Fix critical bug.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
Update extra_command.md
2022-06-14 11:46:44 +02:00 · 2022-06-14 11:27:49 +02:00 · 2022-06-13 19:39:35 +02:00 · 2022-06-13 15:03:46 +02:00 · 2022-06-13 14:58:09 +02:00 · 2022-06-13 14:33:33 +02:00
16 changed files with 970 additions and 47 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -62,6 +62,7 @@ target_sources(pico_hsm PUBLIC
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvc.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/files.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/dkek.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/oid.c
        
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/aes.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/asn1write.c
--- a/README.md
+++ b/README.md
@@ -106,6 +106,11 @@ A key usage counter is a counter that is reduced by 1 everytime that the private

 Key usage can also be used to perform and auditory and track the usage of a particular key.

+### Public Key Authentication
+Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
+
+In PKA, neither PIN nor retry counters are used, since a private key is needed. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
+
 [^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
 [^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
 [^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process. 
@@ -170,6 +175,8 @@ For storing and retrieving arbitrary data, check [doc/store_data.md](/doc/store_

 For extra options, such as set/get real datetime or enable/disable press-to-confirm button, check [doc/extra_command.md](/doc/extra_command.md).

+For Public Key Authentication, check [doc/public_key_authentication.md](/doc/public_key_authentication.md).
+
 ## Operation time
 ### Keypair generation
 Generating EC keys is almost instant. RSA keypair generation takes some time, specially for `3072` and `4096` bits. 
--- a/build_pico_hsm.sh
+++ b/build_pico_hsm.sh
@@ -1,7 +1,7 @@
 #!/bin/bash

 VERSION_MAJOR="2"
-VERSION_MINOR="2"
+VERSION_MINOR="4"

 rm -rf release/*
 cd build_release
--- a/burn-cvcerts.py
+++ b/burn-cvcerts.py
@@ -13,6 +13,9 @@ import base64
 import urllib.request
 import json
 import sys
+import ssl
+
+ssl._create_default_https_context = ssl._create_unverified_context

 def print_var(v, name):
    s = '\n'
@@ -63,7 +66,42 @@ def main():
        0xb7,0x33,0x70,0xd6,0x00,0xff,0x73,0x0c,0x5d
    ]
    
+    cvca = [
+        0x7f, 0x21, 0x82, 0x01, 0x65, 0x7f, 0x4e, 0x82, 0x01, 0x2d, 0x5f, 0x29,
+        0x01, 0x00, 0x42, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41, 0x48, 0x53,
+        0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x49, 0x81, 0xdd, 0x06, 0x0a,
+        0x04, 0x00, 0x7f, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03, 0x81, 0x18,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0x82, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xfc, 0x83, 0x18, 0x64, 0x21, 0x05, 0x19, 0xe5, 0x9c, 0x80, 0xe7,
+        0x0f, 0xa7, 0xe9, 0xab, 0x72, 0x24, 0x30, 0x49, 0xfe, 0xb8, 0xde, 0xec,
+        0xc1, 0x46, 0xb9, 0xb1, 0x84, 0x31, 0x04, 0x18, 0x8d, 0xa8, 0x0e, 0xb0,
+        0x30, 0x90, 0xf6, 0x7c, 0xbf, 0x20, 0xeb, 0x43, 0xa1, 0x88, 0x00, 0xf4,
+        0xff, 0x0a, 0xfd, 0x82, 0xff, 0x10, 0x12, 0x07, 0x19, 0x2b, 0x95, 0xff,
+        0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73,
+        0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, 0x85, 0x18, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x99, 0xde, 0xf8,
+        0x36, 0x14, 0x6b, 0xc9, 0xb1, 0xb4, 0xd2, 0x28, 0x31, 0x86, 0x31, 0x04,
+        0x08, 0x8f, 0xcd, 0xfc, 0xce, 0x87, 0xed, 0xd2, 0x85, 0x92, 0x06, 0x15,
+        0xe6, 0x51, 0xd7, 0x64, 0x52, 0xd8, 0x57, 0xec, 0xbb, 0x40, 0x8c, 0x32,
+        0x7a, 0xdb, 0x48, 0xa2, 0xa5, 0x14, 0xc1, 0xc9, 0xbd, 0x77, 0xcc, 0x97,
+        0x83, 0x60, 0x7a, 0x74, 0x14, 0x93, 0xa7, 0x42, 0x74, 0x4a, 0xd1, 0x73,
+        0x87, 0x01, 0x01, 0x5f, 0x20, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41,
+        0x48, 0x53, 0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x4c, 0x12, 0x06,
+        0x09, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x01, 0x02, 0x02, 0x53, 0x05,
+        0xc0, 0x00, 0x00, 0x00, 0x04, 0x5f, 0x25, 0x06, 0x02, 0x02, 0x00, 0x03,
+        0x02, 0x06, 0x5f, 0x24, 0x06, 0x03, 0x00, 0x01, 0x02, 0x03, 0x01, 0x5f,
+        0x37, 0x30, 0x72, 0x97, 0x77, 0x76, 0x64, 0xb6, 0x0c, 0x57, 0xa2, 0xc4,
+        0x5e, 0x7b, 0xfd, 0x12, 0xe5, 0x20, 0x14, 0x3e, 0xde, 0x90, 0x38, 0xbf,
+        0xb3, 0x02, 0x73, 0x91, 0x06, 0xf2, 0x73, 0x0d, 0x76, 0x06, 0x65, 0xd7,
+        0x46, 0x49, 0x91, 0x0c, 0x51, 0x90, 0x89, 0x84, 0x8d, 0x4f, 0xb6, 0xe5,
+        0x13, 0x40
+    ]
+    
    s = '#ifndef _CVCERTS_H_\n#define _CVCERTS_H_\n'
+    s += print_var(cvca,'cvca')
    s += print_var(dica,'dica')
    s += print_var(cvcert,'termca')
    
--- a/doc/extra_command.md
+++ b/doc/extra_command.md
@@ -60,6 +60,10 @@ Pico HSM support initialize options, such as setting Transport PIN or reset retr

 To specify a set of options, the `XX` parameter shall be set to `06`. The data parameter shall be 1 byte, where the options are combined with the or operand `|`. The length `YY` shall be set to `01`.

+Available options (counting from LSB):
+- Bit `0`: enable/disable press-to-confirm button.
+- Bit `1`: enable/disable key usage counter for all keys.
+
 ### Press-to-confirm button
 Press-to-confirm button offers an extra security layer by requiring the user confirmation everytime that a private/secret key is loaded. This avoids ghost applications thay may perform hidden opperations without noticing the user, such as signing or decrypting. Pico HSM will inform the user that is awaiting for a confirmation by making almost a fixed Led blink.

@@ -89,3 +93,23 @@ Pico HSM supports a key usage counter to audit the usage of a particular key. Fo
 This option is disabled by default. When enabled, each generated key in the device is attached to a counter, starting at `2^32-1` (`FFFFFFFEh`). Therefore, it allows to count how many times a key is used for signing or decryption.

