hsm_utils:RSA-PSS署名を作成する create_rsa_pss_cert 追加(まだ実装はない)

git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@226 ff987cc8-cf2f-4642-8568-d52cce064691

trunk/hsm_utils/Makefile

@@ -111,6 +111,9 @@ import_rsa_keypair: import_rsa_keypair.c $(EXTRA_OBJECTS)
 import_ecdsa_keypair: import_ecdsa_keypair.c $(EXTRA_OBJECTS)
 	$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o import_ecdsa_keypair import_ecdsa_keypair.c $(COMMON_OBJECTS) $(EXTRA_OBJECTS) $(LDLIBS)
 
+create_rsa_pss_cert: create_rsa_pss_cert.c $(EXTRA_OBJECTS)
+	$(CC) $(CFLAGS) $(CPPFLAGS) -o create_rsa_pss_cert create_rsa_pss_cert.c $(COMMON_OBJECTS) $(EXTRA_OBJECTS) $(LDLIBS)
+
 # All single-threaded targets
 
 TARGETS_SIMPLE=	\

trunk/hsm_utils/create_rsa_pss_cert.c

@@ -0,0 +1,470 @@
+
+// sign rsa pss test for nShield
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// openssl
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/sha.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+#include <openssl/aes.h>
+#include <openssl/pem.h>
+
+#include "nfastapp.h"
+#include "nfkm.h"
+#include "rqcard-applic.h"
+#include "rqcard-fips.h"
+
+//#include "picky-upcalls.h"
+
+#include "my_hsm_bignum.h"
+#include "my_hsm_alloc.h"
+
+#define PRIV_KEY_FILE		"./test_key/test-rsa-privkey2048.der"
+#define PUB_KEY_FILE		"./test_key/test-rsa-pubkey2048.der"
+
+#define MODULE_ID		1
+#define DATA_LEN		256	// bytes
+
+// RSA private key data
+typedef struct
+{
+	struct NFast_Bignum *p;
+	struct NFast_Bignum *q;
+	struct NFast_Bignum *dmp1;
+	struct NFast_Bignum *dmq1;
+	struct NFast_Bignum *iqmp;
+	struct NFast_Bignum *e;
+}
+RSAPrivateKeyDataBn;
+
+// RSA public key data
+typedef struct
+{
+	struct NFast_Bignum *e;
+	struct NFast_Bignum *n;
+}
+RSAPublicKeyDataBn;
+
+// global variable
+NFast_AppHandle handle;
+NFastApp_Connection nc;
+NFKM_WorldInfo *world = NULL;
+RQCard card;
+RQCard_FIPS fips;
+M_KeyID ltid = 0;	// the cardset loaded into the module
+NFKM_CardSet *cardset = NULL;
+NFKM_ModuleInfo *moduleinfo = NULL;
+const NFKM_KeyIdent priv_keyident = { (char*)"simple", (char*)"test-rsa-privkey2048" };
+const NFKM_KeyIdent pub_keyident = { (char*)"simple", (char*)"test-rsa-pubkey2048" };
+
+unsigned char save_enc[DATA_LEN];
+
+// function
+int verifyRSAKeyPair( NFKM_KeyIdent priv_keyident, NFKM_KeyIdent pub_keyident );
+void PrintArray( char *pStr, const unsigned char *pData, int length );
+
+int verifyRSAKeyPair( NFKM_KeyIdent priv_ident, NFKM_KeyIdent pub_ident )
+{
+	int i;
+	int result = Status_OK;
+	M_ByteBlock *blobptr = NULL;
+	M_KeyID priv_keyid, pub_keyid;
+	NFKM_Key *keyinfo = NULL;
+	M_Command cmd;
+	M_Reply reply;
+
+	priv_keyid = pub_keyid = 0;
+	memset( &cmd, 0, sizeof( cmd ) );
+	memset( &reply, 0, sizeof( reply ) );
+
+	// find priv key
+	result = NFKM_findkey( handle, priv_ident, &keyinfo, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_findkey(priv)\n", result );
+		return result;
+	}
+	
+	// load priv key blob
+	blobptr = &(keyinfo->privblob);
+	result = NFKM_cmd_loadblob( handle, nc, 
+		moduleinfo->module, blobptr, ltid, &priv_keyid, "loading priv key blob", NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_cmd_loadblob(priv)\n", result );
+		return result;
+	}
+	NFKM_freekey( handle, keyinfo, NULL );
+	keyinfo = NULL;
