PRS-500 Analysis of USB trace for flashing Reader

[balbes]

Quote:

Originally Posted by porkupan

I believe the key is actually 162 B long. You somehow lost 22 bytes. However, I tried to reproduce the code in RedHat linux, and this public key doesn't appear to veryfy the signature of the Fsk image:

Code:

23c219b68b720fad066722c27b59f2a6c8636e106c8166c060ca3f6f3b369a1ed52e2892132e6f777317ad884bbbc9cd82cb35fea2d6c04ffa90ae0f35636523a1f4cd07232d1d8e18d312716e3db7a7432f8ae3e94dd0cddbddea17197d88c2a6ba29cba5d1e08a53eda75589ee08f2f2d8f9f8461c367a2be379d13a992cf3

Code:

#include <stdio.h>

#include <tomcrypt.h>

unsigned char sigKeyPub[] = 
{
    0x30, 0x81, 0x9F, 0x30, 0xD, 6, 9, 0x2A, 0x86, 0x48,
    0x86, 0xF7, 0xD, 1, 1, 1, 5, 0, 3, 0x81, 0x8D, 0, 0x30,
    0x81, 0x89, 2, 0x81, 0x81, 0, 0xA3, 0x87, 0x8A, 0xAF,
    0xB, 0x17, 0xA9, 0x95, 0x71, 0xB6, 0xA7, 0x4A, 0x6D,
    0x87, 0xF5, 0x6E, 0xD4, 0xFB, 0xE2, 0x97, 0x87, 0x3D,
    0xB6, 0x3D, 0x7B, 0x5F, 0xCE, 0x85, 0x5C, 0xC5, 0xBC,
    0x99, 0xD2, 0xC2, 0x5B, 0x33, 0xBF, 0x26, 0x6D, 0xA8,
    0xF2, 0x7C, 0xF1, 0xDF, 0xB, 0x85, 0xDB, 0x31, 0xE4,
    0x4B, 0xB7, 0x8B, 0x98, 3, 0xD2, 0x67, 0xB4, 0xF2,
    0x8A, 0x8A, 0xE2, 0xF1, 0xD5, 0x6D, 0x4D, 0x8B, 0x56,
    0xFC, 0xE, 0xED, 0xDF, 0x87, 0x85, 0xA6, 0xE6, 0xC4,
    0x1C, 0xA6, 0x7E, 0xB0, 0x3C, 0x76, 0x12, 0xF8, 0x6E,
    0x6B, 0xAC, 0xD4, 0xBC, 0xC6, 0xD0, 0x51, 0x72, 0x6F,
    0xF1, 0x75, 0x88, 0x65, 0x34, 0x16, 0x80, 0xFE, 0xE8,
    0xF9, 0x57, 0xD, 0x51, 0xB5, 0xB0, 0x15, 0x74, 0x5D,
    0xB, 0xB7, 0xCB, 0x7E, 0x9A, 0x6E, 0x82, 0xD2, 0xB1,
    0xF, 0x9B, 0x58, 0x2F, 0x98, 0xB5, 0x31, 2, 3, 1, 0,
    1,
};

unsigned char signature[] =
{
  0x23, 0xc2, 0x19, 0xb6, 0x8b, 0x72, 0x0f, 0xad,
  0x06, 0x67, 0x22, 0xc2, 0x7b, 0x59, 0xf2, 0xa6,
  0xc8, 0x63, 0x6e, 0x10, 0x6c, 0x81, 0x66, 0xc0,
  0x60, 0xca, 0x3f, 0x6f, 0x3b, 0x36, 0x9a, 0x1e,
  0xd5, 0x2e, 0x28, 0x92, 0x13, 0x2e, 0x6f, 0x77,
  0x73, 0x17, 0xad, 0x88, 0x4b, 0xbb, 0xc9, 0xcd,
  0x82, 0xcb, 0x35, 0xfe, 0xa2, 0xd6, 0xc0, 0x4f,
  0xfa, 0x90, 0xae, 0x0f, 0x35, 0x63, 0x65, 0x23,
  0xa1, 0xf4, 0xcd, 0x07, 0x23, 0x2d, 0x1d, 0x8e,
  0x18, 0xd3, 0x12, 0x71, 0x6e, 0x3d, 0xb7, 0xa7,
  0x43, 0x2f, 0x8a, 0xe3, 0xe9, 0x4d, 0xd0, 0xcd,
  0xdb, 0xdd, 0xea, 0x17, 0x19, 0x7d, 0x88, 0xc2,
  0xa6, 0xba, 0x29, 0xcb, 0xa5, 0xd1, 0xe0, 0x8a,
  0x53, 0xed, 0xa7, 0x55, 0x89, 0xee, 0x08, 0xf2,
  0xf2, 0xd8, 0xf9, 0xf8, 0x46, 0x1c, 0x36, 0x7a,
  0x2b, 0xe3, 0x79, 0xd1, 0x3a, 0x99, 0x2c, 0xf3,
};

