tem_ruby 0.13.0 → 0.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/CHANGELOG +2 -0
- data/Manifest +2 -2
- data/lib/tem/apdus/keys.rb +3 -2
- data/lib/tem/builders/crypto.rb +3 -2
- data/lib/tem/definitions/abi.rb +4 -4
- data/lib/tem/firmware/tc.cap +0 -0
- data/lib/tem/keys/asymmetric.rb +15 -8
- data/lib/tem/keys/key.rb +9 -2
- data/lib/tem/keys/symmetric.rb +109 -11
- data/lib/tem/secpack.rb +1 -0
- data/lib/tem/toolkit.rb +9 -7
- data/tem_ruby.gemspec +4 -4
- data/test/firmware/test_uploader.rb +1 -1
- data/test/tem_unit/test_tem_crypto_keys.rb +189 -0
- data/test/test_crypto_engine.rb +116 -0
- data/test/test_driver.rb +0 -52
- metadata +17 -15
- data/test/tem_unit/test_tem_crypto_asymmetric.rb +0 -123
data/CHANGELOG
CHANGED
data/Manifest
CHANGED
|
@@ -48,7 +48,6 @@ lib/tem/secpack.rb
|
|
|
48
48
|
lib/tem/tem.rb
|
|
49
49
|
lib/tem/toolkit.rb
|
|
50
50
|
lib/tem_ruby.rb
|
|
51
|
-
tem_ruby.gemspec
|
|
52
51
|
test/_test_cert.rb
|
|
53
52
|
test/builders/test_abi_builder.rb
|
|
54
53
|
test/firmware/test_uploader.rb
|
|
@@ -56,8 +55,8 @@ test/tem_test_case.rb
|
|
|
56
55
|
test/tem_unit/test_tem_alu.rb
|
|
57
56
|
test/tem_unit/test_tem_bound_secpack.rb
|
|
58
57
|
test/tem_unit/test_tem_branching.rb
|
|
59
|
-
test/tem_unit/test_tem_crypto_asymmetric.rb
|
|
60
58
|
test/tem_unit/test_tem_crypto_hash.rb
|
|
59
|
+
test/tem_unit/test_tem_crypto_keys.rb
|
|
61
60
|
test/tem_unit/test_tem_crypto_pstore.rb
|
|
62
61
|
test/tem_unit/test_tem_crypto_random.rb
|
|
63
62
|
test/tem_unit/test_tem_emit.rb
|
|
@@ -66,5 +65,6 @@ test/tem_unit/test_tem_memory_compare.rb
|
|
|
66
65
|
test/tem_unit/test_tem_output.rb
|
|
67
66
|
test/tem_unit/test_tem_yaml_secpack.rb
|
|
68
67
|
test/test_auto_conf.rb
|
|
68
|
+
test/test_crypto_engine.rb
|
|
69
69
|
test/test_driver.rb
|
|
70
70
|
test/test_exceptions.rb
|
data/lib/tem/apdus/keys.rb
CHANGED
|
@@ -8,8 +8,9 @@
|
|
|
8
8
|
module Tem::Apdus
|
|
9
9
|
|
|
10
10
|
module Keys
|
|
11
|
-
def devchip_generate_key_pair
|
|
12
|
-
response = @transport.iso_apdu! :ins => 0x40
|
|
11
|
+
def devchip_generate_key_pair(symmetric_key = false)
|
|
12
|
+
response = @transport.iso_apdu! :ins => 0x40,
|
|
13
|
+
:p1 => (symmetric_key ? 0x80 : 0x00)
|
|
13
14
|
return { :privkey_id => read_tem_byte(response, 0),
|
|
14
15
|
:pubkey_id => read_tem_byte(response, 1) }
|
|
15
16
|
end
|
data/lib/tem/builders/crypto.rb
CHANGED
|
@@ -67,12 +67,12 @@ class Crypto < Abi
|
|
|
67
67
|
:read => lambda { |k| Tem::Keys::Symmetric.new k },
|
|
68
68
|
:to => lambda { |k| k.ssl_key },
|
|
69
69
|
:new => lambda { |klass|
|
|
70
|
-
k = cipher_class cipher_name
|
|
70
|
+
k = cipher_class.new cipher_name
|
|
71
71
|
|
|
72
72
|
unless k.respond_to? :key
|
|
73
73
|
# Some ciphers don't give back the key that they receive.
|
|
74
74
|
# We need to synthesize that.
|
|
75
|
-
class <<
|
|
75
|
+
class <<k
|
|
76
76
|
def key=(new_key)
|
|
77
77
|
super
|
|
78
78
|
@_key = new_key
|
|
@@ -82,6 +82,7 @@ class Crypto < Abi
|
|
|
82
82
|
end
|
|
83
83
|
end
|
|
84
84
|
end
|
|
85
|
+
k
|
|
85
86
|
}
|
|
86
87
|
end
|
|
87
88
|
|
data/lib/tem/definitions/abi.rb
CHANGED
|
@@ -27,7 +27,7 @@ module Tem::Abi
|
|
|
27
27
|
[:p, :q, :dmp1, :dmq1, :iqmp], :signed => false, :big_endian => true
|
|
28
28
|
abi.packed_variable_length_numbers :tem_pubrsa_numbers, :tem_ushort,
|
|
29
29
|
[:e, :n], :signed => false, :big_endian => true
|
|
30
|
-
abi.fixed_length_string :
|
|
30
|
+
abi.fixed_length_string :tem_3des_key_string, 16
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
Tem::Builders::Crypto.define_crypto self do |crypto|
|
|
@@ -52,11 +52,11 @@ module Tem::Abi
|
|
|
52
52
|
Tem::Keys::Asymmetric.new key
|
|
53
53
|
}
|
|
54
54
|
|
|
55
|
-
crypto.symmetric_key :
|
|
56
|
-
:
|
|
55
|
+
crypto.symmetric_key :tem_3des_key, OpenSSL::Cipher::DES, 'EDE-CBC',
|
|
56
|
+
:tem_3des_key_string
|
|
57
57
|
|
|
58
58
|
crypto.conditional_wrapper :tem_key, 1,
|
|
59
|
-
[{:tag => [0x99], :type => :
|
|
59
|
+
[{:tag => [0x99], :type => :tem_3des_key,
|
|
60
60
|
:class => Tem::Keys::Symmetric },
|
|
61
61
|
{:tag => [0xAA], :type => :public_tem_rsa,
|
|
62
62
|
:class => Tem::Keys::Asymmetric,
|
data/lib/tem/firmware/tc.cap
CHANGED
|
Binary file
|
data/lib/tem/keys/asymmetric.rb
CHANGED
|
@@ -1,6 +1,13 @@
|
|
|
1
|
+
# Ruby implementation of the TEM's asymmetric key operations.
|
|
2
|
+
#
|
|
3
|
+
# Author:: Victor Costan
|
|
4
|
+
# Copyright:: Copyright (C) 2007 Massachusetts Institute of Technology
|
|
5
|
+
# License:: MIT
|
|
6
|
+
|
|
1
7
|
# :nodoc: namespace
|
|
2
8
|
module Tem::Keys
|
|
3
9
|
|
|
10
|
+
|
|
4
11
|
# Wraps a TEM asymmetric key, e.g. an RSA key.
|
|
5
12
|
class Asymmetric < Tem::Key
|
|
6
13
|
def self.new_from_array(array)
|
|
@@ -95,22 +102,22 @@ class Asymmetric < Tem::Key
|
|
|
95
102
|
i = 0
|
|
96
103
|
while i < data.length do
|
|
97
104
|
block_size = (data.length - i < in_size) ? data.length - i : in_size
|
|
98
|
-
if data.
|
|
99
|
-
block = data[i...(i+block_size)]
|
|
100
|
-
else
|
|
105
|
+
if data.respond_to? :pack
|
|
101
106
|
block = data[i...(i+block_size)].pack('C*')
|
|
107
|
+
else
|
|
108
|
+
block = data[i...(i+block_size)]
|
|
102
109
|
end
|
|
103
110
|
o_block = yield block
|
|
104
|
-
if data.
