From 8c5597c7eb11b1c3da1a4d3a349722ebbca1b298 Mon Sep 17 00:00:00 2001 From: kubodera_yuichi Date: Tue, 22 Dec 2009 06:30:10 +0000 Subject: [PATCH] =?UTF-8?q?HSM=E5=88=9D=E6=9C=9F=E5=8C=96=E3=81=AE?= =?UTF-8?q?=E6=99=82=E3=81=AB=E3=83=93=E3=83=AB=E3=83=89=E3=82=B9=E3=82=A4?= =?UTF-8?q?=E3=83=83=E3=83=81=E3=81=AB=E3=82=88=E3=81=A3=E3=81=A6=E8=AA=AD?= =?UTF-8?q?=E3=81=BF=E5=87=BA=E3=81=99=E9=8D=B5=E3=82=92=E5=88=87=E3=82=8A?= =?UTF-8?q?=E6=9B=BF=E3=81=88=E3=82=8B=E3=82=88=E3=81=86=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@24 ff987cc8-cf2f-4642-8568-d52cce064691 --- cr_hsm_code.c | 336 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 261 insertions(+), 75 deletions(-) diff --git a/cr_hsm_code.c b/cr_hsm_code.c index 7f3e721..8618481 100644 --- a/cr_hsm_code.c +++ b/cr_hsm_code.c @@ -117,10 +117,9 @@ #include #include -#include "cr_generate_id.h" - #ifdef USE_HSM #include "cr_hsm_code.h" +#include "cr_generate_id.h" // nShield #include "nfastapp.h" @@ -129,9 +128,7 @@ #include "rqcard-fips.h" // nShield optional #include "simplebignum.h" -#endif // USE_HSM -#ifdef USE_HSM // TORIAEZU : nFast variables NFast_AppHandle hsmHandle; NFastApp_Connection hsmConnection; @@ -139,22 +136,23 @@ NFKM_WorldInfo *hsmWorld = NULL; // allocate RQCard hsmCard; RQCard_FIPS hsmFips; M_KeyID hsmLtid; +NFKM_ModuleInfo *hsmModuleinfo = NULL; +M_ByteBlock *hsmBlobptr = NULL; -// AES +#ifdef ENCRYPT_AES M_KeyID hsmAeskeyid; const NFKM_KeyIdent hsmAeskeyident = { (char*)"simple", (char*)"aes-test-key" }; NFKM_Key *hsmAeskeyinfo = NULL; // allocate -// RSA Priv, Pub +static int hsm_aes_load_key( void ); +#else // !ENCRYPT_AES M_KeyID hsmRsaPrivkeyid, hsmRsaPubkeyid; const NFKM_KeyIdent hsmRsakeyident = { (char*)"simple", (char*)"rsa-priv-key-2048" }; NFKM_Key *hsmRsakeyinfo = NULL; // allocate -NFKM_ModuleInfo *hsmModuleinfo = NULL; -M_ByteBlock *hsmBlobptr = NULL; -#endif // USE_HSM +static int hsm_rsa_load_keypair( void ); +#endif // ENCRYPT_AES -#ifdef USE_HSM // init HSM int hsm_initialize( void ) { @@ -224,72 +222,23 @@ int hsm_initialize( void ) printf( "error(%d) : RQCard_ui_scroll\n", ret_code ); return ret_code; } - - // load AES key object + +#ifdef ENCRYPT_AES + ret_code = hsm_aes_load_key(); + if ( ret_code != CR_GENID_SUCCESS ) { - // find key - ret_code = NFKM_findkey( hsmHandle, hsmAeskeyident, &hsmAeskeyinfo, NULL ); - if ( ret_code != CR_GENID_SUCCESS ) - { - printf( "error(%d) : NFKM_findkey\n", ret_code ); - return ret_code; - } - - // if Key_flags_ProtectionCardSet is enable, eventloop is an essential. - if ( hsmAeskeyinfo->flags & Key_flags_ProtectionCardSet ) - { - // load specific OCS - ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmAeskeyinfo->cardset, NULL ); - if ( ret_code != CR_GENID_SUCCESS ) - { - printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code ); - return ret_code; - } - - // use specific Module - ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid ); - if ( ret_code != CR_GENID_SUCCESS ) - { - printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code ); - return ret_code; - } - - // eventloop - ret_code = hsmCard.uf->eventloop( &hsmCard ); - if ( ret_code != CR_GENID_SUCCESS ) - { - printf( "error(%d) : Card eventloop\n", ret_code ); - return ret_code; - } - } - - // get usable Module - hsmModuleinfo = hsmWorld->modules[0]; - ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo ); - if ( ret_code != CR_GENID_SUCCESS ) - { - printf( "error(%d) : NFKM_getusablemodule\n", ret_code ); - return ret_code; - } - - // load key blob - if ( hsmAeskeyinfo->pubblob.len ) - hsmBlobptr = &hsmAeskeyinfo->pubblob; - else - hsmBlobptr = &hsmAeskeyinfo->privblob; - ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, - hsmModuleinfo->module, hsmBlobptr, - hsmLtid, &hsmAeskeyid, - "loading key blob", NULL ); - if ( ret_code != CR_GENID_SUCCESS ) - { - printf( "error(%d) : NFKM_cmd_loadblob\n", ret_code ); - return ret_code; - } - - printf( "AES key object load : ok\n" ); - } // load AES key object - + printf( "error(%d) : hsm_aes_load_key\n", ret_code ); + return ret_code; + } +#else // !ENCRYPT_AES + ret_code = hsm_rsa_load_keypair(); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : hsm_rsa_load_keypair\n", ret_code ); + return ret_code; + } +#endif // ENCRYPT_AES + return CR_GENID_SUCCESS; } // hsm_initialize @@ -367,6 +316,243 @@ int hsm_get_rtc( time_t *time ) return CR_GENID_SUCCESS; } // hsm_get_rtc +int hsm_aes_load_key( void ) +{ + int ret_code = 0; + + // find key + ret_code = NFKM_findkey( hsmHandle, hsmAeskeyident, &hsmAeskeyinfo, NULL ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : NFKM_findkey\n", ret_code ); + return ret_code; + } + + // if Key_flags_ProtectionCardSet is enable, eventloop is an essential. + if ( hsmAeskeyinfo->flags & Key_flags_ProtectionCardSet ) + { + // load specific OCS + ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmAeskeyinfo->cardset, NULL ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code ); + return ret_code; + } + + // use specific Module + ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code ); + return ret_code; + } + + // eventloop + ret_code = hsmCard.uf->eventloop( &hsmCard ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : Card eventloop\n", ret_code ); + return ret_code; + } + } + + // get usable Module + hsmModuleinfo = hsmWorld->modules[0]; + ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : NFKM_getusablemodule\n", ret_code ); + return ret_code; + } + + // load key blob + if ( hsmAeskeyinfo->pubblob.len ) + hsmBlobptr = &hsmAeskeyinfo->pubblob; + else + hsmBlobptr = &hsmAeskeyinfo->privblob; + ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, + hsmModuleinfo->module, hsmBlobptr, + hsmLtid, &hsmAeskeyid, + "loading key blob", NULL ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : NFKM_cmd_loadblob\n", ret_code ); + return ret_code; + } + + return CR_GENID_SUCCESS; +} // hsm_aes_load_key + +int hsm_rsa_load_keypair( void ) +{ + int ret_code = 0; + + // find key + ret_code = NFKM_findkey( hsmHandle, hsmRsakeyident, &hsmRsakeyinfo, NULL ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : NFKM_findkey\n", ret_code ); + return ret_code; + } + + // if Key_flags_ProtectionCardSet is enable, eventloop is an essential. + if ( hsmRsakeyinfo->flags & Key_flags_ProtectionCardSet ) + { + // load specific OCS + ret_code = RQCard_logic_ocs_specific( &hsmCard, &hsmRsakeyinfo->cardset, NULL ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : RQCard_logic_ocs_specific\n", ret_code ); + return ret_code; + } + + // use specific Module + ret_code = RQCard_whichmodule_specific( &hsmCard, HSM_MODULE_ID, &hsmLtid ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : RQCard_whichmodule_specific\n", ret_code ); + return ret_code; + } + + // eventloop + ret_code = hsmCard.uf->eventloop( &hsmCard ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : Card eventloop\n", ret_code ); + return ret_code; + } + } + + // get usable Module + hsmModuleinfo = hsmWorld->modules[0]; + ret_code = NFKM_getusablemodule( hsmWorld, HSM_MODULE_ID, &hsmModuleinfo ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : NFKM_getusablemodule\n", ret_code ); + return ret_code; + } + + // load key blob + printf( "pubblob.len : %d, privblob.len : %d\n", + (int)hsmRsakeyinfo->pubblob.len, (int)hsmRsakeyinfo->privblob.len ); + hsmBlobptr = &hsmRsakeyinfo->privblob; + ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, + hsmModuleinfo->module, hsmBlobptr, + hsmLtid, &hsmRsaPrivkeyid, + "loading priv-key blob", NULL ); + if ( ret_code != CR_GENID_SUCCESS ) + { + printf( "error(%d) : NFKM_cmd_loadblob(priv-key)\n", ret_code ); + return ret_code; + } + printf( "RSA private key object load : ok\n" ); + hsmBlobptr = &hsmRsakeyinfo->pubblob; + ret_code = NFKM_cmd_loadblob( hsmHandle, hsmConnection, + hsmModuleinfo->module, hsmBlobptr, + hsmLtid, &hsmRsaPubkeyid, + "loading pub-key blob", NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_cmd_loadblob(pub-key)\n", ret_code ); + } + printf( "RSA public key object load : ok\n" ); + + // get key info + { + M_Command cmd; + M_Reply reply; + + memset( &cmd, 0, sizeof( cmd ) ); + memset( &reply, 0, sizeof( reply ) ); + + cmd.cmd = Cmd_GetKeyInfo; + cmd.args.getkeyinfo.key = hsmRsaPrivkeyid; + ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code ); + } + } + +#if 0 + // get & set key acl + { + int i, j; + M_Command cmd; + M_Reply reply; + M_ACL newACL; + + memset( &cmd, 0, sizeof( cmd ) ); + memset( &reply, 0, sizeof( reply ) ); + + // GetACL + cmd.cmd = Cmd_GetACL; + cmd.args.getacl.key = hsmRsaPrivkeyid; + ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", ret_code ); + } + printf( "n_groups : %d\n", reply.reply.getacl.acl.n_groups ); + for ( i = 0; i < reply.reply.getacl.acl.n_groups; i++ ) + { + printf( "group[%d] : %d actions ok.\n", i, reply.reply.getacl.acl.groups[i].n_actions ); + for ( j = 0; j < reply.reply.getacl.acl.groups[i].n_actions; j++ ) + { + if ( reply.reply.getacl.acl.groups[i].actions[j].type == 1 ) // Act_OpPermissions + printf( "OpPermissions : %08X\n", + (int)reply.reply.getacl.acl.groups[i].actions[j].details.oppermissions.perms ); + } + } + newACL = reply.reply.getacl.acl; + + memset( &cmd, 0, sizeof( cmd ) ); + memset( &reply, 0, sizeof( reply ) ); + NFastApp_Free_Reply( hsmHandle, NULL, NULL, &reply ); + + // find cardsets + NFKM_CardSet *cardset = NULL; + ret_code = NFKM_findcardset( hsmHandle, &(hsmRsakeyinfo->cardset), &cardset, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_findcardset\n", ret_code ); + } + + // make new ACL + NFKM_MakeACLParams map; + NFKM_MakeBlobsParams mbp; + M_ACL newACL; + memset( &map, 0, sizeof( map ) ); + map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet; + map.op_base = (NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY | + NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT ); + map.cs = cardset; + ret_code = NFKM_newkey_makeaclx( hsmHandle, hsmConnection, hsmWorld, &map, + &newACL, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : NFKM_newkey_makeaclx\n", ret_code ); + } + + // SetACL + cmd.cmd = Cmd_SetACL; + cmd.args.setacl.key = hsmRsaPrivkeyid; + cmd.args.setacl.newacl = newACL; + ret_code = NFastApp_Transact( hsmConnection, NULL, &cmd, &reply, NULL ); + if ( ret_code != Status_OK ) + { + printf( "error(%d) : set acl(transaction)\n", ret_code ); + } + ret_code = reply.status; + if ( ret_code != Status_OK ) + { + printf( "error(%d) : set acl(reply status)\n", ret_code ); + } + } +#endif + return CR_GENID_SUCCESS; +} // hsm_rsa_load_keypair + int hsm_aes_encrypt( unsigned char *dst_buf, unsigned char *org_buf, int size ) { int ret_code = 0;