Commit d48c62b4 authored by garciay's avatar garciay
Browse files

Major security bugs fixed for signature. Encryption to do.

parent a1e6df0f

ccsrc/Protocols/Security/security_cache.cc

+2 −0
Original line number Diff line number Diff line
@@ -253,7 +253,9 @@ void security_cache::dump() const { 
    loggers::get_instance().log("security_cache::dump: certificate_id = %s", p->certificate_id().c_str());

    loggers::get_instance().log_to_hexa("security_cache::dump: certificate = ", p->certificate().data(), p->certificate().size());

    loggers::get_instance().log_msg("security_cache::dump: decoded certificate = ", p->decoded_certificate());

    loggers::get_instance().log_to_hexa("security_cache::dump: issuer = ", p->issuer().data(), p->issuer().size());

    loggers::get_instance().log_to_hexa("security_cache::dump: hashed_id = ", p->hashed_id().data(), p->hashed_id().size());

    loggers::get_instance().log_to_hexa("security_cache::dump: hash = ", p->hash().data(), p->hash().size());

    loggers::get_instance().log_to_hexa("security_cache::dump: private_key = ", p->private_key().data(), p->private_key().size());

    loggers::get_instance().log_to_hexa("security_cache::dump: public_key_x = ", p->public_key_x().data(), p->public_key_x().size());

    loggers::get_instance().log_to_hexa("security_cache::dump: public_key_y = ", p->public_key_y().data(), p->public_key_y().size());

ccsrc/Protocols/Security/security_services.cc

+28 −36
Original line number Diff line number Diff line
@@ -258,24 +258,23 @@ int security_services::process_ieee_1609_dot2_signed_data(const IEEE1609dot2::Si 
    }

  } else if (p_signed_data.signer().ischosen(IEEE1609dot2::SignerIdentifier::ALT_certificate) && (p_signed_data.signer().certificate().size_of() != 0)) {

    // Extract the certificates

    std::vector<std::string> certificate_ids;

    for (int i = 0; i < p_signed_data.signer().certificate().size_of(); i++) {

      IEEE1609dot2::CertificateBase cert = p_signed_data.signer().certificate()[i];

      if (extract_and_store_certificate(cert) != 0) {

      std::string certificate_id;

      if (extract_and_store_certificate(cert, certificate_id) != 0) {

        loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Failed to store certificate");

        if (p_verify) {

          return -1;

        }

      }

      certificate_ids.push_back(certificate_id);

    } // End of 'for' statement

    IEEE1609dot2::CertificateBase cert = p_signed_data.signer().certificate()[0];

    certificate_id = certificate_id[0];

  } else {

    loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Unsupported SignerIdentifier");

    return -1;

  }

  if (result == -1) {

    loggers::get_instance().warning("security_services::process_ieee_1609_dot2_signed_data: Certificate not found for the specified signer, it will be requested");

    return -1;

  }

  loggers::get_instance().log("security_services::process_ieee_1609_dot2_signed_data: certificate id = '%s'", certificate_id.c_str());

  // Verify the signature of the ToBeSignedData

  loggers::get_instance().log_msg("security_services::process_ieee_1609_dot2_signed_data: signature = ", p_signed_data.signature__());
@@ -708,18 +707,22 @@ int security_services::sign_ecdsa_nistp256(const OCTETSTRING& p_hash, IEEE1609do 
    return -1;

  }

  std::vector<unsigned char> private_key(static_cast<const unsigned char *>(pkey), static_cast<const unsigned char *>(pkey) + pkey.lengthof());

  OCTETSTRING public_key_x;

  OCTETSTRING public_key_y;

  if (_security_db->get_public_keys(certificate_id, public_key_x, public_key_y) != 0) {

    loggers::get_instance().warning("security_services::sign_ecdsa_nistp256: Failed to get public keys");

  // Hash ( Hash (Data input) || Hash (Signer identifier input) )

  OCTETSTRING hash_cert;

  if (_security_db->get_hash(certificate_id, hash_cert) != 0) {

    loggers::get_instance().warning("security_services::sign_ecdsa_nistp256: Failed to get whole hash certificate");

    return -1;

  }

  

  std::vector<unsigned char> hashed_data(static_cast<const unsigned char *>(p_hash), static_cast<const unsigned char *>(p_hash) + p_hash.lengthof());

  loggers::get_instance().log_msg("security_services::sign_ecdsa_nistp256: hash_issuer: ", hash_cert);

