dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity

Compare commits

base: dearsky:v2.2
Branches Tags
dearsky:master dearsky:development
dearsky:nightly-development dearsky:nightly-master dearsky:v6.4 dearsky:v6.2 dearsky:v6.0-eddsa1 dearsky:v6.0 dearsky:v5.6 dearsky:v5.4-eddsa1 dearsky:v5.4 dearsky:v5.2 dearsky:v5.0-eddsa1 dearsky:v5.0 dearsky:v4.2-eddsa1 dearsky:v4.2 dearsky:v4.0-eddsa1 dearsky:v4.0 dearsky:v3.6-eddsa1 dearsky:v3.6 dearsky:v3.4 dearsky:v3.2 dearsky:v3.0 dearsky:v2.6 dearsky:v2.4 dearsky:v2.2 dearsky:v2.0 dearsky:v1.12 dearsky:v1.10 dearsky:v1.8 dearsky:v1.6 dearsky:v1.4 dearsky:v1.2 dearsky:v1.0
..
compare: dearsky:v2.6
Branches Tags
dearsky:development dearsky:master
dearsky:nightly-development dearsky:nightly-master dearsky:v6.4 dearsky:v6.2 dearsky:v6.0-eddsa1 dearsky:v6.0 dearsky:v5.6 dearsky:v5.4-eddsa1 dearsky:v5.4 dearsky:v5.2 dearsky:v5.0-eddsa1 dearsky:v5.0 dearsky:v4.2-eddsa1 dearsky:v4.2 dearsky:v4.0-eddsa1 dearsky:v4.0 dearsky:v3.6-eddsa1 dearsky:v3.6 dearsky:v3.4 dearsky:v3.2 dearsky:v3.0 dearsky:v2.6 dearsky:v2.4 dearsky:v2.2 dearsky:v2.0 dearsky:v1.12 dearsky:v1.10 dearsky:v1.8 dearsky:v1.6 dearsky:v1.4 dearsky:v1.2 dearsky:v1.0

56 Commits
v2.2 ... v2.6

Author SHA1 Message Date
Pol Henarejos
f122a9ab28 Upgrade to version 2.6. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-09 00:42:58 +02:00
Pol Henarejos
14dbad4dd7 Do not return PIN unitialized if PKA is enabled. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-09 00:27:53 +02:00
Pol Henarejos
cdce9ab50b Adding pka_enabled() to check whether the device is configured with PKA. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-09 00:26:56 +02:00
Pol Henarejos
30d3270e1d Adding clarification on setting PKA and PIN with SCS3. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-09 00:26:35 +02:00
Pol Henarejos
157923decc Clafiricate docs about PKA and PIN 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-06 01:44:24 +02:00
Pol Henarejos
7bbcbc57eb Removing unnecessary debug. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-06 01:36:03 +02:00
Pol Henarejos
9074463f4e Added clarification on PKA and PIN 
DKEK is protected in the device with a derived key from the PIN number. Unfortunately, SCS3 does not support the combination of PKA and PIN but OpenSC does. This is explained here.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-06 01:27:51 +02:00
Pol Henarejos
3ebf4fdff5 User authentication is unlinked from session_pin 
Due to PUK Authentication, user authentication is not linked to having a valid session_pin anymore. In case of enabled PUK Auth, session_pin is used only for unlocking DKEK, but not for granting auth privileges, as they only are granted when PUK Auth succeeds.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-08-06 01:13:09 +02:00
Pol Henarejos
77e5fa2d2b Added static files for device key and certiticate. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-15 15:57:54 +02:00
Pol Henarejos
6bd2e65459 Add function for building PrKD asn1 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-15 15:38:11 +02:00
Pol Henarejos
3363e9ad0c Updating ccid. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 19:12:31 +02:00
Pol Henarejos
d1f0f45525 Added support for native PKCS1.5 and OEP decryption. 
It is not tested, as it is not supported by pkcs11 modules. For instance, OpenSSL implements OEP in local side, calling a RAW decryption on the device.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 17:00:23 +02:00
Pol Henarejos
efc1b4a4ae Fix meta deletion. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 16:45:06 +02:00
Pol Henarejos
a45303d9e6 Added support for specific purposes. Added support for SHA512 operations. 
Keys can only be used for the specific purpose provided during the keypair generation.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 16:12:04 +02:00
Pol Henarejos
871ff69f56 Fix critical bug. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-14 11:46:44 +02:00
Pol Henarejos
d4b4289c0b Update extra_command.md 
Added explanation for Key usage counter.
 2022-06-14 11:27:49 +02:00
Pol Henarejos
32af000435 Upgrading to version 2.4. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-13 19:39:35 +02:00
Pol Henarejos
64178192ad Update README.md 
Added PKA description.
 2022-06-13 15:03:46 +02:00
Pol Henarejos
598752956f Update scs3.md 
Added macOS notes.
 2022-06-13 14:58:09 +02:00
Pol Henarejos
4dce0e5958 Update public_key_authentication.md 
Added screenshots.
 2022-06-13 14:33:33 +02:00
Pol Henarejos
9f02aef930 Add PKA doc. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-13 14:28:09 +02:00
Pol Henarejos
0c25b0968b Update scs3.md 
Added a patch.
 2022-06-13 11:59:28 +02:00
Pol Henarejos
ddc0bd7202 Updated SCS3 doc. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-13 11:57:33 +02:00
Pol Henarejos
20727e1508 Point to last checkout. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 18:10:59 +02:00
Pol Henarejos
3afc1964dc Store in dynamic memory PUK authentication. 
When a PUK is authenticated, session PIN is set to true.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 18:10:37 +02:00
Pol Henarejos
914020fd36 Added PUK authentication. 
Surprisingly, it works from the very beginning.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 17:43:50 +02:00
Pol Henarejos
168a8cd5a6 Fix selecting PUK for AUT. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-12 17:42:21 +02:00
Pol Henarejos
eb94ed7806 Separated routines for verifying and parsing CV certificates. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 20:04:48 +02:00
Pol Henarejos
db6b3ec427 Added select MSE for puk AUT. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 20:04:32 +02:00
Pol Henarejos
32d0cdcea7 Save cached challenge length. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 18:58:35 +02:00
Pol Henarejos
332fe8c884 Generated challenges are cached and dev_name (ESTERMXXXXX) based on terminal certificate. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:40:51 +02:00
Pol Henarejos
59f0cf7732 Fix CA certificates selection. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:33:53 +02:00
Pol Henarejos
b803505287 When a certificate is verified, the corresponding certificate description and the certificate are cached and saved. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:30:19 +02:00
Pol Henarejos
3542062ecd Added function to write the ASN1 certificate description. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:29:28 +02:00
Pol Henarejos
824c327a2c Added function to obtain EC params from root CA cert. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 16:28:55 +02:00
Pol Henarejos
76a41dffa1 Store all verified certificates (INS MSE) into CA_PREFIX files. 
When a certificate is sent for verification, it is always cached and saved onto a CA_PREFIX.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 11:59:06 +02:00
Pol Henarejos
65482cad9c Added dynamic public key references. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 11:09:39 +02:00
Pol Henarejos
a17a4c0a3c Finished key public registration. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 11:09:25 +02:00
Pol Henarejos
2437cf09d1 Added EF for PUKs 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-10 11:08:47 +02:00
Pol Henarejos
c4c394845d Updated pico-ccid. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 21:25:33 +02:00
Pol Henarejos
a4d4f9a944 Fix outer CAR value. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 21:25:17 +02:00
Pol Henarejos
5eb086935e Added INS_PSO. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 19:02:59 +02:00
Pol Henarejos
83a583a33f Fix CVC verification. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 19:02:22 +02:00
Pol Henarejos
143c2d279b Added cvc_verify to verify a cvcert with other CA cvcert. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 14:16:17 +02:00
Pol Henarejos
08dd596883 Added cvc_get_pub(). 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 14:15:35 +02:00
Pol Henarejos
a4ffcebb0f Added variable puk_store. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 14:15:17 +02:00
Pol Henarejos
8a14c22056 Added OID compilation. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 11:53:58 +02:00
Pol Henarejos
39f7b5284a Added OID definitions. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-09 11:53:35 +02:00
Pol Henarejos
4f58cd255b Adding PUK store. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 20:01:37 +02:00
Pol Henarejos
d96d7a533e Added procedure for verifying CVC (unfinished). 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 20:01:23 +02:00
Pol Henarejos
0e59166c64 Added MSE for B6 CRT. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 17:35:30 +02:00
Pol Henarejos
6d8161de73 Added functions to retrieve CAR and CHR from certs. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 17:34:17 +02:00
Pol Henarejos
494df64674 Added CVCA to burnt certificates. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-08 17:33:48 +02:00
Pol Henarejos
d057729675 Fix returning the status of PIN1 when it is not initialized. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-07 19:58:21 +02:00
Pol Henarejos
b14a323ef8 Added INS PUK with status query. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-07 19:44:47 +02:00
Pol Henarejos
f2b66468ec Adding Public Key Authentication file template. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2022-06-07 19:44:33 +02:00
17 changed files with 1156 additions and 85 deletions
Expand all files Collapse all files

1
CMakeLists.txt
View File

@@ -62,6 +62,7 @@ target_sources(pico_hsm PUBLIC
${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvc.c
${CMAKE_CURRENT_LIST_DIR}/src/hsm/files.c
${CMAKE_CURRENT_LIST_DIR}/src/hsm/dkek.c
${CMAKE_CURRENT_LIST_DIR}/src/hsm/oid.c
${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/aes.c
${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/asn1write.c

7
README.md
View File

@@ -106,6 +106,11 @@ A key usage counter is a counter that is reduced by 1 everytime that the private
Key usage can also be used to perform and auditory and track the usage of a particular key.
### Public Key Authentication
Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
[^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
[^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process.
@@ -170,6 +175,8 @@ For storing and retrieving arbitrary data, check [doc/store_data.md](/doc/store_
For extra options, such as set/get real datetime or enable/disable press-to-confirm button, check [doc/extra_command.md](/doc/extra_command.md).
For Public Key Authentication, check [doc/public_key_authentication.md](/doc/public_key_authentication.md).
## Operation time
### Keypair generation
Generating EC keys is almost instant. RSA keypair generation takes some time, specially for `3072` and `4096` bits.

