Commit 4f503327 authored by Yann Garcia's avatar Yann Garcia
Browse files

Validation with Escrypt PKI

parent db77b62a
......@@ -107,11 +107,15 @@ module LibItsDenm_Functions {
function f_utTriggerEvent(template (value) UtDenmTrigger p_event) runs on ItsDenm return ActionID {
var ActionID v_actionId;
var UtDenmResults v_result;
log(">>> f_utTriggerEvent: ", p_event);
//deactivate denmPort default alts
vc_denmDefaultActive := false;
log("f_utTriggerEvent: Send message");
utPort.send(p_event);
log("f_utTriggerEvent: Wait response");
tc_wait.start;
alt {
[] utPort.receive(UtDenmResults: { utDenmTriggerResult := ? }) -> value v_result {
......
......@@ -828,7 +828,7 @@ module LibItsGeoNetworking_Functions {
*/
function f_startBeingNeighbour() runs on ItsGeoNetworking {
vc_neighbourDefault := activate(a_neighbourDefault());
vc_neighbourDefault := activate(a_neighbourDefault());
f_acTriggerEvent(m_startBeaconing(m_beaconHeader(f_getPosition(vc_componentName)).beaconHeader));
f_sleepIgnoreDef(PX_NEIGHBOUR_DISCOVERY_DELAY);
} // end f_startBeingNeighbour
......
......@@ -1013,7 +1013,14 @@ module LibItsPki_Functions {
log("f_generate_inner_at_request: Wrong NistP256 encryption variant");
return false;
}
v_enc_signed_ec_signature := f_encryptWithEciesNistp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
if (PX_EC_ALG == e_nist_p256) {
v_enc_signed_ec_signature := f_encryptWithEciesNistp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
} else if (PX_EC_ALG == e_brainpool_p256_r1) {
v_enc_signed_ec_signature := f_encryptWithEciesBrainpoolp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
} else {
log("f_generate_inner_at_request: Wrong encryption variant");
return false;
}
v_encrypted_data_encryption_key := valueof(
m_encryptedDataEncryptionKey_eciesNistP256(
m_evciesP256EncryptedKey(
......@@ -1032,7 +1039,14 @@ module LibItsPki_Functions {
log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant");
return false;
}
v_enc_signed_ec_signature := f_encryptWithEciesBrainpoolp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
if (PX_EC_ALG == e_nist_p256) {
v_enc_signed_ec_signature := f_encryptWithEciesNistp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
} else if (PX_EC_ALG == e_brainpool_p256_r1) {
v_enc_signed_ec_signature := f_encryptWithEciesBrainpoolp256WithSha256(bit2oct(encvalue(v_signed_ec_signature)), v_public_enc_key, v_compressed_mode, ''O, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, v_aes_sym_key, v_encrypted_sym_key, v_authentication_vector, v_nonce, PICS_SEC_FIXED_KEYS);
} else {
log("f_generate_inner_at_request: Wrong encryption variant");
return false;
}
v_encrypted_data_encryption_key := valueof(
m_encryptedDataEncryptionKey_eciesBrainpoolP256r1(
m_evciesP256EncryptedKey(
......@@ -1270,6 +1284,7 @@ module LibItsPki_Functions {
),
m_headerInfo_inner_ec_request(c_its_aid_SCR, f_getCurrentTimeUtc())
);
log("f_build_pki_secured_request_message_signed_with_pop: signer: ", p_signer_identifier);
if (ischosen(p_signer_identifier.self_)) {
v_tbs_signed := f_signWithEcdsa(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key);
} else {
......@@ -1329,7 +1344,15 @@ module LibItsPki_Functions {
if (PICS_SEC_FIXED_KEYS) {
p_salt := '77C0637C3558B3238FDE1EEC376DA080BE4076FB8491CA0F8C19FD34DF298CEB'O;
}
v_encrypted_request := f_encryptWithEciesNistp256WithSha256(v_encoded_request, p_public_key_compressed, p_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
if (PX_EC_ALG == e_nist_p256) {
v_encrypted_request := f_encryptWithEciesNistp256WithSha256(v_encoded_request, p_public_key_compressed, p_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
} else if (PX_EC_ALG == e_brainpool_p256_r1) {
v_encrypted_request := f_encryptWithEciesBrainpoolp256WithSha256(v_encoded_request, p_public_key_compressed, p_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
} else {
log("f_build_pki_secured_request_message_signed_with_pop: Wrong encryption variant");
return false;
}
log("f_build_pki_secured_request_message_signed_with_pop: p_aes_sym_key= ", p_aes_sym_key);
log("f_build_pki_secured_request_message_signed_with_pop: p_encrypted_sym_key= ", p_encrypted_sym_key);
log("f_build_pki_secured_request_message_signed_with_pop: p_authentication_vector= ", p_authentication_vector);
......@@ -1373,18 +1396,18 @@ module LibItsPki_Functions {
m_etsiTs103097Data_encrypted(
m_encryptedData(
{
m_recipientInfo_signedDataRecipInfo(
m_pKRecipientInfo(
v_recipientId,
v_encrypted_data_encryption_key
))
},
m_SymmetricCiphertext_aes128ccm(
m_aesCcmCiphertext(
p_nonce,
v_encrypted_request
)
)
m_recipientInfo_certRecipInfo(
m_pKRecipientInfo(
v_recipientId,
v_encrypted_data_encryption_key
))
},
m_SymmetricCiphertext_aes128ccm(
m_aesCcmCiphertext(
p_nonce,
v_encrypted_request
)
)
)
)
);
......@@ -1437,7 +1460,14 @@ module LibItsPki_Functions {
if (PICS_SEC_FIXED_KEYS) {
p_salt := '77C0637C3558B3238FDE1EEC376DA080BE4076FB8491CA0F8C19FD34DF298CEB'O;
}
v_encrypted_request := f_encryptWithEciesNistp256WithSha256(p_pki_message, p_public_key_compressed, p_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
if (PX_EC_ALG == e_nist_p256) {
v_encrypted_request := f_encryptWithEciesNistp256WithSha256(p_pki_message, p_public_key_compressed, p_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
} else if (PX_EC_ALG == e_brainpool_p256_r1) {
