ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

ECDSA verification for imported ECC public key within a X509 certification

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

ECDSA verification for imported ECC public key within a X509 certification

‎01-07-2025 05:22 AM
615件の閲覧回数
anakha
Contributor III

Hello there,

I am having issue with verification of a certification. Its signature algorithm is SHA256 with ECDSA and use curve as secp256r1.

I am receiving certificate via CAN and store. I wrote a parser to split TBS, public key, signature algorithm and signature itself as R and S values. 

I checked public key, R and S values and their lengths are correct. But EcdsaVerify() function returns HSE_SRV_RSP_VERIFY_FAILED.

What am I doing wrong or am I skip something? 

 

 

 

/* Verify X.509 certificate */

hseSrvResponse_t HseResponse;    
X509_Certificate parsedCert;
if (!X509_ParseCertificate(certificate, length, &parsedCert))
{
   return false; // failed
}
    // extract/parse R and S values
if (!ExtractSignatureRS(parsedCert.signature, parsedCert.signatureLen, &signR_Client, &signRLen_Client, &signS_Client, &signSLen_Client))
{
  return false;
}
    // Check Certificate signature
    /*Loads ECC Public Key stored into the RAM catalog*/
publicKeyEccExt = parsedCert.publicKey;
HseResponse = LoadEccUncompressedExternalPublicKey(&ECCImportedPubHandle, 0, HSE_EC_SEC_SECP256R1, (parsedCert.publicKeyLen / 2 * 8), publicKeyEccExt); //skip 1st byte (0x04) because it represent uncompressed
ASSERT(HSE_SRV_RSP_OK != HseResponse);

HseResponse = ImportFormattedCertEccKeyReq(ECCImportedPubHandle, HSE_KEY_TYPE_ECC_PUB_EXT, HSE_KF_USAGE_VERIFY, HSE_EC_SEC_SECP256R1, (parsedCert.publicKeyLen / 2 * 8), HSE_KEY_FORMAT_ECC_PUB_UNCOMPRESSED, parsedCert.publicKey, parsedCert.tbsCertificateLen, parsedCert.tbsCertificate);
ASSERT(HSE_SRV_RSP_OK != HseResponse);

	/* Verifies the signature with the public Key stored inn the RAM catalog using the signature generated above*/
HseResponse = EcdsaVerify(ECCImportedPubHandle, HSE_HASH_ALGO_SHA2_256, (uint32)parsedCert.tbsCertificateLen, (const uint8*)parsedCert.tbsCertificate, FALSE, 0U, &signRLen_Client, signR_Client, &signSLen_Client, signS_Client);
ASSERT(HSE_SRV_RSP_OK != HseResponse);

 

 

 

 

here are more details for key catalog definition:

 

 

 

#define CRYPTO_START_SEC_CONST_UNSPECIFIED
#include "Crypto_MemMap.h"

/* Table containing RAM key catalog entries */
const hseKeyGroupCfgEntry_t RAM_KeyCatalog[] =
{
    /* RamKeyGroup_RamKey */
    {(HSE_MU0_MASK), HSE_KEY_OWNER_ANY, HSE_KEY_TYPE_AES, 1U, 256U, {0U, 0U}},	/* AES GCM Authentication */
	{HSE_MU0_MASK, HSE_KEY_OWNER_ANY, HSE_KEY_TYPE_ECC_PUB, 1U, HSE_KEY521_BITS, {0U, 0U}}, /* ECC Public Key for signature Group*/
	{HSE_MU0_MASK, HSE_KEY_OWNER_ANY, HSE_KEY_TYPE_ECC_PUB_EXT, 1U, HSE_KEY521_BITS, {0U, 0U}}, /* ECC Public Key for imported certificate Group*/
    /* Marker to end the key catalog */
    {0U, 0U, 0U, 0U, 0U, {0U, 0U}}
};

#define CRYPTO_STOP_SEC_CONST_UNSPECIFIED
#include "Crypto_MemMap.h"

 

 

 

and its handle creation:

 

 

 

ECCImportedPubHandle = GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_RAM,2,0);	//imported ECC public key from certificate

 

 

 

 

other HSE functions like self generate, sign and verification is success using ECC.

I am using RTD 4.0.0. without Autosar with S32K344

 

thanks in advance.

regards,

タグ(4)
0 件の賞賛
返信
0 返答(返信)