sm-crypto-v2 1.2.2 → 1.4.0

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.4.0](https://github.com/Cubelrti/sm-crypto-v2/compare/v1.3.0...v1.4.0) (2023-06-09)
+
+
+### Features
+
+* **sm2:** add experimental key agreement ([cdd00b4](https://github.com/Cubelrti/sm-crypto-v2/commit/cdd00b4e42bb5072e1dcb6e0301b6a2f18f53614))
+
+## [1.3.0](https://github.com/Cubelrti/sm-crypto-v2/compare/v1.2.2...v1.3.0) (2023-06-07)
+
+
+### Features
+
+* **sm2:** add benchmark and optimize rng pooling ([b162377](https://github.com/Cubelrti/sm-crypto-v2/commit/b1623774cc4374deea61499f13790c5e8b17041a))
+
 ### [1.2.2](https://github.com/Cubelrti/sm-crypto-v2/compare/v1.2.1...v1.2.2) (2023-06-07)
 
 

package/README.md

@@ -1,19 +1,19 @@
 # sm-crypto-v2
 
-[![npm version](https://badge.fury.io/js/sm-crypto-v2.svg)](https://badge.fury.io/js/sm-crypto-v2)
+[![npm version](https://badge.fury.io/js/sm-crypto-v2.svg)](https://www.npmjs.com/package/sm-crypto-v2)
 [![status](https://img.shields.io/github/actions/workflow/status/cubelrti/sm-crypto-v2/test.yml?branch=master)](https://github.com/cubelrti/sm-crypto-v2/actions)
 [![cov](https://cubelrti.github.io/sm-crypto-v2/badges/coverage.svg)](https://github.com/cubelrti/sm-crypto-v2/actions)
 
-
 国密算法 sm2、sm3 和 sm4 的 TypeScript 实现。参数支持 TypedArray，导出 esm/cjs。
 
 ## 特性
 
-- SM2 底层改用 `noble-curves`，性能提升接近4倍，[noble-curves 文档](https://github.com/paulmillr/noble-curves)
-- 完整的类型支持
-- 移除原有 `jsbn` 依赖，改用原生 BigInt 支持
-- 通过所有之前的单元测试，包括 SM2、SM3 和 SM4
-- 自动使用最优的安全随机数实现，不使用 `random` 和 `Date.now` 模拟
+- ⚡ 基于 [`noble-curves` Abstract API](https://github.com/paulmillr/noble-curves#abstract-api) 重构 SM2，性能提升近4倍。详见 [noble-curves 文档](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/) 
+- 📘 使用 TypeScript 实现，提供全面的类型支持
+- 🔄 移除原有 `jsbn` 依赖，改用原生 BigInt
+- ✔️ 通过全部历史单元测试，包括 SM2、SM3 和 SM4
+- 🎲 自动选择最优的安全随机数实现，避免使用 `Math.random` 和 `Date.now` 进行模拟
+- 📚 同时导出 ES Module 和 CommonJS 两种格式，可按需使用
 
 ## 安装
 
@@ -37,10 +37,12 @@ privateKey = keypair.privateKey // 私钥
 const compressedPublicKey = sm2.compressPublicKeyHex(publicKey) // compressedPublicKey 和 publicKey 等价
 sm2.comparePublicKeyHex(publicKey, compressedPublicKey) // 判断公钥是否等价
 
-// 自定义随机数，参数会直接透传给 jsbn 库的 BigInteger 构造器
+// 自定义随机数，参数会直接透传给 BigInt 构造器
 // 注意：开发者使用自定义随机数，需要自行确保传入的随机数符合密码学安全
 let keypair2 = sm2.generateKeyPairHex('123123123123123')
-let keypair3 = sm2.generateKeyPairHex(256, SecureRandom)
+
+// 初始化随机数池，在某些场景下可能会用到
+await sm2.initRNGPool()
 
 let verifyResult = sm2.verifyPublicKey(publicKey) // 验证公钥
 verifyResult = sm2.verifyPublicKey(compressedPublicKey) // 验证公钥
@@ -161,6 +163,24 @@ let decryptData = sm4.decrypt(encryptData, key, {padding: 'none', output: 'array
 let decryptData = sm4.decrypt(encryptData, key, {mode: 'cbc', iv: 'fedcba98765432100123456789abcdef'}) // 解密，cbc 模式
 ```
 
+### 密钥交换(实验性)
+
+```js
+import { sm2 } from 'sm-crypto-v2'
+
+const keyPairA = sm2.generateKeyPairHex() // A 的秘钥对
+const keyPairB = sm2.generateKeyPairHex() // B 的秘钥对
+const ephemeralKeypairA = sm2.generateKeyPairHex() // A 的临时秘钥对
+const ephemeralKeypairB = sm2.generateKeyPairHex() // B 的临时秘钥对
+
+// A 所需参数：A 的秘钥对，A 的临时秘钥对，B 的公钥，B 的临时秘钥公钥，AB 的身份ID，长度
+const sharedKeyFromA = sm2.calculateSharedKey(keyPairA, ephemeralKeypairA, keyPairB.publicKey, ephemeralKeypairB.publicKey, undefined, undefined, 233)