+
+#if 0
+	// get priv key info
+	cmd.cmd = Cmd_GetKeyInfo;
+	cmd.args.getkeyinfo.key = priv_keyid;
+	result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", result );
+		return result;
+	}
+	printf( "priv key ID  : %08X\n", (unsigned int)priv_keyid );			
+	printf( "priv keytype : %d\n", reply.reply.getkeyinfo.type );
+	NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+	NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+	memset( &cmd, 0, sizeof( cmd ) );
+	memset( &reply, 0, sizeof( reply ) );
+#endif
+		
+	// find pub key
+	result = NFKM_findkey( handle, pub_ident, &keyinfo, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_findkey(pub)\n", result );
+		return result;
+	}
+	
+	// load pub key blob
+	blobptr = &(keyinfo->pubblob); // pub dakedo privblob
+	result = NFKM_cmd_loadblob( handle, nc, 
+		moduleinfo->module, blobptr, ltid, &pub_keyid, "loading pub key blob", NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_cmd_loadblob(pub)\n", result );
+		return result;
+	}
+	NFKM_freekey( handle, keyinfo, NULL );
+	keyinfo = NULL;
+	
+#if 0
+	// get priv key info
+	cmd.cmd = Cmd_GetKeyInfo;
+	cmd.args.getkeyinfo.key = pub_keyid;
+	result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", result );
+		return result;
+	}
+	printf( "pub key ID  : %08X\n", (unsigned int)pub_keyid );
+	printf( "pub keytype : %d\n", reply.reply.getkeyinfo.type );
+	NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+	NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+	memset( &cmd, 0, sizeof( cmd ) );
+	memset( &reply, 0, sizeof( reply ) );
+	keyinfo = NULL;
+#endif
+
+	// encrypt & dectypt test
+	{
+		unsigned char *beforePtr, *middlePtr, *afterPtr;
+		int beforeLen, middleLen, afterLen;
+		unsigned char *encPtr, *decPtr;
+		struct NFast_Bignum *enc_bn, *dec_bn;
+		M_Mech dec_mech;
+				
+		beforePtr = middlePtr = afterPtr = NULL;
+		beforeLen = middleLen = afterLen = 0;
+		encPtr = decPtr = NULL;
+		enc_bn = dec_bn = NULL;
+		
+		// encrypt data setting
+		beforeLen = DATA_LEN - 11;
+		beforePtr = (unsigned char*)malloc( beforeLen );
+		for ( i = 0; i < beforeLen; i++ )
+			beforePtr[i] = ~i;
+		my_bin2bignum( &(enc_bn), handle, beforePtr, beforeLen );
+
+#if 0
+		// my_bignum2bin test
+		unsigned char debug_buf[ DATA_LEN ];
+		PrintArray( (char*)"beforePtr", beforePtr, DATA_LEN );
+		printf( "beforePtr -> bin2bignum -> bignum2bin -> debug_buf\n" );
+		my_bignum2bin( debug_buf, DATA_LEN, handle, enc_bn );
+		PrintArray( (char*)"debug_buf", debug_buf, DATA_LEN );
+#endif 
+		
+		// encrypt transact
+		cmd.cmd = Cmd_Encrypt;
+		cmd.args.encrypt.flags = 0;	// Cmd_Encrypt_Args_flags_given_iv_present;
+		cmd.args.encrypt.key = pub_keyid;
+		cmd.args.encrypt.mech = Mech_RSApPKCS1;
+		cmd.args.encrypt.plain.type = PlainTextType_Bignum;
+		cmd.args.encrypt.plain.data.bignum.m = enc_bn;
+		//cmd.args.encrypt.given_iv = NULL;
+		result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+		if ( result != Status_OK )
+		{	
+			printf( "error(%d) : FastApp_Transact(Cmd_Encrypt)\n", result );
+			return 1;
+		}
+		result = reply.status;
+		if ( result != Status_OK )
+		{	
+			printf( "error(%d) : reply.status(Cmd_Encrypt)\n", result );
+			return 1;
+		}
+#if 0
+		if ( DATA_LEN != reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes )
+		{
+			printf( "error : output size isn't %d bytes!\n", DATA_LEN );
+			return 1;
+		}
+#endif
+		
+		printf( "RSA data encrypt ok\n" );
+		
+		// decrypt data setting
+		middleLen = reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes;
+		middlePtr = (unsigned char*)malloc( middleLen );
+		my_bignum2bin( middlePtr, middleLen, handle,
+					reply.reply.encrypt.cipher.data.rsappkcs1.m );
+		my_bin2bignum( &dec_bn, handle, middlePtr, middleLen );		
+		dec_mech = reply.reply.encrypt.cipher.mech;
+				
+		NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+		NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+		memset( &cmd, 0, sizeof( cmd ) );
+		memset( &reply, 0, sizeof( reply ) );
+
+		// decrypt transact
+		cmd.cmd = Cmd_Decrypt;
+		cmd.args.decrypt.flags = 0;
+		cmd.args.decrypt.key = priv_keyid;
+		cmd.args.decrypt.mech = Mech_RSApPKCS1;
+		cmd.args.decrypt.cipher.mech = dec_mech;
+		cmd.args.decrypt.cipher.data.rsappkcs1.m = dec_bn;
+		cmd.args.decrypt.reply_type = PlainTextType_Bignum;
+		result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+		if ( result != Status_OK )
+		{	
+			printf( "error(%d) : FastApp_Transact(Cmd_Decrypt)\n", result );
+			return 1;
+		}
+		result = reply.status;
+		if ( result != Status_OK )
+		{	
+			printf( "error(%d) : reply.status(Cmd_Decrypt)\n", result );
+			return 1;
+		}
+#if 0
+		if ( DATA_LEN != reply.reply.decrypt.plain.data.bignum.m->nbytes )
+		{
+			printf( "error : output size isn't %d bytes!\n", DATA_LEN );
+			return 1;
+		}
+#endif
+		
+		printf( "RSA data decrypt ok\n" );
+		
+		// after
+		afterLen = reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes;
+		afterPtr = (unsigned char*)malloc( afterLen );
+		my_bignum2bin( afterPtr, afterLen, handle,
+					reply.reply.decrypt.plain.data.bignum.m );
+		
+		NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+		NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+								
+		// data show
+		PrintArray( (char*)"before", beforePtr, beforeLen );
+		PrintArray( (char*)"middle", middlePtr, middleLen );
+		PrintArray( (char*)"after", afterPtr, afterLen );
+	}	// encrypt & decrypt
+		
+	return result;
+}	// verify_rsa_keypair
+
+void PrintArray( char *pStr, const unsigned char *pData, int length )
+{
+	int i;
+	printf( "%s(%d bytes)", pStr, length );
+	for ( i = 0; i < length; i++ )
+	{
+		if ( (i % 16) == 0 ) printf( "\n" );
+		printf( "%02X ", pData[ i ] );
+	}
+	printf( "\n" );
+}	// PrintArray
+
+int main( int argc, char *argv[] )
+{
+	int result = Status_OK;
+
+	M_Command cmd;
+	M_Reply reply;
+	
+	memset( &cmd, 0, sizeof( cmd ) );
+	memset( &reply, 0, sizeof( reply ) );
+	
+	// init nFast
+	result = NFastApp_InitEx( &handle, NULL, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFastApp_InitEx\n", result );
+		return 1;
+	}
+
+	// connecting to hardserver
+	result = NFastApp_Connect( handle, &nc, 0, NULL );
+	if ( result != Status_OK )
+	{
+		printf( "error(%d) : NFastApp_Connect\n", result );
+		return 1;
+	}
+
+	// set bignum upcalls setting
+	result = NFastApp_SetBignumUpcalls( 
+				handle, 
+				my_bignumreceiveupcall,
+				my_bignumsendlenupcall,
+				my_bignumsendupcall,
+				my_bignumfreeupcall,
+				my_bignumformatupcall,
+				NULL );
+	if ( result != Status_OK )
