/* * test-rsa.c * ---------- * Test harness for RSA using Cryptech ModExp core. * * Authors: Rob Austein * Copyright (c) 2015, NORDUnet A/S * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * - Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * - Neither the name of the NORDUnet nor the names of its contributors may * be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include #include #include #include "test-rsa.h" /* * Run one modexp test. */ static int test_modexp(const hal_core_t *core, const char * const kind, const rsa_tc_t * const tc, const rsa_tc_bn_t * const msg, /* Input message */ const rsa_tc_bn_t * const exp, /* Exponent */ const rsa_tc_bn_t * const val) /* Expected result */ { uint8_t result[tc->n.len]; printf("%s test for %lu-bit RSA key\n", kind, (unsigned long) tc->size); if (hal_modexp(core, msg->val, msg->len, exp->val, exp->len, tc->n.val, tc->n.len, result, sizeof(result)) != HAL_OK) return printf("ModExp failed\n"), 0; if (memcmp(result, val->val, val->len)) return printf("MISMATCH\n"), 0; return 1; } /* * Run one RSA CRT test. */ static int test_decrypt(const hal_core_t *core, const char * const kind, const rsa_tc_t * const tc) { printf("%s test for %lu-bit RSA key\n", kind, (unsigned long) tc->size); uint8_t keybuf[hal_rsa_key_t_size]; hal_rsa_key_t *key = NULL; hal_error_t err = HAL_OK; if ((err = hal_rsa_key_load_private(&key, keybuf, sizeof(keybuf), tc->n.val, tc->n.len, tc->e.val, tc->e.len, tc->d.val, tc->d.len, tc->p.val, tc->p.len, tc->q.val, tc->q.len, tc->u.val, tc->u.len, tc->dP.val, tc->dP.len, tc->dQ.val, tc->dQ.len)) != HAL_OK) return printf("RSA CRT key load failed: %s\n", hal_error_string(err)), 0; uint8_t result[tc->n.len]; if ((err = hal_rsa_decrypt(core, key, tc->m.val, tc->m.len, result, sizeof(result))) != HAL_OK) printf("RSA CRT failed: %s\n", hal_error_string(err)); const int mismatch = (err == HAL_OK && memcmp(result, tc->s.val, tc->s.len) != 0); if (mismatch) printf("MISMATCH\n"); hal_rsa_key_clear(key); return err == HAL_OK && !mismatch; } /* * Run one RSA key generation + CRT test. */ static int test_gen(const hal_core_t *core, const char * const kind, const rsa_tc_t * const tc) { printf("%s test for %lu-bit RSA key\n", kind, (unsigned long) tc->size); char fn[sizeof("test-rsa-private-key-xxxxxx.der")]; uint8_t keybuf1[hal_rsa_key_t_size], keybuf2[hal_rsa_key_t_size]; hal_rsa_key_t *key1 = NULL, *key2 = NULL; hal_error_t err = HAL_OK; FILE *f; const uint8_t f4[] = { 0x01, 0x00, 0x01 }; if ((err = hal_rsa_key_gen(core, &key1, keybuf1, sizeof(keybuf1), bitsToBytes(tc->size), f4, sizeof(f4))) != HAL_OK) return printf("RSA key generation failed: %s\n", hal_error_string(err)), 0; size_t der_len = 0; if ((err = hal_rsa_private_key_to_der(key1, NULL, &der_len, 0)) != HAL_OK) return printf("Getting DER length of RSA key failed: %s\n", hal_error_string(err)), 0; uint8_t der[der_len]; err = hal_rsa_private_key_to_der(key1, der, &der_len, sizeof(der)); snprintf(fn, sizeof(fn), "test-rsa-private-key-%04lu.der", (unsigned long) tc->size); printf("Writing %s\n", fn); if ((f = fopen(fn, "wb")) == NULL) return printf("Couldn't open %s: %s\n", fn, strerror(errno)), 0; if (fwrite(der, der_len, 1, f) != 1) return printf("Length mismatch writing %s\n", fn), 0; if (fclose(f) == EOF) return printf("Couldn't close %s: %s\n", fn, strerror(errno)), 0; /* Deferred error from hal_rsa_private_key_to_der() */ if (err != HAL_OK) return printf("Converting RSA private key to DER failed: %s\n", hal_error_string(err)), 0; if ((err = hal_rsa_private_key_from_der(&key2, keybuf2, sizeof(keybuf2), der, sizeof(der))) != HAL_OK) return printf("Converting RSA key back from DER failed: %s\n", hal_error_string(err)), 0; if (memcmp(keybuf1, keybuf2, hal_rsa_key_t_size) != 0) return printf("RSA private key mismatch after conversion to and back from DER\n"), 0; uint8_t result[tc->n.len]; if ((err = hal_rsa_decrypt(core, key1, tc->m.val, tc->m.len, result, sizeof(result))) != HAL_OK) printf("RSA CRT failed: %s\n", hal_error_string(err)); snprintf(fn, sizeof(fn), "test-rsa-sig-%04lu.der", (unsigned long) tc->size); printf("Writing %s\n", fn); if ((f = fopen(fn, "wb")) == NULL) return printf("Couldn't open %s: %s\n", fn, strerror(errno)), 0; if (fwrite(result, sizeof(result), 1, f) != 1) return printf("Length mismatch writing %s\n", fn), 0; if (fclose(f) == EOF) return printf("Couldn't close %s: %s\n", fn, strerror(errno)), 0; if (err != HAL_OK) /* Deferred failure from hal_rsa_decrypt(), above */ return 0; if ((err = hal_rsa_encrypt(core, key1, result, sizeof(result), result, sizeof(result))) != HAL_OK) printf("First RSA signature check failed: %s\n", hal_error_string(err)); int mismatch = 0; if (err == HAL_OK && memcmp(result, tc->m.val, tc->m.len) != 0) mismatch = (printf("MISMATCH\n"), 1); hal_rsa_key_clear(key2); key2 = NULL; if ((f = fopen(fn, "rb")) == NULL) return printf("Couldn't open %s: %s\n", fn, strerror(errno)), 0; if (fread(result, sizeof(result), 1, f) != 1) return printf("Length mismatch reading %s\n", fn), 0; if (fclose(f) == EOF) return printf("Couldn't close %s: %s\n", fn, strerror(errno)), 0; err = hal_rsa_public_key_to_der(key1, der, &der_len, sizeof(der)); snprintf(fn, sizeof(fn), "test-rsa-public-key-%04lu.der", (unsigned long) tc->size); printf("Writing %s\n", fn); if ((f = fopen(fn, "wb")) == NULL) return printf("Couldn't open %s: %s\n", fn, strerror(errno)), 0; if (fwrite(der, der_len, 1, f) != 1) return printf("Length mismatch writing %s\n", fn), 0; if (fclose(f) == EOF) return printf("Couldn't close %s: %s\n", fn, strerror(errno)), 0; /* Deferred error from hal_rsa_public_key_to_der() */ if (err != HAL_OK) return printf("Converting RSA public key to DER failed: %s\n", hal_error_string(err)), 0; if ((err = hal_rsa_public_key_from_der(&key2, keybuf2, sizeof(keybuf2), der, der_len)) != HAL_OK) return printf("Converting RSA public key back from DER failed: %s\n", hal_error_string(err)), 0; /* * Can't directly compare private key with public key. We could * extract and compare the public key components, not much point if * the public key passes the signature verification test below. */ if ((err = hal_rsa_encrypt(core, key2, result, sizeof(result), result, sizeof(result))) != HAL_OK) return printf("Second RSA signature check failed: %s\n", hal_error_string(err)), 0; if (err == HAL_OK && memcmp(result, tc->m.val, tc->m.len) != 0) mismatch = (printf("MISMATCH\n"), 1); hal_rsa_key_clear(key1); hal_rsa_key_clear(key2); return err == HAL_OK && !mismatch; } /* * Time a test. */ static void _time_check(const struct timeval t0, const int ok) { struct timeval t; gettimeofday(&t, NULL); t.tv_sec -= t0.tv_sec; t.tv_usec = t0.tv_usec; if (t.tv_usec < 0) { t.tv_usec += 1000000; t.tv_sec -= 1; } printf("Elapsed time %lu.%06lu seconds, %s\n", (unsigned long) t.tv_sec, (unsigned long) t.tv_usec, ok ? "OK" : "FAILED"); } #define time_check(_expr_) \ do { \ struct timeval _t; \ gettimeofday(&_t, NULL); \ int _ok = (_expr_); \ _time_check(_t, _ok); \ ok &= _ok; \ } while (0) /* * Test signature and exponentiation for one RSA keypair using * precompiled test vectors, then generate a key of the same length * and try generating a signature with that. */ static int test_rsa(const hal_core_t *core, const rsa_tc_t * const tc) { int ok = 1; /* RSA encryption */ time_check(test_modexp(core, "Verification", tc, &tc->s, &tc->e, &tc->m)); /* Brute force RSA decryption */ time_check(test_modexp(core, "Signature (ModExp)", tc, &tc->m, &tc->d, &tc->s)); /* RSA decyrption using CRT */ time_check(test_decrypt(core, "Signature (CRT)", tc)); /* Key generation and CRT -- not test vector, so writes key and sig to file */ time_check(test_gen(core, "Generation and CRT", tc)); return ok; } int main(int argc, char *argv[]) { const hal_core_t *core = hal_core_find(MODEXPS6_NAME, NULL); const hal_core_info_t *core_info = hal_core_info(core); if (core_info != NULL) printf("\"%8.8s\" \"%4.4s\"\n\n", core_info->name, core_info->version); /* * Run the test cases. */ hal_modexp_set_debug(1); /* Normal test */ for (int i = 0; i < (sizeof(rsa_tc)/sizeof(*rsa_tc)); i++) if (!test_rsa(core, &rsa_tc[i])) return 1; return 0; } /* * Local variables: * indent-tabs-mode: nil * End: */ '#n120'>120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 
164

