sm-crypto-v2 1.5.0 → 1.6.0

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.6.0](https://github.com/Cubelrti/sm-crypto-v2/compare/v1.5.1...v1.6.0) (2023-07-11)
+
+
+### Features
+
+* **sm4:** optimize sm4 ([031159c](https://github.com/Cubelrti/sm-crypto-v2/commit/031159c7e2889f01b499b9286ce1d93a5e55b151))
+
+### [1.5.1](https://github.com/Cubelrti/sm-crypto-v2/compare/v1.5.0...v1.5.1) (2023-06-28)
+
+
+### Bug Fixes
+
+* **sm2/kx:** align key exchange with standard ([b4fae83](https://github.com/Cubelrti/sm-crypto-v2/commit/b4fae831ae587821a9c1fe72617420134ae7f326))
+
 ## [1.5.0](https://github.com/Cubelrti/sm-crypto-v2/compare/v1.4.0...v1.5.0) (2023-06-11)
 
 

package/README.md

@@ -16,7 +16,7 @@
 - ✔️ 通过全部历史单元测试，包括 SM2、SM3 和 SM4
 - 🎲 自动选择最优的安全随机数实现，避免使用 `Math.random()` 和 `Date.now()` 进行模拟
 - 📚 同时导出 ES Module 和 CommonJS 两种格式，可按需使用
-- 🔑 新增密钥交换 API（实验性）
+- 🔑 提供 SM2 密钥交换 API
 - 🎒 未压缩大小 34kb，压缩后 17kb
 
 ## 安装
@@ -167,7 +167,7 @@ let decryptData = sm4.decrypt(encryptData, key, {padding: 'none', output: 'array
 let decryptData = sm4.decrypt(encryptData, key, {mode: 'cbc', iv: 'fedcba98765432100123456789abcdef'}) // 解密，cbc 模式
 ```
 
-### 密钥交换(实验性)
+### 密钥交换
 
 ```js
 import { sm2 } from 'sm-crypto-v2'
@@ -177,10 +177,17 @@ const keyPairB = sm2.generateKeyPairHex() // B 的秘钥对
 const ephemeralKeypairA = sm2.generateKeyPairHex() // A 的临时秘钥对
 const ephemeralKeypairB = sm2.generateKeyPairHex() // B 的临时秘钥对
 
-// A 所需参数：A 的秘钥对，A 的临时秘钥对，B 的公钥，B 的临时秘钥公钥，AB 的身份ID，长度
-const sharedKeyFromA = sm2.calculateSharedKey(keyPairA, ephemeralKeypairA, keyPairB.publicKey, ephemeralKeypairB.publicKey, 'alice@yahoo.com', 'bob@yahoo.com', 233)
-// B 所需参数：B 的秘钥对，B 的临时秘钥对，A 的公钥，A 的临时秘钥公钥，AB 的身份ID，长度
-const sharedKeyFromB = sm2.calculateSharedKey(keyPairB, ephemeralKeypairB, keyPairA.publicKey, ephemeralKeypairA.publicKey, 'alice@yahoo.com', 'bob@yahoo.com', 233)
+// 无身份的密钥交换
+// A 所需参数：A 的秘钥对，A 的临时秘钥对，B 的公钥，B 的临时秘钥公钥，长度，是否为接收方（默认为 false）
+const sharedKeyFromA = sm2.calculateSharedKey(keyPairA, ephemeralKeypairA, keyPairB.publicKey, ephemeralKeypairB.publicKey, 233)
+// B 所需参数：B 的秘钥对，B 的临时秘钥对，A 的公钥，A 的临时秘钥公钥，长度，是否为接收方（默认为 false）
+const sharedKeyFromB = sm2.calculateSharedKey(keyPairB, ephemeralKeypairB, keyPairA.publicKey, ephemeralKeypairA.publicKey, 233, true)
+
+// 带身份的密钥交换
+// A 所需参数：A 的秘钥对，A 的临时秘钥对，B 的公钥，B 的临时秘钥公钥，长度，是否为接收方（默认为 false），A 的身份，B 的身份
+const sharedKeyFromA = sm2.calculateSharedKey(keyPairA, ephemeralKeypairA, keyPairB.publicKey, ephemeralKeypairB.publicKey, 233, false, 'alice@yahoo.com', 'bob@yahoo.com')
+// B 所需参数：B 的秘钥对，B 的临时秘钥对，A 的公钥，A 的临时秘钥公钥，长度，是否为接收方（默认为 false），B 的身份，A 的身份
+const sharedKeyFromB = sm2.calculateSharedKey(keyPairB, ephemeralKeypairB, keyPairA.publicKey, ephemeralKeypairA.publicKey, 233, true, 'bob@yahoo.com', 'alice@yahoo.com')
 
 // expect(sharedKeyFromA).toEqual(sharedKeyFromB) => true
 ```

package/dist/index.d.ts

@@ -41,7 +41,7 @@ declare function comparePublicKeyHex(publicKey1: string, publicKey2: string): bo
 
 declare function initRNGPool(): Promise<void>;
 
-declare function calculateSharedKey(keypairA: KeyPair, ephemeralKeypairA: KeyPair, publicKeyB: string, ephemeralPublicKeyB: string, idA: string | undefined, idB: string | undefined, sharedKeyLength: number): Uint8Array;
