tem_ruby 0.15.2 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/CHANGELOG CHANGED
@@ -1,3 +1,5 @@
1
+ v0.16.0. Faster migration by binding the migration SECpacks to a symmetric key (fw 1.16).
2
+
1
3
  v0.15.2. Bugfix: migrating a SECpack blew up the original.
2
4
 
3
5
  v0.15.1. SECpack migrations.
@@ -69,7 +69,7 @@ module Emit
69
69
  privek_auth = r[0...20]
70
70
  pubek_auth = (0...20).map {|i| 0}
71
71
  pubek = tem.tk_read_key 1, pubek_auth
72
- tem.tk_delete_key 1, pubek_auth
72
+ tem.release_key 1
73
73
  { :privek_auth => privek_auth, :pubek => pubek }
74
74
  end
75
75
 
@@ -12,6 +12,42 @@ module Tem::Admin
12
12
 
13
13
  # Logic for migrating SECpacks.
14
14
  module Migrate
15
+ # SEClosure that loads a symmetric key exclusively for SECpack execution.
16
+ #
17
+ # Args:
18
+ # key_bytes:: the key to be loaded in the TEM, serialized in TEM format
19
+ def self.skey_load_seclosure(key_bytes)
20
+ Tem::Assembler.assemble { |s|
21
+ s.ldwc :const => :key
22
+ s.rdk
23
+ s.ldwc :const => Tem::Abi.tem_hash_length
24
+ s.ldwc :const => :authz
25
+ s.rnd
26
+ s.authk :auth => :authz
27
+ s.ldbc :const => 1
28
+ s.outnew
29
+ s.outb
30
+ s.halt
31
+
32
+ s.label :secret
33
+ s.label :key
34
+ s.data :tem_ubyte, key_bytes
35
+ s.label :plain
36
+ s.label :authz
37
+ s.zeros :tem_hash, 1
38
+ s.stack 8
39
+ }
40
+ end
41
+
42
+ # Blank version of the SEClosure that loads a symmetric key for execution.
43
+ #
44
+ # The returned SEClosure is not suitable for execution. Its encrypted bytes
45
+ # should be replaced with the bytes from a SECpack generated with live data.
46
+ def self.blank_skey_load_seclosure
47
+ skey_load_seclosure [0] * (Tem::Abi.tem_3des_key_string_length + 1)
48
+ end
49
+
50
+
15
51
  # SEClosure that verifies the destination TEM's ECert.
16
52
  #
17
53
  # Args:
@@ -146,13 +182,19 @@ module Migrate
146
182
 
147
183
  # The key storing the encrypted bytes of the ecert_verify SECpack in the
148
184
  # TEM's tag.
149
- def self.ecert_verify_bytes_tag_key
185
+ def self.skey_load_tag_key
150
186
  0x11
151
187
  end
188
+
189
+ # The key storing the encrypted bytes of the ecert_verify SECpack in the
190
+ # TEM's tag.
191
+ def self.ecert_verify_bytes_tag_key
192
+ 0x12
193
+ end
152
194
 
153
195
  # The key storing the encrypted bytes of the migrate SECpack in the TEM's tag.
154
196
  def self.migrate_bytes_tag_key
155
- 0x12
197
+ 0x13
156
198
  end
157
199
 
158
200
  # Data to be included in a TEM's tag to support migration.
@@ -160,15 +202,20 @@ module Migrate
160
202
  # Returns a hash of tag key-values to be included in the TEM's tag during
161
203
  # emission.
162
204
  def self.tag_data(pubek, privek_authz)
205
+ skey = Tem::Keys::Symmetric.generate
206
+ ld_sec = skey_load_seclosure skey.to_tem_key
207
+ ld_sec.bind pubek
208
+
163
209
  ps_addr = OpenSSL::Random.random_bytes(Tem::Abi.tem_ps_addr_length).
164
210
  unpack('C*')
165
211
  ev_sec = ecert_verify_seclosure ps_addr, privek_authz
166
- ev_sec.bind pubek
212
+ ev_sec.bind skey
167
213
 
168
214
  m_sec = migrate_seclosure ps_addr, privek_authz
169
- m_sec.bind pubek
215
+ m_sec.bind skey
170
216
 
171
217
  {
218
+ skey_load_tag_key => ld_sec.encrypted_data,
172
219
  ecert_verify_bytes_tag_key => ev_sec.encrypted_data,
173
220
  migrate_bytes_tag_key => m_sec.encrypted_data
174
221
  }
@@ -178,6 +225,10 @@ module Migrate
178
225
  def self.seclosures_from_tag_data(tem)
179
226
  tag_data = tem.tag
180
227
 
