diff --git a/hsm_utils/import_rsa_keypair.c b/hsm_utils/import_rsa_keypair.c index ec9b29d..0071d5f 100644 --- a/hsm_utils/import_rsa_keypair.c +++ b/hsm_utils/import_rsa_keypair.c @@ -31,13 +31,6 @@ #define MODULE_ID 1 #define DATA_LEN 256 // bytes -typedef struct _NFast_Call_Context -{ - int notused; -} -NFast_Call_Context; -NFast_Call_Context context; - // RSA private key data typedef struct { @@ -48,7 +41,7 @@ typedef struct struct NFast_Bignum *iqmp; struct NFast_Bignum *e; } -RSAPrivateKeyData; +RSAPrivateKeyDataBn; // RSA public key data typedef struct @@ -58,8 +51,224 @@ typedef struct } RSAPublicKeyData; +// global variable +NFast_AppHandle handle; +NFastApp_Connection nc; +NFKM_WorldInfo *world = NULL; +RQCard card; +RQCard_FIPS fips; +M_KeyID ltid = 0; // the cardset loaded into the module +NFKM_CardSet *cardset = NULL; + +// function +int importRSAPrivate( void ); void PrintArray( char *pStr, const unsigned char *pData, int length ); +int importRSAPrivate( NFKM_KeyIdent keyident ) +{ + RSA *privkey = NULL; + FILE *fp; + + unsigned char *pPtr, *qPtr, *dmp1Ptr, *dmq1Ptr, *iqmpPtr, *ePtr; + int pLen, qLen, dmp1Len, dmq1Len, iqmpLen, eLen; + + M_Command cmd; + M_Reply reply; + NFKM_MakeACLParams map; + NFKM_MakeBlobsParams mbp; + NFKM_Key reg_key; + RSAPrivateKeyDataBn *privBn = NULL; + + pPtr = qPtr = dmp1Ptr = dmq1Ptr = iqmpPtr = ePtr = NULL; + pLen = qLen = dmp1Len = dmq1Len = iqmpLen = eLen = 0; + memset( &cmd, 0, sizeof( cmd ) ); + memset( &reply, 0, sizeof( reply ) ); + memset( &map, 0, sizeof( map ) ); + memset( &mbp, 0, sizeof( mbp ) ); + memset( ®_key, 0, sizeof( reg_key ) ); + + // key data open + fp = fopen( PRIV_KEY_FILE, "rb" ); + if ( !fp ) + { + printf( "error : open %s file\n", PRIV_KEY_FILE ); + return 1; + } + privkey = d2i_RSAPrivateKey_fp( fp, NULL ); + if ( !privkey ) + { + printf( "error : d2i_RSAPrivateKey_fp\n" ); + return 1; + } + fclose( fp ); + +#if 0 + printf( "RSA(p) : %d bytes\n", BN_num_bytes( privkey->p ) ); + printf( "RSA(q) : %d bytes\n", BN_num_bytes( privkey->q ) ); + printf( "RSA(dmp1) : %d bytes\n", BN_num_bytes( privkey->dmp1 ) ); + printf( "RSA(dmq1) : %d bytes\n", BN_num_bytes( privkey->dmq1 ) ); + printf( "RSA(iqmp) : %d bytes\n", BN_num_bytes( privkey->iqmp ) ); + printf( "RSA(e) : %d bytes\n", BN_num_bytes( privkey->e ) ); +#endif + + // RSA priv key の構成要素をそれぞれバイナリに変換 + { + // p + pLen = BN_num_bytes( privkey->p ); + pPtr = (char *)malloc( pLen ); + if ( pLen != BN_bn2bin( privkey->p, pPtr ) ) + { + printf( "BN_bn2bin failed!(p)\n" ); + return 1; + } + // q + qLen = BN_num_bytes( privkey->q ); + qPtr = (char *)malloc( qLen ); + if ( qLen != BN_bn2bin( privkey->q, qPtr ) ) + { + printf( "BN_bn2bin failed!(q)\n" ); + return 1; + } + // dmp1 + dmp1Len = BN_num_bytes( privkey->dmp1 ); + dmp1Ptr = (char *)malloc( dmp1Len ); + if ( dmp1Len != BN_bn2bin( privkey->dmp1, dmp1Ptr ) ) + { + printf( "BN_bn2bin failed!(dmp1)\n" ); + return 1; + } + + // dmq1 + dmq1Len = BN_num_bytes( privkey->dmq1 ); + dmq1Ptr = (char *)malloc( dmq1Len ); + if ( dmq1Len != BN_bn2bin( privkey->dmq1, dmq1Ptr ) ) + { + printf( "BN_bn2bin failed!(dmq1)\n" ); + return 1; + } + // iqmp + iqmpLen = BN_num_bytes( privkey->iqmp ); + iqmpPtr = (char *)malloc( iqmpLen ); + if ( iqmpLen != BN_bn2bin( privkey->iqmp, iqmpPtr ) ) + { + printf( "BN_bn2bin failed!