Continue PKI ATS development

c59baf96 · Yann Garcia · 50f63dfd · c59baf96
Commit c59baf96 authored Feb 18, 2019 by Yann Garcia
--- a/ttcn/Pki/LibItsPki_Functions.ttcn
+++ b/ttcn/Pki/LibItsPki_Functions.ttcn
@@ -706,7 +706,7 @@ module LibItsPki_Functions {
      var bitstring v_authorization_request_msg;
      // Generate the InnerAtRequest
-      if (f_generate_inner_at_request(vc_eaCertificate, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
+      if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
        log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***");
        f_selfOrClientSyncAndVerdict("error", e_error);
        return;
@@ -1387,7 +1387,8 @@ module LibItsPki_Functions {
  group inner_at_xxx {
    function f_generate_inner_at_request(
-                                         in Certificate p_ea_certificate,
+                                         in Certificate p_aa_certificate,
+                                         in Oct8 p_aa_hashed_id8,
                                         in Oct8 p_ea_hashed_id8,
                                         in Certificate p_ec_certificate,
                                         in octetstring p_ec_private_key,
@@ -1434,6 +1435,10 @@ module LibItsPki_Functions {
        if (f_generate_key_pair(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
          log("f_generate_inner_at_request: Failed to generate encryption key");
          return false;
+        } else {
+          log ("f_generate_inner_at_request: AT encryption private key: ", p_private_enc_key);
+          log ("f_generate_inner_at_request: AT encryption public compressed key: ", p_public_compressed_enc_key);
+          log ("f_generate_inner_at_request: AT encryption public compressed mode: ", p_compressed_enc_key_mode);
        }
      } else {
        p_private_enc_key := ''O;
@@ -1453,20 +1458,26 @@ module LibItsPki_Functions {
      log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash);
      // Generate 32 octets length secret key
-      v_hmac_key := f_hashWithSha256(int2oct(f_getCurrentTime(), 12));
+      v_hmac_key := f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 12));
      log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key);
      // Generate tag based on the concatenation of verification keys & encryption keys
      v_message_to_tag := v_public_key_x & v_public_key_y & v_public_enc_key_x & v_public_enc_key_y;
      log("f_generate_inner_at_request: v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional
-      v_key_tag := fx_hmac_sha256(v_hmac_key, v_message_to_tag); // TODO Rename and use a wrapper function
+      v_key_tag := substr(
+                          fx_hmac_sha256( // TODO Rename and use a wrapper function
+                                         v_hmac_key,
+                                         v_message_to_tag
+                                         ),
+                          0,
+                          16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously
      log("f_generate_inner_at_request: v_key_tag= ", v_key_tag);
      // Build the SharedAtRequest
      p_inner_at_request.sharedAtRequest := valueof(
                                                    m_shared_at_request(
                                                                        p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity
-                                                                        substr(v_key_tag, 0, 16), // Calculated keyTag
+                                                                        v_key_tag, // Calculated keyTag
                                                                        valueof(
                                                                                m_certificate_subject_attributes( // FIXME Review subjectPermissions
                                                                                                                 p_ec_certificate.toBeSigned.appPermissions,
@@ -1563,11 +1574,11 @@ module LibItsPki_Functions {
        // Use EA certificate for the encryption
        if (PX_EC_ALG == e_nist_p256) {
-          if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
+          if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
-            v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
+            v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
            v_compressed_mode := 0;
-          } else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) {
+          } else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) {
-            v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
+            v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
            v_compressed_mode := 1;
          } else {
            log("f_generate_inner_at_request: Wrong NistP256 encryption variant");
@@ -1597,11 +1608,11 @@ module LibItsPki_Functions {
                                                                                                                         v_authentication_vector
                                                                                                                         )));
        } else if (PX_EC_ALG == e_brainpool_p256_r1) {
-          if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
+          if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
-            v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
+            v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
            v_compressed_mode := 0;
-          } else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) {
+          } else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) {
-            v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1;
+            v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1;
            v_compressed_mode := 1;
          } else {
            log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant");
@@ -1626,7 +1637,7 @@ module LibItsPki_Functions {
          log("f_generate_inner_at_request: Wrong encryption variant");
          return false;
        }
-        v_recipientId := p_ea_hashed_id8; // RecipientId is the HashedId8 of the EA certificate
+        v_recipientId := p_aa_hashed_id8; // RecipientId is the HashedId8 of the EA certificate
        log("v_recipientId= ", v_recipientId);
        // Fill Certificate template with the public compressed keys (canonical form)
        if (v_public_compressed_ephemeral_mode == 0) {