 The counter can be viewed by using the SCS3 tool. More info at [doc/scs3.md](/doc/scs3.md).
+
+This feature is disabled by default but can be enabled rapidly by setting the 2nd LSB bit to 1:
+
+```
+$ opensc-tool -s 806406000102
+Using reader with a card: Free Software Initiative of Japan Gnuk
+Sending: 80 64 06 00 01 01 
+Received (SW1=0x90, SW2=0x00)
+```
+
+At this moment, when a private/secret key is loaded, the Pico HSM will wait for the pressed BOOTSEL button to confirm the operation.
+
+To disable, the LSB bit must be set to 0:
+
+```
+$ opensc-tool -s 806406000100
+Using reader with a card: Free Software Initiative of Japan Gnuk
+Sending: 80 64 06 00 01 00
+Received (SW1=0x90, SW2=0x00)
+```
--- a/doc/public_key_authentication.md
+++ b/doc/public_key_authentication.md
@@ -0,0 +1,63 @@
+# Public Key Authentication
+
+Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN. The authentication is performed by signing a challenge and checking the signature result.
+
+1. A Pico HSM #A contains a private key, whose public key will be used for authentication.
+2. The public key of #A is registered into a second Pico HSM #B.
+3. When a user wants to login into #B, #B generates a challenge that is passed to #A for signature.
+4. #A signs the challenge and returns the signature.
+5. #B verifies the signature against the challenge with the public key of #A, previously registered.
+6. If the signature is valid, #B grants access to the user.
+
+This mechanism has no retry counter or PIN throttling, as no PIN is set up on the device.
+
+To enable PKA, the device must be initialized beforehand. In case the device has secret/private keys, all shall be exported and reimported when the set up is finished.
+
+## Requirements
+
+To take advantage of PKA, the following is required:
+
+1. Two Pico HSM: one will be used only for authentication (it can be any device able to generate a private key and sign arbitrary data).
+2. [SCS3](/doc/scs3.md "SCS3") tool to authenticate the user. At this time, OpenSC does not support PKA.
+3. A secret key of ECC 256 bits. SCS3 does not support other curves.
+
+## Usage
+
+Before using SCS3, it must be patched [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt). See [SCS3](/doc/scs3.md "SCS3") for further details.
+
+### Generate the authentication key
+
+On a secondary device, generate a private key, on the ECC 256 bits (`brainpoolP256r1` or `secp192r1`). Label it with an easy name, such as "Authentication".
+
+<img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 11 00" src="https://user-images.githubusercontent.com/55573252/173353764-4620ece4-0d82-4a23-a153-99bf912621a7.png">
+
+Once finished, export the public key. 
+
+<img width="350" alt="Captura de Pantalla 2022-06-13 a les 12 11 39" src="https://user-images.githubusercontent.com/55573252/173353732-63f40572-a42f-4e5c-a9ab-6e52a083956b.png">
+
+### Initialization
+
+On the primary device, initialize it. When prompting for an authentication mechanism, select "Public Key Authentication".
+
+<img width="412" alt="Captura de Pantalla 2022-06-13 a les 12 05 09" src="https://user-images.githubusercontent.com/55573252/173353661-17caf6db-0c76-4903-9b70-5afa79f5ae54.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 14 48" src="https://user-images.githubusercontent.com/55573252/173353822-310219dc-7c7d-4ece-9fd9-c7835c2688df.png">
+
+Once finished, register the exported public key. A message of `0 authenticated public key(s) in 1 of 1 scheme` will appear if it is properly registered.
+
+<img width="342" alt="Captura de Pantalla 2022-06-13 a les 12 15 44" src="https://user-images.githubusercontent.com/55573252/173353917-f3f99405-c7ff-43ce-8914-6f3b713df952.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 16 17" src="https://user-images.githubusercontent.com/55573252/173353946-ee7eacf9-cead-4804-ac7a-57848f7c822b.png">
+
+
+### Authentication
+
+Plug the secondary device that stores the private key (do not load the device in the SCS3 tool) and initiate the public key authentication.
+
+<img width="321" alt="Captura de Pantalla 2022-06-13 a les 12 19 47" src="https://user-images.githubusercontent.com/55573252/173353998-8f418ec6-d90d-4168-801f-51008c78824d.png">
+
+Select the secondary card and the Authentication private key (or the name you labeled it).
+
+<img width="435" alt="Captura de Pantalla 2022-06-13 a les 14 25 25" src="https://user-images.githubusercontent.com/55573252/173354044-50163113-829e-4d80-bbda-7b589849af73.png">
+
+Introduce the PIN of the secondary device.
+
+If the private key matches with the registered public key, the primary device will grant access and it will display `User PIN authenticated (9000)` (despite no PIN is provided).
+
+From now on, you have full access and can operate normally with the primary device.
--- a/doc/scs3.md
+++ b/doc/scs3.md
@@ -1,5 +1,11 @@
 # SCS3 tool

+SCS3 tool is a specific tool developed by CardContact to manage HSM. Thanks to its interface, Pico HSM can be enhanced with more advanced functionalities, not present in the PKCS11 module:
+
+- Import PKCS12 private keys and certificates.
+- Import private keys and certificates from other Pico HSM devices in WKY format.
+- 
+
 Unfortunately, there is no pkcs11 tool or equivalent capable to perform the import. Since it uses the SC-HSM driver, it also supports the communication with the [SCS3 tool](https://www.openscdp.org/scsh3/ "SCS3 tool"). It can be downloaded from [here](https://www.openscdp.org/scsh3/download.html "here").

 However, SCS3 only works with those HSM manufactured by CardContact. The check is performed by means of trust store against the manufacturing certificates. For obvious reasons, these certificates can only be signed with the private keys of the Certificate Authorities listed in the trust store. 
@@ -20,7 +26,15 @@ SmartCardHSM.rootCerts = {
 }
 ```

-After this ammendment, the KeyManager can be invoked (CTRL+M) and it will output something similar to:
+Similarly, replace the line `1531` in file `scs3/keymanager/keymanager.js` with:
+
+```
+	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESCVCAHSM00001.getPublicKey()), dicacert.getPublicKeyOID()));
+```
+
+Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt) can be applied.
+
+After this ammendment, the program can be started and the KeyManager can be invoked (CTRL+M) and it will output something similar to:
 ```
 >load("keymanager/keymanager.js");

@@ -37,6 +51,13 @@ mechanism from the User PIN context menu.

 The SCS3 tool is ready to import private keys and certificates, wraped in WKY files or in PKCS#12 format. Also, all stored keys can be exported, combined with their respective certificates. Note that the user has to be previously logged in.

+## macOS users
+In macOS, the PCSC must be explicitly specified. Otherwise, the reader will not be found.
+
+It can be executed in a Terminal via
+```
+ java -Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -Djava.library.path=./lib -classpath 'lib/*' de.cardcontact.scdp.scsh3.GUIShell
+```
 ## DKEK requirement

 In order to perform the import, private keys must be wrapped with the same DKEK present in the Pico HSM. Thus, the Pico HSM must be previously initialized with at minimum of 1 DKEK share. This share will be used to wrap the private key before import. 
--- a/2
+++ b/2
--- a/src/hsm/cvc.c
+++ b/src/hsm/cvc.c
@@ -15,8 +15,8 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

-#include "cvc.h"
 #include "common.h"
+#include "cvc.h"
 #include "mbedtls/rsa.h"
 #include "mbedtls/ecdsa.h"
 #include "cvcerts.h"
@@ -25,6 +25,8 @@
 #include "ccid2040.h"
 #include "crypto_utils.h"
 #include "random.h"
+#include "oid.h"
+#include "mbedtls/md.h"

 size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t buf_len) {
    const uint8_t oid_rsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x01, 0x02 };
@@ -37,7 +39,7 @@ size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t bu
    if (buf_len < tot_len)
        return 0;
    uint8_t *p = buf;
-    memcpy(p, "\x7f\x49", 2); p += 2;
+    memcpy(p, "\x7F\x49", 2); p += 2;
    p += format_tlv_len(oid_len+ntot_size+etot_size, p);
    //oid
    *p++ = 0x6; p += format_tlv_len(sizeof(oid_rsa), p); memcpy(p, oid_rsa, sizeof(oid_rsa)); p += sizeof(oid_rsa);
@@ -74,7 +76,7 @@ size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, siz
    if (buf_len < tot_len)
        return 0;
    uint8_t *p = buf;
-    memcpy(p, "\x7f\x49", 2); p += 2;
+    memcpy(p, "\x7F\x49", 2); p += 2;
    p += format_tlv_len(oid_len+ptot_size+atot_size+btot_size+gtot_size+otot_size+ytot_size+ctot_size, p);
    //oid
    *p++ = 0x6; p += format_tlv_len(sizeof(oid_ecdsa), p); memcpy(p, oid_ecdsa, sizeof(oid_ecdsa)); p += sizeof(oid_ecdsa);
@@ -135,7 +137,7 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_
    if (buf_len < tot_len)
        return 0;
    uint8_t *p = buf;
-    memcpy(p, "\x7f\x4e", 2); p += 2;
+    memcpy(p, "\x7F\x4E", 2); p += 2;
    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size, p);
    //cpi
    *p++ = 0x5f; *p++ = 0x29; *p++ = 1; *p++ = 0;
@@ -164,14 +166,14 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
    if (buf_len < tot_len)
        return 0;
    uint8_t *p = buf, *body = NULL;
-    memcpy(p, "\x7f\x21", 2); p += 2;
+    memcpy(p, "\x7F\x21", 2); p += 2;
    p += format_tlv_len(body_size+sig_size, p);
    body = p;
    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size);
    