+declare function calculateSharedKey(keypairA: KeyPair, ephemeralKeypairA: KeyPair, publicKeyB: string, ephemeralPublicKeyB: string, sharedKeyLength: number, isRecipient?: boolean, idA?: string, idB?: string): Uint8Array;
 
 declare const EmptyArray: Uint8Array;
 /**
@@ -79,6 +79,7 @@ declare function doVerifySignature(msg: string | Uint8Array, signHex: string, pu
     hash?: boolean;
     userId?: string;
 }): boolean;
+declare function getZ(publicKey: string, userId?: string): Uint8Array;
 /**
  * sm3杂凑算法
  */
@@ -103,6 +104,7 @@ declare const index$1_doDecrypt: typeof doDecrypt;
 type index$1_SignaturePoint = SignaturePoint;
 declare const index$1_doSignature: typeof doSignature;
 declare const index$1_doVerifySignature: typeof doVerifySignature;
+declare const index$1_getZ: typeof getZ;
 declare const index$1_getHash: typeof getHash;
 declare const index$1_getPublicKeyFromPrivateKey: typeof getPublicKeyFromPrivateKey;
 declare const index$1_getPoint: typeof getPoint;
@@ -126,6 +128,7 @@ declare namespace index$1 {
     index$1_SignaturePoint as SignaturePoint,
     index$1_doSignature as doSignature,
     index$1_doVerifySignature as doVerifySignature,
+    index$1_getZ as getZ,
     index$1_getHash as getHash,
     index$1_getPublicKeyFromPrivateKey as getPublicKeyFromPrivateKey,
     index$1_getPoint as getPoint,

package/dist/index.js

@@ -49,6 +49,7 @@ __export(sm2_exports, {
   getHash: () => getHash,
   getPoint: () => getPoint,
   getPublicKeyFromPrivateKey: () => getPublicKeyFromPrivateKey,
+  getZ: () => getZ,
   hexToArray: () => hexToArray,
   initRNGPool: () => initRNGPool,
   leftPad: () => leftPad,
@@ -197,7 +198,7 @@ async function initRNGPool() {
   }
   if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2)
     return;
-  if ("wx" in globalThis) {
+  if ("wx" in globalThis && "getRandomValues" in globalThis.wx) {
     prngPool = await new Promise((r) => {
       wx.getRandomValues({
         length: DEFAULT_PRNG_POOL_SIZE,
@@ -208,11 +209,15 @@ async function initRNGPool() {
     });
   } else {
     try {
-      const crypto = await import(
-        /* webpackIgnore: true */
-        "crypto"
-      );
-      _syncCrypto = crypto.webcrypto;
+      if (globalThis.crypto) {
+        _syncCrypto = globalThis.crypto;
+      } else {
+        const crypto = await import(
+          /* webpackIgnore: true */
+          "crypto"
+        );
+        _syncCrypto = crypto.webcrypto;
+      }
       const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
       _syncCrypto.getRandomValues(array);
       prngPool = array;
@@ -679,16 +684,19 @@ function hkdf(z, keylen) {
   }
   return msg;
 }
-function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, idA = "1234567812345678", idB = "1234567812345678", sharedKeyLength) {
+function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, sharedKeyLength, isRecipient = false, idA = "1234567812345678", idB = "1234567812345678") {
   const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey);