2
build_pico_hsm.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash
VERSION_MAJOR="2"
VERSION_MINOR="2"
VERSION_MINOR="6"
rm -rf release/*
cd build_release

38
burn-cvcerts.py
View File

@@ -13,6 +13,9 @@ import base64
import urllib.request
import json
import sys
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
def print_var(v, name):
s = '\n'
@@ -63,7 +66,42 @@ def main():
0xb7,0x33,0x70,0xd6,0x00,0xff,0x73,0x0c,0x5d
]
cvca = [
0x7f, 0x21, 0x82, 0x01, 0x65, 0x7f, 0x4e, 0x82, 0x01, 0x2d, 0x5f, 0x29,
0x01, 0x00, 0x42, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41, 0x48, 0x53,
0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x49, 0x81, 0xdd, 0x06, 0x0a,
0x04, 0x00, 0x7f, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03, 0x81, 0x18,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0x82, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xfc, 0x83, 0x18, 0x64, 0x21, 0x05, 0x19, 0xe5, 0x9c, 0x80, 0xe7,
0x0f, 0xa7, 0xe9, 0xab, 0x72, 0x24, 0x30, 0x49, 0xfe, 0xb8, 0xde, 0xec,
0xc1, 0x46, 0xb9, 0xb1, 0x84, 0x31, 0x04, 0x18, 0x8d, 0xa8, 0x0e, 0xb0,
0x30, 0x90, 0xf6, 0x7c, 0xbf, 0x20, 0xeb, 0x43, 0xa1, 0x88, 0x00, 0xf4,
0xff, 0x0a, 0xfd, 0x82, 0xff, 0x10, 0x12, 0x07, 0x19, 0x2b, 0x95, 0xff,
0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73,
0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, 0x85, 0x18, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x99, 0xde, 0xf8,
0x36, 0x14, 0x6b, 0xc9, 0xb1, 0xb4, 0xd2, 0x28, 0x31, 0x86, 0x31, 0x04,
0x08, 0x8f, 0xcd, 0xfc, 0xce, 0x87, 0xed, 0xd2, 0x85, 0x92, 0x06, 0x15,
0xe6, 0x51, 0xd7, 0x64, 0x52, 0xd8, 0x57, 0xec, 0xbb, 0x40, 0x8c, 0x32,
0x7a, 0xdb, 0x48, 0xa2, 0xa5, 0x14, 0xc1, 0xc9, 0xbd, 0x77, 0xcc, 0x97,
0x83, 0x60, 0x7a, 0x74, 0x14, 0x93, 0xa7, 0x42, 0x74, 0x4a, 0xd1, 0x73,
0x87, 0x01, 0x01, 0x5f, 0x20, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41,
0x48, 0x53, 0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x4c, 0x12, 0x06,
0x09, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x01, 0x02, 0x02, 0x53, 0x05,
0xc0, 0x00, 0x00, 0x00, 0x04, 0x5f, 0x25, 0x06, 0x02, 0x02, 0x00, 0x03,
0x02, 0x06, 0x5f, 0x24, 0x06, 0x03, 0x00, 0x01, 0x02, 0x03, 0x01, 0x5f,
0x37, 0x30, 0x72, 0x97, 0x77, 0x76, 0x64, 0xb6, 0x0c, 0x57, 0xa2, 0xc4,
0x5e, 0x7b, 0xfd, 0x12, 0xe5, 0x20, 0x14, 0x3e, 0xde, 0x90, 0x38, 0xbf,
0xb3, 0x02, 0x73, 0x91, 0x06, 0xf2, 0x73, 0x0d, 0x76, 0x06, 0x65, 0xd7,
0x46, 0x49, 0x91, 0x0c, 0x51, 0x90, 0x89, 0x84, 0x8d, 0x4f, 0xb6, 0xe5,
0x13, 0x40
]
s = '#ifndef _CVCERTS_H_\n#define _CVCERTS_H_\n'
s += print_var(cvca,'cvca')
s += print_var(dica,'dica')
s += print_var(cvcert,'termca')

24
doc/extra_command.md
View File

@@ -60,6 +60,10 @@ Pico HSM support initialize options, such as setting Transport PIN or reset retr
To specify a set of options, the `XX` parameter shall be set to `06`. The data parameter shall be 1 byte, where the options are combined with the or operand `|`. The length `YY` shall be set to `01`.
Available options (counting from LSB):
- Bit `0`: enable/disable press-to-confirm button.
- Bit `1`: enable/disable key usage counter for all keys.
### Press-to-confirm button
Press-to-confirm button offers an extra security layer by requiring the user confirmation everytime that a private/secret key is loaded. This avoids ghost applications thay may perform hidden opperations without noticing the user, such as signing or decrypting. Pico HSM will inform the user that is awaiting for a confirmation by making almost a fixed Led blink.
@@ -89,3 +93,23 @@ Pico HSM supports a key usage counter to audit the usage of a particular key. Fo
This option is disabled by default. When enabled, each generated key in the device is attached to a counter, starting at `2^32-1` (`FFFFFFFEh`). Therefore, it allows to count how many times a key is used for signing or decryption.
The counter can be viewed by using the SCS3 tool. More info at [doc/scs3.md](/doc/scs3.md).
This feature is disabled by default but can be enabled rapidly by setting the 2nd LSB bit to 1:
```
$ opensc-tool -s 806406000102
Using reader with a card: Free Software Initiative of Japan Gnuk
Sending: 80 64 06 00 01 01
Received (SW1=0x90, SW2=0x00)
```
At this moment, when a private/secret key is loaded, the Pico HSM will wait for the pressed BOOTSEL button to confirm the operation.
To disable, the LSB bit must be set to 0:
```
$ opensc-tool -s 806406000100
Using reader with a card: Free Software Initiative of Japan Gnuk
Sending: 80 64 06 00 01 00
Received (SW1=0x90, SW2=0x00)
```

97
doc/public_key_authentication.md Normal file
View File

@@ -0,0 +1,97 @@
# Public Key Authentication
Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN (see Notes below). The authentication is performed by signing a challenge and checking the signature result.
1. A Pico HSM #A contains a private key, whose public key will be used for authentication.
2. The public key of #A is registered into a second Pico HSM #B.
3. When a user wants to login into #B, #B generates a challenge that is passed to #A for signature.
4. #A signs the challenge and returns the signature.
5. #B verifies the signature against the challenge with the public key of #A, previously registered.
6. If the signature is valid, #B grants access to the user.
To enable PKA, the device must be initialized beforehand. In case the device has secret/private keys, all shall be exported and reimported when the set up is finished.
## Requirements
To take advantage of PKA, the following is required:
1. Two Pico HSM: one will be used only for authentication (it can be any device able to generate a private key and sign arbitrary data).
2. [SCS3](/doc/scs3.md "SCS3") tool to authenticate the user. At this time, OpenSC does not support PKA, only initialization.
3. A secret key of ECC 256 bits.
## Usage
Before using SCS3, it must be patched [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt). See [SCS3](/doc/scs3.md "SCS3") for further details.
### Generate the authentication key
On a secondary device, generate a private key, on the ECC 256 bits (`brainpoolP256r1` or `secp192r1`). Label it with an easy name, such as "Authentication".
<img width="1037" src="https://user-images.githubusercontent.com/55573252/173353764-4620ece4-0d82-4a23-a153-99bf912621a7.png">
Once finished, export the public key.
<img width="350" src="https://user-images.githubusercontent.com/55573252/173353732-63f40572-a42f-4e5c-a9ab-6e52a083956b.png">
### Initialization
On the primary device, initialize it. When prompting for an authentication mechanism, select "Public Key Authentication".
<img width="412" src="https://user-images.githubusercontent.com/55573252/173353661-17caf6db-0c76-4903-9b70-5afa79f5ae54.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 14 48" src="https://user-images.githubusercontent.com/55573252/173353822-310219dc-7c7d-4ece-9fd9-c7835c2688df.png">
Once finished, register the exported public key. A message of `0 authenticated public key(s) in 1 of 1 scheme` will appear if it is properly registered.
<img width="342" src="https://user-images.githubusercontent.com/55573252/173353917-f3f99405-c7ff-43ce-8914-6f3b713df952.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 16 17" src="https://user-images.githubusercontent.com/55573252/173353946-ee7eacf9-cead-4804-ac7a-57848f7c822b.png">
### Authentication
Plug the secondary device that stores the private key (do not load the device in the SCS3 tool) and initiate the public key authentication.
<img width="321" src="https://user-images.githubusercontent.com/55573252/173353998-8f418ec6-d90d-4168-801f-51008c78824d.png">
Select the secondary card and the Authentication private key (or the name you labeled it).
<img width="435" src="https://user-images.githubusercontent.com/55573252/173354044-50163113-829e-4d80-bbda-7b589849af73.png">
Introduce the PIN of the secondary device.
If the private key matches with the registered public key, the primary device will grant access and it will display `User PIN authenticated (9000)` (despite no PIN is provided).
From now on, you have full access and can operate normally with the primary device.
## Notes on DKEK
Pico HSM uses the PIN to protect the DKEK, which is lately used to protect private/secret keys and wrap/unwrap. However, when PKA is enabled, the authentication is not performed by introducing any PIN.
Authenticated privileges are granted when PKA succeeds, regardless of PIN, which is optional.
Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification.
Otherwise, it will not be possible to operate with private/secret keys despite the user will be logged in.
With this scheme, multiple custodians may authenticate the device individually and remotely and, when fully authenticated, the master user can unlock the DKEK with the PIN.
Moreover, with this approach the device is kept safe and neither the DKEK nor the private/secret keys are stored in plain text in the device.
Even though the flash memory is dumped by an attacker, it will not be possible to decipher any sensitive data or key.
Initialization of the device with PKA **and** PIN can be achieved with SCS3 or OpenSC:
**Note:** do not import any DKEK share or DKEK operation before PKA and PIN setup.
### With OpenSC
Use the following command (or similar), which accepts the use of PIN parameter **and** PKA configuration:
```
sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1
```
and PKA and PIN are enabled, jointly with DKEK protection.
### With SCS3
Unfortunately, SCS3 does not allow to initialize the device with PKA and PIN at the same time, though it can be achieved in separated steps:
1. Initialize the device with PKA. When done, the PIN will not be initialized but it will advice that 3 attemps can be performed.
2. There is NO default PIN. So, DO NOT attempt to log in yet. A reset PIN shall be requested.
3. Click on ``Reset User-PIN``, introduce the SO-PIN configured during the initialization and introduce the desired User-PIN.
When done, the device will be configured with PIN **and** PKA.