    uint8_t hsh[32];
    hash256(body, body_size, hsh);
-    memcpy(p, "\x5f\x37", 2); p += 2;
+    memcpy(p, "\x5F\x37", 2); p += 2;
    p += format_tlv_len(key_size, p);
    if (key_type == HSM_KEY_RSA) {
        if (mbedtls_rsa_rsassa_pkcs1_v15_sign(rsa_ecdsa, random_gen, NULL, MBEDTLS_MD_SHA256, 32, hsh, p) != 0)
@@ -200,8 +202,9 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf

 size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0);
-    uint8_t *outcar = (uint8_t *)"ESHSM00001";
-    size_t lenoutcar = strlen((char *)outcar), outcar_size = asn1_len_tag(0x42, lenoutcar);
+    size_t outcar_len = 0;
+    const uint8_t *outcar = cvc_get_chr((uint8_t *)termca+2, (termca[1] << 8) | termca[0], &outcar_len);
+    size_t outcar_size = asn1_len_tag(0x42, outcar_len);
    int key_size = 2*file_read_uint16(termca_pk), ret = 0;
    size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67, cvcert_size+outcar_size+outsig_size);
    if (buf_len == 0 || buf == NULL)
@@ -215,7 +218,7 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
    //cvcert
    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size);
    //outcar
-    *p++ = 0x42; p += format_tlv_len(lenoutcar, p); memcpy(p, outcar, lenoutcar); p += lenoutcar;
+    *p++ = 0x42; p += format_tlv_len(outcar_len, p); memcpy(p, outcar, outcar_len); p += outcar_len;
    mbedtls_ecdsa_context ctx;
    mbedtls_ecdsa_init(&ctx);
    if (mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP192R1, &ctx, termca_pk+2, file_read_uint16(termca_pk)) != 0)
@@ -240,3 +243,324 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
    mbedtls_mpi_free(&s);
    return p-buf;
 }
+
+size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len) {
+    size_t opt_len = 2;
+    size_t seq1_size = asn1_len_tag(0x30, asn1_len_tag(0xC, label_len)+asn1_len_tag(0x3, opt_len));
+    size_t seq2_size = asn1_len_tag(0x30, asn1_len_tag(0x4, 20)); /* SHA1 is 20 bytes length */
+    size_t seq3_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t)))));
+    size_t tot_len = asn1_len_tag(0x30, seq1_size+seq2_size+seq3_size);
+    if (buf_len == 0 || buf == NULL)
+        return tot_len;
+    if (buf_len < tot_len)
+        return 0;
+    uint8_t *p = buf;
+    *p++ = 0x30;
+    p += format_tlv_len(seq1_size+seq2_size+seq3_size, p);
+    //Seq 1
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0xC, label_len)+asn1_len_tag(0x3, opt_len), p);
+    *p++ = 0xC;
+    p += format_tlv_len(label_len, p);
+    memcpy(p, label, label_len); p += label_len;
+    *p++ = 0x3;
+    p += format_tlv_len(opt_len, p);
+    memcpy(p, "\x06\x40", 2); p += 2;
+    
+    //Seq 2
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0x4, 20), p);
+    *p++ = 0x4;
+    p += format_tlv_len(20, p);
+    mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), puk, puk_len, p);  p += 20;
+    
+    //Seq 3
+    *p++ = 0xA1;
+    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t)))), p);
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t))), p);
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0x4, sizeof(uint16_t)), p);
+    *p++ = 0x4;
+    p += format_tlv_len(sizeof(uint16_t), p);
+    *p++ = fid >> 8;
+    *p++ = fid & 0xff;
+    return p-buf;
+}
+
+const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag) {
+    uint8_t *rdata = NULL;
+    if (data == NULL || len == 0)
+        return NULL;
+    if (asn1_find_tag(data, len, tag, olen, &rdata) == false)
+        return NULL;
+    return rdata;
+}
+
+const uint8_t *cvc_get_body(const uint8_t *data, size_t len, size_t *olen) {
+    const uint8_t *bkdata = data;
+    if ((data = cvc_get_field(data, len, olen, 0x67)) == NULL) /* Check for CSR */
+        data = bkdata;
+    if ((data = cvc_get_field(data, len, olen, 0x7F21)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x7F4E);
+    }
+    return NULL;
+}
+
+const uint8_t *cvc_get_sig(const uint8_t *data, size_t len, size_t *olen) {
+    const uint8_t *bkdata = data;
+    if ((data = cvc_get_field(data, len, olen, 0x67)) == NULL) /* Check for CSR */
+        data = bkdata;
+    if ((data = cvc_get_field(data, len, olen, 0x7F21)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x5F37);
+    }
+    return NULL;
+}
+
+const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen) {
+    if ((data = cvc_get_body(data, len, olen)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x42);
+    }
+    return NULL;
+}
+
+const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen) {
+    if ((data = cvc_get_body(data, len, olen)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x5F20);
+    }
+    return NULL;
+}
+
+const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen) {
+    if ((data = cvc_get_body(data, len, olen)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x7F49);
+    }
+    return NULL;
+}
+
+extern PUK puk_store[MAX_PUK_STORE_ENTRIES];
+extern int puk_store_entries;
+
+int puk_store_index(const uint8_t *chr, size_t chr_len) {
+    for (int i = 0; i < puk_store_entries; i++) {
+        if (memcmp(puk_store[i].chr, chr, chr_len) == 0)
+            return i;
+    }
+    return -1;
+}
+
+mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len) {
+    size_t chr_len = 0, car_len = 0;
+    const uint8_t *chr = NULL, *car = NULL;
+    int eq = -1;
+    do {
+        chr = cvc_get_chr(ca, ca_len, &chr_len);
+        car = cvc_get_car(ca, ca_len, &car_len);
+        eq = memcmp(car, chr, MAX(car_len, chr_len));
+        if (car && eq != 0) {
+            int idx = puk_store_index(car, car_len);
+            if (idx != -1) {
+                ca = puk_store[idx].cvcert;
+                ca_len = puk_store[idx].cvcert_len;
+            }
+            else
+                ca = NULL;
+        }
+    } while (car && chr && eq != 0);
+    size_t ca_puk_len = 0;
+    const uint8_t *ca_puk = cvc_get_pub(ca, ca_len, &ca_puk_len);
+    if (!ca_puk)
+        return MBEDTLS_ECP_DP_NONE;
+    size_t t81_len = 0;
+    const uint8_t *t81 = cvc_get_field(ca_puk, ca_puk_len, &t81_len, 0x81);
+    if (!t81)
+        return MBEDTLS_ECP_DP_NONE;
+    
+    return ec_get_curve_from_prime(t81, t81_len);
+}
+
+int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len) {
+    size_t puk_len = 0;
+    const uint8_t *puk = cvc_get_pub(ca, ca_len, &puk_len);
+    if (!puk)
+        return CCID_WRONG_DATA;
+    size_t oid_len = 0;
+    const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
+    if (!oid)
+        return CCID_WRONG_DATA;
+    if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
+        size_t t81_len = 0, t82_len = 0;