   const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB);
   const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB);
-  const ZA = hexToArray(idA);
-  const ZB = hexToArray(idB);
+  let ZA = getZ(keypairA.publicKey, idA);
+  let ZB = getZ(publicKeyB, idB);
+  if (isRecipient) {
+    [ZA, ZB] = [ZB, ZA];
+  }
   const rA = utils3.hexToNumber(ephemeralKeypairA.privateKey);
   const dA = utils3.hexToNumber(keypairA.privateKey);
   const x1 = RA.x;
-  const x1_ = field.add(wPow2, x1 & wPow2Sub1);
+  const x1_ = wPow2 + (x1 & wPow2Sub1);
   const tA = field.add(dA, field.mulN(x1_, rA));
   const x2 = RB.x;
   const x2_ = field.add(wPow2, x2 & wPow2Sub1);
@@ -828,7 +836,7 @@ function doVerifySignature(msg, signHex, publicKey, options = {}) {
   const R = field.add(e, x1y1.x);
   return r === R;
 }
-function getHash(hashHex, publicKey, userId = "1234567812345678") {
+function getZ(publicKey, userId = "1234567812345678") {
   userId = utf8ToHex(userId);
   const a = leftPad(utils4.numberToHexUnpadded(sm2Curve.CURVE.a), 64);
   const b = leftPad(utils4.numberToHexUnpadded(sm2Curve.CURVE.b), 64);
@@ -847,6 +855,10 @@ function getHash(hashHex, publicKey, userId = "1234567812345678") {
   const data = hexToArray(userId + a + b + gx + gy + px + py);
   const entl = userId.length * 4;
   const z = sm3(utils4.concatBytes(new Uint8Array([entl >> 8 & 255, entl & 255]), data));
+  return z;
+}
+function getHash(hashHex, publicKey, userId = "1234567812345678") {
+  const z = getZ(publicKey, userId);
   return bytesToHex(sm3(utils4.concatBytes(z, typeof hashHex === "string" ? hexToArray(hashHex) : hashHex)));
 }
 function getPublicKeyFromPrivateKey(privateKey) {
@@ -1212,66 +1224,92 @@ var CK = new Uint32Array([
 function byteSub(a) {
   return (Sbox[a >>> 24 & 255] & 255) << 24 | (Sbox[a >>> 16 & 255] & 255) << 16 | (Sbox[a >>> 8 & 255] & 255) << 8 | Sbox[a & 255] & 255;
 }
-function l1(b) {
-  return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24);
-}
-function l2(b) {
-  return b ^ rotl(b, 13) ^ rotl(b, 23);
-}
 var x = new Uint32Array(4);
 var tmp = new Uint32Array(4);
 function sms4Crypt(input, output, roundKey) {
-  for (let i = 0; i < 4; i++) {
-    tmp[0] = input[4 * i] & 255;
-    tmp[1] = input[4 * i + 1] & 255;
-    tmp[2] = input[4 * i + 2] & 255;
-    tmp[3] = input[4 * i + 3] & 255;
-    x[i] = tmp[0] << 24 | tmp[1] << 16 | tmp[2] << 8 | tmp[3];
-  }
-  for (let r = 0, mid; r < 32; r += 4) {
-    mid = x[1] ^ x[2] ^ x[3] ^ roundKey[r + 0];
-    x[0] ^= l1(byteSub(mid));
-    mid = x[2] ^ x[3] ^ x[0] ^ roundKey[r + 1];
-    x[1] ^= l1(byteSub(mid));
-    mid = x[3] ^ x[0] ^ x[1] ^ roundKey[r + 2];
-    x[2] ^= l1(byteSub(mid));
-    mid = x[0] ^ x[1] ^ x[2] ^ roundKey[r + 3];
-    x[3] ^= l1(byteSub(mid));
-  }
-  for (let j = 0; j < 16; j += 4) {
-    output[j] = x[3 - j / 4] >>> 24 & 255;
-    output[j + 1] = x[3 - j / 4] >>> 16 & 255;
-    output[j + 2] = x[3 - j / 4] >>> 8 & 255;
-    output[j + 3] = x[3 - j / 4] & 255;
+  let x0 = 0, x1 = 0, x2 = 0, x3 = 0, tmp0 = 0, tmp1 = 0, tmp2 = 0, tmp3 = 0;
+  tmp0 = input[0] & 255;
+  tmp1 = input[1] & 255;
+  tmp2 = input[2] & 255;
+  tmp3 = input[3] & 255;
