pico-hsm

Author	SHA1	Message	Date
Pol Henarejos	a089cc279b	Adding support for changing SO-PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:37:56 +02:00
Pol Henarejos	84f646dbad	Fix storing SO-PIN session when checking PIN with SO-PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:37:33 +02:00
Pol Henarejos	b9ec473aaa	Fix critical bug saving SO-PIN securely. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:27:46 +02:00
Pol Henarejos	b7eb0dff02	Upgrade to Version 3.0. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:27:11 +02:00
Pol Henarejos	f593060007	Moving delete_file() outside. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:07:21 +02:00
Pol Henarejos	62c72c48a5	Moving to new pico-hsm-sdk.	2022-08-30 17:55:42 +02:00
Pol Henarejos	e8cc6a169e	Try to recover MKEK twice: with previous PIN/SO-PIN or after setting the new PIN/SO-PIN just in case some is the same as previous. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	7d7b6b88ba	Trying to recover MKEK to preserver device private key. If not, all are generated again. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	b3bcad9ce6	Making MKEK persistent. It must be persistent as it encrypts device private key and therefore it must survive across reinitializations. However, if no PIN is provided to unlock it, it will be lost, as with device private key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	38b9c06138	Reformat oids. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-23 14:52:44 +02:00
Pol Henarejos	2bc40771ca	Fix generating CVC REQ. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-23 00:50:06 +02:00
Pol Henarejos	c5f980fc98	Fix curve for ECDH key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-22 01:13:08 +02:00
Pol Henarejos	aebb68724a	Removing trailing spaces. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-19 01:44:27 +02:00
Pol Henarejos	1f2ccd8c1c	Not used. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-19 01:40:13 +02:00
Pol Henarejos	c9c60575c7	Removed 3DES as it is unsecure. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:55:21 +02:00
Pol Henarejos	82f61ff1d4	When initialized, the device key (EF_KEY_DEV) is only generated if not found. To generate a new device key, it must be wiped. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 20:08:54 +02:00
Pol Henarejos	64052f4f70	Marked EF_DEV files as persistent to remain permanent. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 20:08:11 +02:00
Pol Henarejos	cb492728ec	Device key now uses SECP256R1 curve. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	fec02ca733	Removing cvcerts.h dependency. A python script gets the public key of the device (EF_EE_DEV) and requests to our PKI for a CVC. Once got, it is updated to EF_TERMCA (0x2f02). termca_pk is now on EF_KEY_DEV and termca is on EF_TERMCA (concat with DICA). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	4e01a78286	Fix OID names. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	538b39386b	List keys returns the DEV key if exists. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	977aced343	Fix OID names. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	83b5753bb5	Fix saving DEV key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	c3568e1211	Create the terminal private key with id = 0. This is the terminal private key, which will be signed by our PKI. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:20:54 +02:00
Pol Henarejos	6a16d4d55c	Fix returning store_keys(); Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:17:06 +02:00
Pol Henarejos	ab2e71cc40	By default, all CVC are self-generated (chr=car). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:16:53 +02:00
Pol Henarejos	f79fe9f7d0	Fix when no DKEK is present. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:16:33 +02:00
Pol Henarejos	6956587106	Add newline at the end of file. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 23:31:09 +02:00
Pol Henarejos	349df56b09	Missing header. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 15:00:05 +02:00
Pol Henarejos	e6f082d512	Splitting cmd_xxx() functions in separate files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 14:59:27 +02:00
Pol Henarejos	87feed1222	Renaming KEK files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 13:47:43 +02:00
Pol Henarejos	55c8a66613	Fix wrap/unwrap keys with specific allowed algorithms. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 02:58:36 +02:00
Pol Henarejos	2e88422c86	Fix deleting KEK when a key is present in the key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:50:22 +02:00
Pol Henarejos	da841b82d4	Fix deleting KEK. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:48:05 +02:00
Pol Henarejos	9256a72c3e	Added XKEK derivation to save the KEK from XKEK key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:55 +02:00
Pol Henarejos	69120cc961	Added cvc_get_ext() to find CVC extensions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:35 +02:00
Pol Henarejos	06aaf58f0b	Added extension optional parameter to be included in the CVC body. This field should be a concatenation of tag 73, which should include an OID and a context. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:07:24 +02:00
Pol Henarejos	12e5a586d2	Adding support for XKEK CVC extension. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 22:18:21 +02:00
Pol Henarejos	0e76ed7077	Adding OID for CVC extensions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 21:12:56 +02:00
Pol Henarejos	be911a7aa7	Clearing hash, just in case. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:55:07 +02:00
Pol Henarejos	0556a528f3	Fix DKEK key domain creation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:51:59 +02:00
Pol Henarejos	de789cef66	Fix Key Domain deletion. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:46:08 +02:00
Pol Henarejos	7208d01547	Adding XKEK Key Domain creation. It validates the membership and creates a XKEK Key Domain. XKEK Key Domains can only be created based on memberships for THAT device. A device can only create XKEK Key Domains with memberships issued for itself. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:36:10 +02:00
Pol Henarejos	46cb0a455d	Fix DKEK are only created when requested and not by default. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 14:01:19 +02:00
Pol Henarejos	300e19b612	Moving to mbedtls_platform_zeroize() for better zeroization. Also added more zeroization when a private/secret key is loaded in memory. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:52:37 +02:00
Pol Henarejos	2666573050	Fix dkek status report when device is initialized without dkek. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:00:27 +02:00
Pol Henarejos	5506b46c9d	Fix finding MKEK file. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:57:08 +02:00
Pol Henarejos	7b27cb7a1c	MKEK is also stored with SO encryption. A copy of MKEK is also stored but encrypted with SO-PIN. Thus, we always ensure that we have an operative copy of MKEK, either with PIN and/or SO-PIN. If user resets PIN, the MKEK is loaded with SO-PIN and stored with the derived key from new PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:41:04 +02:00
Pol Henarejos	84a70a1de0	Adding MKEK_SO file descriptor. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:39:25 +02:00
Pol Henarejos	1756ec49ad	When user resets retry counter and sends the SO-PIN (P1=0x0) it becomes authenticated in this session. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:29:34 +02:00

1 2 3 4 5 ...

256 Commits