23
doc/scs3.md
View File

@@ -1,5 +1,11 @@
# SCS3 tool
SCS3 tool is a specific tool developed by CardContact to manage HSM. Thanks to its interface, Pico HSM can be enhanced with more advanced functionalities, not present in the PKCS11 module:
- Import PKCS12 private keys and certificates.
- Import private keys and certificates from other Pico HSM devices in WKY format.
-
Unfortunately, there is no pkcs11 tool or equivalent capable to perform the import. Since it uses the SC-HSM driver, it also supports the communication with the [SCS3 tool](https://www.openscdp.org/scsh3/ "SCS3 tool"). It can be downloaded from [here](https://www.openscdp.org/scsh3/download.html "here").
However, SCS3 only works with those HSM manufactured by CardContact. The check is performed by means of trust store against the manufacturing certificates. For obvious reasons, these certificates can only be signed with the private keys of the Certificate Authorities listed in the trust store.
@@ -20,7 +26,15 @@ SmartCardHSM.rootCerts = {
}
```
After this ammendment, the KeyManager can be invoked (CTRL+M) and it will output something similar to:
Similarly, replace the line `1531` in file `scs3/keymanager/keymanager.js` with:
```
assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESCVCAHSM00001.getPublicKey()), dicacert.getPublicKeyOID()));
```
Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt) can be applied.
After this ammendment, the program can be started and the KeyManager can be invoked (CTRL+M) and it will output something similar to:
```
>load("keymanager/keymanager.js");
@@ -37,6 +51,13 @@ mechanism from the User PIN context menu.
The SCS3 tool is ready to import private keys and certificates, wraped in WKY files or in PKCS#12 format. Also, all stored keys can be exported, combined with their respective certificates. Note that the user has to be previously logged in.
## macOS users
In macOS, the PCSC must be explicitly specified. Otherwise, the reader will not be found.
It can be executed in a Terminal via
```
java -Dsun.security.smartcardio.library=/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -Djava.library.path=./lib -classpath 'lib/*' de.cardcontact.scdp.scsh3.GUIShell
```
## DKEK requirement
In order to perform the import, private keys must be wrapped with the same DKEK present in the Pico HSM. Thus, the Pico HSM must be previously initialized with at minimum of 1 DKEK share. This share will be used to wrap the private key before import.