+  x0 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  tmp0 = input[4] & 255;
+  tmp1 = input[5] & 255;
+  tmp2 = input[6] & 255;
+  tmp3 = input[7] & 255;
+  x1 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  tmp0 = input[8] & 255;
+  tmp1 = input[9] & 255;
+  tmp2 = input[10] & 255;
+  tmp3 = input[11] & 255;
+  x2 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  tmp0 = input[12] & 255;
+  tmp1 = input[13] & 255;
+  tmp2 = input[14] & 255;
+  tmp3 = input[15] & 255;
+  x3 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  for (let r = 0; r < 32; r += 4) {
+    tmp0 = x1 ^ x2 ^ x3 ^ roundKey[r];
+    tmp0 = byteSub(tmp0);
+    x0 ^= tmp0 ^ (tmp0 << 2 | tmp0 >>> 30) ^ (tmp0 << 10 | tmp0 >>> 22) ^ (tmp0 << 18 | tmp0 >>> 14) ^ (tmp0 << 24 | tmp0 >>> 8);
+    tmp1 = x2 ^ x3 ^ x0 ^ roundKey[r + 1];
+    tmp1 = byteSub(tmp1);
+    x1 ^= tmp1 ^ (tmp1 << 2 | tmp1 >>> 30) ^ (tmp1 << 10 | tmp1 >>> 22) ^ (tmp1 << 18 | tmp1 >>> 14) ^ (tmp1 << 24 | tmp1 >>> 8);
+    tmp2 = x3 ^ x0 ^ x1 ^ roundKey[r + 2];
+    tmp2 = byteSub(tmp2);
+    x2 ^= tmp2 ^ (tmp2 << 2 | tmp2 >>> 30) ^ (tmp2 << 10 | tmp2 >>> 22) ^ (tmp2 << 18 | tmp2 >>> 14) ^ (tmp2 << 24 | tmp2 >>> 8);
+    tmp3 = x0 ^ x1 ^ x2 ^ roundKey[r + 3];
+    tmp3 = byteSub(tmp3);
+    x3 ^= tmp3 ^ (tmp3 << 2 | tmp3 >>> 30) ^ (tmp3 << 10 | tmp3 >>> 22) ^ (tmp3 << 18 | tmp3 >>> 14) ^ (tmp3 << 24 | tmp3 >>> 8);
   }
+  output[0] = x3 >>> 24 & 255;
+  output[1] = x3 >>> 16 & 255;
+  output[2] = x3 >>> 8 & 255;
+  output[3] = x3 & 255;
+  output[4] = x2 >>> 24 & 255;
+  output[5] = x2 >>> 16 & 255;
+  output[6] = x2 >>> 8 & 255;
+  output[7] = x2 & 255;
+  output[8] = x1 >>> 24 & 255;
+  output[9] = x1 >>> 16 & 255;
+  output[10] = x1 >>> 8 & 255;
+  output[11] = x1 & 255;
+  output[12] = x0 >>> 24 & 255;
+  output[13] = x0 >>> 16 & 255;
+  output[14] = x0 >>> 8 & 255;
+  output[15] = x0 & 255;
 }
 function sms4KeyExt(key, roundKey, cryptFlag) {
-  for (let i = 0; i < 4; i++) {
-    tmp[0] = key[0 + 4 * i] & 255;
-    tmp[1] = key[1 + 4 * i] & 255;
-    tmp[2] = key[2 + 4 * i] & 255;
-    tmp[3] = key[3 + 4 * i] & 255;
-    x[i] = tmp[0] << 24 | tmp[1] << 16 | tmp[2] << 8 | tmp[3];
-  }
-  x[0] ^= 2746333894;
-  x[1] ^= 1453994832;
-  x[2] ^= 1736282519;
-  x[3] ^= 2993693404;
-  for (let r = 0, mid; r < 32; r += 4) {
-    mid = x[1] ^ x[2] ^ x[3] ^ CK[r + 0];
-    roundKey[r + 0] = x[0] ^= l2(byteSub(mid));
-    mid = x[2] ^ x[3] ^ x[0] ^ CK[r + 1];
-    roundKey[r + 1] = x[1] ^= l2(byteSub(mid));
-    mid = x[3] ^ x[0] ^ x[1] ^ CK[r + 2];
-    roundKey[r + 2] = x[2] ^= l2(byteSub(mid));
-    mid = x[0] ^ x[1] ^ x[2] ^ CK[r + 3];
-    roundKey[r + 3] = x[3] ^= l2(byteSub(mid));
+  let x0 = 0, x1 = 0, x2 = 0, x3 = 0, mid = 0;
+  x0 = (key[0] & 255) << 24 | (key[1] & 255) << 16 | (key[2] & 255) << 8 | key[3] & 255;
+  x1 = (key[4] & 255) << 24 | (key[5] & 255) << 16 | (key[6] & 255) << 8 | key[7] & 255;
+  x2 = (key[8] & 255) << 24 | (key[9] & 255) << 16 | (key[10] & 255) << 8 | key[11] & 255;
+  x3 = (key[12] & 255) << 24 | (key[13] & 255) << 16 | (key[14] & 255) << 8 | key[15] & 255;
+  x0 ^= 2746333894;
+  x1 ^= 1453994832;
