private bool VerifyS3Message(byte[] s3Message)
{
// Convert S3 message from byte array into the compatible structure
object S3MessageObj = new SigmaDataStructs.SigmaS3Message();
GeneralUtils.ByteArrayToStructure(s3Message, ref S3MessageObj);
SigmaDataStructs.SigmaS3Message S3Message = (SigmaDataStructs.SigmaS3Message)S3MessageObj;
// Locate the data index in the message
int dataInd = Marshal.SizeOf(typeof(SigmaDataStructs.SigmaS3Message)) - 1 + 32;
// Copy S3 message data from the received message into the S3 strucure data field
S3Message.data = new byte[s3Message.Length - dataInd];
Array.Copy(s3Message, dataInd, S3Message.data, 0, S3Message.data.Length);
// Prepare data for HMAC
byte[] dataForHmac = new byte[s3Message.Length - S3Message.S3Icv.Length];
Array.Copy(s3Message, S3Message.S3Icv.Length, dataForHmac, 0, dataForHmac.Length);
// Verify HMAC
CdgResult retStat = CdgResult.CdgValid;
CdgStatus status;
status = CryptoDataGenWrapper.VerifyHmac(dataForHmac, dataForHmac.Length, S3Message.S3Icv, SigmaDataStructs.SIGMA_MAC_LEN, SMK, SigmaDataStructs.SIGMA_SMK_LENGTH, ref retStat);
if (status != CdgStatus.CdgStsOk || retStat != CdgResult.CdgValid)
{
return(false);
}
// Check whether BK exists in the signed message, as a part of the S3 message validation
byte[] GaGbSig = new byte[SigmaDataStructs.EPID_SIG_LEN];
if (!SigmaUtils.DoesBKExist(S3Message, ref GaGbSig))
{
return(false);
}
// groupCert contains the SIGMA 1.0 certificate for the specific EPID group ID
byte[] groupCert = SigmaUtils.GetSpecificEpidCertificate_SIGMA_1_0(epidGroupID);
// epidParamsCert contains the mathematic parameters
byte[] epidParamsData = File.ReadAllBytes(EPIDDataStructs.PRODUCTION_SIGNED_BIN_PARAMS_CERT_FILE);
// Verify message. If a revocation list is used - the dll function will also check that the platform was not revoked.
status = CryptoDataGenWrapper.MessageVerifyPch(groupCert, groupCert.Length, epidParamsData, GaGb, GaGb.Length, null, 0, GaGbSig, GaGbSig.Length, out retStat, null);
if (status != CdgStatus.CdgStsOk || retStat != CdgResult.CdgValid)
{
return(false);
}
return(true);
}
private CdgStatus ProcessS1Message(byte[] s1Msg)
{
// Convert S1 message from byte array into the compatible structure
object s1Message = new SigmaDataStructs.SigmaS1Message();
GeneralUtils.ByteArrayToStructure(s1Msg, ref s1Message);
// Extract S1 message
SigmaDataStructs.SigmaS1Message message = (SigmaDataStructs.SigmaS1Message)s1Message;
Ga = message.Ga; // Prover's ephemeral DH public key
OCSPReq = message.OcspReq; // An (optional) OCSP Request from the prover
epidGroupID = message.Gid; // Platform EPID group ID
// Derive SK (Session Confidentiality Key: 128 bit derived from SMK), MK(Session Integrity Key: 128bit derived from SMK) and SMK(Session Message Key)
byte[] Sk = new byte[SigmaDataStructs.SIGMA_SESSION_KEY_LEN];
byte[] Mk = new byte[SigmaDataStructs.SIGMA_MAC_KEY_LEN];
CdgStatus status = CryptoDataGenWrapper.DeriveSigmaKeys(Ga, Ga.Length, Gb, Gb.Length, Sk, Sk.Length, Mk, Mk.Length, SMK, SMK.Length);
return(status);
}
public override void HandleClientCommunication(object client)
{
try
{
TcpClient tcpClient = (TcpClient)client;
Socket socket = tcpClient.Client;
isClientConnected = socket.Connected;
while (isClientConnected)
{
// Receive adapted message (message prepared for verification)
int dataSize = socket.ReceiveMessageAsInt();
byte[] adaptedMessage = socket.ReceiveMessage(dataSize);
// Receive signature
dataSize = socket.ReceiveMessageAsInt();
byte[] signature = socket.ReceiveMessage(dataSize);
// Receive EPID group ID
int groupID = socket.ReceiveMessageAsInt();
// groupCert contains the SIGMA 1.1 certificate for the specific EPID group ID
byte[] groupCert = SigmaUtils.GetSpecificEpidCertificate_SIGMA_1_0((uint)groupID);
// epidParamsCert contains the mathematic parameters
byte[] epidParamsCert = File.ReadAllBytes(EPIDDataStructs.DEBUG_SIGNED_BIN_PARAMS_CERT_FILE);
// taskInfoArray is a data structure defined in the DAL implementation.
// It is prepended to the message by DAL prior to signing,
// and so has to be prepended by us prior to verification
byte[] taskInfoArray = GeneralUtils.StructureToByteArray(EPIDDataStructs.GetTaskInfo());
byte[] infoNonceMessage = new byte[taskInfoArray.Length + adaptedMessage.Length]; //TaskInfo || Nonce || Message
// Concatenate the info to infoNonceMessage
taskInfoArray.CopyTo(infoNonceMessage, 0);
// Concatenate the adapted message(including the nonce) to infoNonceMessage
adaptedMessage.CopyTo(infoNonceMessage, taskInfoArray.Length);
// Verify the signature
// When we call the MessageVerifyPch function, we can send
// baseName - the basename that will be signed as part of the signature
// privateKeyRevList - a list of the platforms that were revoked based on the platform’s private key
// SignatureRevList - a list of the platforms that were revoked based on the signature generated by the platform
// GroupRevList - a list of the EPID groups that were revoked based on the group public key
// as parameters.
