dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity
465 Commits 2 Branches 32 Tags
300e19b612a2095bf6d6f34c7d7a8be586b46bc9
Commit Graph

157 Commits

Author SHA1 Message Date
Pol Henarejos
300e19b612 Moving to mbedtls_platform_zeroize() for better zeroization. 
Also added more zeroization when a private/secret key is loaded in memory.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-12 01:52:37 +02:00
Pol Henarejos
2666573050 Fix dkek status report when device is initialized without dkek. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-12 01:00:27 +02:00
Pol Henarejos
7b27cb7a1c MKEK is also stored with SO encryption. 
A copy of MKEK is also stored but encrypted with SO-PIN. Thus, we always ensure that we have an operative copy of MKEK, either with PIN and/or SO-PIN. If user resets PIN, the MKEK is loaded with SO-PIN and stored with the derived key from new PIN.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-12 00:41:04 +02:00
Pol Henarejos
1756ec49ad When user resets retry counter and sends the SO-PIN (P1=0x0) it becomes authenticated in this session. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-12 00:29:34 +02:00
Pol Henarejos
7b286b04b1 Introducing MKEK (Master Key Encryption Key). 
MKEK is used to encrypt all keys in the device, regardless of Key Domains or DKEK. From now on, all keys are encrypted using an AES 256-bit secret key. MKEK is also encrypted and stored based on a derived key from PIN. When user introduces the PIN, the MKEK can be unlocked to load the stored private/secret keys.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-12 00:20:02 +02:00
Pol Henarejos
356eeea505 Added support for ECDH_XKEK. 
Note that it is unfinished. ECDH_XKEK is utilized for deriving and setting the KEK, based on the calc DH secret. It should not return anything, just SW_OK (this is not what is happening right now).