+  x2 ^= 1736282519;
+  x3 ^= 2993693404;
+  for (let r = 0; r < 32; r += 4) {
+    mid = x1 ^ x2 ^ x3 ^ CK[r + 0];
+    mid = byteSub(mid);
+    x0 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 0] = x0;
+    mid = x2 ^ x3 ^ x0 ^ CK[r + 1];
+    mid = byteSub(mid);
+    x1 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 1] = x1;
+    mid = x3 ^ x0 ^ x1 ^ CK[r + 2];
+    mid = byteSub(mid);
+    x2 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 2] = x2;
+    mid = x0 ^ x1 ^ x2 ^ CK[r + 3];
+    mid = byteSub(mid);
+    x3 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 3] = x3;
   }
   if (cryptFlag === DECRYPT) {
-    for (let r = 0, mid; r < 16; r++) {
-      mid = roundKey[r];
-      roundKey[r] = roundKey[31 - r];
-      roundKey[31 - r] = mid;
+    for (let r = 0; r < 16; r++) {
+      [roundKey[r], roundKey[31 - r]] = [roundKey[31 - r], roundKey[r]];
     }
   }
 }

package/dist/index.mjs

@@ -21,6 +21,7 @@ __export(sm2_exports, {
   getHash: () => getHash,
   getPoint: () => getPoint,
   getPublicKeyFromPrivateKey: () => getPublicKeyFromPrivateKey,
+  getZ: () => getZ,
   hexToArray: () => hexToArray,
   initRNGPool: () => initRNGPool,
   leftPad: () => leftPad,
@@ -169,7 +170,7 @@ async function initRNGPool() {
   }
   if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2)
     return;
-  if ("wx" in globalThis) {
+  if ("wx" in globalThis && "getRandomValues" in globalThis.wx) {
     prngPool = await new Promise((r) => {
       wx.getRandomValues({
         length: DEFAULT_PRNG_POOL_SIZE,
@@ -180,11 +181,15 @@ async function initRNGPool() {
     });
   } else {
     try {
-      const crypto = await import(
-        /* webpackIgnore: true */
-        "crypto"
-      );
-      _syncCrypto = crypto.webcrypto;
+      if (globalThis.crypto) {
+        _syncCrypto = globalThis.crypto;
+      } else {
+        const crypto = await import(
+          /* webpackIgnore: true */
+          "crypto"
+        );
+        _syncCrypto = crypto.webcrypto;
+      }
       const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
       _syncCrypto.getRandomValues(array);
       prngPool = array;
@@ -651,16 +656,19 @@ function hkdf(z, keylen) {
   }
   return msg;
 }
-function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, idA = "1234567812345678", idB = "1234567812345678", sharedKeyLength) {
+function calculateSharedKey(keypairA, ephemeralKeypairA, publicKeyB, ephemeralPublicKeyB, sharedKeyLength, isRecipient = false, idA = "1234567812345678", idB = "1234567812345678") {
   const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey);
   const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB);
   const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB);
-  const ZA = hexToArray(idA);
-  const ZB = hexToArray(idB);
+  let ZA = getZ(keypairA.publicKey, idA);
+  let ZB = getZ(publicKeyB, idB);
+  if (isRecipient) {
+    [ZA, ZB] = [ZB, ZA];
+  }
   const rA = utils3.hexToNumber(ephemeralKeypairA.privateKey);
   const dA = utils3.hexToNumber(keypairA.privateKey);
   const x1 = RA.x;
-  const x1_ = field.add(wPow2, x1 & wPow2Sub1);
