Typo

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/workflows/codeql.yml

@@ -0,0 +1,72 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '23 5 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+        
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    # - name: Autobuild
+    #  uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    - run: |
+       echo "Run, Build Application using script"
+       ./workflows/autobuild.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "pico-ccid"]
-	path = pico-ccid
-	url = https://github.com/polhenarejos/pico-ccid
+[submodule "pico-hsm-sdk"]
+	path = pico-hsm-sdk
+	url = ../pico-hsm-sdk

CMakeLists.txt

@@ -1,17 +1,17 @@
- # 
+ #
  # This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  # Copyright (c) 2022 Pol Henarejos.
- # 
- # This program is free software: you can redistribute it and/or modify  
- # it under the terms of the GNU General Public License as published by  
+ #
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
  # the Free Software Foundation, version 3.
  #
- # This program is distributed in the hope that it will be useful, but 
- # WITHOUT ANY WARRANTY; without even the implied warranty of 
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ # This program is distributed in the hope that it will be useful, but
+ # WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  # General Public License for more details.
  #
- # You should have received a copy of the GNU General Public License 
+ # You should have received a copy of the GNU General Public License
  # along with this program. If not, see <http://www.gnu.org/licenses/>.
  #
 
@@ -28,74 +28,45 @@ pico_sdk_init()
 
 add_executable(pico_hsm)
 
-if (NOT DEFINED USB_VID)
-    set(USB_VID 0xFEFF)
-endif()
-add_definitions(-DUSB_VID=${USB_VID})
-if (NOT DEFINED USB_PID)
-    set(USB_PID 0xFCFD)
-endif()
-add_definitions(-DUSB_PID=${USB_PID})
-
-find_package( PythonInterp 3.7 REQUIRED )
-        
-if (NOT EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvcerts.h)
-    execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_LIST_DIR}/burn-cvcerts.py ${CMAKE_CURRENT_LIST_DIR})
-    message("Burning CVCert")
-endif()
-
-configure_file(${CMAKE_CURRENT_LIST_DIR}/pico-ccid/config/mbedtls_config.h ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/include/mbedtls COPYONLY)
-
 target_sources(pico_hsm PUBLIC
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb/usb.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb/usb_descriptors.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/ccid2040.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/asn1.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/file.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/flash.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/low_flash.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng/random.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng/neug.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/crypto_utils.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/eac.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/sc_hsm.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_select.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_list_keys.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_read_binary.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_verify.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_reset_retry.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_challenge.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_external_authenticate.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_mse.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_initialize.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_domain.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_wrap.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_keypair_gen.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_update_ef.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_delete_file.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_change_pin.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_gen.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_signature.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_unwrap.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_decrypt_asym.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_cipher_sym.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_derive_asym.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_extras.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_general_authenticate.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_session_pin.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_puk_auth.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_pso.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvc.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/files.c
-        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/dkek.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/kek.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/oid.c
-        
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/aes.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/asn1write.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/bignum.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cmac.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cipher.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cipher_wrap.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/constant_time.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecdsa.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecdh.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecp.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecp_curves.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/hkdf.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/md.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/md5.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/oid.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/platform_util.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ripemd160.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/rsa.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/rsa_alt_helpers.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha1.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha256.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha512.c
+
         )
+set(HSM_DRIVER "ccid")
+include(pico-hsm-sdk/pico_hsm_sdk_import.cmake)
 
 target_include_directories(pico_hsm PUBLIC
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/include
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library
         )
 
 target_compile_options(pico_hsm PUBLIC
@@ -105,7 +76,7 @@ target_compile_options(pico_hsm PUBLIC
 
 pico_add_extra_outputs(pico_hsm)
 
-target_link_libraries(pico_hsm PRIVATE pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
+target_link_libraries(pico_hsm PRIVATE pico_hsm_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
 
 #
 #project(flash_nuke C CXX ASM)

Dockerfile

@@ -0,0 +1,54 @@
+FROM debian:bullseye
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update && apt-get install -y \
+	build-essential \
+	git \
+	cmake \
+	gcc-arm-none-eabi \
+	libnewlib-arm-none-eabi \
+	libstdc++-arm-none-eabi-newlib \
+	python3 \
+	python3-pip
+
+RUN useradd -m builduser
+
+USER builduser
+
+WORKDIR /home/builduser
+
+VOLUME /home/builduser/release
+
+ARG VERSION_PICO_SDK 1.4.0
+
+RUN mkdir -p /home/builduser/Devel/pico
+RUN cd /home/builduser/Devel/pico \
+	&& git clone https://github.com/raspberrypi/pico-sdk.git \
+        && cd pico-sdk \
+        && git checkout $VERSION_PICO_SDK \
+        && git submodule update --init --recursive
+
+RUN pip install cryptography
+
+ARG VERSION_MAJOR 2
+ARG VERSION_MINOR 6
+
+RUN cd /home/builduser \
+	&& git clone https://github.com/polhenarejos/pico-hsm.git \
+	&& cd pico-hsm \
+	&& git checkout v${VERSION_MAJOR}.${VERSION_MINOR} \
+	&& git submodule update --init --recursive \
+	&& mkdir build_release
+
+ENV PICO_SDK_PATH /home/builduser/Devel/pico/pico-sdk
+
+
+
+ARG USB_VID 0xfeff
+ARG USB_PID 0xfcfd
+
+ARG PICO_BOARD waveshare_rp2040_zero 
+
+RUN cd /home/builduser/pico-hsm \
+	&& cd build_release \
+	&& cmake .. -DPICO_BOARD=$PICO_BOARD -DUSB_VID=${USB_VID} -DUSB_PID=${USB_PID} \
+	&& make -kj20

README.md

@@ -2,128 +2,128 @@
 This is a project to create a Hardware Security Module (HSM) with a Raspberry Pico. It converts your Pico board into a HSM which is able to generate and store private keys, encrypt or decrypt with AES or signing data without to disclose the private key. In detail, the private key never leaves the board and it cannot be retrieved as it is encrypted in the flash memory.
 
 ## Capabilities
-### Key generation and encrypted storage
+### > Key generation and encrypted storage
 Private and secret keys are stored with a master AES 256 key (DKEK). The DKEK is, at the same time, encrypted with a hashed and salted version of the PIN.
 **No private/secret keys, DKEK or PIN are stored in plain text ever. Never.**
 
-### RSA key generation from 1024 to 4096 bits
+### > RSA key generation from 1024 to 4096 bits
 RSA key generation in place for 1024, 2048, 3072 and 4096 bits. Private keys never leave the device.
 
-### ECDSA key generation from 192 to 521 bits
+### > ECDSA key generation from 192 to 521 bits
 ECDSA key generation in place for different curves, from 192 to 521 bits.
 
-### ECC curves
+### > ECC curves
 It supports secp192r1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1 (insecure), secp256k1 curves.
 
-### SHA1, SHA224, SHA256, SHA384, SHA512 digests
+### > SHA1, SHA224, SHA256, SHA384, SHA512 digests
 ECDSA and RSA signature can be combined with SHA digest in place.
 
-### Multiple RSA signature algorithms
+### > Multiple RSA signature algorithms
 It supports RSA-PSS, RSA-PKCS and raw RSA signatures.
 
-### ECDSA raw and hash signature
+### > ECDSA raw and hash signature
 ECDSA signatures can be in raw or pre-hashed formats.
 
-### ECDH key derivation
+### > ECDH key derivation
 It supports the calculation of shared secrets with ECDH algorithm.
 
-### EC private key derivation
+### > EC private key derivation
 It allows ECDSA key derivation.[^1]
 
-### RSA-OEP and RSA-X-509 decryption
+### > RSA-OEP and RSA-X-509 decryption
 It allows private decryption in place with RSA-OEP and RSA-X-509 algorithms.
 
-### AES key generation
+### > AES key generation
 It supports AES key generation in place with keys of 128, 192 and 256 bits.
 
-### AES-CBC encryption/decryption
+### > AES-CBC encryption/decryption
 AES encryption and decryption is performed in place.
 
-### CMAC
+### > CMAC
 It supports AES-CMAC authentication.[^1]
 
-### AES derivation
+### > AES derivation
 It supports AES secret key derivation.[^1]
 
-### PIN authorization
+### > PIN authorization
 Private and secret keys cannot be used without prior PIN authentication. It supports alphanumeric PIN.
 
-### PKCS11 compliant interface
+### > PKCS11 compliant interface
 The module can be interfaced with PKCS11 standard.
 
-### HRNG (hardware random number generator)
+### > HRNG (hardware random number generator)
 It contains a harware random number generator properly modeled to guarantee maximum entropy.
 
-### Device Key Encryption Key (DKEK) shares
+### > Device Key Encryption Key (DKEK) shares
 It supports DKEK share imports. DKEK are used to wrap, unwrap and encrypt private and secret keys in the device.
 
-### DKEK n-of-m threshold scheme
+### > DKEK n-of-m threshold scheme
 It supports a n-of-m threshold scheme to minimize outage when a DKEK custodian is not available during the import process.
 
-### USB/CCID support with OpenSC, openssl, etc.
+### > USB/CCID support with OpenSC, openssl, etc.
 Pico HSM has a full USB CCID stack to communicate with the host via OpenSC and PCSC. It allows the use of frontend applications such as OpenSSL via PKCS11 module.
 
-### Extended APDU support
+### > Extended APDU support
 It supports extended APDU packets, which allows up to 65535 bytes.
 
-### CVC certificates
+### > CV Certificates
 Pico HSM manipulates CVC certificates and requests to minimize the storage of internal certificates.
 
-### Attestation
+### > Attestation
 Every generated key is attached to a certificate, signed by an external PKI to ensure that a particular key is effectively generated by this specific device.
 
-### Import external private keys and certificates
+### > Import external private keys and certificates
 It allows private key and certificates import via WKY or PKCS#12 files.[^2][^3]
 
-### Tranport PIN
+### > Tranport PIN
 It allows transport PIN for provisioning and forcing to set a new PIN.[^2] It is a tampered mechanism that ensures the device has not been unsealed during the transportation from the issuer to the legitimate user.
 
-### Press-to-confirm button
+### > Press-to-confirm button
 It allows the use of BOOTSEL button to confirm operations with private/secret keys, such as signatures and decryption. When a private/secret key is loaded, the user has 15 seconds to press the button to confirm the operation.
 This feature protects the user from unwanted uses from background applications that may sign data without user notice.
 
-### Store and retrieve binary data
+### > Store and retrieve binary data
 It allows the storage of arbitrary files with binary data.
 
-### Real time clock (RTC)
-Pico HSM has a RTC with external datetime setting and getting. 
+### > Real time clock (RTC)
+Pico HSM has a RTC with external datetime setting and getting.
 