+	{
+		printf( "error(%d) : NFastApp_SetBignumUpcalls\n", result );
+		return 1;
+	}
+
+	// NFKM getinfo
+	result = NFKM_getinfo( handle, &world, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_getinfo\n", result );
+		return 1;
+	}
+
+	// init card-loading lib
+	result = RQCard_init( &card, handle, nc, world, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : RQCard_init\n", result );
+		return 1;
+	}
+
+	// init FIPS state
+	result = RQCard_fips_init( &card, &fips );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : RQCard_fips_init\n", result );
+		return 1;
+	}
+	
+	// ui select
+	result = RQCard_ui_default( &card );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : RQCard_ui_default\n", result );
+		return 1;
+	}
+
+	// get strict-FIPS authorization
+#if 0
+	NFKM_FIPS140AuthHandle fipsHandle;
+	M_SlotID slotId;
+	result = RQCard_fips_get( &fips, 1, &fipsHandle, &slotId );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : RQCard_fips_get\n", result );
+		return 0;
+	}
+	if ( fipsHandle == NULL )
+	{
+		printf( "this sworld isn't strict-FIPS.\n" );
+	}
+#endif
+
+#if 0
+	// list cardsets
+	int card_num;
+	NFKM_CardSetIdent *cardident = NULL;
+	result = NFKM_listcardsets( handle, &card_num, &cardident, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_listcardsets\n", result );
+		return 0;
+	}
+	
+	// find cardsets
+	result = NFKM_findcardset( handle, cardident, &cardset, NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_findcardset\n", result );
+		return 0;
+	}
+	
+	// load cardset
+	result = RQCard_logic_ocs_specific( &card, &(cardset->hkltu), "Load Cardset" );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : RQCard_logic_ocs_specific\n", result );
+		return 0;
+	}
+	
+	// use specific module : #1
+	// important!! : if you set resultplace=NULL, abort. (possibility is 100%)
+	result = RQCard_whichmodule_specific( &card, world->modules[0]->module, &ltid );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : RQCard_whichmodule_specific\n", result );
+	}
+
+	// wait event loop
+	result = card.uf->eventloop( &card );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : card module event loop\n", result );
+	}
+#endif
+		
+	// get usable module
+	moduleinfo = world->modules[0];
+	result = NFKM_getusablemodule( world, MODULE_ID, &moduleinfo );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_getusablemodule\n", result );
+		return 1;
+	}
+
+	// list key
+#if 0
+	int key_num;
+	NFKM_KeyIdent *keylist = NULL;
+	result = NFKM_listkeys( handle, &key_num, &keylist, "simple", NULL );
+	if ( result != Status_OK )
+	{	
+		printf( "error(%d) : NFKM_listkeys\n", result );
+	}
+	NFKM_KeyIdent **tkp = &keylist;
+	for ( i = 0; i < key_num; i++ )
+	{
+		printf( "appname : %s, ident : %s\n", tkp[i]->appname, tkp[i]->ident );
+	}
+#endif
+	
+	// verify key pair
+	result = verifyRSAKeyPair( priv_keyident, pub_keyident );
+	if ( result != Status_OK )
+	{	
+		printf( "error : verifyRSAKeyPair\n" );
+		return 1;
+	}
+	printf( "RSA keypair verify success.\n" );
+											
+	// end processing
+	RQCard_fips_free( &card, &fips );
+	RQCard_destroy( &card );
+	NFKM_freeinfo( handle, &world, NULL );
+	NFastApp_Disconnect( nc, NULL );
+	NFastApp_Finish( handle, NULL );
+
+	return 0;
+
+}	// main