+  const x1_ = wPow2 + (x1 & wPow2Sub1);
   const tA = field.add(dA, field.mulN(x1_, rA));
   const x2 = RB.x;
   const x2_ = field.add(wPow2, x2 & wPow2Sub1);
@@ -800,7 +808,7 @@ function doVerifySignature(msg, signHex, publicKey, options = {}) {
   const R = field.add(e, x1y1.x);
   return r === R;
 }
-function getHash(hashHex, publicKey, userId = "1234567812345678") {
+function getZ(publicKey, userId = "1234567812345678") {
   userId = utf8ToHex(userId);
   const a = leftPad(utils4.numberToHexUnpadded(sm2Curve.CURVE.a), 64);
   const b = leftPad(utils4.numberToHexUnpadded(sm2Curve.CURVE.b), 64);
@@ -819,6 +827,10 @@ function getHash(hashHex, publicKey, userId = "1234567812345678") {
   const data = hexToArray(userId + a + b + gx + gy + px + py);
   const entl = userId.length * 4;
   const z = sm3(utils4.concatBytes(new Uint8Array([entl >> 8 & 255, entl & 255]), data));
+  return z;
+}
+function getHash(hashHex, publicKey, userId = "1234567812345678") {
+  const z = getZ(publicKey, userId);
   return bytesToHex(sm3(utils4.concatBytes(z, typeof hashHex === "string" ? hexToArray(hashHex) : hashHex)));
 }
 function getPublicKeyFromPrivateKey(privateKey) {
@@ -1184,66 +1196,92 @@ var CK = new Uint32Array([
 function byteSub(a) {
   return (Sbox[a >>> 24 & 255] & 255) << 24 | (Sbox[a >>> 16 & 255] & 255) << 16 | (Sbox[a >>> 8 & 255] & 255) << 8 | Sbox[a & 255] & 255;
 }
-function l1(b) {
-  return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24);
-}
-function l2(b) {
-  return b ^ rotl(b, 13) ^ rotl(b, 23);
-}
 var x = new Uint32Array(4);
 var tmp = new Uint32Array(4);
 function sms4Crypt(input, output, roundKey) {
-  for (let i = 0; i < 4; i++) {
-    tmp[0] = input[4 * i] & 255;
-    tmp[1] = input[4 * i + 1] & 255;
-    tmp[2] = input[4 * i + 2] & 255;
-    tmp[3] = input[4 * i + 3] & 255;
-    x[i] = tmp[0] << 24 | tmp[1] << 16 | tmp[2] << 8 | tmp[3];
-  }
-  for (let r = 0, mid; r < 32; r += 4) {
-    mid = x[1] ^ x[2] ^ x[3] ^ roundKey[r + 0];
-    x[0] ^= l1(byteSub(mid));
-    mid = x[2] ^ x[3] ^ x[0] ^ roundKey[r + 1];
-    x[1] ^= l1(byteSub(mid));
-    mid = x[3] ^ x[0] ^ x[1] ^ roundKey[r + 2];
-    x[2] ^= l1(byteSub(mid));
-    mid = x[0] ^ x[1] ^ x[2] ^ roundKey[r + 3];
-    x[3] ^= l1(byteSub(mid));
-  }
-  for (let j = 0; j < 16; j += 4) {
-    output[j] = x[3 - j / 4] >>> 24 & 255;
-    output[j + 1] = x[3 - j / 4] >>> 16 & 255;
-    output[j + 2] = x[3 - j / 4] >>> 8 & 255;
-    output[j + 3] = x[3 - j / 4] & 255;
+  let x0 = 0, x1 = 0, x2 = 0, x3 = 0, tmp0 = 0, tmp1 = 0, tmp2 = 0, tmp3 = 0;
+  tmp0 = input[0] & 255;
+  tmp1 = input[1] & 255;
+  tmp2 = input[2] & 255;
+  tmp3 = input[3] & 255;
+  x0 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  tmp0 = input[4] & 255;
+  tmp1 = input[5] & 255;
+  tmp2 = input[6] & 255;
+  tmp3 = input[7] & 255;
+  x1 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  tmp0 = input[8] & 255;
+  tmp1 = input[9] & 255;
+  tmp2 = input[10] & 255;
+  tmp3 = input[11] & 255;
+  x2 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  tmp0 = input[12] & 255;
+  tmp1 = input[13] & 255;
+  tmp2 = input[14] & 255;
+  tmp3 = input[15] & 255;