-### Secure Messaging (secure channel)
+### > Secure Messaging (secure channel)
 Pico HSM supports secure channel, where the data packets between the host and device are encrypted to avoid man-in-the-middle attacks.
 
-### Session PIN
+### > Session PIN
 A specific session PIN can be set during the session opening to avoid the systemmatic use of PIN.
 
-### PKI CVCert remote issuing for Secure Message
+### > PKI CVCert remote issuing for Secure Message
 Secure channel messages are secured with a certificate issued by an external PKI.
 
-### Multiple key domains
-Key domains are domains to store separate private/secret keys. Each domain is protected by a DKEK, independent from the other domains. Private/secret keys can be generated in different key domains to be used with separated DKEK. 
+### > Multiple key domains
+Key domains are domains to store separate private/secret keys. Each domain is protected by a DKEK, independent from the other domains. Private/secret keys can be generated in different key domains to be used with separated DKEK.
 Therefore, a single device may contain different domains with independent keys.
 
-### Key usage counter
+### > Key usage counter
 A key usage counter is a counter that is reduced by 1 everytime that the private/secret key is used for signing, decrypting, derivation, etc. When it reaches 0, the key is disabled and cannot be used anymore.
 
 Key usage can also be used to perform and auditory and track the usage of a particular key.
 
-### Public Key Authentication
+### > Public Key Authentication
 Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
 
-In PKA, neither PIN nor retry counters are used, since a private key is needed. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
+In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
 
 [^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
 [^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
-[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process. 
+[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process.
 
 ## Security considerations
-All secret keys (asymmetric and symmetric) are stored encrypted in the flash memory of the Raspberry Pico. DKEK is used as a 256 bit AES key to protect private and secret keys. Keys are never stored in RAM except for signature and decryption operations and only during the process. All keys (including DKEK) are loaded and cleared every time to avoid potential security flaws. 
+All secret keys (asymmetric and symmetric) are stored encrypted in the flash memory of the Raspberry Pico. DKEK is used as a 256 bit AES key to protect private and secret keys. Keys are never stored in RAM except for signature and decryption operations and only during the process. All keys (including DKEK) are loaded and cleared every time to avoid potential security flaws.
 
 At the same time, DKEK is encrypted with doubled salted and hashed PIN. Also, the PIN is hashed in memory during the session. Hence, PIN is never stored in plain text neither in flash nor in memory. Note that PIN is conveyed from the host to the HSM in plain text if no secure channel is provided.
 
 If the Pico is stolen the contents of private and secret keys cannot be read without the PIN, even if the flash memory is dumped.
 
 ## Download
-Please, go to the Release page and download the UF2 file for your board. 
+Please, go to the Release page and download the UF2 file for your board.
 
 Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you are planning to use it with OpenSC or similar, you should modify Info.plist of CCID driver to add these VID/PID or use the VID/PID patcher as follows:
 `./patch_vidpid.sh VID:PID input_hsm_file.uf2 output_hsm_file.uf2`
@@ -145,6 +145,30 @@ Note that `PICO_BOARD`, `USB_VID` and `USB_PID` are optional. If not provided, `
 
 After `make` ends, the binary file `pico_hsm.uf2` will be generated. Put your pico board into loading mode, by pushing `BOOTSEL` button while pluging on, and copy the UF2 to the new fresh usb mass storage Pico device. Once copied, the pico mass storage will be disconnected automatically and the pico board will reset with the new firmware. A blinking led will indicate the device is ready to work.
 
+### Docker
+Independent from your Linux distribution or when using another OS that supports Docker, you could build a specific pico-hsm version in a Linux container.
+
+
+```
+sudo docker build \
+    --build-arg VERSION_PICO_SDK=1.4.0 \
+    --build-arg VERSION_MAJOR=2 \
+    --build-arg VERSION_MINOR=6 \
+    --build-arg PICO_BOARD=waveshare_rp2040_zero \
+    --build-arg USB_VID=0xfeff \
+    --build-arg USB_PID=0xfcfd \
+    -t pico-hsm-builder .
+
+sudo docker run \
+    --name mybuild \
+    -it pico-hsm-builder \
+    ls -l /home/builduser/pico-hsm/build_release/pico_hsm.uf2
+
+sudo docker cp mybuild:/home/builduser/pico-hsm/build_release/pico_hsm.uf2 .
+
+sudo docker rm mybuild
+```
+
 ## Usage
 The firmware uploaded to the Pico contains a reader and a virtual smart card. It is like having a physical reader with an inserted SIM card.
 We recommend the use of [OpenSC](http://github.com/opensc/opensc/ "OpenSC") to communicate with the reader. If it is not installed, you can download and build it or install the binaries for your system. The first command is to ensure that the Pico is detected as a HSM:
@@ -179,7 +203,7 @@ For Public Key Authentication, check [doc/public_key_authentication.md](/doc/pub
 
 ## Operation time
 ### Keypair generation
-Generating EC keys is almost instant. RSA keypair generation takes some time, specially for `3072` and `4096` bits. 
+Generating EC keys is almost instant. RSA keypair generation takes some time, specially for `3072` and `4096` bits.
 
 | RSA key length (bits) | Average time (seconds) |
 | :---: | :---: |
@@ -227,7 +251,7 @@ While processing, the Pico HSM is busy and cannot receive additional commands un
 
 ## Driver
 
-Pico HSM uses the `sc-hsm` driver provided by [OpenSC](https://github.com/OpenSC/OpenSC/ "OpenSC") or the `sc-hsm-embedded` driver provided by [CardContact](https://github.com/CardContact/sc-hsm-embedded "CardContact"). This driver utilizes the standardized PKCS#11 interface to communicate with the user and it can be used with many engines that accept PKCS#11 interface, such as OpenSSL, P11 library or pkcs11-tool. 
+Pico HSM uses the `sc-hsm` driver provided by [OpenSC](https://github.com/OpenSC/OpenSC/ "OpenSC") or the `sc-hsm-embedded` driver provided by [CardContact](https://github.com/CardContact/sc-hsm-embedded "CardContact"). This driver utilizes the standardized PKCS#11 interface to communicate with the user and it can be used with many engines that accept PKCS#11 interface, such as OpenSSL, P11 library or pkcs11-tool.
 
 Pico HSM relies on PKCS#15 structure to store and manipulate the internal files (PINs, private keys, certificates, etc.) and directories. Therefore, it accepts the commands from `pkcs15-tool`. For instance, `pkcs15-tool -D` will list all elements stored in the Pico HSM.
 

build_pico_hsm.sh

@@ -1,21 +1,53 @@
 #!/bin/bash
 
-VERSION_MAJOR="2"
-VERSION_MINOR="4"
+VERSION_MAJOR="3"
+VERSION_MINOR="0"
 
 rm -rf release/*
 cd build_release
 
-for board in adafruit_feather_rp2040 adafruit_itsybitsy_rp2040 adafruit_qtpy_rp2040 adafruit_trinkey_qt2040 arduino_nano_rp2040_connect melopero_shake_rp2040 pimoroni_interstate75 pimoroni_keybow2040 pimoroni_pga2040 pimoroni_picolipo_4mb pimoroni_picolipo_16mb pimoroni_picosystem pimoroni_plasma2040 pimoroni_tiny2040 pybstick26_rp2040 sparkfun_micromod sparkfun_promicro sparkfun_thingplus vgaboard waveshare_rp2040_lcd_0.96 waveshare_rp2040_plus_4mb waveshare_rp2040_plus_16mb waveshare_rp2040_zero
+for board in adafruit_feather_rp2040 \
+    adafruit_itsybitsy_rp2040 \
+    adafruit_kb2040 \
+    adafruit_macropad_rp2040 \
+    adafruit_qtpy_rp2040 \
+    adafruit_trinkey_qt2040 \
+    arduino_nano_rp2040_connect \
+    datanoisetv_rp2040_dsp \
+    eetree_gamekit_rp2040 \
+    garatronic_pybstick26_rp2040 \
+    melopero_shake_rp2040 \
+    pico \
+    pico_w \
+    pimoroni_badger2040 \
+    pimoroni_interstate75 \
+    pimoroni_keybow2040 \
+    pimoroni_motor2040 \
+    pimoroni_pga2040 \
+    pimoroni_picolipo_4mb \
+    pimoroni_picolipo_16mb \
+    pimoroni_picosystem \
+    pimoroni_plasma2040 \
+    pimoroni_servo2040 \
+    pimoroni_tiny2040 \
+    pimoroni_tiny2040_2mb \
+    seeed_xiao_rp2040 \
+    solderparty_rp2040_stamp \
+    solderparty_rp2040_stamp_carrier \
+    solderparty_rp2040_stamp_round_carrier \
+    sparkfun_micromod \
+    sparkfun_promicro \
+    sparkfun_thingplus \
+    vgaboard \
+    waveshare_rp2040_lcd_0.96 \
+    waveshare_rp2040_plus_4mb \
+    waveshare_rp2040_plus_16mb \
+    waveshare_rp2040_zero \
+    wiznet_w5100s_evb_pico
 do
     rm -rf *
-    PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake .. -DPICO_BOARD=$board 
+    PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake .. -DPICO_BOARD=$board
     make -kj20
     mv pico_hsm.uf2 ../release/pico_hsm_$board-$VERSION_MAJOR.$VERSION_MINOR.uf2
-    
-done
 