CdgResult retStatus;
CdgStatus status = CryptoDataGenWrapper.MessageVerifyPch(groupCert, groupCert.Length, epidParamsCert, infoNonceMessage, infoNonceMessage.Length, null, 0, signature, signature.Length, out retStatus, null, null, null);
int res = VERIFYNG_SUCCESS;
if (status != CdgStatus.CdgStsOk)
{
res = ERROR;
}
else if (retStatus != CdgResult.CdgValid)
{
res = VERIFYNG_FAILED;
}
// Send the signature verification result to the client
socket.SendInt(res);
}
Console.WriteLine("EPID Signing Sample Client disconnected.\n");
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
private bool GetS2Message(out byte[] S2MessageArray)
{
S2MessageArray = new byte[0];
byte[] cert = SigmaDataStructs.Sigma11_3PSignedCert; // Verifier's certificate
byte[] key = SigmaDataStructs.Sigma11_Signed3PKey; // Verifier's private key
// Get the OCSP (Online Certificate Status Protocol) response according to the request we've got from the prover
byte[] OCSPResp = SigmaUtils.GetOCSPResponseFromRealResponder(cert, OCSPReq.OcspNonce);
// If there is a problem with the OCSP server connection
if (OCSPResp == null)
{
return(false);
}
try
{
// Create S2 structure
SigmaDataStructs.SigmaS2Message S2Message = GenerateS2Structure();
// Build the OCSP response
OCSPResp = SigmaUtils.BuildOCSPResp(cert, OCSPResp);
// Composing - Data contains Verifier Cert, SIG_RL_HEADER followed by Revocation List , OCSP Response (If requested) VLRs in this order. SigRL is optional.
List <byte> VerifierCertAndOCSPRespList = new List <byte>();
// Generate X509 verifier certificate
byte[] x509VerifierCertArray = SigmaUtils.GenerateX509VerifierCert(cert);
// Add the x509VerifierCert to S2 message
VerifierCertAndOCSPRespList.AddRange(x509VerifierCertArray);
// Here you can generate SIG-RL in case you want to use it, and add it to s2List
// Add the OCSP response to S2 message
VerifierCertAndOCSPRespList.AddRange(OCSPResp);
// Convert VerifierCert and OCSPResp list to a byte array
byte[] VerifierCertAndOCSPResp = VerifierCertAndOCSPRespList.ToArray();
// Convert OCSP request from structure to a byte array
byte[] ocspReqArray = GeneralUtils.StructureToByteArray(S2Message.OcspReq);
// Preparing the HMAC
// Constructing HMAC data - Gb || Basename || OCSP Req || Verifier Cert || Sig-RL List || OCSPResp
byte[] dataForHmac = new byte[SigmaDataStructs.SIGMA_PUBLIC_KEY_LEN + SigmaDataStructs.BASE_NAME_LENGTH + DataStructs.INT_SIZE + SigmaDataStructs.OCSP_NONCE_LENGTH + VerifierCertAndOCSPResp.Length];
S2Message.Gb.CopyTo(dataForHmac, 0);
S2Message.Basename.CopyTo(dataForHmac, SigmaDataStructs.SIGMA_PUBLIC_KEY_LEN);
ocspReqArray.CopyTo(dataForHmac, SigmaDataStructs.SIGMA_PUBLIC_KEY_LEN + SigmaDataStructs.BASE_NAME_LENGTH);
VerifierCertAndOCSPResp.CopyTo(dataForHmac, SigmaDataStructs.SIGMA_PUBLIC_KEY_LEN + SigmaDataStructs.BASE_NAME_LENGTH + DataStructs.INT_SIZE + SigmaDataStructs.OCSP_NONCE_LENGTH);
// Create HMAC - HMAC_SHA256 of [Gb || Basename || OCSP Req || Verifier Cert || Sig-RL List ], using SMK
CdgStatus status;
S2Message.S2Icv = new byte[SigmaDataStructs.SIGMA_MAC_LEN];
status = CryptoDataGenWrapper.CreateHmac(dataForHmac, dataForHmac.Length, SMK, SigmaDataStructs.SIGMA_SMK_LENGTH, S2Message.S2Icv, SigmaDataStructs.SIGMA_HMAC_LENGTH);
if (status != CdgStatus.CdgStsOk)
{
return(false);
}
// Create Signed [Ga || Gb] using verifier ECDSA private key
S2Message.SigGaGb = new byte[SigmaDataStructs.ECDSA_SIGNATURE_LEN];
status = CryptoDataGenWrapper.MessageSign(key, key.Length, GaGb, SigmaDataStructs.SIGMA_KEY_LENGTH * 2, S2Message.SigGaGb, SigmaDataStructs.ECDSA_SIGNATURE_LEN);
if (status != CdgStatus.CdgStsOk)
{
return(false);
}
// Prepare final S2 message array contains S2 message structure + verifier cert + OCSP response
int s2MessageLen = Marshal.SizeOf(S2Message);
S2MessageArray = new byte[s2MessageLen + VerifierCertAndOCSPResp.Length];
GeneralUtils.StructureToByteArray(S2Message).CopyTo(S2MessageArray, 0);
VerifierCertAndOCSPResp.CopyTo(S2MessageArray, s2MessageLen);
return(true);
}
catch (Exception)
{
return(false);
}
}