+  x3 = tmp0 << 24 | tmp1 << 16 | tmp2 << 8 | tmp3;
+  for (let r = 0; r < 32; r += 4) {
+    tmp0 = x1 ^ x2 ^ x3 ^ roundKey[r];
+    tmp0 = byteSub(tmp0);
+    x0 ^= tmp0 ^ (tmp0 << 2 | tmp0 >>> 30) ^ (tmp0 << 10 | tmp0 >>> 22) ^ (tmp0 << 18 | tmp0 >>> 14) ^ (tmp0 << 24 | tmp0 >>> 8);
+    tmp1 = x2 ^ x3 ^ x0 ^ roundKey[r + 1];
+    tmp1 = byteSub(tmp1);
+    x1 ^= tmp1 ^ (tmp1 << 2 | tmp1 >>> 30) ^ (tmp1 << 10 | tmp1 >>> 22) ^ (tmp1 << 18 | tmp1 >>> 14) ^ (tmp1 << 24 | tmp1 >>> 8);
+    tmp2 = x3 ^ x0 ^ x1 ^ roundKey[r + 2];
+    tmp2 = byteSub(tmp2);
+    x2 ^= tmp2 ^ (tmp2 << 2 | tmp2 >>> 30) ^ (tmp2 << 10 | tmp2 >>> 22) ^ (tmp2 << 18 | tmp2 >>> 14) ^ (tmp2 << 24 | tmp2 >>> 8);
+    tmp3 = x0 ^ x1 ^ x2 ^ roundKey[r + 3];
+    tmp3 = byteSub(tmp3);
+    x3 ^= tmp3 ^ (tmp3 << 2 | tmp3 >>> 30) ^ (tmp3 << 10 | tmp3 >>> 22) ^ (tmp3 << 18 | tmp3 >>> 14) ^ (tmp3 << 24 | tmp3 >>> 8);
   }
+  output[0] = x3 >>> 24 & 255;
+  output[1] = x3 >>> 16 & 255;
+  output[2] = x3 >>> 8 & 255;
+  output[3] = x3 & 255;
+  output[4] = x2 >>> 24 & 255;
+  output[5] = x2 >>> 16 & 255;
+  output[6] = x2 >>> 8 & 255;
+  output[7] = x2 & 255;
+  output[8] = x1 >>> 24 & 255;
+  output[9] = x1 >>> 16 & 255;
+  output[10] = x1 >>> 8 & 255;
+  output[11] = x1 & 255;
+  output[12] = x0 >>> 24 & 255;
+  output[13] = x0 >>> 16 & 255;
+  output[14] = x0 >>> 8 & 255;
+  output[15] = x0 & 255;
 }
 function sms4KeyExt(key, roundKey, cryptFlag) {
-  for (let i = 0; i < 4; i++) {
-    tmp[0] = key[0 + 4 * i] & 255;
-    tmp[1] = key[1 + 4 * i] & 255;
-    tmp[2] = key[2 + 4 * i] & 255;
-    tmp[3] = key[3 + 4 * i] & 255;
-    x[i] = tmp[0] << 24 | tmp[1] << 16 | tmp[2] << 8 | tmp[3];
-  }
-  x[0] ^= 2746333894;
-  x[1] ^= 1453994832;
-  x[2] ^= 1736282519;
-  x[3] ^= 2993693404;
-  for (let r = 0, mid; r < 32; r += 4) {
-    mid = x[1] ^ x[2] ^ x[3] ^ CK[r + 0];
-    roundKey[r + 0] = x[0] ^= l2(byteSub(mid));
-    mid = x[2] ^ x[3] ^ x[0] ^ CK[r + 1];
-    roundKey[r + 1] = x[1] ^= l2(byteSub(mid));
-    mid = x[3] ^ x[0] ^ x[1] ^ CK[r + 2];
-    roundKey[r + 2] = x[2] ^= l2(byteSub(mid));
-    mid = x[0] ^ x[1] ^ x[2] ^ CK[r + 3];
-    roundKey[r + 3] = x[3] ^= l2(byteSub(mid));
+  let x0 = 0, x1 = 0, x2 = 0, x3 = 0, mid = 0;
+  x0 = (key[0] & 255) << 24 | (key[1] & 255) << 16 | (key[2] & 255) << 8 | key[3] & 255;
+  x1 = (key[4] & 255) << 24 | (key[5] & 255) << 16 | (key[6] & 255) << 8 | key[7] & 255;
+  x2 = (key[8] & 255) << 24 | (key[9] & 255) << 16 | (key[10] & 255) << 8 | key[11] & 255;
+  x3 = (key[12] & 255) << 24 | (key[13] & 255) << 16 | (key[14] & 255) << 8 | key[15] & 255;
+  x0 ^= 2746333894;
+  x1 ^= 1453994832;
+  x2 ^= 1736282519;
+  x3 ^= 2993693404;
+  for (let r = 0; r < 32; r += 4) {
+    mid = x1 ^ x2 ^ x3 ^ CK[r + 0];
+    mid = byteSub(mid);
+    x0 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 0] = x0;
+    mid = x2 ^ x3 ^ x0 ^ CK[r + 1];
+    mid = byteSub(mid);
+    x1 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 1] = x1;
+    mid = x3 ^ x0 ^ x1 ^ CK[r + 2];
+    mid = byteSub(mid);
+    x2 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 2] = x2;
+    mid = x0 ^ x1 ^ x2 ^ CK[r + 3];