-rm -rf *
-PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake ..
-make -kj20
-mv pico_hsm.uf2 ../release/pico_hsm_pico_generic-$VERSION_MAJOR.$VERSION_MINOR.uf2
+done

burn-cvcerts.py

@@ -1,116 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-"""
-Created on Wed Apr 13 20:15:01 2022
-
-@author: Pol Henarejos
-"""
-
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import ec
-import base64
-import urllib.request
-import json
-import sys
-import ssl
-
-ssl._create_default_https_context = ssl._create_unverified_context
-
-def print_var(v, name):
-    s = '\n'
-    s += "static const unsigned char "+name+"[] = {\n"
-    s += "\t0x{:02x},0x{:02x},\n".format((len(v) & 0xff),((len(v)>> 8) & 0xff))
-    for i in range(len(v)):
-        if (i%16 == 0):
-            s += '\t'
-        s += "0x{:02x}".format((v[i]))
-        if (i < len(v)-1):
-            s += ','
-        if (i%16 == 15):
-            s += '\n'
-    s += '\n'
-    s += '};\n'
-    return s
-
-def main():
-    args = sys.argv[1:]
-    
-    private_key = ec.generate_private_key(ec.SECP192R1(), default_backend())
-    public_key = private_key.public_key()
-    pub_num = public_key.public_numbers()
-    pbk = base64.urlsafe_b64encode(b'\x04'+pub_num.x.to_bytes(24,'big')+pub_num.y.to_bytes(24,'big'))
-    
-    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
-    
-    data = urllib.parse.urlencode({'pubkey':pbk}).encode()
-    req = urllib.request.Request("https://www.henarejos.me/pico-hsm.php", method='POST', data=data, headers={'User-Agent':user_agent,} ) #The assembled request
-    response = urllib.request.urlopen(req)
-    resp = response.read().decode('utf-8')
-    j = json.loads(resp)
-    cvcert = base64.b64decode(j['cvcert'])
-    
-    dica = [
-        0x7f,0x21,0x81,0xc5,0x7f,0x4e,0x81,0x8e,0x5f,0x29,0x01,0x00,0x42,0x0e,0x45,0x53,
-        0x43,0x56,0x43,0x41,0x48,0x53,0x4d,0x30,0x30,0x30,0x30,0x31,0x7f,0x49,0x3f,0x06,
-        0x0a,0x04,0x00,0x7f,0x00,0x07,0x02,0x02,0x02,0x02,0x03,0x86,0x31,0x04,0x93,0x7e,
-        0xdf,0xf1,0xa6,0xd2,0x40,0x7e,0xb4,0x71,0xb2,0x97,0x50,0xdb,0x7e,0xe1,0x70,0xfb,
-        0x6c,0xcd,0x06,0x47,0x2a,0x3e,0x9c,0x8d,0x59,0x56,0x57,0xbe,0x11,0x11,0x0a,0x08,
-        0x81,0x54,0xed,0x22,0xc0,0x83,0xac,0xa1,0x2e,0x39,0x7b,0xd4,0x65,0x1f,0x5f,0x20,
-        0x0e,0x45,0x53,0x44,0x56,0x43,0x41,0x48,0x53,0x4d,0x30,0x30,0x30,0x30,0x31,0x7f,
-        0x4c,0x12,0x06,0x09,0x04,0x00,0x7f,0x00,0x07,0x03,0x01,0x02,0x02,0x53,0x05,0x80,
-        0x00,0x00,0x00,0x04,0x5f,0x25,0x06,0x02,0x02,0x00,0x03,0x02,0x07,0x5f,0x24,0x06,
-        0x02,0x05,0x01,0x02,0x03,0x01,0x5f,0x37,0x30,0x8b,0xb2,0x01,0xb6,0x24,0xfe,0xe5,
-        0x4e,0x65,0x3a,0x02,0xa2,0xb2,0x27,0x2d,0x3d,0xb4,0xb0,0xc9,0xdd,0xbf,0x10,0x6d,
-        0x99,0x49,0x46,0xd6,0xd0,0x72,0xc1,0xf3,0x4c,0xab,0x4f,0x32,0x14,0x7c,0xb0,0x99,
-        0xb7,0x33,0x70,0xd6,0x00,0xff,0x73,0x0c,0x5d
-    ]
-    
-    cvca = [
-        0x7f, 0x21, 0x82, 0x01, 0x65, 0x7f, 0x4e, 0x82, 0x01, 0x2d, 0x5f, 0x29,
-        0x01, 0x00, 0x42, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41, 0x48, 0x53,
-        0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x49, 0x81, 0xdd, 0x06, 0x0a,
-        0x04, 0x00, 0x7f, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03, 0x81, 0x18,
-        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0x82, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0xff, 0xfc, 0x83, 0x18, 0x64, 0x21, 0x05, 0x19, 0xe5, 0x9c, 0x80, 0xe7,
-        0x0f, 0xa7, 0xe9, 0xab, 0x72, 0x24, 0x30, 0x49, 0xfe, 0xb8, 0xde, 0xec,
-        0xc1, 0x46, 0xb9, 0xb1, 0x84, 0x31, 0x04, 0x18, 0x8d, 0xa8, 0x0e, 0xb0,
-        0x30, 0x90, 0xf6, 0x7c, 0xbf, 0x20, 0xeb, 0x43, 0xa1, 0x88, 0x00, 0xf4,
-        0xff, 0x0a, 0xfd, 0x82, 0xff, 0x10, 0x12, 0x07, 0x19, 0x2b, 0x95, 0xff,
-        0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73,
-        0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, 0x85, 0x18, 0xff, 0xff, 0xff,
-        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x99, 0xde, 0xf8,
-        0x36, 0x14, 0x6b, 0xc9, 0xb1, 0xb4, 0xd2, 0x28, 0x31, 0x86, 0x31, 0x04,
-        0x08, 0x8f, 0xcd, 0xfc, 0xce, 0x87, 0xed, 0xd2, 0x85, 0x92, 0x06, 0x15,
-        0xe6, 0x51, 0xd7, 0x64, 0x52, 0xd8, 0x57, 0xec, 0xbb, 0x40, 0x8c, 0x32,
-        0x7a, 0xdb, 0x48, 0xa2, 0xa5, 0x14, 0xc1, 0xc9, 0xbd, 0x77, 0xcc, 0x97,
-        0x83, 0x60, 0x7a, 0x74, 0x14, 0x93, 0xa7, 0x42, 0x74, 0x4a, 0xd1, 0x73,
-        0x87, 0x01, 0x01, 0x5f, 0x20, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41,
-        0x48, 0x53, 0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x4c, 0x12, 0x06,
-        0x09, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x01, 0x02, 0x02, 0x53, 0x05,
-        0xc0, 0x00, 0x00, 0x00, 0x04, 0x5f, 0x25, 0x06, 0x02, 0x02, 0x00, 0x03,
-        0x02, 0x06, 0x5f, 0x24, 0x06, 0x03, 0x00, 0x01, 0x02, 0x03, 0x01, 0x5f,
-        0x37, 0x30, 0x72, 0x97, 0x77, 0x76, 0x64, 0xb6, 0x0c, 0x57, 0xa2, 0xc4,
-        0x5e, 0x7b, 0xfd, 0x12, 0xe5, 0x20, 0x14, 0x3e, 0xde, 0x90, 0x38, 0xbf,
-        0xb3, 0x02, 0x73, 0x91, 0x06, 0xf2, 0x73, 0x0d, 0x76, 0x06, 0x65, 0xd7,
-        0x46, 0x49, 0x91, 0x0c, 0x51, 0x90, 0x89, 0x84, 0x8d, 0x4f, 0xb6, 0xe5,
-        0x13, 0x40
-    ]
-    
-    s = '#ifndef _CVCERTS_H_\n#define _CVCERTS_H_\n'
-    s += print_var(cvca,'cvca')
-    s += print_var(dica,'dica')
-    s += print_var(cvcert,'termca')
-    
-    pvk = private_key.private_numbers().private_value.to_bytes(24,'big')
-    s += print_var(pvk,'termca_pk')
-    s += '\n#endif\n'
-    f = open(args[0] + '/src/hsm/cvcerts.h','w')
-    f.write(s)
-    f.close()
-    
-if __name__ == '__main__':
-    main()

doc/aes.md

@@ -54,4 +54,4 @@ Using decrypt algorithm AES-CBC
 This is a text.
 ```
 
-AES-CBC it is a block operation and it requires an input size multiple of 16 bytes. Thus, for a trivial data, a padding operation has to be performed beforehand. 
+AES-CBC it is a block operation and it requires an input size multiple of 16 bytes. Thus, for a trivial data, a padding operation has to be performed beforehand.

doc/asymmetric-ciphering.md

@@ -24,12 +24,12 @@ This algorithm uses the PKCSv1.5 padding. It is considered deprecated and insecu
 First, we encrypt the data with the public key:
 
 ```
-$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt 
+$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt
 ```
 
 Then, we decrypt with the private key inside the Pico HSM:
 
-``` 
+```
 $ pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS -i data.crypt
 Using slot 0 with a present token (0x0)
 Using decrypt algorithm RSA-PKCS
@@ -54,7 +54,7 @@ $ openssl rsautl -encrypt -inkey 1.pub -in data_pad -pubin -out data.crypt -raw
 
 Then, we decrypt with the private key inside the Pico HSM:
 ```
-$ cat data.crypt|pkcs11-tool --id 4 --pin 648219 --decrypt --mechanism RSA-X-509 
+$ cat data.crypt|pkcs11-tool --id 4 --pin 648219 --decrypt --mechanism RSA-X-509
 Using slot 0 with a present token (0x0)
 Using decrypt algorithm RSA-X-509
 This is a test string. Be safe, be secure.
@@ -78,7 +78,7 @@ This is a test string. Be safe, be secure.
 ```
 
 ## ECDH-DERIVE
-ECC keys do not allow ciphering operations. Instead, the ECDH scheme provides a mechanism to exchange a shared symmetric key without transmitting it to the remote part. The shared key is composed by multiplying the local private key and the remote public key. 
+ECC keys do not allow ciphering operations. Instead, the ECDH scheme provides a mechanism to exchange a shared symmetric key without transmitting it to the remote part. The shared key is composed by multiplying the local private key and the remote public key.
 
 First, we create the remote part, Bob, by generating an ECC keypair and getting the public key:
 ```
@@ -104,8 +104,8 @@ No output is displayed if both are equal.
 
