シャープ側で生成されたIDを検証するためのツール、testSharpID.exe をビルドできるよう変更。

git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@202 ff987cc8-cf2f-4642-8568-d52cce064691

trunk/Makefile.testSharpID

@@ -0,0 +1,224 @@
+# nm ntd_mem_allocator.o | grep " [T|B|D] "
+# nm ntd_crypto_ecdsa.o | grep " [T|B|D] "
+# nm ntd_crypto_rsa.o | grep " [T|B|D] "
+# nm generate_id.o | grep " [T|B|D] "
+# nm ../rsa_keysrcgen/rsa1_key.o | grep " [T|B|D] "
+
+
+#　最終的なビルドスイッチの設定は、以下の通り。
+#      DEV_CYGWIN    = FALSE
+#      DEBUG_PRINT   = FALSE
+#      DEBUG_OUTPUT  = FALSE
+#      ECDSA_SHA256  = TRUE
+#      USE_HSM       = TRUE
+#      RESET_HSM     = TRUE
+
+DEV_CYGWIN   = TRUE
+DEBUG_PRINT  = TRUE
+DEBUG_OUTPUT = FALSE
+ECDSA_SHA256 = TRUE
+USE_HSM      = FALSE
+RESET_HSM    = TRUE
+
+ifeq ($(USE_HSM),TRUE)
+
+# HSM使用時は強制的にDUMMY_KEYは未使用にする。
+USE_DUMMY_KEY = FALSE
+
+# nFast Path
+NFAST_PATH = /opt/nfast
+
+# nFast Developer tools installation
+NFAST_DEV_PATH = $(NFAST_PATH)/c/ctd/gcc
+NFAST_EXAMPLES = $(NFAST_PATH)/c/ctd/examples
+
+# nFast Developer tools library
+NFAST_LIBPATH = $(NFAST_DEV_PATH)/lib
+
+# nFast Developer tools include
+NFAST_INC = $(NFAST_DEV_PATH)/include
+
+# nFast CPPFLAGS
+NFAST_CPPFLAGS = \
+					-I$(NFAST_INC)/sworld \
+					-I$(NFAST_INC)/hilibs \
+					-I$(NFAST_INC)/nflog \
+					-I$(NFAST_INC)/cutils \
+					-I$(NFAST_EXAMPLES)/sworld \
+					-I$(NFAST_EXAMPLES)/hilibs \
+					-I$(NFAST_EXAMPLES)/nflog \
+					-I$(NFAST_EXAMPLES)/cutils \
+					
+# nFast LDLIBS
+NFAST_LDLIBS = \
+					$(NFAST_LIBPATH)/libnfkm.a \
+					$(NFAST_LIBPATH)/libnfstub.a \
+					$(NFAST_LIBPATH)/libnflog.a \
+					$(NFAST_LIBPATH)/libcutils.a \
+
+else # !USE_HSM
+
+# HSMが使用できない場合は、DUMMY_KEYを使ってテストする。
+USE_DUMMY_KEY = TRUE
+
+endif # USE_HSM
+
+ifeq ($(USE_DUMMY_KEY),TRUE)
+DEV_DER_KEY_DIR  = ./dummyKey/dev
+PROD_DER_KEY_DIR = ./dummyKey/prod
+else # !USE_DUMMY_KEY
+DEV_DER_KEY_DIR  = ./realKey/dev
