mirror of
https://github.com/rvtr/ctr_eFuse.git
synced 2025-11-02 00:11:04 -04:00
HSM初期化の時にビルドスイッチによって読み出す鍵を切り替えるよう変更
git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@24 ff987cc8-cf2f-4642-8568-d52cce064691
This commit is contained in:
kubodera_yuichi
parent
4ae224dc01
commit
8c5597c7eb
336
cr_hsm_code.c
336
cr_hsm_code.c
@ -117,10 +117,9 @@
|
||||
#include <sys/time.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "cr_generate_id.h"
|
||||
|
||||
#ifdef USE_HSM
|
||||
#include "cr_hsm_code.h"
|
||||
#include "cr_generate_id.h"
|
||||
|
||||
// nShield
|
||||
#include "nfastapp.h"
|
||||
@ -129,9 +128,7 @@
|
||||
#include "rqcard-fips.h"
|
||||
// nShield optional
|
||||
#include "simplebignum.h"
|
||||
#endif // USE_HSM
|
||||
|
||||
#ifdef USE_HSM
|
||||
// TORIAEZU : nFast variables
|
||||
NFast_AppHandle hsmHandle;
|
||||
NFastApp_Connection hsmConnection;
|
||||
@ -139,22 +136,23 @@ NFKM_WorldInfo *hsmWorld = NULL; // allocate
|
||||
RQCard hsmCard;
|
||||
RQCard_FIPS hsmFips;
|
||||
M_KeyID hsmLtid;
|
||||
NFKM_ModuleInfo *hsmModuleinfo = NULL;
|
||||
M_ByteBlock *hsmBlobptr = NULL;
|
||||
|
||||
// AES
|
||||
#ifdef ENCRYPT_AES
|
||||
M_KeyID hsmAeskeyid;
|
||||
const NFKM_KeyIdent hsmAeskeyident = { (char*)"simple", (char*)"aes-test-key" };
|
||||
NFKM_Key *hsmAeskeyinfo = NULL; // allocate
|
||||
|
||||
// RSA Priv, Pub
|
||||
static int hsm_aes_load_key( void );
|
||||
#else // !ENCRYPT_AES
|
||||
M_KeyID hsmRsaPrivkeyid, hsmRsaPubkeyid;
|
||||
const NFKM_KeyIdent hsmRsakeyident = { (char*)"simple", (char*)"rsa-priv-key-2048" };
|
||||
NFKM_Key *hsmRsakeyinfo = NULL; // allocate
|
||||
NFKM_ModuleInfo *hsmModuleinfo = NULL;
|
||||
M_ByteBlock *hsmBlobptr = NULL;
|
||||
|
||||
#endif // USE_HSM
|
||||
static int hsm_rsa_load_keypair( void );
|
||||
#endif // ENCRYPT_AES
|
||||
|
||||
#ifdef USE_HSM
|
||||
// init HSM
|
||||
int hsm_initialize( void )
|
||||
{
|
||||
@ -224,72 +222,23 @@ int hsm_initialize( void )
|
||||
printf( "error(%d) : RQCard_ui_scroll\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// load AES key object
|
||||
|
||||
#ifdef ENCRYPT_AES
|
||||
ret_code = hsm_aes_load_key();
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
// find key
|
||||
ret_code = NFKM_findkey( hsmHandle, hsmAeskeyident, &hsmAeskeyinfo, NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_findkey\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// if Key_flags_ProtectionCardSet is enable, eventloop is an essential.