165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

                    

                          
 
 















































































                                                                        
                                                                          












































































                                                                                  
                                                                                        































                                                                                       

   

Title: UpgradeToKSNG
Date: 2016-12-22 22:33
Modified: 2016-12-22 22:53


Upgrading Cryptech Alpha HSM to "ksng" development package


This page attempts to explain the upgrade procedure for testing out
the new "ksng" development branch of the Cryptech Alpha firmware.


Cavats


This particular upgrade is more complicated than we would have
preferred, due to the interaction of two unrelated factors:


    

  1. As the name (obscurely) implies, the main feature in the ksng
   branch is a completely new HSM keystore implementation, which makes
   better use of the Alpha's keystore flash, allows a much larger
   number of keys, removes the need for an SQL database on the host,
   gets your laundry 25% brighter, and leaves your breath alone.
    2. 



We did not attempt to provide any sort of backwards compatability
   to the old minimalistic keystore implementation, so this upgrade
   process will wipe your keystore.  Sorry.  More importantly (from
   the limited viewpoint of the upgrade process), it will change how
   the HSM stores its PINs, which complicates the upgrade process.


    

  1. The "Device Field Upgrade" (DFU) capability in the Alpha's firmware
   was a last-minute addition before the Berlin workshop in July 2016,
   and, as last minute additions often do, it turned out to be buggy.
   There are three distinct pieces of software involved in the upgrade
   process, and they were all slightly buggy, in different ways.
   Because of this, one must perform the upgrade steps in a particular
   order to avoid bricking the HSM.  The upgrade includes fixes for
   all the (known) bugs in the DFU process, so we hope that this will
   be a one-time annoyance (famous last words).
    2. 



If something goes horribly wrong and you do somehow manage to brick
your Alpha, don't give up, recovery is still possible, it just
requires an ST-LINK debugger and cable (more on this below).


Overview


Because of the tricky nature of this particular upgrade, you must
perform these steps, in the specified order:


    

  • Install the new host software package using APT or Homebrew.
    • 

  • Wipe the HSM keystore to reset PINs back to the "factory" state.
    • 

  • Upgrade the main HSM firmware.
    • 

  • Upgrade the HSM bootloader.
    • 

  • Log in to upgraded HSM to set PINs, etc.
    • 



Upgrading the bootloader before the main firmware will brick your
Alpha.  So don't do that.