 You can also view the contents of both keys:
 ```
-$ xxd -p bob-mine.der             
+$ xxd -p bob-mine.der
 9874558aefa9d92cc051e5da6d1753987e5314925d6d78bf
-$ xxd -p mine-bob.der             
+$ xxd -p mine-bob.der
 9874558aefa9d92cc051e5da6d1753987e5314925d6d78bf
 ```

doc/backup-and-restore.md

@@ -29,15 +29,15 @@ symbols.
 Please keep the generated DKEK share file in a safe location. We also recommend to keep a
 paper printout, in case the electronic version becomes unavailable. A printable version
 of the file can be generated using "openssl base64 -in <filename>".
-Enter password to encrypt DKEK share : 
+Enter password to encrypt DKEK share :
 
-Please retype password to confirm : 
+Please retype password to confirm :
 
 Enciphering DKEK share, please wait...
 DKEK share created and saved to dkek.pbe
 ```
 
-The generated file `dkek.pbe` contains the DKEK. Technically, it contains a share. But if a device is initialized with one share, it is equivalent to contain the full DKEK. 
+The generated file `dkek.pbe` contains the DKEK. Technically, it contains a share. But if a device is initialized with one share, it is equivalent to contain the full DKEK.
 
 Keep these file in a safe place. If this file is lost, you can export the private keys but you will not be able to import into another device or in the same device if it is initialized again.
 
@@ -52,7 +52,7 @@ At this moment, the Pico HSM expects the DKEK. It is loaded with the following c
 ```
 $ sc-hsm-tool --import-dkek-share dkek.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -81,7 +81,7 @@ And finally, all are imported one after the other, without special order:
 ```
 $ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -90,7 +90,7 @@ DKEK import pending, 2 share(s) still missing
 
 $ sc-hsm-tool --import-dkek-share dkek-share-2.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -99,7 +99,7 @@ DKEK import pending, 1 share(s) still missing
 
 $ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -110,7 +110,7 @@ DKEK key check value : 4B7DA256ACD4EF62
 ### DKEK n-of-m threshold scheme
 This scheme provides an extra level of flexiblity, as not all custodians are necessary to import the DKEK share. For instance, with the previous schemes, if a custodian gets unavailable, the initialization will block until the missing custodian can got to finalize the initialization.
 
-With n-of-m threshold scheme, it flexibilizes the number of required custodians to reduce failure points. If a share is lost, the DKEK can still be recovered without major implications. 
+With n-of-m threshold scheme, it flexibilizes the number of required custodians to reduce failure points. If a share is lost, the DKEK can still be recovered without major implications.
 
 This scheme is not a replacement of DKEK shares. Instead, it splits the DKEK share encryption password amongst the n-of-m threshold scheme. For instance, if you define 2 shares and a scheme of 3-of-5 threshold for each share, it will imply 10 different custodians, where 6 are necessary to load both shares. You can also mix one share with traditional passphrase and the other with the n-of-m threshold scheme.
 
@@ -123,7 +123,7 @@ Using reader with a card:Free Software Initiative of Japan Gnuk
 The DKEK will be enciphered using a randomly generated 64 bit password.
 This password is split using a (3-of-5) threshold scheme.
 
-Please keep the generated and encrypted DKEK file in a safe location. We also recommend 
+Please keep the generated and encrypted DKEK file in a safe location. We also recommend
 to keep a paper printout, in case the electronic version becomes unavailable. A printable version
 of the file can be generated using "openssl base64 -in <filename>".
 
@@ -191,7 +191,7 @@ Private RSA Key [Certificate]
 ...
 ```
 
-Note that `Key ref` and `ID` may be different. Whilst different keys may share the same `ID` (highly discouraged), the `Key ref` is a value internally computed and unique. 
+Note that `Key ref` and `ID` may be different. Whilst different keys may share the same `ID` (highly discouraged), the `Key ref` is a value internally computed and unique.
 
 To export and wrap the private key:
 
@@ -199,10 +199,10 @@ To export and wrap the private key:
 $ sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219
 ```
 
-A file named `wrap-key.bin` is created with the private key encrypted securely with the DKEK. 
+A file named `wrap-key.bin` is created with the private key encrypted securely with the DKEK.
 
 ## Restore
-To restore the wraped key, a device initialized with the same DKEK is mandatory. 
+To restore the wraped key, a device initialized with the same DKEK is mandatory.
 
 To unwrap the key:
 

doc/extra_command.md

@@ -1,6 +1,6 @@
 # Extra command
 
-Pico HSM supports a customized extra command to use with different options. Since the drivers in the market do not support the following features, a raw APDU command shall be sent. 
+Pico HSM supports a customized extra command to use with different options. Since the drivers in the market do not support the following features, a raw APDU command shall be sent.
 
 To send a raw APDU command, `opensc-tool -s <APDU>` can be used. The `APDU` parameter is a string of hexadecimal numbers and it takes the following form:
 ```
@@ -27,7 +27,7 @@ For example, to obtain the current datetime:
 ```
 $ opensc-tool -s 80640A0008
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 0A 00 08 
+Sending: 80 64 0A 00 08
 Received (SW1=0x90, SW2=0x00):
 07 E6 04 06 03 13 29 1E ......).
 ```
@@ -49,7 +49,7 @@ To set the reference datetime, a datetime string must be provided. For example:
 ```
 $ opensc-tool -s 80640A000807E6040603132917
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 0A 00 08 07 E6 04 06 03 13 29 17 
+Sending: 80 64 0A 00 08 07 E6 04 06 03 13 29 17
 Received (SW1=0x90, SW2=0x00)
 ```
 
@@ -72,7 +72,7 @@ This feature is disabled by default but can be enabled rapidly by setting the LS
 ```
 $ opensc-tool -s 806406000101
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 06 00 01 01 
+Sending: 80 64 06 00 01 01
 Received (SW1=0x90, SW2=0x00)
 ```
 
@@ -99,7 +99,7 @@ This feature is disabled by default but can be enabled rapidly by setting the 2n
 ```
 $ opensc-tool -s 806406000102
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 06 00 01 01 
+Sending: 80 64 06 00 01 01
 Received (SW1=0x90, SW2=0x00)
 ```
 

doc/public_key_authentication.md

@@ -1,6 +1,6 @@
 # Public Key Authentication
 
-Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN. The authentication is performed by signing a challenge and checking the signature result.
+Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN (see Notes below). The authentication is performed by signing a challenge and checking the signature result.
 
 1. A Pico HSM #A contains a private key, whose public key will be used for authentication.
 2. The public key of #A is registered into a second Pico HSM #B.
@@ -9,8 +9,6 @@ Public Key Authentication (PKA) is a mechanism to authenticate a legit user with
 5. #B verifies the signature against the challenge with the public key of #A, previously registered.
 6. If the signature is valid, #B grants access to the user.
 
-This mechanism has no retry counter or PIN throttling, as no PIN is set up on the device.
-
 To enable PKA, the device must be initialized beforehand. In case the device has secret/private keys, all shall be exported and reimported when the set up is finished.
 
 ## Requirements
@@ -18,8 +16,8 @@ To enable PKA, the device must be initialized beforehand. In case the device has
 To take advantage of PKA, the following is required:
 
 1. Two Pico HSM: one will be used only for authentication (it can be any device able to generate a private key and sign arbitrary data).
-2. [SCS3](/doc/scs3.md "SCS3") tool to authenticate the user. At this time, OpenSC does not support PKA.
-3. A secret key of ECC 256 bits. SCS3 does not support other curves.
+2. [SCS3](/doc/scs3.md "SCS3") tool to authenticate the user. At this time, OpenSC does not support PKA, only initialization.
+3. A secret key of ECC 256 bits.
 
 ## Usage
 
@@ -29,35 +27,71 @@ Before using SCS3, it must be patched [scs3.patch.txt](https://github.com/polhen
 
 On a secondary device, generate a private key, on the ECC 256 bits (`brainpoolP256r1` or `secp192r1`). Label it with an easy name, such as "Authentication".
 
-<img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 11 00" src="https://user-images.githubusercontent.com/55573252/173353764-4620ece4-0d82-4a23-a153-99bf912621a7.png">
+<img width="1037" src="https://user-images.githubusercontent.com/55573252/173353764-4620ece4-0d82-4a23-a153-99bf912621a7.png">
 
-Once finished, export the public key. 
+Once finished, export the public key.
 
-<img width="350" alt="Captura de Pantalla 2022-06-13 a les 12 11 39" src="https://user-images.githubusercontent.com/55573252/173353732-63f40572-a42f-4e5c-a9ab-6e52a083956b.png">
+<img width="350" src="https://user-images.githubusercontent.com/55573252/173353732-63f40572-a42f-4e5c-a9ab-6e52a083956b.png">
 
 ### Initialization
 
 On the primary device, initialize it. When prompting for an authentication mechanism, select "Public Key Authentication".
 
-<img width="412" alt="Captura de Pantalla 2022-06-13 a les 12 05 09" src="https://user-images.githubusercontent.com/55573252/173353661-17caf6db-0c76-4903-9b70-5afa79f5ae54.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 14 48" src="https://user-images.githubusercontent.com/55573252/173353822-310219dc-7c7d-4ece-9fd9-c7835c2688df.png">
+<img width="412" src="https://user-images.githubusercontent.com/55573252/173353661-17caf6db-0c76-4903-9b70-5afa79f5ae54.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 14 48" src="https://user-images.githubusercontent.com/55573252/173353822-310219dc-7c7d-4ece-9fd9-c7835c2688df.png">
 
 Once finished, register the exported public key. A message of `0 authenticated public key(s) in 1 of 1 scheme` will appear if it is properly registered.
 
-<img width="342" alt="Captura de Pantalla 2022-06-13 a les 12 15 44" src="https://user-images.githubusercontent.com/55573252/173353917-f3f99405-c7ff-43ce-8914-6f3b713df952.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 16 17" src="https://user-images.githubusercontent.com/55573252/173353946-ee7eacf9-cead-4804-ac7a-57848f7c822b.png">
-
+<img width="342" src="https://user-images.githubusercontent.com/55573252/173353917-f3f99405-c7ff-43ce-8914-6f3b713df952.png"><img width="1037" alt="Captura de Pantalla 2022-06-13 a les 12 16 17" src="https://user-images.githubusercontent.com/55573252/173353946-ee7eacf9-cead-4804-ac7a-57848f7c822b.png">
 
 ### Authentication
 
 Plug the secondary device that stores the private key (do not load the device in the SCS3 tool) and initiate the public key authentication.
 
-<img width="321" alt="Captura de Pantalla 2022-06-13 a les 12 19 47" src="https://user-images.githubusercontent.com/55573252/173353998-8f418ec6-d90d-4168-801f-51008c78824d.png">
+<img width="321" src="https://user-images.githubusercontent.com/55573252/173353998-8f418ec6-d90d-4168-801f-51008c78824d.png">
 
 Select the secondary card and the Authentication private key (or the name you labeled it).
 
-<img width="435" alt="Captura de Pantalla 2022-06-13 a les 14 25 25" src="https://user-images.githubusercontent.com/55573252/173354044-50163113-829e-4d80-bbda-7b589849af73.png">
+<img width="435" src="https://user-images.githubusercontent.com/55573252/173354044-50163113-829e-4d80-bbda-7b589849af73.png">
 
 Introduce the PIN of the secondary device.
 
 If the private key matches with the registered public key, the primary device will grant access and it will display `User PIN authenticated (9000)` (despite no PIN is provided).
 