2
pico-ccid

Submodule pico-ccid updated: fe53f9a729...be86197b0b

387
src/hsm/cvc.c
View File

@@ -15,8 +15,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "cvc.h"
#include "common.h"
#include "cvc.h"
#include "mbedtls/rsa.h"
#include "mbedtls/ecdsa.h"
#include "cvcerts.h"
@@ -25,6 +25,8 @@
#include "ccid2040.h"
#include "crypto_utils.h"
#include "random.h"
#include "oid.h"
#include "mbedtls/md.h"
size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t buf_len) {
const uint8_t oid_rsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x01, 0x02 };
@@ -37,7 +39,7 @@ size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t bu
if (buf_len < tot_len)
return 0;
uint8_t *p = buf;
memcpy(p, "\x7f\x49", 2); p += 2;
memcpy(p, "\x7F\x49", 2); p += 2;
p += format_tlv_len(oid_len+ntot_size+etot_size, p);
//oid
*p++ = 0x6; p += format_tlv_len(sizeof(oid_rsa), p); memcpy(p, oid_rsa, sizeof(oid_rsa)); p += sizeof(oid_rsa);
@@ -74,7 +76,7 @@ size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, siz
if (buf_len < tot_len)
return 0;
uint8_t *p = buf;
memcpy(p, "\x7f\x49", 2); p += 2;
memcpy(p, "\x7F\x49", 2); p += 2;
p += format_tlv_len(oid_len+ptot_size+atot_size+btot_size+gtot_size+otot_size+ytot_size+ctot_size, p);
//oid
*p++ = 0x6; p += format_tlv_len(sizeof(oid_ecdsa), p); memcpy(p, oid_ecdsa, sizeof(oid_ecdsa)); p += sizeof(oid_ecdsa);
@@ -135,7 +137,7 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_
if (buf_len < tot_len)
return 0;
uint8_t *p = buf;
memcpy(p, "\x7f\x4e", 2); p += 2;
memcpy(p, "\x7F\x4E", 2); p += 2;
p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size, p);
//cpi
*p++ = 0x5f; *p++ = 0x29; *p++ = 1; *p++ = 0;
@@ -164,14 +166,14 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
if (buf_len < tot_len)
return 0;
uint8_t *p = buf, *body = NULL;
memcpy(p, "\x7f\x21", 2); p += 2;
memcpy(p, "\x7F\x21", 2); p += 2;
p += format_tlv_len(body_size+sig_size, p);
body = p;
p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size);
uint8_t hsh[32];
hash256(body, body_size, hsh);
memcpy(p, "\x5f\x37", 2); p += 2;
memcpy(p, "\x5F\x37", 2); p += 2;
p += format_tlv_len(key_size, p);
if (key_type == HSM_KEY_RSA) {
if (mbedtls_rsa_rsassa_pkcs1_v15_sign(rsa_ecdsa, random_gen, NULL, MBEDTLS_MD_SHA256, 32, hsh, p) != 0)
@@ -200,8 +202,9 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0);
uint8_t *outcar = (uint8_t *)"ESHSM00001";
size_t lenoutcar = strlen((char *)outcar), outcar_size = asn1_len_tag(0x42, lenoutcar);
size_t outcar_len = 0;
const uint8_t *outcar = cvc_get_chr((uint8_t *)termca+2, (termca[1] << 8) | termca[0], &outcar_len);
size_t outcar_size = asn1_len_tag(0x42, outcar_len);
int key_size = 2*file_read_uint16(termca_pk), ret = 0;
size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67, cvcert_size+outcar_size+outsig_size);
if (buf_len == 0 || buf == NULL)
@@ -215,7 +218,7 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
//cvcert
p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size);
//outcar
*p++ = 0x42; p += format_tlv_len(lenoutcar, p); memcpy(p, outcar, lenoutcar); p += lenoutcar;
*p++ = 0x42; p += format_tlv_len(outcar_len, p); memcpy(p, outcar, outcar_len); p += outcar_len;
mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_init(&ctx);
if (mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP192R1, &ctx, termca_pk+2, file_read_uint16(termca_pk)) != 0)
@@ -240,3 +243,369 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
mbedtls_mpi_free(&s);
return p-buf;
}
size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len) {
size_t opt_len = 2;
size_t seq1_size = asn1_len_tag(0x30, asn1_len_tag(0xC, label_len)+asn1_len_tag(0x3, opt_len));
size_t seq2_size = asn1_len_tag(0x30, asn1_len_tag(0x4, 20)); /* SHA1 is 20 bytes length */
size_t seq3_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t)))));
size_t tot_len = asn1_len_tag(0x30, seq1_size+seq2_size+seq3_size);
if (buf_len == 0 || buf == NULL)
return tot_len;
if (buf_len < tot_len)
return 0;
uint8_t *p = buf;
*p++ = 0x30;
p += format_tlv_len(seq1_size+seq2_size+seq3_size, p);
//Seq 1
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0xC, label_len)+asn1_len_tag(0x3, opt_len), p);
*p++ = 0xC;
p += format_tlv_len(label_len, p);
memcpy(p, label, label_len); p += label_len;
*p++ = 0x3;
p += format_tlv_len(opt_len, p);
memcpy(p, "\x06\x40", 2); p += 2;
//Seq 2
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0x4, 20), p);
*p++ = 0x4;
p += format_tlv_len(20, p);
mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), puk, puk_len, p); p += 20;
//Seq 3
*p++ = 0xA1;
p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t)))), p);
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t))), p);
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0x4, sizeof(uint16_t)), p);
*p++ = 0x4;
p += format_tlv_len(sizeof(uint16_t), p);
*p++ = fid >> 8;
*p++ = fid & 0xff;
return p-buf;
}
size_t asn1_build_prkd_ecc(const uint8_t *label, size_t label_len, const uint8_t *keyid, size_t keyid_len, size_t keysize, uint8_t *buf, size_t buf_len) {
size_t seq1_size = asn1_len_tag(0x30, asn1_len_tag(0xC, label_len));
size_t seq2_size = asn1_len_tag(0x30, asn1_len_tag(0x4, keyid_len)+asn1_len_tag(0x3, 3));
size_t seq3_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2)));
size_t tot_len = asn1_len_tag(0xA0, seq1_size+seq2_size+seq3_size);
if (buf_len == 0 || buf == NULL)
return tot_len;
if (buf_len < tot_len)
return 0;
uint8_t *p = buf;
*p++ = 0xA0;
p += format_tlv_len(seq1_size+seq2_size+seq3_size, p);
//Seq 1
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0xC, label_len), p);
*p++ = 0xC;
p += format_tlv_len(label_len, p);
memcpy(p, label, label_len); p += label_len;
//Seq 2
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0x4, keyid_len)+asn1_len_tag(0x3, 3), p);
*p++ = 0x4;
p += format_tlv_len(keyid_len, p);
memcpy(p, keyid, keyid_len); p += keyid_len;
*p++ = 0x3;
p += format_tlv_len(3, p);
memcpy(p, "\x07\x20\x80", 3); p += 3;
//Seq 3
*p++ = 0xA1;
p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2)), p);
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2), p);
*p++ = 0x30;
p += format_tlv_len(asn1_len_tag(0x4, 0), p);
*p++ = 0x4;
p += format_tlv_len(0, p);
*p++ = 0x2;
p += format_tlv_len(2, p);
*p++ = (keysize >> 8) & 0xff;
*p++ = keysize & 0xff;
return p-buf;
}
const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag) {
uint8_t *rdata = NULL;
if (data == NULL || len == 0)
return NULL;
if (asn1_find_tag(data, len, tag, olen, &rdata) == false)
return NULL;
return rdata;
}
const uint8_t *cvc_get_body(const uint8_t *data, size_t len, size_t *olen) {
const uint8_t *bkdata = data;
if ((data = cvc_get_field(data, len, olen, 0x67)) == NULL) /* Check for CSR */
data = bkdata;
if ((data = cvc_get_field(data, len, olen, 0x7F21)) != NULL) {
return cvc_get_field(data, len, olen, 0x7F4E);
}
return NULL;
}
const uint8_t *cvc_get_sig(const uint8_t *data, size_t len, size_t *olen) {
const uint8_t *bkdata = data;
if ((data = cvc_get_field(data, len, olen, 0x67)) == NULL) /* Check for CSR */
data = bkdata;
if ((data = cvc_get_field(data, len, olen, 0x7F21)) != NULL) {
return cvc_get_field(data, len, olen, 0x5F37);
}
return NULL;
}
const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen) {
if ((data = cvc_get_body(data, len, olen)) != NULL) {
return cvc_get_field(data, len, olen, 0x42);
}
return NULL;
}
const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen) {
if ((data = cvc_get_body(data, len, olen)) != NULL) {
return cvc_get_field(data, len, olen, 0x5F20);
}
return NULL;
}
const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen) {
if ((data = cvc_get_body(data, len, olen)) != NULL) {
return cvc_get_field(data, len, olen, 0x7F49);
}
return NULL;
}
extern PUK puk_store[MAX_PUK_STORE_ENTRIES];
extern int puk_store_entries;
int puk_store_index(const uint8_t *chr, size_t chr_len) {
for (int i = 0; i < puk_store_entries; i++) {
if (memcmp(puk_store[i].chr, chr, chr_len) == 0)
return i;
}
return -1;
}
mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len) {
size_t chr_len = 0, car_len = 0;
const uint8_t *chr = NULL, *car = NULL;
int eq = -1;
do {
chr = cvc_get_chr(ca, ca_len, &chr_len);
car = cvc_get_car(ca, ca_len, &car_len);
eq = memcmp(car, chr, MAX(car_len, chr_len));
if (car && eq != 0) {
int idx = puk_store_index(car, car_len);
if (idx != -1) {
ca = puk_store[idx].cvcert;
ca_len = puk_store[idx].cvcert_len;
}
else
ca = NULL;
}
} while (car && chr && eq != 0);
size_t ca_puk_len = 0;
const uint8_t *ca_puk = cvc_get_pub(ca, ca_len, &ca_puk_len);
if (!ca_puk)
return MBEDTLS_ECP_DP_NONE;
size_t t81_len = 0;
const uint8_t *t81 = cvc_get_field(ca_puk, ca_puk_len, &t81_len, 0x81);
if (!t81)
return MBEDTLS_ECP_DP_NONE;
return ec_get_curve_from_prime(t81, t81_len);
}
int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len) {
size_t puk_len = 0;
const uint8_t *puk = cvc_get_pub(ca, ca_len, &puk_len);
if (!puk)
return CCID_WRONG_DATA;
size_t oid_len = 0;
const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
if (!oid)
return CCID_WRONG_DATA;
if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
size_t t81_len = 0, t82_len = 0;
const uint8_t *t81 = cvc_get_field(puk, puk_len, &t81_len, 0x81), *t82 = cvc_get_field(puk, puk_len, &t81_len, 0x82);
if (!t81 || !t82)
return CCID_WRONG_DATA;
mbedtls_rsa_context rsa;
mbedtls_rsa_init(&rsa);
mbedtls_md_type_t md = MBEDTLS_MD_NONE;
if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0)
md = MBEDTLS_MD_SHA1;
else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)
md = MBEDTLS_MD_SHA256;
else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0)
md = MBEDTLS_MD_SHA512;
else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0) {
md = MBEDTLS_MD_SHA1;
mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, md);
}
else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_256, oid_len) == 0) {
md = MBEDTLS_MD_SHA256;
mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, md);
}
else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_512, oid_len) == 0) {
md = MBEDTLS_MD_SHA512;
mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, md);
}
if (md == MBEDTLS_MD_NONE) {
mbedtls_rsa_free(&rsa);
return CCID_WRONG_DATA;
}
int r = mbedtls_mpi_read_binary(&rsa.N, t81, t81_len);
if (r != 0) {
mbedtls_rsa_free(&rsa);
return CCID_EXEC_ERROR;
}
r = mbedtls_mpi_read_binary(&rsa.E, t82, t82_len);
if (r != 0) {
mbedtls_rsa_free(&rsa);
return CCID_EXEC_ERROR;
}
r = mbedtls_rsa_complete(&rsa);
if (r != 0) {
mbedtls_rsa_free(&rsa);
return CCID_EXEC_ERROR;
}
r = mbedtls_rsa_check_pubkey(&rsa);
if (r != 0) {
mbedtls_rsa_free(&rsa);
return CCID_EXEC_ERROR;
}
r = mbedtls_rsa_pkcs1_verify(&rsa, md, hash_len, hash, sig);
mbedtls_rsa_free(&rsa);
if (r != 0)
return CCID_WRONG_SIGNATURE;
}
else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
mbedtls_md_type_t md = MBEDTLS_MD_NONE;
if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0)
md = MBEDTLS_MD_SHA1;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0)
md = MBEDTLS_MD_SHA224;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0)
md = MBEDTLS_MD_SHA256;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0)
md = MBEDTLS_MD_SHA384;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0)
md = MBEDTLS_MD_SHA512;
if (md == MBEDTLS_MD_NONE)
return CCID_WRONG_DATA;
size_t t86_len = 0;
const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
if (!t86)
return CCID_WRONG_DATA;
mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(ca, ca_len);
if (ec_id == MBEDTLS_ECP_DP_NONE)
return CCID_WRONG_DATA;
mbedtls_ecdsa_context ecdsa;
mbedtls_ecdsa_init(&ecdsa);
int ret = mbedtls_ecp_group_load(&ecdsa.grp, ec_id);
if (ret != 0) {
mbedtls_ecdsa_free(&ecdsa);
return CCID_WRONG_DATA;
}
ret = mbedtls_ecp_point_read_binary(&ecdsa.grp, &ecdsa.Q, t86, t86_len);
if (ret != 0) {
mbedtls_ecdsa_free(&ecdsa);
return CCID_EXEC_ERROR;
}
ret = mbedtls_ecp_check_pubkey(&ecdsa.grp, &ecdsa.Q);
if (ret != 0) {
mbedtls_ecdsa_free(&ecdsa);
return CCID_EXEC_ERROR;
}
mbedtls_mpi r, s;
mbedtls_mpi_init(&r);
mbedtls_mpi_init(&s);
ret = mbedtls_mpi_read_binary(&r, sig, sig_len/2);
if (ret != 0) {
mbedtls_mpi_free(&r);
mbedtls_mpi_free(&s);
mbedtls_ecdsa_free(&ecdsa);
return CCID_EXEC_ERROR;
}
ret = mbedtls_mpi_read_binary(&s, sig+sig_len/2, sig_len/2);
if (ret != 0) {
mbedtls_mpi_free(&r);
mbedtls_mpi_free(&s);
mbedtls_ecdsa_free(&ecdsa);
return CCID_EXEC_ERROR;
}
ret = mbedtls_ecdsa_verify(&ecdsa.grp, hash, hash_len, &ecdsa.Q, &r, &s);
mbedtls_mpi_free(&r);
mbedtls_mpi_free(&s);
mbedtls_ecdsa_free(&ecdsa);
if (ret != 0)
return CCID_WRONG_SIGNATURE;
}
return CCID_OK;
}
int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len) {
size_t puk_len = 0;
const uint8_t *puk = cvc_get_pub(ca, ca_len, &puk_len);
if (!puk)
return CCID_WRONG_DATA;
size_t oid_len = 0, cv_body_len = 0, sig_len = 0;
const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
const uint8_t *cv_body = cvc_get_body(cert, cert_len, &cv_body_len);
const uint8_t *sig = cvc_get_sig(cert, cert_len, &sig_len);
if (!sig)
return CCID_WRONG_DATA;
if (!cv_body)
return CCID_WRONG_DATA;
if (!oid)
return CCID_WRONG_DATA;
mbedtls_md_type_t md = MBEDTLS_MD_NONE;
if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0)
md = MBEDTLS_MD_SHA1;
else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)
md = MBEDTLS_MD_SHA256;
else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0)
md = MBEDTLS_MD_SHA512;
else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0)
md = MBEDTLS_MD_SHA1;
else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_256, oid_len) == 0)
md = MBEDTLS_MD_SHA256;
else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_512, oid_len) == 0)
md = MBEDTLS_MD_SHA512;
}
else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0)
md = MBEDTLS_MD_SHA1;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0)
md = MBEDTLS_MD_SHA224;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0)
md = MBEDTLS_MD_SHA256;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0)
md = MBEDTLS_MD_SHA384;
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0)
md = MBEDTLS_MD_SHA512;
}
if (md == MBEDTLS_MD_NONE)
return CCID_WRONG_DATA;
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md);
uint8_t hash[64], hash_len = mbedtls_md_get_size(md_info);
uint8_t tlv_body = 2+format_tlv_len(cv_body_len, NULL);
int r = mbedtls_md(md_info, cv_body-tlv_body, cv_body_len+tlv_body, hash);
if (r != 0)
return CCID_EXEC_ERROR;
r = puk_verify(sig, sig_len, hash, hash_len, ca, ca_len);
if (r != 0)
return CCID_WRONG_SIGNATURE;
return CCID_OK;
}

24
src/hsm/cvc.h
View File

@@ -20,8 +20,32 @@
#include <stdlib.h>
#include "pico/stdlib.h"
#include "mbedtls/ecp.h"
typedef struct PUK {
const uint8_t *puk;
size_t puk_len;
const uint8_t *car;
size_t car_len;
const uint8_t *chr;
size_t chr_len;
const uint8_t *cvcert;
size_t cvcert_len;
bool copied;
} PUK;
#define MAX_PUK_STORE_ENTRIES 4
extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
extern size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len);
extern const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag);
extern const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen);
extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen);
extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);
extern size_t asn1_build_prkd_ecc(const uint8_t *label, size_t label_len, const uint8_t *keyid, size_t keyid_len, size_t keysize, uint8_t *buf, size_t buf_len);
#endif

