void PKCS12Serializable::Serialize(IStream &stream) const
{
// key
Key *keyPtr = getKey().get();
bool isAnyKeyPresent = (getKey().get() != NULL);
// logics if PKCS is correct or not is on the service side.
// sending number of keys and certificates to allow proper parsing on the service side.
// (what if no key or cert present? attempt to deserialize a not present key/cert would
// throw an error and close the connection).
Serialization::Serialize(stream, static_cast<size_t>(isAnyKeyPresent?1:0));
if (keyPtr) {
Serialization::Serialize(stream, DataType(keyPtr->getType()));
Serialization::Serialize(stream, keyPtr->getDER());
}
bool isAnyCertPresent = (getCertificate().get() != NULL);
Serialization::Serialize(stream, static_cast<size_t>(isAnyCertPresent?1:0));
if (isAnyCertPresent)
Serialization::Serialize(stream, getCertificate().get()->getDER());
// CA chain
Serialization::Serialize(stream, getCaCertificateShPtrVector().size());
for (auto it : getCaCertificateShPtrVector())
Serialization::Serialize(stream, it->getDER());
};
void
SecPublicInfo::refreshDefaultCertificate()
{
Name certName = getDefaultCertificateNameForIdentity(getDefaultIdentity());
if(certName.empty())
defaultCertificate_.reset();
else
defaultCertificate_ = getCertificate(certName);
}
void
SecPublicInfo::refreshDefaultCertificate()
{
try {
Name certName = getDefaultCertificateNameForIdentity(getDefaultIdentity());
m_defaultCertificate = getCertificate(certName);
}
catch (SecPublicInfo::Error&) {
m_defaultCertificate.reset();
}
}
void Immigrant::visit(std::shared_ptr<Courthouse> c) {
courthouse = c;
if (enter()) {
checkIn();
sitDown();
swear();
getCertificate();
leave();
}
}
ptr_lib::shared_ptr<IdentityCertificate>
IdentityStorage::getDefaultCertificate()
{
Name certName;
try {
certName = getDefaultCertificateNameForIdentity(getDefaultIdentity());
} catch (SecurityException&) {
// The default is not defined.
return ptr_lib::shared_ptr<IdentityCertificate>();
}
return getCertificate(certName);
}
ptr_lib::shared_ptr<IdentityCertificate>
IdentityManager::createIdentityCertificate(const Name& certificatePrefix,
const PublicKey& publicKey,
const Name& signerCertificateName,
const MillisecondsSince1970& notBefore,
const MillisecondsSince1970& notAfter)
{
ptr_lib::shared_ptr<IdentityCertificate> certificate(new IdentityCertificate());
Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
Name certificateName = certificatePrefix;
MillisecondsSince1970 ti = ::ndn_getNowMilliseconds();
// Get the number of seconds.
ostringstream oss;
oss << floor(ti / 1000.0);
certificateName.append("ID-CERT").append(oss.str());
certificate->setName(certificateName);
certificate->setNotBefore(notBefore);
certificate->setNotAfter(notAfter);
certificate->setPublicKeyInfo(publicKey);
certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
certificate->encode();
ptr_lib::shared_ptr<Sha256WithRsaSignature> sha256Sig(new Sha256WithRsaSignature());
KeyLocator keyLocator;
keyLocator.setType(ndn_KeyLocatorType_KEYNAME);
keyLocator.setKeyName(signerCertificateName);
sha256Sig->setKeyLocator(keyLocator);
sha256Sig->getPublisherPublicKeyDigest().setPublisherPublicKeyDigest(publicKey.getDigest());
certificate->setSignature(*sha256Sig);
SignedBlob unsignedData = certificate->wireEncode();
ptr_lib::shared_ptr<IdentityCertificate> signerCertificate = getCertificate(signerCertificateName);
Name signerkeyName = signerCertificate->getPublicKeyName();
Blob sigBits = privateKeyStorage_->sign(unsignedData, signerkeyName);
sha256Sig->setSignature(sigBits);
return certificate;
}
ReturnValue BleApiTest_Enroll(pBleDevice dev, int expectedSW12)
{