+// A 所需参数：B 的秘钥对，B 的临时秘钥对，A 的公钥，A 的临时秘钥公钥，AB 的身份ID，长度
+const sharedKeyFromB = sm2.calculateSharedKey(keyPairB, ephemeralKeypairB, keyPairA.publicKey, ephemeralKeypairA.publicKey, undefined, undefined, 233)
+
+// expect(sharedKeyFromA).toEqual(sharedKeyFromB) => true
+```
+
 ## 其他实现
 
 * 原 js 版本：[https://github.com/JuneAndGreen/sm-crypto](https://github.com/JuneAndGreen/sm-crypto)
@@ -168,6 +188,30 @@ let decryptData = sm4.decrypt(encryptData, key, {mode: 'cbc', iv: 'fedcba9876543
 * java 实现（感谢 @antherd 提供）：[https://github.com/antherd/sm-crypto](https://github.com/antherd/sm-crypto)
 * dart 实现（感谢 @luckykellan 提供）：[https://github.com/luckykellan/dart_sm](https://github.com/luckykellan/dart_sm)
 
+## 性能
+
+CPU: Apple M1 Pro
+
+```
+❯ npm run bench
+
+> benchmark@0.1.0 bench
+> node index.js
+
+Benchmarking
+
+=== sm-crypto ===
+sm2 generateKeyPair x 134 ops/sec @ 7ms/op ± 4.12% (min: 6ms, max: 21ms)
+sm2 encrypt x 71 ops/sec @ 14ms/op
+sm2 sign x 139 ops/sec @ 7ms/op
+sm2 verify x 70 ops/sec @ 14ms/op
+=== sm-crypto-v2 ===
+sm2 generateKeyPair x 2,835 ops/sec @ 352μs/op ± 6.34% (min: 286μs, max: 1ms)
+sm2 encrypt x 253 ops/sec @ 3ms/op ± 2.11% (min: 3ms, max: 24ms)
+sm2 sign x 3,186 ops/sec @ 313μs/op ± 1.26% (min: 277μs, max: 854μs)
+sm2 verify x 258 ops/sec @ 3ms/op
+```
+
 ## 协议
 
 MIT

package/benchmark/index.js

@@ -0,0 +1,29 @@
+import { run, mark, utils } from 'micro-bmark';
+import * as sm from 'sm-crypto'
+import * as smV2 from 'sm-crypto-v2'
+
+const msg = 'Hello world~!'
+
+const keypair = smV2.sm2.generateKeyPairHex('12345678901234567890')
+
+run(async () => {
+  await smV2.sm2.initRNGPool()
+  const sig = smV2.sm2.doSignature(msg, keypair.privateKey, { publicKey: keypair.publicKey})
+
+  const RAM = false
+  console.log();
+  if (RAM) utils.logMem();
+  console.log('=== sm-crypto ===')
+  await mark('sm2 generateKeyPair', 100, () => sm.sm2.generateKeyPairHex())
+  await mark('sm2 encrypt', 500, () => sm.sm2.doEncrypt(msg, keypair.publicKey));
+  await mark('sm2 sign', 500, () => sm.sm2.doSignature(msg, keypair.privateKey, { publicKey: keypair.publicKey}));
+  await mark('sm2 verify', 500, () => sm.sm2.doVerifySignature(msg, sig, keypair.publicKey));
+  if (RAM) utils.logMem();
+  if (RAM) utils.logMem();
+  console.log('=== sm-crypto-v2 ===')
+  await mark('sm2 generateKeyPair', 100, () => smV2.sm2.generateKeyPairHex())
+  await mark('sm2 encrypt', 500, () => smV2.sm2.doEncrypt(msg, keypair.publicKey));
+  await mark('sm2 sign', 500, () => smV2.sm2.doSignature(msg, keypair.privateKey, { publicKey: keypair.publicKey}));
+  await mark('sm2 verify', 500, () => smV2.sm2.doVerifySignature(msg, sig, keypair.publicKey));
+  if (RAM) utils.logMem();
+});

package/benchmark/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "benchmark",
+  "private": true,
+  "version": "0.1.0",
+  "description": "benchmarks",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "bench": "node index.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "micro-bmark": "^0.3.1",
+    "sm-crypto": "^0.3.12",
+    "sm-crypto-v2": "^1.2.2"
+  }
+}

package/benchmark/pnpm-lock.yaml

@@ -0,0 +1,28 @@
+lockfileVersion: '6.0'
+
+dependencies:
+  micro-bmark:
+    specifier: ^0.3.1
+    version: 0.3.1
+  sm-crypto:
+    specifier: ^0.3.12
+    version: 0.3.12
+  sm-crypto-v2:
+    specifier: ^1.2.2
+    version: link:..