+PROD_DER_KEY_DIR = ./realKey/prod
+endif # USE_DUMMY_KEY
+
+PACKAGE_DIR = ./package
+OPENSSL_DIR = ./openssl-1.0.0-beta5
+# OPENSSL_DIR = ./openssl-0.9.8k
+
+TARGET_LIB  = libgenid.a
+
+TARGET	    = testSharpID
+
+KEYS_C  = cr_eFuse_iv_prod.c \
+          cr_eFuse_iv_dev.c  \
+          cr_NCT2_pub_prod.c \
+          cr_NCT2_pub_dev.c
+  
+ifeq ($(USE_DUMMY_KEY),TRUE)
+KEYS_C  += cr_eFuse_privKey_prod.c cr_eFuse_pubKey_prod.c \
+           cr_eFuse_privKey_dev.c  cr_eFuse_pubKey_dev.c \
+           cr_eFuse_aesKey_prod.c \
+           cr_eFuse_aesKey_dev.c \
+           cr_NCT2_priv_prod.c \
+           cr_NCT2_priv_dev.c
+endif # USE_DUMMY_KEY
+
+SRCS	=	main2.c
+OBJS	=	$(notdir $(SRCS:.c=.o))
+
+LIB_SRCS	= cr_generate_id.c cr_id_util.c cr_keyPair.c \
+          cr_device_cert.c cr_enc_id.c cr_alloc.c \
+          cr_hsm_code.c cr_hsm_alloc.c cr_hsm_bignum.c
+LIB_OBJS	= $(notdir $(LIB_SRCS:.c=.o))
+
+CFLAGS	= -Wall -DMEXP=216091 -msse2 -DHAVE_SSE2
+CPPFLAGS= -I. -I$(OPENSSL_DIR)/include -I$(OPENSSL_DIR)/crypto/ec
+LDFLAGS	= -mwindows -L$(OPENSSL_DIR)
+LDLIBS	= -lcrypto -lssl
+MERGE_PROG = merge_lib_objs.plx
+
+ifeq ($(DEV_CYGWIN),TRUE)
+CC := C:/Cygwin/bin/gcc
+LD	= C:/Cygwin/bin/gcc
+CFLAGS	+= -mno-cygwin -DDEV_CYGWIN
+LDFLAGS	+= -Wl,--subsystem,console -mno-cygwin
+TARGET_DEL	= $(TARGET).exe
+else # DEV_CYGWIN
+CC := /usr/bin/gcc
+LD	= /usr/bin/gcc
+LDFLAGS	+= -Wl
+LDLIBS	+= -ldl -lnsl
+TARGET_DEL	= $(TARGET)
+endif # DEV_CYGWIN
+
+ifeq ($(USE_DUMMY_KEY),TRUE)
+CFLAGS += -DUSE_DUMMY_KEY
+endif
+
+ifeq ($(DEBUG_PRINT),TRUE)
+CFLAGS += -DDEBUG_PRINT
+endif
+
+ifeq ($(DEBUG_OUTPUT),TRUE)
+CFLAGS += -DDEBUG_OUTPUT_FILE
+endif
+
+ifeq ($(ECDSA_SHA256),TRUE)
+CFLAGS += -DECDSA_SHA256
+endif
+
+ifeq ($(USE_HSM),TRUE)
+CFLAGS  += -DUSE_HSM
+CPPFLAGS+= $(NFAST_CPPFLAGS)
+LDLIBS  += $(NFAST_LDLIBS)
+MERGE_PROG = merge_lib_objs_hsm.plx
+endif
+
+ifeq ($(RESET_HSM),TRUE)
+CFLAGS += -DRESET_HSM