|
||||
if ( hsmAeskeyinfo->flags & Key_flags_ProtectionCardSet )
|
||||
{
|
||||
// load specific OCS
|
||||
ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmAeskeyinfo->cardset, NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// use specific Module
|
||||
ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// eventloop
|
||||
ret_code = hsmCard.uf->eventloop( &hsmCard );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : Card eventloop\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
}
|
||||
|
||||
// get usable Module
|
||||
hsmModuleinfo = hsmWorld->modules[0];
|
||||
ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_getusablemodule\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// load key blob
|
||||
if ( hsmAeskeyinfo->pubblob.len )
|
||||
hsmBlobptr = &hsmAeskeyinfo->pubblob;
|
||||
else
|
||||
hsmBlobptr = &hsmAeskeyinfo->privblob;
|
||||
ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection,
|
||||
hsmModuleinfo->module, hsmBlobptr,
|
||||
hsmLtid, &hsmAeskeyid,
|
||||
"loading key blob", NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_cmd_loadblob\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
printf( "AES key object load : ok\n" );
|
||||
} // load AES key object
|
||||
|
||||
printf( "error(%d) : hsm_aes_load_key\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
#else // !ENCRYPT_AES
|
||||
ret_code = hsm_rsa_load_keypair();
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : hsm_rsa_load_keypair\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
#endif // ENCRYPT_AES
|
||||
|
||||
return CR_GENID_SUCCESS;
|
||||
} // hsm_initialize
|
||||
|
||||
@ -367,6 +316,243 @@ int hsm_get_rtc( time_t *time )
|
||||
return CR_GENID_SUCCESS;
|
||||
} // hsm_get_rtc
|
||||
|
||||
int hsm_aes_load_key( void )
|
||||
{
|
||||
int ret_code = 0;
|
||||
|
||||
// find key
|
||||
ret_code = NFKM_findkey( hsmHandle, hsmAeskeyident, &hsmAeskeyinfo, NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_findkey\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// if Key_flags_ProtectionCardSet is enable, eventloop is an essential.
|
||||
if ( hsmAeskeyinfo->flags & Key_flags_ProtectionCardSet )
|
||||
{
|
||||
// load specific OCS
|
||||
ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmAeskeyinfo->cardset, NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// use specific Module
|
||||
ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// eventloop
|
||||
ret_code = hsmCard.uf->eventloop( &hsmCard );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : Card eventloop\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
}
|
||||
|
||||
// get usable Module
|
||||
hsmModuleinfo = hsmWorld->modules[0];
|
||||
ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_getusablemodule\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// load key blob
|
||||
if ( hsmAeskeyinfo->pubblob.len )
|
||||
hsmBlobptr = &hsmAeskeyinfo->pubblob;
|
||||
else
|
||||
hsmBlobptr = &hsmAeskeyinfo->privblob;
|
||||
ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection,
|
||||
hsmModuleinfo->module, hsmBlobptr,
|
||||
hsmLtid, &hsmAeskeyid,
|
||||
"loading key blob", NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_cmd_loadblob\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
return CR_GENID_SUCCESS;
|
||||
} // hsm_aes_load_key
|
||||
|
||||
int hsm_rsa_load_keypair( void )
|
||||
{
|
||||
int ret_code = 0;
|
||||
|
||||
// find key
|
||||
ret_code = NFKM_findkey( hsmHandle, hsmRsakeyident, &hsmRsakeyinfo, NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_findkey\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// if Key_flags_ProtectionCardSet is enable, eventloop is an essential.
|
||||
if ( hsmRsakeyinfo->flags & Key_flags_ProtectionCardSet )
|
||||
{
|
||||
// load specific OCS
|
||||
ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmRsakeyinfo->cardset, NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// use specific Module
|
||||
ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// eventloop
|
||||
ret_code = hsmCard.uf->eventloop( &hsmCard );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : Card eventloop\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
}
|
||||
|
||||
// get usable Module
|
||||
hsmModuleinfo = hsmWorld->modules[0];
|