+        const uint8_t *t81 = cvc_get_field(puk, puk_len, &t81_len, 0x81), *t82 = cvc_get_field(puk, puk_len, &t81_len, 0x82);
+        if (!t81 || !t82)
+            return CCID_WRONG_DATA;
+        mbedtls_rsa_context rsa;
+        mbedtls_rsa_init(&rsa);
+        mbedtls_md_type_t md = MBEDTLS_MD_NONE;
+        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA1;
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA256;
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA512;
+        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0) {
+            md = MBEDTLS_MD_SHA1;
+            mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, md);
+        }
+        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_256, oid_len) == 0) {
+            md = MBEDTLS_MD_SHA256;
+            mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, md);
+        }
+        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_512, oid_len) == 0) {
+            md = MBEDTLS_MD_SHA512;
+            mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, md);
+        }
+        if (md == MBEDTLS_MD_NONE) {
+            mbedtls_rsa_free(&rsa);
+            return CCID_WRONG_DATA;
+        }
+        int r = mbedtls_mpi_read_binary(&rsa.N, t81, t81_len);
+        if (r != 0) {
+            mbedtls_rsa_free(&rsa);
+            return CCID_EXEC_ERROR;
+        }
+        r = mbedtls_mpi_read_binary(&rsa.E, t82, t82_len);
+        if (r != 0) {
+            mbedtls_rsa_free(&rsa);
+            return CCID_EXEC_ERROR;
+        }
+        r = mbedtls_rsa_complete(&rsa);
+        if (r != 0) {
+            mbedtls_rsa_free(&rsa);
+            return CCID_EXEC_ERROR;
+        }
+        r = mbedtls_rsa_check_pubkey(&rsa);
+        if (r != 0) {
+            mbedtls_rsa_free(&rsa);
+            return CCID_EXEC_ERROR;
+        }
+        r = mbedtls_rsa_pkcs1_verify(&rsa, md, hash_len, hash, sig);
+        mbedtls_rsa_free(&rsa);
+        if (r != 0)
+            return CCID_WRONG_SIGNATURE;
+    }
+    else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
+        mbedtls_md_type_t md = MBEDTLS_MD_NONE;
+        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA1;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA224;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA256;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA384;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA512;
+        if (md == MBEDTLS_MD_NONE) 
+            return CCID_WRONG_DATA;
+        
+        size_t t86_len = 0;
+        const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
+        if (!t86)
+            return CCID_WRONG_DATA;
+        mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(ca, ca_len);
+        if (ec_id == MBEDTLS_ECP_DP_NONE)
+            return CCID_WRONG_DATA;
+        mbedtls_ecdsa_context ecdsa;
+        mbedtls_ecdsa_init(&ecdsa);
+        int ret = mbedtls_ecp_group_load(&ecdsa.grp, ec_id);
+        if (ret != 0) {
+            mbedtls_ecdsa_free(&ecdsa);
+            return CCID_WRONG_DATA;
+        }
+        ret = mbedtls_ecp_point_read_binary(&ecdsa.grp, &ecdsa.Q, t86, t86_len);
+        if (ret != 0) {
+            mbedtls_ecdsa_free(&ecdsa);
+            return CCID_EXEC_ERROR;
+        }
+        ret = mbedtls_ecp_check_pubkey(&ecdsa.grp, &ecdsa.Q);
+        if (ret != 0) {
+            mbedtls_ecdsa_free(&ecdsa);
+            return CCID_EXEC_ERROR;
+        }
+        mbedtls_mpi r, s;
+        mbedtls_mpi_init(&r);
+        mbedtls_mpi_init(&s);
+        ret = mbedtls_mpi_read_binary(&r, sig, sig_len/2);
+        if (ret != 0) {
+            mbedtls_mpi_free(&r);
+            mbedtls_mpi_free(&s);
+            mbedtls_ecdsa_free(&ecdsa);
+            return CCID_EXEC_ERROR;
+        }
+        ret = mbedtls_mpi_read_binary(&s, sig+sig_len/2, sig_len/2);
+        if (ret != 0) {
+            mbedtls_mpi_free(&r);
+            mbedtls_mpi_free(&s);
+            mbedtls_ecdsa_free(&ecdsa);
+            return CCID_EXEC_ERROR;
+        }
+        ret = mbedtls_ecdsa_verify(&ecdsa.grp, hash, hash_len, &ecdsa.Q, &r, &s);
+        mbedtls_mpi_free(&r);
+        mbedtls_mpi_free(&s);
+        mbedtls_ecdsa_free(&ecdsa);
+        if (ret != 0)
+            return CCID_WRONG_SIGNATURE;
+    }
+    return CCID_OK;
+}
+
+int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len) {
+    size_t puk_len = 0;
+    const uint8_t *puk = cvc_get_pub(ca, ca_len, &puk_len);
+    if (!puk)
+        return CCID_WRONG_DATA;
+    size_t oid_len = 0, cv_body_len = 0, sig_len = 0;
+    const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
+    const uint8_t *cv_body = cvc_get_body(cert, cert_len, &cv_body_len);
+    const uint8_t *sig = cvc_get_sig(cert, cert_len, &sig_len);
+    if (!sig)
+        return CCID_WRONG_DATA;
+    if (!cv_body)
+        return CCID_WRONG_DATA;
+    if (!oid)
+        return CCID_WRONG_DATA;
+    mbedtls_md_type_t md = MBEDTLS_MD_NONE;
+    if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
+        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA1;
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA256;
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA512;
+        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0)
+            md = MBEDTLS_MD_SHA1;
+        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_256, oid_len) == 0)
+            md = MBEDTLS_MD_SHA256;
+        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_512, oid_len) == 0)
+            md = MBEDTLS_MD_SHA512;
+    }
+    else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
+        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA1;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA224;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA256;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA384;
+        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+            md = MBEDTLS_MD_SHA512;
+    }
+    if (md == MBEDTLS_MD_NONE) 
+        return CCID_WRONG_DATA;
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md);
+    uint8_t hash[64], hash_len = mbedtls_md_get_size(md_info);
+    uint8_t tlv_body = 2+format_tlv_len(cv_body_len, NULL);
+    int r = mbedtls_md(md_info, cv_body-tlv_body, cv_body_len+tlv_body, hash);
+    if (r != 0)
+        return CCID_EXEC_ERROR;
+    r = puk_verify(sig, sig_len, hash, hash_len, ca, ca_len);
+    if (r != 0)
+        return CCID_WRONG_SIGNATURE;
+    return CCID_OK;
+}
--- a/src/hsm/cvc.h
+++ b/src/hsm/cvc.h
@@ -20,8 +20,31 @@