(dmq1)\n" ); + return 1; + } + // e + eLen = BN_num_bytes( privkey->e ); + ePtr = (char *)malloc( eLen ); + if ( eLen != BN_bn2bin( privkey->e, ePtr ) ) + { + printf( "BN_bn2bin failed!(e)\n" ); + return 1; + } + } // rsa bignum(openssl) -> bin + + // バイナリをHSMのBignumに変換 + { + my_bin2bignum( &(privBn->p), handle, pPtr, pLen ); + my_bin2bignum( &(privBn->q), handle, qPtr, qLen ); + my_bin2bignum( &(privBn->dmp1), handle, dmp1Ptr, dmp1Len ); + my_bin2bignum( &(privBn->dmq1), handle, dmq1Ptr, dmq1Len ); + my_bin2bignum( &(privBn->iqmp), handle, iqmpPtr, iqmpLen ); + my_bin2bignum( &(privBn->e), handle, ePtr, eLen ); + free( pPtr ); + free( qPtr ); + free( dmp1Ptr ); + free( dmq1Ptr ); + free( iqmpPtr ); + free( ePtr ); + } + +#if 0 + printf( "RSA(p) : 0x%08X\n", (unsigned int)privBn->p ); + printf( "RSA(q) : 0x%08X\n", (unsigned int)privBn->q ); + printf( "RSA(dmp1) : 0x%08X\n", (unsigned int)privBn->dmp1 ); + printf( "RSA(dmq1) : 0x%08X\n", (unsigned int)privBn->dmq1 ); + printf( "RSA(iqmp) : 0x%08X\n", (unsigned int)privBn->iqmp ); + printf( "RSA(e) : 0x%08X\n", (unsigned int)privBn->e ); +#endif + + // make ACL + if ( cardset != NULL ) + map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet; + else + map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionModule; + // 秘密鍵には DECRYPT と SIGN + // 公開鍵には ENCRYPT と VERIFY しかセットできない?? + map.op_base = NFKM_DEFOPPERMS_DECRYPT | NFKM_DEFOPPERMS_SIGN; + map.cs = cardset; + result = NFKM_newkey_makeaclx( handle, nc, world, &map, &(cmd.args.import.acl), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_newkey_makeaclx\n", result ); + return result; + } + + printf( "import.\n" ); + + // import key + cmd.cmd = Cmd_Import; + cmd.args.import.module = MODULE_ID; + cmd.args.import.data.type = KeyType_RSAPrivate; + cmd.args.import.data.data.rsaprivate.p = pBn; + cmd.args.import.data.data.rsaprivate.q = qBn; + cmd.args.import.data.data.rsaprivate.dmp1 = dmp1Bn; + cmd.args.import.data.data.rsaprivate.dmq1 = dmq1Bn; + cmd.args.import.data.data.rsaprivate.iqmp = iqmpBn; + cmd.args.import.data.data.rsaprivate.e = eBn; + result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : Cmd_Import\n", result ); + return 1; + } + result = reply.status; + if ( result != Status_OK ) + { + printf( "error(%d) : Cmd_Import(reply)\n", result ); + return 1; + } + printf( "keyid : 0x%08X\n", (unsigned int)reply.reply.import.key ); + + // make blobs + reg_key.v = Key__maxversion; // TORIAEZU Version Max (8) + reg_key.name = keyident.ident; + reg_key.appname = keyident.appname; + reg_key.ident = keyident.ident; + time( &(reg_key.gentime) ); + mbp.f = map.f; + mbp.kpriv = reply.reply.import.key; + mbp.lt = ltid; + mbp.cs = cardset; + result = NFKM_newkey_makeblobsx( handle, nc, world, &mbp, ®_key, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_newkey_makeblobsx\n", result ); + return 1; + } + + printf( "recordkey.\n" ); + + // record key to disk + result = NFKM_recordkey( handle, ®_key, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_recordkey\n", result ); + return 1; + } + + // destroy key + result = NFKM_cmd_destroy( handle, nc, 0, reply.reply.import.key, "destroy import key", NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_cmd_destroy\n", result ); + return 1; + } + + printf( "record key success.