10
src/hsm/files.c
View File

@@ -46,9 +46,13 @@ file_t file_entries[] = {
/* 21 */ { .fid = EF_SKDFS , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.SKDFs
/* 22 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Key domain options
/* 23 */ { .fid = EF_META , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //EF.CDFs
///* 22 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
/* 24 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
/* 25 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
/* 24 */ { .fid = EF_PUKAUT, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Public Key Authentication
/* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Device Key
/* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //PrKD Device
/* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //End Entity Certificate Device
///* 28 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
/* 29 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
/* 30 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
};
const file_t *MF = &file_entries[0];

6
src/hsm/files.h
View File

@@ -24,6 +24,8 @@
#define EF_DEVOPS 0x100E
#define EF_DKEK 0x1090
#define EF_KEY_DOMAIN 0x10A0
#define EF_PUKAUT 0x10C0
#define EF_PUK 0X10D0
#define EF_PRKDFS 0x6040
#define EF_PUKDFS 0x6041
#define EF_CDFS 0x6042
@@ -31,6 +33,10 @@
#define EF_DODFS 0x6044
#define EF_SKDFS 0x6045
#define EF_KEY_DEV 0xCC00
#define EF_PRKD_DEV 0xC400
#define EF_EE_DEV 0xCE00
extern file_t *file_pin1;
extern file_t *file_retries_pin1;
extern file_t *file_sopin;

18
src/hsm/oid.c Normal file
View File

@@ -0,0 +1,18 @@
/*
* This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
* Copyright (c) 2022 Pol Henarejos.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 3.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "oid.h"

81
src/hsm/oid.h Normal file
View File

@@ -0,0 +1,81 @@
/*
* This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
* Copyright (c) 2022 Pol Henarejos.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 3.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef _OID_H_
#define _OID_H_
#include <stdlib.h>
#include "pico/stdlib.h"
#define OID_BSI_DE "\x04\x00\x7F\x00\x07"
#define OID_ID_CA OID_BSI_DE "\x02\x02\x03"
#define OID_ID_CA_DH OID_ID_CA "\x01"
#define OID_ID_CA_DH_3DES_CBC_CBC OID_ID_CA_DH "\x01"
#define OID_ID_CA_DH_AES_CBC_CMAC_128 OID_ID_CA_DH "\x02"
#define OID_ID_CA_DH_AES_CBC_CMAC_192 OID_ID_CA_DH "\x03"
#define OID_ID_CA_DH_AES_CBC_CMAC_256 OID_ID_CA_DH "\x04"
#define OID_ID_CA_ECDH OID_ID_CA "\x02"
#define OID_ID_CA_ECDH_3DES_CBC_CBC OID_ID_CA_ECDH "\x01"
#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
#define OID_ID_PK OID_BSI_DE "\x02\x02\0x1"
#define OID_ID_PK_DH OID_ID_PK "\x01"
#define OID_ID_PK_ECDH OID_ID_PK "\x02"
#define OID_ID_TA OID_BSI_DE "\x02\x02\x02"
#define OID_ID_TA_RSA OID_ID_TA "\x01"
#define OID_ID_TA_RSA_V1_5_SHA_1 OID_ID_TA_RSA "\x01"
#define OID_ID_TA_RSA_V1_5_SHA_256 OID_ID_TA_RSA "\x02"
#define OID_ID_TA_RSA_PSS_SHA_1 OID_ID_TA_RSA "\x03"
#define OID_ID_TA_RSA_PSS_SHA_256 OID_ID_TA_RSA "\x04"
#define OID_ID_TA_RSA_V1_5_SHA_512 OID_ID_TA_RSA "\x05"
#define OID_ID_TA_RSA_PSS_SHA_512 OID_ID_TA_RSA "\x06"
#define OID_ID_TA_ECDSA OID_ID_TA "\x02"
#define OID_IT_TA_ECDSA_SHA_1 OID_ID_TA_ECDSA "\x01"
#define OID_IT_TA_ECDSA_SHA_224 OID_ID_TA_ECDSA "\x02"
#define OID_IT_TA_ECDSA_SHA_256 OID_ID_TA_ECDSA "\x03"
#define OID_IT_TA_ECDSA_SHA_384 OID_ID_TA_ECDSA "\x04"
#define OID_IT_TA_ECDSA_SHA_512 OID_ID_TA_ECDSA "\x05"
#define OID_ID_RI OID_BSI_DE "\x02\x02\x05"
#define OID_ID_RI_DH OID_ID_RI "\x01"
#define OID_ID_RI_DH_SHA_1 OID_ID_RI_DH "\x01"
#define OID_ID_RI_DH_SHA_224 OID_ID_RI_DH "\x02"
#define OID_ID_RI_DH_SHA_256 OID_ID_RI_DH "\x03"
#define OID_ID_RI_ECDH OID_ID_RI "\x02"
#define OID_ID_RI_ECDH_SHA_1 OID_ID_RI_ECDH "\x01"
#define OID_ID_RI_ECDH_SHA_224 OID_ID_RI_ECDH "\x02"
#define OID_ID_RI_ECDH_SHA_256 OID_ID_RI_ECDH "\x03"
#define OID_ID_CI OID_BSI_DE "\x02\x02\x06"
#endif