 #include <stdlib.h>
 #include "pico/stdlib.h"
+#include "mbedtls/ecp.h"
+
+typedef struct PUK {
+    const uint8_t *puk;
+    size_t puk_len;
+    const uint8_t *car;
+    size_t car_len;
+    const uint8_t *chr;
+    size_t chr_len;
+    const uint8_t *cvcert;
+    size_t cvcert_len;
+    bool copied;
+} PUK;
+
+#define MAX_PUK_STORE_ENTRIES 4

 extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
 extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
+extern size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len);
+extern const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag);
+extern const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen);
+extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen);
+extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
+extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
+extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
+extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);

 #endif
--- a/src/hsm/files.c
+++ b/src/hsm/files.c
@@ -46,9 +46,10 @@ file_t file_entries[] = {
    /* 21 */ { .fid = EF_SKDFS  , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.SKDFs
    /* 22 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Key domain options
    /* 23 */ { .fid = EF_META   , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //EF.CDFs
-    ///* 22 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
-    /* 24 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
-    /* 25 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
+    /* 24 */ { .fid = EF_PUKAUT, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Public Key Authentication
+    ///* 25 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 26 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 27 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
 };

 const file_t *MF = &file_entries[0];
--- a/src/hsm/files.h
+++ b/src/hsm/files.h
@@ -24,6 +24,8 @@
 #define EF_DEVOPS       0x100E
 #define EF_DKEK         0x1090
 #define EF_KEY_DOMAIN   0x10A0
+#define EF_PUKAUT       0x10C0
+#define EF_PUK          0X10D0
 #define EF_PRKDFS       0x6040
 #define EF_PUKDFS       0x6041
 #define EF_CDFS         0x6042
--- a/src/hsm/oid.c
+++ b/src/hsm/oid.c
@@ -0,0 +1,18 @@
+/* 
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ * 
+ * This program is free software: you can redistribute it and/or modify  
+ * it under the terms of the GNU General Public License as published by  
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "oid.h"
--- a/src/hsm/oid.h
+++ b/src/hsm/oid.h
@@ -0,0 +1,81 @@
+/* 
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ * 
+ * This program is free software: you can redistribute it and/or modify  
+ * it under the terms of the GNU General Public License as published by  
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License 
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _OID_H_
+#define _OID_H_
+
+#include <stdlib.h>
+#include "pico/stdlib.h"
+
+#define OID_BSI_DE                      "\x04\x00\x7F\x00\x07"
+
+#define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
+
+#define OID_ID_CA_DH                    OID_ID_CA "\x01"
+
+#define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
+#define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
+#define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
+#define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
+
+#define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
+
+#define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
+
+#define OID_ID_PK                       OID_BSI_DE "\x02\x02\0x1"
+#define OID_ID_PK_DH                    OID_ID_PK "\x01"
+#define OID_ID_PK_ECDH                  OID_ID_PK "\x02"
+
+#define OID_ID_TA                       OID_BSI_DE "\x02\x02\x02"
+
+#define OID_ID_TA_RSA                   OID_ID_TA "\x01"
+
+#define OID_ID_TA_RSA_V1_5_SHA_1        OID_ID_TA_RSA "\x01"
+#define OID_ID_TA_RSA_V1_5_SHA_256      OID_ID_TA_RSA "\x02"
+#define OID_ID_TA_RSA_PSS_SHA_1         OID_ID_TA_RSA "\x03"
+#define OID_ID_TA_RSA_PSS_SHA_256       OID_ID_TA_RSA "\x04"
+#define OID_ID_TA_RSA_V1_5_SHA_512      OID_ID_TA_RSA "\x05"
+#define OID_ID_TA_RSA_PSS_SHA_512       OID_ID_TA_RSA "\x06"
+
+#define OID_ID_TA_ECDSA                 OID_ID_TA "\x02"
+
+#define OID_IT_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
+#define OID_IT_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
+#define OID_IT_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
+#define OID_IT_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
+#define OID_IT_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
+
+#define OID_ID_RI                       OID_BSI_DE "\x02\x02\x05"
+
+#define OID_ID_RI_DH                    OID_ID_RI "\x01"
+
+#define OID_ID_RI_DH_SHA_1              OID_ID_RI_DH "\x01"
+#define OID_ID_RI_DH_SHA_224            OID_ID_RI_DH "\x02"
+#define OID_ID_RI_DH_SHA_256            OID_ID_RI_DH "\x03"
+
+#define OID_ID_RI_ECDH                  OID_ID_RI "\x02" 
+
+#define OID_ID_RI_ECDH_SHA_1            OID_ID_RI_ECDH "\x01"
+#define OID_ID_RI_ECDH_SHA_224          OID_ID_RI_ECDH "\x02"
+#define OID_ID_RI_ECDH_SHA_256          OID_ID_RI_ECDH "\x03"
+
+#define OID_ID_CI                       OID_BSI_DE "\x02\x02\x06"
+
+#endif
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
@@ -35,6 +35,10 @@
 #include "eac.h"
 #include "cvc.h"
 #include "asn1.h"
+#include "oid.h"
+#include "mbedtls/oid.h"
+
+#define MAX_PUK 8

 const uint8_t sc_hsm_aid[] = {
    11, 
@@ -48,6 +52,8 @@ const uint8_t atr_sc_hsm[] = {

 uint8_t session_pin[32], session_sopin[32];
 bool has_session_pin = false, has_session_sopin = false;
+const uint8_t *dev_name = NULL;
+size_t dev_name_len = 0;

 static int sc_hsm_process_apdu();

@@ -148,11 +154,59 @@ void scan_all() {
    scan_files();
 }

+PUK puk_store[MAX_PUK_STORE_ENTRIES];
+int puk_store_entries = 0;
+PUK *current_puk = NULL;
+file_t *ef_puk_aut = NULL;
+uint8_t puk_status[MAX_PUK];
+
+int add_cert_puk_store(const uint8_t *data, size_t data_len, bool copy) {
+    if (data == NULL || data_len == 0)
+        return CCID_ERR_NULL_PARAM;
+    if (puk_store_entries == MAX_PUK_STORE_ENTRIES)
+        return CCID_ERR_MEMORY_FATAL;
+    
+    puk_store[puk_store_entries].copied = copy;
+    if (copy == true) {
+        uint8_t *tmp = (uint8_t *)calloc(data_len, sizeof(uint8_t));
+        memcpy(tmp, data, data_len);
+        puk_store[puk_store_entries].cvcert = tmp;
+    }
+    else
+        puk_store[puk_store_entries].cvcert = data;
+    puk_store[puk_store_entries].cvcert_len = data_len;
+    puk_store[puk_store_entries].chr = cvc_get_chr(puk_store[puk_store_entries].cvcert, data_len, &puk_store[puk_store_entries].chr_len);
+    puk_store[puk_store_entries].car = cvc_get_car(puk_store[puk_store_entries].cvcert, data_len, &puk_store[puk_store_entries].car_len);
+    puk_store[puk_store_entries].puk = cvc_get_pub(puk_store[puk_store_entries].cvcert, data_len, &puk_store[puk_store_entries].puk_len);
+    
+    puk_store_entries++;
+    return CCID_OK;
+}
+
 void init_sc_hsm() {
    scan_all();
    has_session_pin = has_session_sopin = false;
    isUserAuthenticated = false;
    cmd_select();
+    if (puk_store_entries > 0) { /* From previous session */
+        for (int i = 0; i < puk_store_entries; i++) {
+            if (puk_store[i].copied == true)
+                free((uint8_t *)puk_store[i].cvcert);
+        }
+    }
+    memset(puk_store, 0, sizeof(puk_store));
+    puk_store_entries = 0;
+    const uint8_t *cvcerts[] = { cvca, dica, termca };
+    for (int i = 0; i < sizeof(cvcerts)/sizeof(uint8_t *); i++) {
+        add_cert_puk_store(cvcerts[i]+2, (cvcerts[i][1] << 8) | cvcerts[i][0], false);
+    }
+    for (int i = 0; i < 0xfe; i++) {
+        file_t *ef = search_dynamic_file((CA_CERTIFICATE_PREFIX << 8) | i);
+        if (ef && file_get_size(ef) > 0)
+            add_cert_puk_store(file_get_data(ef), file_get_size(ef), false);
+    }
+    dev_name = cvc_get_chr(termca, (termca[1] << 8) | termca[0], &dev_name_len);
+    memset(puk_status, 0, sizeof(puk_status));
 }

 int sc_hsm_unload() {
@@ -183,7 +237,7 @@ void select_file(file_t *pe) {

 uint16_t get_device_options() {
    file_t *ef = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
-    if (ef && ef->data)
+    if (ef && ef->data && file_get_size(ef))
        return (file_read_uint8(file_get_data(ef)) << 8) | file_read_uint8(file_get_data(ef)+1);
    return 0x0;
 }
@@ -223,6 +277,7 @@ static int cmd_select() {
    uint8_t pfx = fid >> 8;
    if (pfx == PRKD_PREFIX || 
        pfx == CD_PREFIX || 
+        pfx == CA_CERTIFICATE_PREFIX || 
        pfx == KEY_PREFIX || 
        pfx == EE_CERTIFICATE_PREFIX || 
        pfx == DCOD_PREFIX || 
@@ -262,7 +317,7 @@ static int cmd_select() {
                return SW_FILE_NOT_FOUND();
            }
            if (card_terminated) {
-                return set_res_sw (0x62, 0x85);
+                return set_res_sw(0x62, 0x85);
            }        
        }
        else if (p1 == 0x08) { //Select from the MF - Path without the MF identifier
@@ -518,15 +573,15 @@ static int cmd_verify() {
        uint16_t opts = get_device_options();
        if (opts & HSM_OPT_TRANSPORT_PIN)
            return SW_DATA_INVALID();
-        if (file_get_data(file_pin1) == 0) //not initialized
+        if (has_session_pin && apdu.nc == 0) /* It can be true from PUK AUT */
+            return SW_OK();
+        if (*file_get_data(file_pin1) == 0) //not initialized
            return SW_REFERENCE_NOT_FOUND();
        if (apdu.nc > 0) {
            return check_pin(file_pin1, apdu.data, apdu.nc);
        }
        if (file_read_uint8(file_get_data(file_retries_pin1)) == 0)
            return SW_PIN_BLOCKED();
-        if (has_session_pin)
-            return SW_OK();
        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_pin1)));
    }
    else if (p2 == 0x88) { //SOPin
@@ -608,11 +663,16 @@ static int cmd_reset_retry() {
    return SW_INCORRECT_P1P2();
 }

