From ecaf1ba492cfc5c3f7bc180f5d961cf1fd6fe982 Mon Sep 17 00:00:00 2001 From: kubodera_yuichi Date: Thu, 24 Dec 2009 04:43:23 +0000 Subject: [PATCH] =?UTF-8?q?hsm=5Futils:=E3=81=BE=E3=81=9F=E8=BF=BD?= =?UTF-8?q?=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: file:///Volumes/Transfer/gigaleak_20231201/2020-09-30%20-%20paladin.7z/paladin/ctr_eFuse@80 ff987cc8-cf2f-4642-8568-d52cce064691 --- hsm_utils/Makefile | 5 +- hsm_utils/import_asymmetric_key.c | 526 ++++++++++++++++++++++++++++++ 2 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 hsm_utils/import_asymmetric_key.c diff --git a/hsm_utils/Makefile b/hsm_utils/Makefile index d930f8f..e4dc7b3 100644 --- a/hsm_utils/Makefile +++ b/hsm_utils/Makefile @@ -76,7 +76,6 @@ LDLIBS_THREADED= $(XLDLIBS_THREADED) -lpthread $(LDLIBS) all: simple - XLDLIBS= $(LIBPATH_SWORLD)/librqcard.a \ $(LIBPATH_SWORLD)/libnfkm.a \ $(LIBPATH_HILIBS)/libnfstub.a \ @@ -98,10 +97,14 @@ $(SRCPATH)/getdate.c: ; import_common_key: import_common_key.c $(CC) $(CFLAGS) $(CPPFLAGS) -o import_common_key import_common_key.c $(COMMON_OBJECTS) $(LDLIBS) +import_asymmetric_key: import_asymmetric_key.c + $(CC) $(CFLAGS) $(CPPFLAGS) -o import_asymmetric_key import_asymmetric_key.c $(COMMON_OBJECTS) $(LDLIBS) + # All single-threaded targets TARGETS_SIMPLE= \ import_common_key \ + import_asymmetric_key \ simple: $(TARGETS_SIMPLE) diff --git a/hsm_utils/import_asymmetric_key.c b/hsm_utils/import_asymmetric_key.c new file mode 100644 index 0000000..fe35f79 --- /dev/null +++ b/hsm_utils/import_asymmetric_key.c @@ -0,0 +1,526 @@ + +// import key (+ encrypt, decrypt) test for nShield + +#include +#include +#include +#include + +// openssl +#include +#include +#include +#include +#include +#include +#include + +#include "nfastapp.h" +#include "nfkm.h" +#include "rqcard-applic.h" +#include "rqcard-fips.h" + +#include "simplebignum.h" +#include "ncthread-upcalls.h" +//#include "picky-upcalls.h" + +#include "simplecmd.h" + +#define PUB_KEY_FILE "/opt/nfast/work/rsa-pub-key2048.der" + +#define MODULE_ID 1 +#define DATA_LEN 256 // bytes + +typedef struct _NFast_Call_Context +{ + int notused; +} +NFast_Call_Context; +NFast_Call_Context context; + +typedef struct NFast_Transaction_Context +{ + M_Command cmd; + M_Reply reply; +} +NFast_Transaction_Context; +NFast_Transaction_Context tc; + +static void *my_malloc( size_t nbytes, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx ); +static void *my_realloc( void *ptr, size_t nbytes, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx ); +static void my_free( void *ptr, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx ); + +// bignum upcalls +int my_bignumsendlenupcall( struct NFast_Application *app, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx, + const M_Bignum *bignum, int *nbytes_r ); + +const NFast_MallocUpcalls my_malloc_upcalls = +{ + my_malloc, my_realloc, my_free +}; + +static void *my_malloc( size_t nbytes, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx ) +{ + return malloc( nbytes ); +} + +static void *my_realloc( void *ptr, size_t nbytes, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx ) +{ + return realloc( ptr, nbytes ); +} + +static void my_free( void *ptr, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx ) +{ + free( ptr ); +} + +int my_bignumsendlenupcall( struct NFast_Application *app, + struct NFast_Call_Context *cctx, struct NFast_Transaction_Context *tctx, + const M_Bignum *bignum, int *nbytes_r ) +{ + char *ptr = (char*)bignum; + printf( "%08X\n", ptr ); + while( *ptr ) + printf( "%02X ", *(ptr++) ); + + *nbytes_r = BN_num_bytes( (BIGNUM *)bignum ); + return Status_OK;; +} + +int main( int argc, char *argv[] ) +{ + int i; + int result = 0; + int rand_size = 80; + + NFast_AppHandle handle; + NFastApp_Connection nc; + NFKM_WorldInfo *world = NULL; + RQCard card; + RQCard_FIPS fips; + M_KeyID