503
src/hsm/sc_hsm.c
View File

@@ -35,6 +35,10 @@
#include "eac.h"
#include "cvc.h"
#include "asn1.h"
#include "oid.h"
#include "mbedtls/oid.h"
#define MAX_PUK 8
const uint8_t sc_hsm_aid[] = {
11,
@@ -48,6 +52,8 @@ const uint8_t atr_sc_hsm[] = {
uint8_t session_pin[32], session_sopin[32];
bool has_session_pin = false, has_session_sopin = false;
const uint8_t *dev_name = NULL;
size_t dev_name_len = 0;
static int sc_hsm_process_apdu();
@@ -148,11 +154,59 @@ void scan_all() {
scan_files();
}
PUK puk_store[MAX_PUK_STORE_ENTRIES];
int puk_store_entries = 0;
PUK *current_puk = NULL;
file_t *ef_puk_aut = NULL;
uint8_t puk_status[MAX_PUK];
int add_cert_puk_store(const uint8_t *data, size_t data_len, bool copy) {
if (data == NULL || data_len == 0)
return CCID_ERR_NULL_PARAM;
if (puk_store_entries == MAX_PUK_STORE_ENTRIES)
return CCID_ERR_MEMORY_FATAL;
puk_store[puk_store_entries].copied = copy;
if (copy == true) {
uint8_t *tmp = (uint8_t *)calloc(data_len, sizeof(uint8_t));
memcpy(tmp, data, data_len);
puk_store[puk_store_entries].cvcert = tmp;
}
else
puk_store[puk_store_entries].cvcert = data;
puk_store[puk_store_entries].cvcert_len = data_len;
puk_store[puk_store_entries].chr = cvc_get_chr(puk_store[puk_store_entries].cvcert, data_len, &puk_store[puk_store_entries].chr_len);
puk_store[puk_store_entries].car = cvc_get_car(puk_store[puk_store_entries].cvcert, data_len, &puk_store[puk_store_entries].car_len);
puk_store[puk_store_entries].puk = cvc_get_pub(puk_store[puk_store_entries].cvcert, data_len, &puk_store[puk_store_entries].puk_len);
puk_store_entries++;
return CCID_OK;
}
void init_sc_hsm() {
scan_all();
has_session_pin = has_session_sopin = false;
isUserAuthenticated = false;
cmd_select();
if (puk_store_entries > 0) { /* From previous session */
for (int i = 0; i < puk_store_entries; i++) {
if (puk_store[i].copied == true)
free((uint8_t *)puk_store[i].cvcert);
}
}
memset(puk_store, 0, sizeof(puk_store));
puk_store_entries = 0;
const uint8_t *cvcerts[] = { cvca, dica, termca };
for (int i = 0; i < sizeof(cvcerts)/sizeof(uint8_t *); i++) {
add_cert_puk_store(cvcerts[i]+2, (cvcerts[i][1] << 8) | cvcerts[i][0], false);
}
for (int i = 0; i < 0xfe; i++) {
file_t *ef = search_dynamic_file((CA_CERTIFICATE_PREFIX << 8) | i);
if (ef && file_get_size(ef) > 0)
add_cert_puk_store(file_get_data(ef), file_get_size(ef), false);
}
dev_name = cvc_get_chr(termca, (termca[1] << 8) | termca[0], &dev_name_len);
memset(puk_status, 0, sizeof(puk_status));
}
int sc_hsm_unload() {
@@ -183,7 +237,7 @@ void select_file(file_t *pe) {
uint16_t get_device_options() {
file_t *ef = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
if (ef && ef->data)
if (ef && ef->data && file_get_size(ef))
return (file_read_uint8(file_get_data(ef)) << 8) | file_read_uint8(file_get_data(ef)+1);
return 0x0;
}
@@ -223,6 +277,7 @@ static int cmd_select() {
uint8_t pfx = fid >> 8;
if (pfx == PRKD_PREFIX ||
pfx == CD_PREFIX ||
pfx == CA_CERTIFICATE_PREFIX ||
pfx == KEY_PREFIX ||
pfx == EE_CERTIFICATE_PREFIX ||
pfx == DCOD_PREFIX ||
@@ -262,7 +317,7 @@ static int cmd_select() {
return SW_FILE_NOT_FOUND();
}
if (card_terminated) {
return set_res_sw (0x62, 0x85);
return set_res_sw(0x62, 0x85);
}
}
else if (p1 == 0x08) { //Select from the MF - Path without the MF identifier
@@ -465,13 +520,17 @@ int pin_wrong_retry(const file_t *pin) {
return CCID_ERR_BLOCKED;
}
bool pka_enabled() {
file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
return ef_puk && ef_puk->data && file_get_size(ef_puk) > 0 && file_read_uint8(file_get_data(ef_puk)) > 0;
}
int check_pin(const file_t *pin, const uint8_t *data, size_t len) {
if (!pin)
return SW_REFERENCE_NOT_FOUND();
if (!pin->data) {
if (!pin || !pin->data || file_get_size(pin) == 0) {
return SW_REFERENCE_NOT_FOUND();
}
isUserAuthenticated = false;
if (pka_enabled() == false)
isUserAuthenticated = false;
has_session_pin = has_session_sopin = false;
if (is_secured_apdu() && sm_session_pin_len > 0 && pin == file_pin1) {
if (len == sm_session_pin_len && memcmp(data, sm_session_pin, len) != 0) {
@@ -498,7 +557,8 @@ int check_pin(const file_t *pin, const uint8_t *data, size_t len) {
return SW_PIN_BLOCKED();
if (r != CCID_OK)
return SW_MEMORY_FAILURE();
isUserAuthenticated = true;
if (pka_enabled() == false)
isUserAuthenticated = true;
hash_multi(data, len, session_pin);
if (pin == file_pin1)
has_session_pin = true;
@@ -518,15 +578,15 @@ static int cmd_verify() {
uint16_t opts = get_device_options();
if (opts & HSM_OPT_TRANSPORT_PIN)
return SW_DATA_INVALID();
if (file_get_data(file_pin1) == 0) //not initialized
if (has_session_pin && apdu.nc == 0)
return SW_OK();
if (*file_get_data(file_pin1) == 0 && pka_enabled() == false) //not initialized
return SW_REFERENCE_NOT_FOUND();
if (apdu.nc > 0) {
return check_pin(file_pin1, apdu.data, apdu.nc);
}
if (file_read_uint8(file_get_data(file_retries_pin1)) == 0)
return SW_PIN_BLOCKED();
if (has_session_pin)
return SW_OK();
return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_pin1)));
}
else if (p2 == 0x88) { //SOPin
@@ -608,11 +668,16 @@ static int cmd_reset_retry() {
return SW_INCORRECT_P1P2();
}
static uint8_t challenge[256];
static uint8_t challenge_len = 0;
static int cmd_challenge() {
uint8_t *rb = (uint8_t *)random_bytes_get(apdu.ne);
if (!rb)
return SW_WRONG_LENGTH();
memcpy(res_APDU, rb, apdu.ne);
challenge_len = MIN(apdu.ne, sizeof(challenge));
memcpy(challenge, rb, challenge_len);
res_APDU_size = apdu.ne;
return SW_OK();
}
@@ -644,8 +709,7 @@ static int cmd_initialize() {
double_hash_pin(tag_data, tag_len, dhash+1);
flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
hash_multi(tag_data, tag_len, session_pin);
has_session_pin = true;
}
}
}
else if (tag == 0x82) { //sopin pin
if (file_sopin && file_sopin->data) {
@@ -655,7 +719,7 @@ static int cmd_initialize() {
flash_write_data_to_file(file_sopin, dhash, sizeof(dhash));
hash_multi(tag_data, tag_len, session_sopin);
has_session_sopin = true;
}
}
}
else if (tag == 0x91) { //retries user pin
file_t *tf = search_by_fid(0x1082, NULL, SPECIFY_EF);
@@ -673,6 +737,23 @@ static int cmd_initialize() {
return SW_MEMORY_FAILURE();
flash_write_data_to_file(tf, NULL, 0);
}
else if (tag == 0x93) {
file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
if (!ef_puk)
return SW_MEMORY_FAILURE();
uint8_t pk_status[4], puks = MIN(tag_data[0],MAX_PUK);
memset(pk_status, 0, sizeof(pk_status));
pk_status[0] = puks;
pk_status[1] = puks;
pk_status[2] = tag_data[1];
flash_write_data_to_file(ef_puk, pk_status, sizeof(pk_status));
for (int i = 0; i < puks; i++) {
file_t *tf = file_new(EF_PUK+i);
if (!tf)
return SW_MEMORY_FAILURE();
flash_write_data_to_file(tf, NULL, 0);
}
}
else if (tag == 0x97) {
kds = tag_data;
for (int i = 0; i < MIN(*kds,MAX_KEY_DOMAINS); i++) {
@@ -718,6 +799,9 @@ static int cmd_initialize() {
if (flash_write_data_to_file(tf_kd, t, 2*k) != CCID_OK)
return SW_EXEC_ERROR();
}
/* When initialized, it has all credentials */
has_session_pin = true;
isUserAuthenticated = true;
low_flash_available();
}
else { //free memory bytes request
@@ -734,42 +818,52 @@ static int cmd_initialize() {
return SW_OK();
}
uint8_t get_key_domain(file_t *fkey) {
if (!fkey)
return 0xff;
const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, size_t *tag_len) {
if (ef == NULL)
return NULL;
uint8_t *meta_data = NULL;
uint8_t meta_size = meta_find(fkey->fid, &meta_data);
uint8_t meta_size = meta_find(ef->fid, &meta_data);
if (meta_size > 0 && meta_data != NULL) {
uint16_t tag = 0x0;
uint8_t *tag_data = NULL, *p = NULL;
size_t tag_len = 0;
while (walk_tlv(meta_data, meta_size, &p, &tag, &tag_len, &tag_data)) {
if (tag == 0x92) { //ofset tag
return *tag_data;
while (walk_tlv(meta_data, meta_size, &p, &tag, tag_len, &tag_data)) {
if (tag == meta_tag) {
return tag_data;
}
}
}
return NULL;
}
uint8_t get_key_domain(file_t *fkey) {
size_t tag_len = 0;
const uint8_t *meta_tag = get_meta_tag(fkey, 0x92, &tag_len);
if (meta_tag)
return *meta_tag;
return 0;
}
uint32_t get_key_counter(file_t *fkey) {
if (!fkey)
return 0xffffff;
uint8_t *meta_data = NULL;
uint8_t meta_size = meta_find(fkey->fid, &meta_data);
if (meta_size > 0 && meta_data != NULL) {
uint16_t tag = 0x0;
uint8_t *tag_data = NULL, *p = NULL;
size_t tag_len = 0;
while (walk_tlv(meta_data, meta_size, &p, &tag, &tag_len, &tag_data)) {
if (tag == 0x90) { //ofset tag
return (tag_data[0] << 24) | (tag_data[1] << 16) | (tag_data[2] << 8) | tag_data[3];
}
}
}
size_t tag_len = 0;
const uint8_t *meta_tag = get_meta_tag(fkey, 0x90, &tag_len);
if (meta_tag)
return (meta_tag[0] << 24) | (meta_tag[1] << 16) | (meta_tag[2] << 8) | meta_tag[3];
return 0xffffffff;
}
bool key_has_purpose(file_t *ef, uint8_t purpose) {
size_t tag_len = 0;
const uint8_t *meta_tag = get_meta_tag(ef, 0x91, &tag_len);
if (meta_tag) {
for (int i = 0; i < tag_len; i++) {
if (meta_tag[i] == purpose)
return true;
}
return false;
}
return true;
}
uint32_t decrement_key_counter(file_t *fkey) {
if (!fkey)
return 0xffffff;
@@ -808,7 +902,7 @@ static int cmd_key_domain() {
//if (dkeks == 0)
// return SW_COMMAND_NOT_ALLOWED();
uint8_t p1 = P1(apdu), p2 = P2(apdu);
if (has_session_pin == false && apdu.nc > 0)
if ((has_session_pin == false || isUserAuthenticated == false) && apdu.nc > 0)
return SW_CONDITIONS_NOT_SATISFIED();
if (p2 >= MAX_KEY_DOMAINS)
return SW_WRONG_P1P2();
@@ -983,7 +1077,7 @@ static int cmd_keypair_gen() {
uint8_t *kdomd = NULL;
if (asn1_find_tag(apdu.data, apdu.nc, 0x92, &kdom_size, &kdomd) && kdom_size > 0 && kdomd != NULL)
kdom = *kdomd;
if (memcmp(oid, "\x4\x0\x7F\x0\x7\x2\x2\x2\x1\x2",MIN(oid_len,10)) == 0) { //RSA
if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) { //RSA
size_t ex_len = 3, ks_len = 2;
uint8_t *ex = NULL, *ks = NULL;
uint32_t exponent = 65537, key_size = 2048;
@@ -1020,7 +1114,7 @@ static int cmd_keypair_gen() {
}
mbedtls_rsa_free(&rsa);
}
else if (memcmp(oid, "\x4\x0\x7F\x0\x7\x2\x2\x2\x2\x3",MIN(oid_len,10)) == 0) { //ECC
else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256,MIN(oid_len,10)) == 0) { //ECC
size_t prime_len;
uint8_t *prime = NULL;
if (asn1_find_tag(p, tout, 0x81, &prime_len, &prime) != true)
@@ -1146,6 +1240,7 @@ static int cmd_delete_file() {
}
if (!authenticate_action(ef, ACL_OP_DELETE_SELF))
return SW_SECURITY_STATUS_NOT_SATISFIED();
meta_delete(ef->fid);
if (flash_clear_file(ef) != CCID_OK)
return SW_EXEC_ERROR();
if (delete_dynamic_file(ef) != CCID_OK)
@@ -1358,10 +1453,12 @@ static int cmd_signature() {
file_t *fkey;
if (!isUserAuthenticated)
return SW_SECURITY_STATUS_NOT_SATISFIED();
if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data)
if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
return SW_FILE_NOT_FOUND();
if (get_key_counter(fkey) == 0)
return SW_FILE_FULL();
if (key_has_purpose(fkey, p2) == false)
return SW_CONDITIONS_NOT_SATISFIED();
int key_size = file_get_size(fkey);
if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1)
md = MBEDTLS_MD_SHA1;
@@ -1373,7 +1470,7 @@ static int cmd_signature() {
generic_hash(md, apdu.data, apdu.nc, apdu.data);
apdu.nc = mbedtls_md_get_size(mbedtls_md_info_from_type(md));
}
if (p2 == ALGO_RSA_RAW || p2 == ALGO_RSA_PKCS1 || p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_RSA_PSS_SHA256) {
if (p2 >= ALGO_RSA_RAW && p2 <= ALGO_RSA_PSS_SHA512) {
mbedtls_rsa_context ctx;
mbedtls_rsa_init(&ctx);
@@ -1406,23 +1503,29 @@ static int cmd_signature() {
asn1_find_tag(p, tout, 0x4, &hash_len, &hash);
}
if (oid && oid_len > 0) {
if (memcmp(oid, "\x2B\x0E\x03\x02\x1A", oid_len) == 0)
if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA1, oid_len) == 0)
md = MBEDTLS_MD_SHA1;
else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x04", oid_len) == 0)
else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA224, oid_len) == 0)
md = MBEDTLS_MD_SHA224;
else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x01", oid_len) == 0)
else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA256, oid_len) == 0)
md = MBEDTLS_MD_SHA256;
else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x02", oid_len) == 0)
else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA384, oid_len) == 0)
md = MBEDTLS_MD_SHA384;
else if (memcmp(oid, "\x60\x86\x48\x01\x65\x03\x04\x02\x03", oid_len) == 0)
else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA512, oid_len) == 0)
md = MBEDTLS_MD_SHA512;
}
if (p2 == ALGO_RSA_PSS || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_RSA_PSS_SHA256) {
if (p2 >= ALGO_RSA_PSS && p2 <= ALGO_RSA_PSS_SHA512) {
if (p2 == ALGO_RSA_PSS && !oid) {
if (apdu.nc == 20) //default is sha1
md = MBEDTLS_MD_SHA1;
else if (apdu.nc == 32)
else if (apdu.nc == 28)
md = MBEDTLS_MD_SHA224;
else if (apdu.nc == 32)
md = MBEDTLS_MD_SHA256;
else if (apdu.nc == 48)
md = MBEDTLS_MD_SHA384;
else if (apdu.nc == 64)
md = MBEDTLS_MD_SHA512;
}
mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, md);
}
@@ -1446,7 +1549,7 @@ static int cmd_signature() {
apdu.ne = key_size;
mbedtls_rsa_free(&ctx);
}
else if (p2 == ALGO_EC_RAW || p2 == ALGO_EC_SHA1 || p2 == ALGO_EC_SHA224 || p2 == ALGO_EC_SHA256) {
else if (p2 >= ALGO_EC_RAW && p2 <= ALGO_EC_SHA512) {
mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_init(&ctx);
md = MBEDTLS_MD_SHA256;
@@ -1468,6 +1571,10 @@ static int cmd_signature() {
md = MBEDTLS_MD_SHA224;
else if (p2 == ALGO_EC_SHA256)
md = MBEDTLS_MD_SHA256;
else if (p2 == ALGO_EC_SHA384)
md = MBEDTLS_MD_SHA384;
else if (p2 == ALGO_EC_SHA512)
md = MBEDTLS_MD_SHA512;
int r;
r = load_private_key_ecdsa(&ctx, fkey);
if (r != CCID_OK) {
@@ -1502,6 +1609,8 @@ static int cmd_key_wrap() {
uint8_t kdom = get_key_domain(ef);
if (!ef)
return SW_FILE_NOT_FOUND();
if (key_has_purpose(ef, ALGO_WRAP) == false)
return SW_CONDITIONS_NOT_SATISFIED();
file_t *prkd = search_dynamic_file((PRKD_PREFIX << 8) | key_id);
if (!prkd)
return SW_FILE_NOT_FOUND();
@@ -1632,6 +1741,7 @@ static int cmd_key_unwrap() {
static int cmd_decrypt_asym() {
int key_id = P1(apdu);
uint8_t p2 = P2(apdu);
if (!isUserAuthenticated)
return SW_SECURITY_STATUS_NOT_SATISFIED();
file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
@@ -1639,9 +1749,13 @@ static int cmd_decrypt_asym() {
return SW_FILE_NOT_FOUND();
if (get_key_counter(ef) == 0)
return SW_FILE_FULL();
if (P2(apdu) == ALGO_RSA_DECRYPT) {
if (key_has_purpose(ef, p2) == false)
return SW_CONDITIONS_NOT_SATISFIED();
if (p2 >= ALGO_RSA_DECRYPT && p2 <= ALGO_RSA_DECRYPT_OEP) {
mbedtls_rsa_context ctx;
mbedtls_rsa_init(&ctx);
if (p2 == ALGO_RSA_DECRYPT_OEP)
mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE);
int r = load_private_key_rsa(&ctx, ef);
if (r != CCID_OK) {
mbedtls_rsa_free(&ctx);
@@ -1652,15 +1766,24 @@ static int cmd_decrypt_asym() {
int key_size = file_get_size(ef);
if (apdu.nc < key_size) //needs padding
memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
if (p2 == ALGO_RSA_DECRYPT_PKCS1 || p2 == ALGO_RSA_DECRYPT_OEP) {
size_t olen = apdu.nc;
r = mbedtls_rsa_pkcs1_decrypt(&ctx, random_gen, NULL, &olen, apdu.data, res_APDU, 512);
if (r == 0)
res_APDU_size = olen;
}
else {
r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
if (r == 0)
res_APDU_size = key_size;
}
if (r != 0) {
mbedtls_rsa_free(&ctx);
return SW_EXEC_ERROR();
}
res_APDU_size = key_size;
mbedtls_rsa_free(&ctx);
}
else if (P2(apdu) == ALGO_EC_DH) {
else if (p2 == ALGO_EC_DH) {
mbedtls_ecdh_context ctx;
if (wait_button() == true) //timeout
return SW_SECURE_MESSAGE_EXEC_ERROR();
@@ -1716,6 +1839,8 @@ static int cmd_cipher_sym() {
file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
if (!ef)
return SW_FILE_NOT_FOUND();
if (key_has_purpose(ef, algo) == false)
return SW_CONDITIONS_NOT_SATISFIED();
if ((apdu.nc % 16) != 0) {
return SW_WRONG_LENGTH();
}
@@ -1809,9 +1934,10 @@ static int cmd_derive_asym() {
file_t *fkey;
if (!isUserAuthenticated)
return SW_SECURITY_STATUS_NOT_SATISFIED();
if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data)
if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
return SW_FILE_NOT_FOUND();
if (key_has_purpose(fkey, ALGO_EC_DERIVE) == false)
return SW_CONDITIONS_NOT_SATISFIED();
if (apdu.nc == 0)
return SW_WRONG_LENGTH();
if (apdu.data[0] == ALGO_EC_DERIVE) {
@@ -1922,24 +2048,53 @@ static int cmd_extras() {
static int cmd_mse() {
int p1 = P1(apdu);
int p2 = P2(apdu);
if (p2 != 0xA4 && p2 != 0xA6 && p2 != 0xAA && p2 != 0xB4 && p2 != 0xB6 && p2 != 0xB8)
return SW_INCORRECT_P1P2();
if (p1 & 0x1) { //SET
if (p2 == 0xA4) { //AT
uint16_t tag = 0x0;
uint8_t *tag_data = NULL, *p = NULL;
size_t tag_len = 0;
while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
if (tag == 0x80) {
if (tag_len == 10 && memcmp(tag_data, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", tag_len) == 0)
uint16_t tag = 0x0;
uint8_t *tag_data = NULL, *p = NULL;
size_t tag_len = 0;
while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
if (tag == 0x80) {
if (p2 == 0xA4) {
if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_AES_CBC_CMAC_128, tag_len) == 0)
sm_set_protocol(MSE_AES);
else if (tag_len == 10 && memcmp(tag_data, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", tag_len) == 0)
else if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_3DES_CBC_CBC, tag_len) == 0)
sm_set_protocol(MSE_3DES);
else
return SW_REFERENCE_NOT_FOUND();
}
}
else if (tag == 0x83) {
if (tag_len == 1) {
}
else {
if (p2 == 0xB6) {
for (int i = 0; i < puk_store_entries; i++) {
if (memcmp(puk_store[i].chr, tag_data, puk_store[i].chr_len) == 0) {
current_puk = &puk_store[i];
return SW_OK();
}
}
}
else if (p2 == 0xA4) { /* Aut */
for (int i = 0; i < MAX_PUK; i++) {
file_t *ef = search_dynamic_file(EF_PUK+i);
if (!ef)
break;
if (ef->data == NULL || file_get_size(ef) == 0)
break;
size_t chr_len = 0;
const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
if (memcmp(chr, tag_data, chr_len) == 0) {
ef_puk_aut = ef;
return SW_OK();
}
}
}
return SW_REFERENCE_NOT_FOUND();
}
}
}
else
return SW_INCORRECT_P1P2();
}
else
return SW_INCORRECT_P1P2();
@@ -1993,9 +2148,9 @@ int cmd_general_authenticate() {
uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16);
memcpy(t, "\x7F\x49\x3F\x06\x0A", 5);
if (sm_get_protocol() == MSE_AES)
memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x02", 10);
memcpy(t+5, OID_ID_CA_ECDH_AES_CBC_CMAC_128, 10);
else if (sm_get_protocol() == MSE_3DES)
memcpy(t+5, "\x04\x00\x7F\x00\x07\x02\x02\x03\x02\x01", 10);
memcpy(t+5, OID_ID_CA_ECDH_3DES_CBC_CBC, 10);
t[15] = 0x86;
memcpy(t+16, pubkey, pubkey_len);
@@ -2033,6 +2188,212 @@ int cmd_session_pin() {
return SW_OK();
}
int cmd_puk_auth() {
uint8_t p1 = P1(apdu), p2 = P2(apdu);
file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
return SW_FILE_NOT_FOUND();
uint8_t *puk_data = file_get_data(ef_puk);
if (apdu.nc > 0) {
if (p1 == 0x0 || p1 == 0x1) {
file_t *ef = NULL;
if (p1 == 0x0) { /* Add */
if (p2 != 0x0)
return SW_INCORRECT_P1P2();
for (int i = 0; i < puk_data[0]; i++) {
ef = search_dynamic_file(EF_PUK+i);
if (!ef) /* Never should not happen */
return SW_MEMORY_FAILURE();
if (ef->data == NULL || file_get_size(ef) == 0) /* found first empty slot */
break;
}
uint8_t *tmp = (uint8_t *)calloc(file_get_size(ef_puk), sizeof(uint8_t));
memcpy(tmp, puk_data, file_get_size(ef_puk));
tmp[1] = puk_data[1]-1;
flash_write_data_to_file(ef_puk, tmp, file_get_size(ef_puk));
puk_data = file_get_data(ef_puk);
free(tmp);
}
else if (p1 == 0x1) { /* Replace */
if (p2 >= puk_data[0])
return SW_INCORRECT_P1P2();
ef = search_dynamic_file(EF_PUK+p2);
if (!ef) /* Never should not happen */
return SW_MEMORY_FAILURE();
}
flash_write_data_to_file(ef, apdu.data, apdu.nc);
low_flash_available();
}
else
return SW_INCORRECT_P1P2();
}
if (p1 == 0x2) {
if (p2 >= puk_data[0])
return SW_INCORRECT_P1P2();
file_t *ef = search_dynamic_file(EF_PUK+p2);
if (!ef)
return SW_INCORRECT_P1P2();
if (ef->data == NULL || file_get_size(ef) == 0)
return SW_REFERENCE_NOT_FOUND();
size_t chr_len = 0;
const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
if (chr) {
memcpy(res_APDU, chr, chr_len);
res_APDU_size = chr_len;
}
return set_res_sw(0x90, puk_status[p2]);
}
else {
memcpy(res_APDU, puk_data, 3);
res_APDU[3] = 0;
for (int i = 0; i < puk_data[0]; i++)
res_APDU[3] += puk_status[i];
res_APDU_size = 4;
}
return SW_OK();
}
int cmd_pso() {
uint8_t p1 = P1(apdu), p2 = P2(apdu);
if (p1 == 0x0 && (p2 == 0x92 || p2 == 0xAE || p2 == 0xBE)) { /* Verify certificate */
if (apdu.nc == 0)
return SW_WRONG_LENGTH();
if (current_puk == NULL)
return SW_REFERENCE_NOT_FOUND();
if (apdu.data[0] != 0x7F || apdu.data[1] != 0x21) {
uint8_t tlv_len = 2+format_tlv_len(apdu.nc, NULL);
memmove(apdu.data+tlv_len, apdu.data, apdu.nc);
memcpy(apdu.data, "\x7F\x21", 2);
format_tlv_len(apdu.nc, apdu.data+2);
apdu.nc += tlv_len;
}
int r = cvc_verify(apdu.data, apdu.nc, current_puk->cvcert, current_puk->cvcert_len);
if (r != CCID_OK) {
if (r == CCID_WRONG_DATA)
return SW_DATA_INVALID();
else if (r == CCID_WRONG_SIGNATURE)
return SW_CONDITIONS_NOT_SATISFIED();
return SW_EXEC_ERROR();
}
for (int i = 0; i < 0xfe; i++) {
uint16_t fid = (CA_CERTIFICATE_PREFIX << 8) | i;
file_t *ca_ef = search_dynamic_file(fid);
if (!ca_ef) {
ca_ef = file_new(fid);
flash_write_data_to_file(ca_ef, apdu.data, apdu.nc);
if (add_cert_puk_store(file_get_data(ca_ef), file_get_size(ca_ef), false) != CCID_OK)
return SW_FILE_FULL();
size_t chr_len = 0;
const uint8_t *chr = cvc_get_chr(apdu.data, apdu.nc, &chr_len);
if (chr == NULL)
return SW_WRONG_DATA();
size_t puk_len = 0, puk_bin_len = 0;
const uint8_t *puk = cvc_get_pub(apdu.data, apdu.nc, &puk_len), *puk_bin = NULL;
if (puk == NULL)
return SW_WRONG_DATA();
size_t oid_len = 0;
const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
if (oid == NULL)
return SW_WRONG_DATA();
if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
puk_bin = cvc_get_field(puk, puk_len, &puk_bin_len, 0x81);
if (!puk_bin)
return SW_WRONG_DATA();
}
else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(apdu.data, apdu.nc);
mbedtls_ecp_group grp;
mbedtls_ecp_group_init(&grp);
if (mbedtls_ecp_group_load(&grp, ec_id) != 0) {
mbedtls_ecp_group_free(&grp);
return SW_WRONG_DATA();
}
size_t plen = mbedtls_mpi_size(&grp.P);
size_t t86_len = 0;
const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
if (plen != t86_len) {
mbedtls_ecp_group_free(&grp);
return SW_WRONG_DATA();
}
puk_bin = t86;
puk_bin_len = t86_len;
}
else if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
if (t86[0] == 0x2 || t86[0] == 0x3) {
if (t86_len != plen+1) {
mbedtls_ecp_group_free(&grp);
return SW_WRONG_DATA();
}
}
else if (t86[0] == 0x4) {
if (t86_len != 2*plen+1) {
mbedtls_ecp_group_free(&grp);
return SW_WRONG_DATA();
}
}
else {
mbedtls_ecp_group_free(&grp);
return SW_WRONG_DATA();
}
puk_bin = t86+1;
puk_bin_len = plen;
}
mbedtls_ecp_group_free(&grp);
if (!puk_bin)
return SW_WRONG_DATA();
}
file_t *cd_ef = file_new((CD_PREFIX << 8) | i);
size_t cd_len = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, NULL, 0);
if (cd_len == 0)
return SW_EXEC_ERROR();
uint8_t *buf = (uint8_t *)calloc(cd_len, sizeof(uint8_t));
int r = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, buf, cd_len);
flash_write_data_to_file(cd_ef, buf, cd_len);
free(buf);
if (r == 0)
return SW_EXEC_ERROR();
low_flash_available();
break;
}
}
return SW_OK();
}
else
return SW_INCORRECT_P1P2();
return SW_OK();
}
int cmd_external_authenticate() {
if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
return SW_INCORRECT_P1P2();
if (ef_puk_aut == NULL)
return SW_REFERENCE_NOT_FOUND();
if (apdu.nc == 0)
return SW_WRONG_LENGTH();
file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
return SW_FILE_NOT_FOUND();
uint8_t *puk_data = file_get_data(ef_puk);
uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
memcpy(input, dev_name, dev_name_len);
memcpy(input+dev_name_len, challenge, challenge_len);
hash256(input, dev_name_len+challenge_len, hash);
int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
free(input);
if (r != 0)
return SW_CONDITIONS_NOT_SATISFIED();
puk_status[ef_puk_aut->fid & (MAX_PUK-1)] = 1;
uint8_t auts = 0;
for (int i = 0; i < puk_data[0]; i++)
auts += puk_status[i];
if (auts >= puk_data[2]) {
isUserAuthenticated = true;
}
return SW_OK();
}
typedef struct cmd
{
uint8_t ins;
@@ -2042,11 +2403,13 @@ typedef struct cmd
#define INS_VERIFY 0x20
#define INS_MSE 0x22
#define INS_CHANGE_PIN 0x24
#define INS_PSO 0x2A
#define INS_RESET_RETRY 0x2C
#define INS_KEYPAIR_GEN 0x46
#define INS_KEY_GEN 0x48
#define INS_INITIALIZE 0x50
#define INS_KEY_DOMAIN 0x52
#define INS_PUK_AUTH 0x54
#define INS_LIST_KEYS 0x58
#define INS_SESSION_PIN 0x5A
#define INS_DECRYPT_ASYM 0x62
@@ -2056,6 +2419,7 @@ typedef struct cmd
#define INS_UNWRAP 0x74
#define INS_DERIVE_ASYM 0x76
#define INS_CIPHER_SYM 0x78
#define INS_EXTERNAL_AUTHENTICATE 0x82
#define INS_CHALLENGE 0x84
#define INS_GENERAL_AUTHENTICATE 0x86
#define INS_SELECT_FILE 0xA4
@@ -2089,6 +2453,9 @@ static const cmd_t cmds[] = {
{ INS_MSE, cmd_mse },
{ INS_GENERAL_AUTHENTICATE, cmd_general_authenticate },
{ INS_SESSION_PIN, cmd_session_pin },
{ INS_PUK_AUTH, cmd_puk_auth },
{ INS_PSO, cmd_pso },
{ INS_EXTERNAL_AUTHENTICATE, cmd_external_authenticate },
{ 0x00, 0x0}
};