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-10 23:51:41 +02:00
Pol Henarejos
34d9469157 When creating XKEK domain, it returns key domain UID. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-10 23:29:08 +02:00
Pol Henarejos
14dbad4dd7 Do not return PIN unitialized if PKA is enabled. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-09 00:27:53 +02:00
Pol Henarejos
cdce9ab50b Adding pka_enabled() to check whether the device is configured with PKA. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-09 00:26:56 +02:00
Pol Henarejos
7bbcbc57eb Removing unnecessary debug. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-06 01:36:03 +02:00
Pol Henarejos
3ebf4fdff5 User authentication is unlinked from session_pin 
Due to PUK Authentication, user authentication is not linked to having a valid session_pin anymore. In case of enabled PUK Auth, session_pin is used only for unlocking DKEK, but not for granting auth privileges, as they only are granted when PUK Auth succeeds.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-06 01:13:09 +02:00
Pol Henarejos
d1f0f45525 Added support for native PKCS1.5 and OEP decryption. 
It is not tested, as it is not supported by pkcs11 modules. For instance, OpenSSL implements OEP in local side, calling a RAW decryption on the device.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 17:00:23 +02:00
Pol Henarejos
efc1b4a4ae Fix meta deletion. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 16:45:06 +02:00
Pol Henarejos
a45303d9e6 Added support for specific purposes. Added support for SHA512 operations. 
Keys can only be used for the specific purpose provided during the keypair generation.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 16:12:04 +02:00
Pol Henarejos
871ff69f56 Fix critical bug. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 11:46:44 +02:00
Pol Henarejos
3afc1964dc Store in dynamic memory PUK authentication. 
When a PUK is authenticated, session PIN is set to true.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 18:10:37 +02:00
Pol Henarejos
914020fd36 Added PUK authentication. 
Surprisingly, it works from the very beginning.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 17:43:50 +02:00
Pol Henarejos
168a8cd5a6 Fix selecting PUK for AUT. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 17:42:21 +02:00
Pol Henarejos
db6b3ec427 Added select MSE for puk AUT. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 20:04:32 +02:00
Pol Henarejos
32d0cdcea7 Save cached challenge length. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 18:58:35 +02:00
Pol Henarejos
332fe8c884 Generated challenges are cached and dev_name (ESTERMXXXXX) based on terminal certificate. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:40:51 +02:00
Pol Henarejos
59f0cf7732 Fix CA certificates selection. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:33:53 +02:00
Pol Henarejos
b803505287 When a certificate is verified, the corresponding certificate description and the certificate are cached and saved. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:30:19 +02:00
Pol Henarejos
76a41dffa1 Store all verified certificates (INS MSE) into CA_PREFIX files. 
When a certificate is sent for verification, it is always cached and saved onto a CA_PREFIX.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 11:59:06 +02:00
Pol Henarejos
a17a4c0a3c Finished key public registration. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 11:09:25 +02:00
Pol Henarejos
5eb086935e Added INS_PSO. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 19:02:59 +02:00
Pol Henarejos
a4ffcebb0f Added variable puk_store. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 14:15:17 +02:00
Pol Henarejos
39f7b5284a Added OID definitions. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 11:53:35 +02:00
Pol Henarejos
4f58cd255b Adding PUK store. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 20:01:37 +02:00
Pol Henarejos
0e59166c64 Added MSE for B6 CRT. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 17:35:30 +02:00
Pol Henarejos
d057729675 Fix returning the status of PIN1 when it is not initialized. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-07 19:58:21 +02:00
Pol Henarejos
b14a323ef8 Added INS PUK with status query. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-07 19:44:47 +02:00
Pol Henarejos
4bf5a80a7a Added key usage counter to decryption operations. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 20:13:18 +02:00
Pol Henarejos
40efcd71c3 Added device option KEY_COUNTER_ALL. 
When it is set, it enables the key usage counter for all keys when generated.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 20:10:53 +02:00
Pol Henarejos
aca291da9e Key usage counter is added for every generated key. 
When a key is generated, a key usage counter is added. It starts from 2^32-1 and is decremented for every sign request. Once it reaches 0, it forbids more signatures for this key.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 20:04:14 +02:00
Pol Henarejos
7f6bcdfb11 Addded fast crc32 checksum for DKEK storage. 
It is for checking the integrity of the DKEK and thus, the scret keys, as they are encrypted with DKEK.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 15:51:52 +02:00
Pol Henarejos
696110a5b0 Key domain deletion and kek deletion are only allowed when key domain is empty. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 11:36:32 +02:00
Pol Henarejos
73fb61070f Added kek deletion in a particular key domain. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 11:30:08 +02:00
Pol Henarejos
23da8047bc Fix deleting key domain. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 11:22:15 +02:00
Pol Henarejos
bf70a08c9f Added key domain deletion. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 11:16:40 +02:00
Pol Henarejos
ce410dae65 Fix when setup a key domain. 
Now the dkek is cleared before imports.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-03 11:01:21 +02:00
Pol Henarejos
94a42c4267 Fix changing PIN with multiple domain. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-02 20:09:43 +02:00
Pol Henarejos
f4cc1fed36 Fix meta parsing. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-02 19:30:09 +02:00
Pol Henarejos
7c27be784b Fix parsing meta data on key generation. 2022-06-02 14:12:11 +02:00
Pol Henarejos
7d1b22c337 Added meta information for symmetric keys. 2022-06-02 12:12:12 +02:00
Pol Henarejos
7b79d7ffde Moving CVC procedures to a separate file. 2022-06-01 09:46:23 +02:00
Pol Henarejos
541d5b3c19 Fix CVC signature length. 
Since it is variable, it needs to be recomputed every time.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-05-31 20:38:30 +02:00
Pol Henarejos
d0098015fe Removing OpenSC dependency. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-05-31 19:26:00 +02:00
Pol Henarejos
3660a35c2c Implementing own functions for cvc manipulation. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-05-31 18:51:43 +02:00
Pol Henarejos
9132dd16f0 Fix decoding asn1 integer. 
It caused overflow.
 2022-05-31 01:14:09 +02:00