+
+packages:
+
+  /jsbn@1.1.0:
+    resolution: {integrity: sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==}
+    dev: false
+
+  /micro-bmark@0.3.1:
+    resolution: {integrity: sha512-bNaKObD4yPAAPrpEqp5jO6LJ2sEFgLoFSmRjEY809mJ62+2AehI/K3+RlVpN3Oo92RHpgC2RQhj6b1Tb4dmo+w==}
+    dev: false
+
+  /sm-crypto@0.3.12:
+    resolution: {integrity: sha512-272PBzB4PYaBdeGa41TH9ZlMGLPVRmS36Gs4FjmHwXIdihQypAbhhFWZTaa/3de69q2KfMme1M5O2W5+spAdrg==}
+    dependencies:
+      jsbn: 1.1.0
+    dev: false

package/dist/index.d.ts

@@ -1,10 +1,11 @@
+interface KeyPair {
+    privateKey: string;
+    publicKey: string;
+}
 /**
  * 生成密钥对：publicKey = privateKey * G
  */
-declare function generateKeyPairHex(str?: string): {
-    privateKey: string;
-    publicKey: string;
-};
+declare function generateKeyPairHex(str?: string): KeyPair;
 /**
  * 生成压缩公钥
  */
@@ -39,6 +40,10 @@ declare function verifyPublicKey(publicKey: string): boolean;
 declare function comparePublicKeyHex(publicKey1: string, publicKey2: string): boolean;
 declare function concatArray(...arrays: Uint8Array[]): Uint8Array;
 
+declare function initRNGPool(): Promise<void>;
+
+declare function calculateSharedKey(keypairA: KeyPair, ephemeralKeypairA: KeyPair, publicKeyB: string, ephemeralPublicKeyB: string, idA: string | undefined, idB: string | undefined, sharedKeyLength: number): Uint8Array;
+
 /**
  * 加密
  */
@@ -100,6 +105,9 @@ declare const index$2_doVerifySignature: typeof doVerifySignature;
 declare const index$2_getHash: typeof getHash;
 declare const index$2_getPublicKeyFromPrivateKey: typeof getPublicKeyFromPrivateKey;
 declare const index$2_getPoint: typeof getPoint;
+declare const index$2_initRNGPool: typeof initRNGPool;
+declare const index$2_calculateSharedKey: typeof calculateSharedKey;
+type index$2_KeyPair = KeyPair;
 declare const index$2_generateKeyPairHex: typeof generateKeyPairHex;
 declare const index$2_compressPublicKeyHex: typeof compressPublicKeyHex;
 declare const index$2_utf8ToHex: typeof utf8ToHex;
@@ -120,6 +128,9 @@ declare namespace index$2 {
     index$2_getHash as getHash,
     index$2_getPublicKeyFromPrivateKey as getPublicKeyFromPrivateKey,
     index$2_getPoint as getPoint,
+    index$2_initRNGPool as initRNGPool,
+    index$2_calculateSharedKey as calculateSharedKey,
+    index$2_KeyPair as KeyPair,
     index$2_generateKeyPairHex as generateKeyPairHex,
     index$2_compressPublicKeyHex as compressPublicKeyHex,
     index$2_utf8ToHex as utf8ToHex,

package/dist/index.js

@@ -37,6 +37,7 @@ var sm2_exports = {};
 __export(sm2_exports, {
   arrayToHex: () => arrayToHex,
   arrayToUtf8: () => arrayToUtf8,
+  calculateSharedKey: () => calculateSharedKey,
   comparePublicKeyHex: () => comparePublicKeyHex,
   compressPublicKeyHex: () => compressPublicKeyHex,
   concatArray: () => concatArray,
@@ -49,6 +50,7 @@ __export(sm2_exports, {
   getPoint: () => getPoint,
   getPublicKeyFromPrivateKey: () => getPublicKeyFromPrivateKey,
   hexToArray: () => hexToArray,
+  initRNGPool: () => initRNGPool,
   leftPad: () => leftPad2,
   utf8ToHex: () => utf8ToHex,
   verifyPublicKey: () => verifyPublicKey
@@ -359,11 +361,14 @@ function sm32(input, options) {
 }
 
 // src/sm2/ec.ts
-var DEFAULT_PRNG_POOL_SIZE = 4096;
+var DEFAULT_PRNG_POOL_SIZE = 16384;
 var prngPool = new Uint8Array(0);
-async function FillPRNGPoolIfNeeded() {
-  if ("crypto" in globalThis)
+var _syncCrypto;
+async function initRNGPool() {
+  if ("crypto" in globalThis) {
+    _syncCrypto = globalThis.crypto;
     return;
+  }
   if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2)
     return;
   if ("wx" in globalThis) {
@@ -381,29 +386,30 @@ async function FillPRNGPoolIfNeeded() {
         /* webpackIgnore: true */
         "crypto"
       );
+      _syncCrypto = crypto.webcrypto;
       const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
-      crypto.webcrypto.getRandomValues(array);
+      _syncCrypto.getRandomValues(array);
       prngPool = array;
     } catch (error) {
       throw new Error("no available csprng, abort.");
     }
   }
 }
-FillPRNGPoolIfNeeded();
+initRNGPool();
 function consumePool(length) {
   if (prngPool.length > length) {
     const prng = prngPool.slice(0, length);
     prngPool = prngPool.slice(length);
-    FillPRNGPoolIfNeeded();
+    initRNGPool();
     return prng;
   } else {
-    throw new Error("random number pool is insufficient, prevent getting too long random values or too often.");
+    throw new Error("random number pool is not ready or insufficient, prevent getting too long random values or too often.");
   }
 }
 function randomBytes(length = 0) {
   const array = new Uint8Array(length);
-  if ("crypto" in globalThis) {
-    return globalThis.crypto.getRandomValues(array);
+  if (_syncCrypto) {
+    return _syncCrypto.getRandomValues(array);