|
|
105
|
-
output += o_block
|
|
106
|
-
else
|
|
111
|
+
if data.respond_to? :pack
|
|
107
112
|
output += o_block.unpack('C*')
|
|
113
|
+
else
|
|
114
|
+
output += o_block
|
|
108
115
|
end
|
|
109
116
|
i += block_size
|
|
110
117
|
end
|
|
111
118
|
return output
|
|
112
119
|
end
|
|
113
120
|
private :chug_data
|
|
114
|
-
end
|
|
121
|
+
end # class Tem::Keys::Asymmetric
|
|
115
122
|
|
|
116
|
-
end # namespace Tem::Keys
|
|
123
|
+
end # namespace Tem::Keys
|
data/lib/tem/keys/key.rb
CHANGED
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
# Superclass for Ruby implementations of the TEM's key operations.
|
|
2
|
+
#
|
|
3
|
+
# Author:: Victor Costan
|
|
4
|
+
# Copyright:: Copyright (C) 2009 Massachusetts Institute of Technology
|
|
5
|
+
# License:: MIT
|
|
6
|
+
|
|
7
|
+
|
|
1
8
|
# Base class for the TEM keys.
|
|
2
9
|
#
|
|
3
10
|
# This class consists of stubs describing the interface implemented by
|
|
@@ -39,10 +46,10 @@ class Tem::Key
|
|
|
39
46
|
def self.new_from_ssl_key(ssl_key)
|
|
40
47
|
if ssl_key.kind_of? OpenSSL::PKey::PKey
|
|
41
48
|
Tem::Keys::Asymmetric.new ssl_key
|
|
42
|
-
elsif ssl_key.kind_of? OpenSSL::Cipher
|
|
49
|
+
elsif ssl_key.kind_of? OpenSSL::Cipher or ssl_key.kind_of? String
|
|
43
50
|
Tem::Keys::Symmetric.new ssl_key
|
|
44
51
|
else
|
|
45
52
|
raise "Can't handle keys of class #{ssl_key.class}"
|
|
46
53
|
end
|
|
47
54
|
end
|
|
48
|
-
end
|
|
55
|
+
end # class Tem::Key
|
data/lib/tem/keys/symmetric.rb
CHANGED
|
@@ -1,23 +1,55 @@
|
|
|
1
|
+
# Ruby implementation of the TEM's symmetric key operations.
|
|
2
|
+
#
|
|
3
|
+
# Author:: Victor Costan
|
|
4
|
+
# Copyright:: Copyright (C) 2009 Massachusetts Institute of Technology
|
|
5
|
+
# License:: MIT
|
|
6
|
+
|
|
1
7
|
# :nodoc: namespace
|
|
2
8
|
module Tem::Keys
|
|
3
9
|
|
|
10
|
+
|
|
4
11
|
# Wraps a TEM symmetric key, e.g. an AES key.
|
|
5
12
|
class Symmetric < Tem::Key
|
|
6
|
-
@@cipher_mode = '
|
|
13
|
+
@@cipher_mode = 'EDE-CBC'
|
|
14
|
+
@@signature_mode = 'CBC'
|
|
7
15
|
|
|
8
16
|
# Generates a new symmetric key.
|
|
9
17
|
def self.generate
|
|
10
|
-
cipher = OpenSSL::Cipher::
|
|
18
|
+
cipher = OpenSSL::Cipher::DES.new @@cipher_mode
|
|
11
19
|
key = cipher.random_key
|
|
12
20
|
self.new key
|
|
13
21
|
end
|
|
14
22
|
|
|
15
23
|
# Creates a new symmetric key based on an OpenSSL Cipher instance, augmented
|
|
16
24
|
# with a key accessor.
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
25
|
+
#
|
|
26
|
+
# Args:
|
|
27
|
+
# ssl_key:: the OpenSSL key, or a string containing the raw key
|
|
28
|
+
# raw_key:: if the OpenSSL key does not support calls to +key+, the raw key
|
|
29
|
+
def initialize(ssl_key, raw_key = nil)
|
|
30
|
+
if ssl_key.kind_of? OpenSSL::Cipher
|
|
31
|
+
@key = raw_key || ssl_key.key
|
|
32
|
+
@cipher_class = ssl_key.class
|
|
33
|
+
else
|
|
34
|
+
@key = ssl_key
|
|
35
|
+
@cipher_class = OpenSSL::Cipher::DES
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
# Create an OpenSSL wrapper for the key we received.
|
|
39
|
+
cipher = @cipher_class.new @@cipher_mode
|
|
40
|
+
class <<cipher
|
|
41
|
+
def key=(new_key)
|
|
42
|
+
super
|
|
43
|
+
@_key = new_key
|
|
44
|
+
end
|
|
45
|
+
def key
|
|
46
|
+
@_key
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
cipher.key = @key
|
|
50
|
+
cipher.iv = "\0" * 16
|
|
51
|
+
|
|
52
|
+
super cipher
|
|
21
53
|
end
|
|
22
54
|
public_class_method :new
|
|
23
55
|
|
|
@@ -26,22 +58,88 @@ class Symmetric < Tem::Key
|
|
|
26
58
|
do_encrypt ? cipher.encrypt : cipher.decrypt
|
|
27
59
|
cipher.key = @key
|
|
28
60
|
cipher.iv = "\0" * 16
|
|
61
|
+
cipher.padding = 0
|
|
62
|
+
|
|
63
|
+
pdata = data.respond_to?(:pack) ? data.pack('C*') : data
|
|
64
|
+
if do_encrypt
|
|
65
|
+
pdata << "\x80"
|
|
66
|
+
if pdata.length % cipher.block_size != 0
|
|
67
|
+
pdata << "\0" * (cipher.block_size - pdata.length % cipher.block_size)
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
result = cipher.update pdata
|
|
72
|
+
result += cipher.final
|
|
29
73
|
|
|
74
|
+
unless do_encrypt
|
|
75
|
+
result_length = result.length
|
|
76
|
+
loop do
|
|
77
|
+
result_length -= 1
|
|
78
|
+
next if result[result_length].ord == 0
|
|
79
|
+
raise "Invalid padding" unless result[result_length].ord == 0x80
|
|
80
|
+
break
|
|
81
|
+
end
|
|
82
|
+
result = result[0, result_length]
|
|
83
|
+
end
|
|
84
|
+
data.respond_to?(:pack) ? result.unpack('C*') : result
|
|
30
85
|
end
|
|
31
86
|
|
|
32
87
|
def encrypt(data)
|
|
33
|
-
|
|
88
|
+
encrypt_or_decrypt data, true
|
|
34
89
|
end
|
|
35
90
|
|
|
36
91
|
def decrypt(data)
|
|
37
|
-
|
|
92
|
+
encrypt_or_decrypt data, false
|
|
38
93
|
end
|
|
39
94
|
|
|
40
|
-
def sign(data)
|
|
95
|
+
def sign(data)
|
|
96
|
+
cipher = @cipher_class.new @@cipher_mode
|
|
97
|
+
cipher.encrypt
|
|
98
|
+
cipher.key = @key
|
|
99
|
+
cipher.iv = "\0" * 16
|
|
100
|
+
cipher.padding = 0
|
|
101
|
+
|
|
102
|
+
pdata = data.respond_to?(:pack) ? data.pack('C*') : data
|
|
103
|
+
pdata << "\x80"
|
|
104
|
+
if pdata.length % cipher.block_size != 0
|
|
105
|
+
pdata << "\0" * (cipher.block_size - pdata.length % cipher.block_size)
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
result = cipher.update pdata
|
|
109
|
+
result += cipher.final
|
|
110
|
+
result = result[-cipher.block_size, cipher.block_size]
|
|
111
|
+
data.respond_to?(:pack) ? result.unpack('C*') : result
|
|
112
|
+
end
|
|
113
|
+
|
|
114
|
+
def verify(data, signature)
|
|
115
|
+
hmac = sign(data)
|
|
116
|
+
hmac = hmac.pack('C*') if hmac.respond_to?(:pack)
|
|
117
|
+
signature = signature.pack('C*') if signature.respond_to?(:pack)
|
|
118
|
+
hmac == signature
|
|
41
119
|
end
|
|
42
120
|
|
|
43
|
-
def
|
|
121
|
+
def self.new_from_array(array)
