CMakeLists.txt

@@ -122,7 +122,7 @@ set(SOURCES ${SOURCES}
         )
 endif()
 
-SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/fido/version.h" 2)
+SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/fido/version.h" 3)
 if(ESP_PLATFORM)
     project(pico_fido)
 endif()

build_pico_fido.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 VERSION_MAJOR="7"
-VERSION_MINOR="2"
+VERSION_MINOR="4"
 SUFFIX="${VERSION_MAJOR}.${VERSION_MINOR}"
 #if ! [[ -z "${GITHUB_SHA}" ]]; then
 #    SUFFIX="${SUFFIX}.${GITHUB_SHA}"

src/fido/cbor_config.c

@@ -144,12 +144,6 @@ int cbor_config(const uint8_t *data, size_t len) {
     }
 
     if (subcommand == 0xFF) {
-#ifndef ENABLE_EMULATION
-        const bool is_phy = (vendorCommandId == CTAP_CONFIG_PHY_VIDPID ||
-            vendorCommandId == CTAP_CONFIG_PHY_LED_GPIO ||
-            vendorCommandId == CTAP_CONFIG_PHY_LED_BTNESS ||
-            vendorCommandId == CTAP_CONFIG_PHY_OPTS);
-#endif
         if (vendorCommandId == CTAP_CONFIG_AUT_DISABLE){
             if (!file_has_data(ef_keydev_enc)) {
                 CBOR_ERROR(CTAP2_ERR_NOT_ALLOWED);
@@ -192,25 +186,6 @@ int cbor_config(const uint8_t *data, size_t len) {
             file_put_data(ef_keydev, NULL, 0); // Set ef to 0 bytes
             low_flash_available();
         }
-
-#ifndef ENABLE_EMULATION
-        else if (vendorCommandId == CTAP_CONFIG_PHY_VIDPID) {
-            phy_data.vid = (vendorParamInt >> 16) & 0xFFFF;
-            phy_data.pid = vendorParamInt & 0xFFFF;
-            phy_data.vidpid_present = true;
-        }
-        else if (vendorCommandId == CTAP_CONFIG_PHY_LED_GPIO) {
-            phy_data.led_gpio = (uint8_t)vendorParamInt;
-            phy_data.led_gpio_present = true;
-        }
-        else if (vendorCommandId == CTAP_CONFIG_PHY_LED_BTNESS) {
-            phy_data.led_brightness = (uint8_t)vendorParamInt;
-            phy_data.led_brightness_present = true;
-        }
-        else if (vendorCommandId == CTAP_CONFIG_PHY_OPTS) {
-            phy_data.opts = (uint16_t)vendorParamInt;
-        }
-#endif
         else if (vendorCommandId == CTAP_CONFIG_EA_UPLOAD) {
             if (vendorParamByteString.present == false) {
                 CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
@@ -239,11 +214,6 @@ int cbor_config(const uint8_t *data, size_t len) {
         else {
             CBOR_ERROR(CTAP2_ERR_INVALID_SUBCOMMAND);
         }
-#ifndef ENABLE_EMULATION
-        if (is_phy && phy_save() != PICOKEY_OK) {
-            CBOR_ERROR(CTAP2_ERR_PROCESSING);
-        }
-#endif
         goto err;
     }
     else if (subcommand == 0x03) {

src/fido/cbor_vendor.c

@@ -243,41 +243,6 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
             CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, buffer + sizeof(buffer) - ret, ret));
         }
     }
-#ifndef ENABLE_EMULATION
-    else if (cmd == CTAP_VENDOR_PHY_OPTS) {
-        if (vendorCmd == 0x01) {
-            uint16_t opts = 0;
-            if (file_has_data(ef_phy)) {
-                uint8_t *pdata = file_get_data(ef_phy);
-                opts = get_uint16_t_be(pdata + PHY_OPTS);
-            }
-            CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 1));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, opts));
-        }
-        else {
-            CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
-        }
-    }
- #endif
-    else if (cmd == CTAP_VENDOR_MEMORY) {
-        if (vendorCmd == 0x01) {
-            CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 5));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_free_space()));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x02));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_used_space()));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x03));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_total_space()));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_num_files()));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x05));
-            CBOR_CHECK(cbor_encode_uint(&mapEncoder, flash_size()));
-        }
-        else {
-            CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
-        }
-    }
     else {
         CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
     }

src/fido/fido.c

@@ -549,7 +549,7 @@ int cmd_vendor() {
     int ret = cbor_vendor(apdu.data, apdu.nc);
     res_APDU = old_buf;
     if (ret != 0) {
-        return SW_EXEC_ERROR();
+        return set_res_sw(0x64, ret);
     }
     res_APDU_size += 1;
     memcpy(res_APDU, ctap_resp->init.data, res_APDU_size);
@@ -562,7 +562,7 @@ int cmd_cbor() {
     int ret = cbor_parse(0x90, apdu.data, apdu.nc);
     res_APDU = old_buf;
     if (ret != 0) {
-        return SW_EXEC_ERROR();
+        return set_res_sw(0x64, ret);
     }
     res_APDU_size += 1;
     memcpy(res_APDU, ctap_resp->init.data, res_APDU_size);