   } else {
     const result = consumePool(length);
     return result;
@@ -539,19 +545,65 @@ function concatArray(...arrays) {
 
 // src/sm2/index.ts
 var mod2 = __toESM(require("@noble/curves/abstract/modular"));
+var utils4 = __toESM(require("@noble/curves/abstract/utils"));
+
+// src/sm2/kx.ts
 var utils3 = __toESM(require("@noble/curves/abstract/utils"));
+var import_modular3 = require("@noble/curves/abstract/modular");
+var field = (0, import_modular3.Field)(BigInt(sm2Curve.CURVE.n));
+var wPow2 = utils3.hexToNumber("80000000000000000000000000000000");
+var wPow2Sub1 = utils3.hexToNumber("7fffffffffffffffffffffffffffffff");
+function hkdf(z, keylen) {
+  let t = new Uint8Array();
+  let msg = new Uint8Array(keylen);
+  let ct = 1;
+  let offset = 0;
+  const nextT = () => {
+    t = sm3(Uint8Array.from([...z, ct >> 24 & 255, ct >> 16 & 255, ct >> 8 & 255, ct & 255]));
+    ct++;
+    offset = 0;
+  };
+  nextT();
+  for (let i = 0, len = msg.length; i < len; i++) {
+    if (offset === t.length)
+      nextT();
+    msg[i] = t[offset++] & 255;
+  }
+  return msg;
+}
+function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, idA = "1234567812345678", idB = "1234567812345678", sharedKeyLength) {
+  const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey);
+  const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB);
+  const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB);
+  const ZA = hexToArray(idA);
+  const ZB = hexToArray(idB);
+  const rA = utils3.hexToNumber(ephemeralKeypairA.privateKey);
+  const dA = utils3.hexToNumber(keypairA.privateKey);
+  const x1 = RA.x;
+  const x1_ = field.add(wPow2, x1 & wPow2Sub1);
+  const tA = field.add(dA, field.mul(x1_, rA));
+  const x2 = RB.x;
+  const x2_ = field.add(wPow2, x2 & wPow2Sub1);
+  const U = RB.multiply(x2_).add(PB).multiply(tA);
+  const xU = hexToArray(leftPad2(utils3.numberToHexUnpadded(U.x), 64));
+  const yU = hexToArray(leftPad2(utils3.numberToHexUnpadded(U.y), 64));
+  const KA = hkdf(concatArray(xU, yU, ZA, ZB), sharedKeyLength);
+  return KA;
+}
+
+// src/sm2/index.ts
 var C1C2C3 = 0;
 function doEncrypt(msg, publicKey, cipherMode = 1) {
   const msgArr = typeof msg === "string" ? hexToArray(utf8ToHex(msg)) : Uint8Array.from(msg);
   const publicKeyPoint = sm2Curve.ProjectivePoint.fromHex(publicKey);
   const keypair = generateKeyPairHex();
-  const k = utils3.hexToNumber(keypair.privateKey);
+  const k = utils4.hexToNumber(keypair.privateKey);
   let c1 = keypair.publicKey;
   if (c1.length > 128)
     c1 = c1.substring(c1.length - 128);
   const p = publicKeyPoint.multiply(k);
-  const x2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.x), 64));
-  const y2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.y), 64));
+  const x2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.x), 64));
+  const y2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.y), 64));
   const c3 = arrayToHex(Array.from(sm3(concatArray(x2, msgArr, y2))));
   let ct = 1;
   let offset = 0;
@@ -574,7 +626,7 @@ function doEncrypt(msg, publicKey, cipherMode = 1) {
 function doDecrypt(encryptData, privateKey, cipherMode = 1, {
   output = "string"
 } = {}) {
-  const privateKeyInteger = utils3.hexToNumber(privateKey);
+  const privateKeyInteger = utils4.hexToNumber(privateKey);
   let c3 = encryptData.substring(128, 128 + 64);
   let c2 = encryptData.substring(128 + 64);
   if (cipherMode === C1C2C3) {
@@ -584,8 +636,8 @@ function doDecrypt(encryptData, privateKey, cipherMode = 1, {
   const msg = hexToArray(c2);
   const c1 = sm2Curve.ProjectivePoint.fromHex("04" + encryptData.substring(0, 128));
   const p = c1.multiply(privateKeyInteger);
-  const x2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.x), 64));
-  const y2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.y), 64));
+  const x2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.x), 64));
+  const y2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.y), 64));
   let ct = 1;
   let offset = 0;
   let t = new Uint8Array();
@@ -621,8 +673,8 @@ function doSignature(msg, privateKey, options = {}) {
     publicKey = publicKey || getPublicKeyFromPrivateKey(privateKey);
     hashHex = getHash(hashHex, publicKey, userId);
   }
-  const dA = utils3.hexToNumber(privateKey);
-  const e = utils3.hexToNumber(hashHex);
+  const dA = utils4.hexToNumber(privateKey);
+  const e = utils4.hexToNumber(hashHex);
   let k = null;
   let r = null;
   let s = null;
@@ -641,7 +693,7 @@ function doSignature(msg, privateKey, options = {}) {
   } while (s === ZERO);
   if (der)
     return encodeDer(r, s);
-  return leftPad2(utils3.numberToHexUnpadded(r), 64) + leftPad2(utils3.numberToHexUnpadded(s), 64);
+  return leftPad2(utils4.numberToHexUnpadded(r), 64) + leftPad2(utils4.numberToHexUnpadded(s), 64);
 }
