pico-hsm

Author	SHA1	Message	Date
Pol Henarejos	aebb68724a	Removing trailing spaces. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-19 01:44:27 +02:00
Pol Henarejos	fec02ca733	Removing cvcerts.h dependency. A python script gets the public key of the device (EF_EE_DEV) and requests to our PKI for a CVC. Once got, it is updated to EF_TERMCA (0x2f02). termca_pk is now on EF_KEY_DEV and termca is on EF_TERMCA (concat with DICA). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	6a16d4d55c	Fix returning store_keys(); Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:17:06 +02:00
Pol Henarejos	349df56b09	Missing header. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 15:00:05 +02:00
Pol Henarejos	e6f082d512	Splitting cmd_xxx() functions in separate files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 14:59:27 +02:00
Pol Henarejos	87feed1222	Renaming KEK files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 13:47:43 +02:00
Pol Henarejos	55c8a66613	Fix wrap/unwrap keys with specific allowed algorithms. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 02:58:36 +02:00
Pol Henarejos	2e88422c86	Fix deleting KEK when a key is present in the key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:50:22 +02:00
Pol Henarejos	da841b82d4	Fix deleting KEK. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:48:05 +02:00
Pol Henarejos	9256a72c3e	Added XKEK derivation to save the KEK from XKEK key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:55 +02:00
Pol Henarejos	12e5a586d2	Adding support for XKEK CVC extension. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 22:18:21 +02:00
Pol Henarejos	0556a528f3	Fix DKEK key domain creation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:51:59 +02:00
Pol Henarejos	de789cef66	Fix Key Domain deletion. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:46:08 +02:00
Pol Henarejos	7208d01547	Adding XKEK Key Domain creation. It validates the membership and creates a XKEK Key Domain. XKEK Key Domains can only be created based on memberships for THAT device. A device can only create XKEK Key Domains with memberships issued for itself. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:36:10 +02:00
Pol Henarejos	46cb0a455d	Fix DKEK are only created when requested and not by default. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 14:01:19 +02:00
Pol Henarejos	300e19b612	Moving to mbedtls_platform_zeroize() for better zeroization. Also added more zeroization when a private/secret key is loaded in memory. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:52:37 +02:00
Pol Henarejos	2666573050	Fix dkek status report when device is initialized without dkek. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:00:27 +02:00
Pol Henarejos	7b27cb7a1c	MKEK is also stored with SO encryption. A copy of MKEK is also stored but encrypted with SO-PIN. Thus, we always ensure that we have an operative copy of MKEK, either with PIN and/or SO-PIN. If user resets PIN, the MKEK is loaded with SO-PIN and stored with the derived key from new PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:41:04 +02:00
Pol Henarejos	1756ec49ad	When user resets retry counter and sends the SO-PIN (P1=0x0) it becomes authenticated in this session. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:29:34 +02:00
Pol Henarejos	7b286b04b1	Introducing MKEK (Master Key Encryption Key). MKEK is used to encrypt all keys in the device, regardless of Key Domains or DKEK. From now on, all keys are encrypted using an AES 256-bit secret key. MKEK is also encrypted and stored based on a derived key from PIN. When user introduces the PIN, the MKEK can be unlocked to load the stored private/secret keys. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:20:02 +02:00
Pol Henarejos	356eeea505	Added support for ECDH_XKEK. Note that it is unfinished. ECDH_XKEK is utilized for deriving and setting the KEK, based on the calc DH secret. It should not return anything, just SW_OK (this is not what is happening right now). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:51:41 +02:00
Pol Henarejos	34d9469157	When creating XKEK domain, it returns key domain UID. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:29:08 +02:00
Pol Henarejos	14dbad4dd7	Do not return PIN unitialized if PKA is enabled. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 00:27:53 +02:00
Pol Henarejos	cdce9ab50b	Adding pka_enabled() to check whether the device is configured with PKA. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 00:26:56 +02:00
Pol Henarejos	7bbcbc57eb	Removing unnecessary debug. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-06 01:36:03 +02:00
Pol Henarejos	3ebf4fdff5	User authentication is unlinked from session_pin Due to PUK Authentication, user authentication is not linked to having a valid session_pin anymore. In case of enabled PUK Auth, session_pin is used only for unlocking DKEK, but not for granting auth privileges, as they only are granted when PUK Auth succeeds. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-06 01:13:09 +02:00
Pol Henarejos	d1f0f45525	Added support for native PKCS1.5 and OEP decryption. It is not tested, as it is not supported by pkcs11 modules. For instance, OpenSSL implements OEP in local side, calling a RAW decryption on the device. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 17:00:23 +02:00
Pol Henarejos	efc1b4a4ae	Fix meta deletion. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 16:45:06 +02:00
Pol Henarejos	a45303d9e6	Added support for specific purposes. Added support for SHA512 operations. Keys can only be used for the specific purpose provided during the keypair generation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 16:12:04 +02:00
Pol Henarejos	871ff69f56	Fix critical bug. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 11:46:44 +02:00
Pol Henarejos	3afc1964dc	Store in dynamic memory PUK authentication. When a PUK is authenticated, session PIN is set to true. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 18:10:37 +02:00
Pol Henarejos	914020fd36	Added PUK authentication. Surprisingly, it works from the very beginning. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 17:43:50 +02:00
Pol Henarejos	168a8cd5a6	Fix selecting PUK for AUT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 17:42:21 +02:00
Pol Henarejos	db6b3ec427	Added select MSE for puk AUT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 20:04:32 +02:00
Pol Henarejos	32d0cdcea7	Save cached challenge length. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 18:58:35 +02:00
Pol Henarejos	332fe8c884	Generated challenges are cached and dev_name (ESTERMXXXXX) based on terminal certificate. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:40:51 +02:00
Pol Henarejos	59f0cf7732	Fix CA certificates selection. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:33:53 +02:00
Pol Henarejos	b803505287	When a certificate is verified, the corresponding certificate description and the certificate are cached and saved. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:30:19 +02:00
Pol Henarejos	76a41dffa1	Store all verified certificates (INS MSE) into CA_PREFIX files. When a certificate is sent for verification, it is always cached and saved onto a CA_PREFIX. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 11:59:06 +02:00
Pol Henarejos	a17a4c0a3c	Finished key public registration. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 11:09:25 +02:00
Pol Henarejos	5eb086935e	Added INS_PSO. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 19:02:59 +02:00
Pol Henarejos	a4ffcebb0f	Added variable puk_store. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 14:15:17 +02:00
Pol Henarejos	39f7b5284a	Added OID definitions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 11:53:35 +02:00
Pol Henarejos	4f58cd255b	Adding PUK store. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 20:01:37 +02:00
Pol Henarejos	0e59166c64	Added MSE for B6 CRT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 17:35:30 +02:00
Pol Henarejos	d057729675	Fix returning the status of PIN1 when it is not initialized. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-07 19:58:21 +02:00
Pol Henarejos	b14a323ef8	Added INS PUK with status query. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-07 19:44:47 +02:00
Pol Henarejos	4bf5a80a7a	Added key usage counter to decryption operations. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-03 20:13:18 +02:00
Pol Henarejos	40efcd71c3	Added device option KEY_COUNTER_ALL. When it is set, it enables the key usage counter for all keys when generated. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-03 20:10:53 +02:00
Pol Henarejos	aca291da9e	Key usage counter is added for every generated key. When a key is generated, a key usage counter is added. It starts from 2^32-1 and is decremented for every sign request. Once it reaches 0, it forbids more signatures for this key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-03 20:04:14 +02:00

1 2 3 4

172 Commits