+static uint8_t challenge[256];
+static uint8_t challenge_len = 0;
+
 static int cmd_challenge() {
    uint8_t *rb = (uint8_t *)random_bytes_get(apdu.ne);
    if (!rb)
        return SW_WRONG_LENGTH();
    memcpy(res_APDU, rb, apdu.ne);
+    challenge_len = MIN(apdu.ne, sizeof(challenge));
+    memcpy(challenge, rb, challenge_len);
    res_APDU_size = apdu.ne;
    return SW_OK();
 }
@@ -644,8 +704,7 @@ static int cmd_initialize() {
                    double_hash_pin(tag_data, tag_len, dhash+1);
                    flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
                    hash_multi(tag_data, tag_len, session_pin);
-                    has_session_pin = true;
-                } 
+                }
            }
            else if (tag == 0x82) { //sopin pin
                if (file_sopin && file_sopin->data) {
@@ -655,7 +714,7 @@ static int cmd_initialize() {
                    flash_write_data_to_file(file_sopin, dhash, sizeof(dhash));
                    hash_multi(tag_data, tag_len, session_sopin);
                    has_session_sopin = true;
-                } 
+                }
            }
            else if (tag == 0x91) { //retries user pin
                file_t *tf = search_by_fid(0x1082, NULL, SPECIFY_EF);
@@ -673,6 +732,23 @@ static int cmd_initialize() {
                    return SW_MEMORY_FAILURE();
                flash_write_data_to_file(tf, NULL, 0);
            }
+            else if (tag == 0x93) {
+                file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+                if (!ef_puk)
+                    return SW_MEMORY_FAILURE();
+                uint8_t pk_status[4], puks = MIN(tag_data[0],MAX_PUK);
+                memset(pk_status, 0, sizeof(pk_status));
+                pk_status[0] = puks;
+                pk_status[1] = puks;
+                pk_status[2] = tag_data[1];
+                flash_write_data_to_file(ef_puk, pk_status, sizeof(pk_status));
+                for (int i = 0; i < puks; i++) {
+                    file_t *tf = file_new(EF_PUK+i);
+                    if (!tf)
+                        return SW_MEMORY_FAILURE();
+                    flash_write_data_to_file(tf, NULL, 0);
+                }
+            }
            else if (tag == 0x97) {
                kds = tag_data;
                for (int i = 0; i < MIN(*kds,MAX_KEY_DOMAINS); i++) {
@@ -718,6 +794,9 @@ static int cmd_initialize() {
            if (flash_write_data_to_file(tf_kd, t, 2*k) != CCID_OK)
                return SW_EXEC_ERROR();
        }
+        /* When initialized, it has all credentials */
+        has_session_pin = true;
+        isUserAuthenticated = true;
        low_flash_available();
    }
    else { //free memory bytes request
@@ -983,7 +1062,7 @@ static int cmd_keypair_gen() {
            uint8_t *kdomd = NULL;
            if (asn1_find_tag(apdu.data, apdu.nc, 0x92, &kdom_size, &kdomd) && kdom_size > 0 && kdomd != NULL)
                kdom = *kdomd;
-            if (memcmp(oid, "\x4\x0\x7F\x0\x7\x2\x2\x2\x1\x2",MIN(oid_len,10)) == 0) { //RSA
+            if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) { //RSA
                size_t ex_len = 3, ks_len = 2;
                uint8_t *ex = NULL, *ks = NULL;
                uint32_t exponent = 65537, key_size = 2048;
@@ -1020,7 +1099,7 @@ static int cmd_keypair_gen() {
                }
                mbedtls_rsa_free(&rsa);            
            }
-            else if (memcmp(oid, "\x4\x0\x7F\x0\x7\x2\x2\x2\x2\x3",MIN(oid_len,10)) == 0) { //ECC
+            else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256,MIN(oid_len,10)) == 0) { //ECC
                size_t prime_len;
                uint8_t *prime = NULL;
                if (asn1_find_tag(p, tout, 0x81, &prime_len, &prime) != true)
@@ -1358,7 +1437,7 @@ static int cmd_signature() {
    file_t *fkey;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
-    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data) 
+    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0) 
        return SW_FILE_NOT_FOUND();
    if (get_key_counter(fkey) == 0)
        return SW_FILE_FULL();
@@ -1406,15 +1485,15 @@ static int cmd_signature() {
                asn1_find_tag(p, tout, 0x4, &hash_len, &hash);
            }
            if (oid && oid_len > 0) {
-                if (memcmp(oid, "\x2B\x0E\x03\x02\x1A", oid_len) == 0) 
+                if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA1, oid_len) == 0) 
                    md = MBEDTLS_MD_SHA1;
-                else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x04", oid_len) == 0) 
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA224, oid_len) == 0) 
                    md = MBEDTLS_MD_SHA224;
-                else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x01", oid_len) == 0) 
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA256, oid_len) == 0) 
                    md = MBEDTLS_MD_SHA256;
-                else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x02", oid_len) == 0) 
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA384, oid_len) == 0) 
                    md = MBEDTLS_MD_SHA384;
-                else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x03", oid_len) == 0) 
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA512, oid_len) == 0) 
                    md = MBEDTLS_MD_SHA512;
            }
            if (p2 == ALGO_RSA_PSS || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_RSA_PSS_SHA256) {
@@ -1809,7 +1888,7 @@ static int cmd_derive_asym() {
    file_t *fkey;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
-    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data) 
+    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0) 
        return SW_FILE_NOT_FOUND();

    if (apdu.nc == 0)
@@ -1922,24 +2001,53 @@ static int cmd_extras() {
 static int cmd_mse() {
    int p1 = P1(apdu);
    int p2 = P2(apdu);
+    if (p2 != 0xA4 && p2 != 0xA6 && p2 != 0xAA && p2 != 0xB4 && p2 != 0xB6 && p2 != 0xB8)
+        return SW_INCORRECT_P1P2();
    if (p1 & 0x1) { //SET
-        if (p2 == 0xA4) { //AT
-            uint16_t tag = 0x0;
-            uint8_t *tag_data = NULL, *p = NULL;
-            size_t tag_len = 0;    
-            while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
-                if (tag == 0x80) {
-                    if (tag_len == 10 && memcmp(tag_data, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", tag_len) == 0)
+        uint16_t tag = 0x0;
+        uint8_t *tag_data = NULL, *p = NULL;
+        size_t tag_len = 0;    
+        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+            if (tag == 0x80) {
+                if (p2 == 0xA4) {
+                    if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_AES_CBC_CMAC_128, tag_len) == 0)
                        sm_set_protocol(MSE_AES);
-                    else if (tag_len == 10 && memcmp(tag_data, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", tag_len) == 0)
+                    else if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_3DES_CBC_CBC, tag_len) == 0)
                        sm_set_protocol(MSE_3DES);
-                    else
-                        return SW_REFERENCE_NOT_FOUND();
+                }
+            }
+            else if (tag == 0x83) {
+                if (tag_len == 1) {
+                    
+                }
+                else {
+                    if (p2 == 0xB6) {
+                        for (int i = 0; i < puk_store_entries; i++) {
+                            if (memcmp(puk_store[i].chr, tag_data, puk_store[i].chr_len) == 0) {
+                                current_puk = &puk_store[i];
+                                return SW_OK();
+                            }
+                        }
+                    }
+                    else if (p2 == 0xA4) { /* Aut */
+                        for (int i = 0; i < MAX_PUK; i++) {
+                            file_t *ef = search_dynamic_file(EF_PUK+i);
+                            if (!ef)
+                                break;
+                            if (ef->data == NULL || file_get_size(ef) == 0)
+                                break;
+                            size_t chr_len = 0;
+                            const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
+                            if (memcmp(chr, tag_data, chr_len) == 0) {
+                                ef_puk_aut = ef;
+                                return SW_OK();
+                            }
+                        }
+                    }
+                    return SW_REFERENCE_NOT_FOUND();
                }
            }
        }
-        else
-            return SW_INCORRECT_P1P2();
    }
    else
        return SW_INCORRECT_P1P2();
@@ -1993,9 +2101,9 @@ int cmd_general_authenticate() {
            uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16);
            memcpy(t, "\x7F\x49\x3F\x06\x0A", 5);
            if (sm_get_protocol() == MSE_AES)
-                memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", 10);
+                memcpy(t+5, OID_ID_CA_ECDH_AES_CBC_CMAC_128, 10);
            else if (sm_get_protocol() == MSE_3DES)
-                memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", 10);
+                memcpy(t+5, OID_ID_CA_ECDH_3DES_CBC_CBC, 10);
            t[15] = 0x86;
            memcpy(t+16, pubkey, pubkey_len);
            