 From now on, you have full access and can operate normally with the primary device.
+
+## Notes on DKEK
+
+Pico HSM uses the PIN to protect the DKEK, which is lately used to protect private/secret keys and wrap/unwrap. However, when PKA is enabled, the authentication is not performed by introducing any PIN.
+Authenticated privileges are granted when PKA succeeds, regardless of PIN, which is optional.
+
+Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification.
+Otherwise, it will not be possible to operate with private/secret keys despite the user will be logged in.
+
+With this scheme, multiple custodians may authenticate the device individually and remotely and, when fully authenticated, the master user can unlock the DKEK with the PIN.
+
+Moreover, with this approach the device is kept safe and neither the DKEK nor the private/secret keys are stored in plain text in the device.
+Even though the flash memory is dumped by an attacker, it will not be possible to decipher any sensitive data or key.
+
+Initialization of the device with PKA **and** PIN can be achieved with SCS3 or OpenSC:
+
+**Note:** do not import any DKEK share or DKEK operation before PKA and PIN setup.
+
+### With OpenSC
+
+Use the following command (or similar), which accepts the use of PIN parameter **and** PKA configuration:
+
+```
+sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1
+```
+
+and PKA and PIN are enabled, jointly with DKEK protection.
+
+### With SCS3
+
+Unfortunately, SCS3 does not allow to initialize the device with PKA and PIN at the same time, though it can be achieved in separated steps:
+
+1. Initialize the device with PKA. When done, the PIN will not be initialized but it will advice that 3 attemps can be performed.
+2. There is NO default PIN. So, DO NOT attempt to log in yet. A reset PIN shall be requested.
+3. Click on ``Reset User-PIN``, introduce the SO-PIN configured during the initialization and introduce the desired User-PIN.
+
+When done, the device will be configured with PIN **and** PKA.

doc/scs3.md

@@ -4,16 +4,16 @@ SCS3 tool is a specific tool developed by CardContact to manage HSM. Thanks to i
 
 - Import PKCS12 private keys and certificates.
 - Import private keys and certificates from other Pico HSM devices in WKY format.
-- 
+-
 
 Unfortunately, there is no pkcs11 tool or equivalent capable to perform the import. Since it uses the SC-HSM driver, it also supports the communication with the [SCS3 tool](https://www.openscdp.org/scsh3/ "SCS3 tool"). It can be downloaded from [here](https://www.openscdp.org/scsh3/download.html "here").
 
-However, SCS3 only works with those HSM manufactured by CardContact. The check is performed by means of trust store against the manufacturing certificates. For obvious reasons, these certificates can only be signed with the private keys of the Certificate Authorities listed in the trust store. 
+However, SCS3 only works with those HSM manufactured by CardContact. The check is performed by means of trust store against the manufacturing certificates. For obvious reasons, these certificates can only be signed with the private keys of the Certificate Authorities listed in the trust store.
 
 Pico HSM is shipped with its own CA certificates. To load this certificate onto the trust store of SCS3, the following line has to be appended to `SmartCardHSM.rootCerts` variable, near line `235` in the file `scs3/scsh/sc-hsm/SmartCardHSM.js`.
 
 ```
-ESCVCAHSM00001: new CVC(new ByteString("7F218201657F4E82012D5F290100420E45534356434148534D30303030317F4981DD060A04007F000702020202038118FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF8218FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC831864210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1843104188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E7948118518FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831863104088FCDFCCE87EDD285920615E651D76452D857ECBB408C327ADB48A2A514C1C9BD77CC9783607A741493A742744AD1738701015F200E45534356434148534D30303030317F4C12060904007F0007030102025305C0000000045F25060202000302065F24060300010203015F37307297777664B60C57A2C45E7BFD12E520143EDE9038BFB302739106F2730D760665D74649910C519089848D4FB6E51340", HEX))
+ESPICOHSMCA00001: new CVC(new ByteString("7F218201BA7F4E8201725F290100421045535049434F48534D434130303030317F4982011D060A04007F000702020202038120FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF8220FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC83205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B8441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F58520FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC6325518641046A82C0A4FEAF41D6A1336AE7E992D81AD4F827929145DD0D777E1AB63D7E3325C8F7DAC0F74B6EAE13A72F6366777EC133AC5C28F456868E5F2C315044EB54EF8701015F201045535049434F48534D434130303030317F4C12060904007F0007030102025305C0000000005F25060202000801085F24060203000801085F3740601E974F57DDE060875FE6121AEF5BC02E10FC655311C7A32CA822FD18E53A80298EDC56E0D5EBF38FB470DC12987B1600AE91A0ADB5B22C4D80080782E278AD", HEX))
 ```
 
 Therefore, the whole variable becomes:
@@ -22,26 +22,27 @@ Therefore, the whole variable becomes:
 SmartCardHSM.rootCerts = {
 	DESRCACC100001: new CVC(new ByteString("7F218201B47F4E82016C5F290100420E44455352434143433130303030317F4982011D060A04007F000702020202038120A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E537782207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9832026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B68441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F0469978520A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A78641046D025A8026CDBA245F10DF1B72E9880FFF746DAB40A43A3D5C6BEBF27707C30F6DEA72430EE3287B0665C1EAA6EAA4FA26C46303001983F82BD1AA31E03DA0628701015F200E44455352434143433130303030317F4C10060B2B0601040181C31F0301015301C05F25060102010100095F24060302010100085F37409DBB382B1711D2BAACB0C623D40C6267D0B52BA455C01F56333DC9554810B9B2878DAF9EC3ADA19C7B065D780D6C9C3C2ECEDFD78DEB18AF40778ADF89E861CA", HEX)),
 	UTSRCACC100001: new CVC(new ByteString("7F218201B47F4E82016C5F290100420E55545352434143433130303030317F4982011D060A04007F000702020202038120A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E537782207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9832026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B68441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F0469978520A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7864104A041FEB2FD116B2AD19CA6B7EACD71C9892F941BB88D67DCEEC92501F070011957E22122BA6C2CF5FF02936F482E35A6129CCBBA8E9383836D3106879C408EF08701015F200E55545352434143433130303030317F4C10060B2B0601040181C31F0301015301C05F25060102010100095F24060302010100085F3740914DD0FA00615C44048D1467435400423A4AD1BD37FD98D6DE84FD8037489582325C72956D4FDFABC6EDBA48184A754F37F1BE5142DD1C27D66569308CE19AAF", HEX)),
-	ESCVCAHSM00001: new CVC(new ByteString("7F218201657F4E82012D5F290100420E45534356434148534D30303030317F4981DD060A04007F000702020202038118FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF8218FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC831864210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1843104188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E7948118518FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831863104088FCDFCCE87EDD285920615E651D76452D857ECBB408C327ADB48A2A514C1C9BD77CC9783607A741493A742744AD1738701015F200E45534356434148534D30303030317F4C12060904007F0007030102025305C0000000045F25060202000302065F24060300010203015F37307297777664B60C57A2C45E7BFD12E520143EDE9038BFB302739106F2730D760665D74649910C519089848D4FB6E51340", HEX))
+	ESPICOHSMCA00001: new CVC(new ByteString("7F218201BA7F4E8201725F290100421045535049434F48534D434130303030317F4982011D060A04007F000702020202038120FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF8220FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC83205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B8441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F58520FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC6325518641046A82C0A4FEAF41D6A1336AE7E992D81AD4F827929145DD0D777E1AB63D7E3325C8F7DAC0F74B6EAE13A72F6366777EC133AC5C28F456868E5F2C315044EB54EF8701015F201045535049434F48534D434130303030317F4C12060904007F0007030102025305C0000000005F25060202000801085F24060203000801085F3740601E974F57DDE060875FE6121AEF5BC02E10FC655311C7A32CA822FD18E53A80298EDC56E0D5EBF38FB470DC12987B1600AE91A0ADB5B22C4D80080782E278AD", HEX))
 }
 ```
 
 Similarly, replace the line `1531` in file `scs3/keymanager/keymanager.js` with:
 
 ```
-	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESCVCAHSM00001.getPublicKey()), dicacert.getPublicKeyOID()));
+	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESPICOHSMCA00001.getPublicKey()), dicacert.getPublicKeyOID()));
 ```
 
-Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt) can be applied.
+
+Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/9415877/scs3.patch.txt) can be applied.
 
 After this ammendment, the program can be started and the KeyManager can be invoked (CTRL+M) and it will output something similar to:
 ```
 >load("keymanager/keymanager.js");
 
-SmartCard-HSM Version 1.6 on JCOP          Free memory 217104 byte
-Issuer Certificate : CVC id-AT DV (official domestic) CAR=ESCVCAHSM00001 CHR=ESDVCAHSM00001 CED=27 / de març / 2022 CXD=31 / de desembre / 2025 
-Device Certificate : CVC id-AT Terminal CAR=ESDVCAHSM00001 CHR=ESTERMHSM00001 CED=27 / de març / 2022 CXD=31 / de desembre / 2023 
-Default Key Domain : 0F89B400975EDD2D425ABF85F2FBD318779B3D85475E65D4
+SmartCard-HSM Version 2.6 on JCOP          Free memory 215512 byte
+Issuer Certificate : CVC id-AT DV (official domestic) CAR=ESPICOHSMCA00001 CHR=ESPICOHSMDV00001 CED=18 / d’agost / 2022 CXD=14 / de juny / 2023 
+Device Certificate : CVC id-AT Terminal CAR=ESPICOHSMDV00001 CHR=ESPICOHSMTRYZRGW CED=22 / d’agost / 2022 CXD=22 / d’agost / 2023 
+Default Key Domain : 223CD8D8F794889AC163305881BF8C04960BBB8658120491F1C0601F6BF97183
 -------------------------------------------------------------------
 Please right-click on nodes in the outline to see possible actions.
 For most operations you will need to authenticate first using a
@@ -60,7 +61,7 @@ It can be executed in a Terminal via
 ```
 ## DKEK requirement
 
-In order to perform the import, private keys must be wrapped with the same DKEK present in the Pico HSM. Thus, the Pico HSM must be previously initialized with at minimum of 1 DKEK share. This share will be used to wrap the private key before import. 
+In order to perform the import, private keys must be wrapped with the same DKEK present in the Pico HSM. Thus, the Pico HSM must be previously initialized with at minimum of 1 DKEK share. This share will be used to wrap the private key before import.
 
 Note that the DKEK share shall be available before the import. In this way, all custodians must be present during the import process, since they will have to introduce their respective DKEK.
 

doc/sign-verify.md

@@ -1,7 +1,7 @@
 # Sign and verify
 
 Pico HSM supports in place signature of arbitrary data. It supports the following algorithms:
-* RSA-PKCS 
+* RSA-PKCS
 * RSA-X-509
 * SHA1-RSA-PKCS
 * SHA256-RSA-PKCS
@@ -32,7 +32,7 @@ $ openssl rsa -inform DER -outform PEM -in 1.der -pubin > 1.pub
 At this moment, you are able to verify with the public key in `1.pub`. The signature is computed inside the Pico HSM with the private key. It never leaves the device.
 
 ## RSA-PKCS
-This algorithm is used to sign raw data. 
+This algorithm is used to sign raw data.
 
 To sign the data:
 ```
@@ -91,7 +91,7 @@ This algorithm uses the RSA-PKCS with PSS salt to randomize the signature. Pico
 To sign the data:
 ```
 $ pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS-PSS -i data.sha1 -o data.sig
-``` 
+```
 
 To verify the signature:
 ```
@@ -105,7 +105,7 @@ This algorithm takes the file as the input and sends its hash for signing with t
 To sign the data:
 ```
 $ pkcs11-tool --id 1 --sign --pin 648219 --mechanism SHA1-RSA-PKCS-PSS -i data -o data.sig
-``` 
+```
 
 To verify the signature:
 ```
@@ -118,14 +118,14 @@ This is a raw ECDSA signature, which is usually used to sign a hashed message. `
 