ltid; // the cardset loaded into the module + M_KeyID keyid; + NFKM_Key *keyinfo; + + if ( argc == 2 ) + rand_size = atoi( argv[1] ); + + // load rsa data(public) + RSA *pubkey = NULL; + FILE *fp; + fp = fopen( PUB_KEY_FILE, "rb" ); + if ( !fp ) + { + printf( "error : open %s file\n", PUB_KEY_FILE ); + return 0; + } + + printf( "before : %08X\n", pubkey ); + pubkey = d2i_RSA_PUBKEY_fp( fp, NULL ); + if ( !pubkey ) + { + printf( "error : d2i_RSA_PUBKEY_fp\n" ); + return 0; + } + printf( "after : %08X\n", pubkey ); + + // init nFast + NFastAppInitArgs app_init_args; + memset( &app_init_args, 0, sizeof( app_init_args ) ); + app_init_args.flags = NFAPP_IF_MALLOC | NFAPP_IF_BIGNUM; + app_init_args.mallocupcalls = &my_malloc_upcalls; + app_init_args.bignumupcalls = &sbn_upcalls; + //app_init_args.newthreadupcalls = &newthread_upcalls; + result = NFastApp_InitEx( &handle, &app_init_args, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFastApp_InitEx\n", result ); + } + + // connecting to hardserver + result = NFastApp_Connect( handle, &nc, 0, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFastApp_Connect\n", result ); + } + + // set bignum upcalls setting + result = NFastApp_SetBignumUpcalls( + handle, + sbn_bignumreceiveupcall, + sbn_bignumsendlenupcall, + sbn_bignumsendupcall, + sbn_bignumfreeupcall, + sbn_bignumformatupcall, + NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFastApp_SetBignumUpcalls\n", result ); + } + + // NFKM getinfo + result = NFKM_getinfo( handle, &world, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_getinfo\n", result ); + } + + // init card-loading lib + result = RQCard_init( &card, handle, nc, world, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : RQCard_init\n", result ); + } + + // init FIPS state + result = RQCard_fips_init( &card, &fips ); + if ( result != Status_OK ) + { + printf( "error(%d) : RQCard_fips_init\n", result ); + } + + // ui select + //result = RQCard_ui_default( &card ); + result = RQCard_ui_scroll( &card ); + if ( result != Status_OK ) + { + printf( "error(%d) : RQCard_ui_xxx\n", result ); + } + + // get strict-FIPS authorization +#if 0 + NFKM_FIPS140AuthHandle fipsHandle; + M_SlotID slotId; + result = RQCard_fips_get( &fips, 1, &fipsHandle, &slotId ); + if ( result != Status_OK ) + { + printf( "error(%d) : RQCard_fips_get\n", result ); + } + if ( fipsHandle == NULL ) + { + printf( "this sworld isn't strict-FIPS.\n" ); + } +#endif + + // list cardsets + int card_num; + NFKM_CardSetIdent *cardident = NULL; + result = NFKM_listcardsets( handle, &card_num, &cardident, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_listcardsets\n", result ); + } + + // find cardsets + NFKM_CardSet *cardset = NULL; + result = NFKM_findcardset( handle, cardident, &cardset, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_findcardset\n", result ); + } + + // load cardset + result = RQCard_logic_ocs_specific( &card, &(cardset->hkltu), "Load Cardset" ); + if ( result != Status_OK ) + { + printf( "error(%d) : RQCard_logic_ocs_specific\n", result ); + } + + // use specific module : #1 + // important!! : if you set resultplace=NULL, abort. (possibility is 100%) + result = RQCard_whichmodule_specific( &card, world->modules[0]->module, <id ); + if ( result != Status_OK ) + { + printf( "error(%d) : RQCard_whichmodule_specific\n", result ); + } + + // wait event loop + result = card.uf->eventloop( &card ); + if ( result != Status_OK ) + { + printf( "error(%d) : card module event loop\n", result ); + } + + // get usable module + NFKM_ModuleInfo *moduleinfo = world->modules[0]; + result = NFKM_getusablemodule( world, MODULE_ID, &moduleinfo ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_getusablemodule\n", result ); + } + + // make ACL + NFKM_MakeACLParams map; + NFKM_MakeBlobsParams mbp; + memset( &map, 0, sizeof( map ) ); + map.f = NFKM_NKF_RecoveryEnabled | NFKM_NKF_ProtectionCardSet; + map.op_base = (NFKM_DEFOPPERMS_SIGN | NFKM_DEFOPPERMS_VERIFY | + NFKM_DEFOPPERMS_ENCRYPT | NFKM_DEFOPPERMS_DECRYPT ); + map.cs = cardset; + result = NFKM_newkey_makeaclx( handle, nc, world, &map, + &(tc.cmd.args.import.acl), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_newkey_makeaclx\n", result ); + } + + // set bignum upcalls setting + result = NFastApp_SetBignumUpcalls( + handle, + sbn_bignumreceiveupcall, + my_bignumsendlenupcall, + sbn_bignumsendupcall, + sbn_bignumfreeupcall, + sbn_bignumformatupcall, + NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFastApp_SetBignumUpcalls\n", result ); + } + + // import key + NFKM_KeyIdent keyident = { (char*)"custom", (char*)"rsa-import-pubkey" }; + tc.cmd.cmd = Cmd_Import; + tc.cmd.args.import.module = MODULE_ID; + tc.cmd.args.import.data.type = KeyType_RSAPublic; + tc.cmd.args.import.data.data.rsapublic.e = (M_Bignum)pubkey->e; // Public exponent of the RSA keypair + tc.cmd.args.import.data.data.rsapublic.n = (M_Bignum)pubkey->n; // Modules of the RSA keypair + result = NFastApp_Transact( nc, NULL, &(tc.cmd), &(tc.reply), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_newkey_makeaclx\n", result ); + } + + // make blobs + NFKM_Key reg_key; + memset( &mbp, 0, sizeof( mbp ) ); + memset( ®_key, 0, sizeof( reg_key ) ); + mbp.f = map.f; + mbp.kpriv = tc.reply.reply.import.key; + mbp.lt = ltid; + mbp.cs = cardset; + reg_key.v = Key__maxversion; // TORIAEZU Version Max (8) + reg_key.name = keyident.ident; + reg_key.appname = keyident.appname; + reg_key.ident = keyident.ident; + time( &(reg_key.gentime) ); + result = NFKM_newkey_makeblobsx( handle, nc, world, &mbp, ®_key, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_newkey_makeblobsx\n", result ); + } + + // record key to disk + result = NFKM_recordkey( handle, ®_key, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_recordkey\n", result ); + } + + printf( "record key success?\n" ); + + // destroy key + result = NFKM_cmd_destroy( handle, nc, 0, tc.reply.reply.import.key, + "import.key", NULL ); + + // list key +#if 0 + int key_num; + NFKM_KeyIdent *keylist = NULL; + result = NFKM_listkeys( handle, &key_num, &keylist, "simple", NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_listkeys\n", result ); + } + NFKM_KeyIdent **tkp = &keylist; + for ( i = 0; i < key_num; i++ ) + { + printf( "appname : %s, ident : %s\n", tkp[i]->appname, tkp[i]->ident ); + } +#endif + + // find key + NFKM_KeyIdent ki_v = { (char*)"custom", (char*)"rsa-import-pubkey" }; + + printf( "appname : %s, ident : %s\n", ki_v.appname, ki_v.ident ); + + result = NFKM_findkey( handle, ki_v, &keyinfo, NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_findkey\n", result ); + } + + // load blob + M_ByteBlock *blobptr; + if ( keyinfo->pubblob.len) + blobptr = &keyinfo->pubblob; + else + { + printf( "aes is symmetric key!\n" ); + blobptr = &keyinfo->privblob; + } + + result = NFKM_cmd_loadblob( handle, nc, + moduleinfo->module, blobptr, ltid, &keyid, "loading key blob", NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFKM_cmd_loadblob\n", result ); + } + printf( "key ID : %u\n", (unsigned int)keyid ); + + // get key info + tc.cmd.cmd = Cmd_GetKeyInfo; + tc.cmd.args.getkeyinfo.key = keyid; + result = NFastApp_Transact( nc, NULL, &(tc.cmd), &(tc.reply), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : FastApp_Transact(Cmd_GetKeyInfo)\n", result ); + } + // if type == 30 then Rijndael(AES) + printf( "keytype : %d\n", tc.reply.reply.getkeyinfo.type ); + + // encrypt & dectypt test + { + M_ByteBlock enc_input, dec_input; + M_ByteBlock enc_output, dec_output; + M_IV base_iv, enc_iv, dec_iv; + + // data setting + enc_input.len = DATA_LEN; + enc_input.ptr = (unsigned char*)malloc( DATA_LEN ); + for ( i = 0; i < enc_input.len; i++ ) + enc_input.ptr[i] = i; + + base_iv.mech = Mech_RijndaelmCBCpNONE; + for ( i = 0; i < 16; i++ ) + base_iv.iv.generic128.iv.bytes[i] = i; + enc_iv = base_iv; + dec_iv = base_iv; + + // encrypt : my ver + tc.cmd.cmd = Cmd_Encrypt; + tc.cmd.args.encrypt.key = keyid; + tc.cmd.args.encrypt.mech = Mech_RijndaelmCBCpNONE; + tc.cmd.args.encrypt.plain.type = PlainTextType_Bytes; + tc.cmd.args.encrypt.plain.data.bytes.data = enc_input; + tc.cmd.args.encrypt.flags = Cmd_Encrypt_Args_flags_given_iv_present; + tc.cmd.args.encrypt.given_iv = &enc_iv; + result = NFastApp_Transact( nc, NULL, &(tc.cmd), &(tc.reply), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : FastApp_Transact(Cmd_Encrypt)\n", result ); + } + result = tc.reply.status; + if ( result != Status_OK ) + { + printf( "error(%d) : reply.status(Cmd_Encrypt)\n", result ); + } + enc_output.len = tc.reply.reply.encrypt.cipher.data.generic128.cipher.len; + if ( enc_output.len != DATA_LEN ) + { + printf( "error : output data size isn't %d bytes(Cmd_Encrypt)\n", (int)enc_output.len ); + } + enc_output.ptr = (unsigned char*)malloc( enc_output.len ); + memcpy( enc_output.ptr, + tc.reply.reply.encrypt.cipher.data.generic128.cipher.ptr, + enc_output.len ); + + printf( "encrypt ok\n" ); + + dec_input.len = enc_output.len; + dec_input.ptr = (unsigned char*)malloc( dec_input.len ); + memcpy( dec_input.ptr, enc_output.ptr, DATA_LEN ); + + NFastApp_Free_Reply( handle, NULL, NULL, &(tc.reply) ); + + // decrypt : my ver + tc.cmd.cmd = Cmd_Decrypt; + tc.cmd.args.decrypt.flags = 0; + tc.cmd.args.decrypt.key = keyid; + tc.cmd.args.decrypt.mech = Mech_RijndaelmCBCpNONE; + tc.cmd.args.decrypt.cipher.mech = Mech_RijndaelmCBCpNONE; + tc.cmd.args.decrypt.cipher.data.generic128.cipher = dec_input; + tc.cmd.args.decrypt.cipher.iv = dec_iv.iv; + tc.cmd.args.decrypt.reply_type = PlainTextType_Bytes; + result = NFastApp_Transact( nc, NULL, &(tc.cmd), &(tc.reply), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : FastApp_Transact(Cmd_Decrypt)\n", result ); + } + result = tc.reply.status; + if ( result != Status_OK ) + { + printf( "error(%d) : reply.status(Cmd_Decrypt)\n", result ); + } + dec_output.len = tc.reply.reply.decrypt.plain.data.bytes.data.len; + if ( dec_output.len != DATA_LEN ) + { + printf( "error : output size isn't %d bytes(Cmd_Decrypt)\n", (int)enc_output.len ); + } + dec_output.ptr = (unsigned char*)malloc( dec_output.len ); + memcpy( dec_output.ptr, + tc.reply.reply.decrypt.plain.data.bytes.data.ptr, + dec_output.len ); + + printf( "decrypt ok\n" ); + + NFastApp_Free_Reply( handle, NULL, NULL, &(tc.reply) ); + + // key destroy + memset( &(tc.cmd), 0, sizeof( tc.cmd ) ); // fail if NFastApp_Free_Command + tc.cmd.cmd = Cmd_Destroy; + tc.cmd.args.destroy.key = keyid; + result = NFastApp_Transact( nc, NULL, &(tc.cmd), &(tc.reply), NULL ); + if ( result != Status_OK ) + { + printf( "error(%d) : NFastApp_Transact(Cmd_Destroy)\n", result ); + } + NFastApp_Free_Reply( handle, NULL, NULL, &(tc.reply) ); + + // data show + printf( "enc_input : (%d bytes)", (int)enc_input.len ); + for ( i = 0; i < enc_input.len; i++ ) + { + if ( i % 16 == 0 ) + printf( "\n" ); + printf( "%02X ", enc_input.ptr[i] ); + } + printf( "\n" ); + + printf( "\nenc_output : (%d bytes)", (int)enc_output.len ); + for ( i = 0; i < enc_output.len; i++ ) + { + if ( i % 16 == 0 ) + printf( "\n" ); + printf( "%02X ", enc_output.ptr[i] ); + } + printf( "\n" ); + + printf( "\ndec_output : (%d bytes)", (int)dec_output.len ); + for ( i = 0; i < dec_output.len; i++ ) + { + if ( i % 16 == 0 ) + printf( "\n" ); + printf( "%02X ", dec_output.ptr[i] ); + } + printf( "\n" ); + } // encrypt & decrypt + + // end processing + RQCard_fips_free( &card, &fips ); + RQCard_destroy( &card ); + NFKM_freekey( handle, keyinfo, NULL ); + NFKM_freeinfo( handle, &world, NULL ); + NFastApp_Disconnect( nc, NULL ); + NFastApp_Finish( handle, NULL ); + + return 0; + +} // main