@@ -2033,6 +2141,212 @@ int cmd_session_pin() {
    return SW_OK();
 }

+int cmd_puk_auth() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
+        return SW_FILE_NOT_FOUND();
+    uint8_t *puk_data = file_get_data(ef_puk);
+    if (apdu.nc > 0) {
+        if (p1 == 0x0 || p1 == 0x1) {
+            file_t *ef = NULL;
+            if (p1 == 0x0) { /* Add */
+                if (p2 != 0x0)
+                    return SW_INCORRECT_P1P2();
+                for (int i = 0; i < puk_data[0]; i++) {
+                    ef = search_dynamic_file(EF_PUK+i);
+                    if (!ef) /* Never should not happen */
+                        return SW_MEMORY_FAILURE();
+                    if (ef->data == NULL || file_get_size(ef) == 0) /* found first empty slot */
+                        break;
+                }
+                uint8_t *tmp = (uint8_t *)calloc(file_get_size(ef_puk), sizeof(uint8_t));
+                memcpy(tmp, puk_data, file_get_size(ef_puk));
+                tmp[1] = puk_data[1]-1;
+                flash_write_data_to_file(ef_puk, tmp, file_get_size(ef_puk));
+                puk_data = file_get_data(ef_puk);
+                free(tmp);
+            }
+            else if (p1 == 0x1) { /* Replace */
+                if (p2 >= puk_data[0])
+                    return SW_INCORRECT_P1P2();
+                ef = search_dynamic_file(EF_PUK+p2);
+                if (!ef) /* Never should not happen */
+                    return SW_MEMORY_FAILURE();
+            }
+            flash_write_data_to_file(ef, apdu.data, apdu.nc);
+            low_flash_available();
+        }
+        else
+            return SW_INCORRECT_P1P2();
+    }
+    if (p1 == 0x2) {
+        if (p2 >= puk_data[0])
+            return SW_INCORRECT_P1P2();
+        file_t *ef = search_dynamic_file(EF_PUK+p2);
+        if (!ef)
+            return SW_INCORRECT_P1P2();
+        if (ef->data == NULL || file_get_size(ef) == 0)
+            return SW_REFERENCE_NOT_FOUND();
+        size_t chr_len = 0;
+        const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
+        if (chr) {
+            memcpy(res_APDU, chr, chr_len);
+            res_APDU_size = chr_len;
+        }
+        return set_res_sw(0x90, puk_status[p2]);
+    }
+    else {
+        memcpy(res_APDU, puk_data, 3);
+        res_APDU[3] = 0;
+        for (int i = 0; i < puk_data[0]; i++)
+            res_APDU[3] += puk_status[i];
+        res_APDU_size = 4;
+    }
+    return SW_OK();
+}
+
+int cmd_pso() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    if (p1 == 0x0 && (p2 == 0x92 || p2 == 0xAE || p2 == 0xBE)) { /* Verify certificate */
+        if (apdu.nc == 0)
+            return SW_WRONG_LENGTH();
+        if (current_puk == NULL)
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.data[0] != 0x7F || apdu.data[1] != 0x21) {
+            uint8_t tlv_len = 2+format_tlv_len(apdu.nc, NULL);
+            memmove(apdu.data+tlv_len, apdu.data, apdu.nc);
+            memcpy(apdu.data, "\x7F\x21", 2);
+            format_tlv_len(apdu.nc, apdu.data+2);
+            apdu.nc += tlv_len;
+        }
+        int r = cvc_verify(apdu.data, apdu.nc, current_puk->cvcert, current_puk->cvcert_len);
+        if (r != CCID_OK) {
+            if (r == CCID_WRONG_DATA)
+                return SW_DATA_INVALID();
+            else if (r == CCID_WRONG_SIGNATURE)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            return SW_EXEC_ERROR();
+        }
+        for (int i = 0; i < 0xfe; i++) {
+            uint16_t fid = (CA_CERTIFICATE_PREFIX << 8) | i;
+            file_t *ca_ef = search_dynamic_file(fid);
+            if (!ca_ef) {
+                ca_ef = file_new(fid);
+                flash_write_data_to_file(ca_ef, apdu.data, apdu.nc);
+                if (add_cert_puk_store(file_get_data(ca_ef), file_get_size(ca_ef), false) != CCID_OK)
+                    return SW_FILE_FULL();
+                
+                size_t chr_len = 0;
+                const uint8_t *chr = cvc_get_chr(apdu.data, apdu.nc, &chr_len);
+                if (chr == NULL)
+                    return SW_WRONG_DATA();
+                size_t puk_len = 0, puk_bin_len = 0;
+                const uint8_t *puk = cvc_get_pub(apdu.data, apdu.nc, &puk_len), *puk_bin = NULL;
+                if (puk == NULL)
+                    return SW_WRONG_DATA();
+                size_t oid_len = 0;
+                const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
+                if (oid == NULL)
+                    return SW_WRONG_DATA();
+                if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
+                    puk_bin = cvc_get_field(puk, puk_len, &puk_bin_len, 0x81);
+                    if (!puk_bin)
+                        return SW_WRONG_DATA();
+                }
+                else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
+                    mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(apdu.data, apdu.nc);
+                    mbedtls_ecp_group grp;
+                    mbedtls_ecp_group_init(&grp);
+                    if (mbedtls_ecp_group_load(&grp, ec_id) != 0) {
+                        mbedtls_ecp_group_free(&grp);
+                        return SW_WRONG_DATA();
+                    }
+                    size_t plen = mbedtls_mpi_size(&grp.P);
+                    size_t t86_len = 0;
+                    const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
+                    if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+                        if (plen != t86_len) {
+                            mbedtls_ecp_group_free(&grp);
+                            return SW_WRONG_DATA();
+                        }
+                        puk_bin = t86;
+                        puk_bin_len = t86_len;
+                    }
+                    else if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+                        if (t86[0] == 0x2 || t86[0] == 0x3) {
+                            if (t86_len != plen+1) {
+                                mbedtls_ecp_group_free(&grp);
+                                return SW_WRONG_DATA();
+                            }
+                        }
+                        else if (t86[0] == 0x4) {
+                            if (t86_len != 2*plen+1) {
+                                mbedtls_ecp_group_free(&grp);
+                                return SW_WRONG_DATA();
+                            }
+                        }
+                        else {
+                            mbedtls_ecp_group_free(&grp);
+                            return SW_WRONG_DATA();
+                        }
+                        puk_bin = t86+1;
+                        puk_bin_len = plen;
+                    }
+                    mbedtls_ecp_group_free(&grp);
+                    if (!puk_bin)
+                        return SW_WRONG_DATA();
+                }
+                file_t *cd_ef = file_new((CD_PREFIX << 8) | i);
+                size_t cd_len = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, NULL, 0);
+                if (cd_len == 0)
+                    return SW_EXEC_ERROR();
+                uint8_t *buf = (uint8_t *)calloc(cd_len, sizeof(uint8_t));
+                int r = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, buf, cd_len);
+                flash_write_data_to_file(cd_ef, buf, cd_len);
+                free(buf);
+                if (r == 0)
+                    return SW_EXEC_ERROR();
+                low_flash_available();
+                break;
+            }
+        }
+        return SW_OK();
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}
+
+int cmd_external_authenticate() {
+    if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
+        return SW_INCORRECT_P1P2();
+    if (ef_puk_aut == NULL)
+        return SW_REFERENCE_NOT_FOUND();
+    if (apdu.nc == 0)
+        return SW_WRONG_LENGTH();
+    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
+        return SW_FILE_NOT_FOUND();
+    uint8_t *puk_data = file_get_data(ef_puk);
+    uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
+    memcpy(input, dev_name, dev_name_len);
+    memcpy(input+dev_name_len, challenge, challenge_len);
+    hash256(input, dev_name_len+challenge_len, hash);
+    int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
+    free(input);
+    if (r != 0)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    puk_status[ef_puk_aut->fid & (MAX_PUK-1)] = 1;
+    uint8_t auts = 0;
+    for (int i = 0; i < puk_data[0]; i++)
+        auts += puk_status[i];
+    if (auts >= puk_data[2]) {
+        has_session_pin = isUserAuthenticated = true;
+    }
+    return SW_OK();
+}
+
 typedef struct cmd
 {
  uint8_t ins;
@@ -2042,11 +2356,13 @@ typedef struct cmd
 #define INS_VERIFY                  0x20
 #define INS_MSE                     0x22
 #define INS_CHANGE_PIN              0x24
+#define INS_PSO                     0x2A
 #define INS_RESET_RETRY             0x2C
 #define INS_KEYPAIR_GEN             0x46
 #define INS_KEY_GEN                 0x48
 #define INS_INITIALIZE              0x50
 #define INS_KEY_DOMAIN              0x52
+#define INS_PUK_AUTH                0x54
 #define INS_LIST_KEYS               0x58
 #define INS_SESSION_PIN             0x5A
 #define INS_DECRYPT_ASYM            0x62
@@ -2056,6 +2372,7 @@ typedef struct cmd
 #define INS_UNWRAP                  0x74
 #define INS_DERIVE_ASYM             0x76
 #define INS_CIPHER_SYM              0x78
+#define INS_EXTERNAL_AUTHENTICATE   0x82
 #define INS_CHALLENGE               0x84
 #define INS_GENERAL_AUTHENTICATE    0x86
 #define INS_SELECT_FILE				0xA4
@@ -2089,6 +2406,9 @@ static const cmd_t cmds[] = {
    { INS_MSE, cmd_mse },
    { INS_GENERAL_AUTHENTICATE, cmd_general_authenticate },
    { INS_SESSION_PIN, cmd_session_pin },
+    { INS_PUK_AUTH, cmd_puk_auth },
+    { INS_PSO, cmd_pso },
+    { INS_EXTERNAL_AUTHENTICATE, cmd_external_authenticate },
    { 0x00, 0x0}
 };