+    mid = byteSub(mid);
+    x3 ^= mid ^ (mid << 13 | mid >>> 19) ^ (mid << 23 | mid >>> 9);
+    roundKey[r + 3] = x3;
   }
   if (cryptFlag === DECRYPT) {
-    for (let r = 0, mid; r < 16; r++) {
-      mid = roundKey[r];
-      roundKey[r] = roundKey[31 - r];
-      roundKey[31 - r] = mid;
+    for (let r = 0; r < 16; r++) {
+      [roundKey[r], roundKey[31 - r]] = [roundKey[31 - r], roundKey[r]];
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sm-crypto-v2",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "sm-crypto-v2",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/src/sm2/index.ts

@@ -209,10 +209,7 @@ export function doVerifySignature(msg: string | Uint8Array, signHex: string, pub
   return r === R
 }
 
-/**
- * sm3杂凑算法
- */
-export function getHash(hashHex: string | Uint8Array, publicKey: string, userId = '1234567812345678') {
+export function getZ(publicKey: string, userId = '1234567812345678') {
   // z = hash(entl || userId || a || b || gx || gy || px || py)
   userId = utf8ToHex(userId)
   const a = leftPad(utils.numberToHexUnpadded(sm2Curve.CURVE.a), 64)
@@ -241,6 +238,14 @@ export function getHash(hashHex: string | Uint8Array, publicKey: string, userId
 
   const z = sm3(utils.concatBytes(new Uint8Array([entl >> 8 & 0x00ff, entl & 0x00ff]), data))
 
+  return z
+}
+
+/**
+ * sm3杂凑算法
+ */
+export function getHash(hashHex: string | Uint8Array, publicKey: string, userId = '1234567812345678') {
+  const z = getZ(publicKey, userId)
   // e = hash(z || msg)
   return bytesToHex(sm3(utils.concatBytes(z, typeof hashHex === 'string' ? hexToArray(hashHex) : hashHex)))
 }

package/src/sm2/kx.ts

@@ -2,7 +2,7 @@ import { field, sm2Curve } from './ec';
 import { KeyPair, hexToArray, leftPad } from './utils';
 import * as utils from '@noble/curves/abstract/utils';
 import { sm3 } from './sm3';
-import { EmptyArray } from '.';
+import { EmptyArray, getZ } from '.';
 
 
 // 用到的常数
@@ -39,28 +39,31 @@ function hkdf(z: Uint8Array, keylen: number) {
   return msg
 }
 
-
 export function calculateSharedKey(
   keypairA: KeyPair,
   ephemeralKeypairA: KeyPair,
   publicKeyB: string,
   ephemeralPublicKeyB: string,
+  sharedKeyLength: number,
+  isRecipient = false,
   idA: string = '1234567812345678',
   idB: string = '1234567812345678',
-  sharedKeyLength: number,
 ) {
   const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey)
   const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB)
   // const PA = sm2Curve.ProjectivePoint.fromHex(keypairA.publicKey) // 用不到
   const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB)
-  const ZA = hexToArray(idA)
-  const ZB = hexToArray(idB)
+  let ZA = getZ(keypairA.publicKey, idA)
+  let ZB = getZ(publicKeyB, idB)
+  if (isRecipient) {
+    [ZA, ZB] = [ZB, ZA];
+  }
   const rA = utils.hexToNumber(ephemeralKeypairA.privateKey)
   const dA = utils.hexToNumber(keypairA.privateKey)
   // 1.先算 tA
   const x1 = RA.x
   // x1_ = 2^w + (x1 & (2^w - 1))
-  const x1_ = field.add(wPow2, (x1 & wPow2Sub1))
+  const x1_ = wPow2 + (x1 & wPow2Sub1)
   // tA = (dA + x1b * rA) mod n
   const tA = field.add(dA, field.mulN(x1_, rA))