  OCTETSTRING os = p_hash + hash_cert; // Hash (Data input) || Hash (Signer identifier input)

  loggers::get_instance().log_msg("security_services::sign_ecdsa_nistp256: hash: ", os);

  OCTETSTRING hashed_data;

  hash_sha256(os, hashed_data); // Hash ( Hash (Data input) || Hash (Signer identifier input) )

  std::vector<unsigned char> tbv(static_cast<const unsigned char *>(hashed_data), static_cast<const unsigned char *>(hashed_data) + hashed_data.lengthof());

  security_ecc k(ec_elliptic_curves::nist_p_256, private_key);

  std::vector<unsigned char> r_sig;

  std::vector<unsigned char> s_sig;

  if (k.sign(hashed_data, r_sig, s_sig) != 0) {

  if (k.sign(tbv, r_sig, s_sig) != 0) {

    loggers::get_instance().warning("security_services::sign_ecdsa_nistp256: Failed to sign payload");

    return -1;

  }
@@ -746,18 +749,7 @@ int security_services::verify_sign_ecdsa_nistp256(const OCTETSTRING& p_hash, con 
  

  // Generate the hash to be verified: Hash ( Hash (Data input) || Hash (Signer identifier input) )

  OCTETSTRING issuer;

  if (_security_db->get_issuer(p_certificate_id, issuer) != 0) {

    loggers::get_instance().warning("security_services::verify_sign_ecdsa_nistp256: Failed to get issuer hashed id");

    return -1;

  }

  loggers::get_instance().log_msg("security_services::verify_sign_ecdsa_nistp256: issuer: ", issuer);

  std::string certificate_issuer;

  if (_security_db->get_certificate_id(issuer, certificate_issuer) != 0) {

    loggers::get_instance().warning("security_services::verify_sign_ecdsa_nistp256: Failed to get issuer certificate");

    return -1;

  }

  loggers::get_instance().log("security_services::verify_sign_ecdsa_nistp256: certificate_issuer: %s", certificate_issuer.c_str());

  if (_security_db->get_hash(certificate_issuer, issuer) != 0) {

  if (_security_db->get_hash(p_certificate_id, issuer) != 0) {

    loggers::get_instance().warning("security_services::verify_sign_ecdsa_nistp256: Failed to get hash of the issuer certificate");

    return -1;

  }
@@ -765,6 +757,7 @@ int security_services::verify_sign_ecdsa_nistp256(const OCTETSTRING& p_hash, con 
  loggers::get_instance().log_to_hexa("security_services::verify_sign_ecdsa_nistp256: hash_issuer: ", hash_issuer.data(), hash_issuer.size());

  std::vector<unsigned char> hash_data(static_cast<const unsigned char *>(p_hash), static_cast<const unsigned char *>(p_hash) + p_hash.lengthof());

  hash_data.insert(hash_data.end(), hash_issuer.cbegin(), hash_issuer.cend()); // Hash (Data input) || Hash (Signer identifier input)

  loggers::get_instance().log_to_hexa("security_services::verify_sign_ecdsa_nistp256: hash: ", hash_data.data(), hash_data.size());

  sha256 sha;

  std::vector<unsigned char> hash_to_be_verified;

  sha.generate(hash_data, hash_to_be_verified); // Hash ( Hash (Data input) || Hash (Signer identifier input) )
@@ -928,18 +921,17 @@ int security_services::extract_encryption_keys(const IEEE1609dot2::CertificateBa 
  return 0;

} // End of method extract_encryption_keys



int security_services::extract_and_store_certificate(IEEE1609dot2::CertificateBase p_certificate) {

 int security_services::extract_and_store_certificate(const IEEE1609dot2::CertificateBase& p_certificate, std::string& p_certificate_id) {

  loggers::get_instance().log_msg(">>> security_services::extract_and_store_certificate: ", p_certificate);



  int result = -1;

  std::string certificate_id;

  if (p_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha256AndDigest)) {

    result = _security_db.get()->get_certificate_id(p_certificate.issuer().sha256AndDigest(), certificate_id);

    result = _security_db.get()->get_certificate_id(p_certificate.issuer().sha256AndDigest(), p_certificate_id);

    if (result == -1) { // Not found in current DB

      if (_security_cache.get()->get_certificate_id(p_certificate.issuer().sha256AndDigest(), certificate_id) == -1) { // Not found in TS cache