|
|
122
|
+
cipher_class = array[0].split('::').inject(Kernel) do |scope, name|
|
|
123
|
+
scope.const_get name
|
|
124
|
+
end
|
|
125
|
+
|
|
126
|
+
# Cipher instance used solely to point to the right class.
|
|
127
|
+
cipher = cipher_class.new @@cipher_mode
|
|
128
|
+
self.new cipher, array[1]
|
|
129
|
+
end
|
|
130
|
+
|
|
131
|
+
def self.new_from_yaml_str(yaml_str)
|
|
132
|
+
array = YAML.load yaml_str
|
|
133
|
+
new_from_array array
|
|
134
|
+
end
|
|
135
|
+
|
|
136
|
+
def to_array
|
|
137
|
+
[@cipher_class.name, @key]
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
def to_yaml_str
|
|
141
|
+
self.to_array.to_yaml.to_s
|
|
44
142
|
end
|
|
45
|
-
end
|
|
143
|
+
end # class Tem::Keys::Symmetric
|
|
46
144
|
|
|
47
145
|
end # namespace Tem::Keys
|
data/lib/tem/secpack.rb
CHANGED
data/lib/tem/toolkit.rb
CHANGED
|
@@ -4,7 +4,7 @@ module Tem::Toolkit
|
|
|
4
4
|
s.ldbc authz.nil? ? 24 : 4
|
|
5
5
|
s.outnew
|
|
6
6
|
if authz.nil?
|
|
7
|
-
#
|
|
7
|
+
# No authorization given, must generate one.
|
|
8
8
|
s.ldbc 20
|
|
9
9
|
s.ldwc :key_auth
|
|
10
10
|
s.dupn :n => 2
|
|
@@ -12,10 +12,12 @@ module Tem::Toolkit
|
|
|
12
12
|
s.outvb
|
|
13
13
|
end
|
|
14
14
|
s.genkp :type => (type == :asymmetric) ? 0x00 : 0x80
|
|
15
|
-
s.authk :auth => :key_auth
|
|
16
|
-
s.outw
|
|
17
|
-
s.authk :auth => :key_auth
|
|
15
|
+
s.authk :auth => :key_auth
|
|
18
16
|
s.outw
|
|
17
|
+
if type == :asymmetric
|
|
18
|
+
s.authk :auth => :key_auth
|
|
19
|
+
s.outw
|
|
20
|
+
end
|
|
19
21
|
s.halt
|
|
20
22
|
s.label :key_auth
|
|
21
23
|
if authz.nil?
|
|
@@ -28,14 +30,14 @@ module Tem::Toolkit
|
|
|
28
30
|
|
|
29
31
|
kp_buffer = execute gen_sec
|
|
30
32
|
keys_offset = authz.nil? ? 20 : 0
|
|
31
|
-
k1id = read_tem_ushort kp_buffer, keys_offset
|
|
32
|
-
k2id = read_tem_ushort kp_buffer, keys_offset + 2
|
|
33
|
+
k1id = read_tem_ushort kp_buffer, keys_offset
|
|
34
|
+
k2id = read_tem_ushort kp_buffer, keys_offset + 2 if type == :asymmetric
|
|
33
35
|
if type == :asymmetric
|
|
34
36
|
return_val = { :pubk_id => k1id, :privk_id => k2id }
|
|
35
37
|
else
|
|
36
38
|
return_val = { :key_id => k1id }
|
|
37
39
|
end
|
|
38
|
-
return { :authz => authz
|
|
40
|
+
return { :authz => authz || kp_buffer[0...20] }.merge!(return_val)
|
|
39
41
|
end
|
|
40
42
|
|
|
41
43
|
def tk_read_key(key_id, authz)
|
data/tem_ruby.gemspec
CHANGED
|
@@ -2,23 +2,23 @@
|
|
|
2
2
|
|
|
3
3
|
Gem::Specification.new do |s|
|
|
4
4
|
s.name = %q{tem_ruby}
|
|
5
|
-
s.version = "0.
|
|
5
|
+
s.version = "0.14.0"
|
|
6
6
|
|
|
7
7
|
s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
|
|
8
8
|
s.authors = ["Victor Costan"]
|
|
9
|
-
s.date = %q{2009-11-
|
|
9
|
+
s.date = %q{2009-11-12}
|
|
10
10
|
s.description = %q{TEM (Trusted Execution Module) driver, written in and for ruby.}
|
|
11
11
|
s.email = %q{victor@costan.us}
|
|
12
12
|
s.executables = ["tem_bench", "tem_ca", "tem_irb", "tem_proxy", "tem_stat", "tem_upload_fw"]
|
|
13
13
|
s.extra_rdoc_files = ["CHANGELOG", "LICENSE", "README", "bin/tem_bench", "bin/tem_ca", "bin/tem_irb", "bin/tem_proxy", "bin/tem_stat", "bin/tem_upload_fw", "lib/tem/_cert.rb", "lib/tem/apdus/buffers.rb", "lib/tem/apdus/keys.rb", "lib/tem/apdus/lifecycle.rb", "lib/tem/apdus/tag.rb", "lib/tem/auto_conf.rb", "lib/tem/benchmarks/benchmarks.rb", "lib/tem/benchmarks/blank_bound_secpack.rb", "lib/tem/benchmarks/blank_sec.rb", "lib/tem/benchmarks/devchip_decrypt.rb", "lib/tem/benchmarks/post_buffer.rb", "lib/tem/benchmarks/simple_apdu.rb", "lib/tem/benchmarks/vm_perf.rb", "lib/tem/benchmarks/vm_perf_bound.rb", "lib/tem/builders/abi.rb", "lib/tem/builders/assembler.rb", "lib/tem/builders/crypto.rb", "lib/tem/builders/isa.rb", "lib/tem/ca.rb", "lib/tem/definitions/abi.rb", "lib/tem/definitions/assembler.rb", "lib/tem/definitions/isa.rb", "lib/tem/ecert.rb", "lib/tem/firmware/tc.cap", "lib/tem/firmware/uploader.rb", "lib/tem/hive.rb", "lib/tem/keys/asymmetric.rb", "lib/tem/keys/key.rb", "lib/tem/keys/symmetric.rb", "lib/tem/sec_exec_error.rb", "lib/tem/seclosures.rb", "lib/tem/secpack.rb", "lib/tem/tem.rb", "lib/tem/toolkit.rb", "lib/tem_ruby.rb"]
|
|
14
|
-
s.files = ["CHANGELOG", "LICENSE", "Manifest", "README", "Rakefile", "bin/tem_bench", "bin/tem_ca", "bin/tem_irb", "bin/tem_proxy", "bin/tem_stat", "bin/tem_upload_fw", "dev_ca/ca_cert.cer", "dev_ca/ca_cert.pem", "dev_ca/ca_key.pem", "dev_ca/config.yml", "lib/tem/_cert.rb", "lib/tem/apdus/buffers.rb", "lib/tem/apdus/keys.rb", "lib/tem/apdus/lifecycle.rb", "lib/tem/apdus/tag.rb", "lib/tem/auto_conf.rb", "lib/tem/benchmarks/benchmarks.rb", "lib/tem/benchmarks/blank_bound_secpack.rb", "lib/tem/benchmarks/blank_sec.rb", "lib/tem/benchmarks/devchip_decrypt.rb", "lib/tem/benchmarks/post_buffer.rb", "lib/tem/benchmarks/simple_apdu.rb", "lib/tem/benchmarks/vm_perf.rb", "lib/tem/benchmarks/vm_perf_bound.rb", "lib/tem/builders/abi.rb", "lib/tem/builders/assembler.rb", "lib/tem/builders/crypto.rb", "lib/tem/builders/isa.rb", "lib/tem/ca.rb", "lib/tem/definitions/abi.rb", "lib/tem/definitions/assembler.rb", "lib/tem/definitions/isa.rb", "lib/tem/ecert.rb", "lib/tem/firmware/tc.cap", "lib/tem/firmware/uploader.rb", "lib/tem/hive.rb", "lib/tem/keys/asymmetric.rb", "lib/tem/keys/key.rb", "lib/tem/keys/symmetric.rb", "lib/tem/sec_exec_error.rb", "lib/tem/seclosures.rb", "lib/tem/secpack.rb", "lib/tem/tem.rb", "lib/tem/toolkit.rb", "lib/tem_ruby.rb", "
|
|
14
|
+