+endif
+
+.SUFFIXES:
+
+all: package_build $(KEYS_C) $(TARGET_LIB) $(TARGET) 
+
+# install: $(TARGET)
+#	install -c -m 777 $(TARGET) ../bin
+
+ifeq ($(DEV_CYGWIN),TRUE)
+package_build :
+	cd $(PACKAGE_DIR);make DEV_CYGWIN=TRUE
+else
+package_build :
+	cd $(PACKAGE_DIR);make
+endif
+
+$(TARGET): $(OBJS) $(TARGET_LIB)
+	$(LD) $(LDFLAGS) $(OBJS) -o $@ $(TARGET_LIB)
+
+$(TARGET_LIB): $(LIB_OBJS)
+	ar rcs $@ $(LIB_OBJS)
+	perl tools/$(MERGE_PROG)
+
+%.o:%.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
+
+#%.c:$(DER_KEY_DIR)/%.der
+#	perl tools/bin2c.plx $<
+
+cr_eFuse_privKey_prod.c : $(PROD_DER_KEY_DIR)/eFuse_privKey.der
+	perl tools/bin2c.plx $< prod
+
+cr_eFuse_pubKey_prod.c : $(PROD_DER_KEY_DIR)/eFuse_pubKey.der
+	perl tools/bin2c.plx $< prod
+
+cr_eFuse_aesKey_prod.c : $(PROD_DER_KEY_DIR)/eFuse_aesKey.bin
+	perl tools/bin2c.plx $< prod
+
+cr_eFuse_iv_prod.c : $(PROD_DER_KEY_DIR)/eFuse_iv.bin
+	perl tools/bin2c.plx $< prod
+
+cr_NCT2_priv_prod.c : $(PROD_DER_KEY_DIR)/NCT2_priv.der
+	perl tools/bin2c.plx $< prod
+
+cr_NCT2_pub_prod.c : $(PROD_DER_KEY_DIR)/NCT2_pub.der
+	perl tools/bin2c.plx $< prod
+
+
+cr_eFuse_privKey_dev.c : $(DEV_DER_KEY_DIR)/eFuse_privKey.der
+	perl tools/bin2c.plx $< dev
+
+cr_eFuse_pubKey_dev.c : $(DEV_DER_KEY_DIR)/eFuse_pubKey.der
+	perl tools/bin2c.plx $< dev
+
+cr_eFuse_aesKey_dev.c : $(DEV_DER_KEY_DIR)/eFuse_aesKey.bin
+	perl tools/bin2c.plx $< dev
+
+cr_eFuse_iv_dev.c : $(DEV_DER_KEY_DIR)/eFuse_iv.bin
+	perl tools/bin2c.plx $< dev
+
+cr_NCT2_priv_dev.c : $(DEV_DER_KEY_DIR)/NCT2_priv.der
+	perl tools/bin2c.plx $< dev
+
+cr_NCT2_pub_dev.c : $(DEV_DER_KEY_DIR)/NCT2_pub.der
+	perl tools/bin2c.plx $< dev
+
+
+.PHONY: clean clobber
+clean:
+	$(RM) $(LIB_OBJS) $(OBJS) $(TARGET_DEL) $(TARGET_LIB) $(KEYS_C) $(KEYS_H)
+
+clobber:
+	$(RM) $(LIB_OBJS) $(OBJS) $(TARGET_DEL) $(TARGET_LIB) $(KEYS_C) $(KEYS_H)
+	cd $(PACKAGE_DIR);make clobber
+

