Loading ttcn/Pki/LibItsPki_Functions.ttcn +25 −14 Original line number Original line Diff line number Diff line Loading @@ -706,7 +706,7 @@ module LibItsPki_Functions { var bitstring v_authorization_request_msg; var bitstring v_authorization_request_msg; // Generate the InnerAtRequest // Generate the InnerAtRequest if (f_generate_inner_at_request(vc_eaCertificate, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) { if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) { log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***"); log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error); return; return; Loading Loading @@ -1387,7 +1387,8 @@ module LibItsPki_Functions { group inner_at_xxx { group inner_at_xxx { function f_generate_inner_at_request( function f_generate_inner_at_request( in Certificate p_ea_certificate, in Certificate p_aa_certificate, in Oct8 p_aa_hashed_id8, in Oct8 p_ea_hashed_id8, in Oct8 p_ea_hashed_id8, in Certificate p_ec_certificate, in Certificate p_ec_certificate, in octetstring p_ec_private_key, in octetstring p_ec_private_key, Loading Loading @@ -1434,6 +1435,10 @@ module LibItsPki_Functions { if (f_generate_key_pair(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) { if (f_generate_key_pair(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) { log("f_generate_inner_at_request: Failed to generate encryption key"); log("f_generate_inner_at_request: Failed to generate encryption key"); return false; return false; } else { log ("f_generate_inner_at_request: AT encryption private key: ", p_private_enc_key); log ("f_generate_inner_at_request: AT encryption public compressed key: ", p_public_compressed_enc_key); log ("f_generate_inner_at_request: AT encryption public compressed mode: ", p_compressed_enc_key_mode); } } } else { } else { p_private_enc_key := ''O; p_private_enc_key := ''O; Loading @@ -1453,20 +1458,26 @@ module LibItsPki_Functions { log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash); log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash); // Generate 32 octets length secret key // Generate 32 octets length secret key v_hmac_key := f_hashWithSha256(int2oct(f_getCurrentTime(), 12)); v_hmac_key := f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 12)); log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key); log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key); // Generate tag based on the concatenation of verification keys & encryption keys // Generate tag based on the concatenation of verification keys & encryption keys v_message_to_tag := v_public_key_x & v_public_key_y & v_public_enc_key_x & v_public_enc_key_y; v_message_to_tag := v_public_key_x & v_public_key_y & v_public_enc_key_x & v_public_enc_key_y; log("f_generate_inner_at_request: v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional log("f_generate_inner_at_request: v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional v_key_tag := fx_hmac_sha256(v_hmac_key, v_message_to_tag); // TODO Rename and use a wrapper function v_key_tag := substr( fx_hmac_sha256( // TODO Rename and use a wrapper function v_hmac_key, v_message_to_tag ), 0, 16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously log("f_generate_inner_at_request: v_key_tag= ", v_key_tag); log("f_generate_inner_at_request: v_key_tag= ", v_key_tag); // Build the SharedAtRequest // Build the SharedAtRequest p_inner_at_request.sharedAtRequest := valueof( p_inner_at_request.sharedAtRequest := valueof( m_shared_at_request( m_shared_at_request( p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity substr(v_key_tag, 0, 16), // Calculated keyTag v_key_tag, // Calculated keyTag valueof( valueof( m_certificate_subject_attributes( // FIXME Review subjectPermissions m_certificate_subject_attributes( // FIXME Review subjectPermissions p_ec_certificate.toBeSigned.appPermissions, p_ec_certificate.toBeSigned.appPermissions, Loading Loading @@ -1563,11 +1574,11 @@ module LibItsPki_Functions { // Use EA certificate for the encryption // Use EA certificate for the encryption if (PX_EC_ALG == e_nist_p256) { if (PX_EC_ALG == e_nist_p256) { if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) { if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0; v_compressed_mode := 0; v_compressed_mode := 0; } else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) { } else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1; v_compressed_mode := 1; v_compressed_mode := 1; } else { } else { log("f_generate_inner_at_request: Wrong NistP256 encryption variant"); log("f_generate_inner_at_request: Wrong NistP256 encryption variant"); Loading Loading @@ -1597,11 +1608,11 @@ module LibItsPki_Functions { v_authentication_vector v_authentication_vector ))); ))); } else if (PX_EC_ALG == e_brainpool_p256_r1) { } else if (PX_EC_ALG == e_brainpool_p256_r1) { if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) { if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0; v_compressed_mode := 0; v_compressed_mode := 0; } else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) { } else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1; v_compressed_mode := 1; v_compressed_mode := 1; } else { } else { log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant"); log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant"); Loading @@ -1626,7 +1637,7 @@ module LibItsPki_Functions { log("f_generate_inner_at_request: Wrong encryption variant"); log("f_generate_inner_at_request: Wrong encryption variant"); return false; return false; } } v_recipientId := p_ea_hashed_id8; // RecipientId is the HashedId8 of the EA certificate v_recipientId := p_aa_hashed_id8; // RecipientId is the HashedId8 of the EA certificate log("v_recipientId= ", v_recipientId); log("v_recipientId= ", v_recipientId); // Fill Certificate template with the public compressed keys (canonical form) // Fill Certificate template with the public compressed keys (canonical form) if (v_public_compressed_ephemeral_mode == 0) { if (v_public_compressed_ephemeral_mode == 0) { Loading Loading