s.files = ["CHANGELOG", "LICENSE", "Manifest", "README", "Rakefile", "bin/tem_bench", "bin/tem_ca", "bin/tem_irb", "bin/tem_proxy", "bin/tem_stat", "bin/tem_upload_fw", "dev_ca/ca_cert.cer", "dev_ca/ca_cert.pem", "dev_ca/ca_key.pem", "dev_ca/config.yml", "lib/tem/_cert.rb", "lib/tem/apdus/buffers.rb", "lib/tem/apdus/keys.rb", "lib/tem/apdus/lifecycle.rb", "lib/tem/apdus/tag.rb", "lib/tem/auto_conf.rb", "lib/tem/benchmarks/benchmarks.rb", "lib/tem/benchmarks/blank_bound_secpack.rb", "lib/tem/benchmarks/blank_sec.rb", "lib/tem/benchmarks/devchip_decrypt.rb", "lib/tem/benchmarks/post_buffer.rb", "lib/tem/benchmarks/simple_apdu.rb", "lib/tem/benchmarks/vm_perf.rb", "lib/tem/benchmarks/vm_perf_bound.rb", "lib/tem/builders/abi.rb", "lib/tem/builders/assembler.rb", "lib/tem/builders/crypto.rb", "lib/tem/builders/isa.rb", "lib/tem/ca.rb", "lib/tem/definitions/abi.rb", "lib/tem/definitions/assembler.rb", "lib/tem/definitions/isa.rb", "lib/tem/ecert.rb", "lib/tem/firmware/tc.cap", "lib/tem/firmware/uploader.rb", "lib/tem/hive.rb", "lib/tem/keys/asymmetric.rb", "lib/tem/keys/key.rb", "lib/tem/keys/symmetric.rb", "lib/tem/sec_exec_error.rb", "lib/tem/seclosures.rb", "lib/tem/secpack.rb", "lib/tem/tem.rb", "lib/tem/toolkit.rb", "lib/tem_ruby.rb", "test/_test_cert.rb", "test/builders/test_abi_builder.rb", "test/firmware/test_uploader.rb", "test/tem_test_case.rb", "test/tem_unit/test_tem_alu.rb", "test/tem_unit/test_tem_bound_secpack.rb", "test/tem_unit/test_tem_branching.rb", "test/tem_unit/test_tem_crypto_hash.rb", "test/tem_unit/test_tem_crypto_keys.rb", "test/tem_unit/test_tem_crypto_pstore.rb", "test/tem_unit/test_tem_crypto_random.rb", "test/tem_unit/test_tem_emit.rb", "test/tem_unit/test_tem_memory.rb", "test/tem_unit/test_tem_memory_compare.rb", "test/tem_unit/test_tem_output.rb", "test/tem_unit/test_tem_yaml_secpack.rb", "test/test_auto_conf.rb", "test/test_crypto_engine.rb", "test/test_driver.rb", "test/test_exceptions.rb", "tem_ruby.gemspec"]
|
|
15
15
|
s.homepage = %q{http://tem.rubyforge.org}
|
|
16
16
|
s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Tem_ruby", "--main", "README"]
|
|
17
17
|
s.require_paths = ["lib"]
|
|
18
18
|
s.rubyforge_project = %q{tem}
|
|
19
19
|
s.rubygems_version = %q{1.3.5}
|
|
20
20
|
s.summary = %q{TEM (Trusted Execution Module) driver, written in and for ruby.}
|
|
21
|
-
s.test_files = ["test/
|
|
21
|
+
s.test_files = ["test/builders/test_abi_builder.rb", "test/firmware/test_uploader.rb", "test/tem_unit/test_tem_alu.rb", "test/tem_unit/test_tem_bound_secpack.rb", "test/tem_unit/test_tem_branching.rb", "test/tem_unit/test_tem_crypto_hash.rb", "test/tem_unit/test_tem_crypto_keys.rb", "test/tem_unit/test_tem_crypto_pstore.rb", "test/tem_unit/test_tem_crypto_random.rb", "test/tem_unit/test_tem_emit.rb", "test/tem_unit/test_tem_memory.rb", "test/tem_unit/test_tem_memory_compare.rb", "test/tem_unit/test_tem_output.rb", "test/tem_unit/test_tem_yaml_secpack.rb", "test/test_auto_conf.rb", "test/test_crypto_engine.rb", "test/test_driver.rb", "test/test_exceptions.rb"]
|
|
22
22
|
|
|
23
23
|
if s.respond_to? :specification_version then
|
|
24
24
|
current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
|
|
@@ -0,0 +1,189 @@
|
|
|
1
|
+
require 'test/tem_test_case.rb'
|
|
2
|
+
|
|
3
|
+
class TemCryptoKeysTest < TemTestCase
|
|
4
|
+
def i_crypt(data, key_id, authz, mode = :encrypt, direct_io = true,
|
|
5
|
+
symmetric = false)
|
|
6
|
+
if symmetric
|
|
7
|
+
max_output = case mode
|
|
8
|
+
when :encrypt
|
|
9
|
+
((data.length + 8) / 8) * 8
|
|
10
|
+
when :decrypt
|
|
11
|
+
data.length
|
|
12
|
+
when :sign
|
|
13
|
+
8
|
|
14
|
+
end
|
|
15
|
+
else
|
|
16
|
+
max_output = case mode
|
|
17
|
+
when :encrypt
|
|
18
|
+
((data.length + 239) / 240) * 256
|
|
19
|
+
when :decrypt
|
|
20
|
+
data.length
|
|
21
|
+
when :sign
|
|
22
|
+
256
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
crypt_opcode =
|
|
27
|
+
{:encrypt => :kefxb, :decrypt => :kdfxb, :sign => :ksfxb}[mode]
|
|
28
|
+
ex_sec = @tem.assemble { |s|
|
|
29
|
+
s.ldwc :const => max_output
|
|
30
|
+
s.outnew
|
|
31
|
+
s.ldbc :const => key_id
|
|
32
|
+
s.authk :auth => :key_auth
|
|
33
|
+
s.send crypt_opcode, :from => :data, :size => data.length,
|
|
34
|
+
:to => (direct_io ? 0xFFFF : :outdata)
|
|
35
|
+
s.outvlb :from => :outdata unless direct_io
|
|
36
|
+
s.halt
|
|
37
|
+
|
|
38
|
+
s.label :key_auth
|
|
39
|
+
s.data :tem_ubyte, authz
|
|
40
|
+
s.label :data
|
|
41
|
+
s.data :tem_ubyte, data
|
|
42
|
+
unless direct_io
|
|
43
|
+
s.label :outdata
|
|
44
|
+
s.zeros :tem_ubyte, max_output
|
|
45
|
+
end
|
|
46
|
+
s.stack 5
|
|
47
|
+
}
|
|
48
|
+
return @tem.execute(ex_sec)
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def i_verify(data, signature, key_id, authz)
|
|
52
|
+
sign_sec = @tem.assemble { |s|
|
|
53
|
+
s.ldbc :const => 1
|
|
54
|
+
s.outnew
|
|
55
|
+
s.ldbc :const => key_id
|
|
56
|
+
s.authk :auth => :key_auth
|
|
57
|
+
s.kvsfxb :from => :data, :size => data.length, :signature => :signature
|
|
58
|
+
s.outb
|
|
59
|
+
s.halt
|
|
60
|
+
|
|
61
|
+
s.label :key_auth
|
|
62
|
+
s.data :tem_ubyte, authz
|
|
63
|
+
s.label :data
|
|
64
|
+
s.data :tem_ubyte, data
|
|
65
|
+
s.label :signature
|
|
66
|
+
s.data :tem_ubyte, signature
|
|
67
|
+
s.stack 5
|
|
68
|
+
}
|
|
69
|
+
return @tem.execute(sign_sec)[0] == 1
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def i_test_crypto_pks_ops(pubk_id, privk_id, pubk, privk, authz)