trunk/cr_device_cert.c

@@ -167,6 +167,7 @@ const u8 issuerName[] = {
 };
 
 static void BN2BinWithPadding( BIGNUM *pBn, u8 *pDst, int dstLen );
+static void ConstructCTRDeviceCert( CR_DeviceCert *pDeviceCert, EC_KEY *pECkey, u8 bonding_option, u32 device_id, u32 expiryDate );
 
 
 // create CTR Device cert
@@ -451,3 +452,116 @@ static void BN2BinWithPadding( BIGNUM *pBN, u8 *pDst, int dstLen )
 		pDst[ dstLen - 1 - i ] = buffer[ bnByteLen - 1 - i ];
 	}
 }
+
+
+// eFuseIDをもとにデバイス署名のチェック
+int CheckCTRDeviceCert( EC_KEY *pECkey, u32 device_id, u8 bonding_option, u8 *pDevCertSign, u32 expiryDate )
+{
+	int ret_code = CR_GENID_SUCCESS;
+	CR_DeviceCert deviceCert;
+	EC_KEY *NCT2 = NULL;
+	u8 sha256Buf[ SHA256_DIGEST_LENGTH ];
+
+	ConstructCTRDeviceCert( &deviceCert, pECkey, bonding_option, device_id, expiryDate );
+
+	// CR_DeviceCertのSHA256計算
+	SHA256( deviceCert.issuerName, (int)&deviceCert + sizeof(CR_DeviceCert) - (int)deviceCert.issuerName, sha256Buf );
+
+	// ECDSA署名検証
+	{
+		// bonding_option によって、鍵を差し替え
+		const unsigned char *der_pub = bonding_option ? cr_NCT2_pub_dev : cr_NCT2_pub_prod;
+		int pub_len = der_pub[ 8 ] | der_pub[ 9 ] << 8;	// KEY長を取り出し
+		der_pub += 0x10; // ヘッダ部分を除外してKEY実体を指定
+
+		// BIT STRING の実データ部分のみを指定するよう調整
+		pub_len = der_pub[0x15] - 1;
+		der_pub += 0x17;
+		
+		// ECC公開鍵の読み込み
+		NCT2 = EC_KEY_new_by_curve_name( NID_sect233r1 );
+		if( NCT2 == NULL ) {
+			SetErrorInfo( __FUNCTION__, __LINE__ );
+			ret_code = CR_GENID_ERROR_ECC_KEY_NEW;
+			goto end;
+		}
+		if( o2i_ECPublicKey( &NCT2, &der_pub, pub_len ) == NULL ) {
+			SetErrorInfo( __FUNCTION__, __LINE__ );
+			ret_code = CR_GENID_ERROR_ECC_READ_PUBLIC_KEY;
+			goto end;
+		}
+		
+		// ECDSA署名（DER）を再構築
+		u8 signBuf[70];
+		int signLen = 66;
+		memset( signBuf, 0, sizeof( signBuf ) );
+		signBuf[0] = 0x30;
+		signBuf[1] = 0x40;
+		signBuf[2] = 0x02;
+		signBuf[3] = 0x1E;
+		memcpy( &signBuf[4], &pDevCertSign[0], 0x1E );
+		signBuf[0x22] = 0x02;
+		signBuf[0x23] = 0x1E;
+		memcpy( &signBuf[0x24], &pDevCertSign[30], 0x1E );	
+
+		// 署名ベリファイ
+		ret_code = ECDSA_verify( 0, sha256Buf, 32, signBuf, signLen, NCT2 );
+		if( ret_code != 1) {
+			ret_code = CR_GENID_ERROR_ECDSA_VERIFY;
+			SetErrorInfo( __FUNCTION__, __LINE__ );
+			goto end;
+		}
+	}
+
+	ret_code = CR_GENID_SUCCESS;
+
+end:
+	if( NCT2 ) EC_KEY_free( NCT2 );
+
+	return ret_code;
+}
+
+
+// 指定パラメータをもとにデバイス証明書を構築（署名なし）
+static void ConstructCTRDeviceCert( CR_DeviceCert *pDeviceCert, EC_KEY *pECkey, u8 bonding_option, u32 device_id, u32 expiryDate )
+{
+	int i;
+
+	memset( pDeviceCert, 0, sizeof(CR_DeviceCert) );
+
+	// sigType
+	// ECDSA+SHA256 = 0x00010005, ECDSA+SHA1 = 0x00010002
+	pDeviceCert->sigType[0] = 0x00;
+	pDeviceCert->sigType[1] = 0x01;
+	pDeviceCert->sigType[2] = 0x00;
+#ifdef ECDSA_SHA256
+	pDeviceCert->sigType[3] = 0x05;
+#else	// !ECDSA_SHA256
+	pDeviceCert->sigType[3] = 0x02;
+#endif	// ECDSA_SHA256
+
+	// issuerName
+	for( i = 0; i < sizeof(issuerName); i++ ) {
+		pDeviceCert->issuerName[ i ] = issuerName[ i ] ^ 0x5a;
+	}
+	sprintf( &pDeviceCert->issuerName[ sizeof(issuerName) ], "%s", bonding_option ? "dev" : "prod" );
+
+	// keyType  0x00000002 ECC233
+	pDeviceCert->keyType[0] = 0x00;
+	pDeviceCert->keyType[1] = 0x00;
+	pDeviceCert->keyType[2] = 0x00;
+	pDeviceCert->keyType[3] = 0x02;
+
+	// subject	: CT + device_id + bonding_option
+	sprintf( pDeviceCert->subject, "CT%08X-%02X", (unsigned int)device_id, bonding_option );
+
+	// expiryDate
+	pDeviceCert->expiryDate = expiryDate;
+
+	// eccPubKey
+	BN2BinWithPadding( &pECkey->pub_key->X, &pDeviceCert->eccPubKey[  0 ], 30 );
+	BN2BinWithPadding( &pECkey->pub_key->Y, &pDeviceCert->eccPubKey[ 30 ], 30 );
+
+	DEBUG_PRINT_ARRAY( (char*)"deviceCert", (const char *)pDeviceCert, sizeof(CR_DeviceCert) );
+}
+

