Commit 3fe96d02 authored by garciay's avatar garciay
Browse files

STF538: Start validation

parent 33700ff2
......@@ -324,7 +324,19 @@ namespace LibItsSecurity__Functions
p__publicKeyY = OCTETSTRING();
return FALSE;
}
// Sanity checks
if (k.private_key().size() != 32) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid private key size");
return FALSE;
}
if (k.public_key_x().size() != 32) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid public key X-coordonate size");
return FALSE;
}
if (k.public_key_y().size() != 32) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid public key Y-coordonate size");
return FALSE;
}
p__privateKey = OCTETSTRING(k.private_key().size(), k.private_key().data());
p__publicKeyX = OCTETSTRING(k.public_key_x().size(), k.public_key_x().data());
p__publicKeyY = OCTETSTRING(k.public_key_y().size(), k.public_key_y().data());
......@@ -353,6 +365,19 @@ namespace LibItsSecurity__Functions
return FALSE;
}
// Sanity checks
if (k.private_key().size() != 32) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid private key size");
return FALSE;
}
if (k.public_key_x().size() != 32) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid public key X-coordonate size");
return FALSE;
}
if (k.public_key_y().size() != 32) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid public key Y-coordonate size");
return FALSE;
}
p__privateKey = OCTETSTRING(k.private_key().size(), k.private_key().data());
p__publicKeyX = OCTETSTRING(k.public_key_x().size(), k.public_key_x().data());
p__publicKeyY = OCTETSTRING(k.public_key_y().size(), k.public_key_y().data());
......@@ -381,6 +406,19 @@ namespace LibItsSecurity__Functions
return FALSE;
}
// Sanity checks
if (k.private_key().size() != 48) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid private key size");
return FALSE;
}
if (k.public_key_x().size() != 48) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid public key X-coordonate size");
return FALSE;
}
if (k.public_key_y().size() != 48) {
loggers::get_instance().error("fx__generateKeyPair__nistp256: Invalid public key Y-coordonate size");
return FALSE;
}
p__privateKey = OCTETSTRING(k.private_key().size(), k.private_key().data());
p__publicKeyX = OCTETSTRING(k.public_key_x().size(), k.public_key_x().data());
p__publicKeyY = OCTETSTRING(k.public_key_y().size(), k.public_key_y().data());
......
......@@ -284,7 +284,7 @@ void GeoNetworkingLayer::receiveData(OCTETSTRING& data, Params& params) {
sopv = &ex.tsbHeader().srcPosVector();
}
} // else, nothing to do
loggers::get_instance().log("GeoNetworkingLayer::receiveData: sopv is boud: %d", sopv->is_bound());
loggers::get_instance().log("GeoNetworkingLayer::receiveData: sopv is bound: %d", sopv->is_bound());
if(sopv->is_bound()) {
const LibItsGeoNetworking__TypesAndValues::LongPosVector& lpv = *sopv;
_location_table.add_entry(lpv);
......
......@@ -46,6 +46,7 @@ int security_cache::get_certificate(const std::string& p_certificate_id, OCTETST
std::map<std::string, std::unique_ptr<security_db_record> >::const_iterator it = _certificates.find(p_certificate_id);
if (it == _certificates.cend()) {
loggers::get_instance().warning("security_cache::get_certificate: record not found");
dump();
return -1;
}
const std::vector<unsigned char> cert = it->second.get()->certificate();
......
......@@ -40,7 +40,7 @@ int security_services::setup(Params& p_params) { // FIXME Rename this method
}
// Setup encryption instance
// std::string certificate_id = p_params[Params::certificate] + "_AT";
// std::string certificate_id = p_params[Params::certificate];
// OCTETSTRING os;
// _security_db.get()->get_private_enc_key(certificate_id, os);
// std::vector<unsigned char> pri_enc_key(static_cast<const unsigned char*>(os), os.lengthof() + static_cast<const unsigned char*>(os));
......@@ -141,13 +141,15 @@ int security_services::process_ieee_1609_dot2_signed_data(const IEEE1609dot2::Si
}
} else {
const OPTIONAL<INTEGER>& v = dynamic_cast<const OPTIONAL<INTEGER>& >(header_info.generationTime());
unsigned long long gt = ((INTEGER&)(*v.get_opt_value())).get_long_long_val();
unsigned long long gt = ((INTEGER&)(*v.get_opt_value())).get_long_long_val() * 1000 - 1072911600000L;
// Get current time timestamp
unsigned long long ms = std::chrono::duration_cast<std::chrono::milliseconds>(std::chrono::system_clock::now().time_since_epoch()).count() - 1072911600000L; // TODO Add method such as its_tme() & its_time_mod() beacuse it is used also in LibItsCommon_externals
loggers::get_instance().log("security_services::process_ieee_1609_dot2_signed_data: generation time check %ld / %ld", header_info.generationTime(), ms);
if (abs((double)gt - (double)ms) >= 5.0) { // TODO Use a params for generation_time_epsilon
loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Invalid generation time, discard it");
return -1;
if (p_verify) {
return -1;
}
}
}
// Check and extract unsecured payload
......@@ -158,15 +160,21 @@ int security_services::process_ieee_1609_dot2_signed_data(const IEEE1609dot2::Si
const IEEE1609dot2::Ieee1609Dot2Data& ieee_1609dot2_data = static_cast<const IEEE1609dot2::Ieee1609Dot2Data&>(*v.get_opt_value());
if (p_verify && ((unsigned int)(int)ieee_1609dot2_data.protocolVersion() != security_services::ProtocolVersion)) {
loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Wrong version protocol, discard it");
return -1;
if (p_verify) {
return -1;
}
}
if (process_ieee_1609_dot2_content(ieee_1609dot2_data.content(), p_verify, p_unsecured_payload, p_params) != 0) {
loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Failed to process SignedData, discard it");
return -1;
if (p_verify) {
return -1;
}
}
} else if (p_signed_data.tbsData().payload().extDataHash().is_present()) {
loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Unsupported extDataHash, discard it");
return -1;
if (p_verify) {
return -1;
}
} else { // Shall not be reached
loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Unsupported SignedDataPayload, discard it");
return -1;
......@@ -225,8 +233,8 @@ int security_services::process_ieee_1609_dot2_signed_data(const IEEE1609dot2::Si
IEEE1609dot2::CertificateBase cert = p_signed_data.signer().certificate()[i];
if (cert.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha256AndDigest)) {
result = _security_db.get()->get_certificate_id(cert.issuer().sha256AndDigest(), certificate_id);
if (result == -1) {
if (_security_cache.get()->get_certificate_id(cert.issuer().sha256AndDigest(), certificate_id) == -1) {
if (result == -1) { // Not found in current DB
if (_security_cache.get()->get_certificate_id(cert.issuer().sha256AndDigest(), certificate_id) == -1) { // Not found in TS cache
loggers::get_instance().log_msg("security_services::process_ieee_1609_dot2_signed_data: Store new certificate in cache: ", cert);
const std::vector<unsigned char> v(static_cast<const unsigned char*>(cert.issuer().sha256AndDigest()), static_cast<const unsigned char*>(cert.issuer().sha256AndDigest()) + cert.issuer().sha256AndDigest().lengthof());
certificate_id = converter::get_instance().bytes_to_hexa(v);
......@@ -445,7 +453,7 @@ int security_services::sign_gn_payload(const OCTETSTRING& p_unsecured_gn_payload
}
IEEE1609dot2::SignerIdentifier signer;
loggers::get_instance().log("security_services::sign_gn_payload: ms = %d - _last_generation_time = %d - ms - _last_generation_time = %d", (unsigned int)ms, _last_generation_time, (unsigned int)(ms - _last_generation_time));
std::string certificate_id = p_params[Params::certificate] + "_AT";
std::string certificate_id = p_params[Params::certificate];
loggers::get_instance().log("security_services::sign_gn_payload: certificate_id = %s", certificate_id.c_str());
if ((unsigned int)(ms - _last_generation_time) >= 1000 * 0.95) { // Need to add certificate
IEEE1609dot2::CertificateBase cert;
......@@ -514,7 +522,7 @@ int security_services::encrypt_gn_payload(const OCTETSTRING& p_unsecured_gn_payl
loggers::get_instance().log_msg("security_services::encrypt_gn_payload: aes_128_ccm = ", cipher_text);
// Build the recipient_id
std::string certificate_id = p_params[Params::certificate] + "_AT";
std::string certificate_id = p_params[Params::certificate];
OCTETSTRING recipient_id;
_security_db.get()->get_hashed_id(certificate_id, recipient_id); // SHA-256 of the certificate which contain the encryption private/public keys
// TODO Encryt the AES-128 key
......@@ -652,7 +660,7 @@ int security_services::hash_sha384(const OCTETSTRING& p_data, OCTETSTRING& p_has
int security_services::sign_ecdsa_nistp256(const OCTETSTRING& p_hash, IEEE1609dot2BaseTypes::Signature& p_signature, Params& p_params) {
loggers::get_instance().log_msg(">>> security_services::sign_ecdsa_nistp256: ", p_hash);
std::string certificate_id = p_params[Params::certificate] + "_AT"; // FIXME Specified strictly the naming of the certificate files
std::string certificate_id = p_params[Params::certificate];
loggers::get_instance().log("security_services::sign_ecdsa_nistp256: encoded certificate_id = '%s'", certificate_id.c_str());
OCTETSTRING pkey;
if (_security_db->get_private_key(certificate_id, pkey) != 0) {
......@@ -722,19 +730,23 @@ int security_services::verify_sign_ecdsa_nistp256(const OCTETSTRING& p_hash, con
}
int security_services::extract_encryption_keys(const IEEE1609dot2::CertificateBase& p_cert, OCTETSTRING& p_public_enc_key_x, OCTETSTRING& p_public_enc_key_y) {
loggers::get_instance().log("security_services::extract_encryption_keys");
if (p_cert.toBeSigned().encryptionKey().ispresent()) {
const IEEE1609dot2BaseTypes::PublicEncryptionKey& p = static_cast<const IEEE1609dot2BaseTypes::PublicEncryptionKey&>(p_cert.toBeSigned().encryptionKey());
if (p.publicKey().ischosen(IEEE1609dot2BaseTypes::BasePublicEncryptionKey::ALT_eciesNistP256)) {
p_public_enc_key_x = p.publicKey().eciesNistP256().uncompressedP256().x();
p_public_enc_key_y = p.publicKey().eciesNistP256().uncompressedP256().y();
} else if (p.publicKey().ischosen(IEEE1609dot2BaseTypes::BasePublicEncryptionKey::ALT_eciesBrainpoolP256r1)) {
} else if (p.publicKey().ischosen(IEEE1609dot2BaseTypes::BasePublicEncryptionKey::ALT_eciesBrainpoolP256r1)) {
p_public_enc_key_x = p.publicKey().eciesBrainpoolP256r1().uncompressedP256().x();
p_public_enc_key_y = p.publicKey().eciesBrainpoolP256r1().uncompressedP256().y();
} else {
loggers::get_instance().error("security_services::process_ieee_1609_dot2_signed_data: Unsupported EncryptionKey");
return -1;
}
} else {
p_public_enc_key_x = int2oct(0, 32);
p_public_enc_key_y = int2oct(0, 32);
}
return 0;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment