TestECDSAの追加とテスト(現在署名で失敗する)

git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@34 ff987cc8-cf2f-4642-8568-d52cce064691
2025-11-02 00:11:04 -04:00 · 2009-12-22 09:40:51 +00:00 · 2009-12-22 09:40:51 +00:00 · 5b0e14b861
commit 5b0e14b861
parent 6c97e11eea
3 changed files with 121 additions and 5 deletions
--- a/cr_deviceCert.c
+++ b/cr_deviceCert.c
@ -129,6 +129,9 @@
 #include <openssl/rsa.h>
 #include <openssl/aes.h>

+#include <openssl/ecdsa.h>	// これにより下はいらない
+//#include "ec_lcl.h"	// ec_key_st構造体の参照に必要
+
 #include "cr_generate_id.h"
 #include "cr_generate_id_private.h"
 #include "cr_alloc.h"
@ -155,8 +158,83 @@ typedef struct CTR_Device_Cert
    u8        padding1[ 60 ];       // 0x144 - 0x17F : zero-filled
 } CTR_Device_Cert;

+// 鍵ペアをECDSAで検証（FuseIDに切り出したpubkeyのみを使用して署名検証）
+static int TestECDSA2( EC_KEY *eckey, int ec_curve_name, u8 ec_pub_key_neg, u8 ec_pub_key_num_bytes, u8 *ec_pub_key )
+{
+#define CR_ECDSA_BUF_SIZE       32
+#define CR_ECDSA_SIGN_BUF_SIZE  256
+
+    BN_CTX   *ctx = NULL;
+	BIGNUM   *bn_pubkey = NULL;
+	EC_KEY   *test_key  = NULL;
+	EC_POINT *point_pubkey = NULL;
+	unsigned char buf[256];
+	
+	unsigned char ecdsa_test_buf[CR_ECDSA_BUF_SIZE];
+	unsigned char ecdsasig[CR_ECDSA_SIGN_BUF_SIZE];
+	unsigned int ecdsasiglen = 0;
+	int test_ret = 0;
+	int ret_code = 0;
+	int i;
+	
+	// 署名作成
+	for( i = 0 ; i < CR_ECDSA_BUF_SIZE ; i++ ) {
+		ecdsa_test_buf[i] = (u8)(0xff & i );
+	}
+	memset(ecdsasig, 0, CR_ECDSA_SIGN_BUF_SIZE);
+	
+	test_ret = ECDSA_sign(0, ecdsa_test_buf, CR_ECDSA_BUF_SIZE, ecdsasig, 
+			&ecdsasiglen, eckey);
+	if (test_ret == 0) {
+		return CR_GENID_ERROR_ECDSA_SIGN;
+	}
+	
+	// 署名検証
+	if( ( ctx = BN_CTX_new() ) == NULL ) {
+		ret_code = CR_GENID_ERROR_BN_CTX_NEW;
+		goto end;
+	}
+	if( ( bn_pubkey = BN_new() ) == NULL ) {
+		ret_code = CR_GENID_ERROR_BN_NEW_2;
+		goto end;
+	}
+	if( ( test_key = EC_KEY_new_by_curve_name( ec_curve_name ) ) == NULL) {
+		ret_code = CR_GENID_ERROR_EC_KEY_NEW_1;
+		goto end;
+	}
+	if( ( point_pubkey = EC_POINT_new( test_key->group ) ) == NULL ) {
+		ret_code = CR_GENID_ERROR_EC_POINT_NEW;
+		goto end;
+	}
+	memset( buf, 0, sizeof(buf) );
+	if( ec_pub_key_neg ) {
+		// 負数の場合、先頭はそのまま
+		memcpy( buf, ec_pub_key, ec_pub_key_num_bytes );
+	}else {
+		// 正の数の場合、先頭に0x00をパディングして、サイズを１増やす
+		memcpy( &buf[1], ec_pub_key, ec_pub_key_num_bytes );
+		ec_pub_key_num_bytes++;
+	}
+	(void)BN_bin2bn( buf, ec_pub_key_num_bytes, bn_pubkey );
+	
+	(void)EC_POINT_bn2point( test_key->group, bn_pubkey, point_pubkey , ctx );
+	EC_KEY_set_public_key( test_key, point_pubkey );
+	test_ret = ECDSA_verify( 0, ecdsa_test_buf, CR_ECDSA_BUF_SIZE, ecdsasig, ecdsasiglen, test_key );
+    if( test_ret != 1) {
+		ret_code = CR_GENID_ERROR_ECDSA_VERIFY;
+	}
+	
+end:
+	if( ctx )               BN_CTX_free( ctx );
+	if( bn_pubkey )         BN_free( bn_pubkey );
+	if( test_key )          EC_KEY_free( test_key );
+	if( point_pubkey )      EC_POINT_free( point_pubkey );
+
+	return ret_code;
+}
+
 // create CTR Device cert
-int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption )
+int GenerateCTRDeviceCert( EC_KEY *eckey, u32 deviceId, u8 bondingOption )
 {
 	int result = 0;
 	char str[80];
@ -189,7 +267,7 @@ int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption )
 	
