Milestone: PKIMessage protection

synrc · Jul 31, 2023 · c4bff3c · c4bff3c
1 parent 2bc5eb2
commit c4bff3c
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 26 deletions.
diff --git a/lib/cmp.ex b/lib/cmp.ex
@@ -39,7 +39,6 @@ defmodule CA.CMP do
     def mac(bin, salt, iter) do
         base_key = :lists.foldl(fn x, acc ->
             :crypto.hash(:sha256, acc) end, bin <> salt, :lists.seq(1,iter))
-#        :binary.part(base_key, 0, 32)
     end
 
     def message(socket, header, {:ir, req} = body, code) do
@@ -77,26 +76,19 @@ defmodule CA.CMP do
            extensions: [subject_alt_name: X509.Certificate.Extension.subject_alt_name(["synrc.com"]) ])
 
         reply = CA."CertRepMessage"(response:
-              [ CA."CertResponse"(certReqId: 1,
+              [ CA."CertResponse"(certReqId: -1,
                 certifiedKeyPair: CA."CertifiedKeyPair"(certOrEncCert:
                   {:certificate, {:x509v3PKCert, convertOTPtoPKIX(cert)}}),
                 status: CA."PKIStatusInfo"(status: 0))])
 
         incomingProtection = CA."ProtectedPart"(header: header, body: body)
         {:ok, bin} = :"PKIXCMP-2009".encode(:'ProtectedPart', incomingProtection)
-        verifyKey  = mac("ThisIsClassified", salt, counter)
-        verifyKey2 = :crypto.pbkdf2_hmac(:sha256, "ThisIsClassified", salt, counter, 20)
-        verify     = :crypto.mac(:hmac, :sha256, verifyKey, bin)
-        verify2    = :crypto.mac(:hmac, :sha256, verifyKey2, bin)
+        verifyKey  = mac("1111", salt, counter)
+        verify     = :crypto.mac(:hmac, CA.KDF.hs(:erlang.size(code)), verifyKey, bin)
+        verify     = code
 
         :io.format 'code: ~p~n', [code]
-        :io.format 'vfyK1: ~p~n', [verifyKey]
-        :io.format 'vfyK2: ~p~n', [verifyKey2]
-        :io.format 'vfy1: ~p~n', [verify]
-        :io.format 'vfy2: ~p~n', [verify2]
         :io.format 'pvno: ~p~n', [pvno]
-#       :io.format 'from: ~p~n', [from]
-#       :io.format 'to: ~p~n', [to]
         :io.format 'messageTime: ~p~n', [messageTime]
         :io.format 'protectionAlgortihm: ~p~n', [CA.ALG.lookup(oid)]
         :io.format 'senderKID: ~p~n', [senderKID]
@@ -114,18 +106,17 @@ defmodule CA.CMP do
 #       :io.format 'issuedPKIX: ~p~n', [convertOTPtoPKIX(cert)]
 
         pkibody = {:cp, reply}
-        pkiheader = CA."PKIHeader"(sender: to, recipient: from, pvno: pvno,
+        pkiheader = CA."PKIHeader"(sender: to, recipient: from, pvno: pvno, recipNonce: senderNonce,
             transactionID: transactionID, protectionAlg: protectionAlg, messageTime: messageTime)
-        outgoingProtection = CA."ProtectedPart"(header: pkiheader, body: pkibody)
 
-        {:ok, out} = :"PKIXCMP-2009".encode(:'ProtectedPart', outgoingProtection)
-        overifyKey  = mac("ThisIsClassified", salt, counter)
-        overifyKey2 = :crypto.pbkdf2_hmac(:sha256, "ThisIsClassified", salt, counter, 32)
-        overify     = :crypto.mac(:hmac, :sha256, overifyKey, out)
-        overify2    = :crypto.mac(:hmac, :sha256, overifyKey2, out)
-        :io.format 'protection: ~p~n', [overify]
+        answer(socket, pkiheader, pkibody, code)
+    end
 
-        answer(socket, pkiheader, pkibody, :asn1_NOVALUE)
+    def message(_socket, _header, {:certConf, statuses} = body, _code) do
+        :logger.info 'CERTCONF request ~p', [1]
+        :lists.map(fn {:CertStatus,bin,no,{:PKIStatusInfo, :accepted, _, _}} -> 
+            :logger.info 'PKIX ~p accepted ~p', [no,bin]
+        end, statuses)
     end
 
     def message(_socket, _header, body, _code) do
@@ -140,7 +131,17 @@ defmodule CA.CMP do
         {oid, salt, owf, mac, counter}
     end
 
-    def answer(socket, header, body, code) do
+    def answer(socket, header, body, size) do
+        {:PKIHeader, pvno, from, to, messageTime, protectionAlg, senderKID, recipKID,
+           transactionID, senderNonce, recipNonce, freeText, generalInfo} = header
+        {oid, salt, owf, mac, counter} = protection(protectionAlg)
+
+        outgoingProtection = CA."ProtectedPart"(header: header, body: body)
+        {:ok, out} = :"PKIXCMP-2009".encode(:'ProtectedPart', outgoingProtection)
+        overifyKey  = mac("1111", salt, counter)
+        code     = :crypto.mac(:hmac, CA.KDF.hs(:erlang.size(size)), overifyKey, out)
+        :io.format 'protection: ~p~n', [code]
+
         message = CA."PKIMessage"(header: header, body: body, protection: code)
         {:ok, bytes} = :'PKIXCMP-2009'.encode(:'PKIMessage', message)
         res =  "HTTP/1.0 200 OK\r\n"

diff --git a/lib/kdf.ex b/lib/kdf.ex
@@ -1,6 +1,13 @@
 defmodule CA.KDF do
   @moduledoc "CA/KDF library."
 
+  def hs(16), do: :md5
+  def hs(20), do: :sha
+  def hs(28), do: :sha224
+  def hs(32), do: :sha256
+  def hs(48), do: :sha384
+  def hs(64), do: :sha512
+
   def hl(:md5),    do: 16
   def hl(:sha),    do: 20
   def hl(:sha224), do: 28

diff --git a/p10cr.sh b/p10cr.sh
@@ -2,8 +2,6 @@
 
 export client=maxim
 
-#            -secret pass:0000 
-
-openssl cmp -cmd p10cr -server localhost:1829 \
-            -path . -srvcert ca.pem -ref cmptestp10cr -unprotected_requests \
+openssl cmp -cmd p10cr -server localhost:1829 -secret pass:1111 \
+            -path . -srvcert ca.pem -ref cmptestp10cr  \
             -certout $client.pem -csr $client.csr