansun/gmsm/wiki/Efficient-Software-Implementations-of-ZUC)和相关代码，以获得更多实现细节。ZUC包实现了基于祖冲之序列密码算法的机密性算法、128/256位完整性算法。
 
 - **CBCMAC** - 符合《GB/T 15852.1-2020 采用分组密码的机制》的消息鉴别码。 
-- **CFCA** - CFCA（中金）特定实现，目前实现的是SM2私钥、证书封装处理，对应SADK中的**PKCS12_SM2**。
+- **CFCA** - CFCA（中金）特定实现，目前实现的是SM2私钥、证书封装处理，对应SADK中的**PKCS12_SM2**；信封加密、签名；CSR生成及返回私钥解密、解析等功能。
 
 - **CIPHER** - ECB/CCM/XTS/HCTR/BC/OFBNLF加密模式实现。XTS模式同时支持NIST规范和国标 **GB/T 17964-2021**。当前的XTS模式由于实现了BlockMode，其结构包含一个tweak数组，所以其**不支持并发使用**。**分组链接（BC）模式**和**带非线性函数的输出反馈（OFBNLF）模式**为分组密码算法的工作模式标准**GB/T 17964**的遗留模式，**带泛杂凑函数的计数器（HCTR）模式**是**GB/T 17964-2021**中的新增模式。分组链接（BC）模式和CBC模式类似；而带非线性函数的输出反馈（OFBNLF）模式的话，从软件实现的角度来看，基本没有性能优化的空间。
 

sm9/sm9.go

@@ -162,8 +162,7 @@ func SignASN1(rand io.Reader, priv *SignPrivateKey, hash []byte) ([]byte, error)
 		}
 
 		var buffer []byte
-		buffer = append(buffer, hash...)
+		buffer = append(append(buffer, hash...), w.Marshal()...)
-		buffer = append(buffer, w.Marshal()...)
 
 		hNat = hashH2(buffer)
 		r.Sub(hNat, orderNat)
@@ -266,8 +265,7 @@ func VerifyASN1(pub *SignMasterPublicKey, uid []byte, hid byte, hash, sig []byte
 	w := new(bn256.GT).Add(u, t)
 
 	var buffer []byte
-	buffer = append(buffer, hash...)
+	buffer = append(append(buffer, hash...), w.Marshal()...)
-	buffer = append(buffer, w.Marshal()...)
 	h2 := hashH2(buffer)
 
 	return h2.Equal(hNat) == 1

sm9/sm9_key.go

@@ -95,7 +95,7 @@ func (master *SignMasterPrivateKey) UnmarshalASN1(der []byte) error {
 			!inner.ReadASN1Integer(d) {
 			return errors.New("sm9: invalid sign master private key asn1 data")
 		}
-		// Just parse it, did't validate it
+		// Just parse it, didn't validate it
 		if !inner.Empty() && (!inner.ReadASN1BitStringAsBytes(&pubBytes) || !inner.Empty()) {
 			return errors.New("sm9: invalid sign master public key asn1 data")
 		}
@@ -115,8 +115,7 @@ func (master *SignMasterPrivateKey) UnmarshalASN1(der []byte) error {
 // GenerateUserKey generate an user dsa key.
 func (master *SignMasterPrivateKey) GenerateUserKey(uid []byte, hid byte) (*SignPrivateKey, error) {
 	var id []byte
-	id = append(id, uid...)
+	id = append(append(id, uid...), hid)
-	id = append(id, hid)
 
 	t1Nat := hashH1(id)
 
@@ -174,8 +173,7 @@ func (pub *SignMasterPublicKey) ScalarBaseMult(scalar []byte) (*bn256.GT, error)
 // GenerateUserPublicKey generate user sign public key
 func (pub *SignMasterPublicKey) GenerateUserPublicKey(uid []byte, hid byte) *bn256.G2 {
 	var buffer []byte
-	buffer = append(buffer, uid...)
+	buffer = append(append(buffer, uid...), hid)
-	buffer = append(buffer, hid)
 	h1 := hashH1(buffer)
 	p, err := new(bn256.G2).ScalarBaseMult(h1.Bytes(orderNat))
 	if err != nil {
@@ -371,8 +369,7 @@ func GenerateEncryptMasterKey(rand io.Reader) (*EncryptMasterPrivateKey, error)
 // GenerateUserKey generate an user key for encryption.
 func (master *EncryptMasterPrivateKey) GenerateUserKey(uid []byte, hid byte) (*EncryptPrivateKey, error) {
 	var id []byte
-	id = append(id, uid...)
+	id = append(append(id, uid...), hid)
-	id = append(id, hid)
 
 	t1Nat := hashH1(id)
 
@@ -467,8 +464,7 @@ func (pub *EncryptMasterPublicKey) ScalarBaseMult(scalar []byte) (*bn256.GT, err
 // GenerateUserPublicKey generate user encrypt public key
 func (pub *EncryptMasterPublicKey) GenerateUserPublicKey(uid []byte, hid byte) *bn256.G1 {
 	var buffer []byte
-	buffer = append(buffer, uid...)
+	buffer = append(append(buffer, uid...), hid)
-	buffer = append(buffer, hid)
 	h1 := hashH1(buffer)
 	p, err := new(bn256.G1).ScalarBaseMult(h1.Bytes(orderNat))
 	if err != nil {