trunk/cr_enc_id.c

@@ -210,6 +210,25 @@ int crypto_aes_enc_dec( unsigned char *dst_buf, unsigned char *org_buf, u8 bondi
 	return CR_GENID_SUCCESS;
 }	// hsm_crypto_aes_enc_dec
 
+
+int crypto_aes_dec( unsigned char *dst_buf, unsigned char *org_buf, u8 bonding_option )
+{
+	int i;
+	int ret_code = CR_GENID_SUCCESS;
+	char *pIV = (char *)( bonding_option ? cr_eFuse_iv_dev : cr_eFuse_iv_prod ) + 0x10;
+	
+	// decyrpt
+	ret_code = hsm_aes_decrypt( dst_buf, org_buf, CR_ID_BUF_SIZE, bonding_option, pIV );
+	if ( ret_code != CR_GENID_SUCCESS )
+	{
+		SetErrorInfo( __FUNCTION__, __LINE__ );
+		return ret_code;
+	}
+	
+	return CR_GENID_SUCCESS;
+}	// hsm_crypto_aes_enc_dec
+
+
 #else // !USE_HSM
 
 int crypto_aes_enc_dec( unsigned char *dst_buf, unsigned char *org_buf, u8 bonding_option )
@@ -258,6 +277,27 @@ int crypto_aes_enc_dec( unsigned char *dst_buf, unsigned char *org_buf, u8 bondi
 	return CR_GENID_SUCCESS;
 }	// crypto_aes_enc_dec
 
+int crypto_aes_dec( unsigned char *dst_buf, unsigned char *org_buf, u8 bonding_option )
+{
+	AES_KEY	aesDecKey;
+	u8 temp_iv[16];
+	// 鍵データ取り出し。（ヘッダ部分0x10を除去。）
+	char *pAesKey = (char *)( bonding_option ? cr_eFuse_aesKey_dev : cr_eFuse_aesKey_prod ) + 0x10;
+	char *pIV     = (char *)( bonding_option ? cr_eFuse_iv_dev : cr_eFuse_iv_prod ) + 0x10;
+
+	if ( AES_set_decrypt_key( pAesKey, 128, &aesDecKey ) != 0 )
+	{
+		SetErrorInfo( __FUNCTION__, __LINE__ );
+		return CR_GENID_ERROR_AES_DEC;
+	}
+	
+	memcpy( temp_iv, pIV, 16 );
+	AES_cbc_encrypt ( org_buf, dst_buf, CR_ID_BUF_SIZE, &aesDecKey, temp_iv, AES_DECRYPT );
+	
+	return CR_GENID_SUCCESS;
+}	// crypto_aes_enc_dec
+
+
 #endif	// USE_HSM
 
