dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity

Add DV cert to PUK store.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2023-03-06 00:40:31 +01:00
parent 2c9fa8b19f
commit 3c160f69c0
1 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/hsm/sc_hsm.c
View File

@@ -234,7 +234,12 @@ void init_sc_hsm() {
puk_store_entries = 0; puk_store_entries = 0;
file_t *fterm = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF); file_t *fterm = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF);
if (fterm) { if (fterm) {
add_cert_puk_store(file_get_data(fterm), file_get_size(fterm), false); uint8_t *p = NULL, *fterm_data = file_get_data(fterm), *pq = fterm_data;
size_t fterm_data_len = file_get_size(fterm);
while (walk_tlv(fterm_data, fterm_data_len, &p, NULL, NULL, NULL)) {
add_cert_puk_store(pq, p - pq, false);
pq = p;
}
} }
for (int i = 0; i < 0xfe; i++) { for (int i = 0; i < 0xfe; i++) {
file_t *ef = search_dynamic_file((CA_CERTIFICATE_PREFIX << 8) | i); file_t *ef = search_dynamic_file((CA_CERTIFICATE_PREFIX << 8) | i);
@@ -269,7 +274,7 @@ bool wait_button_pressed() {
uint16_t opts = get_device_options(); uint16_t opts = get_device_options();
if (opts & HSM_OPT_BOOTSEL_BUTTON) { if (opts & HSM_OPT_BOOTSEL_BUTTON) {
queue_try_add(&card_to_usb_q, &val); queue_try_add(&card_to_usb_q, &val);
do { do{
queue_remove_blocking(&usb_to_card_q, &val); queue_remove_blocking(&usb_to_card_q, &val);
} while (val != EV_BUTTON_PRESSED && val != EV_BUTTON_TIMEOUT); } while (val != EV_BUTTON_PRESSED && val != EV_BUTTON_TIMEOUT);
} }
@@ -309,7 +314,7 @@ int pin_reset_retries(const file_t *pin, bool force) {
return CCID_ERR_FILE_NOT_FOUND; return CCID_ERR_FILE_NOT_FOUND;
} }
uint8_t retries = file_read_uint8(file_get_data(act)); uint8_t retries = file_read_uint8(file_get_data(act));
if (retries == 0 && force == false) { //blocked if (retries == 0 && force == false) { // blocked
return CCID_ERR_BLOCKED; return CCID_ERR_BLOCKED;
} }
retries = file_read_uint8(file_get_data(max)); retries = file_read_uint8(file_get_data(max));
@@ -367,7 +372,7 @@ int check_pin(const file_t *pin, const uint8_t *data, size_t len) {
else { else {
uint8_t dhash[32]; uint8_t dhash[32];
double_hash_pin(data, len, dhash); double_hash_pin(data, len, dhash);
if (sizeof(dhash) != file_get_size(pin) - 1) { //1 byte for pin len if (sizeof(dhash) != file_get_size(pin) - 1) { // 1 byte for pin len
return SW_CONDITIONS_NOT_SATISFIED(); return SW_CONDITIONS_NOT_SATISFIED();
} }
if (memcmp(file_get_data(pin) + 1, dhash, sizeof(dhash)) != 0) { if (memcmp(file_get_data(pin) + 1, dhash, sizeof(dhash)) != 0) {
@@ -454,7 +459,7 @@ uint32_t decrement_key_counter(file_t *fkey) {
/* We cannot modify meta_data, as it comes from flash memory. It must be cpied to an aux buffer */ /* We cannot modify meta_data, as it comes from flash memory. It must be cpied to an aux buffer */
memcpy(cmeta, meta_data, meta_size); memcpy(cmeta, meta_data, meta_size);
while (walk_tlv(cmeta, meta_size, &p, &tag, &tag_len, &tag_data)) { while (walk_tlv(cmeta, meta_size, &p, &tag, &tag_len, &tag_data)) {
if (tag == 0x90) { //ofset tag if (tag == 0x90) { // ofset tag
uint32_t val = uint32_t val =
(tag_data[0] << 24) | (tag_data[1] << 16) | (tag_data[2] << 8) | tag_data[3]; (tag_data[0] << 24) | (tag_data[1] << 16) | (tag_data[2] << 8) | tag_data[3];
val--; val--;
@@ -477,10 +482,10 @@ uint32_t decrement_key_counter(file_t *fkey) {
return 0xffffffff; return 0xffffffff;
} }
//Stores the private and public keys in flash // Stores the private and public keys in flash
int store_keys(void *key_ctx, int type, uint8_t key_id) { int store_keys(void *key_ctx, int type, uint8_t key_id) {
int r, key_size = 0; int r, key_size = 0;
uint8_t kdata[4096 / 8]; //worst case uint8_t kdata[4096 / 8]; // worst case
if (type == HSM_KEY_RSA) { if (type == HSM_KEY_RSA) {
mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx; mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx;
key_size = mbedtls_mpi_size(&rsa->P) + mbedtls_mpi_size(&rsa->Q); key_size = mbedtls_mpi_size(&rsa->P) + mbedtls_mpi_size(&rsa->Q);
@@ -566,7 +571,7 @@ int find_and_store_meta_key(uint8_t key_id) {
} }
int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) { int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) {
if (wait_button_pressed() == true) { //timeout if (wait_button_pressed() == true) { // timeout
return CCID_VERIFICATION_FAILED; return CCID_VERIFICATION_FAILED;
} }
@@ -610,12 +615,12 @@ int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) {
} }
int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey) { int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey) {
if (wait_button_pressed() == true) { //timeout if (wait_button_pressed() == true) { // timeout
return CCID_VERIFICATION_FAILED; return CCID_VERIFICATION_FAILED;
} }
int key_size = file_get_size(fkey); int key_size = file_get_size(fkey);
uint8_t kdata[67]; //Worst case, 521 bit + 1byte uint8_t kdata[67]; // Worst case, 521 bit + 1byte
memcpy(kdata, file_get_data(fkey), key_size); memcpy(kdata, file_get_data(fkey), key_size);
if (mkek_decrypt(kdata, key_size) != 0) { if (mkek_decrypt(kdata, key_size) != 0) {
return CCID_EXEC_ERROR; return CCID_EXEC_ERROR;