|
|
73
|
+
garbage = (0...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
74
|
+
|
|
75
|
+
# SEC/priv-sign + CPU/pub-verify, direct IO.
|
|
76
|
+
signed_garbage = i_crypt garbage, privk_id, authz, :sign, true
|
|
77
|
+
assert privk.verify(garbage, signed_garbage),
|
|
78
|
+
'SEC priv-signing + CPU pub-verify failed on good data'
|
|
79
|
+
|
|
80
|
+
# SEC/priv-sign + CPU/pub-verify, indirect IO.
|
|
81
|
+
signed_garbage = i_crypt garbage, privk_id, authz, :sign, false
|
|
82
|
+
assert privk.verify(garbage, signed_garbage),
|
|
83
|
+
'SEC priv-signing + CPU pub-verify failed on good data'
|
|
84
|
+
|
|
85
|
+
# CPU/priv-sign + SEC/pub-verify.
|
|
86
|
+
signed_garbage = privk.sign garbage
|
|
87
|
+
assert i_verify(garbage, signed_garbage, pubk_id, authz),
|
|
88
|
+
'CPU priv-signing + SEC pub-verify failed on good data'
|
|
89
|
+
|
|
90
|
+
# CPU/priv-encrypt + SEC/pub-decrypt, indirect IO.
|
|
91
|
+
encrypted_garbage = privk.encrypt garbage
|
|
92
|
+
decrypted_garbage = i_crypt encrypted_garbage, pubk_id, authz, :decrypt,
|
|
93
|
+
false
|
|
94
|
+
assert_equal garbage, decrypted_garbage,
|
|
95
|
+
'CPU priv-encryption + SEC pub-decryption/i messed up the data'
|
|
96
|
+
|
|
97
|
+
# SEC/pub-encrypt + CPU/priv-decrypt, indirect IO.
|
|
98
|
+
encrypted_garbage = i_crypt garbage, pubk_id, authz, :encrypt, false
|
|
99
|
+
decrypted_garbage = privk.decrypt encrypted_garbage
|
|
100
|
+
assert_equal garbage, decrypted_garbage,
|
|
101
|
+
'SEC pub-encryption/i + CPU priv-decryption messed up the data'
|
|
102
|
+
|
|
103
|
+
# CPU/pub-encrypt + SEC/priv-decrypt, direct-IO.
|
|
104
|
+
encrypted_garbage = pubk.encrypt garbage
|
|
105
|
+
decrypted_garbage = i_crypt encrypted_garbage, privk_id, authz, :decrypt,
|
|
106
|
+
true
|
|
107
|
+
assert_equal garbage, decrypted_garbage,
|
|
108
|
+
'CPU pub-encryption + SEC priv-decryption messed up the data'
|
|
109
|
+
|
|
110
|
+
# SEC/priv-encrypt + CPU/pub-decrypt, direct-IO.
|
|
111
|
+
encrypted_garbage = i_crypt garbage, privk_id, authz, :encrypt, true
|
|
112
|
+
decrypted_garbage = pubk.decrypt encrypted_garbage
|
|
113
|
+
assert_equal garbage, decrypted_garbage,
|
|
114
|
+
'SEC priv-encryption + CPU pub-decryption messed up the data'
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
def test_crypto_asymmetric
|
|
118
|
+
# Crypto run with an internally generated key.
|
|
119
|
+
keyd = @tem.tk_gen_key :asymmetric
|
|
120
|
+
pubk = @tem.tk_read_key keyd[:pubk_id], keyd[:authz]
|
|
121
|
+
privk = @tem.tk_read_key keyd[:privk_id], keyd[:authz]
|
|
122
|
+
i_test_crypto_pks_ops keyd[:pubk_id], keyd[:privk_id], pubk, privk,
|
|
123
|
+
keyd[:authz]
|
|
124
|
+
|
|
125
|
+
# Crypto run with an externally generated key.
|
|
126
|
+
ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
|
|
127
|
+
pubk = Tem::Key.new_from_ssl_key ekey.public_key
|
|
128
|
+
privk = Tem::Key.new_from_ssl_key ekey
|
|
129
|
+
pubk_id = @tem.tk_post_key pubk, keyd[:authz]
|
|
130
|
+
privk_id = @tem.tk_post_key privk, keyd[:authz]
|
|
131
|
+
i_test_crypto_pks_ops pubk_id, privk_id, pubk, privk, keyd[:authz]
|
|
132
|
+
end
|
|
133
|
+
|
|
134
|
+
def i_test_crypto_sks_ops(skey_id, skey, authz)
|
|
135
|
+
garbage = (0...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
136
|
+
|
|
137
|
+
# SEC/sign + CPU/verify, direct IO.
|
|
138
|
+
signed_garbage = i_crypt garbage, skey_id, authz, :sign, true, true
|
|
139
|
+
assert skey.verify(garbage, signed_garbage),
|
|
140
|
+
'SEC signing + CPU verify failed on good data'
|
|
141
|
+
|
|
142
|
+
# SEC/sign + CPU/verify, indirect IO.
|
|
143
|
+
signed_garbage = i_crypt garbage, skey_id, authz, :sign, false, true
|
|
144
|
+
assert skey.verify(garbage, signed_garbage),
|
|
145
|
+
'SEC signing + CPU verify failed on good data'
|
|
146
|
+
|
|
147
|
+
# CPU/sign + SEC/verify.
|
|
148
|
+
signed_garbage = skey.sign garbage
|
|
149
|
+
assert i_verify(garbage, signed_garbage, skey_id, authz),
|
|
150
|
+
'CPU signing + SEC verify failed on good data'
|
|
151
|
+
|
|
152
|
+
# CPU/encrypt + SEC/decrypt, indirect IO.
|
|
153
|
+
encrypted_garbage = skey.encrypt garbage
|
|
154
|
+
decrypted_garbage = i_crypt encrypted_garbage, skey_id, authz, :decrypt,
|
|
155
|
+
false, true
|
|
156
|
+
assert_equal garbage, decrypted_garbage,
|
|
157
|
+
'CPU encryption + SEC decryption/i messed up the data'
|
|
158
|
+
|
|
159
|
+
# SEC/encrypt + CPU/decrypt, indirect IO.
|
|
160
|
+
encrypted_garbage = i_crypt garbage, skey_id, authz, :encrypt, false, true
|
|
161
|
+
decrypted_garbage = skey.decrypt encrypted_garbage
|
|
162
|
+
assert_equal garbage, decrypted_garbage,
|
|
163
|
+
'SEC encryption/i + CPU decryption messed up the data'
|
|
164
|
+
|
|
165
|
+
# CPU/encrypt + SEC/decrypt, direct IO.
|
|
166
|
+
encrypted_garbage = skey.encrypt garbage
|
|
167
|
+
decrypted_garbage = i_crypt encrypted_garbage, skey_id, authz, :decrypt,
|
|
168
|
+
true, true
|
|
169
|
+
assert_equal garbage, decrypted_garbage,
|
|
170
|
+
'CPU encryption + SEC decryption messed up the data'
|
|
171
|
+
|
|
172
|
+
# SEC/encrypt + CPU/decrypt, direct IO.
|
|
173
|
+
encrypted_garbage = i_crypt garbage, skey_id, authz, :encrypt, true, true
|
|
174
|
+
decrypted_garbage = skey.decrypt encrypted_garbage
|
|
175
|
+
assert_equal garbage, decrypted_garbage,
|
|
176
|
+
'SEC encryption + CPU decryption messed up the data'
|
|
177
|
+
end
|
|
178
|
+
|
|
179
|
+
def test_crypto_symmetric
|
|
180
|
+
keyd = @tem.tk_gen_key :symmetric
|
|
181
|
+
skey = @tem.tk_read_key keyd[:key_id], keyd[:authz]
|
|
182
|
+
i_test_crypto_sks_ops keyd[:key_id], skey, keyd[:authz]
|
|
183
|
+
|
|
184
|
+
ekey = OpenSSL::Cipher::Cipher.new('DES-EDE-CBC').random_key
|
|
185
|
+
skey = Tem::Key.new_from_ssl_key ekey
|
|
186
|
+
skey_id = @tem.tk_post_key skey, keyd[:authz]
|
|
187
|
+
i_test_crypto_sks_ops skey_id, skey, keyd[:authz]
|
|
188
|
+
end
|
|
189
|
+
end
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
require 'test/tem_test_case.rb'
|
|
2
|
+
|
|
3
|
+
|
|
4
|
+
class CryptoEngineTest < TemTestCase
|
|
5
|
+
def test_crypto_pks
|
|
6
|
+
garbage = (0...415).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
7
|
+
key_pair = @tem.devchip_generate_key_pair
|
|
8
|
+
pubkey = @tem.devchip_save_key key_pair[:pubkey_id]
|
|
9
|
+
|
|
10
|
+
encrypted_garbage = @tem.devchip_encrypt garbage, key_pair[:privkey_id]
|
|
11
|
+
decrypted_garbage = pubkey.decrypt encrypted_garbage
|
|
12
|
+
assert_equal garbage, decrypted_garbage,
|
|
13
|
+
'Onchip-encryption + offchip-decryption messed up the data.'