--- a/src/hsm/version.h
+++ b/src/hsm/version.h
@@ -18,7 +18,7 @@
 #ifndef __VERSION_H_
 #define __VERSION_H_

-#define HSM_VERSION 0x0202
+#define HSM_VERSION 0x0204

 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
 #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)
Author	SHA1	Message	Date
Pol Henarejos	871ff69f56	Fix critical bug. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 11:46:44 +02:00
Pol Henarejos	d4b4289c0b	Update extra_command.md Added explanation for Key usage counter.	2022-06-14 11:27:49 +02:00
Pol Henarejos	32af000435	Upgrading to version 2.4. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-13 19:39:35 +02:00
Pol Henarejos	64178192ad	Update README.md Added PKA description.	2022-06-13 15:03:46 +02:00
Pol Henarejos	598752956f	Update scs3.md Added macOS notes.	2022-06-13 14:58:09 +02:00
Pol Henarejos	4dce0e5958	Update public_key_authentication.md Added screenshots.	2022-06-13 14:33:33 +02:00
Pol Henarejos	9f02aef930	Add PKA doc. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-13 14:28:09 +02:00
Pol Henarejos	0c25b0968b	Update scs3.md Added a patch.	2022-06-13 11:59:28 +02:00
Pol Henarejos	ddc0bd7202	Updated SCS3 doc. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-13 11:57:33 +02:00
Pol Henarejos	20727e1508	Point to last checkout. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 18:10:59 +02:00
Pol Henarejos	3afc1964dc	Store in dynamic memory PUK authentication. When a PUK is authenticated, session PIN is set to true. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 18:10:37 +02:00
Pol Henarejos	914020fd36	Added PUK authentication. Surprisingly, it works from the very beginning. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 17:43:50 +02:00
Pol Henarejos	168a8cd5a6	Fix selecting PUK for AUT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-12 17:42:21 +02:00
Pol Henarejos	eb94ed7806	Separated routines for verifying and parsing CV certificates. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 20:04:48 +02:00
Pol Henarejos	db6b3ec427	Added select MSE for puk AUT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 20:04:32 +02:00
Pol Henarejos	32d0cdcea7	Save cached challenge length. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 18:58:35 +02:00
Pol Henarejos	332fe8c884	Generated challenges are cached and dev_name (ESTERMXXXXX) based on terminal certificate. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:40:51 +02:00
Pol Henarejos	59f0cf7732	Fix CA certificates selection. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:33:53 +02:00
Pol Henarejos	b803505287	When a certificate is verified, the corresponding certificate description and the certificate are cached and saved. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:30:19 +02:00
Pol Henarejos	3542062ecd	Added function to write the ASN1 certificate description. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:29:28 +02:00
Pol Henarejos	824c327a2c	Added function to obtain EC params from root CA cert. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 16:28:55 +02:00
Pol Henarejos	76a41dffa1	Store all verified certificates (INS MSE) into CA_PREFIX files. When a certificate is sent for verification, it is always cached and saved onto a CA_PREFIX. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 11:59:06 +02:00
Pol Henarejos	65482cad9c	Added dynamic public key references. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 11:09:39 +02:00
Pol Henarejos	a17a4c0a3c	Finished key public registration. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 11:09:25 +02:00
Pol Henarejos	2437cf09d1	Added EF for PUKs Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-10 11:08:47 +02:00
Pol Henarejos	c4c394845d	Updated pico-ccid. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 21:25:33 +02:00
Pol Henarejos	a4d4f9a944	Fix outer CAR value. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 21:25:17 +02:00
Pol Henarejos	5eb086935e	Added INS_PSO. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 19:02:59 +02:00
Pol Henarejos	83a583a33f	Fix CVC verification. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 19:02:22 +02:00
Pol Henarejos	143c2d279b	Added cvc_verify to verify a cvcert with other CA cvcert. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 14:16:17 +02:00
Pol Henarejos	08dd596883	Added cvc_get_pub(). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 14:15:35 +02:00
Pol Henarejos	a4ffcebb0f	Added variable puk_store. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 14:15:17 +02:00
Pol Henarejos	8a14c22056	Added OID compilation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 11:53:58 +02:00
Pol Henarejos	39f7b5284a	Added OID definitions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-09 11:53:35 +02:00
Pol Henarejos	4f58cd255b	Adding PUK store. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 20:01:37 +02:00
Pol Henarejos	d96d7a533e	Added procedure for verifying CVC (unfinished). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 20:01:23 +02:00
Pol Henarejos	0e59166c64	Added MSE for B6 CRT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 17:35:30 +02:00
Pol Henarejos	6d8161de73	Added functions to retrieve CAR and CHR from certs. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 17:34:17 +02:00
Pol Henarejos	494df64674	Added CVCA to burnt certificates. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-08 17:33:48 +02:00
Pol Henarejos	d057729675	Fix returning the status of PIN1 when it is not initialized. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-07 19:58:21 +02:00
Pol Henarejos	b14a323ef8	Added INS PUK with status query. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-07 19:44:47 +02:00
Pol Henarejos	f2b66468ec	Adding Public Key Authentication file template. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-07 19:44:33 +02:00