All of the operations here use the Alpha's "management" (MGMT) port,
so that cable must be connected to your Linux or OSX host machine.


This upgrade procedure was tested on Debian Jessie, with an Alpha
whose firmware had been rolled back to the version from the Berlin
workshop (APT/Homebrew package version 2.0.1468584175, commit
cd445b69b2caa7205f4e1c368aa2c6bf8c2d7692 in repository
https://git.cryptech.is/releng/alpha.git).


Install cryptech-alpha-ksng package using apt-get or Homebrew


Binaries for the "ksng" branch are available as a separate set of
"cryptech-alpha-ksng" packages, which replace the "cryptech-alpha"
packages for the master branch.  This seemed the simplest way of
letting people experiment with the new code while falling back to the
old if necessary.  The "cryptech-alpha-ksng" packages are declared to
conflict with the "cryptech-alpha" packages, because they install
programs by the same name in the same places and you need the version
of the host software which goes with the HSM firmware your running.


APT handles package conflicts differently from the way that Homebrew
does.  If you have "cryptech-alpha" installed and try to install
"cryptech-alpha-ksng", APT assumes you meant what you said and will
just replace the old package with the new one.  Homebrew, on the other
hand, reports the conflict and refuses to proceed until you sort it out.


The following assumes that you already had the Cryptech APT repository
or Homebrew tap configured; if not, see  BinaryPackages.


Installing cryptech-alpha-ksng package using apt-get on Debian or Ubuntu Linux


$ sudo apt-get update
$ sudo apt-get install cryptech-alpha-ksng




Installing cryptech-alpha-ksng package using Homebrew on OSX


$ brew update
$ brew uninstall cryptech-alpha
$ brew install cryptech-alpha-ksng




Set usual CRYPTECH_* environment variables


The upgrade process uses the CRYPTECH_CTY_CLIENT_SERIAL_DEVICE
environment variable.  The easiest way to set it is by using the
cryptech_probe script, just as you would for other usage of the
Alpha.


$ eval `cryptech_probe -v`




Clear the keystore flash


Sorry about this.  Yes, we know we need backup and restore, we'll get
there.  But for this upgrade, it's safest to wipe the keystore.


$ cryptech_miniterm

Username: wheel
Password: <your-wheel-pin-goes-here>

cryptech> keystore erase YesIAmSure

^]




Upgrade the main HSM firmware


$ cryptech_upload --firmware --user wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding




Upgrade the bootloader


$ cryptech_upload --bootloader --user wheel --simon-says-whack-my-bootloader
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding




Log in and set PINs, masterkey, etcetera


$ cryptech_miniterm

Username: wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding

cryptech> keystore set pin wheel fnord
cryptech> keystore set pin so    fnord
cryptech> keystore set pin user  fnord
cryptech> masterkey set

^]




What to do if you manage to brick your Alpha


If the above procedure somehow goes horribly wrong and bricks your
alpha, you can still recover, but you'll need an ST-LINK programmer.
There's some discussion of this at GitRepositories/sw/stm32.


Possible sources for the ST-LINK programmer and a suitable cable:


    

  • http://www.mouser.com/search/ProductDetail.aspx?R=0virtualkey0virtualkeyNUCLEO-F411RE
    • 

  • https://www.sparkfun.com/products/10376
    • 



These are relatively cheap, you'll probably pay as much for the
postage as for the parts themselves.  If you have a better source, go
for it.


The programmer is the important part, you can use any sort of cabling
you like so long as it connects the right pins of the programmer to
the corresponding pins on the Alpha; the SparkFun cable just happens
to be a tidy package which matches the relevant SWD headers.


We'll include a more detailed description of the recovery process here
if anybody needs it, but the short version is:


    

  • Install OpenOCD on your host machine.
    • 

  • Open up the Alpha's case, take the board out.
    • 

  • Connect the programmer and power the board back up.
    • 

  • Use the flash-target script from the sw/stm32 repository to
    • 



stuff the hsm.elf and bootloader.elf files from the binary
  firmware tarball into the HSM.


    

  • Power down, disconnect the programmer, put the Alpha back in its
    • 



case, done.