v_encrypted_request := f_encryptWithEciesBrainpoolp256WithSha256(p_pki_message, p_public_key_compressed, p_compressed_mode, p_salt, v_public_compressed_ephemeral_key, v_public_compressed_ephemeral_mode, p_aes_sym_key, p_encrypted_sym_key, p_authentication_vector, p_nonce, PICS_SEC_FIXED_KEYS);
} else {
log("f_build_pki_secured_request_message: Wrong encryption variant");
return false;
}
log("f_build_pki_secured_request_message: p_aes_sym_key= ", p_aes_sym_key);
log("f_build_pki_secured_request_message: p_encrypted_sym_key= ", p_encrypted_sym_key);
log("f_build_pki_secured_request_message: p_authentication_vector= ", p_authentication_vector);
......@@ -1630,38 +1660,73 @@ module LibItsPki_Functions {
if (isbound(v_plain_message) == false) {
return false;
}
log("v_plain_message= ", v_plain_message);
log("f_verify_pki_message: v_plain_message= ", v_plain_message);
// 2. Decode it
v_tbs := oct2bit(v_plain_message);
if (decvalue(v_tbs, v_ieee1609dot2_signed_data) != 0) {
return false;
}
log("v_ieee1609dot2_signed_data= ", v_ieee1609dot2_signed_data);
log("f_verify_pki_message: v_ieee1609dot2_signed_data= ", v_ieee1609dot2_signed_data);
// 3. Check the signature
log("v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
log("f_verify_pki_message: v_ieee1609dot2_signed_data.content.signedData.tbsData= ", v_ieee1609dot2_signed_data.content.signedData.tbsData);
v_tbs := encvalue(v_ieee1609dot2_signed_data.content.signedData.tbsData);
if (f_getCertificateFromDigest(v_ieee1609dot2_signed_data.content.signedData.signer.digest, v_certificate) == false) {
if (p_check_security == true) {
return false;
}
}
//log("v_certificate= ", v_certificate);
if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0)) {
v_ret := f_verifyWithEcdsaNistp256WithSha256(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0,
0);
} else {
v_ret := f_verifyWithEcdsaNistp256WithSha256(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_1,
1);
//log("f_verify_pki_message: v_certificate= ", v_certificate);
v_ret := false;
if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256)) {
if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0)) {
v_ret := f_verifyWithEcdsaNistp256WithSha256(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_0,
0);
} else {
v_ret := f_verifyWithEcdsaNistp256WithSha256(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaNistP256Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaNistP256.compressed_y_1,
1);
}
} else if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1)) {
if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0)) {
v_ret := f_verifyWithEcdsaBrainpoolp256WithSha256(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP256r1Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP256r1Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1.compressed_y_0,
0);
} else {
v_ret := f_verifyWithEcdsaBrainpoolp256WithSha256(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP256r1Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP256r1Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP256r1.compressed_y_1,
1);
}
} else if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1)) {
if (ischosen(v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1.compressed_y_0)) {
v_ret := f_verifyWithEcdsaBrainpoolp384WithSha384(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP384r1Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP384r1Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1.compressed_y_0,
0);
} else {
v_ret := f_verifyWithEcdsaBrainpoolp384WithSha384(
bit2oct(v_tbs),
p_issuer,
v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP384r1Signature.rSig.x_only & v_ieee1609dot2_signed_data.content.signedData.signature_.ecdsaBrainpoolP384r1Signature.sSig,
v_certificate.toBeSigned.verifyKeyIndicator.verificationKey.ecdsaBrainpoolP384r1.compressed_y_1,
1);
}
}
if (v_ret == false) {
if (p_check_security == true) {
......
......@@ -33,7 +33,7 @@ module LibItsPki_Pics {
/**
* @desc Is a re-enrolment request?
*/
modulepar boolean PICS_SECPKI_REENROLMENT := true;
modulepar boolean PICS_SECPKI_REENROLMENT := false;
/**
* @desc ?
......
......@@ -2207,6 +2207,22 @@ module LibItsSecurity_Functions {
return true;
} // End of function f_getCertificateFromDigest
function f_getCertificateFromHashedId3(
in HashedId3 p_digest,
out EtsiTs103097Certificate p_certificate
) return boolean {
var charstring v_certificate_id;
if (not(fx_readCertificateFromHashedId3(p_digest, v_certificate_id))) {
log("f_getCertificateFromHashedId3: Failed to retrieve digest for ", p_digest);
return false;
}
if (not(f_readCertificate(v_certificate_id, p_certificate))) {
log("f_getCertificateFromHashedId3: Failed to retrieve digest for ", v_certificate_id);
return false;
}
return true;
} // End of function f_getCertificateFromHashedId3
/**
* @desc Read the signing private key for the specified certificate
* @param p_keysId the keys identifier
......@@ -2589,6 +2605,8 @@ module LibItsSecurity_Functions {
external function fx_readCertificateFromDigest(in HashedId8 p_digest, out charstring p_certificate_id) return boolean;
external function fx_readCertificateFromHashedId3(in HashedId3 p_digest, out charstring p_certificate_id) return boolean;
/**
* @desc Read the private keys for the specified certificate
* @param p_keysId the keys identifier
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment