1

我正在尝试使用 Thales Connect HSM 执行 ECDH。其中一部分需要一个DeriveKey操作,而该操作又需要导入一个模板键(它包含一个将附加到DeriveKey操作结果的 ACL)。

尽管尝试了我在 API 文档中可以找到的所有方法,但模板密钥的导入仍然失败 - 我得到Status_InvalidParameter了响应。希望有人将 API 用于类似的事情(尝试与 Thales 并行打开支持渠道)。

// Generate nested ACL
M_ACL nestedAcl;
memset(&nestedAcl, 0, sizeof(M_ACL));
nestedAcl.n_groups = 1;

M_PermissionGroup nestedAclPermGroup;
memset(&nestedAclPermGroup, 0, sizeof(M_PermissionGroup));
nestedAclPermGroup.n_actions = 1;
nestedAclPermGroup.flags = 0x0;
nestedAclPermGroup.n_limits = 0;
nestedAclPermGroup.certifier = NULL;

M_Action nestedAclAction0;
memset(&nestedAclAction0, 0, sizeof(M_Action));
nestedAclAction0.type = Act_OpPermissions;
nestedAclAction0.details.oppermissions.perms =
              Act_OpPermissions_Details_perms_Encrypt;

nestedAclPermGroup.actions = &nestedAclAction0;
nestedAcl.groups = &nestedAclPermGroup;

M_ByteBlock nestedAclBytes;

ret = NFastApp_MarshalACL(app, *connection, worldInfo, &nestedAcl, &nestedAclBytes);
if (ret != Status_OK)
{
   printf("Failed to create nested ACL: ret = %d \n", ret);
}

// Import template key
M_Command importTemplateKeyCmd;
M_Reply importTemplateKeyReply;
importTemplateKeyCmd.cmd = Cmd_Import;
importTemplateKeyCmd.args.import.data.type = KeyType_DKTemplate;
importTemplateKeyCmd.args.import.data.data.dktemplate.nested_acl = nestedAclBytes;

char appdataTemplateKey[] = "02020202";
memset(&appdataTemplateKey, 0, sizeof(M_AppData));
memcpy(importTemplateKeyCmd.args.import.appdata.bytes, appdataTemplateKey, strlen(appdataTemplateKey) < 64 ? strlen(appdataTemplateKey) : 63);

// Generate the import command ACL
NFKM_MakeACLParams templateKeyAclParams;
memset(&templateKeyAclParams, 0, sizeof(templateKeyAclParams));
templateKeyAclParams.f = 0x0;
templateKeyAclParams.op_base = Act_DeriveKey;
templateKeyAclParams.timelimit = 0;

M_ACL* templateKeyAcl;
templateKeyAcl = malloc(sizeof(M_ACL));
templateKeyAcl->n_groups = 1;
/*
M_PermissionGroup* templateKeyAclPermissionGroup;
templateKeyAclPermissionGroup = malloc(sizeof(M_PermissionGroup));
templateKeyAclPermissionGroup->flags = 0x0;
templateKeyAclPermissionGroup->n_limits = 0;
templateKeyAclPermissionGroup->n_actions = 1;
templateKeyAclPermissionGroup->certifier = NULL;

M_Action* templateKeyAction;
templateKeyAction = malloc(sizeof(M_Action));
templateKeyAction->type = Act_DeriveKey;
templateKeyAction->details.derivekey.flags = 0x0;
templateKeyAction->details.derivekey.role = DeriveRole_TemplateKey;
templateKeyAction->details.derivekey.mech = Mech_Any;
templateKeyAction->details.derivekey.n_otherkeys = 0;

templateKeyAclPermissionGroup->actions = templateKeyAction;

templateKeyAcl->groups = templateKeyAclPermissionGroup;
*/
// NF_MarshalFast_ACL(*connection, templateKeyAcl);

NFKM_MkACLHandle mkAclHandle;
mkAclHandle = malloc(sizeof(mkAclHandle));
NFKM_mkacl_create(app, *connection, &mkAclHandle, 0);
NFKM_mkacl_pgroup(mkAclHandle, 0x0, NULL);
NFKM_mkacl_derivekey(mkAclHandle, 0x0, DeriveRole_TemplateKey, DeriveMech_Any);
NFKM_mkacl_setacl(mkAclHandle, templateKeyAcl);
importTemplateKeyCmd.args.import.acl = *templateKeyAcl;

ret = (M_Status)NFastApp_Transact(*connection, 0, &importTemplateKeyCmd, &importTemplateKeyReply, 0);
if (ret != Status_OK)
{
   printf("Failed to import template key: %d (%d)\n", ret, importTemplateKeyReply.status);
}
4

1 回答 1

0

The approach that ended up working (suggested by Thales) was to break up the operation into two parts - do a CMD_Decrypt with Mech_ECDHKeyExchange to derive the shared secret and then a CMD_Hash on the resultant x-coordinate to derive the key.

于 2015-08-17T17:54:07.357 回答