hsm_utils:RSA鍵インポートプログラム整理
git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@115 ff987cc8-cf2f-4642-8568-d52cce064691
parent
cb9e43f645
commit
ebd20afe39
@ -31,13 +31,6 @@
|
||||
#define MODULE_ID 1
|
||||
#define DATA_LEN 256 // bytes
|
||||
|
||||
typedef struct _NFast_Call_Context
|
||||
{
|
||||
int notused;
|
||||
}
|
||||
NFast_Call_Context;
|
||||
NFast_Call_Context context;
|
||||
|
||||
// RSA private key data
|
||||
typedef struct
|
||||
{
|
||||
@ -48,7 +41,7 @@ typedef struct
|
||||
struct NFast_Bignum *iqmp;
|
||||
struct NFast_Bignum *e;
|
||||
}
|
||||
RSAPrivateKeyData;
|
||||
RSAPrivateKeyDataBn;
|
||||
|
||||
// RSA public key data
|
||||
typedef struct
|
||||
@ -58,8 +51,224 @@ typedef struct
|
||||
}
|
||||
RSAPublicKeyData;
|
||||
|
||||
// global variable
|
||||
NFast_AppHandle handle;
|
||||
NFastApp_Connection nc;
|
||||
NFKM_WorldInfo *world = NULL;
|
||||
RQCard card;
|
||||
RQCard_FIPS fips;
|
||||
M_KeyID ltid = 0; // the cardset loaded into the module
|
||||
NFKM_CardSet *cardset = NULL;
|
||||
|
||||
// function
|
||||
int importRSAPrivate( void );
|
||||
void PrintArray( char *pStr, const unsigned char *pData, int length );
|
||||
|
||||
int importRSAPrivate( NFKM_KeyIdent keyident )
|
||||
{
|
||||
RSA *privkey = NULL;
|
||||
FILE *fp;
|
||||
|
||||
unsigned char *pPtr, *qPtr, *dmp1Ptr, *dmq1Ptr, *iqmpPtr, *ePtr;
|
||||
int pLen, qLen, dmp1Len, dmq1Len, iqmpLen, eLen;
|
||||
|
||||
M_Command cmd;
|
||||
M_Reply reply;
|
||||
NFKM_MakeACLParams map;
|
||||
NFKM_MakeBlobsParams mbp;
|
||||
NFKM_Key reg_key;
|
||||
RSAPrivateKeyDataBn *privBn = NULL;
|
||||
|
||||
pPtr = qPtr = dmp1Ptr = dmq1Ptr = iqmpPtr = ePtr = NULL;
|
||||
pLen = qLen = dmp1Len = dmq1Len = iqmpLen = eLen = 0;
|
||||
memset( &cmd, 0, sizeof( cmd ) );
|
||||
memset( &reply, 0, sizeof( reply ) );
|
||||
memset( &map, 0, sizeof( map ) );
|
||||
memset( &mbp, 0, sizeof( mbp ) );
|
||||
memset( ®_key, 0, sizeof( reg_key ) );
|
||||
|
||||
// key data open
|
||||
fp = fopen( PRIV_KEY_FILE, "rb" );
|
||||
if ( !fp )
|
||||
{
|
||||
printf( "error : open %s file\n", PRIV_KEY_FILE );
|
||||
return 1;
|
||||
}
|
||||
privkey = d2i_RSAPrivateKey_fp( fp, NULL );
|
||||
if ( !privkey )
|
||||
{
|
||||
printf( "error : d2i_RSAPrivateKey_fp\n" );
|
||||
return 1;
|
||||
}
|
||||
fclose( fp );
|
||||
|
||||
#if 0
|
||||
printf( "RSA(p) : %d bytes\n", BN_num_bytes( privkey->p ) );
|
||||
printf( "RSA(q) : %d bytes\n", BN_num_bytes( privkey->q ) );
|
||||
printf( "RSA(dmp1) : %d bytes\n", BN_num_bytes( privkey->dmp1 ) );
|
||||
printf( "RSA(dmq1) : %d bytes\n", BN_num_bytes( privkey->dmq1 ) );
|
||||
printf( "RSA(iqmp) : %d bytes\n", BN_num_bytes( privkey->iqmp ) );
|
||||
printf( "RSA(e) : %d bytes\n", BN_num_bytes( privkey->e ) );
|
||||
#endif
|
||||
|
||||
// RSA priv key の構成要素をそれぞれバイナリに変換
|
||||
{
|
||||
// p
|
||||
pLen = BN_num_bytes( privkey->p );
|
||||
pPtr = (char *)malloc( pLen );
|
||||
if ( pLen != BN_bn2bin( privkey->p, pPtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(p)\n" );
|
||||
return 1;
|
||||
}
|
||||
// q
|
||||
qLen = BN_num_bytes( privkey->q );
|
||||
qPtr = (char *)malloc( qLen );
|
||||
if ( qLen != BN_bn2bin( privkey->q, qPtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(q)\n" );
|
||||
return 1;
|
||||
}
|
||||
// dmp1
|
||||
dmp1Len = BN_num_bytes( privkey->dmp1 );
|
||||
dmp1Ptr = (char *)malloc( dmp1Len );
|
||||
if ( dmp1Len != BN_bn2bin( privkey->dmp1, dmp1Ptr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(dmp1)\n" );
|
||||
return 1;
|
||||
}
|
||||
|
||||
// dmq1
|
||||
dmq1Len = BN_num_bytes( privkey->dmq1 );
|
||||
dmq1Ptr = (char *)malloc( dmq1Len );
|
||||
if ( dmq1Len != BN_bn2bin( privkey->dmq1, dmq1Ptr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(dmq1)\n" );
|
||||
return 1;
|
||||
}
|
||||
// iqmp
|
||||
iqmpLen = BN_num_bytes( privkey->iqmp );
|
||||
iqmpPtr = (char *)malloc( iqmpLen );
|
||||
if ( iqmpLen != BN_bn2bin( privkey->iqmp, iqmpPtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(dmq1)\n" );
|
||||
return 1;
|
||||
}
|
||||
// e
|
||||
eLen = BN_num_bytes( privkey->e );
|
||||
ePtr = (char *)malloc( eLen );
|
||||
if ( eLen != BN_bn2bin( privkey->e, ePtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(e)\n" );
|
||||
return 1;
|
||||
}
|
||||
} // rsa bignum(openssl) -> bin
|
||||
|
||||
// バイナリをHSMのBignumに変換
|
||||
{
|
||||
my_bin2bignum( &(privBn->p), handle, pPtr, pLen );
|
||||
my_bin2bignum( &(privBn->q), handle, qPtr, qLen );
|
||||
my_bin2bignum( &(privBn->dmp1), handle, dmp1Ptr, dmp1Len );
|
||||
my_bin2bignum( &(privBn->dmq1), handle, dmq1Ptr, dmq1Len );
|
||||
my_bin2bignum( &(privBn->iqmp), handle, iqmpPtr, iqmpLen );
|
||||
my_bin2bignum( &(privBn->e), handle, ePtr, eLen );
|
||||
free( pPtr );
|
||||
free( qPtr );
|
||||
free( dmp1Ptr );
|
||||
free( dmq1Ptr );
|
||||
free( iqmpPtr );
|
||||
free( ePtr );
|
||||
}
|
||||
|
||||
#if 0
|
||||
printf( "RSA(p) : 0x%08X\n", (unsigned int)privBn->p );
|
||||
printf( "RSA(q) : 0x%08X\n", (unsigned int)privBn->q );
|
||||
printf( "RSA(dmp1) : 0x%08X\n", (unsigned int)privBn->dmp1 );
|
||||
printf( "RSA(dmq1) : 0x%08X\n", (unsigned int)privBn->dmq1 );
|
||||
printf( "RSA(iqmp) : 0x%08X\n", (unsigned int)privBn->iqmp );
|
||||
printf( "RSA(e) : 0x%08X\n", (unsigned int)privBn->e );
|
||||
#endif
|
||||
|
||||
// make ACL
|
||||
if ( cardset != NULL )
|
||||
map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet;
|
||||
else
|
||||
map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionModule;
|
||||
// 秘密鍵には DECRYPT と SIGN
|
||||
// 公開鍵には ENCRYPT と VERIFY しかセットできない??
|
||||
map.op_base = NFKM_DEFOPPERMS_DECRYPT | NFKM_DEFOPPERMS_SIGN;
|
||||
map.cs = cardset;
|
||||
result = NFKM_newkey_makeaclx( handle, nc, world, &map, &(cmd.args.import.acl), NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_newkey_makeaclx\n", result );
|
||||
return result;
|
||||
}
|
||||
|
||||
printf( "import.\n" );
|
||||
|
||||
// import key
|
||||
cmd.cmd = Cmd_Import;
|
||||
cmd.args.import.module = MODULE_ID;
|
||||
cmd.args.import.data.type = KeyType_RSAPrivate;
|
||||
cmd.args.import.data.data.rsaprivate.p = pBn;
|
||||
cmd.args.import.data.data.rsaprivate.q = qBn;
|
||||
cmd.args.import.data.data.rsaprivate.dmp1 = dmp1Bn;
|
||||
cmd.args.import.data.data.rsaprivate.dmq1 = dmq1Bn;
|
||||
cmd.args.import.data.data.rsaprivate.iqmp = iqmpBn;
|
||||
cmd.args.import.data.data.rsaprivate.e = eBn;
|
||||
result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : Cmd_Import\n", result );
|
||||
return 1;
|
||||
}
|
||||
result = reply.status;
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : Cmd_Import(reply)\n", result );
|
||||
return 1;
|
||||
}
|
||||
printf( "keyid : 0x%08X\n", (unsigned int)reply.reply.import.key );
|
||||
|
||||
// make blobs
|
||||
reg_key.v = Key__maxversion; // TORIAEZU Version Max (8)
|
||||
reg_key.name = keyident.ident;
|
||||
reg_key.appname = keyident.appname;
|
||||
reg_key.ident = keyident.ident;
|
||||
time( &(reg_key.gentime) );
|
||||
mbp.f = map.f;
|
||||
mbp.kpriv = reply.reply.import.key;
|
||||
mbp.lt = ltid;
|
||||
mbp.cs = cardset;
|
||||
result = NFKM_newkey_makeblobsx( handle, nc, world, &mbp, ®_key, NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_newkey_makeblobsx\n", result );
|
||||
return 1;
|
||||
}
|
||||
|
||||
printf( "recordkey.\n" );
|
||||
|
||||
// record key to disk
|
||||
result = NFKM_recordkey( handle, ®_key, NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_recordkey\n", result );
|
||||
return 1;
|
||||
}
|
||||
|
||||
// destroy key
|
||||
result = NFKM_cmd_destroy( handle, nc, 0, reply.reply.import.key, "destroy import key", NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_cmd_destroy\n", result );
|
||||
return 1;
|
||||
}
|
||||
|
||||
printf( "record key success.\n" );
|
||||
} // import_rsa_private
|
||||
|
||||
void PrintArray( char *pStr, const unsigned char *pData, int length )
|
||||
{
|
||||
int i;
|
||||
@ -70,7 +279,7 @@ void PrintArray( char *pStr, const unsigned char *pData, int length )
|
||||
printf( "%02X ", pData[ i ] );
|
||||
}
|
||||
printf( "\n" );
|
||||
}
|
||||
} // PrintArray
|
||||
|
||||
int main( int argc, char *argv[] )
|
||||
{
|
||||
@ -84,108 +293,11 @@ int main( int argc, char *argv[] )
|
||||
memset( &cmd, 0, sizeof( cmd ) );
|
||||
memset( &reply, 0, sizeof( reply ) );
|
||||
|
||||
NFast_AppHandle handle;
|
||||
NFastApp_Connection nc;
|
||||
NFKM_WorldInfo *world = NULL;
|
||||
RQCard card;
|
||||
RQCard_FIPS fips;
|
||||
M_KeyID ltid = 0; // the cardset loaded into the module
|
||||
M_KeyID keyid;
|
||||
NFKM_Key *keyinfo;
|
||||
NFKM_CardSet *cardset = NULL;
|
||||
|
||||
if ( argc == 2 )
|
||||
rand_size = atoi( argv[1] );
|
||||
|
||||
// load rsa data (private)
|
||||
RSA *privkey = NULL;
|
||||
FILE *fp;
|
||||
fp = fopen( PRIV_KEY_FILE, "rb" );
|
||||
if ( !fp )
|
||||
{
|
||||
printf( "error : open %s file\n", PRIV_KEY_FILE );
|
||||
return 0;
|
||||
}
|
||||
privkey = d2i_RSAPrivateKey_fp( fp, NULL );
|
||||
if ( !privkey )
|
||||
{
|
||||
printf( "error : d2i_RSAPrivateKey_fp\n" );
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if 0
|
||||
printf( "RSA(p) : %d bytes\n", BN_num_bytes( privkey->p ) );
|
||||
printf( "RSA(q) : %d bytes\n", BN_num_bytes( privkey->q ) );
|
||||
printf( "RSA(dmp1) : %d bytes\n", BN_num_bytes( privkey->dmp1 ) );
|
||||
printf( "RSA(dmq1) : %d bytes\n", BN_num_bytes( privkey->dmq1 ) );
|
||||
printf( "RSA(iqmp) : %d bytes\n", BN_num_bytes( privkey->iqmp ) );
|
||||
printf( "RSA(e) : %d bytes\n", BN_num_bytes( privkey->e ) );
|
||||
#endif
|
||||
|
||||
// p
|
||||
unsigned char *pPtr;
|
||||
int pLen = BN_num_bytes( privkey->p );
|
||||
pPtr = (char *)malloc( pLen );
|
||||
if ( pLen != BN_bn2bin( privkey->p, pPtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(p)\n" );
|
||||
}
|
||||
|
||||
// q
|
||||
unsigned char *qPtr;
|
||||
int qLen = BN_num_bytes( privkey->q );
|
||||
qPtr = (char *)malloc( qLen );
|
||||
if ( qLen != BN_bn2bin( privkey->q, qPtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(q)\n" );
|
||||
}
|
||||
|
||||
// dmp1
|
||||
unsigned char *dmp1Ptr;
|
||||
int dmp1Len = BN_num_bytes( privkey->dmp1 );
|
||||
dmp1Ptr = (char *)malloc( dmp1Len );
|
||||
if ( dmp1Len != BN_bn2bin( privkey->dmp1, dmp1Ptr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(dmp1)\n" );
|
||||
}
|
||||
|
||||
// dmq1
|
||||
unsigned char *dmq1Ptr;
|
||||
int dmq1Len = BN_num_bytes( privkey->dmq1 );
|
||||
dmq1Ptr = (char *)malloc( dmq1Len );
|
||||
if ( dmq1Len != BN_bn2bin( privkey->dmq1, dmq1Ptr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(dmq1)\n" );
|
||||
}
|
||||
|
||||
// iqmp
|
||||
unsigned char *iqmpPtr;
|
||||
int iqmpLen = BN_num_bytes( privkey->iqmp );
|
||||
iqmpPtr = (char *)malloc( iqmpLen );
|
||||
if ( iqmpLen != BN_bn2bin( privkey->iqmp, iqmpPtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(dmq1)\n" );
|
||||
}
|
||||
|
||||
// e
|
||||
unsigned char *ePtr;
|
||||
int eLen = BN_num_bytes( privkey->e );
|
||||
ePtr = (char *)malloc( eLen );
|
||||
if ( eLen != BN_bn2bin( privkey->e, ePtr ) )
|
||||
{
|
||||
printf( "BN_bn2bin failed!(e)\n" );
|
||||
}
|
||||
|
||||
printf( "\n" );
|
||||
|
||||
#if 0
|
||||
printf( "RSA(p) : 0x%08X\n", (unsigned int)pPtr );
|
||||
printf( "RSA(q) : 0x%08X\n", (unsigned int)qPtr );
|
||||
printf( "RSA(dmp1) : 0x%08X\n", (unsigned int)dmp1Ptr );
|
||||
printf( "RSA(dmq1) : 0x%08X\n", (unsigned int)dmq1Ptr );
|
||||
printf( "RSA(iqmp) : 0x%08X\n", (unsigned int)iqmpPtr );
|
||||
printf( "RSA(e) : 0x%08X\n", (unsigned int)ePtr );
|
||||
#endif
|
||||
|
||||
// init nFast
|
||||
result = NFastApp_InitEx( &handle, NULL, NULL );
|
||||
@ -317,119 +429,14 @@ int main( int argc, char *argv[] )
|
||||
printf( "error(%d) : NFKM_getusablemodule\n", result );
|
||||
}
|
||||
|
||||
// make ACL
|
||||
NFKM_MakeACLParams map;
|
||||
memset( &map, 0, sizeof( map ) );
|
||||
if ( cardset != NULL )
|
||||
map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet;
|
||||
else
|
||||
map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionModule;
|
||||
// 暗号化と復号化、署名とベリファイなど、相反する操作を持たせることはできない(エラーになる)
|
||||
// e.g. NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY -> エラー
|
||||
// e.g. NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT -> エラー
|
||||
map.op_base = NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_DECRYPT;
|
||||
map.cs = cardset;
|
||||
result = NFKM_newkey_makeaclx( handle, nc, world, &map, &(cmd.args.import.acl), NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_newkey_makeaclx\n", result );
|
||||
}
|
||||
|
||||
#if 0
|
||||
// set bignum upcalls setting
|
||||
result = NFastApp_SetBignumUpcalls(
|
||||
handle,
|
||||
my_bignumreceiveupcall,
|
||||
my_bignumsendlenupcall,
|
||||
my_bignumsendupcall,
|
||||
my_bignumfreeupcall,
|
||||
my_bignumformatupcall,
|
||||
NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFastApp_SetBignumUpcalls\n", result );
|
||||
}
|
||||
#endif
|
||||
|
||||
// convert bin -> M_Bignum
|
||||
struct NFast_Bignum *pBn = NULL;
|
||||
struct NFast_Bignum *qBn = NULL;
|
||||
struct NFast_Bignum *dmp1Bn = NULL;
|
||||
struct NFast_Bignum *dmq1Bn = NULL;
|
||||
struct NFast_Bignum *iqmpBn = NULL;
|
||||
struct NFast_Bignum *eBn = NULL;
|
||||
|
||||
my_bin2bignum( &pBn, handle, pPtr, pLen );
|
||||
my_bin2bignum( &qBn, handle, qPtr, qLen );
|
||||
my_bin2bignum( &dmp1Bn, handle, dmp1Ptr, dmp1Len );
|
||||
my_bin2bignum( &dmq1Bn, handle, dmq1Ptr, dmq1Len );
|
||||
my_bin2bignum( &iqmpBn, handle, iqmpPtr, iqmpLen );
|
||||
my_bin2bignum( &eBn, handle, ePtr, eLen );
|
||||
|
||||
printf( "import ...\n" );
|
||||
|
||||
// import key
|
||||
// RSA privkey のインポート
|
||||
NFKM_KeyIdent keyident = { (char*)"simple", (char*)"rsa-import-privkey" };
|
||||
cmd.cmd = Cmd_Import;
|
||||
cmd.args.import.module = MODULE_ID;
|
||||
cmd.args.import.data.type = KeyType_RSAPrivate;
|
||||
cmd.args.import.data.data.rsaprivate.p = pBn;
|
||||
cmd.args.import.data.data.rsaprivate.q = qBn;
|
||||
cmd.args.import.data.data.rsaprivate.dmp1 = dmp1Bn;
|
||||
cmd.args.import.data.data.rsaprivate.dmq1 = dmq1Bn;
|
||||
cmd.args.import.data.data.rsaprivate.iqmp = iqmpBn;
|
||||
cmd.args.import.data.data.rsaprivate.e = eBn;
|
||||
result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL );
|
||||
result = importRSAPrivate( keyident );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : Cmd_Import\n", result );
|
||||
}
|
||||
result = reply.status;
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : Cmd_Import(reply)\n", result );
|
||||
}
|
||||
printf( "keyid : 0x%08X\n", (unsigned int)reply.reply.import.key );
|
||||
|
||||
printf( "done. next : make blob ...\n" );
|
||||
|
||||
// make blobs
|
||||
NFKM_MakeBlobsParams mbp;
|
||||
NFKM_Key reg_key;
|
||||
memset( &mbp, 0, sizeof( mbp ) );
|
||||
memset( ®_key, 0, sizeof( reg_key ) );
|
||||
|
||||
reg_key.v = Key__maxversion; // TORIAEZU Version Max (8)
|
||||
reg_key.name = keyident.ident;
|
||||
reg_key.appname = keyident.appname;
|
||||
reg_key.ident = keyident.ident;
|
||||
time( &(reg_key.gentime) );
|
||||
|
||||
mbp.f = map.f;
|
||||
mbp.kpriv = reply.reply.import.key;
|
||||
mbp.lt = ltid;
|
||||
mbp.cs = cardset;
|
||||
result = NFKM_newkey_makeblobsx( handle, nc, world, &mbp, ®_key, NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_newkey_makeblobsx\n", result );
|
||||
return 0;
|
||||
printf( "error(%d) : importRSAPrivate\n", result );
|
||||
}
|
||||
|
||||
printf( "done. next : record blob ...\n" );
|
||||
|
||||
// record key to disk
|
||||
result = NFKM_recordkey( handle, ®_key, NULL );
|
||||
if ( result != Status_OK )
|
||||
{
|
||||
printf( "error(%d) : NFKM_recordkey\n", result );
|
||||
}
|
||||
|
||||
printf( "record key success?\n" );
|
||||
|
||||
// destroy key
|
||||
result = NFKM_cmd_destroy( handle, nc, 0, reply.reply.import.key,
|
||||
"import.key", NULL );
|
||||
|
||||
// list key
|
||||
#if 0
|
||||
|
||||
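Review bot: In the new importRSAPrivate(), `privBn` is initialised to NULL and never allocated, so each `my_bin2bignum( &(privBn->p), ... )` call hands the helper an address derived from a null pointer, while the Cmd_Import arguments still name `pBn` … `eBn` and `result`, none of which is declared in this function as shown (they appear to have been locals of main()). Declaring it as a stack object, `RSAPrivateKeyDataBn privBn; memset( &privBn, 0, sizeof( privBn ) );`, and assigning `cmd.args.import.data.data.rsaprivate.p = privBn.p;` (likewise for the other five fields) would address both. The function also handles plaintext private-key components: the p/q/dmp1/dmq1/iqmp buffers are freed without being wiped, `privkey` is never released, the `malloc` results are not checked, and every early `return` skips the frees (and, after a failed `d2i_RSAPrivateKey_fp`, the `fclose`). A single cleanup path that calls `OPENSSL_cleanse()` on each buffer before `free()` and then `RSA_free( privkey )` would keep key material from lingering in heap memory. The success path also ends without a `return`, so the `result != Status_OK` check in main() reads an indeterminate value, and the `int importRSAPrivate( void );` prototype no longer matches the definition that takes `NFKM_KeyIdent keyident`.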