 #else   // !ENCRYPT_AES

trunk/cr_generate_id_private.h

@@ -214,6 +214,7 @@ typedef struct {
 extern int  GetTimestamp( u8 *pYear, u8 *pMonth, u8 *pMday, u8 *pHour, u8 *pMin, u8 *pSec, time_t *pTime);
 extern int  GenerateRandom( u8 *pDst, int length );
 extern int  GenarateECCKeyPair( EC_KEY **ppECkey, u8 *pECPrivkey );
+extern int  SetECCKeyPair( EC_KEY **ppECkey, u8 *pECPrivkey );
 
 extern void InitErrorInfo( void );
 extern void SetErrorInfo( const char *funcName, u32 line );
@@ -221,6 +222,7 @@ extern void GetErrorInfo( char *stack, u8 *size );
 
 extern int  TestECDSA( EC_KEY *pECkey );
 extern int  GenerateCTRDeviceCert( EC_KEY *pECkey, u32 device_id, u8 bonding_option, u8 *pDevCertSign, u32 *pExpiryDate );
+extern int  CheckCTRDeviceCert( EC_KEY *pECkey, u32 device_id, u8 bonding_option, u8 *pDevCertSign, u32 expiryDate );
 extern int  EncryptID( unsigned char *dst_buf, unsigned char *org_buf, u8 bonding_option );
 extern void DebugPrintArray( char *pStr, const u8 *pData, int length );
 extern void DebugFileOutput( u32 device_id, char *pSuffix, const u8 *pSrc, int length );

trunk/cr_keyPair.c

@@ -308,3 +308,45 @@ int TestECDSA( EC_KEY *pECkey )
 	
 	return CR_GENID_SUCCESS;
 }
+
+
+// 指定された秘密鍵をそのままセットして、そこから公開鍵を生成する。
+int SetECCKeyPair( EC_KEY **ppECkey, u8 *pECPrivkey )
+{
+	int openssl_result = 0;
+	BIGNUM *bn_privkey = NULL;
+
+	// 楕円を選択   ( NID_X9_62_prime256v1 -> 32bytesまで、 NID_sect571r1 -> 71bytesまで 署名にデータを含められる )
+	*ppECkey = EC_KEY_new_by_curve_name( NID_sect233r1 );
+	if( *ppECkey == NULL )
+	{
+		SetErrorInfo( __FUNCTION__, __LINE__ );
+		return CR_GENID_ERROR_ECC_KEY_NEW;
+	}
+
+	// 指定された秘密鍵をそのままセット
+	bn_privkey = BN_new();
+	if( bn_privkey == NULL ) 
+	{
+		SetErrorInfo( __FUNCTION__, __LINE__ );
+	    return CR_GENID_ERROR_BN_NEW;
+	}
+	BN_init( bn_privkey ); /* memset(a,0,sizeof(BIGNUM)); */
+	(void)BN_bin2bn( pECPrivkey, EC_PRIVATE_KEY_LENGTH, bn_privkey );
+	(*ppECkey)->priv_key = bn_privkey;
+	
+	// 公開鍵生成
+	openssl_result = generate_EC_public_key( *ppECkey );
+	if ( openssl_result == 0 )
+	{
+		SetErrorInfo( __FUNCTION__, __LINE__ );
+		return CR_GENID_ERROR_ECC_GENERATE_PUBLIC_KEY;
+	}
+
+	// ASN.1 形式指定フラグをセットする
+	// (これをセットしないと色々変なフィールドが入ってしまうため)
+	EC_KEY_set_asn1_flag( *ppECkey, 1 );
+
+	return CR_GENID_SUCCESS;
+}
+

