diff --git a/cr_hsm_code.c b/cr_hsm_code.c index 2aedc6b..db3a275 100644 --- a/cr_hsm_code.c +++ b/cr_hsm_code.c @@ -134,9 +134,7 @@ NFast_AppHandle hsmHandle; NFastApp_Connection hsmConnection; NFKM_WorldInfo *hsmWorld = NULL; // allocate -M_KeyID hsmLtid; NFKM_ModuleInfo *hsmModuleinfo = NULL; -M_ByteBlock *hsmBlobptr = NULL; // TODO: 最終鍵に変更する #ifdef ENCRYPT_AES @@ -162,7 +160,6 @@ int hsm_initialize( void ) ret_code = NFastApp_InitEx( &hsmHandle, NULL, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : NFastApp_InitEx\n", ret_code ); return ret_code; } @@ -177,17 +174,13 @@ int hsm_initialize( void ) NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : NFastApp_SetBignumUpcalls\n", ret_code ); return ret_code; } // connect HSM - // arg3 is flag - // NFastApp_ConnectionFlags_Privileged flag need to run by nfast user. - ret_code = NFastApp_Connect( hsmHandle, &hsmConnection, 0, NULL ); + ret_code = NFastApp_Connect( hsmHandle, &hsmConnection, 0 /* flag */, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : NFastApp_Connect\n", ret_code ); return ret_code; } @@ -195,7 +188,6 @@ int hsm_initialize( void ) ret_code = NFKM_getinfo( hsmHandle, &hsmWorld, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : NFKM_getinfo\n", ret_code ); return ret_code; } @@ -253,13 +245,11 @@ int hsm_generate_random( unsigned char *buf, int bytes ) ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : generate random\n", ret_code ); return ret_code; } ret_code = reply.status; if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : generate random reply\n", ret_code ); return ret_code; } @@ -288,13 +278,11 @@ int hsm_get_rtc( time_t *time ) result = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); if ( result != CR_GENID_SUCCESS ) { - printf( "error(%d) : get rtc(transaction)\n", result ); return result; } result = reply.status; if ( result != CR_GENID_SUCCESS ) { - printf( "error(%d) : get rtc(reply status)\n", result ); return result; } @@ -309,6 +297,8 @@ int hsm_aes_load_key( NFKM_KeyIdent keyident, M_KeyID *keyid ) { int ret_code = CR_GENID_SUCCESS; NFKM_Key *keyinfo = NULL; + M_KeyID ltid; + M_ByteBlock *blobPtr = NULL; // find key ret_code = NFKM_findkey( hsmHandle, keyident, &keyinfo, NULL ); @@ -326,10 +316,10 @@ int hsm_aes_load_key( NFKM_KeyIdent keyident, M_KeyID *keyid ) } // load key blob - hsmBlobptr = &keyinfo->privblob; + blobPtr = &keyinfo->privblob; ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, keyid, "loading aes key blob", NULL ); + hsmModuleinfo->module, blobPtr, + ltid, keyid, "loading aes key blob", NULL ); if ( ret_code != CR_GENID_SUCCESS ) { return ret_code; @@ -373,13 +363,11 @@ int hsm_aes_encrypt( unsigned char *dst_buf, unsigned char *org_buf, int size, u ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Encryption by HSM\n", ret_code ); return ret_code; } ret_code = reply.status; if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Encrypt Reply Status by HSM\n", ret_code ); return ret_code; } @@ -426,13 +414,11 @@ int hsm_aes_decrypt( unsigned char *dst_buf, unsigned char *org_buf, int size, u ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Decryption by HSM\n", ret_code ); return ret_code; } ret_code = reply.status; if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Decrypt Reply Status by HSM\n", ret_code ); return ret_code; } @@ -451,6 +437,8 @@ int hsm_rsa_load_keypair( NFKM_KeyIdent keyident, M_KeyID *privKeyid, M_KeyID *p { int ret_code = CR_GENID_SUCCESS; NFKM_Key *keyinfo = NULL; + M_KeyID ltid; + M_ByteBlock *blobPtr = NULL; // find key ret_code = NFKM_findkey( hsmHandle, keyident, &keyinfo, NULL ); @@ -468,120 +456,31 @@ int hsm_rsa_load_keypair( NFKM_KeyIdent keyident, M_KeyID *privKeyid, M_KeyID *p } // load private key blob - hsmBlobptr = &keyinfo->privblob; + blobPtr = &keyinfo->privblob; ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, privKeyid, + hsmModuleinfo->module, blobPtr, + ltid, privKeyid, "loading priv key blob", NULL ); if ( ret_code != CR_GENID_SUCCESS ) { + NFKM_freekey( hsmHandle, keyinfo, NULL ); return ret_code; } + NFKM_freekey( hsmHandle, keyinfo, NULL ); + // load public key blob - hsmBlobptr = &keyinfo->privblob; + blobPtr = &keyinfo->pubblob; ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, pubKeyid, + hsmModuleinfo->module, blobPtr, + ltid, pubKeyid, "loading pub key blob", NULL ); if ( ret_code != CR_GENID_SUCCESS ) { + NFKM_freekey( hsmHandle, keyinfo, NULL ); return ret_code; } -#if 0 - // get key info - { - M_Command cmd; - M_Reply reply; - - memset( &cmd, 0, sizeof( cmd ) ); - memset( &reply, 0, sizeof( reply ) ); - - cmd.cmd = Cmd_GetKeyInfo; - cmd.args.getkeyinfo.key = hsmRsaPrivkeyid; - ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code ); - } - } - - // get & set key acl - { - int i, j; - M_Command cmd; - M_Reply reply; - M_ACL newACL; - - memset( &cmd, 0, sizeof( cmd ) ); - memset( &reply, 0, sizeof( reply ) ); - - // GetACL - cmd.cmd = Cmd_GetACL; - cmd.args.getacl.key = hsmRsaPrivkeyid; - ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code ); - } - printf( "n_groups : %d\n", reply.reply.getacl.acl.n_groups ); - for ( i = 0; i < reply.reply.getacl.acl.n_groups; i++ ) - { - printf( "group[%d] : %d actions ok.\n", i, reply.reply.getacl.acl.groups[i].n_actions ); - for ( j = 0; j < reply.reply.getacl.acl.groups[i].n_actions; j++ ) - { - if ( reply.reply.getacl.acl.groups[i].actions[j].type == 1 ) // Act_OpPermissions - printf( "OpPermissions : %08X\n", - (int)reply.reply.getacl.acl.groups[i].actions[j].details.oppermissions.perms ); - } - } - newACL = reply.reply.getacl.acl; - - memset( &cmd, 0, sizeof( cmd ) ); - memset( &reply, 0, sizeof( reply ) ); - NFastApp_Free_Reply( hsmHandle, NULL, NULL, &reply ); - - // find cardsets - NFKM_CardSet *cardset = NULL; - ret_code = NFKM_findcardset( hsmHandle, &(hsmRsakeyinfo->cardset), &cardset, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_findcardset\n", ret_code ); - } - - // make new ACL - NFKM_MakeACLParams map; - NFKM_MakeBlobsParams mbp; - M_ACL newACL; - memset( &map, 0, sizeof( map ) ); - map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet; - map.op_base = (NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY | - NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT ); - map.cs = cardset; - ret_code = NFKM_newkey_makeaclx( hsmHandle, hsmConnection, hsmWorld, &map, - &newACL, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_newkey_makeaclx\n", ret_code ); - } - - // SetACL - cmd.cmd = Cmd_SetACL; - cmd.args.setacl.key = hsmRsaPrivkeyid; - cmd.args.setacl.newacl = newACL; - ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : set acl(transaction)\n", ret_code ); - } - ret_code = reply.status; - if ( ret_code != Status_OK ) - { - printf( "error(%d) : set acl(reply status)\n", ret_code ); - } - } -#endif NFKM_freekey( hsmHandle, keyinfo, NULL ); return CR_GENID_SUCCESS; @@ -614,13 +513,11 @@ int hsm_rsa_encrypt( unsigned char *dst_buf, unsigned char *org_buf, int size, u ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Encryption by HSM\n", ret_code ); return ret_code; } ret_code = reply.status; if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Encrypt Reply Status by HSM\n", ret_code ); return ret_code; } @@ -661,13 +558,11 @@ int hsm_rsa_decrypt( unsigned char *dst_buf, unsigned char *org_buf, int size, u ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Decryption by HSM\n", ret_code ); return ret_code; } ret_code = reply.status; if ( ret_code != CR_GENID_SUCCESS ) { - printf( "error(%d) : Decrypt Reply Status by HSM\n", ret_code ); return ret_code; }