      if (_security_cache.get()->get_certificate_id(p_certificate.issuer().sha256AndDigest(), p_certificate_id) == -1) { // Not found in TS cache

        loggers::get_instance().log_msg("security_services::extract_and_store_certificate: Store new certificate in cache: ", p_certificate);

        const std::vector<unsigned char> v(static_cast<const unsigned char*>(p_certificate.issuer().sha256AndDigest()), static_cast<const unsigned char*>(p_certificate.issuer().sha256AndDigest()) + p_certificate.issuer().sha256AndDigest().lengthof());

        certificate_id = converter::get_instance().bytes_to_hexa(v);

        p_certificate_id = converter::get_instance().bytes_to_hexa(v);

        // Add it into the cache

        OCTETSTRING public_key_x, public_key_y, public_comp_key;

        INTEGER public_comp_key_mode;
@@ -962,7 +954,7 @@ int security_services::extract_and_store_certificate(IEEE1609dot2::CertificateBa 
        hash_sha256(enc_cert, hash_cert);

        // And store it into the cache

        _security_cache.get()->store_certificate(

                                                 CHARSTRING(certificate_id.c_str()),

                                                 CHARSTRING(p_certificate_id.c_str()),

                                                 enc_cert,

                                                 int2oct(0, 32), // No way to get the private key here

                                                 public_key_x,
@@ -980,12 +972,12 @@ int security_services::extract_and_store_certificate(IEEE1609dot2::CertificateBa 
      }

    }

  } else if (p_certificate.issuer().ischosen(IEEE1609dot2::IssuerIdentifier::ALT_sha384AndDigest)) {

    result = _security_db.get()->get_certificate_id(p_certificate.issuer().sha384AndDigest(), certificate_id);

    result = _security_db.get()->get_certificate_id(p_certificate.issuer().sha384AndDigest(), p_certificate_id);

    if (result == -1) {

      if (_security_cache.get()->get_certificate_id(p_certificate.issuer().sha384AndDigest(), certificate_id) == -1) {

      if (_security_cache.get()->get_certificate_id(p_certificate.issuer().sha384AndDigest(), p_certificate_id) == -1) {

        loggers::get_instance().log_msg("security_services::extract_and_store_certificate: Store new certificate in cache: ", p_certificate);

        const std::vector<unsigned char> v(static_cast<const unsigned char*>(p_certificate.issuer().sha384AndDigest()), static_cast<const unsigned char*>(p_certificate.issuer().sha384AndDigest()) + p_certificate.issuer().sha384AndDigest().lengthof());

        certificate_id = converter::get_instance().bytes_to_hexa(v);

        p_certificate_id = converter::get_instance().bytes_to_hexa(v);

        // Add it into the cache

        OCTETSTRING public_key_x, public_key_y, public_comp_key;

        INTEGER public_comp_key_mode;
@@ -1008,7 +1000,7 @@ int security_services::extract_and_store_certificate(IEEE1609dot2::CertificateBa 
        hash_sha384(enc_cert, hash_cert);

        // And store it into the cache

        _security_cache.get()->store_certificate(

                                                 CHARSTRING(certificate_id.c_str()),

                                                 CHARSTRING(p_certificate_id.c_str()),

                                                 enc_cert,

                                                 int2oct(0, 48), // No way to get the private key here

                                                 public_key_x,

ccsrc/Protocols/Security/security_services.hh

+1 −1
Original line number Diff line number Diff line
@@ -150,5 +150,5 @@ private: 


  int extract_verification_keys(const IEEE1609dot2::CertificateBase& p_cert, OCTETSTRING& p_public_key_x, OCTETSTRING& p_public_key_y, OCTETSTRING& p_public_comp_key, INTEGER& p_public_comp_key_mode);

  int extract_encryption_keys(const IEEE1609dot2::CertificateBase& p_cert, OCTETSTRING& p_public_enc_key_x, OCTETSTRING& p_public_enc_key_y, OCTETSTRING& p_public_enc_comp_key, INTEGER& p_public_enc_comp_key_mode);

  int extract_and_store_certificate(IEEE1609dot2::CertificateBase p_certificate);

  int extract_and_store_certificate(const IEEE1609dot2::CertificateBase& p_certificate, std::string& p_certificate_id);

}; // End of class security_services