16
src/hsm/sc_hsm.h
View File

@@ -26,21 +26,35 @@ extern const uint8_t sc_hsm_aid[];
#define ALGO_RSA_RAW 0x20 /* RSA signature with external padding */
#define ALGO_RSA_DECRYPT 0x21 /* RSA decrypt */
#define ALGO_RSA_DECRYPT 0x21 /* RSA raw decrypt */
#define ALGO_RSA_DECRYPT_PKCS1 0x22
#define ALGO_RSA_DECRYPT_OEP 0x23
#define ALGO_RSA_PKCS1 0x30 /* RSA signature with DigestInfo input and PKCS#1 V1.5 padding */
#define ALGO_RSA_PKCS1_SHA1 0x31 /* RSA signature with SHA-1 hash and PKCS#1 V1.5 padding */
#define ALGO_RSA_PKCS1_SHA224 0x32
#define ALGO_RSA_PKCS1_SHA256 0x33 /* RSA signature with SHA-256 hash and PKCS#1 V1.5 padding */
#define ALGO_RSA_PKCS1_SHA384 0x34
#define ALGO_RSA_PKCS1_SHA512 0x35
#define ALGO_RSA_PSS 0x40 /* RSA signature with external hash and PKCS#1 PSS padding*/
#define ALGO_RSA_PSS_SHA1 0x41 /* RSA signature with SHA-1 hash and PKCS#1 PSS padding */
#define ALGO_RSA_PSS_SHA224 0x42
#define ALGO_RSA_PSS_SHA256 0x43 /* RSA signature with SHA-256 hash and PKCS#1 PSS padding */
#define ALGO_RSA_PSS_SHA384 0x44
#define ALGO_RSA_PSS_SHA512 0x45
#define ALGO_EC_RAW 0x70 /* ECDSA signature with hash input */
#define ALGO_EC_SHA1 0x71 /* ECDSA signature with SHA-1 hash */
#define ALGO_EC_SHA224 0x72 /* ECDSA signature with SHA-224 hash */
#define ALGO_EC_SHA256 0x73 /* ECDSA signature with SHA-256 hash */
#define ALGO_EC_SHA384 0x74
#define ALGO_EC_SHA512 0x75
#define ALGO_EC_DH 0x80 /* ECDH key derivation */
#define ALGO_WRAP 0x92
#define ALGO_UNWRAP 0x93
#define ALGO_REPLACE 0x94
#define ALGO_EC_DERIVE 0x98 /* Derive EC key from EC key */
#define ALGO_AES_CBC_ENCRYPT 0x10

2
src/hsm/version.h
View File

@@ -18,7 +18,7 @@
#ifndef __VERSION_H_
#define __VERSION_H_
#define HSM_VERSION 0x0202
#define HSM_VERSION 0x0206
#define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
#define HSM_VERSION_MINOR (HSM_VERSION & 0xff)