From 5b0e14b86159caccedfd1f4a7246beaca11c6cae Mon Sep 17 00:00:00 2001 From: kubodera_yuichi Date: Tue, 22 Dec 2009 09:40:51 +0000 Subject: [PATCH] =?UTF-8?q?TestECDSA=E3=81=AE=E8=BF=BD=E5=8A=A0=E3=81=A8?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88(=E7=8F=BE=E5=9C=A8=E7=BD=B2?= =?UTF-8?q?=E5=90=8D=E3=81=A7=E5=A4=B1=E6=95=97=E3=81=99=E3=82=8B)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@34 ff987cc8-cf2f-4642-8568-d52cce064691 --- cr_deviceCert.c | 122 ++++++++++++++++++++++++++++++++++++++- cr_generate_id.c | 2 +- cr_generate_id_private.h | 2 +- 3 files changed, 121 insertions(+), 5 deletions(-) diff --git a/cr_deviceCert.c b/cr_deviceCert.c index 5c53edf..d7d920d 100644 --- a/cr_deviceCert.c +++ b/cr_deviceCert.c @@ -129,6 +129,9 @@ #include #include +#include // これにより下はいらない +//#include "ec_lcl.h" // ec_key_st構造体の参照に必要 + #include "cr_generate_id.h" #include "cr_generate_id_private.h" #include "cr_alloc.h" @@ -155,8 +158,83 @@ typedef struct CTR_Device_Cert u8 padding1[ 60 ]; // 0x144 - 0x17F : zero-filled } CTR_Device_Cert; +// 鍵ペアをECDSAで検証(FuseIDに切り出したpubkeyのみを使用して署名検証) +static int TestECDSA2( EC_KEY *eckey, int ec_curve_name, u8 ec_pub_key_neg, u8 ec_pub_key_num_bytes, u8 *ec_pub_key ) +{ +#define CR_ECDSA_BUF_SIZE 32 +#define CR_ECDSA_SIGN_BUF_SIZE 256 + + BN_CTX *ctx = NULL; + BIGNUM *bn_pubkey = NULL; + EC_KEY *test_key = NULL; + EC_POINT *point_pubkey = NULL; + unsigned char buf[256]; + + unsigned char ecdsa_test_buf[CR_ECDSA_BUF_SIZE]; + unsigned char ecdsasig[CR_ECDSA_SIGN_BUF_SIZE]; + unsigned int ecdsasiglen = 0; + int test_ret = 0; + int ret_code = 0; + int i; + + // 署名作成 + for( i = 0 ; i < CR_ECDSA_BUF_SIZE ; i++ ) { + ecdsa_test_buf[i] = (u8)(0xff & i ); + } + memset(ecdsasig, 0, CR_ECDSA_SIGN_BUF_SIZE); + + test_ret = ECDSA_sign(0, ecdsa_test_buf, CR_ECDSA_BUF_SIZE, ecdsasig, + &ecdsasiglen, eckey); + if (test_ret == 0) { + return CR_GENID_ERROR_ECDSA_SIGN; + } + + // 署名検証 + if( ( ctx = BN_CTX_new() ) == NULL ) { + ret_code = CR_GENID_ERROR_BN_CTX_NEW; + goto end; + } + if( ( bn_pubkey = BN_new() ) == NULL ) { + ret_code = CR_GENID_ERROR_BN_NEW_2; + goto end; + } + if( ( test_key = EC_KEY_new_by_curve_name( ec_curve_name ) ) == NULL) { + ret_code = CR_GENID_ERROR_EC_KEY_NEW_1; + goto end; + } + if( ( point_pubkey = EC_POINT_new( test_key->group ) ) == NULL ) { + ret_code = CR_GENID_ERROR_EC_POINT_NEW; + goto end; + } + memset( buf, 0, sizeof(buf) ); + if( ec_pub_key_neg ) { + // 負数の場合、先頭はそのまま + memcpy( buf, ec_pub_key, ec_pub_key_num_bytes ); + }else { + // 正の数の場合、先頭に0x00をパディングして、サイズを1増やす + memcpy( &buf[1], ec_pub_key, ec_pub_key_num_bytes ); + ec_pub_key_num_bytes++; + } + (void)BN_bin2bn( buf, ec_pub_key_num_bytes, bn_pubkey ); + + (void)EC_POINT_bn2point( test_key->group, bn_pubkey, point_pubkey , ctx ); + EC_KEY_set_public_key( test_key, point_pubkey ); + test_ret = ECDSA_verify( 0, ecdsa_test_buf, CR_ECDSA_BUF_SIZE, ecdsasig, ecdsasiglen, test_key ); + if( test_ret != 1) { + ret_code = CR_GENID_ERROR_ECDSA_VERIFY; + } + +end: + if( ctx ) BN_CTX_free( ctx ); + if( bn_pubkey ) BN_free( bn_pubkey ); + if( test_key ) EC_KEY_free( test_key ); + if( point_pubkey ) EC_POINT_free( point_pubkey ); + + return ret_code; +} + // create CTR Device cert -int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption ) +int GenerateCTRDeviceCert( EC_KEY *eckey, u32 deviceId, u8 bondingOption ) { int result = 0; char str[80]; @@ -189,7 +267,7 @@ int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption ) // expiryDate #ifdef USE_HSM - result = hsm_get_rtc( &cert.expiryDate ); + result = hsm_get_rtc( &(cert.expiryDate) ); if ( result != 0 ) { printf( "error(%d) : hsm_get_rtc\n", result ); @@ -202,7 +280,45 @@ int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption ) gettimeofday(&tv,&tz); cert.expiryDate = tv.tv_sec; } -#endif // USE_HSM +#endif // USE_HSM + + // signature +#ifdef USE_HSM + +#else // !USE_HSM + BIGNUM *bn_pubkey = NULL; + u8 ec_pub_key_neg; + u8 ec_pub_key_num_bytes; + u8 ec_pub_key[78]; + + bn_pubkey = BN_new(); + if( bn_pubkey == NULL ) { + return CR_GENID_ERROR_BN_NEW_1; + } + + result = EC_POINT_point2bn( eckey->group, eckey->pub_key, eckey->conv_form , bn_pubkey, NULL); + if ( result == 0 ) + { + printf( "error(%d) : EC_POINT_point2bn\n", result ); + return result; + } + + ec_pub_key_neg = (unsigned char)( (bn_pubkey->neg == 0) ? 0 : 1 ); + ec_pub_key_num_bytes = (unsigned char)(BN_num_bytes(bn_pubkey)); + + BN_bn2bin( bn_pubkey, ec_pub_key ); + + BN_free( bn_pubkey ); + + result = TestECDSA2( eckey, NID_sect233r1, ec_pub_key_neg, + ec_pub_key_num_bytes, ec_pub_key ); + if ( result != 0 ) + { + printf( "error(%d) : TestECDSA2\n", result ); + return result; + } + +#endif // USE_HSM #if 0 if ( cr_print_flag ) diff --git a/cr_generate_id.c b/cr_generate_id.c index fef533a..458da8c 100644 --- a/cr_generate_id.c +++ b/cr_generate_id.c @@ -316,7 +316,7 @@ int cr_generate_id( u32 serial[CR_NUM_OF_SERIAL], u8 id_buf[CR_ID_BUF_SIZE], u8 //-------------------------------------------------------------- // デバイス証明書生成 + 署名の付与 + 証明書期限セット //-------------------------------------------------------------- - ret_code = GenerateCTRDeviceCert( my_eckey->pub_key, cr_id_buf->serial[0], cr_id_buf->bondingOption ); + ret_code = GenerateCTRDeviceCert( my_eckey, cr_id_buf->serial[0], cr_id_buf->bondingOption ); if ( ret_code != CR_GENID_SUCCESS ) { goto end; } diff --git a/cr_generate_id_private.h b/cr_generate_id_private.h index df70e30..7682915 100644 --- a/cr_generate_id_private.h +++ b/cr_generate_id_private.h @@ -184,7 +184,7 @@ typedef struct { extern int GetTimestamp( u8 *pYear, u8 *pMonth, u8 *pMday, u8 *pHour, u8 *pMin, u8 *pSec, time_t *pTime); extern int GenerateRandom( u8 *pDst, int length ); extern int GenarateECCKeyPair( EC_KEY **ppECkey, u8 *pECPrivkey ); -extern int GenerateCTRDeviceCert( EC_POINT *pubKey, u32 deviceId, u8 bondingOption ); +extern int GenerateCTRDeviceCert( EC_KEY *key, u32 deviceId, u8 bondingOption ); extern int EncryptID( unsigned char *dst_buf, unsigned char *org_buf, u8 bondingOption ); extern void DebugPrintArray( char *pStr, const u8 *pData, int length );