DPP2: Add challengePassword into CSR

Derive challengePassword from bk and add it into the CSR. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 12:22:08 +03:00 · 2020-06-17 12:22:08 +03:00 · c98db9f1f8
parent dbbb0d5b82
commit c98db9f1f8
2 changed files with 25 additions and 0 deletions
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@ -120,6 +120,7 @@ enum dpp_connector_key {
 #define DPP_MAX_NONCE_LEN 32
 #define DPP_MAX_HASH_LEN 64
 #define DPP_MAX_SHARED_SECRET_LEN 66
+#define DPP_CP_LEN 64

 struct dpp_curve_params {
 	const char *name;
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@ -2677,6 +2677,10 @@ struct wpabuf * dpp_build_csr(struct dpp_authentication *auth)
 	unsigned int hash_len = auth->curve->hash_len;
 	EC_KEY *eckey;
 	BIO *out = NULL;
+	u8 cp[DPP_CP_LEN];
+	char *password;
+	size_t password_len;
+	int res;

 	/* TODO: use auth->csrattrs */

@ -2701,6 +2705,26 @@ struct wpabuf * dpp_build_csr(struct dpp_authentication *auth)
 	if (!req || !X509_REQ_set_pubkey(req, key))
 		goto fail;

+	/* cp = HKDF-Expand(bk, "CSR challengePassword", 64) */
+	if (dpp_hkdf_expand(hash_len, auth->bk, hash_len,
+			    "CSR challengePassword", cp, DPP_CP_LEN) < 0)
+		goto fail;
+	wpa_hexdump_key(MSG_DEBUG,
+			"DPP: cp = HKDF-Expand(bk, \"CSR challengePassword\", 64)",
+			cp, DPP_CP_LEN);
+	password = base64_encode_no_lf(cp, DPP_CP_LEN, &password_len);
+	forced_memzero(cp, DPP_CP_LEN);
+	if (!password)
+		goto fail;
+
+	res = X509_REQ_add1_attr_by_NID(req, NID_pkcs9_challengePassword,
+					V_ASN1_UTF8STRING,
+					(const unsigned char *) password,
+					password_len);
+	bin_clear_free(password, password_len);
+	if (!res)
+		goto fail;
+
 	/* TODO */

 	/* TODO: hash func selection based on csrAttrs */