From 27ea1e76a74d72cefe3811eae6a0cc0f9d4e2d4a Mon Sep 17 00:00:00 2001 From: n2460 Date: Wed, 9 Oct 2013 01:34:12 +0000 Subject: [PATCH] =?UTF-8?q?hsm=5Futils:RSA-PSS=E7=BD=B2=E5=90=8D=E3=82=92?= =?UTF-8?q?=E4=BD=9C=E6=88=90=E3=81=99=E3=82=8B=20create=5Frsa=5Fpss=5Fcer?= =?UTF-8?q?t=20=E8=BF=BD=E5=8A=A0(=E3=81=BE=E3=81=A0=E5=AE=9F=E8=A3=85?= =?UTF-8?q?=E3=81=AF=E3=81=AA=E3=81=84)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@226 ff987cc8-cf2f-4642-8568-d52cce064691 --- trunk/hsm_utils/Makefile | 3 + trunk/hsm_utils/create_rsa_pss_cert.c | 470 ++++++++++++++++++++++++++ 2 files changed, 473 insertions(+) create mode 100644 trunk/hsm_utils/create_rsa_pss_cert.c diff --git a/trunk/hsm_utils/Makefile b/trunk/hsm_utils/Makefile index 6ca9488..610566b 100644 --- a/trunk/hsm_utils/Makefile +++ b/trunk/hsm_utils/Makefile @@ -111,6 +111,9 @@ import_rsa_keypair: import_rsa_keypair.c $(EXTRA_OBJECTS) import_ecdsa_keypair: import_ecdsa_keypair.c $(EXTRA_OBJECTS) $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o import_ecdsa_keypair import_ecdsa_keypair.c $(COMMON_OBJECTS) $(EXTRA_OBJECTS) $(LDLIBS) +create_rsa_pss_cert: create_rsa_pss_cert.c $(EXTRA_OBJECTS) + $(CC) $(CFLAGS) $(CPPFLAGS) -o create_rsa_pss_cert create_rsa_pss_cert.c $(COMMON_OBJECTS) $(EXTRA_OBJECTS) $(LDLIBS) + # All single-threaded targets TARGETS_SIMPLE= \ diff --git a/trunk/hsm_utils/create_rsa_pss_cert.c b/trunk/hsm_utils/create_rsa_pss_cert.c new file mode 100644 index 0000000..4f6162e --- /dev/null +++ b/trunk/hsm_utils/create_rsa_pss_cert.c 
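Review bot: The new create_rsa_pss_cert recipe leaves out `$(LDFLAGS)`, which the import_ecdsa_keypair rule shown as context in this hunk does pass. If LDFLAGS carries library search paths or link-time hardening options for these HSM tools, this binary is linked without them. Unless the omission is deliberate, make the recipe match its neighbour: `$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o create_rsa_pss_cert create_rsa_pss_cert.c $(COMMON_OBJECTS) $(EXTRA_OBJECTS) $(LDLIBS)`. The TARGETS_SIMPLE list continues outside the hunk, so whether the new target is registered there cannot be checked from here.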
@@ -0,0 +1,470 @@
+
+// sign rsa pss test for nShield
+
+#include
+#include
+#include
+#include
+
+// openssl
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "nfastapp.h"
+#include "nfkm.h"
+#include "rqcard-applic.h"
+#include "rqcard-fips.h"
+
+//#include "picky-upcalls.h"
+
+#include "my_hsm_bignum.h"
+#include "my_hsm_alloc.h"
+
+#define PRIV_KEY_FILE "./test_key/test-rsa-privkey2048.der"
+#define PUB_KEY_FILE "./test_key/test-rsa-pubkey2048.der"
+
+#define MODULE_ID 1
+#define DATA_LEN 256 // bytes
+
+// RSA private key data
+typedef struct
+{
+ struct NFast_Bignum *p;
+ struct NFast_Bignum *q;
+ struct NFast_Bignum *dmp1;
+ struct NFast_Bignum *dmq1;
+ struct NFast_Bignum *iqmp;
+ struct NFast_Bignum *e;
+}
+RSAPrivateKeyDataBn;
+
+// RSA public key data
+typedef struct
+{
+ struct NFast_Bignum *e;
+ struct NFast_Bignum *n;
+}
+RSAPublicKeyDataBn;
+
+// global variable
+NFast_AppHandle handle;
+NFastApp_Connection nc;
+NFKM_WorldInfo *world = NULL;
+RQCard card;
+RQCard_FIPS fips;
+M_KeyID ltid = 0; // the cardset loaded into the module
+NFKM_CardSet *cardset = NULL;
+NFKM_ModuleInfo *moduleinfo = NULL;
+const NFKM_KeyIdent priv_keyident = { (char*)"simple", (char*)"test-rsa-privkey2048" };
+const NFKM_KeyIdent pub_keyident = { (char*)"simple", (char*)"test-rsa-pubkey2048" };
+
+unsigned char save_enc[DATA_LEN];
+
+// function
+int verifyRSAKeyPair( NFKM_KeyIdent priv_keyident, NFKM_KeyIdent pub_keyident );
+void PrintArray( char *pStr, const unsigned char *pData, int length );
+
+int verifyRSAKeyPair( NFKM_KeyIdent priv_ident, NFKM_KeyIdent pub_ident )
+{
+ int i;
+ int result = Status_OK;
+ M_ByteBlock *blobptr = NULL;
+ M_KeyID priv_keyid, pub_keyid;
+ NFKM_Key *keyinfo = NULL;
+ M_Command cmd;
+ M_Reply reply;
+
+ priv_keyid = pub_keyid = 0;
+ memset( &cmd, 0, sizeof( cmd ) );
+ memset( &reply, 0, sizeof( reply ) );
+
+ // find priv key
+ result = NFKM_findkey( handle, priv_ident, &keyinfo, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_findkey(priv)\n", result );
+ return result;
+ }
+
+ // load priv key blob
+ blobptr = &(keyinfo->privblob);
+ result = NFKM_cmd_loadblob( handle, nc,
+ moduleinfo->module, blobptr, ltid, &priv_keyid, "loading priv key blob", NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_cmd_loadblob(priv)\n", result );
+ return result;
+ }
+ NFKM_freekey( handle, keyinfo, NULL );
+ keyinfo = NULL;
+
+#if 0
+ // get priv key info
+ cmd.cmd = Cmd_GetKeyInfo;
+ cmd.args.getkeyinfo.key = priv_keyid;
+ result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", result );
+ return result;
+ }
+ printf( "priv key ID : %08X\n", (unsigned int)priv_keyid );
+ printf( "priv keytype : %d\n", reply.reply.getkeyinfo.type );
+ NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+ NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+ memset( &cmd, 0, sizeof( cmd ) );
+ memset( &reply, 0, sizeof( reply ) );
+#endif
+
+ // find pub key
+ result = NFKM_findkey( handle, pub_ident, &keyinfo, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_findkey(pub)\n", result );
+ return result;
+ }
+
+ // load pub key blob
+ blobptr = &(keyinfo->pubblob); // pub dakedo privblob
+ result = NFKM_cmd_loadblob( handle, nc,
+ moduleinfo->module, blobptr, ltid, &pub_keyid, "loading pub key blob", NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_cmd_loadblob(pub)\n", result );
+ return result;
+ }
+ NFKM_freekey( handle, keyinfo, NULL );
+ keyinfo = NULL;
+
+#if 0
+ // get priv key info
+ cmd.cmd = Cmd_GetKeyInfo;
+ cmd.args.getkeyinfo.key = pub_keyid;
+ result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", result );
+ return result;
+ }
+ printf( "pub key ID : %08X\n", (unsigned int)pub_keyid );
+ printf( "pub keytype : %d\n", reply.reply.getkeyinfo.type );
+ NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+ NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+ memset( &cmd, 0, sizeof( cmd ) );
+ memset( &reply, 0, sizeof( reply ) );
+ keyinfo = NULL;
+#endif
+
+ // encrypt & dectypt test
+ {
+ unsigned char *beforePtr, *middlePtr, *afterPtr;
+ int beforeLen, middleLen, afterLen;
+ unsigned char *encPtr, *decPtr;
+ struct NFast_Bignum *enc_bn, *dec_bn;
+ M_Mech dec_mech;
+
+ beforePtr = middlePtr = afterPtr = NULL;
+ beforeLen = middleLen = afterLen = 0;
+ encPtr = decPtr = NULL;
+ enc_bn = dec_bn = NULL;
+
+ // encrypt data setting
+ beforeLen = DATA_LEN - 11;
+ beforePtr = (unsigned char*)malloc( beforeLen );
+ for ( i = 0; i < beforeLen; i++ )
+ beforePtr[i] = ~i;
+ my_bin2bignum( &(enc_bn), handle, beforePtr, beforeLen );
+
+#if 0
+ // my_bignum2bin test
+ unsigned char debug_buf[ DATA_LEN ];
+ PrintArray( (char*)"beforePtr", beforePtr, DATA_LEN );
+ printf( "beforePtr -> bin2bignum -> bignum2bin -> debug_buf\n" );
+ my_bignum2bin( debug_buf, DATA_LEN, handle, enc_bn );
+ PrintArray( (char*)"debug_buf", debug_buf, DATA_LEN );
+#endif
+
+ // encrypt transact
+ cmd.cmd = Cmd_Encrypt;
+ cmd.args.encrypt.flags = 0; // Cmd_Encrypt_Args_flags_given_iv_present;
+ cmd.args.encrypt.key = pub_keyid;
+ cmd.args.encrypt.mech = Mech_RSApPKCS1;
+ cmd.args.encrypt.plain.type = PlainTextType_Bignum;
+ cmd.args.encrypt.plain.data.bignum.m = enc_bn;
+ //cmd.args.encrypt.given_iv = NULL;
+ result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : FastApp_Transact(Cmd_Encrypt)\n", result );
+ return 1;
+ }
+ result = reply.status;
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : reply.status(Cmd_Encrypt)\n", result );
+ return 1;
+ }
+#if 0
+ if ( DATA_LEN != reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes )
+ {
+ printf( "error : output size isn't %d bytes!\n", DATA_LEN );
+ return 1;
+ }
+#endif
+
+ printf( "RSA data encrypt ok\n" );
+
+ // decrypt data setting
+ middleLen = reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes;
+ middlePtr = (unsigned char*)malloc( middleLen );
+ my_bignum2bin( middlePtr, middleLen, handle,
+ reply.reply.encrypt.cipher.data.rsappkcs1.m );
+ my_bin2bignum( &dec_bn, handle, middlePtr, middleLen );
+ dec_mech = reply.reply.encrypt.cipher.mech;
+
+ NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+ NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+ memset( &cmd, 0, sizeof( cmd ) );
+ memset( &reply, 0, sizeof( reply ) );
+
+ // decrypt transact
+ cmd.cmd = Cmd_Decrypt;
+ cmd.args.decrypt.flags = 0;
+ cmd.args.decrypt.key = priv_keyid;
+ cmd.args.decrypt.mech = Mech_RSApPKCS1;
+ cmd.args.decrypt.cipher.mech = dec_mech;
+ cmd.args.decrypt.cipher.data.rsappkcs1.m = dec_bn;
+ cmd.args.decrypt.reply_type = PlainTextType_Bignum;
+ result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : FastApp_Transact(Cmd_Decrypt)\n", result );
+ return 1;
+ }
+ result = reply.status;
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : reply.status(Cmd_Decrypt)\n", result );
+ return 1;
+ }
+#if 0
+ if ( DATA_LEN != reply.reply.decrypt.plain.data.bignum.m->nbytes )
+ {
+ printf( "error : output size isn't %d bytes!\n", DATA_LEN );
+ return 1;
+ }
+#endif
+
+ printf( "RSA data decrypt ok\n" );
+
+ // after
+ afterLen = reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes;
+ afterPtr = (unsigned char*)malloc( afterLen );
+ my_bignum2bin( afterPtr, afterLen, handle,
+ reply.reply.decrypt.plain.data.bignum.m );
+
+ NFastApp_Free_Command( handle, NULL, NULL, &cmd );
+ NFastApp_Free_Reply( handle, NULL, NULL, &reply );
+
+ // data show
+ PrintArray( (char*)"before", beforePtr, beforeLen );
+ PrintArray( (char*)"middle", middlePtr, middleLen );
+ PrintArray( (char*)"after", afterPtr, afterLen );
+ } // encrypt & decrypt
+
+ return result;
+} // verify_rsa_keypair
+
+void PrintArray( char *pStr, const unsigned char *pData, int length )
+{
+ int i;
+ printf( "%s(%d bytes)", pStr, length );
+ for ( i = 0; i < length; i++ )
+ {
+ if ( (i % 16) == 0 ) printf( "\n" );
+ printf( "%02X ", pData[ i ] );
+ }
+ printf( "\n" );
+} // PrintArray
+
+int main( int argc, char *argv[] )
+{
+ int result = Status_OK;
+
+ M_Command cmd;
+ M_Reply reply;
+
+ memset( &cmd, 0, sizeof( cmd ) );
+ memset( &reply, 0, sizeof( reply ) );
+
+ // init nFast
+ result = NFastApp_InitEx( &handle, NULL, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFastApp_InitEx\n", result );
+ return 1;
+ }
+
+ // connecting to hardserver
+ result = NFastApp_Connect( handle, &nc, 0, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFastApp_Connect\n", result );
+ return 1;
+ }
+
+ // set bignum upcalls setting
+ result = NFastApp_SetBignumUpcalls(
+ handle,
+ my_bignumreceiveupcall,
+ my_bignumsendlenupcall,
+ my_bignumsendupcall,
+ my_bignumfreeupcall,
+ my_bignumformatupcall,
+ NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFastApp_SetBignumUpcalls\n", result );
+ return 1;
+ }
+
+ // NFKM getinfo
+ result = NFKM_getinfo( handle, &world, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_getinfo\n", result );
+ return 1;
+ }
+
+ // init card-loading lib
+ result = RQCard_init( &card, handle, nc, world, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : RQCard_init\n", result );
+ return 1;
+ }
+
+ // init FIPS state
+ result = RQCard_fips_init( &card, &fips );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : RQCard_fips_init\n", result );
+ return 1;
+ }
+
+ // ui select
+ result = RQCard_ui_default( &card );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : RQCard_ui_default\n", result );
+ return 1;
+ }
+
+ // get strict-FIPS authorization
+#if 0
+ NFKM_FIPS140AuthHandle fipsHandle;
+ M_SlotID slotId;
+ result = RQCard_fips_get( &fips, 1, &fipsHandle, &slotId );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : RQCard_fips_get\n", result );
+ return 0;
+ }
+ if ( fipsHandle == NULL )
+ {
+ printf( "this sworld isn't strict-FIPS.\n" );
+ }
+#endif
+
+#if 0
+ // list cardsets
+ int card_num;
+ NFKM_CardSetIdent *cardident = NULL;
+ result = NFKM_listcardsets( handle, &card_num, &cardident, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_listcardsets\n", result );
+ return 0;
+ }
+
+ // find cardsets
+ result = NFKM_findcardset( handle, cardident, &cardset, NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_findcardset\n", result );
+ return 0;
+ }
+
+ // load cardset
+ result = RQCard_logic_ocs_specific( &card, &(cardset->hkltu), "Load Cardset" );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : RQCard_logic_ocs_specific\n", result );
+ return 0;
+ }
+
+ // use specific module : #1
+ // important!! : if you set resultplace=NULL, abort. (possibility is 100%)
+ result = RQCard_whichmodule_specific( &card, world->modules[0]->module, <id );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : RQCard_whichmodule_specific\n", result );
+ }
+
+ // wait event loop
+ result = card.uf->eventloop( &card );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : card module event loop\n", result );
+ }
+#endif
+
+ // get usable module
+ moduleinfo = world->modules[0];
+ result = NFKM_getusablemodule( world, MODULE_ID, &moduleinfo );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_getusablemodule\n", result );
+ return 1;
+ }
+
+ // list key
+#if 0
+ int key_num;
+ NFKM_KeyIdent *keylist = NULL;
+ result = NFKM_listkeys( handle, &key_num, &keylist, "simple", NULL );
+ if ( result != Status_OK )
+ {
+ printf( "error(%d) : NFKM_listkeys\n", result );
+ }
+ NFKM_KeyIdent **tkp = &keylist;
+ for ( i = 0; i < key_num; i++ )
+ {
+ printf( "appname : %s, ident : %s\n", tkp[i]->appname, tkp[i]->ident );
+ }
+#endif
+
+ // verify key pair
+ result = verifyRSAKeyPair( priv_keyident, pub_keyident );
+ if ( result != Status_OK )
+ {
+ printf( "error : verifyRSAKeyPair\n" );
+ return 1;
+ }
+ printf( "RSA keypair verify success.\n" );
+
+ // end processing
+ RQCard_fips_free( &card, &fips );
+ RQCard_destroy( &card );
+ NFKM_freeinfo( handle, &world, NULL );
+ NFastApp_Disconnect( nc, NULL );
+ NFastApp_Finish( handle, NULL );
+
+ return 0;
+
+} // main
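Review bot: verifyRSAKeyPair never checks the round trip it performs: under `// after` it sizes the output from `reply.reply.encrypt.cipher.data.rsappkcs1.m->nbytes` although `reply` now holds the Cmd_Decrypt result, then only prints the three buffers and returns Status_OK, so main prints "RSA keypair verify success." even when the decrypted bytes differ from the input. Take the length from the decrypt arm, `afterLen = reply.reply.decrypt.plain.data.bignum.m->nbytes;`, and fail on mismatch before the final return, `if ( afterLen != beforeLen || memcmp( beforePtr, afterPtr, beforeLen ) != 0 ) result = 1;`. The three malloc() results are also used unchecked and never freed, a failed NFKM_cmd_loadblob returns without NFKM_freekey, and no path releases the loaded priv_keyid/pub_keyid; a single cleanup label at the end of the function would cover these. The PrintArray dump of the decrypted buffer is harmless for this fixed test pattern, but should be removed before the tool handles real data.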