From 39f7b5284a6a4332e90975d7fbb1e69722821020 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 9 Jun 2022 11:53:35 +0200
Subject: [PATCH] Added OID definitions.
Signed-off-by: Pol Henarejos
---
src/hsm/oid.c | 18 +++++++++++
src/hsm/oid.h | 81 ++++++++++++++++++++++++++++++++++++++++++++++++
src/hsm/sc_hsm.c | 25 ++++++++-------
3 files changed, 113 insertions(+), 11 deletions(-)
create mode 100644 src/hsm/oid.c
create mode 100644 src/hsm/oid.h
diff --git a/src/hsm/oid.c b/src/hsm/oid.c
new file mode 100644
index 0000000..56d2da0
--- /dev/null
+++ b/src/hsm/oid.c
@@ -0,0 +1,18 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include "oid.h"
diff --git a/src/hsm/oid.h b/src/hsm/oid.h
new file mode 100644
index 0000000..e4822c6
--- /dev/null
+++ b/src/hsm/oid.h
@@ -0,0 +1,81 @@ +/* + * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm). + * Copyright (c) 2022 Pol Henarejos. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 3. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#ifndef _OID_H_ +#define _OID_H_ + +#include +#include "pico/stdlib.h" + +#define OID_BSI_DE "\x04\x00\x7F\x00\x07" + +#define OID_ID_CA OID_BSI_DE "\x02\x02\x03" + +#define OID_ID_CA_DH OID_ID_CA "\x01" + +#define OID_ID_CA_DH_3DES_CBC_CBC OID_ID_CA_DH "\x01" +#define OID_ID_CA_DH_AES_CBC_CMAC_128 OID_ID_CA_DH "\x02" +#define OID_ID_CA_DH_AES_CBC_CMAC_192 OID_ID_CA_DH "\x03" +#define OID_ID_CA_DH_AES_CBC_CMAC_256 OID_ID_CA_DH "\x04" + +#define OID_ID_CA_ECDH OID_ID_CA "\x02" + +#define OID_ID_CA_ECDH_3DES_CBC_CBC OID_ID_CA_ECDH "\x01" +#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02" +#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03" +#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04" + +#define OID_ID_PK OID_BSI_DE "\x02\x02\0x1" +#define OID_ID_PK_DH OID_ID_PK "\x01" +#define OID_ID_PK_ECDH OID_ID_PK "\x02" + +#define OID_ID_TA OID_BSI_DE "\x02\x02\x02" + +#define OID_ID_TA_RSA OID_ID_TA "\x01" + +#define OID_ID_TA_RSA_V1_5_SHA_1 OID_ID_TA_RSA "\x01" +#define OID_ID_TA_RSA_V1_5_SHA_256 OID_ID_TA_RSA "\x02" +#define OID_ID_TA_RSA_PSS_SHA_1 OID_ID_TA_RSA "\x03" +#define OID_ID_TA_RSA_PSS_SHA_256 OID_ID_TA_RSA "\x04" +#define OID_ID_TA_RSA_V1_5_SHA_512 OID_ID_TA_RSA "\x05" +#define OID_ID_TA_RSA_PSS_SHA_512 
OID_ID_TA_RSA "\x06" + +#define OID_ID_TA_ECDSA OID_ID_TA "\x02" + +#define OID_IT_TA_ECDSA_SHA_1 OID_ID_TA_ECDSA "\x01" +#define OID_IT_TA_ECDSA_SHA_224 OID_ID_TA_ECDSA "\x02" +#define OID_IT_TA_ECDSA_SHA_256 OID_ID_TA_ECDSA "\x03" +#define OID_IT_TA_ECDSA_SHA_384 OID_ID_TA_ECDSA "\x04" +#define OID_IT_TA_ECDSA_SHA_512 OID_ID_TA_ECDSA "\x05" + +#define OID_ID_RI OID_BSI_DE "\x02\x02\x05" + +#define OID_ID_RI_DH OID_ID_RI "\x01" + +#define OID_ID_RI_DH_SHA_1 OID_ID_RI_DH "\x01" +#define OID_ID_RI_DH_SHA_224 OID_ID_RI_DH "\x02" +#define OID_ID_RI_DH_SHA_256 OID_ID_RI_DH "\x03" + +#define OID_ID_RI_ECDH OID_ID_RI "\x02" + +#define OID_ID_RI_ECDH_SHA_1 OID_ID_RI_ECDH "\x01" +#define OID_ID_RI_ECDH_SHA_224 OID_ID_RI_ECDH "\x02" +#define OID_ID_RI_ECDH_SHA_256 OID_ID_RI_ECDH "\x03" + +#define OID_ID_CI OID_BSI_DE "\x02\x02\x06" + +#endif diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index 3edad68..9e9f9c8 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -35,6 +35,8 @@ #include "eac.h" #include "cvc.h" #include "asn1.h" +#include "oid.h" +#include "mbedtls/oid.h" const uint8_t sc_hsm_aid[] = { 11, @@ -160,6 +162,7 @@ void init_sc_hsm() { uint16_t cert_len = (cvcerts[i][1] << 8) | cvcerts[i][0]; puk_store[i].chr = cvc_get_chr((uint8_t *)cvcerts[i]+2, cert_len, &puk_store[i].chr_len); puk_store[i].car = cvc_get_chr((uint8_t *)cvcerts[i]+2, cert_len, &puk_store[i].car_len); + puk_store[i].puk = cvc_get_pub((uint8_t *)cvcerts[i]+2, cert_len, &puk_store[i].puk_len); puk_store[i].up = i-1; } } @@ -1001,7 +1004,7 @@ static int cmd_keypair_gen() { uint8_t *kdomd = NULL; if (asn1_find_tag(apdu.data, apdu.nc, 0x92, &kdom_size, &kdomd) && kdom_size > 0 && kdomd != NULL) kdom = *kdomd; - if (memcmp(oid, "\x4\x0\x7F\x0\x7\x2\x2\x2\x1\x2",MIN(oid_len,10)) == 0) { //RSA + if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) { //RSA size_t ex_len = 3, ks_len = 2; uint8_t *ex = NULL, *ks = NULL; uint32_t exponent = 65537, key_size = 2048; 
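Review bot: `OID_ID_PK` in oid.h is defined with the tail `"\x02\x02\0x1"`, where `\0x1` is an octal NUL followed by the literal characters `x` and `1`, so the macro expands to a wrong, longer byte string and `OID_ID_PK_DH` / `OID_ID_PK_ECDH` inherit it. The sibling arcs (`OID_ID_TA` with `"\x02\x02\x02"`, `OID_ID_CA` with `"\x02\x02\x03"`) suggest the intended line is `#define OID_ID_PK OID_BSI_DE "\x02\x02\x01"`. The five ECDSA macros are spelled `OID_IT_TA_ECDSA_*` while every other name uses the `OID_ID_` prefix; renaming them now, before more callers exist, keeps the table consistent. Since these are NUL-terminated string literals used as raw DER byte strings, a header comment such as `/* compare with an explicit length: sizeof(OID_x) - 1 */` would document how callers are expected to use them.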
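Review bot: The RSA branch in cmd_keypair_gen now calls `memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len)` without the `MIN(oid_len,10)` bound the removed line had, so an `oid_len` larger than the literal's 11 bytes (10 plus the NUL) makes memcmp read past the constant, and a zero or short `oid_len` still counts as a match. `oid_len` appears to come from parsing the command data (the parse is outside this hunk), so it should be treated as untrusted; `if (oid_len == sizeof(OID_ID_TA_RSA_V1_5_SHA_256) - 1 && memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)` gives an exact match, the way the cmd_mse hunk already does with `tag_len == 10`. The same applies to the ECC branch in the -1038 hunk (still a prefix match through `MIN(oid_len,10)`) and to the five digest-OID comparisons in cmd_signature in the -1424 hunk, which pass `oid_len` unbounded against 5- and 9-byte mbedtls constants. cmd_keypair_gen's body starts and ends outside the hunk.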
@@ -1038,7 +1041,7 @@ static int cmd_keypair_gen() { } mbedtls_rsa_free(&rsa); } - else if (memcmp(oid, "\x4\x0\x7F\x0\x7\x2\x2\x2\x2\x3",MIN(oid_len,10)) == 0) { //ECC + else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256,MIN(oid_len,10)) == 0) { //ECC size_t prime_len; uint8_t *prime = NULL; if (asn1_find_tag(p, tout, 0x81, &prime_len, &prime) != true) @@ -1424,15 +1427,15 @@ static int cmd_signature() { asn1_find_tag(p, tout, 0x4, &hash_len, &hash); } if (oid && oid_len > 0) { - if (memcmp(oid, "\x2B\x0E\x03\x02\x1A", oid_len) == 0) + if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA1, oid_len) == 0) md = MBEDTLS_MD_SHA1; - else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x04", oid_len) == 0) + else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA224, oid_len) == 0) md = MBEDTLS_MD_SHA224; - else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x01", oid_len) == 0) + else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA256, oid_len) == 0) md = MBEDTLS_MD_SHA256; - else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x02", oid_len) == 0) + else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA384, oid_len) == 0) md = MBEDTLS_MD_SHA384; - else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x03", oid_len) == 0) + else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA512, oid_len) == 0) md = MBEDTLS_MD_SHA512; } if (p2 == ALGO_RSA_PSS || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_RSA_PSS_SHA256) { @@ -1949,9 +1952,9 @@ static int cmd_mse() { while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) { if (tag == 0x80) { if (p2 == 0xA4) { - if (tag_len == 10 && memcmp(tag_data, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", tag_len) == 0) + if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_AES_CBC_CMAC_128, tag_len) == 0) sm_set_protocol(MSE_AES); - else if (tag_len == 10 && memcmp(tag_data, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", tag_len) == 0) + else if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_3DES_CBC_CBC, tag_len) == 0) sm_set_protocol(MSE_3DES); } } 
@@ -2021,9 +2024,9 @@ int cmd_general_authenticate() { uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16); memcpy(t, "\x7F\x49\x3F\x06\x0A", 5); if (sm_get_protocol() == MSE_AES) - memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", 10); + memcpy(t+5, OID_ID_CA_ECDH_AES_CBC_CMAC_128, 10); else if (sm_get_protocol() == MSE_3DES) - memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", 10); + memcpy(t+5, OID_ID_CA_ECDH_3DES_CBC_CBC, 10); t[15] = 0x86; memcpy(t+16, pubkey, pubkey_len);