\n" ); +} // import_rsa_private + void PrintArray( char *pStr, const unsigned char *pData, int length ) { int i; @@ -70,7 +279,7 @@ void PrintArray( char *pStr, const unsigned char *pData, int length ) printf( "%02X ", pData[ i ] ); } printf( "\n" ); -} +} // PrintArray int main( int argc, char *argv[] ) { @@ -84,108 +293,11 @@ int main( int argc, char *argv[] ) memset( &cmd, 0, sizeof( cmd ) ); memset( &reply, 0, sizeof( reply ) ); - NFast_AppHandle handle; - NFastApp_Connection nc; - NFKM_WorldInfo *world = NULL; - RQCard card; - RQCard_FIPS fips; - M_KeyID ltid = 0; // the cardset loaded into the module M_KeyID keyid; NFKM_Key *keyinfo; - NFKM_CardSet *cardset = NULL; if ( argc == 2 ) rand_size = atoi( argv[1] ); - - // load rsa data (private) - RSA *privkey = NULL; - FILE *fp; - fp = fopen( PRIV_KEY_FILE, "rb" ); - if ( !fp ) - { - printf( "error : open %s file\n", PRIV_KEY_FILE ); - return 0; - } - privkey = d2i_RSAPrivateKey_fp( fp, NULL ); - if ( !privkey ) - { - printf( "error : d2i_RSAPrivateKey_fp\n" ); - return 0; - } - -#if 0 - printf( "RSA(p) : %d bytes\n", BN_num_bytes( privkey->p ) ); - printf( "RSA(q) : %d bytes\n", BN_num_bytes( privkey->q ) ); - printf( "RSA(dmp1) : %d bytes\n", BN_num_bytes( privkey->dmp1 ) ); - printf( "RSA(dmq1) : %d bytes\n", BN_num_bytes( privkey->dmq1 ) ); - printf( "RSA(iqmp) : %d bytes\n", BN_num_bytes( privkey->iqmp ) ); - printf( "RSA(e) : %d bytes\n", BN_num_bytes( privkey->e ) ); -#endif - - // p - unsigned char *pPtr; - int pLen = BN_num_bytes( privkey->p ); - pPtr = (char *)malloc( pLen ); - if ( pLen != BN_bn2bin( privkey->p, pPtr ) ) - { - printf( "BN_bn2bin failed!(p)\n" ); - } - - // q - unsigned char *qPtr; - int qLen = BN_num_bytes( privkey->q ); - qPtr = (char *)malloc( qLen ); - if ( qLen != BN_bn2bin( privkey->q, qPtr ) ) - { - printf( "BN_bn2bin failed!(q)\n" ); - } - - // dmp1 - unsigned char *dmp1Ptr; - int dmp1Len = BN_num_bytes( privkey->dmp1 ); - dmp1Ptr = (char *)malloc( dmp1Len ); - if ( dmp1Len != BN_bn2bin( privkey->dmp1, dmp1Ptr ) ) - { - printf( "BN_bn2bin failed!(dmp1)\n" ); - } - - // dmq1 - unsigned char *dmq1Ptr; - int dmq1Len = BN_num_bytes( privkey->dmq1 ); - dmq1Ptr = (char *)malloc( dmq1Len ); - if ( dmq1Len != BN_bn2bin( privkey->dmq1, dmq1Ptr ) ) - { - printf( "BN_bn2bin failed!(dmq1)\n" ); - } - - // iqmp - unsigned char *iqmpPtr; - int iqmpLen = BN_num_bytes( privkey->iqmp ); - iqmpPtr = (char *)malloc( iqmpLen ); - if ( iqmpLen != BN_bn2bin( privkey->iqmp, iqmpPtr ) ) - { - printf( "BN_bn2bin failed!(dmq1)\n" ); - } - - // e - unsigned char *ePtr; - int eLen = BN_num_bytes( privkey->e ); - ePtr = (char *)malloc( eLen ); - if ( eLen != BN_bn2bin( privkey->e, ePtr ) ) - { - printf( "BN_bn2bin failed!(e)\n" ); - } - - printf( "\n" ); - -#if 0 - printf( "RSA(p) : 0x%08X\n", (unsigned int)pPtr ); - printf( "RSA(q) : 0x%08X\n", (unsigned int)qPtr ); - printf( "RSA(dmp1) : 0x%08X\n", (unsigned int)dmp1Ptr ); - printf( "RSA(dmq1) : 0x%08X\n", (unsigned int)dmq1Ptr ); - printf( "RSA(iqmp) : 0x%08X\n", (unsigned int)iqmpPtr ); - printf( "RSA(e) : 0x%08X\n", (unsigned int)ePtr ); -#endif // init nFast result = NFastApp_InitEx( &handle, NULL, NULL ); @@ -317,119 +429,14 @@ int main( int argc, char *argv[] ) printf( "error(%d) : NFKM_getusablemodule\n", result ); } - // make ACL - NFKM_MakeACLParams map; - memset( &map, 0, sizeof( map ) ); - if ( cardset != NULL ) - map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet; - else - map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionModule; - // 