 function doVerifySignature(msg, signHex, publicKey, options = {}) {
   let hashHex;
@@ -662,11 +714,11 @@ function doVerifySignature(msg, signHex, publicKey, options = {}) {
     r = decodeDerObj.r;
     s = decodeDerObj.s;
   } else {
-    r = utils3.hexToNumber(signHex.substring(0, 64));
-    s = utils3.hexToNumber(signHex.substring(64));
+    r = utils4.hexToNumber(signHex.substring(0, 64));
+    s = utils4.hexToNumber(signHex.substring(64));
   }
   const PA = sm2Curve.ProjectivePoint.fromHex(publicKey);
-  const e = utils3.hexToNumber(hashHex);
+  const e = utils4.hexToNumber(hashHex);
   const t = mod2.mod(r + s, sm2Curve.CURVE.n);
   if (t === ZERO)
     return false;
@@ -676,10 +728,10 @@ function doVerifySignature(msg, signHex, publicKey, options = {}) {
 }
 function getHash(hashHex, publicKey, userId = "1234567812345678") {
   userId = utf8ToHex(userId);
-  const a = leftPad2(utils3.numberToHexUnpadded(sm2Curve.CURVE.a), 64);
-  const b = leftPad2(utils3.numberToHexUnpadded(sm2Curve.CURVE.b), 64);
-  const gx = leftPad2(utils3.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.x), 64);
-  const gy = leftPad2(utils3.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.y), 64);
+  const a = leftPad2(utils4.numberToHexUnpadded(sm2Curve.CURVE.a), 64);
+  const b = leftPad2(utils4.numberToHexUnpadded(sm2Curve.CURVE.b), 64);
+  const gx = leftPad2(utils4.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.x), 64);
+  const gy = leftPad2(utils4.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.y), 64);
   let px;
   let py;
   if (publicKey.length === 128) {
@@ -687,8 +739,8 @@ function getHash(hashHex, publicKey, userId = "1234567812345678") {
     py = publicKey.substring(64, 128);
   } else {
     const point = sm2Curve.ProjectivePoint.fromHex(publicKey);
-    px = leftPad2(utils3.numberToHexUnpadded(point.x), 64);
-    py = leftPad2(utils3.numberToHexUnpadded(point.y), 64);
+    px = leftPad2(utils4.numberToHexUnpadded(point.x), 64);
+    py = leftPad2(utils4.numberToHexUnpadded(point.y), 64);
   }
   const data = hexToArray(userId + a + b + gx + gy + px + py);
   const entl = userId.length * 4;
@@ -697,13 +749,13 @@ function getHash(hashHex, publicKey, userId = "1234567812345678") {
 }
 function getPublicKeyFromPrivateKey(privateKey) {
   const pubKey = sm2Curve.getPublicKey(privateKey, false);
-  const pubPad = leftPad2(utils3.bytesToHex(pubKey), 64);
+  const pubPad = leftPad2(utils4.bytesToHex(pubKey), 64);
   return pubPad;
 }
 function getPoint() {
   const keypair = generateKeyPairHex();
   const PA = sm2Curve.ProjectivePoint.fromHex(keypair.publicKey);
-  const k = utils3.hexToNumber(keypair.privateKey);
+  const k = utils4.hexToNumber(keypair.privateKey);
   return {
     ...keypair,
     k,

package/dist/index.mjs

@@ -9,6 +9,7 @@ var sm2_exports = {};
 __export(sm2_exports, {
   arrayToHex: () => arrayToHex,
   arrayToUtf8: () => arrayToUtf8,
+  calculateSharedKey: () => calculateSharedKey,
   comparePublicKeyHex: () => comparePublicKeyHex,
   compressPublicKeyHex: () => compressPublicKeyHex,
   concatArray: () => concatArray,
@@ -21,6 +22,7 @@ __export(sm2_exports, {
   getPoint: () => getPoint,
   getPublicKeyFromPrivateKey: () => getPublicKeyFromPrivateKey,
   hexToArray: () => hexToArray,
+  initRNGPool: () => initRNGPool,
   leftPad: () => leftPad2,
   utf8ToHex: () => utf8ToHex,
   verifyPublicKey: () => verifyPublicKey
@@ -331,11 +333,14 @@ function sm32(input, options) {
 }
 
 // src/sm2/ec.ts
-var DEFAULT_PRNG_POOL_SIZE = 4096;
+var DEFAULT_PRNG_POOL_SIZE = 16384;
 var prngPool = new Uint8Array(0);
-async function FillPRNGPoolIfNeeded() {
-  if ("crypto" in globalThis)
+var _syncCrypto;
+async function initRNGPool() {
+  if ("crypto" in globalThis) {
+    _syncCrypto = globalThis.crypto;
     return;
+  }
   if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2)
     return;
   if ("wx" in globalThis) {
@@ -353,29 +358,30 @@ async function FillPRNGPoolIfNeeded() {
         /* webpackIgnore: true */
         "crypto"
       );
+      _syncCrypto = crypto.webcrypto;
       const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
-      crypto.webcrypto.getRandomValues(array);
+      _syncCrypto.getRandomValues(array);
       prngPool = array;
     } catch (error) {
       throw new Error("no available csprng, abort.");
     }
   }
 }
-FillPRNGPoolIfNeeded();
+initRNGPool();
 function consumePool(length) {
   if (prngPool.length > length) {
     const prng = prngPool.slice(0, length);
     prngPool = prngPool.slice(length);
-    FillPRNGPoolIfNeeded();
+    initRNGPool();
     return prng;
   } else {
-    throw new Error("random number pool is insufficient, prevent getting too long random values or too often.");
+    throw new Error("random number pool is not ready or insufficient, prevent getting too long random values or too often.");