228
+ skey_load = blank_skey_load_seclosure
229
+ skey_load.fake_bind
230
+ skey_load.encrypted_data = tag_data[skey_load_tag_key]
231
+
181
232
  ecert_verify = blank_ecert_verify_seclosure
182
233
  ecert_verify.fake_bind
183
234
  ecert_verify.encrypted_data = tag_data[ecert_verify_bytes_tag_key]
@@ -186,7 +237,8 @@ module Migrate
186
237
  migrate.fake_bind
187
238
  migrate.encrypted_data = tag_data[migrate_bytes_tag_key]
188
239
 
189
- { :ecert_verify => ecert_verify, :migrate => migrate }
240
+ { :skey_load => skey_load, :ecert_verify => ecert_verify,
241
+ :migrate => migrate }
190
242
  end
191
243
 
192
244
  # Migrates a SECpack to another TEM.
@@ -200,18 +252,23 @@ module Migrate
200
252
  def migrate(secpack, ecert)
201
253
  migrated = secpack.copy
202
254
  secpacks = Tem::Admin::Migrate.seclosures_from_tag_data self
255
+
256
+ skey_ld = secpacks[:skey_load]
257
+ skey_id = Tem::Abi.read_tem_ubyte execute(skey_ld), 0
203
258
 
204
259
  verify = secpacks[:ecert_verify]
205
260
  verify.set_bytes :pubek,
206
261
  Tem::Key.new_from_ssl_key(ecert.public_key).to_tem_key
207
- return nil if execute(verify) != [1]
262
+ return nil if execute(verify, skey_id) != [1]
208
263
 
209
264
  migrate = secpacks[:migrate]
210
265
  migrate.set_value :secpack_secret_size, :tem_short, secpack.secret_bytes +
211
266
  Tem::Abi.tem_hash_length
212
267
  migrate.set_bytes :secpack_encrypted, migrated.encrypted_data
213
- return nil unless new_encrypted_data = execute(migrate)
268
+ return nil unless new_encrypted_data = execute(migrate, skey_id)
214
269
  migrated.encrypted_data = new_encrypted_data
270
+
271
+ release_key skey_id
215
272
  migrated
216
273
  end
217
274
  end # module Tem::Admin::Migrate
@@ -15,13 +15,16 @@ module Keys
15
15
  :pubkey_id => read_tem_byte(response, 1) }
16
16
  end
17
17
 
18
- def devchip_release_key(key_id)
19
- @transport.iso_apdu! :ins => 0x41, :p1 => key_id
18
+ # NOTE: this is the only method that is not devchip-only. It needs to be in
19
+ # the production driver to prevent from DOSing the TEM by filling its
20
+ # key store.
21
+ def release_key(key_id)
22
+ @transport.iso_apdu! :ins => 0x28, :p1 => key_id
20
23
  return true
21
24
  end
22
25
 
23
26
  def devchip_save_key(key_id)
24
- response = @transport.iso_apdu! :ins => 0x43, :p1 => key_id
27
+ response = @transport.iso_apdu! :ins => 0x42, :p1 => key_id
25
28
  buffer_id = read_tem_byte response, 0
26
29
  buffer_length = read_tem_short response, 1
27
30
  key_buffer = read_buffer buffer_id
@@ -47,10 +50,10 @@ module Keys
47
50
  return data_buffer[0, buffer_length]
48
51
  end
49
52
  def devchip_encrypt(data, key_id)
50
- devchip_encrypt_decrypt data, key_id, 0x44
53
+ devchip_encrypt_decrypt data, key_id, 0x43
51
54
  end
52
55
  def devchip_decrypt(data, key_id)
53
- devchip_encrypt_decrypt data, key_id, 0x45
56
+ devchip_encrypt_decrypt data, key_id, 0x44
54
57
  end
55
58
 
56
59
  def stat_keys
@@ -30,6 +30,6 @@ class Tem::Benchmarks
30
30
  "#{blank_seclosure_outcount} bytes\n"
31
31
  do_timing { @tem.execute secpack, key_id }
32
32
 