|
|
14
|
+
|
|
15
|
+
encrypted_garbage = pubkey.encrypt garbage
|
|
16
|
+
decrypted_garbage = @tem.devchip_decrypt encrypted_garbage,
|
|
17
|
+
key_pair[:privkey_id]
|
|
18
|
+
assert_equal garbage, decrypted_garbage,
|
|
19
|
+
'Offchip-encryption + onchip-decryption messed up the data.'
|
|
20
|
+
|
|
21
|
+
key_stat = @tem.stat_keys
|
|
22
|
+
assert key_stat[:keys], 'Key stat does not contain key information.'
|
|
23
|
+
assert_equal :public, key_stat[:keys][key_pair[:pubkey_id]][:type],
|
|
24
|
+
'Key stat reports wrong type for public key.'
|
|
25
|
+
assert_equal :private, key_stat[:keys][key_pair[:privkey_id]][:type],
|
|
26
|
+
'Key stat reports wrong type for private key.'
|
|
27
|
+
assert_in_delta 2, 2048, key_stat[:keys][key_pair[:pubkey_id]][:bits],
|
|
28
|
+
'Key stat reports wrong size for public key.'
|
|
29
|
+
assert_in_delta 2, 2048, key_stat[:keys][key_pair[:privkey_id]][:bits],
|
|
30
|
+
'Key stat reports wrong size for private key.'
|
|
31
|
+
|
|
32
|
+
[:pubkey_id, :privkey_id].each do |key|
|
|
33
|
+
@tem.devchip_release_key key_pair[key]
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def test_crypto_symmetric
|
|
38
|
+
garbage = (0...415).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
39
|
+
key_pair = @tem.devchip_generate_key_pair true
|
|
40
|
+
assert_equal(-1, key_pair[:pubkey_id],
|
|
41
|
+
'Key generation should yield INVALID_KEY for the public key')
|
|
42
|
+
key = @tem.devchip_save_key key_pair[:privkey_id]
|
|
43
|
+
|
|
44
|
+
encrypted_garbage = @tem.devchip_encrypt garbage, key_pair[:privkey_id]
|
|
45
|
+
decrypted_garbage = key.decrypt encrypted_garbage
|
|
46
|
+
assert_equal garbage, decrypted_garbage,
|
|
47
|
+
'Onchip-encryption + offchip-decryption messed up the data'
|
|
48
|
+
|
|
49
|
+
encrypted_garbage = key.encrypt garbage
|
|
50
|
+
decrypted_garbage = @tem.devchip_decrypt encrypted_garbage,
|
|
51
|
+
key_pair[:privkey_id]
|
|
52
|
+
assert_equal garbage, decrypted_garbage,
|
|
53
|
+
'Offchip-encryption + onchip-decryption messed up the data.'
|
|
54
|
+
|
|
55
|
+
key_stat = @tem.stat_keys
|
|
56
|
+
assert key_stat[:keys], 'Key stat does not contain key information.'
|
|
57
|
+
assert_equal :symmetric, key_stat[:keys][key_pair[:privkey_id]][:type],
|
|
58
|
+
'Key stat reports wrong type for symmetric key.'
|
|
59
|
+
assert_equal 128, key_stat[:keys][key_pair[:privkey_id]][:bits],
|
|
60
|
+
'Key stat reports wrong size for symmetric key.'
|
|
61
|
+
|
|
62
|
+
@tem.devchip_release_key key_pair[:privkey_id]
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
def test_crypto_abi
|
|
66
|
+
ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
|
|
67
|
+
pubk = Tem::Key.new_from_ssl_key ekey.public_key
|
|
68
|
+
privk = Tem::Key.new_from_ssl_key ekey
|
|
69
|
+
|
|
70
|
+
skey = OpenSSL::Cipher::Cipher.new('DES-EDE-CBC').random_key
|
|
71
|
+
symk = Tem::Key.new_from_ssl_key skey
|
|
72
|
+
|
|
73
|
+
# Array and string encryption/decryption.
|
|
74
|
+
garbage = (1...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
75
|
+
[garbage, garbage.pack('C*')].each do |g|
|
|
76
|
+
encrypted_garbage = pubk.encrypt g
|
|
77
|
+
decrypted_garbage = privk.decrypt encrypted_garbage
|
|
78
|
+
assert_equal g, decrypted_garbage,
|
|
79
|
+
'Pub-encryption + priv-decryption messed up the data'
|
|
80
|
+
encrypted_garbage = privk.encrypt g
|
|
81
|
+
decrypted_garbage = pubk.decrypt encrypted_garbage
|
|
82
|
+
assert_equal g, decrypted_garbage,
|
|
83
|
+
'Priv-encryption + pub-decryption messed up the data'
|
|
84
|
+
|
|
85
|
+
encrypted_garbage = symk.encrypt g[0, 560]
|
|
86
|
+
decrypted_garbage = symk.decrypt encrypted_garbage
|
|
87
|
+
assert_equal g[0, 560], decrypted_garbage,
|
|
88
|
+
'Symmetric encryption + decryption messed up the data'
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
# Test key serialization/deserialization through encryption/decryption.
|
|
92
|
+
pubk_ys = pubk.to_yaml_str
|
|
93
|
+
pubk2 = Tem::Keys::Asymmetric.new_from_yaml_str pubk_ys
|
|
94
|
+
privk_ys = privk.to_yaml_str
|
|
95
|
+
privk2 = Tem::Keys::Asymmetric.new_from_yaml_str privk_ys
|
|
96
|
+
encrypted_garbage = pubk.encrypt garbage
|
|
97
|
+
decrypted_garbage = privk2.decrypt encrypted_garbage
|
|
98
|
+
assert_equal garbage, decrypted_garbage,
|
|
99
|
+
'YAML pub-encryption + priv-decryption messed up the data.'
|
|
100
|
+
encrypted_garbage = privk.encrypt garbage
|
|
101
|
+
decrypted_garbage = pubk2.decrypt encrypted_garbage
|
|
102
|
+
assert_equal garbage, decrypted_garbage,
|
|
103
|
+
'YAML priv-encryption + pub-decryption messed up the data.'