   }
 }
 function randomBytes(length = 0) {
   const array = new Uint8Array(length);
-  if ("crypto" in globalThis) {
-    return globalThis.crypto.getRandomValues(array);
+  if (_syncCrypto) {
+    return _syncCrypto.getRandomValues(array);
   } else {
     const result = consumePool(length);
     return result;
@@ -511,19 +517,65 @@ function concatArray(...arrays) {
 
 // src/sm2/index.ts
 import * as mod2 from "@noble/curves/abstract/modular";
+import * as utils4 from "@noble/curves/abstract/utils";
+
+// src/sm2/kx.ts
 import * as utils3 from "@noble/curves/abstract/utils";
+import { Field as Field2 } from "@noble/curves/abstract/modular";
+var field = Field2(BigInt(sm2Curve.CURVE.n));
+var wPow2 = utils3.hexToNumber("80000000000000000000000000000000");
+var wPow2Sub1 = utils3.hexToNumber("7fffffffffffffffffffffffffffffff");
+function hkdf(z, keylen) {
+  let t = new Uint8Array();
+  let msg = new Uint8Array(keylen);
+  let ct = 1;
+  let offset = 0;
+  const nextT = () => {
+    t = sm3(Uint8Array.from([...z, ct >> 24 & 255, ct >> 16 & 255, ct >> 8 & 255, ct & 255]));
+    ct++;
+    offset = 0;
+  };
+  nextT();
+  for (let i = 0, len = msg.length; i < len; i++) {
+    if (offset === t.length)
+      nextT();
+    msg[i] = t[offset++] & 255;
+  }
+  return msg;
+}
+function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, idA = "1234567812345678", idB = "1234567812345678", sharedKeyLength) {
+  const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey);
+  const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB);
+  const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB);
+  const ZA = hexToArray(idA);
+  const ZB = hexToArray(idB);
+  const rA = utils3.hexToNumber(ephemeralKeypairA.privateKey);
+  const dA = utils3.hexToNumber(keypairA.privateKey);
+  const x1 = RA.x;
+  const x1_ = field.add(wPow2, x1 & wPow2Sub1);
+  const tA = field.add(dA, field.mul(x1_, rA));
+  const x2 = RB.x;
+  const x2_ = field.add(wPow2, x2 & wPow2Sub1);
+  const U = RB.multiply(x2_).add(PB).multiply(tA);
+  const xU = hexToArray(leftPad2(utils3.numberToHexUnpadded(U.x), 64));
+  const yU = hexToArray(leftPad2(utils3.numberToHexUnpadded(U.y), 64));
+  const KA = hkdf(concatArray(xU, yU, ZA, ZB), sharedKeyLength);
+  return KA;
+}
+
+// src/sm2/index.ts
 var C1C2C3 = 0;
 function doEncrypt(msg, publicKey, cipherMode = 1) {
   const msgArr = typeof msg === "string" ? hexToArray(utf8ToHex(msg)) : Uint8Array.from(msg);
   const publicKeyPoint = sm2Curve.ProjectivePoint.fromHex(publicKey);
   const keypair = generateKeyPairHex();
-  const k = utils3.hexToNumber(keypair.privateKey);
+  const k = utils4.hexToNumber(keypair.privateKey);
   let c1 = keypair.publicKey;
   if (c1.length > 128)
     c1 = c1.substring(c1.length - 128);
   const p = publicKeyPoint.multiply(k);
-  const x2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.x), 64));
-  const y2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.y), 64));
+  const x2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.x), 64));
+  const y2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.y), 64));
   const c3 = arrayToHex(Array.from(sm3(concatArray(x2, msgArr, y2))));
   let ct = 1;
   let offset = 0;
@@ -546,7 +598,7 @@ function doEncrypt(msg, publicKey, cipherMode = 1) {
 function doDecrypt(encryptData, privateKey, cipherMode = 1, {
   output = "string"
 } = {}) {
-  const privateKeyInteger = utils3.hexToNumber(privateKey);
+  const privateKeyInteger = utils4.hexToNumber(privateKey);
   let c3 = encryptData.substring(128, 128 + 64);
   let c2 = encryptData.substring(128 + 64);
   if (cipherMode === C1C2C3) {
@@ -556,8 +608,8 @@ function doDecrypt(encryptData, privateKey, cipherMode = 1, {
   const msg = hexToArray(c2);
   const c1 = sm2Curve.ProjectivePoint.fromHex("04" + encryptData.substring(0, 128));
   const p = c1.multiply(privateKeyInteger);
-  const x2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.x), 64));
-  const y2 = hexToArray(leftPad2(utils3.numberToHexUnpadded(p.y), 64));
+  const x2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.x), 64));
+  const y2 = hexToArray(leftPad2(utils4.numberToHexUnpadded(p.y), 64));
   let ct = 1;
   let offset = 0;
   let t = new Uint8Array();
@@ -593,8 +645,8 @@ function doSignature(msg, privateKey, options = {}) {
     publicKey = publicKey || getPublicKeyFromPrivateKey(privateKey);
     hashHex = getHash(hashHex, publicKey, userId);
   }
-  const dA = utils3.hexToNumber(privateKey);
-  const e = utils3.hexToNumber(hashHex);
+  const dA = utils4.hexToNumber(privateKey);
+  const e = utils4.hexToNumber(hashHex);
   let k = null;
   let r = null;
   let s = null;
@@ -613,7 +665,7 @@ function doSignature(msg, privateKey, options = {}) {
   } while (s === ZERO);
   if (der)
     return encodeDer(r, s);