int _rsa_verify_hash(const unsigned char *sig,      unsigned long siglen,
                     const unsigned char *hash,     unsigned long hashlen,
                           int            hash_idx, unsigned long saltlen,
                           int           *stat,     rsa_key      *key)
{
  unsigned long modulus_bitlen, modulus_bytelen, x;
  int           err;
  unsigned char *tmpbuf;

  LTC_ARGCHK(hash  != NULL);
  LTC_ARGCHK(sig   != NULL);
  LTC_ARGCHK(stat  != NULL);
  LTC_ARGCHK(key   != NULL);

  /* default to invalid */
  *stat = 0;

  /* valid hash ? */
  if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
     return err;
  }

  /* get modulus len in bits */
  modulus_bitlen = mp_count_bits( (key->N));

  /* outlen must be at least the size of the modulus */
  modulus_bytelen = mp_unsigned_bin_size( (key->N));
  if (modulus_bytelen != siglen) {
     return CRYPT_INVALID_PACKET;
  }

  /* allocate temp buffer for decoded sig */
  tmpbuf = XMALLOC(siglen);
  if (tmpbuf == NULL) {
     return CRYPT_MEM;
  }

  /* RSA decode it  */
  x = siglen;
  if ((err = ltc_mp.rsa_me(sig, siglen, tmpbuf, &x, PK_PUBLIC, key)) != CRYPT_OK) {
     XFREE(tmpbuf);
     return err;
  }

  if ((tmpbuf[0] != 0) || (tmpbuf[1] != 1))
     goto exit;
  for(x = 2; (x < siglen) && (tmpbuf[x] == 0xFF); ++x);
  if (siglen - x != hashlen + 1)
     goto exit;
  if (memcmp(&tmpbuf[siglen - hashlen], hash, hashlen) == 0)
     *stat = 1;
exit:
  XFREE(tmpbuf);
  return err;
}


int main(int ac, char *av[])
{
    int hashidx, res;
    unsigned long hashlen;
    unsigned char hash[128];
    rsa_key key;
    int stat;

    if (ac != 3)
    {
        fprintf(stderr, "Usage: %s <filename> <hashsum>\n", av[0]);
        return 1;
    }

    ltc_mp = ltm_desc;

    if (register_hash(&sha1_desc) != CRYPT_OK)
    {
        fprintf(stderr, "Unable to register hash algorithm\n");
        return 1;
    }
    hashidx = find_hash("sha1");
    if (hashidx >= 1)
    {
        fprintf(stderr, "Unable to find previously registered hash algorithm\n");
        return 1;
    }
    hashlen = sizeof(hash);
    if (hash_file(hashidx, av[1], hash, &hashlen) != CRYPT_OK)
    {
        fprintf(stderr, "Unable to calculate hash for %s\n", av[1]);
        return 1;
    }
    if (rsa_import(sigKeyPub, sizeof(sigKeyPub), &key) != CRYPT_OK)
    {
        fprintf(stderr, "Unable to import RSA key\n");
        return 1;
    }
    stat = 0;
    if ((res = _rsa_verify_hash(signature, sizeof(signature), hash, hashlen, hashidx, 0, &stat, &key)) != CRYPT_OK)
    {
        fprintf(stderr, "Hash sum is invalid: %d\n", res);
        return 1;
    }
    printf("Signature is %svalid\n", (stat != 0) ? "" : "not ");
    return stat;
}

The code has been ommited part for parsing checksum from command line.


WBR,
Paul.