|
|
104
|
+
|
|
105
|
+
symk_ys = symk.to_yaml_str
|
|
106
|
+
symk2 = Tem::Keys::Symmetric.new_from_yaml_str symk_ys
|
|
107
|
+
encrypted_garbage = symk.encrypt garbage[0, 560]
|
|
108
|
+
decrypted_garbage = symk2.decrypt encrypted_garbage
|
|
109
|
+
assert_equal garbage[0, 560], decrypted_garbage,
|
|
110
|
+
'Symmetric encryption + YAML decryption messed up the data'
|
|
111
|
+
encrypted_garbage = symk2.encrypt garbage[0, 560]
|
|
112
|
+
decrypted_garbage = symk.decrypt encrypted_garbage
|
|
113
|
+
assert_equal garbage[0, 560], decrypted_garbage,
|
|
114
|
+
'YAML symmetric encryption + decryption messed up the data'
|
|
115
|
+
end
|
|
116
|
+
end
|
data/test/test_driver.rb
CHANGED
|
@@ -61,56 +61,4 @@ class DriverTest < TemTestCase
|
|
|
61
61
|
@tem.set_tag garbage
|
|
62
62
|
assert_equal garbage, @tem.get_tag, 'error in posted tag data'
|
|
63
63
|
end
|
|
64
|
-
|
|
65
|
-
def test_crypto
|
|
66
|
-
garbage = (1...415).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
67
|
-
key_pair = @tem.devchip_generate_key_pair
|
|
68
|
-
pubkey = @tem.devchip_save_key key_pair[:pubkey_id]
|
|
69
|
-
|
|
70
|
-
encrypted_garbage = @tem.devchip_encrypt garbage, key_pair[:privkey_id]
|
|
71
|
-
decrypted_garbage = pubkey.decrypt encrypted_garbage
|
|
72
|
-
assert_equal garbage, decrypted_garbage, 'priv-encryption+pub-decryption messed up the data'
|
|
73
|
-
|
|
74
|
-
encrypted_garbage = pubkey.encrypt garbage
|
|
75
|
-
decrypted_garbage = @tem.devchip_decrypt encrypted_garbage, key_pair[:privkey_id]
|
|
76
|
-
assert_equal garbage, decrypted_garbage, 'pub-encryption+priv-decryption messed up the data'
|
|
77
|
-
|
|
78
|
-
key_stat = @tem.stat_keys
|
|
79
|
-
assert key_stat[:keys], 'key stat does not contain key information'
|
|
80
|
-
assert_equal :public, key_stat[:keys][key_pair[:pubkey_id]][:type], 'key stat reports wrong type for public key'
|
|
81
|
-
assert_equal :private, key_stat[:keys][key_pair[:privkey_id]][:type], 'key stat reports wrong type for private key'
|
|
82
|
-
assert_in_delta 2, 2048, key_stat[:keys][key_pair[:pubkey_id]][:bits], 'key stat reports wrong size for public key'
|
|
83
|
-
assert_in_delta 2, 2048, key_stat[:keys][key_pair[:privkey_id]][:bits], 'key stat reports wrong size for private key'
|
|
84
|
-
|
|
85
|
-
[:pubkey_id, :privkey_id].each { |ki| @tem.devchip_release_key key_pair[ki] }
|
|
86
|
-
end
|
|
87
|
-
|
|
88
|
-
def test_crypto_abi
|
|
89
|
-
ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
|
|
90
|
-
pubk = Tem::Key.new_from_ssl_key ekey.public_key
|
|
91
|
-
privk = Tem::Key.new_from_ssl_key ekey
|
|
92
|
-
|
|
93
|
-
# array and string encryption/decryption
|
|
94
|
-
garbage = (1...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
95
|
-
[garbage, garbage.pack('C*')].each do |g|
|
|
96
|
-
encrypted_garbage = pubk.encrypt g
|
|
97
|
-
decrypted_garbage = privk.decrypt encrypted_garbage
|
|
98
|
-
assert_equal g, decrypted_garbage, 'pub-encryption+priv-decryption messed up the data'
|
|
99
|
-
encrypted_garbage = privk.encrypt g
|
|
100
|
-
decrypted_garbage = pubk.decrypt encrypted_garbage
|
|
101
|
-
assert_equal g, decrypted_garbage, 'priv-encryption+pub-decryption messed up the data'
|
|
102
|
-
end
|
|
103
|
-
|
|
104
|
-
# test key serialization/deserialization through encryption/decryption
|
|
105
|
-
pubk_ys = pubk.to_yaml_str
|
|
106
|
-
pubk2 = Tem::Keys::Asymmetric.new_from_yaml_str(pubk_ys)
|
|
107
|
-
privk_ys = privk.to_yaml_str
|
|
108
|
-
privk2 = Tem::Keys::Asymmetric.new_from_yaml_str(privk_ys)
|
|
109
|
-
encrypted_garbage = pubk.encrypt garbage
|
|
110
|
-
decrypted_garbage = privk2.decrypt encrypted_garbage
|
|
111
|
-
assert_equal garbage, decrypted_garbage, 'pub-encryption+priv-decryption messed up the data'
|
|
112
|
-
encrypted_garbage = privk.encrypt garbage
|
|
113
|
-
decrypted_garbage = pubk2.decrypt encrypted_garbage
|
|
114
|
-
assert_equal garbage, decrypted_garbage, 'priv-encryption+pub-decryption messed up the data'
|
|
115
|
-
end
|
|
116
64
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: tem_ruby
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.14.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Victor Costan
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2009-11-
|
|
12
|
+
date: 2009-11-12 00:00:00 -05:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
@@ -149,7 +149,6 @@ files:
|
|
|
149
149
|
- lib/tem/tem.rb
|
|
150
150
|
- lib/tem/toolkit.rb
|
|
151
151
|
- lib/tem_ruby.rb
|
|
152
|
-
- tem_ruby.gemspec
|
|
153
152
|
- test/_test_cert.rb
|
|
154
153
|
- test/builders/test_abi_builder.rb
|
|
155
154
|
- test/firmware/test_uploader.rb
|
|
@@ -157,8 +156,8 @@ files:
|
|
|
157
156
|
- test/tem_unit/test_tem_alu.rb
|
|
158
157
|
- test/tem_unit/test_tem_bound_secpack.rb
|
|
159
158
|
- test/tem_unit/test_tem_branching.rb
|
|
160
|
-
- test/tem_unit/test_tem_crypto_asymmetric.rb
|
|
161
159
|
- test/tem_unit/test_tem_crypto_hash.rb
|
|
160
|
+
- test/tem_unit/test_tem_crypto_keys.rb
|
|
162
161
|
- test/tem_unit/test_tem_crypto_pstore.rb
|
|
163
162
|
- test/tem_unit/test_tem_crypto_random.rb
|
|
164
163
|
- test/tem_unit/test_tem_emit.rb
|
|
@@ -167,8 +166,10 @@ files:
|
|
|
167
166
|
- test/tem_unit/test_tem_output.rb
|
|
168
167
|
- test/tem_unit/test_tem_yaml_secpack.rb
|
|
169
168
|
- test/test_auto_conf.rb
|
|
169
|
+
- test/test_crypto_engine.rb
|
|
170
170
|
- test/test_driver.rb
|
|
171
171
|
- test/test_exceptions.rb
|
|
172
|
+
- tem_ruby.gemspec
|
|
172
173
|
has_rdoc: true
|
|
173
174
|
homepage: http://tem.rubyforge.org
|
|
174
175
|
licenses: []
|
|
@@ -203,20 +204,21 @@ signing_key:
|
|
|
203
204
|
specification_version: 3
|
|
204
205
|
summary: TEM (Trusted Execution Module) driver, written in and for ruby.
|
|
205
206
|
test_files:
|
|
206
|
-
- test/test_driver.rb
|
|
207
|
-
- test/firmware/test_uploader.rb
|
|
208
|
-
- test/test_auto_conf.rb
|
|
209
207
|
- test/builders/test_abi_builder.rb
|
|
210
|
-
- test/
|
|
211
|
-
- test/tem_unit/test_tem_crypto_asymmetric.rb
|
|
212
|
-
- test/tem_unit/test_tem_yaml_secpack.rb
|
|
208
|
+
- test/firmware/test_uploader.rb
|
|
213
209
|
- test/tem_unit/test_tem_alu.rb
|
|
214
|
-
- test/tem_unit/test_tem_crypto_hash.rb
|
|
215
210
|
- test/tem_unit/test_tem_bound_secpack.rb
|
|
216
|
-
- test/tem_unit/test_tem_memory_compare.rb
|
|
217
|
-
- test/tem_unit/test_tem_output.rb
|
|
218
|
-
- test/tem_unit/test_tem_crypto_random.rb
|
|
219
|
-
- test/tem_unit/test_tem_memory.rb
|
|
220
211
|
- test/tem_unit/test_tem_branching.rb
|
|
212
|
+
- test/tem_unit/test_tem_crypto_hash.rb
|
|
213
|
+
- test/tem_unit/test_tem_crypto_keys.rb
|
|
221
214
|
- test/tem_unit/test_tem_crypto_pstore.rb
|
|
215
|
+
- test/tem_unit/test_tem_crypto_random.rb
|
|
216
|
+
- test/tem_unit/test_tem_emit.rb
|
|
217
|
+
- test/tem_unit/test_tem_memory.rb
|
|
218
|
+
- test/tem_unit/test_tem_memory_compare.rb
|
|
219
|
+
- test/tem_unit/test_tem_output.rb
|
|
220
|
+
- test/tem_unit/test_tem_yaml_secpack.rb
|
|
221
|
+
- test/test_auto_conf.rb
|
|
222
|
+
- test/test_crypto_engine.rb
|
|
223
|
+
- test/test_driver.rb
|
|
222
224
|
- test/test_exceptions.rb
|
|
@@ -1,123 +0,0 @@
|
|
|
1
|
-
require 'test/tem_test_case.rb'
|
|
2
|
-
|
|
3
|
-
class TemCryptoAsymmetricTest < TemTestCase
|
|
4
|
-
def i_crypt(data, key_id, authz, mode = :encrypt, direct_io = true, max_output = nil)
|
|
5
|
-
if max_output.nil?