trunk/main2.c

@@ -0,0 +1,239 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+
+#ifdef DEV_CYGWIN
+#include <conio.h>
+#else	// Cygwin
+#include <termios.h>
+#include <unistd.h>
+#endif	// Linux
+
+#include <openssl/sha.h>
+#include <openssl/x509.h>
+
+#include "cr_generate_id.h"
+#include "cr_generate_id_private.h"
+#include "cr_alloc.h"
+
+
+extern int crypto_aes_dec( unsigned char *dst_buf, unsigned char *org_buf, u8 bonding_option );
+
+int main(int argc, char *argv[])
+{
+	int ret_code = 0;
+	int fileLen;
+	int bondingOption = 0;
+	u8  *pFileBuf = NULL;
+	u8  err_buf[ 256 ];
+
+	if( argc < 3 ) {
+		printf( "parameter error.\n" );
+		printf( "Usage: testSharpID.exe [bondingOption] [FILE]\n" );
+		return 1;
+	}
+	// ボンディングオプション読み込み
+	bondingOption = atoi( argv[ 1 ] );
+	printf( "bondingOption = %d\n", bondingOption );
+
+	// eFuseIDサンプルファイル読み込み
+	{
+		FILE *fp;
+		int readLen;
+		struct stat fileStat;
+		
+		if( stat( argv[2], &fileStat ) || !S_ISREG( fileStat.st_mode ) ) {
+			ret_code = 1;
+		    goto end;
+		}
+		fileLen = fileStat.st_size;
+		if ( fileLen < 0 ) {
+			ret_code = 1;
+		    goto end;
+		}
+		pFileBuf = malloc( fileLen );
+		if( pFileBuf == NULL ) {
+			ret_code = 1;
+			goto end;
+		}
+		memset( pFileBuf, 0, fileLen );
+		fp = fopen( argv[2], "rb" );
+		
+		if( fp == NULL ) {
+			fprintf( stderr, "failed to fopen %s\n", argv[2] );
+		}
+		// 先頭２行を読み捨て
+		if( fgets( pFileBuf, 1024, fp ) != NULL ) {
+			fileLen  -= strlen( pFileBuf );
+		}
+		if( fgets( pFileBuf, 1024, fp ) != NULL ) {
+			fileLen  -= strlen( pFileBuf );
+		}
+		// 実データ部分の読み込み
+		readLen = fread( pFileBuf, 1, fileLen, fp );
+		fclose( fp );
+		if( readLen < fileLen ) {
+			ret_code = 1;
+			printf( "read error %x\n", readLen );
+			goto end;
+		}
+	}
+	
+	// cr_generate_id を使用する前に呼び出す
+	ret_code = cr_generate_id_initialize( err_buf );
+	if ( ret_code != CR_GENID_SUCCESS )
+	{
+		printf( "error : cr_generate_id_initialize\n" );
+		return 0;	// error
+	}
+	
+	// ファイルの内容を各eFuseIDに分解して、検証
+	{
+		int completeLen = 0;
+		int index = 0;
+		int i;
+		int serial[ 5 ];
+		u8 enc_buf[ sizeof(CR_ID_BUFFER) ];
+		u8 dec_buf[ sizeof(CR_ID_BUFFER) ];
+		char *pFile = pFileBuf;
+		char *pEnc  = (char *)enc_buf;
+
+		while( 1 ) {
+			int num;
+			int temp;
+		    EC_KEY *deviceKeyPair = NULL;
+			
+			memset( serial,     0, sizeof(serial) );
+			memset( enc_buf, 0, sizeof(enc_buf) );
+			if( ( num = sscanf( pFile, "%08x, %08x %08x, %08x %08x, ", &serial[0], &serial[2], &serial[1], &serial[4], &serial[3] ) ) < 5 ) {
+				
+				printf( "sscanf NG.\n" );
+				ret_code = 2;
+				break;
+			}
+		    pFile += 48;
+			for( i = 0; i < sizeof(CR_ID_BUFFER); i++ ) {
+				if( sscanf( pFile, "%02x", &temp ) == 0 ) {
+					ret_code = 2;
+					printf( "sscanf 2 NG.\n" );
+					goto end;
+				}
+				pEnc[ i ] = (char)temp;
+				pFile+=2;
+			}
+			pFile++; // \n
+			completeLen += 48 + 512 + 1;
+			
+			DebugFileOutput( serial[ 0 ], "enc", pEnc, 256 );
+			
+			{
