diff --git a/cr_generate_id.c b/cr_generate_id.c index 0f00955..ab30fc7 100644 --- a/cr_generate_id.c +++ b/cr_generate_id.c @@ -671,290 +671,14 @@ int cr_generate_id_initialize( void ) FILE *fp; #ifdef USE_HSM - // init HSM - ret_code = NFastApp_InitEx( &hsmHandle, NULL, NULL ); - if ( ret_code != Status_OK ) + ret_code = hsm_initialize(); + if ( ret_code != CR_GENID_SUCCESS ) { printf( "error(%d) : NFastApp_InitEx\n", ret_code ); return ret_code; } +#endif - // set BigNum upcalls for HSM - ret_code = NFastApp_SetBignumUpcalls( - hsmHandle, - sbn_bignumreceiveupcall, - sbn_bignumsendlenupcall, - sbn_bignumsendupcall, - sbn_bignumfreeupcall, - sbn_bignumformatupcall, - NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFastApp_SetBignumUpcalls\n", ret_code ); - } - - // connect HSM - // arg3 is flag - // NFastApp_ConnectionFlags_Privileged flag need to run by nfast user. - ret_code = NFastApp_Connect( hsmHandle, &hsmConnection, 0, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFastApp_Connect\n", ret_code ); - } - - // get NFKM info - ret_code = NFKM_getinfo( hsmHandle, &hsmWorld, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_getinfo\n", ret_code ); - } - - // init Card-Loading Lib(RQCard) - ret_code = RQCard_init( &hsmCard, hsmHandle, hsmConnection, hsmWorld, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_init\n", ret_code ); - } - - // init FIPS state - ret_code = RQCard_fips_init( &hsmCard, &hsmFips ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_fips_init\n", ret_code ); - } - - // select Card-Auth UI - ret_code = RQCard_ui_scroll( &hsmCard ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_ui_scroll\n", ret_code ); - } - - // load AES key object - { - // find key - ret_code = NFKM_findkey( hsmHandle, hsmAeskeyident, &hsmAeskeyinfo, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_findkey\n", ret_code ); - } - - // if Key_flags_ProtectionCardSet is enable, eventloop is an essential. - if ( hsmAeskeyinfo->flags & Key_flags_ProtectionCardSet ) - { - // load specific OCS - ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmAeskeyinfo->cardset, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code ); - } - - // use specific Module - ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code ); - } - - // eventloop - ret_code = hsmCard.uf->eventloop( &hsmCard ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : Card eventloop\n", ret_code ); - } - } - - // get usable Module - hsmModuleinfo = hsmWorld->modules[0]; - ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_getusablemodule\n", ret_code ); - } - - // load key blob - if ( hsmAeskeyinfo->pubblob.len ) - hsmBlobptr = &hsmAeskeyinfo->pubblob; - else - hsmBlobptr = &hsmAeskeyinfo->privblob; - ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, &hsmAeskeyid, - "loading key blob", NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_cmd_loadblob\n", ret_code ); - } - - printf( "AES key object load : ok\n" ); - } // load AES key object - - // load RSA private key object - { - // find key - ret_code = NFKM_findkey( hsmHandle, hsmRsakeyident, &hsmRsakeyinfo, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_findkey\n", ret_code ); - } - - // if Key_flags_ProtectionCardSet is enable, eventloop is an essential. - if ( hsmRsakeyinfo->flags & Key_flags_ProtectionCardSet ) - { - // load specific OCS - ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmRsakeyinfo->cardset, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code ); - } - - // use specific Module - ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code ); - } - - // eventloop - ret_code = hsmCard.uf->eventloop( &hsmCard ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : Card eventloop\n", ret_code ); - } - } - - // get usable Module - hsmModuleinfo = hsmWorld->modules[0]; - ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_getusablemodule\n", ret_code ); - } - - // load key blob - printf( "pubblob.len : %d, privblob.len : %d\n", - (int)hsmRsakeyinfo->pubblob.len, (int)hsmRsakeyinfo->privblob.len ); - hsmBlobptr = &hsmRsakeyinfo->privblob; - ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, &hsmRsaPrivkeyid, - "loading priv-key blob", NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_cmd_loadblob(priv-key)\n", ret_code ); - } - printf( "RSA private key object load : ok\n" ); - hsmBlobptr = &hsmRsakeyinfo->pubblob; - ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, &hsmRsaPubkeyid, - "loading pub-key blob", NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_cmd_loadblob(pub-key)\n", ret_code ); - } - printf( "RSA public key object load : ok\n" ); - - // get key info - { - M_Command cmd; - M_Reply reply; - - memset( &cmd, 0, sizeof( cmd ) ); - memset( &reply, 0, sizeof( reply ) ); - - cmd.cmd = Cmd_GetKeyInfo; - cmd.args.getkeyinfo.key = hsmRsaPrivkeyid; - ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code ); - } - } - - #if 0 - // get & set key acl - { - int i, j; - M_Command cmd; - M_Reply reply; - M_ACL newACL; - - memset( &cmd, 0, sizeof( cmd ) ); - memset( &reply, 0, sizeof( reply ) ); - - // GetACL - cmd.cmd = Cmd_GetACL; - cmd.args.getacl.key = hsmRsaPrivkeyid; - ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code ); - } - printf( "n_groups : %d\n", reply.reply.getacl.acl.n_groups ); - for ( i = 0; i < reply.reply.getacl.acl.n_groups; i++ ) - { - printf( "group[%d] : %d actions ok.\n", i, reply.reply.getacl.acl.groups[i].n_actions ); - for ( j = 0; j < reply.reply.getacl.acl.groups[i].n_actions; j++ ) - { - if ( reply.reply.getacl.acl.groups[i].actions[j].type == 1 ) // Act_OpPermissions - printf( "OpPermissions : %08X\n", - (int)reply.reply.getacl.acl.groups[i].actions[j].details.oppermissions.perms ); - } - } - newACL = reply.reply.getacl.acl; - - memset( &cmd, 0, sizeof( cmd ) ); - memset( &reply, 0, sizeof( reply ) ); - NFastApp_Free_Reply( hsmHandle, NULL, NULL, &reply ); - - // find cardsets - NFKM_CardSet *cardset = NULL; - ret_code = NFKM_findcardset( hsmHandle, &(hsmRsakeyinfo->cardset), &cardset, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_findcardset\n", ret_code ); - } - - #if 0 - // make new ACL - NFKM_MakeACLParams map; - NFKM_MakeBlobsParams mbp; - M_ACL newACL; - memset( &map, 0, sizeof( map ) ); - map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet; - map.op_base = (NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY | - NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT ); - map.cs = cardset; - ret_code = NFKM_newkey_makeaclx( hsmHandle, hsmConnection, hsmWorld, &map, - &newACL, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : NFKM_newkey_makeaclx\n", ret_code ); - } - #endif - - // SetACL - cmd.cmd = Cmd_SetACL; - cmd.args.setacl.key = hsmRsaPrivkeyid; - cmd.args.setacl.newacl = newACL; - ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); - if ( ret_code != Status_OK ) - { - printf( "error(%d) : set acl(transaction)\n", ret_code ); - } - ret_code = reply.status; - if ( ret_code != Status_OK ) - { - printf( "error(%d) : set acl(reply status)\n", ret_code ); - } - - } - #endif - } // load RSA private key object - -#endif // USE_HSM - // CAの証明書を読み込む fp = fopen( CA_FILE, "r" ); if ( !fp ) @@ -1009,12 +733,7 @@ int cr_generate_id_finalize( void ) // HSM #ifdef USE_HSM - RQCard_fips_free( &hsmCard, &hsmFips ); - RQCard_destroy( &hsmCard ); - NFKM_freekey( hsmHandle, hsmAeskeyinfo, NULL ); - NFKM_freeinfo( hsmHandle, &hsmWorld, NULL ); - NFastApp_Disconnect( hsmConnection, NULL ); - NFastApp_Finish( hsmHandle, NULL ); + hsm_finalize(); #endif // USE_HSM ok = 1; diff --git a/cr_hsm_code.c b/cr_hsm_code.c index 16cde8a..7cf7685 100644 --- a/cr_hsm_code.c +++ b/cr_hsm_code.c @@ -151,6 +151,149 @@ M_ByteBlock *hsmBlobptr = NULL; #endif // USE_HSM #ifdef USE_HSM +// init HSM +int hsm_initialize( void ) +{ + // init HSM + ret_code = NFastApp_InitEx( &hsmHandle, NULL, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFastApp_InitEx\n", ret_code ); + return ret_code; + } + + // set BigNum upcalls for HSM + ret_code = NFastApp_SetBignumUpcalls( + hsmHandle, + sbn_bignumreceiveupcall, + sbn_bignumsendlenupcall, + sbn_bignumsendupcall, + sbn_bignumfreeupcall, + sbn_bignumformatupcall, + NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFastApp_SetBignumUpcalls\n", ret_code ); + return ret_code; + } + + // connect HSM + // arg3 is flag + // NFastApp_ConnectionFlags_Privileged flag need to run by nfast user. + ret_code = NFastApp_Connect( hsmHandle, &hsmConnection, 0, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFastApp_Connect\n", ret_code ); + return ret_code; + } + + // get NFKM info + ret_code = NFKM_getinfo( hsmHandle, &hsmWorld, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_getinfo\n", ret_code ); + return ret_code; + } + + // init Card-Loading Lib(RQCard) + ret_code = RQCard_init( &hsmCard, hsmHandle, hsmConnection, hsmWorld, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : RQCard_init\n", ret_code ); + return ret_code; + } + + // init FIPS state + ret_code = RQCard_fips_init( &hsmCard, &hsmFips ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : RQCard_fips_init\n", ret_code ); + return ret_code; + } + + // select Card-Auth UI + ret_code = RQCard_ui_scroll( &hsmCard ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : RQCard_ui_scroll\n", ret_code ); + return ret_code; + } + + // load AES key object + { + // find key + ret_code = NFKM_findkey( hsmHandle, hsmAeskeyident, &hsmAeskeyinfo, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_findkey\n", ret_code ); + return ret_code; + } + + // if Key_flags_ProtectionCardSet is enable, eventloop is an essential. + if ( hsmAeskeyinfo->flags & Key_flags_ProtectionCardSet ) + { + // load specific OCS + ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmAeskeyinfo->cardset, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code ); + return ret_code; + } + + // use specific Module + ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code ); + return ret_code; + } + + // eventloop + ret_code = hsmCard.uf->eventloop( &hsmCard ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : Card eventloop\n", ret_code ); + return ret_code; + } + } + + // get usable Module + hsmModuleinfo = hsmWorld->modules[0]; + ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_getusablemodule\n", ret_code ); + return ret_code; + } + + // load key blob + if ( hsmAeskeyinfo->pubblob.len ) + hsmBlobptr = &hsmAeskeyinfo->pubblob; + else + hsmBlobptr = &hsmAeskeyinfo->privblob; + ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, + hsmModuleinfo->module, hsmBlobptr, + hsmLtid, &hsmAeskeyid, + "loading key blob", NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_cmd_loadblob\n", ret_code ); + return ret_code; + } + + printf( "AES key object load : ok\n" ); + } // load AES key object +} // hsm_initialize + +void hsm_finalize( void ) +{ + RQCard_fips_free( &hsmCard, &hsmFips ); + RQCard_destroy( &hsmCard ); + NFKM_freekey( hsmHandle, hsmAeskeyinfo, NULL ); + NFKM_freeinfo( hsmHandle, &hsmWorld, NULL ); + NFastApp_Disconnect( hsmConnection, NULL ); + NFastApp_Finish( hsmHandle, NULL ); +} // hsm_finalize int hsm_generate_random( unsigned char *buf, int bytes ) { diff --git a/cr_hsm_code.h b/cr_hsm_code.h index 106564d..d113ce4 100644 --- a/cr_hsm_code.h +++ b/cr_hsm_code.h @@ -117,6 +117,7 @@ extern "C" { #endif // functions +int hsm_initialize( void ); int hsm_generate_random( unsigned char *buf, int bytes ); int hsm_get_rtc( time_t *time );