ttcn/Pki/LibItsPki_Functions.ttcn +25 −14 Original line number Original line Diff line number Diff line Loading @@ -706,7 +706,7 @@ module LibItsPki_Functions { var bitstring v_authorization_request_msg; var bitstring v_authorization_request_msg; // Generate the InnerAtRequest // Generate the InnerAtRequest if (f_generate_inner_at_request(vc_eaCertificate, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) { if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) { log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***"); log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***"); f_selfOrClientSyncAndVerdict("error", e_error); f_selfOrClientSyncAndVerdict("error", e_error); return; return; Loading Loading @@ -1387,7 +1387,8 @@ module LibItsPki_Functions { group inner_at_xxx { group inner_at_xxx { function f_generate_inner_at_request( function f_generate_inner_at_request( in Certificate p_ea_certificate, in Certificate p_aa_certificate, in Oct8 p_aa_hashed_id8, in Oct8 p_ea_hashed_id8, in Oct8 p_ea_hashed_id8, in Certificate p_ec_certificate, in Certificate p_ec_certificate, in octetstring p_ec_private_key, in octetstring p_ec_private_key, Loading Loading @@ -1434,6 +1435,10 @@ module LibItsPki_Functions { if (f_generate_key_pair(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) { if (f_generate_key_pair(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) { log("f_generate_inner_at_request: Failed to generate encryption key"); log("f_generate_inner_at_request: Failed to generate encryption key"); return false; return false; } else { log ("f_generate_inner_at_request: AT encryption private key: ", p_private_enc_key); log ("f_generate_inner_at_request: AT encryption public compressed key: ", p_public_compressed_enc_key); log ("f_generate_inner_at_request: AT encryption public compressed mode: ", p_compressed_enc_key_mode); } } } else { } else { p_private_enc_key := ''O; p_private_enc_key := ''O; Loading @@ -1453,20 +1458,26 @@ module LibItsPki_Functions { log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash); log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash); // Generate 32 octets length secret key // Generate 32 octets length secret key v_hmac_key := f_hashWithSha256(int2oct(f_getCurrentTime(), 12)); v_hmac_key := f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 12)); log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key); log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key); // Generate tag based on the concatenation of verification keys & encryption keys // Generate tag based on the concatenation of verification keys & encryption keys v_message_to_tag := v_public_key_x & v_public_key_y & v_public_enc_key_x & v_public_enc_key_y; v_message_to_tag := v_public_key_x & v_public_key_y & v_public_enc_key_x & v_public_enc_key_y; log("f_generate_inner_at_request: v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional log("f_generate_inner_at_request: v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional v_key_tag := fx_hmac_sha256(v_hmac_key, v_message_to_tag); // TODO Rename and use a wrapper function v_key_tag := substr( fx_hmac_sha256( // TODO Rename and use a wrapper function v_hmac_key, v_message_to_tag ), 0, 16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously log("f_generate_inner_at_request: v_key_tag= ", v_key_tag); log("f_generate_inner_at_request: v_key_tag= ", v_key_tag); // Build the SharedAtRequest // Build the SharedAtRequest p_inner_at_request.sharedAtRequest := valueof( p_inner_at_request.sharedAtRequest := valueof( m_shared_at_request( m_shared_at_request( p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity substr(v_key_tag, 0, 16), // Calculated keyTag v_key_tag, // Calculated keyTag valueof( valueof( m_certificate_subject_attributes( // FIXME Review subjectPermissions m_certificate_subject_attributes( // FIXME Review subjectPermissions p_ec_certificate.toBeSigned.appPermissions, p_ec_certificate.toBeSigned.appPermissions, Loading Loading @@ -1563,11 +1574,11 @@ module LibItsPki_Functions { // Use EA certificate for the encryption // Use EA certificate for the encryption if (PX_EC_ALG == e_nist_p256) { if (PX_EC_ALG == e_nist_p256) { if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) { if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0; v_compressed_mode := 0; v_compressed_mode := 0; } else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) { } else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1; v_compressed_mode := 1; v_compressed_mode := 1; } else { } else { log("f_generate_inner_at_request: Wrong NistP256 encryption variant"); log("f_generate_inner_at_request: Wrong NistP256 encryption variant"); Loading Loading @@ -1597,11 +1608,11 @@ module LibItsPki_Functions { v_authentication_vector v_authentication_vector ))); ))); } else if (PX_EC_ALG == e_brainpool_p256_r1) { } else if (PX_EC_ALG == e_brainpool_p256_r1) { if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) { if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0; v_compressed_mode := 0; v_compressed_mode := 0; } else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) { } else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) { v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1; v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1; v_compressed_mode := 1; v_compressed_mode := 1; } else { } else { log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant"); log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant"); Loading @@ -1626,7 +1637,7 @@ module LibItsPki_Functions { log("f_generate_inner_at_request: Wrong encryption variant"); log("f_generate_inner_at_request: Wrong encryption variant"); return false; return false; } } v_recipientId := p_ea_hashed_id8; // RecipientId is the HashedId8 of the EA certificate v_recipientId := p_aa_hashed_id8; // RecipientId is the HashedId8 of the EA certificate log("v_recipientId= ", v_recipientId); log("v_recipientId= ", v_recipientId); // Fill Certificate template with the public compressed keys (canonical form) // Fill Certificate template with the public compressed keys (canonical form) if (v_public_compressed_ephemeral_mode == 0) { if (v_public_compressed_ephemeral_mode == 0) { Loading