......@@ -706,7 +706,7 @@ module LibItsPki_Functions {
var bitstring v_authorization_request_msg;
// Generate the InnerAtRequest
if (f_generate_inner_at_request(vc_eaCertificate, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
if (f_generate_inner_at_request(vc_aaCertificate, vc_aaHashedId8, vc_eaHashedId8, p_ec_certificate, p_ec_private_key, p_private_key, p_public_key_compressed, p_compressed_key_mode, p_private_enc_key, p_public_compressed_enc_key, p_compressed_enc_key_mode, v_inner_at_request) == false) {
log("*** f_http_build_authorization_request: ERROR: Failed to generate AuthorizationValidationRequest ***");
f_selfOrClientSyncAndVerdict("error", e_error);
return;
......@@ -1285,7 +1285,7 @@ module LibItsPki_Functions {
),
m_headerInfo_inner_pki_request(
-,
f_getCurrentTimeUtc()
(f_getCurrentTime() * 1000) //us
)
);
// Signed the encoded InnerEcRequestSignedForPop
......@@ -1387,7 +1387,8 @@ module LibItsPki_Functions {
group inner_at_xxx {
function f_generate_inner_at_request(
in Certificate p_ea_certificate,
in Certificate p_aa_certificate,
in Oct8 p_aa_hashed_id8,
in Oct8 p_ea_hashed_id8,
in Certificate p_ec_certificate,
in octetstring p_ec_private_key,
......@@ -1434,6 +1435,10 @@ module LibItsPki_Functions {
if (f_generate_key_pair(p_private_enc_key, v_public_enc_key_x, v_public_enc_key_y, p_public_compressed_enc_key, p_compressed_enc_key_mode) == false) {
log("f_generate_inner_at_request: Failed to generate encryption key");
return false;
} else {
log ("f_generate_inner_at_request: AT encryption private key: ", p_private_enc_key);
log ("f_generate_inner_at_request: AT encryption public compressed key: ", p_public_compressed_enc_key);
log ("f_generate_inner_at_request: AT encryption public compressed mode: ", p_compressed_enc_key_mode);
}
} else {
p_private_enc_key := ''O;
......@@ -1453,20 +1458,26 @@ module LibItsPki_Functions {
log("f_generate_inner_at_request: v_ec_hash= ", v_ec_hash);
// Generate 32 octets length secret key
v_hmac_key := f_hashWithSha256(int2oct(f_getCurrentTime(), 12));
v_hmac_key := f_hashWithSha256(int2oct((f_getCurrentTimeUtc() * 1000), 12));
log("f_generate_inner_at_request: v_hmac_key= ", v_hmac_key);
// Generate tag based on the concatenation of verification keys & encryption keys
v_message_to_tag := v_public_key_x & v_public_key_y & v_public_enc_key_x & v_public_enc_key_y;
log("f_generate_inner_at_request: v_message_to_tag= ", v_message_to_tag); // FIXME encryption keys could be optional
v_key_tag := fx_hmac_sha256(v_hmac_key, v_message_to_tag); // TODO Rename and use a wrapper function
v_key_tag := substr(
fx_hmac_sha256( // TODO Rename and use a wrapper function
v_hmac_key,
v_message_to_tag
),
0,
16); // Leftmost 128 bits of the HMAC-SHA256 tag computed previously
log("f_generate_inner_at_request: v_key_tag= ", v_key_tag);
// Build the SharedAtRequest
p_inner_at_request.sharedAtRequest := valueof(
m_shared_at_request(
p_ea_hashed_id8, // eaId identifies the EA certificate shared with EA entity
substr(v_key_tag, 0, 16), // Calculated keyTag
v_key_tag, // Calculated keyTag
valueof(
m_certificate_subject_attributes( // FIXME Review subjectPermissions
p_ec_certificate.toBeSigned.appPermissions,
......@@ -1486,7 +1497,7 @@ module LibItsPki_Functions {
m_signedDataPayload_ext(v_hash_shared_at_request), // Payload containing extDataHash
m_headerInfo_inner_pki_request( // HeaderInfo
-,
f_getCurrentTimeUtc())
(f_getCurrentTime()) * 1000) //us
);
log("f_generate_inner_at_request: v_tbs= ", v_tbs);
// Signed ToBeSigned payload using the private key of EC certificate obtained from Enrolment request
......@@ -1563,11 +1574,11 @@ module LibItsPki_Functions {
// Use EA certificate for the encryption
if (PX_EC_ALG == e_nist_p256) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0)) {
v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_0;
v_compressed_mode := 0;
} else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
} else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1)) {
v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesNistP256.compressed_y_1;
v_compressed_mode := 1;
} else {
log("f_generate_inner_at_request: Wrong NistP256 encryption variant");
......@@ -1597,11 +1608,11 @@ module LibItsPki_Functions {
v_authentication_vector
)));
} else if (PX_EC_ALG == e_brainpool_p256_r1) {
if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0)) {
v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_0;
v_compressed_mode := 0;
} else if (ischosen(p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) {
v_public_enc_key := p_ea_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1;
} else if (ischosen(p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1)) {
v_public_enc_key := p_aa_certificate.toBeSigned.encryptionKey.publicKey.eciesBrainpoolP256r1.compressed_y_1;
v_compressed_mode := 1;
} else {
log("f_generate_inner_at_request: Wrong BrainpoolP256r1 encryption variant");
......@@ -1626,7 +1637,7 @@ module LibItsPki_Functions {
log("f_generate_inner_at_request: Wrong encryption variant");
return false;
}
v_recipientId := p_ea_hashed_id8; // RecipientId is the HashedId8 of the EA certificate
v_recipientId := p_aa_hashed_id8; // RecipientId is the HashedId8 of the EA certificate
log("v_recipientId= ", v_recipientId);
// Fill Certificate template with the public compressed keys (canonical form)
if (v_public_compressed_ephemeral_mode == 0) {
......@@ -1966,7 +1977,7 @@ module LibItsPki_Functions {
m_signedDataPayload(
m_etsiTs103097Data_unsecured(p_pki_message)
),
m_headerInfo_inner_pki_request(-, f_getCurrentTimeUtc())
m_headerInfo_inner_pki_request(-, (f_getCurrentTime() * 1000)/*us*/)
);
log("f_build_pki_secured_request_message_signed_with_pop: signer: ", p_signer_identifier);
if (PICS_SECPKI_REENROLMENT == false) { // This is the first enrolment, we used Factory keys
......@@ -2367,7 +2378,7 @@ module LibItsPki_Functions {
m_signedDataPayload(
m_etsiTs103097Data_unsecured(p_pki_message)
),
m_headerInfo_inner_pki_response(-, f_getCurrentTimeUtc())
m_headerInfo_inner_pki_response(-, (f_getCurrentTime() * 1000)/*us*/)
);
if (ischosen(p_signer_identifier.self_)) {
v_tbs_signed := f_signWithEcdsaNistp256WithSha256(bit2oct(encvalue(v_tbs)), int2oct(0, 32), p_private_key);
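Review bot: The HMAC key behind the keyTag in f_generate_inner_at_request is still derived from the clock: both `v_hmac_key := f_hashWithSha256(int2oct(...))` lines shown in the @@ -1453 hunk hash a timestamp, so the value described as a "32 octets length secret key" is predictable to anyone who knows roughly when the request was built, which presumably weakens whatever the keyTag is meant to protect. The key should come from the test system's random source instead, for example `v_hmac_key := fx_random_octets(32); // placeholder name: use the library's own RNG external function`. The same function also writes secret material to the test log: the added else-branch in the @@ -1434 hunk logs `p_private_enc_key` and the line after the derivation logs `v_hmac_key`; I would drop those two calls and keep only the public-key logs, since execution logs are usually archived and passed around. The +/- markers are lost on this page, so which of the two timestamp lines is the new one is inferred, and the function body starts and ends outside the hunks shown.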
......