 To sign the data:
 ```
-$ pkcs11-tool --id 11 --sign --pin 648219 --mechanism ECDSA -i data.sha1 -o data.sig --signature-format openssl     
+$ pkcs11-tool --id 11 --sign --pin 648219 --mechanism ECDSA -i data.sha1 -o data.sig --signature-format openssl
 Using slot 0 with a present token (0x0)
 Using signature algorithm ECDSA
 ```
 
 To verify the signature:
 ```
-$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig                                      
+$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig
 Signature Verified Successfully
 ```
 
@@ -143,6 +143,6 @@ Using signature algorithm ECDSA-SHA256
 
 The signature is verified with the hash:
 ```
-$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig                              
+$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig
 Signature Verified Successfully
 ```

doc/store_data.md

@@ -9,7 +9,7 @@ Before writting a file into the Pico HSM, we generate the data file with the fol
 
 ```
 $ echo 'Pico HSM is awesome!' > test
-``` 
+```
 
 Then, we can store the data file with the following command:
 
@@ -43,7 +43,7 @@ Always provide a unique `--label`, as it will be used to index and reference the
 To view the stored file, we can use the following command with the same label we employed:
 
 ```
-$ pkcs11-tool --read-object --type data --label 'test1' 
+$ pkcs11-tool --read-object --type data --label 'test1'
 Using slot 0 with a present token (0x0)
 Pico HSM is awesome!
 ```
@@ -98,7 +98,7 @@ Data object 'test1'
 	applicationName: test1
 	Path:            e82b0601040181c31f0201::cf00
 	Data (21 bytes): 5069636F2048534D20697320617765736F6D65210A
-                  
+
 Data object 'test2'
 	applicationName: test2
 	Path:            e82b0601040181c31f0201::cd01

doc/usage.md

@@ -1,7 +1,7 @@
 # Usage
 
 ## Tools
-We use multiple tools and PKCS#11 drivers and modules, depending on the purpose. 
+We use multiple tools and PKCS#11 drivers and modules, depending on the purpose.
 * **pkcs11-tool**: from OpenSC. It interfaces with the HSM via PKCS#11 interface. It supports different drivers and modules.
 * **sc-tool**: an alias of pkcs11-tool with the sc-hsm-embedded module. It is mainly used for AES management and it is defined as:
 ```
@@ -22,20 +22,20 @@ init=0
 PIN=648219
 ```
 `opensc-pkcs11.so` can be replaced by `libsc-hsm-pkcs11.so` if desired.
-* **sc-hsm-tool**: from OpenSC. Used to initialize the device.
+* **pico-hsm-tool**: Used to initialize the device.
 * **opensc-tool**: from OpenSC. Used to list and detect the reader with the HSM.
 
 [^1]: `openssl version -a` will return the `OPENSSLDIR`, which contains `openssl.cnf` file and `ENGINESDIR`, which contains the p11 engine.
 
 ## Initialization
-The first step is to initialize the HSM:
+The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder:
 ```
-$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
+$ python3 pico-hsm-tool initialize --so-pin 3537363231383830 --pin 648219
 ```
-The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked. 
+The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked.
 The PIN accepts from 6 to 16 characters.
 
-The SO-PIN is used to unblock the PIN. It accepts 15 attemps. After 15 failed attempts, the device will be completely blocked and will be necessary to initialize again, erasing all private keys and losing the access. Therefore, keep the SO-PIN in a safe place. 
+The SO-PIN is used to unblock the PIN. It accepts 15 attemps. After 15 failed attempts, the device will be completely blocked and will be necessary to initialize again, erasing all private keys and losing the access. Therefore, keep the SO-PIN in a safe place.
 The SO-PIN is always 16 hexadecimal characters.
 
 ## PIN and SO-PIN management
@@ -62,7 +62,7 @@ To generate a RSA 2048 bits, use the following command:
 $ pkcs11-tool -l --pin 648219 --keypairgen --key-type rsa:2048 --id 1 --label "RSA2K"
 Using slot 0 with a present token (0x0)
 Key pair generated:
-Private Key Object; RSA 
+Private Key Object; RSA
   label:      RSA2K
   ID:         1
   Usage:      decrypt, sign
@@ -77,7 +77,7 @@ The ID parameter is an internal hexadecimal number for easy identification. The
 
 Pico HSM accepts RSA of 1024 (`rsa:1024`), 2048 (`rsa:2048`) and 4096 bits (`rsa:4096`).
 
-**Caution**: RSA 2048 bits may take more than 20 seconds. RSA 4096 bits may take more than 20 minutes. The Pico HSM will work as normally and neither the HSM nor the host will block. But, in the meantime, the Pico HSM will not accept any command. 
+**Caution**: RSA 2048 bits may take more than 20 seconds. RSA 4096 bits may take more than 20 minutes. The Pico HSM will work as normally and neither the HSM nor the host will block. But, in the meantime, the Pico HSM will not accept any command.
 An alternative is to generate the private key locally and import it to the HSM. This approach, however, is less secure as it does not use a True RNG or HRNG like Pico HSM. Use this approach if you have plugged a TRNG or you are not worried about obtaining the highest entropy.
 
 Pico HSM also accepts ECDSA keypairs:
@@ -157,9 +157,9 @@ Certificate:
                     a0:30:b2:ec:d3:d6:0d:58:f3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 98:07:DA:13:B0:8E:A0:5C:97:83:68:FE:4A:25:8D:50:C4:DC:16:FA
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 keyid:98:07:DA:13:B0:8E:A0:5C:97:83:68:FE:4A:25:8D:50:C4:DC:16:FA
 
             X509v3 Basic Constraints: critical
@@ -173,7 +173,7 @@ Certificate:
          99:2b:b2:82:66:c1:06:a7:2c:62:af:e2:e4:93:42:36:66:8d:
          c5:3f:e1:ec:5f:9a:f8:5f:b3:6a:8f:0e:12:5d:c9:46:38:ea:
          0b:08
-``` 
+```
 
 The resulting file `cert.pem` contains the signed certificate in PEM format. Convert it into DER format and load it into the Pico HSM:
 

src/hsm/cmd_challenge.c

@@ -0,0 +1,33 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "random.h"
+#include "sc_hsm.h"
+
+uint8_t challenge[256];
+uint8_t challenge_len = 0;
+
+int cmd_challenge() {
+    uint8_t *rb = (uint8_t *)random_bytes_get(apdu.ne);
+    if (!rb)
+        return SW_WRONG_LENGTH();
+    memcpy(res_APDU, rb, apdu.ne);
+    challenge_len = MIN(apdu.ne, sizeof(challenge));
+    memcpy(challenge, rb, challenge_len);
+    res_APDU_size = apdu.ne;
+    return SW_OK();
+}

src/hsm/cmd_change_pin.c

@@ -0,0 +1,67 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_change_pin() {
+    if (P1(apdu) == 0x0) {
+        if (P2(apdu) == 0x81 || P2(apdu) == 0x88) {
+            file_t *file_pin = NULL;
+            if (P2(apdu) == 0x81)
+                file_pin = file_pin1;
+            else if (P2(apdu) == 0x88)
+                file_pin = file_sopin;
+            if (!file_pin) {
+                return SW_FILE_NOT_FOUND();
+            }
+            if (!file_has_data(file_pin)) {
+                return SW_REFERENCE_NOT_FOUND();
+            }
+            uint8_t pin_len = file_read_uint8(file_get_data(file_pin));
+            int r = check_pin(file_pin, apdu.data, pin_len);
+            if (r != 0x9000)
+                return r;
+            uint8_t mkek[MKEK_SIZE];
+            r = load_mkek(mkek); //loads the MKEK with old pin
+            if (r != CCID_OK)
+                return SW_EXEC_ERROR();
+            //encrypt MKEK with new pin
+
+            if (P2(apdu) == 0x81) {
+                hash_multi(apdu.data+pin_len, apdu.nc-pin_len, session_pin);
+                has_session_pin = true;
+            }
+            else if (P2(apdu) == 0x88) {
+                hash_multi(apdu.data+pin_len, apdu.nc-pin_len, session_sopin);
+                has_session_sopin = true;
+            }
+            r = store_mkek(mkek);
+            release_mkek(mkek);
+            if (r != CCID_OK)
+                return SW_EXEC_ERROR();
+            uint8_t dhash[33];
+            dhash[0] = apdu.nc-pin_len;
+            double_hash_pin(apdu.data+pin_len, apdu.nc-pin_len, dhash+1);
+            flash_write_data_to_file(file_pin, dhash, sizeof(dhash));
+            low_flash_available();
+            return SW_OK();
+        }
+    }
+    return SW_WRONG_P1P2();
+}

src/hsm/cmd_cipher_sym.c

@@ -0,0 +1,113 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/hkdf.h"
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_cipher_sym() {
+    int key_id = P1(apdu);
+    int algo = P2(apdu);
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    if (!ef)
+        return SW_FILE_NOT_FOUND();
+    if (key_has_purpose(ef, algo) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if ((apdu.nc % 16) != 0) {
+        return SW_WRONG_LENGTH();
+    }
+    if (wait_button_pressed() == true) // timeout
+        return SW_SECURE_MESSAGE_EXEC_ERROR();
+    int key_size = file_get_size(ef);
+    uint8_t kdata[32]; //maximum AES key size
+    memcpy(kdata, file_get_data(ef), key_size);
+    if (mkek_decrypt(kdata, key_size) != 0) {
+        return SW_EXEC_ERROR();
+    }
+    if (algo == ALGO_AES_CBC_ENCRYPT || algo == ALGO_AES_CBC_DECRYPT) {
+        mbedtls_aes_context aes;
+        mbedtls_aes_init(&aes);
+        uint8_t tmp_iv[IV_SIZE];
+        memset(tmp_iv, 0, sizeof(tmp_iv));
+        if (algo == ALGO_AES_CBC_ENCRYPT) {
+            int r = mbedtls_aes_setkey_enc(&aes, kdata, key_size*8);
+            if (r != 0) {
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+            r = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, apdu.nc, tmp_iv, apdu.data, res_APDU);
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            if (r != 0) {
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+        }
+        else if (algo == ALGO_AES_CBC_DECRYPT) {
+            int r = mbedtls_aes_setkey_dec(&aes, kdata, key_size*8);
+            if (r != 0) {
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+            r = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, apdu.nc, tmp_iv, apdu.data, res_APDU);
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            if (r != 0) {
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+        }
+        res_APDU_size = apdu.nc;
+        mbedtls_aes_free(&aes);
+    }
+    else if (algo == ALGO_AES_CMAC) {
+        const mbedtls_cipher_info_t *cipher_info;
+        if (key_size == 16)
+            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
+        else if (key_size == 24)
+            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_192_ECB);
+        else if (key_size == 32)
+            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB);
+        else {
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            return SW_WRONG_DATA();
+        }
+        int r = mbedtls_cipher_cmac(cipher_info, kdata, key_size*8, apdu.data, apdu.nc, res_APDU);
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+        if (r != 0)
+            return SW_EXEC_ERROR();
+        res_APDU_size = 16;
+    }
+    else if (algo == ALGO_AES_DERIVE) {
+        int r = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), NULL, 0, file_get_data(ef), key_size, apdu.data, apdu.nc, res_APDU, apdu.nc);
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+        if (r != 0)
+            return SW_EXEC_ERROR();
+        res_APDU_size = apdu.nc;
+    }
+    else {
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+        return SW_WRONG_P1P2();
+    }
+    return SW_OK();
+}

src/hsm/cmd_decrypt_asym.c

@@ -0,0 +1,170 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/ecdh.h"
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+#include "files.h"
+#include "asn1.h"
+#include "cvc.h"
+#include "random.h"
+#include "oid.h"
+
+int cmd_decrypt_asym() {
+    int key_id = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    if (!ef)
+        return SW_FILE_NOT_FOUND();
+    if (get_key_counter(ef) == 0)
+        return SW_FILE_FULL();
+    if (key_has_purpose(ef, p2) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if (p2 >= ALGO_RSA_DECRYPT && p2 <= ALGO_RSA_DECRYPT_OEP) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+        if (p2 == ALGO_RSA_DECRYPT_OEP)
+            mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE);
+        int r = load_private_key_rsa(&ctx, ef);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        int key_size = file_get_size(ef);
+        if (apdu.nc < key_size) //needs padding
+            memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
+        if (p2 == ALGO_RSA_DECRYPT_PKCS1 || p2 == ALGO_RSA_DECRYPT_OEP) {
+            size_t olen = apdu.nc;
+            r = mbedtls_rsa_pkcs1_decrypt(&ctx, random_gen, NULL, &olen, apdu.data, res_APDU, 512);
+            if (r == 0)
+                res_APDU_size = olen;
+        }
+        else {
+            r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
+            if (r == 0)
+                res_APDU_size = key_size;
+        }
+        if (r != 0) {
+            mbedtls_rsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_rsa_free(&ctx);
+    }
+    else if (p2 == ALGO_EC_DH || p2 == ALGO_EC_DH_XKEK) {
+        mbedtls_ecdh_context ctx;
+        if (wait_button_pressed() == true) //timeout
+            return SW_SECURE_MESSAGE_EXEC_ERROR();
+        int key_size = file_get_size(ef);
+        uint8_t *kdata = (uint8_t *)calloc(1,key_size);
+        memcpy(kdata, file_get_data(ef), key_size);
+        if (mkek_decrypt(kdata, key_size) != 0) {
+            mbedtls_platform_zeroize(kdata, key_size);
+            free(kdata);
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_ecdh_init(&ctx);
+        mbedtls_ecp_group_id gid = kdata[0];
+        int r = 0;
+        r = mbedtls_ecdh_setup(&ctx, gid);
+        if (r != 0) {
+            mbedtls_platform_zeroize(kdata, key_size);
+            mbedtls_ecdh_free(&ctx);
+            free(kdata);
+            return SW_DATA_INVALID();
+        }
+        r = mbedtls_mpi_read_binary(&ctx.ctx.mbed_ecdh.d, kdata+1, key_size-1);
+        mbedtls_platform_zeroize(kdata, key_size);
+        free(kdata);
+        if (r != 0) {
+            mbedtls_ecdh_free(&ctx);
+            return SW_DATA_INVALID();
+        }
+        r = -1;
+        if (p2 == ALGO_EC_DH)
+            r = mbedtls_ecdh_read_public(&ctx, apdu.data-1, apdu.nc+1);
+        else if (p2 == ALGO_EC_DH_XKEK) {
+            size_t pub_len = 0;
+            const uint8_t *pub = cvc_get_pub(apdu.data, apdu.nc, &pub_len);
+            if (pub) {
+                size_t t86_len = 0;
+                const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
+                if (t86) {
+                    r = mbedtls_ecdh_read_public(&ctx, t86-1, t86_len+1);
+                }
+            }
+        }
+        if (r != 0) {
+            mbedtls_ecdh_free(&ctx);
+            return SW_DATA_INVALID();
+        }
+        size_t olen = 0;
+        res_APDU[0] = 0x04;
+        r = mbedtls_ecdh_calc_secret(&ctx, &olen, res_APDU+1, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
+        if (r != 0) {
+            mbedtls_ecdh_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        if (p2 == ALGO_EC_DH)
+            res_APDU_size = olen+1;
+        else {
+            res_APDU_size = 0;
+            size_t ext_len = 0;
+            const uint8_t *ext = NULL;
+            if ((ext = cvc_get_ext(apdu.data, apdu.nc, &ext_len)) == NULL)
+                return SW_WRONG_DATA();
+            uint8_t *p = NULL, *tag_data = NULL, *kdom_uid = NULL;
+            uint16_t tag = 0;
+            size_t tag_len = 0, kdom_uid_len = 0;
+            while (walk_tlv(ext, ext_len, &p, &tag, &tag_len, &tag_data)) {
+                if (tag == 0x73) {
+                    size_t oid_len = 0;
+                    uint8_t *oid_data = NULL;
+                    if (asn1_find_tag(tag_data, tag_len, 0x6, &oid_len, &oid_data) == true && oid_len == strlen(OID_ID_KEY_DOMAIN_UID) && memcmp(oid_data, OID_ID_KEY_DOMAIN_UID, strlen(OID_ID_KEY_DOMAIN_UID)) == 0) {
+                        if (asn1_find_tag(tag_data, tag_len, 0x80, &kdom_uid_len, &kdom_uid) == false)
+                            return SW_WRONG_DATA();
+                        break;
+                    }
+                }
+            }
+            if (kdom_uid_len == 0 || kdom_uid == NULL)
+                return SW_WRONG_DATA();
+            for (int n = 0; n < MAX_KEY_DOMAINS; n++) {
+                file_t *tf = search_dynamic_file(EF_XKEK+n);
+                if (tf) {
+                    if (file_get_size(tf) == kdom_uid_len && memcmp(file_get_data(tf), kdom_uid, kdom_uid_len) == 0) {
+                        file_new(EF_DKEK+n);
+                        if (store_dkek_key(n, res_APDU+1) != CCID_OK)
+                            return SW_EXEC_ERROR();
+                        return SW_OK();
+                    }
+                }
+            }
+            return SW_REFERENCE_NOT_FOUND();
+        }
+        mbedtls_ecdh_free(&ctx);
+    }
+    else
+        return SW_WRONG_P1P2();
+    decrement_key_counter(ef);
+    return SW_OK();
+}

src/hsm/cmd_delete_file.c

@@ -0,0 +1,40 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+
+int cmd_delete_file() {
+    file_t *ef = NULL;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+
+    if (apdu.nc == 0) {
+        ef = currentEF;
+        if (!(ef = search_dynamic_file(ef->fid)))
+            return SW_FILE_NOT_FOUND();
+    }
+    else {
+        uint16_t fid = (apdu.data[0] << 8) | apdu.data[1];
+        if (!(ef = search_dynamic_file(fid)))
+            return SW_FILE_NOT_FOUND();
+    }
+    if (!authenticate_action(ef, ACL_OP_DELETE_SELF))
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (delete_file(ef) != CCID_OK)
+        return SW_EXEC_ERROR();
+    return SW_OK();
+}

src/hsm/cmd_derive_asym.c

@@ -0,0 +1,102 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/ecdsa.h"
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+
+
+#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E
+#define MOD_ADD( N )                                                    \
+    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
+static inline int mbedtls_mpi_add_mod( const mbedtls_ecp_group *grp,
+                                       mbedtls_mpi *X,
+                                       const mbedtls_mpi *A,
+                                       const mbedtls_mpi *B )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, A, B ) );
+    MOD_ADD( *X );
+cleanup:
+    return( ret );
+}
+
+int cmd_derive_asym() {
+    uint8_t key_id = P1(apdu);
+    uint8_t dest_id = P2(apdu);
+    file_t *fkey;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
+        return SW_FILE_NOT_FOUND();
+    if (key_has_purpose(fkey, ALGO_EC_DERIVE) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if (apdu.nc == 0)
+        return SW_WRONG_LENGTH();
+    if (apdu.data[0] == ALGO_EC_DERIVE) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+
+        int r;
+        r = load_private_key_ecdsa(&ctx, fkey);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_mpi a, nd;
+        mbedtls_mpi_init(&a);
+        mbedtls_mpi_init(&nd);
+        r = mbedtls_mpi_read_binary(&a, apdu.data+1, apdu.nc-1);
+        if (r != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_DATA_INVALID();
+        }
+        r = mbedtls_mpi_add_mod(&ctx.grp, &nd, &ctx.d, &a);
+        if (r != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_EXEC_ERROR();
+        }
+        r = mbedtls_mpi_copy(&ctx.d, &nd);
+        if (r != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_EXEC_ERROR();
+        }
+        r = store_keys(&ctx, HSM_KEY_EC, dest_id);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_ecdsa_free(&ctx);
+        mbedtls_mpi_free(&a);
+        mbedtls_mpi_free(&nd);
+    }
+    else
+        return SW_WRONG_DATA();
+    return SW_OK();
+}

src/hsm/cmd_external_authenticate.c

@@ -0,0 +1,54 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "cvc.h"
+#include "files.h"
+
+extern file_t *ef_puk_aut;
+extern uint8_t challenge[256];
+extern uint8_t challenge_len;
+
+int cmd_external_authenticate() {
+    if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
+        return SW_INCORRECT_P1P2();
+    if (ef_puk_aut == NULL)
+        return SW_REFERENCE_NOT_FOUND();
+    if (apdu.nc == 0)
+        return SW_WRONG_LENGTH();
+    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
+        return SW_FILE_NOT_FOUND();
+    uint8_t *puk_data = file_get_data(ef_puk);
+    uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
+    memcpy(input, dev_name, dev_name_len);
+    memcpy(input+dev_name_len, challenge, challenge_len);