暗号化と復号化、署名とベリファイなど、相反する操作を持たせることはできない(エラーになる) - // e.g. NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY -> エラー - // e.g. NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT -> エラー - map.op_base = NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_DECRYPT; - map.cs = cardset; - result = NFKM_newkey_makeaclx( handle, nc, world, &map, &(cmd.args.import.acl), NULL ); - if ( result != Status_OK ) - { - printf( "error(%d) : NFKM_newkey_makeaclx\n", result ); - } - -#if 0 - // set bignum upcalls setting - result = NFastApp_SetBignumUpcalls( - handle, - my_bignumreceiveupcall, - my_bignumsendlenupcall, - my_bignumsendupcall, - my_bignumfreeupcall, - my_bignumformatupcall, - NULL ); - if ( result != Status_OK ) - { - printf( "error(%d) : NFastApp_SetBignumUpcalls\n", result ); - } -#endif - - // convert bin -> M_Bignum - struct NFast_Bignum *pBn = NULL; - struct NFast_Bignum *qBn = NULL; - struct NFast_Bignum *dmp1Bn = NULL; - struct NFast_Bignum *dmq1Bn = NULL; - struct NFast_Bignum *iqmpBn = NULL; - struct NFast_Bignum *eBn = NULL; - - my_bin2bignum( &pBn, handle, pPtr, pLen ); - my_bin2bignum( &qBn, handle, qPtr, qLen ); - my_bin2bignum( &dmp1Bn, handle, dmp1Ptr, dmp1Len ); - my_bin2bignum( &dmq1Bn, handle, dmq1Ptr, dmq1Len ); - my_bin2bignum( &iqmpBn, handle, iqmpPtr, iqmpLen ); - my_bin2bignum( &eBn, handle, ePtr, eLen ); - - printf( "import ...\n" ); - - // import key + // RSA privkey のインポート NFKM_KeyIdent keyident = { (char*)"simple", (char*)"rsa-import-privkey" }; - cmd.cmd = Cmd_Import; - cmd.args.import.module = MODULE_ID; - cmd.args.import.data.type = KeyType_RSAPrivate; - cmd.args.import.data.data.rsaprivate.p = pBn; - cmd.args.import.data.data.rsaprivate.q = qBn; - cmd.args.import.data.data.rsaprivate.dmp1 = dmp1Bn; - cmd.args.import.data.data.rsaprivate.dmq1 = dmq1Bn; - cmd.args.import.data.data.rsaprivate.iqmp = iqmpBn; - cmd.args.import.data.data.rsaprivate.e = eBn; - result = NFastApp_Transact( nc, NULL, &cmd, &reply, NULL ); + result = importRSAPrivate( keyident ); if ( result != Status_OK ) { - printf( "error(%d) : Cmd_Import\n", result ); - } - result = reply.status; - if ( result != Status_OK ) - { - printf( "error(%d) : Cmd_Import(reply)\n", result ); - } - printf( "keyid : 0x%08X\n", (unsigned int)reply.reply.import.key ); - - printf( "done. next : make blob ...\n" ); - - // make blobs - NFKM_MakeBlobsParams mbp; - NFKM_Key reg_key; - memset( &mbp, 0, sizeof( mbp ) ); - memset( ®_key, 0, sizeof( reg_key ) ); - - reg_key.v = Key__maxversion; // TORIAEZU Version Max (8) - reg_key.name = keyident.ident; - reg_key.appname = keyident.appname; - reg_key.ident = keyident.ident; - time( &(reg_key.gentime) ); - - mbp.f = map.f; - mbp.kpriv = reply.reply.import.key; - mbp.lt = ltid; - mbp.cs = cardset; - result = NFKM_newkey_makeblobsx( handle, nc, world, &mbp, ®_key, NULL ); - if ( result != Status_OK ) - { - printf( "error(%d) : NFKM_newkey_makeblobsx\n", result ); - return 0; + printf( "error(%d) : importRSAPrivate\n", result ); } - printf( "done. next : record blob ...\n" ); - - // record key to disk - result = NFKM_recordkey( handle, ®_key, NULL ); - if ( result != Status_OK ) - { - printf( "error(%d) : NFKM_recordkey\n", result ); - } - - printf( "record key success?\n" ); - - // destroy key - result = NFKM_cmd_destroy( handle, nc, 0, reply.reply.import.key, - "import.key", NULL ); // list key #if 0