Commit 6d72b92f authored by garciay

Increase SSp size from Bit128 to Bit256

parent e16da27a
...@@ -68,7 +68,8 @@ public class Management implements IManagementTA, IManagementLayers { ...@@ -68,7 +68,8 @@ public class Management implements IManagementTA, IManagementLayers {
/** /**
* Enforce secured mode status * Enforce secured mode status
*/ */
private static final String TsEnforceSecuredMode = ((CharstringValue)TERFactory.getInstance().getTaParameter("TsEnforceSecuredMode")).getString(); //private static String TsEnforceSecuredMode = ((CharstringValue)TERFactory.getInstance().getTaParameter("TsEnforceSecuredMode")).getString();
private static String TsEnforceSecuredMode = "false";
/** /**
* Secured root path to access certificates & private keys * Secured root path to access certificates & private keys
...@@ -354,7 +355,12 @@ public class Management implements IManagementTA, IManagementLayers { ...@@ -354,7 +355,12 @@ public class Management implements IManagementTA, IManagementLayers {
@Override @Override
public void setSecuredMode(final byte[] securityData) { public void setSecuredMode(final byte[] securityData) {
certificateId = ByteHelper.byteArrayWithLengthToString(ByteHelper.concat(ByteHelper.intToByteArray(securityData.length, 4), securityData)); certificateId = ByteHelper.byteArrayWithLengthToString(ByteHelper.concat(ByteHelper.intToByteArray(securityData.length - 1, 4), securityData));
if (securityData[securityData.length - 1] == 0x01) {
TsEnforceSecuredMode = "true";
} else {
TsEnforceSecuredMode = "false";
}
setupSecuredMode(); setupSecuredMode();
} }
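Review bot: `setSecuredMode` indexes `securityData[securityData.length - 1]` with no check that the array is non-empty, so an empty argument throws `ArrayIndexOutOfBoundsException` and also hands `-1` to `ByteHelper.intToByteArray` as the length; a guard at the top such as `if (securityData == null || securityData.length == 0) { throw new IllegalArgumentException("securityData must end with the enforce flag"); }` would make the new contract explicit. The enforcement switch now fails open: `TsEnforceSecuredMode` starts as `"false"` instead of being read from the `TsEnforceSecuredMode` test-adapter parameter, and any trailing byte other than `0x01` turns enforcement off, so a caller still sending the old payload (certificate id only) would most likely disable it without any error. The length prefix is now `securityData.length - 1` while the whole array, flag byte included, is still concatenated; this presumably relies on `byteArrayWithLengthToString` consuming only the prefixed length, which deserves a comment such as `// last byte is the enforce flag, not part of the certificate id`. The field is also a non-final static written from an instance method, so every `Management` instance shares whichever value was set last.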
......
...@@ -103,7 +103,7 @@ public class SecurityHelper { ...@@ -103,7 +103,7 @@ public class SecurityHelper {
} }
public byte[] checkSecuredProfileAndExtractPayload(final byte[] p_message, final int p_offset, final boolean p_enforceSecurityCheck, final int p_itsAidOther, Map<String, Object> lowerInfo) { public byte[] checkSecuredProfileAndExtractPayload(final byte[] p_message, final int p_offset, final boolean p_enforceSecurityCheck, final int p_itsAidOther, Map<String, Object> lowerInfo) {
TERFactory.getInstance().logDebug(">>> SecurityHelper.checkSecuredProfileAndExtractPayload: " + ByteHelper.byteArrayToString(p_message)); //TERFactory.getInstance().logDebug(">>> SecurityHelper.checkSecuredProfileAndExtractPayload: " + ByteHelper.byteArrayToString(p_message));
ByteArrayInputStream decvalue = new ByteArrayInputStream(p_message, p_offset, p_message.length - p_offset); ByteArrayInputStream decvalue = new ByteArrayInputStream(p_message, p_offset, p_message.length - p_offset);
...@@ -111,20 +111,20 @@ public class SecurityHelper { ...@@ -111,20 +111,20 @@ public class SecurityHelper {
if (decvalue.read() != 2) { if (decvalue.read() != 2) {
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong version number"); //TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong version number");
return null; return null;
} }
} }
// Extract header fields length and header fields // Extract header fields length and header fields
long headerFieldsLength = tls2size(decvalue); long headerFieldsLength = tls2size(decvalue);
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: headerFieldsLength:" + headerFieldsLength); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: headerFieldsLength:" + headerFieldsLength);
byte[] headerFields = new byte[(int) headerFieldsLength]; byte[] headerFields = new byte[(int) headerFieldsLength];
decvalue.read(headerFields, 0, (int) headerFieldsLength); decvalue.read(headerFields, 0, (int) headerFieldsLength);
ByteArrayOutputStream certificateKeys = new ByteArrayOutputStream(); ByteArrayOutputStream certificateKeys = new ByteArrayOutputStream();
if (!checkHeaderfields(headerFields, certificateKeys, p_enforceSecurityCheck, p_itsAidOther, lowerInfo)) { if (!checkHeaderfields(headerFields, certificateKeys, p_enforceSecurityCheck, p_itsAidOther, lowerInfo)) {
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong Headerfields"); //TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong Headerfields");
return null; return null;
} }
} }
...@@ -133,31 +133,31 @@ public class SecurityHelper { ...@@ -133,31 +133,31 @@ public class SecurityHelper {
byte[] keys = certificateKeys.toByteArray(); byte[] keys = certificateKeys.toByteArray();
if ((keys[0] == 0x02) || (keys[0] == 0x03)) { // Key length = 32 bytes if ((keys[0] == 0x02) || (keys[0] == 0x03)) { // Key length = 32 bytes
aaSigningPublicKeyX = ByteHelper.extract(keys, 1, 32); aaSigningPublicKeyX = ByteHelper.extract(keys, 1, 32);
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX));
} else { // Key length = 64 bytes } else { // Key length = 64 bytes
aaSigningPublicKeyX = ByteHelper.extract(keys, 1, 32); aaSigningPublicKeyX = ByteHelper.extract(keys, 1, 32);
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX));
aaSigningPublicKeyY = ByteHelper.extract(keys, 33, 32); aaSigningPublicKeyY = ByteHelper.extract(keys, 33, 32);
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX));
} }
} }
// FIXME Add encryption support // FIXME Add encryption support
// if (p_enforceSecurityCheck) { // if (p_enforceSecurityCheck) {
// } // }
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: headerFields:" + ByteHelper.byteArrayToString(headerFields)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: headerFields:" + ByteHelper.byteArrayToString(headerFields));
// Extract payload, decvalue is updated with the payload // Extract payload, decvalue is updated with the payload
if (decvalue.read() != 1) { if (decvalue.read() != 1) {
TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong Payload type"); //TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong Payload type");
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
return null; return null;
} }
} }
long payloadLength = tls2size(decvalue); long payloadLength = tls2size(decvalue);
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: payloadLength:" + payloadLength); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: payloadLength:" + payloadLength);
byte[] payload = new byte[(int) payloadLength]; byte[] payload = new byte[(int) payloadLength];
decvalue.read(payload, 0, (int) payloadLength); decvalue.read(payload, 0, (int) payloadLength);
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: payload:" + ByteHelper.byteArrayToString(payload)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: payload:" + ByteHelper.byteArrayToString(payload));
if (p_enforceSecurityCheck) { // Extract Secure Trailer if (p_enforceSecurityCheck) { // Extract Secure Trailer
long secureTrailerLength = tls2size(decvalue); long secureTrailerLength = tls2size(decvalue);
byte[] secureTrailer = new byte[(int) secureTrailerLength]; byte[] secureTrailer = new byte[(int) secureTrailerLength];
...@@ -165,17 +165,17 @@ public class SecurityHelper { ...@@ -165,17 +165,17 @@ public class SecurityHelper {
ByteArrayOutputStream signature = new ByteArrayOutputStream(); ByteArrayOutputStream signature = new ByteArrayOutputStream();
if (!extractMessageSignature(secureTrailer, signature)) { if (!extractMessageSignature(secureTrailer, signature)) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong Signatures"); //TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Wrong Signatures");
return null; return null;
} }
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: signature:" + ByteHelper.byteArrayToString(signature.toByteArray())); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: signature:" + ByteHelper.byteArrayToString(signature.toByteArray()));
// Build signed data // Build signed data
byte[] toBeVerifiedData = ByteHelper.extract( byte[] toBeVerifiedData = ByteHelper.extract(
p_message, p_message,
p_offset, p_offset,
p_message.length - (int)(p_offset + secureTrailerLength - 1 /* Exclude signature structure but keep signature type and signature length */) p_message.length - (int)(p_offset + secureTrailerLength - 1 /* Exclude signature structure but keep signature type and signature length */)
); );
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload:" + ByteHelper.byteArrayToString(toBeVerifiedData)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload:" + ByteHelper.byteArrayToString(toBeVerifiedData));
boolean result; boolean result;
try { try {
if (aaSigningPublicKeyY == null) { if (aaSigningPublicKeyY == null) {
...@@ -188,16 +188,16 @@ public class SecurityHelper { ...@@ -188,16 +188,16 @@ public class SecurityHelper {
aaSigningPublicKeyX, aaSigningPublicKeyX,
aaSigningPublicKeyY aaSigningPublicKeyY
); );
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: Verify signature: " + new Boolean(result)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: Verify signature: " + new Boolean(result));
if (!result) { if (!result) {
// Drop packet // Drop packet
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: toBeVerifiedData :" + ByteHelper.byteArrayToString(toBeVerifiedData)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: toBeVerifiedData :" + ByteHelper.byteArrayToString(toBeVerifiedData));
// Calculate Digest digest from the buffer toBeVerifiedData // Calculate Digest digest from the buffer toBeVerifiedData
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: Hash :" + ByteHelper.byteArrayToString(CryptoLib.hashWithSha256(toBeVerifiedData))); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: Hash :" + ByteHelper.byteArrayToString(CryptoLib.hashWithSha256(toBeVerifiedData)));
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: signature :" + ByteHelper.byteArrayToString(signature.toByteArray())); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: signature :" + ByteHelper.byteArrayToString(signature.toByteArray()));
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyX:" + ByteHelper.byteArrayToString(aaSigningPublicKeyX));
TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyY:" + ByteHelper.byteArrayToString(aaSigningPublicKeyY)); //TERFactory.getInstance().logDebug("SecurityHelper.checkSecuredProfileAndExtractPayload: aaSigningPublicKeyY:" + ByteHelper.byteArrayToString(aaSigningPublicKeyY));
TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Invalid signature"); //TERFactory.getInstance().logError("SecurityHelper.checkSecuredProfileAndExtractPayload: Drop packet - Invalid signature");
return null; return null;
} }
...@@ -207,7 +207,7 @@ public class SecurityHelper { ...@@ -207,7 +207,7 @@ public class SecurityHelper {
} }
// Drop packet // Drop packet
TERFactory.getInstance().logError("<<< SecurityHelper.checkSecuredProfileAndExtractPayload: dropped"); //TERFactory.getInstance().logError("<<< SecurityHelper.checkSecuredProfileAndExtractPayload: dropped");
return null; return null;
} }
...@@ -215,11 +215,11 @@ public class SecurityHelper { ...@@ -215,11 +215,11 @@ public class SecurityHelper {
} }
public boolean checkHeaderfields(final byte[] p_headerfields, final ByteArrayOutputStream p_keys, final boolean p_enforceSecurityCheck, final int p_itsAidOther, Map<String, Object> lowerInfo) { public boolean checkHeaderfields(final byte[] p_headerfields, final ByteArrayOutputStream p_keys, final boolean p_enforceSecurityCheck, final int p_itsAidOther, Map<String, Object> lowerInfo) {
TERFactory.getInstance().logDebug(">>> SecurityHelper.checkHeaderfields: " + ByteHelper.byteArrayToString(p_headerfields)); //TERFactory.getInstance().logDebug(">>> SecurityHelper.checkHeaderfields: " + ByteHelper.byteArrayToString(p_headerfields));
// Sanity check // Sanity check
if (p_headerfields.length == 0) { if (p_headerfields.length == 0) {
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Invalid header fields"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Invalid header fields");
return false; return false;
} }
// Extract digest or certificate // Extract digest or certificate
...@@ -232,7 +232,7 @@ public class SecurityHelper { ...@@ -232,7 +232,7 @@ public class SecurityHelper {
(p_headerfields[signerInfoTypeIndex + 1] != 0x03) // SignerInfo Type: certificate chain (3) (p_headerfields[signerInfoTypeIndex + 1] != 0x03) // SignerInfo Type: certificate chain (3)
) )
) { ) {
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Certificate"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Certificate");
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
return false; return false;
...@@ -244,17 +244,17 @@ public class SecurityHelper { ...@@ -244,17 +244,17 @@ public class SecurityHelper {
// Extract certificate because of it is an Other message profile // Extract certificate because of it is an Other message profile
byte[] certificate = decodeCertificate(p_headerfields, signerInfoTypeIndex, p_keys, p_enforceSecurityCheck, lowerInfo); byte[] certificate = decodeCertificate(p_headerfields, signerInfoTypeIndex, p_keys, p_enforceSecurityCheck, lowerInfo);
if (certificate == null) { if (certificate == null) {
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Certificate not decoded"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Certificate not decoded");
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
return false; return false;
} }
} }
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certificate=" + ByteHelper.byteArrayToString(certificate)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certificate=" + ByteHelper.byteArrayToString(certificate));
// Add it in our map // Add it in our map
Long lKey = ByteHelper.byteArrayToLong(calculateDigestFromCertificate(certificate)); Long lKey = ByteHelper.byteArrayToLong(calculateDigestFromCertificate(certificate));
if (!_neighborsCertificates.containsKey(lKey)) { if (!_neighborsCertificates.containsKey(lKey)) {
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Add keys for " + ByteHelper.byteArrayToString(calculateDigestFromCertificate(certificate)) + " / " + lKey); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Add keys for " + ByteHelper.byteArrayToString(calculateDigestFromCertificate(certificate)) + " / " + lKey);
_neighborsCertificates.put(lKey, p_keys); _neighborsCertificates.put(lKey, p_keys);
} }
signerInfoTypeIndex += certificate.length; signerInfoTypeIndex += certificate.length;
...@@ -263,11 +263,11 @@ public class SecurityHelper { ...@@ -263,11 +263,11 @@ public class SecurityHelper {
byte[] hashedid8 = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, Long.SIZE / Byte.SIZE); byte[] hashedid8 = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, Long.SIZE / Byte.SIZE);
signerInfoTypeIndex += (Long.SIZE / Byte.SIZE); signerInfoTypeIndex += (Long.SIZE / Byte.SIZE);
Long lKey = ByteHelper.byteArrayToLong(hashedid8); Long lKey = ByteHelper.byteArrayToLong(hashedid8);
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certificate digest with SHA256=" + lKey + " / " + ByteHelper.byteArrayToString(hashedid8)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certificate digest with SHA256=" + lKey + " / " + ByteHelper.byteArrayToString(hashedid8));
if (!_neighborsCertificates.containsKey(lKey) || (_neighborsCertificates.get(lKey) == null)) { //FIXME as long as the cert chain is not complete, it should not be seen as error -> raise CR if (!_neighborsCertificates.containsKey(lKey) || (_neighborsCertificates.get(lKey) == null)) { //FIXME as long as the cert chain is not complete, it should not be seen as error -> raise CR
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Unknown HahedId8"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Unknown HahedId8");
return false; return false;
} }
} }
...@@ -278,7 +278,7 @@ public class SecurityHelper { ...@@ -278,7 +278,7 @@ public class SecurityHelper {
//e.printStackTrace(); //e.printStackTrace();
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: key " + lKey + "_neighbors certificates table"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: key " + lKey + "_neighbors certificates table");
return false; return false;
} }
} }
...@@ -286,7 +286,7 @@ public class SecurityHelper { ...@@ -286,7 +286,7 @@ public class SecurityHelper {
signerInfoTypeIndex += 1; signerInfoTypeIndex += 1;
ByteArrayInputStream ba = new ByteArrayInputStream(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex)); ByteArrayInputStream ba = new ByteArrayInputStream(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex));
int certChainLength = (int) this.tls2size(ba); int certChainLength = (int) this.tls2size(ba);
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certchain length = " + certChainLength); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certchain length = " + certChainLength);
signerInfoTypeIndex += this.size2tls(certChainLength).length; signerInfoTypeIndex += this.size2tls(certChainLength).length;
ByteArrayOutputStream keys; ByteArrayOutputStream keys;
do { do {
...@@ -295,57 +295,57 @@ public class SecurityHelper { ...@@ -295,57 +295,57 @@ public class SecurityHelper {
byte[] certificate = decodeCertificate(p_headerfields, signerInfoTypeIndex, keys, p_enforceSecurityCheck, lowerInfo); byte[] certificate = decodeCertificate(p_headerfields, signerInfoTypeIndex, keys, p_enforceSecurityCheck, lowerInfo);
if (certificate == null) { if (certificate == null) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Failed to decode chain of certificate"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Failed to decode chain of certificate");
return false; return false;
} }
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certificate=" + ByteHelper.byteArrayToString(certificate)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Certificate=" + ByteHelper.byteArrayToString(certificate));
// Add it in our map // Add it in our map
Long lKey = ByteHelper.byteArrayToLong(calculateDigestFromCertificate(certificate)); Long lKey = ByteHelper.byteArrayToLong(calculateDigestFromCertificate(certificate));
if (!_neighborsCertificates.containsKey(lKey)) { if (!_neighborsCertificates.containsKey(lKey)) {
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Add keys for " + ByteHelper.byteArrayToString(calculateDigestFromCertificate(certificate)) + " / " + lKey); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Add keys for " + ByteHelper.byteArrayToString(calculateDigestFromCertificate(certificate)) + " / " + lKey);
_neighborsCertificates.put(lKey, p_keys); _neighborsCertificates.put(lKey, p_keys);
} }
certChainLength -= certificate.length; certChainLength -= certificate.length;
signerInfoTypeIndex += certificate.length; signerInfoTypeIndex += certificate.length;
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Extracted certificate = " + ByteHelper.byteArrayToString(certificate)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: Extracted certificate = " + ByteHelper.byteArrayToString(certificate));
} while (certChainLength > 0); } while (certChainLength > 0);
} }
// Check generation time // Check generation time
if (p_headerfields[signerInfoTypeIndex++] != 0x00) { // Header Field: Generation Time (0) if (p_headerfields[signerInfoTypeIndex++] != 0x00) { // Header Field: Generation Time (0)
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - GenerationTime not found"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - GenerationTime not found");
return false; return false;
} }
} }
long generationTime = ByteHelper.byteArrayToLong(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, Long.SIZE / Byte.SIZE)); long generationTime = ByteHelper.byteArrayToLong(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, Long.SIZE / Byte.SIZE));
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: generationTime=" + generationTime); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: generationTime=" + generationTime);
if (Math.abs(System.currentTimeMillis() - generationTime) < 1000) { if (Math.abs(System.currentTimeMillis() - generationTime) < 1000) {
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - GenerationTime out of range"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - GenerationTime out of range");
return false; return false;
} }
} }
signerInfoTypeIndex += (Long.SIZE / Byte.SIZE); signerInfoTypeIndex += (Long.SIZE / Byte.SIZE);
if (signerInfoTypeIndex < p_headerfields.length) { if (signerInfoTypeIndex < p_headerfields.length) {
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: dump #1=" + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex))); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: dump #1=" + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex)));
if (p_headerfields[signerInfoTypeIndex] == 0x03) { // Header Field: Generation Location (3) if (p_headerfields[signerInfoTypeIndex] == 0x03) { // Header Field: Generation Location (3)
signerInfoTypeIndex += 1; signerInfoTypeIndex += 1;
byte[] lat = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, 4); byte[] lat = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, 4);
signerInfoTypeIndex += 4; signerInfoTypeIndex += 4;
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: latitude=" + ByteHelper.byteArrayToString(lat)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: latitude=" + ByteHelper.byteArrayToString(lat));
byte[] lon = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, 4); byte[] lon = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, 4);
signerInfoTypeIndex += 4; signerInfoTypeIndex += 4;
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: longitude=" + ByteHelper.byteArrayToString(lon)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: longitude=" + ByteHelper.byteArrayToString(lon));
byte[] ele = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, 2); byte[] ele = ByteHelper.extract(p_headerfields, signerInfoTypeIndex, 2);
signerInfoTypeIndex += 2; signerInfoTypeIndex += 2;
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: elevation=" + ByteHelper.byteArrayToString(ele)); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: elevation=" + ByteHelper.byteArrayToString(ele));
} }
} }
if (signerInfoTypeIndex < p_headerfields.length) { if (signerInfoTypeIndex < p_headerfields.length) {
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: dump #2=" + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex))); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: dump #2=" + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex)));
if (p_headerfields[signerInfoTypeIndex] == 0x05) { // Header Field: Its AID (5) if (p_headerfields[signerInfoTypeIndex] == 0x05) { // Header Field: Its AID (5)
signerInfoTypeIndex += 1; signerInfoTypeIndex += 1;
// Check ItsAid // Check ItsAid
...@@ -358,11 +358,11 @@ public class SecurityHelper { ...@@ -358,11 +358,11 @@ public class SecurityHelper {
) { ) {
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Unknown ItsAid value"); //TERFactory.getInstance().logError("SecurityHelper.checkHeaderfields: Drop packet - Unknown ItsAid value");
return false; return false;
} }
} }
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: ItsAid=" + p_headerfields[signerInfoTypeIndex]); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: ItsAid=" + p_headerfields[signerInfoTypeIndex]);
lowerInfo.put(SecurityHelper.SEC_ITS_AID, ByteHelper.intToByteArray(p_headerfields[signerInfoTypeIndex], Integer.SIZE / Byte.SIZE)); lowerInfo.put(SecurityHelper.SEC_ITS_AID, ByteHelper.intToByteArray(p_headerfields[signerInfoTypeIndex], Integer.SIZE / Byte.SIZE));
signerInfoTypeIndex += 1; signerInfoTypeIndex += 1;
} else { } else {
...@@ -373,23 +373,23 @@ public class SecurityHelper { ...@@ -373,23 +373,23 @@ public class SecurityHelper {
} }
if (signerInfoTypeIndex < p_headerfields.length) { if (signerInfoTypeIndex < p_headerfields.length) {
// TODO check other fields // TODO check other fields
TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: dump #3=" + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex))); //TERFactory.getInstance().logDebug("SecurityHelper.checkHeaderfields: dump #3=" + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, signerInfoTypeIndex, p_headerfields.length - signerInfoTypeIndex)));
} }
return true; return true;
} }
public byte[] decodeCertificate(final byte[] p_headerfields, final int p_offset, final ByteArrayOutputStream p_keys, final boolean p_enforceSecurityCheck, Map<String, Object> p_lowerInfo) { public byte[] decodeCertificate(final byte[] p_headerfields, final int p_offset, final ByteArrayOutputStream p_keys, final boolean p_enforceSecurityCheck, Map<String, Object> p_lowerInfo) {
TERFactory.getInstance().logDebug(">>> SecurityHelper.decodeCertificate: " + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, p_offset, p_headerfields.length - p_offset))); //TERFactory.getInstance().logDebug(">>> SecurityHelper.decodeCertificate: " + ByteHelper.byteArrayToString(ByteHelper.extract(p_headerfields, p_offset, p_headerfields.length - p_offset)));
ByteArrayInputStream headerfields = new ByteArrayInputStream(p_headerfields, p_offset, p_headerfields.length - p_offset); ByteArrayInputStream headerfields = new ByteArrayInputStream(p_headerfields, p_offset, p_headerfields.length - p_offset);
TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: headerfields length=" + headerfields.available()); //TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: headerfields length=" + headerfields.available());
ByteArrayOutputStream cert = new ByteArrayOutputStream(); // FIXME To be removed ByteArrayOutputStream cert = new ByteArrayOutputStream(); // FIXME To be removed
try { try {
// Version // Version
cert.write((byte)headerfields.read()); cert.write((byte)headerfields.read());
if (cert.toByteArray()[0] != 0x02) { if (cert.toByteArray()[0] != 0x02) {
TERFactory.getInstance().logError("SecurityHelper.decodeCertificate: Wrong version number"); //TERFactory.getInstance().logError("SecurityHelper.decodeCertificate: Wrong version number");
if (p_enforceSecurityCheck) { if (p_enforceSecurityCheck) {
// Drop it // Drop it
return null; return null;
...@@ -402,7 +402,7 @@ public class SecurityHelper { ...@@ -402,7 +402,7 @@ public class SecurityHelper {
case 0x01: case 0x01:
byte[] digest = new byte[8]; byte[] digest = new byte[8];
headerfields.read(digest, 0, digest.length); headerfields.read(digest, 0, digest.length);
TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: hashedid8=" + ByteHelper.byteArrayToString(digest)); //TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: hashedid8=" + ByteHelper.byteArrayToString(digest));
cert.write(digest); cert.write(digest);
break; break;
// FIXME To be continued // FIXME To be continued
...@@ -413,7 +413,7 @@ public class SecurityHelper { ...@@ -413,7 +413,7 @@ public class SecurityHelper {
(subjectInfoType != 0x01) && // Subject Info: authorization ticket (1) (subjectInfoType != 0x01) && // Subject Info: authorization ticket (1)
(subjectInfoType != 0x02) // Subject Info: authorization authority (2) (subjectInfoType != 0x02) // Subject Info: authorization authority (2)
) { ) {
TERFactory.getInstance().logError("SecurityHelper.decodeCertificate: Subject Info: authorization authority/ticket expected - " + ByteHelper.byteArrayToString(cert.toByteArray())); //TERFactory.getInstance().logError("SecurityHelper.decodeCertificate: Subject Info: authorization authority/ticket expected - " + ByteHelper.byteArrayToString(cert.toByteArray()));
return null; return null;
} }
cert.write(subjectInfoType); cert.write(subjectInfoType);
...@@ -423,7 +423,7 @@ public class SecurityHelper { ...@@ -423,7 +423,7 @@ public class SecurityHelper {
byte[] subjectInfo = new byte[(int) length]; byte[] subjectInfo = new byte[(int) length];
headerfields.read(subjectInfo, 0, subjectInfo.length); headerfields.read(subjectInfo, 0, subjectInfo.length);
cert.write(subjectInfo); cert.write(subjectInfo);
TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: subjectInfo: " + ByteHelper.byteArrayToString(subjectInfo)); //TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: subjectInfo: " + ByteHelper.byteArrayToString(subjectInfo));
} else { } else {
cert.write(0x00); cert.write(0x00);
} }
...@@ -434,30 +434,30 @@ public class SecurityHelper { ...@@ -434,30 +434,30 @@ public class SecurityHelper {
byte[] b = new byte[(int) length]; byte[] b = new byte[(int) length];
headerfields.read(b, 0, b.length); headerfields.read(b, 0, b.length);
cert.write(b); cert.write(b);
TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: Subject Attributes length=" + length + " / " + headerfields.available()); //TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: Subject Attributes length=" + length + " / " + headerfields.available());
ByteArrayInputStream subjectAttributes = new ByteArrayInputStream(b); ByteArrayInputStream subjectAttributes = new ByteArrayInputStream(b);
if (subjectAttributes.read() == 0x00) { // Subject Attribute: verification key (0) - Mandatory if (subjectAttributes.read() == 0x00) { // Subject Attribute: verification key (0) - Mandatory
if (subjectAttributes.read() == 0x00) { // Public Key Alg: ecdsa nistp256 with sha256 (0) if (subjectAttributes.read() == 0x00) { // Public Key Alg: ecdsa nistp256 with sha256 (0)
byte v = (byte) subjectAttributes.read(); byte v = (byte) subjectAttributes.read();
p_keys.write(v); p_keys.write(v);
TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: ECC Point Type: =" + v); //TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: ECC Point Type: =" + v);
if (v == 0x02) { // ECC Point Type: compressed lsb y-0(2) if (v == 0x02) { // ECC Point Type: compressed lsb y-0(2)
byte[] key = new byte[32]; byte[] key = new byte[32];
subjectAttributes.read(key, 0, 32); subjectAttributes.read(key, 0, 32);
TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: Verification lsb y-1 key=" + ByteHelper.byteArrayToString(key)); //TERFactory.getInstance().logDebug("SecurityHelper.decodeCertificate: Verification lsb y-1 key=" + ByteHelper.byteArrayToString(key));
p_keys.write(key); p_keys.write(key);
} else if (v == 0x03) { // ECC Point Type: compressed lsb y-1(3) } else if (v == 0x03) { // ECC Point Type: compressed lsb y-1(3)
byte[] key = new byte[32]; byte[] key = new byte[32];