src/fido/version.h

@@ -18,7 +18,7 @@
 #ifndef __VERSION_H_
 #define __VERSION_H_
 
-#define PICO_FIDO_VERSION 0x0702
+#define PICO_FIDO_VERSION 0x0704
 
 #define PICO_FIDO_VERSION_MAJOR ((PICO_FIDO_VERSION >> 8) & 0xff)
 #define PICO_FIDO_VERSION_MINOR (PICO_FIDO_VERSION & 0xff)

tools/secure_key/macos.py

@@ -1,61 +0,0 @@
-import sys
-import keyring
-
-DOMAIN = "PicoKeys.com"
-USERNAME = "Pico-Fido"
-
-try:
-    import keyring
-    from keyrings.osx_keychain_keys.backend import OSXKeychainKeysBackend, OSXKeychainKeyType, OSXKeyChainKeyClassType
-except:
-    print('ERROR: keyring module not found! Install keyring package.\nTry with `pip install keyrings.osx-keychain-keys`')
-    sys.exit(-1)
-
-try:
-    from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
-except:
-    print('ERROR: cryptography module not found! Install cryptography package.\nTry with `pip install cryptography`')
-    sys.exit(-1)
-
-
-def get_backend(use_secure_enclave=False):
-    backend = OSXKeychainKeysBackend(
-        key_type=OSXKeychainKeyType.EC, # Key type, e.g. RSA, RC, DSA, ...
-        key_class_type=OSXKeyChainKeyClassType.Private, # Private key, Public key, Symmetric-key
-        key_size_in_bits=256,
-        is_permanent=True, # If set, saves the key in keychain; else, returns a transient key
-        use_secure_enclave=use_secure_enclave, # Saves the key in the T2 (TPM) chip, requires a code-signed interpreter
-        access_group=None, # Limits key management and retrieval to set group, requires a code-signed interpreter
-        is_extractable=True # If set, private key is extractable; else, it can't be retrieved, but only operated against
-    )
-    return backend
-
-def generate_secure_key(use_secure_enclave=False):
-    backend = get_backend(use_secure_enclave)
-    backend.set_password(DOMAIN, USERNAME, password=None)
-    return backend.get_password(DOMAIN, USERNAME)
-
-def get_d(key):
-    return key.private_numbers().private_value.to_bytes(32, 'big')
-
-def set_secure_key(pk):
-    backend = get_backend(False)
-    try:
-        backend.delete_password(DOMAIN, USERNAME)
-    except:
-        pass
-    backend.set_password(DOMAIN, USERNAME, pk.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()))
-
-def get_secure_key():
-    key = None
-    try:
-        backend = get_backend(False)
-        key = backend.get_password(DOMAIN, USERNAME)[0]
-        if (key is None):
-            raise TypeError
-    except (keyring.errors.KeyringError, TypeError):
-        try:
-            key = generate_secure_key(False)[0] # It should be True, but secure enclave causes python segfault
-        except keyring.errors.PasswordSetError:
-            key = generate_secure_key(False)[0]
-    return get_d(key)

tools/secure_key/windows.py

@@ -1,44 +0,0 @@
-import sys
-
-DOMAIN = "PicoKeys.com"
-USERNAME = "Pico-Fido"
-
-try:
-    import keyring
-except:
-    print('ERROR: keyring module not found! Install keyring package.\nTry with `pip install keyring`')
-    sys.exit(-1)
-
-try:
-    from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption, load_pem_private_key
-    from cryptography.hazmat.primitives.asymmetric import ec
-except:
-    print('ERROR: cryptography module not found! Install cryptography package.\nTry with `pip install cryptography`')
-    sys.exit(-1)
-
-
-
-def generate_secure_key():
-    pkey = ec.generate_private_key(ec.SECP256R1())
-    set_secure_key(pkey)
-    return keyring.get_password(DOMAIN, USERNAME)
-
-def get_d(key):
-    return load_pem_private_key(key, password=None).private_numbers().private_value.to_bytes(32, 'big')
-
-def set_secure_key(pk):
-    try:
-        keyring.delete_password(DOMAIN, USERNAME)
-    except:
-        pass
-    keyring.set_password(DOMAIN, USERNAME, pk.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()).decode())
-
-def get_secure_key():
-    key = None
-    try:
-        key = keyring.get_password(DOMAIN, USERNAME)
-        if (key is None):
-            raise TypeError
-    except (keyring.errors.KeyringError, TypeError):
-        key = generate_secure_key()
-    return get_d(key.encode())