||||
ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_getusablemodule\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
|
||||
// load key blob
|
||||
printf( "pubblob.len : %d, privblob.len : %d\n",
|
||||
(int)hsmRsakeyinfo->pubblob.len, (int)hsmRsakeyinfo->privblob.len );
|
||||
hsmBlobptr = &hsmRsakeyinfo->privblob;
|
||||
ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection,
|
||||
hsmModuleinfo->module, hsmBlobptr,
|
||||
hsmLtid, &hsmRsaPrivkeyid,
|
||||
"loading priv-key blob", NULL );
|
||||
if ( ret_code != CR_GENID_SUCCESS )
|
||||
{
|
||||
printf( "error(%d) : NFKM_cmd_loadblob(priv-key)\n", ret_code );
|
||||
return ret_code;
|
||||
}
|
||||
printf( "RSA private key object load : ok\n" );
|
||||
hsmBlobptr = &hsmRsakeyinfo->pubblob;
|
||||
ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection,
|
||||
hsmModuleinfo->module, hsmBlobptr,
|
||||
hsmLtid, &hsmRsaPubkeyid,
|
||||
"loading pub-key blob", NULL );
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_cmd_loadblob(pub-key)\n", ret_code );
|
||||
}
|
||||
printf( "RSA public key object load : ok\n" );
|
||||
|
||||
// get key info
|
||||
{
|
||||
M_Command cmd;
|
||||
M_Reply reply;
|
||||
|
||||
memset( &cmd, 0, sizeof( cmd ) );
|
||||
memset( &reply, 0, sizeof( reply ) );
|
||||
|
||||
cmd.cmd = Cmd_GetKeyInfo;
|
||||
cmd.args.getkeyinfo.key = hsmRsaPrivkeyid;
|
||||
ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL );
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code );
|
||||
}
|
||||
}
|
||||
|
||||
#if 0
|
||||
// get & set key acl
|
||||
{
|
||||
int i, j;
|
||||
M_Command cmd;
|
||||
M_Reply reply;
|
||||
M_ACL newACL;
|
||||
|
||||
memset( &cmd, 0, sizeof( cmd ) );
|
||||
memset( &reply, 0, sizeof( reply ) );
|
||||
|
||||
// GetACL
|
||||
cmd.cmd = Cmd_GetACL;
|
||||
cmd.args.getacl.key = hsmRsaPrivkeyid;
|
||||
ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL );
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code );
|
||||
}
|
||||
printf( "n_groups : %d\n", reply.reply.getacl.acl.n_groups );
|
||||
for ( i = 0; i < reply.reply.getacl.acl.n_groups; i++ )
|
||||
{
|
||||
printf( "group[%d] : %d actions ok.\n", i, reply.reply.getacl.acl.groups[i].n_actions );
|
||||
for ( j = 0; j < reply.reply.getacl.acl.groups[i].n_actions; j++ )
|
||||
{
|
||||
if ( reply.reply.getacl.acl.groups[i].actions[j].type == 1 ) // Act_OpPermissions
|
||||
printf( "OpPermissions : %08X\n",
|
||||
(int)reply.reply.getacl.acl.groups[i].actions[j].details.oppermissions.perms );
|
||||
}
|
||||
}
|
||||
newACL = reply.reply.getacl.acl;
|
||||
|
||||
memset( &cmd, 0, sizeof( cmd ) );
|
||||
memset( &reply, 0, sizeof( reply ) );
|
||||
NFastApp_Free_Reply( hsmHandle, NULL, NULL, &reply );
|
||||
|
||||
// find cardsets
|
||||
NFKM_CardSet *cardset = NULL;
|
||||
ret_code = NFKM_findcardset( hsmHandle, &(hsmRsakeyinfo->cardset), &cardset, NULL );
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_findcardset\n", ret_code );
|
||||
}
|
||||
|
||||
// make new ACL
|
||||
NFKM_MakeACLParams map;
|
||||
NFKM_MakeBlobsParams mbp;
|
||||
M_ACL newACL;
|
||||
memset( &map, 0, sizeof( map ) );
|
||||
map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet;
|
||||
map.op_base = (NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY |
|
||||
NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT );
|
||||
map.cs = cardset;
|
||||
ret_code = NFKM_newkey_makeaclx( hsmHandle, hsmConnection, hsmWorld, &map,
|
||||
&newACL, NULL );
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_newkey_makeaclx\n", ret_code );
|
||||
}
|
||||
|
||||
// SetACL
|
||||
cmd.cmd = Cmd_SetACL;
|
||||
cmd.args.setacl.key = hsmRsaPrivkeyid;
|
||||
cmd.args.setacl.newacl = newACL;
|
||||
ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL );
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : set acl(transaction)\n", ret_code );
|
||||
}
|
||||
ret_code = reply.status;
|
||||
if ( ret_code != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : set acl(reply status)\n", ret_code );
|
||||
}
|
||||
}
|
||||
#endif
|
||||
return CR_GENID_SUCCESS;
|
||||
} // hsm_rsa_load_keypair
|
||||
|
||||
int hsm_aes_encrypt( unsigned char *dst_buf, unsigned char *org_buf, int size )
|
||||
{
|
||||
int ret_code = 0;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user