|
|
6
|
-
max_output = case mode
|
|
7
|
-
when :encrypt
|
|
8
|
-
((data.length + 239) / 240) * 256
|
|
9
|
-
when :decrypt
|
|
10
|
-
data.length
|
|
11
|
-
when :sign
|
|
12
|
-
256
|
|
13
|
-
end
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
crypt_opcode = {:encrypt => :kefxb, :decrypt => :kdfxb, :sign => :ksfxb}[mode]
|
|
17
|
-
ex_sec = @tem.assemble { |s|
|
|
18
|
-
# buffer
|
|
19
|
-
s.ldwc :const => max_output
|
|
20
|
-
s.outnew
|
|
21
|
-
s.ldbc :const => key_id
|
|
22
|
-
s.authk :auth => :key_auth
|
|
23
|
-
s.send crypt_opcode, :from => :data, :size => data.length, :to => (direct_io ? 0xFFFF : :outdata)
|
|
24
|
-
s.outvlb :from => :outdata unless direct_io
|
|
25
|
-
s.halt
|
|
26
|
-
|
|
27
|
-
s.label :key_auth
|
|
28
|
-
s.data :tem_ubyte, authz
|
|
29
|
-
s.label :data
|
|
30
|
-
s.data :tem_ubyte, data
|
|
31
|
-
unless direct_io
|
|
32
|
-
s.label :outdata
|
|
33
|
-
s.zeros :tem_ubyte, max_output
|
|
34
|
-
end
|
|
35
|
-
s.stack 5
|
|
36
|
-
}
|
|
37
|
-
return @tem.execute(ex_sec)
|
|
38
|
-
end
|
|
39
|
-
|
|
40
|
-
def i_verify(data, signature, key_id, authz)
|
|
41
|
-
sign_sec = @tem.assemble { |s|
|
|
42
|
-
# buffer
|
|
43
|
-
s.ldbc :const => 1
|
|
44
|
-
s.outnew
|
|
45
|
-
s.ldbc :const => key_id
|
|
46
|
-
s.authk :auth => :key_auth
|
|
47
|
-
s.kvsfxb :from => :data, :size => data.length, :signature => :signature
|
|
48
|
-
s.outb
|
|
49
|
-
s.halt
|
|
50
|
-
|
|
51
|
-
s.label :key_auth
|
|
52
|
-
s.data :tem_ubyte, authz
|
|
53
|
-
s.label :data
|
|
54
|
-
s.data :tem_ubyte, data
|
|
55
|
-
s.label :signature
|
|
56
|
-
s.data :tem_ubyte, signature
|
|
57
|
-
s.stack 5
|
|
58
|
-
}
|
|
59
|
-
return @tem.execute(sign_sec)[0] == 1
|
|
60
|
-
end
|
|
61
|
-
|
|
62
|
-
def i_test_crypto_pki_ops(pubk_id, privk_id, pubk, privk, authz)
|
|
63
|
-
garbage = (1...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
|
|
64
|
-
|
|
65
|
-
# SEC/priv-sign + CPU/pub-verify, direct IO
|
|
66
|
-
signed_garbage = i_crypt garbage, privk_id, authz, :sign, true
|
|
67
|
-
assert privk.verify(garbage, signed_garbage),
|
|
68
|
-
'SEC priv-signing + CPU pub-verify failed on good data'
|
|
69
|
-
|
|
70
|
-
# SEC/priv-sign + CPU/pub-verify, indirect IO
|
|
71
|
-
signed_garbage = i_crypt garbage, privk_id, authz, :sign, false
|
|
72
|
-
assert privk.verify(garbage, signed_garbage),
|
|
73
|
-
'SEC priv-signing + CPU pub-verify failed on good data'
|
|
74
|
-
|
|
75
|
-
# CPU/priv-sign + SEC/pub-verify
|
|
76
|
-
signed_garbage = privk.sign garbage
|
|
77
|
-
assert i_verify(garbage, signed_garbage, pubk_id, authz),
|
|
78
|
-
'CPU priv-signing + SEC pub-verify failed on good data'
|
|
79
|
-
|
|
80
|
-
# CPU/priv-encrypt + SEC/pub-decrypt, indirect IO
|
|
81
|
-
encrypted_garbage = privk.encrypt garbage
|
|
82
|
-
decrypted_garbage = i_crypt encrypted_garbage, pubk_id, authz, :decrypt,
|
|
83
|
-
false
|
|
84
|
-
assert_equal garbage, decrypted_garbage,
|
|
85
|
-
'SEC priv-encryption + CPU pub-decryption messed up the data'
|
|
86
|
-
|
|
87
|
-
# SEC/pub-encrypt + CPU/priv-decrypt, indirect IO
|
|
88
|
-
encrypted_garbage = i_crypt garbage, pubk_id, authz, :encrypt, false
|
|
89
|
-
decrypted_garbage = privk.decrypt encrypted_garbage
|
|
90
|
-
assert_equal garbage, decrypted_garbage,
|
|
91
|
-
'SEC priv-encryption + CPU pub-decryption messed up the data'
|
|
92
|
-
|
|
93
|
-
# CPU/pub-encrypt + SEC/priv-decrypt, direct-IO
|
|
94
|
-
encrypted_garbage = pubk.encrypt garbage
|
|
95
|
-
decrypted_garbage = i_crypt encrypted_garbage, privk_id, authz, :decrypt,
|
|
96
|
-
true
|
|
97
|
-
assert_equal garbage, decrypted_garbage,
|
|
98
|
-
'CPU pub-encryption + SEC priv-decryption messed up the data'
|
|
99
|
-
|
|
100
|
-
# SEC/priv-encrypt + CPU/pub-decrypt, direct-IO
|
|
101
|
-
encrypted_garbage = i_crypt garbage, privk_id, authz, :encrypt, true
|
|
102
|
-
decrypted_garbage = pubk.decrypt encrypted_garbage
|
|
103
|
-
assert_equal garbage, decrypted_garbage,
|
|
104
|
-
'SEC priv-encryption + CPU pub-decryption messed up the data'
|
|
105
|
-
end
|
|
106
|
-
|
|
107
|
-
def test_crypto_asymmetric
|
|
108
|
-
# crypto run with an internally generated key
|
|
109
|
-
keyd = @tem.tk_gen_key :asymmetric
|
|
110
|
-
pubk = @tem.tk_read_key keyd[:pubk_id], keyd[:authz]
|
|
111
|
-
privk = @tem.tk_read_key keyd[:privk_id], keyd[:authz]
|
|
112
|
-
i_test_crypto_pki_ops keyd[:pubk_id], keyd[:privk_id], pubk, privk,
|
|
113
|
-
keyd[:authz]
|
|
114
|
-
|
|
115
|
-
# crypto run with an externally generated key
|
|
116
|
-
ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
|
|
117
|
-
pubk = Tem::Key.new_from_ssl_key ekey.public_key
|
|
118
|
-
privk = Tem::Key.new_from_ssl_key ekey
|
|
119
|
-
pubk_id = @tem.tk_post_key pubk, keyd[:authz]
|
|
120
|
-
privk_id = @tem.tk_post_key privk, keyd[:authz]
|
|
121
|
-
i_test_crypto_pki_ops pubk_id, privk_id, pubk, privk, keyd[:authz]
|
|
122
|
-
end
|
|
123
|
-
end
|