-  return leftPad2(utils3.numberToHexUnpadded(r), 64) + leftPad2(utils3.numberToHexUnpadded(s), 64);
+  return leftPad2(utils4.numberToHexUnpadded(r), 64) + leftPad2(utils4.numberToHexUnpadded(s), 64);
 }
 function doVerifySignature(msg, signHex, publicKey, options = {}) {
   let hashHex;
@@ -634,11 +686,11 @@ function doVerifySignature(msg, signHex, publicKey, options = {}) {
     r = decodeDerObj.r;
     s = decodeDerObj.s;
   } else {
-    r = utils3.hexToNumber(signHex.substring(0, 64));
-    s = utils3.hexToNumber(signHex.substring(64));
+    r = utils4.hexToNumber(signHex.substring(0, 64));
+    s = utils4.hexToNumber(signHex.substring(64));
   }
   const PA = sm2Curve.ProjectivePoint.fromHex(publicKey);
-  const e = utils3.hexToNumber(hashHex);
+  const e = utils4.hexToNumber(hashHex);
   const t = mod2.mod(r + s, sm2Curve.CURVE.n);
   if (t === ZERO)
     return false;
@@ -648,10 +700,10 @@ function doVerifySignature(msg, signHex, publicKey, options = {}) {
 }
 function getHash(hashHex, publicKey, userId = "1234567812345678") {
   userId = utf8ToHex(userId);
-  const a = leftPad2(utils3.numberToHexUnpadded(sm2Curve.CURVE.a), 64);
-  const b = leftPad2(utils3.numberToHexUnpadded(sm2Curve.CURVE.b), 64);
-  const gx = leftPad2(utils3.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.x), 64);
-  const gy = leftPad2(utils3.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.y), 64);
+  const a = leftPad2(utils4.numberToHexUnpadded(sm2Curve.CURVE.a), 64);
+  const b = leftPad2(utils4.numberToHexUnpadded(sm2Curve.CURVE.b), 64);
+  const gx = leftPad2(utils4.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.x), 64);
+  const gy = leftPad2(utils4.numberToHexUnpadded(sm2Curve.ProjectivePoint.BASE.y), 64);
   let px;
   let py;
   if (publicKey.length === 128) {
@@ -659,8 +711,8 @@ function getHash(hashHex, publicKey, userId = "1234567812345678") {
     py = publicKey.substring(64, 128);
   } else {
     const point = sm2Curve.ProjectivePoint.fromHex(publicKey);
-    px = leftPad2(utils3.numberToHexUnpadded(point.x), 64);
-    py = leftPad2(utils3.numberToHexUnpadded(point.y), 64);
+    px = leftPad2(utils4.numberToHexUnpadded(point.x), 64);
+    py = leftPad2(utils4.numberToHexUnpadded(point.y), 64);
   }
   const data = hexToArray(userId + a + b + gx + gy + px + py);
   const entl = userId.length * 4;
@@ -669,13 +721,13 @@ function getHash(hashHex, publicKey, userId = "1234567812345678") {
 }
 function getPublicKeyFromPrivateKey(privateKey) {
   const pubKey = sm2Curve.getPublicKey(privateKey, false);
-  const pubPad = leftPad2(utils3.bytesToHex(pubKey), 64);
+  const pubPad = leftPad2(utils4.bytesToHex(pubKey), 64);
   return pubPad;
 }
 function getPoint() {
   const keypair = generateKeyPairHex();
   const PA = sm2Curve.ProjectivePoint.fromHex(keypair.publicKey);
-  const k = utils3.hexToNumber(keypair.privateKey);
+  const k = utils4.hexToNumber(keypair.privateKey);
   return {
     ...keypair,
     k,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sm-crypto-v2",
-  "version": "1.2.2",
+  "version": "1.4.0",
   "description": "sm-crypto-v2",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/src/sm2/ec.ts

@@ -19,11 +19,14 @@ declare module wx {
   }): void;
 }
 
-const DEFAULT_PRNG_POOL_SIZE = 4096
+const DEFAULT_PRNG_POOL_SIZE = 16384
 let prngPool = new Uint8Array(0)
-
-async function FillPRNGPoolIfNeeded() {
-  if ('crypto' in globalThis) return // no need to use pooling
+let _syncCrypto: typeof import('crypto')['webcrypto']
+export async function initRNGPool() {
+  if ('crypto' in globalThis) {
+    _syncCrypto = globalThis.crypto
+    return // no need to use pooling
+  }
   if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2) return // there is sufficient number
   // we always populate full pool size
   // since numbers may be consumed during micro tasks.
@@ -40,8 +43,9 @@ async function FillPRNGPoolIfNeeded() {
     // check if node, use webcrypto if available
     try {
       const crypto = await import(/* webpackIgnore: true */ 'crypto');
+      _syncCrypto = crypto.webcrypto
       const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
-      crypto.webcrypto.getRandomValues(array);
+      _syncCrypto.getRandomValues(array);
       prngPool = array;
     } catch (error) {
       throw new Error('no available csprng, abort.');
@@ -49,24 +53,25 @@ async function FillPRNGPoolIfNeeded() {
   }
 }
 
-FillPRNGPoolIfNeeded()
+initRNGPool()
 
 function consumePool(length: number): Uint8Array {
   if (prngPool.length > length) {
     const prng = prngPool.slice(0, length)
     prngPool = prngPool.slice(length)
-    FillPRNGPoolIfNeeded()
+    initRNGPool()
     return prng
   } else {
-    throw new Error('random number pool is insufficient, prevent getting too long random values or too often.')