+				int i;
+				int isFailed = 0;
+				CR_ID_BUFFER *peFuse = (CR_ID_BUFFER *)dec_buf;
+				u8 sha256buf[ SHA256_DIGEST_LENGTH ];
+				
+				printf( "ID[ %04d ]:\n", index );
+				if( crypto_aes_dec( dec_buf, enc_buf, bondingOption ) != CR_GENID_SUCCESS ) {
+					printf( "  eFuse decrypto NG.\n" );
+					ret_code = 3;
+					goto end;
+				}
+
+				DEBUG_PRINT_ARRAY( (char*)"dec_buf", (const char *)dec_buf, sizeof(CR_ID_BUFFER) );
+//				DebugFileOutput( serial[ 0 ], "raw", dec_buf, 256 );
+
+				// bondingOption チェック
+				if( bondingOption == peFuse->bonding_option ) {
+					printf( "  bondingOption OK.\n" );
+				}else {
+					printf( "  bondingOption NG.\n" );
+				}
+
+				// デバイス証明書期限の確認
+				{
+					struct tm *gt = gmtime( &peFuse->expiryDate );
+					struct timeval tv;
+					gettimeofday( &tv, NULL );
+					printf( "  expiryDate : %d/%d/%d %d:%d:%d",
+							gt->tm_year+1900,
+							gt->tm_mon+1,
+							gt->tm_mday,
+							gt->tm_hour,
+							gt->tm_min,
+							gt->tm_sec );
+					if( peFuse->expiryDate >= tv.tv_sec + ( 60*60*24*365* 19 ) ) {
+						printf( "  OK.\n" );
+					}else {
+						printf( "  NG.\n" );
+					}
+				}
+				
+				// serialNo. チェック
+				for( i = 0; i < 5; i++ ) {
+					if( serial[ i ] != peFuse->device_id[ i ] ) {
+						isFailed = 1;
+						printf( "  serial[ %d ] NG : %08x %08x\n", i, (unsigned int)serial[ i ], (unsigned int)peFuse->device_id[ i ] );
+					}
+				}
+				if( !isFailed ) {
+					printf( "  serial OK.\n" );
+				}
+				
+				//---------------------------------------------
+				// openssl 使用区間
+				cr_mem_bufmgr_initialize();
+				OpenSSL_add_all_digests();
+				
+				// SHA256ハッシュ チェック
+				SHA256( dec_buf, CR_ID_BUF_SIZE - SHA256_DIGEST_LENGTH, sha256buf );
+				if( memcmp( peFuse->hash, sha256buf, SHA256_DIGEST_LENGTH ) == 0 ) {
+					printf( "  SHA256 hash OK.\n" );
+				}else {
+					printf( "  SHA256 hash NG.\n" );
+				}
+				
+				// デバイス署名のチェック
+				ret_code = SetECCKeyPair( &deviceKeyPair, peFuse->devicePrivKey );
+				if ( ret_code != CR_GENID_SUCCESS ) {
+					printf( "  deviceKeyPair NG.\n" );
+				}else {
+					if( CheckCTRDeviceCert( deviceKeyPair, peFuse->device_id[0], bondingOption,
+											peFuse->deviceCertSign, peFuse->expiryDate ) != CR_GENID_SUCCESS ) {
+						printf( "  deviceCert verify NG.\n" );
+					}else {
+						printf( "  deviceCert verify OK.\n" );
+					}
+					if( deviceKeyPair ) {
+						EC_KEY_free( deviceKeyPair );
+					}
+				}
+				ERR_remove_state(0);
+				EVP_cleanup();
+				CRYPTO_cleanup_all_ex_data();
+				// openssl 使用区間終わり
+				//------------------------------------------------
+			}
+			if( completeLen >= fileLen ) break;
+			index++;
+		}
+	}
+
+end:
+	if( pFileBuf ) free( pFileBuf );
+
+	// cr_generate_id を使用した後に呼び出す
+	ret_code = cr_generate_id_finalize( err_buf );
+	if ( ret_code != CR_GENID_SUCCESS )
+	{
+		printf( "error : cr_generate_id_finalize\n" );
+		return 0;	// error
+	}
+
+	printf("end of main\n");
+	return 0;
+}
+
+