33
- @tem.tk_delete_key key_id, authz
33
+ @tem.release_key key_id
34
34
  end
35
35
  end
@@ -27,7 +27,7 @@ class Tem::Benchmarks
27
27
  encrypted_data = key.encrypt data
28
28
  print "3DES-encrypted blob has #{encrypted_data.length} bytes\n"
29
29
  do_timing { @tem.devchip_decrypt encrypted_data, key_id }
30
- @tem.tk_delete_key key_id, authz
30
+ @tem.release_key key_id
31
31
  end
32
32
 
33
33
  def time_devchip_decrypt_3des_long
@@ -38,6 +38,6 @@ class Tem::Benchmarks
38
38
  encrypted_data = key.encrypt data
39
39
  print "3DES-encrypted blob has #{encrypted_data.length} bytes\n"
40
40
  do_timing { @tem.devchip_decrypt encrypted_data, key_id }
41
- @tem.tk_delete_key key_id, authz
41
+ @tem.release_key key_id
42
42
  end
43
43
  end
@@ -32,6 +32,6 @@ class Tem::Benchmarks
32
32
  "#{vm_perf_seclosure_outcount} bytes\n"
33
33
  do_timing { @tem.execute secpack, key_id }
34
34
 
35
- @tem.tk_delete_key key_id, authz
35
+ @tem.release_key key_id
36
36
  end
37
37
  end
@@ -22,7 +22,8 @@ module Tem::Isa
22
22
  isa.instruction 0x13, :div
23
23
  # 2 ST -> 1 ST
24
24
  isa.instruction 0x14, :mod
25
- # 2 ST -> 1 ST
25
+
26
+ # 2 ST -> 0 ST
26
27
  isa.instruction 0x1E, :rnd
27
28
 
28
29
 
Binary file
@@ -59,24 +59,6 @@ module Tem::Toolkit
59
59
  return read_tem_key(key_string, 0)
60
60
  end
61
61
 
62
- def tk_delete_key(key_id, authz)
63
- del_sec = assemble do |s|
64
- s.ldbc :const => key_id
65
- s.authk :auth => :key_auth
66
- s.relk
67
- s.ldbc :const => 1
68
- s.outnew
69
- s.ldbc :const => key_id
70
- s.outb
71
- s.halt
72
- s.label :key_auth
73
- s.data :tem_ubyte, authz
74
- s.stack 4
75
- end
76
-
77
- execute del_sec
78
- end
79
-
80
62
  def tk_post_key(key, authz)
81
63
  post_sec = assemble do |s|
82
64
  s.ldbc :const => 1
@@ -2,7 +2,7 @@
2
2
 
3
3
  Gem::Specification.new do |s|
4
4
  s.name = %q{tem_ruby}
5
- s.version = "0.15.2"
5
+ s.version = "0.16.0"
6
6
 
7
7
  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
8
8
  s.authors = ["Victor Costan"]
@@ -18,7 +18,7 @@ class UploaderTest < Test::Unit::TestCase
18
18
  end
19
19
 
20
20
  def test_fw_version
21
- assert_equal({:major => 1, :minor => 15}, Uploader.fw_version)
21
+ assert_equal({:major => 1, :minor => 16}, Uploader.fw_version)
22
22
  end
23
23
 
24
24
  def test_upload
@@ -38,7 +38,7 @@ class TemMigrateTest < TemTestCase
38
38
  privk_id = @tem.tk_post_key privk, authz
39
39
  assert_equal _migrate_test_secret, @tem.execute(migrated, privk_id),
40
40
  'Migrated SECpack executed incorrectly'
41
- @tem.tk_delete_key privk_id, authz
41
+ @tem.release_key privk_id
42
42
 
43
43
  assert_equal _migrate_test_secret, @tem.execute(sec),
44
44
  'Migration blew up original SECpack'
@@ -30,7 +30,7 @@ class CryptoEngineTest < TemTestCase
30
30
  'Key stat reports wrong size for private key.'
31
31
 
32
32
  [:pubkey_id, :privkey_id].each do |key|
33
- @tem.devchip_release_key key_pair[key]
33
+ @tem.release_key key_pair[key]
34
34
  end
35
35
  end
36
36
 
@@ -59,7 +59,7 @@ class CryptoEngineTest < TemTestCase
59
59
  assert_equal 128, key_stat[:keys][key_pair[:privkey_id]][:bits],
60
60
  'Key stat reports wrong size for symmetric key.'
61
61
 
62
- @tem.devchip_release_key key_pair[:privkey_id]
62
+ @tem.release_key key_pair[:privkey_id]
63
63
  end
64
64
 
65
65
  def test_crypto_abi
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tem_ruby
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.15.2
4
+ version: 0.16.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Victor Costan