 	// expiryDate
 #ifdef USE_HSM
-	result = hsm_get_rtc( &cert.expiryDate );
+	result = hsm_get_rtc( &(cert.expiryDate) );
 	if ( result != 0 )
 	{
 		printf( "error(%d) : hsm_get_rtc\n", result );
@ -202,7 +280,45 @@ int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption )
 		gettimeofday(&tv,&tz);
 		cert.expiryDate = tv.tv_sec;
 	}
-#endif // USE_HSM
+#endif	// USE_HSM
+
+	// signature
+#ifdef USE_HSM
+
+#else	// !USE_HSM
+	BIGNUM *bn_pubkey = NULL;
+	u8 ec_pub_key_neg;
+	u8 ec_pub_key_num_bytes;
+	u8 ec_pub_key[78];
+
+	bn_pubkey = BN_new();
+	if( bn_pubkey == NULL ) {
+		return CR_GENID_ERROR_BN_NEW_1;
+	}
+	
+	result = EC_POINT_point2bn( eckey->group, eckey->pub_key, eckey->conv_form , bn_pubkey, NULL);
+	if ( result == 0 )
+	{
+		printf( "error(%d) : EC_POINT_point2bn\n", result );
+		return result;
+	}
+	
+	ec_pub_key_neg = (unsigned char)( (bn_pubkey->neg == 0) ? 0 : 1 );
+	ec_pub_key_num_bytes = (unsigned char)(BN_num_bytes(bn_pubkey));
+	
+	BN_bn2bin( bn_pubkey, ec_pub_key );
+	
+	BN_free( bn_pubkey );
+	
+	result = TestECDSA2( eckey, NID_sect233r1, ec_pub_key_neg,
+							ec_pub_key_num_bytes, ec_pub_key );
+	if ( result != 0 )
+	{
+		printf( "error(%d) : TestECDSA2\n", result );
+		return result;
+	}
+    
+#endif	// USE_HSM

 #if 0
 	if ( cr_print_flag )
--- a/cr_generate_id.c
+++ b/cr_generate_id.c
@ -316,7 +316,7 @@ int cr_generate_id( u32 serial[CR_NUM_OF_SERIAL], u8 id_buf[CR_ID_BUF_SIZE], u8
 	//--------------------------------------------------------------
 	// デバイス証明書生成 + 署名の付与 + 証明書期限セット
 	//--------------------------------------------------------------
-	ret_code = GenerateCTRDeviceCert( my_eckey->pub_key, cr_id_buf->serial[0], cr_id_buf->bondingOption );
+	ret_code = GenerateCTRDeviceCert( my_eckey, cr_id_buf->serial[0], cr_id_buf->bondingOption );
 	if ( ret_code != CR_GENID_SUCCESS ) {
 		goto end;
 	}
--- a/cr_generate_id_private.h
+++ b/cr_generate_id_private.h
@ -184,7 +184,7 @@ typedef struct {
 extern int  GetTimestamp( u8 *pYear, u8 *pMonth, u8 *pMday, u8 *pHour, u8 *pMin, u8 *pSec, time_t *pTime);
 extern int  GenerateRandom( u8 *pDst, int length );
 extern int  GenarateECCKeyPair( EC_KEY **ppECkey, u8 *pECPrivkey );
-extern int  GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption );
+extern int  GenerateCTRDeviceCert( EC_KEY *key, u32 deviceId, u8 bondingOption );
 extern int  EncryptID( unsigned char *dst_buf, unsigned char *org_buf, u8 bondingOption );
 extern void DebugPrintArray( char *pStr, const u8 *pData, int length );