uint64_t t = dev->TimeMs();
ReturnValue retval;
int i;
unsigned char reply[2048];
unsigned int replyLength = sizeof(reply);
unsigned char request[256];
unsigned int requestlen;
unsigned char replyCmd;
memset(reply, 0, sizeof(reply));
/* generate appid and nonce */
for (i = 0; i < sizeof(regReq.appId); i++)
regReq.appId[i] = (rand() & 0xFF);
for (i = 0; i < sizeof(regReq.nonce); i++)
regReq.nonce[i] = (rand() & 0xFF);
/* prepare register request */
request[0] = 0x00;
request[1] = 0x01;
request[2] = 0x00;
request[3] = 0x00;
request[4] = 0x00;
request[5] = 0x00;
request[6] = sizeof(regReq.nonce) + sizeof(regReq.appId);
memcpy(request + 7, regReq.nonce, sizeof(regReq.nonce));
memcpy(request + 7 + sizeof(regReq.nonce), regReq.appId,
sizeof(regReq.appId));
requestlen = 7 + sizeof(regReq.nonce) + sizeof(regReq.appId);
request[requestlen++] = 0x00;
request[requestlen++] = 0x00;
/* write command */
retval =
dev->CommandWrite(FIDO_BLE_CMD_MSG, request, requestlen, &replyCmd,
reply, &replyLength);
CHECK_EQ(retval, ReturnValue::BLEAPI_ERROR_SUCCESS);
if (expectedSW12 != FIDO_RESP_SUCCESS) {
CHECK_EQ(expectedSW12, bytes2short(reply, replyLength - 2), "Returned error does not match expected value.");
CHECK_EQ(replyLength, 2, "Returned value does not match expected length.");
return ReturnValue::BLEAPI_ERROR_SUCCESS;
}
/* check reply */
CHECK_EQ(replyCmd, FIDO_BLE_CMD_MSG, "Reply is not a FIDO_BLE_CMD_MSG (0x83)");
CHECK_EQ(FIDO_RESP_SUCCESS, bytes2short(reply, replyLength - 2), "Status code is not FIDO_RESP_SUCCESS (0x9000)");
CHECK_NE(replyLength, 2, "Reply length is only status code.");
CHECK_LE(replyLength - 2, sizeof(U2F_REGISTER_RESP), "Returned register response does not match expected length.");
memcpy(®Rsp, reply, replyLength - 2);
CHECK_EQ(regRsp.registerId, U2F_REGISTER_ID, "Register ID is not 0x05");
CHECK_EQ(regRsp.pubKey.format, UNCOMPRESSED_POINT, "Public Key format is not uncompressed point.");
INFO << "Enroll: " << (replyLength -
2) << " bytes in " << ((float)(dev->TimeMs() -
t)) /
1000.0 << "s";
// Check crypto of enroll response.
std::string cert;
CHECK_EQ(getCertificate(regRsp, &cert), true, "Cannot extract certificate.");
INFO << "cert: " << bytes2ascii(cert);
std::string pk;
CHECK_EQ(getSubjectPublicKey(cert, &pk), true, "Cannot extract public key.");
INFO << "pk : " << bytes2ascii(pk);
std::string sig;
CHECK_EQ(getSignature(regRsp, static_cast<int>(cert.size()), &sig), true, "Cannot extract signature.");
INFO << "sig : " << bytes2ascii(sig);
// Parse signature into two integers.
p256_int sig_r, sig_s;
CHECK_EQ(1, dsa_sig_unpack((uint8_t *) (sig.data()), static_cast<int>(sig.size()),
&sig_r, &sig_s), "Cannot unpack signature");
// Compute hash as integer.
const uint8_t *hash;
p256_int h;
SHA256_CTX sha;
SHA256_init(&sha);
uint8_t rfu = 0;
SHA256_update(&sha, &rfu, sizeof(rfu)); // 0x00
SHA256_update(&sha, regReq.appId, sizeof(regReq.appId)); // O
SHA256_update(&sha, regReq.nonce, sizeof(regReq.nonce)); // d
SHA256_update(&sha, regRsp.keyHandleCertSig, regRsp.keyHandleLen); // hk
SHA256_update(&sha, ®Rsp.pubKey, sizeof(regRsp.pubKey)); // pk
hash = SHA256_final(&sha);
p256_from_bin(hash, &h);
INFO << "hash : " << bytes2ascii((char *)hash, 32);
// Parse subject public key into two integers.
CHECK_EQ(pk.size(), P256_POINT_SIZE, "Public key does not match P256 point size.");
p256_int pk_x, pk_y;
p256_from_bin((uint8_t *) pk.data() + 1, &pk_x);
p256_from_bin((uint8_t *) pk.data() + 1 + P256_SCALAR_SIZE, &pk_y);
// Verify signature.
CHECK_EQ(1, p256_ecdsa_verify(&pk_x, &pk_y, &h, &sig_r, &sig_s), "Signature does not match.");
return ReturnValue::BLEAPI_ERROR_SUCCESS;
}