+    throw new Error('random number pool is not ready or insufficient, prevent getting too long random values or too often.')
   }
 }
 
 export function randomBytes(length = 0): Uint8Array {
   const array = new Uint8Array(length);
-  if ('crypto' in globalThis) {
-    return globalThis.crypto.getRandomValues(array);
+  if (_syncCrypto) {
+    return _syncCrypto.getRandomValues(array);
   } else {
+    // no sync crypto available, use async pool
     const result = consumePool(length)
     return result
   }

package/src/sm2/index.ts

@@ -2,12 +2,15 @@
 import { encodeDer, decodeDer } from './asn1'
 import { arrayToHex, arrayToUtf8, concatArray, generateKeyPairHex, hexToArray, leftPad, utf8ToHex } from './utils'
 import { sm3 } from './sm3'
-export * from './utils'
 import * as mod from '@noble/curves/abstract/modular';
 import * as utils from '@noble/curves/abstract/utils';
 import { sm2Curve } from './ec';
 import { ONE, ZERO } from './bn';
 
+export * from './utils'
+export { initRNGPool } from './ec'
+export { calculateSharedKey } from './kx'
+
 // const { G, curve, n } = generateEcparam()
 const C1C2C3 = 0
 

package/src/sm2/kx.ts

@@ -0,0 +1,76 @@
+import { sm2Curve } from './ec';
+import { KeyPair, concatArray, hexToArray, leftPad } from './utils';
+import * as utils from '@noble/curves/abstract/utils';
+import { Field } from '@noble/curves/abstract/modular';
+import { sm3 } from './sm3';
+
+export const field = Field(BigInt(sm2Curve.CURVE.n))
+
+// 用到的常数
+const wPow2 = utils.hexToNumber('80000000000000000000000000000000')
+const wPow2Sub1 = utils.hexToNumber('7fffffffffffffffffffffffffffffff')
+
+// from sm2 sign part, extracted for code reusable.
+function hkdf(z: Uint8Array, keylen: number) {
+  let t = new Uint8Array() // 256 位
+  let msg = new Uint8Array(keylen)
+  let ct = 1
+  let offset = 0
+  const nextT = () => {
+    // (1) Hai = hash(z || ct)
+    // (2) ct++
+    t = sm3(Uint8Array.from([...z, ct >> 24 & 0x00ff, ct >> 16 & 0x00ff, ct >> 8 & 0x00ff, ct & 0x00ff]))
+    ct++
+    offset = 0
+  }
+  nextT() // 先生成 Ha1
+
+  for (let i = 0, len = msg.length; i < len; i++) {
+    // t = Ha1 || Ha2 || Ha3 || Ha4
+    if (offset === t.length) nextT()
+
+    // c2 = msg ^ t
+    msg[i] = t[offset++] & 0xff
+  }
+  return msg
+}
+
+
+export function calculateSharedKey(
+  keypairA: KeyPair,
+  ephemeralKeypairA: KeyPair,
+  publicKeyB: string,
+  ephemeralPublicKeyB: string,
+  idA: string = '1234567812345678',
+  idB: string = '1234567812345678',
+  sharedKeyLength: number,
+) {
+  const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey)
+  const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB)
+  // const PA = sm2Curve.ProjectivePoint.fromHex(keypairA.publicKey) // 暂时用不到
+  const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB)
+  const ZA = hexToArray(idA)
+  const ZB = hexToArray(idB)
+  const rA = utils.hexToNumber(ephemeralKeypairA.privateKey)
+  const dA = utils.hexToNumber(keypairA.privateKey)
+  // 1.先算tA
+  const x1 = RA.x
+  // x1_ = 2^w + (x1 & (2^w - 1))
+  const x1_ = field.add(wPow2, (x1 & wPow2Sub1))
+  // tA = (dA + x1b * rA) mod n
+  const tA = field.add(dA, field.mul(x1_, rA))
+
+  // 2.算 U
+  // x2_ = 2^w + (x2 & (2^w - 1))
+  const x2 = RB.x
+  const x2_ = field.add(wPow2, (x2 & wPow2Sub1))
+  // U = [h * tA](PB + x2_ * RB)
+  const U = RB.multiply(x2_).add(PB).multiply(tA)
+
+  // 3.算 KDF
+  // KA = KDF(xU || yU || ZA || ZB, kLen)
+  const xU = hexToArray(leftPad(utils.numberToHexUnpadded(U.x), 64))
+  const yU = hexToArray(leftPad(utils.numberToHexUnpadded(U.y), 64))
+  const KA = hkdf(concatArray(xU, yU, ZA, ZB), sharedKeyLength)
+  return KA
+}

package/src/sm2/utils.ts

@@ -5,10 +5,15 @@ import { sm2Curve, sm2Fp } from './ec';
 import { mod } from '@noble/curves/abstract/modular';
 import { ONE, TWO, ZERO } from './bn';
 
+export interface KeyPair {
+  privateKey: string
+  publicKey: string
+}
+
 /**
  * 生成密钥对：publicKey = privateKey * G
  */
-export function generateKeyPairHex(str?: string) {
+export function generateKeyPairHex(str?: string): KeyPair {
   const privateKey = str ? utils.numberToBytesBE((mod(BigInt(str), ONE) + ONE), 32) : sm2Curve.utils.randomPrivateKey()
   // const random = typeof a === 'string' ? new BigInteger(a, b) :
   //   a ? new BigInteger(a, b!, c!) : new BigInteger(n.bitLength(), rng)