+    hash256(input, dev_name_len+challenge_len, hash);
+    int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
+    free(input);
+    if (r != 0)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    puk_status[ef_puk_aut->fid & (MAX_PUK-1)] = 1;
+    uint8_t auts = 0;
+    for (int i = 0; i < puk_data[0]; i++)
+        auts += puk_status[i];
+    if (auts >= puk_data[2]) {
+        isUserAuthenticated = true;
+    }
+    return SW_OK();
+}

src/hsm/cmd_extras.c

@@ -0,0 +1,72 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "hardware/rtc.h"
+#include "files.h"
+
+int cmd_extras() {
+    if (P2(apdu) != 0x0)
+        return SW_INCORRECT_P1P2();
+    if (P1(apdu) == 0xA) { //datetime operations
+        if (apdu.nc == 0) {
+            datetime_t dt;
+            if (!rtc_get_datetime(&dt))
+                return SW_EXEC_ERROR();
+            res_APDU[res_APDU_size++] = dt.year >> 8;
+            res_APDU[res_APDU_size++] = dt.year & 0xff;
+            res_APDU[res_APDU_size++] = dt.month;
+            res_APDU[res_APDU_size++] = dt.day;
+            res_APDU[res_APDU_size++] = dt.dotw;
+            res_APDU[res_APDU_size++] = dt.hour;
+            res_APDU[res_APDU_size++] = dt.min;
+            res_APDU[res_APDU_size++] = dt.sec;
+        }
+        else {
+            if (apdu.nc != 8)
+                return SW_WRONG_LENGTH();
+            datetime_t dt;
+            dt.year = (apdu.data[0] << 8) | (apdu.data[1]);
+            dt.month = apdu.data[2];
+            dt.day = apdu.data[3];
+            dt.dotw = apdu.data[4];
+            dt.hour = apdu.data[5];
+            dt.min = apdu.data[6];
+            dt.sec = apdu.data[7];
+            if (!rtc_set_datetime(&dt))
+                return SW_WRONG_DATA();
+        }
+    }
+    else if (P1(apdu) == 0x6) { //dynamic options
+        if (apdu.nc > sizeof(uint8_t))
+            return SW_WRONG_LENGTH();
+        uint16_t opts = get_device_options();
+        if (apdu.nc == 0) {
+            res_APDU[res_APDU_size++] = opts >> 8;
+            res_APDU[res_APDU_size++] = opts & 0xff;
+        }
+        else {
+            uint8_t newopts[] = { apdu.data[0], (opts & 0xff) };
+            file_t *tf = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
+            flash_write_data_to_file(tf, newopts, sizeof(newopts));
+            low_flash_available();
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_general_authenticate.c

@@ -0,0 +1,107 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/ecdh.h"
+#include "asn1.h"
+#include "sc_hsm.h"
+#include "random.h"
+#include "oid.h"
+#include "eac.h"
+#include "files.h"
+
+int cmd_general_authenticate() {
+    if (P1(apdu) == 0x0 && P2(apdu) == 0x0) {
+        if (apdu.data[0] == 0x7C) {
+            int r = 0;
+            size_t pubkey_len = 0;
+            const uint8_t *pubkey = NULL;
+            uint16_t tag = 0x0;
+            uint8_t *tag_data = NULL, *p = NULL;
+            size_t tag_len = 0;
+            while (walk_tlv(apdu.data+2, apdu.nc-2, &p, &tag, &tag_len, &tag_data)) {
+                if (tag == 0x80) {
+                    pubkey = tag_data-1; //mbedtls ecdh starts reading one pos before
+                    pubkey_len = tag_len+1;
+                }
+            }
+            file_t *fkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
+            if (!fkey)
+                return SW_EXEC_ERROR();
+            mbedtls_ecdsa_context ectx;
+            mbedtls_ecdsa_init(&ectx);
+            r = load_private_key_ecdsa(&ectx, fkey);
+            if (r != CCID_OK) {
+                mbedtls_ecdsa_free(&ectx);
+                return SW_EXEC_ERROR();
+            }
+            mbedtls_ecdh_context ctx;
+            mbedtls_ecdh_init(&ctx);
+            mbedtls_ecp_group_id gid = MBEDTLS_ECP_DP_SECP256R1;
+            r = mbedtls_ecdh_setup(&ctx, gid);
+            if (r != 0) {
+                mbedtls_ecdsa_free(&ectx);
+                mbedtls_ecdh_free(&ctx);
+                return SW_DATA_INVALID();
+            }
+            r = mbedtls_mpi_copy(&ctx.ctx.mbed_ecdh.d, &ectx.d);
+            mbedtls_ecdsa_free(&ectx);
+            if (r != 0) {
+                mbedtls_ecdh_free(&ctx);
+                return SW_DATA_INVALID();
+            }
+            r = mbedtls_ecdh_read_public(&ctx, pubkey, pubkey_len);
+            if (r != 0) {
+                mbedtls_ecdh_free(&ctx);
+                return SW_DATA_INVALID();
+            }
+            size_t olen = 0;
+            uint8_t derived[MBEDTLS_ECP_MAX_BYTES];
+            r = mbedtls_ecdh_calc_secret(&ctx, &olen, derived, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
+            mbedtls_ecdh_free(&ctx);
+            if (r != 0) {
+                return SW_EXEC_ERROR();
+            }
+
+            sm_derive_all_keys(derived, olen);
+
+            uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16);
+            memcpy(t, "\x7F\x49\x3F\x06\x0A", 5);
+            if (sm_get_protocol() == MSE_AES)
+                memcpy(t+5, OID_ID_CA_ECDH_AES_CBC_CMAC_128, 10);
+            t[15] = 0x86;
+            memcpy(t+16, pubkey, pubkey_len);
+
+            res_APDU[res_APDU_size++] = 0x7C;
+            res_APDU[res_APDU_size++] = 20;
+            res_APDU[res_APDU_size++] = 0x81;
+            res_APDU[res_APDU_size++] = 8;
+            memcpy(res_APDU+res_APDU_size, sm_get_nonce(), 8);
+            res_APDU_size += 8;
+            res_APDU[res_APDU_size++] = 0x82;
+            res_APDU[res_APDU_size++] = 8;
+
+            r = sm_sign(t, pubkey_len+16, res_APDU+res_APDU_size);
+
+            free(t);
+            if (r != CCID_OK)
+                return SW_EXEC_ERROR();
+            res_APDU_size += 8;
+        }
+    }
+    return SW_OK();
+}

src/hsm/cmd_initialize.c

@@ -0,0 +1,216 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "files.h"
+#include "random.h"
+#include "kek.h"
+#include "version.h"
+#include "asn1.h"
+#include "cvc.h"
+
+extern void scan_all();
+
+extern char __StackLimit;
+int heapLeft() {
+    char *p = malloc(256);   // try to avoid undue fragmentation
+    int left = &__StackLimit - p;
+    free(p);
+    return left;
+}
+
+int cmd_initialize() {
+    if (apdu.nc > 0) {
+        uint8_t mkek[MKEK_SIZE];
+        int ret_mkek = load_mkek(mkek); //Try loading MKEK with previous session
+        initialize_flash(true);
+        scan_all();
+        has_session_pin = has_session_sopin = false;
+        uint16_t tag = 0x0;
+        uint8_t *tag_data = NULL, *p = NULL, *kds = NULL, *dkeks = NULL;
+        size_t tag_len = 0;
+        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+            if (tag == 0x80) { //options
+                file_t *tf = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
+                flash_write_data_to_file(tf, tag_data, tag_len);
+            }
+            else if (tag == 0x81) { //user pin
+                if (file_pin1 && file_pin1->data) {
+                    uint8_t dhash[33];
+                    dhash[0] = tag_len;
+                    double_hash_pin(tag_data, tag_len, dhash+1);
+                    flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
+                    hash_multi(tag_data, tag_len, session_pin);
+                    has_session_pin = true;
+                }
+            }
+            else if (tag == 0x82) { //sopin pin
+                if (file_sopin && file_sopin->data) {
+                    uint8_t dhash[33];
+                    dhash[0] = tag_len;
+                    double_hash_pin(tag_data, tag_len, dhash+1);
+                    flash_write_data_to_file(file_sopin, dhash, sizeof(dhash));
+                    hash_multi(tag_data, tag_len, session_sopin);
+                    has_session_sopin = true;
+                }
+            }
+            else if (tag == 0x91) { //retries user pin
+                file_t *tf = search_by_fid(0x1082, NULL, SPECIFY_EF);
+                if (tf && tf->data) {
+                    flash_write_data_to_file(tf, tag_data, tag_len);
+                }
+                if (file_retries_pin1 && file_retries_pin1->data) {
+                    flash_write_data_to_file(file_retries_pin1, tag_data, tag_len);
+                }
+            }
+            else if (tag == 0x92) {
+                dkeks = tag_data;
+                file_t *tf = file_new(EF_DKEK);
+                if (!tf) {
+                    release_mkek(mkek);
+                    return SW_MEMORY_FAILURE();
+                }
+                flash_write_data_to_file(tf, NULL, 0);
+            }
+            else if (tag == 0x93) {
+                file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+                if (!ef_puk) {
+                    release_mkek(mkek);
+                    return SW_MEMORY_FAILURE();
+                }
+                uint8_t pk_status[4], puks = MIN(tag_data[0],MAX_PUK);
+                memset(pk_status, 0, sizeof(pk_status));
+                pk_status[0] = puks;
+                pk_status[1] = puks;
+                pk_status[2] = tag_data[1];
+                flash_write_data_to_file(ef_puk, pk_status, sizeof(pk_status));
+                for (int i = 0; i < puks; i++) {
+                    file_t *tf = file_new(EF_PUK+i);
+                    if (!tf) {
+                        release_mkek(mkek);
+                        return SW_MEMORY_FAILURE();
+                    }
+                    flash_write_data_to_file(tf, NULL, 0);
+                }
+            }
+            else if (tag == 0x97) {
+                kds = tag_data;
+                /*
+                for (int i = 0; i < MIN(*kds,MAX_KEY_DOMAINS); i++) {
+                    file_t *tf = file_new(EF_DKEK+i);
+                    if (!tf)
+                        return SW_MEMORY_FAILURE();
+                    flash_write_data_to_file(tf, NULL, 0);
+                }
+                */
+            }
+        }
+        file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+        if (!tf_kd) {
+            release_mkek(mkek);
+            return SW_EXEC_ERROR();
+        }
+        if (ret_mkek != CCID_OK)
+            ret_mkek = load_mkek(mkek); //Try again with new PIN/SO-PIN just in case some is the same
+        if (store_mkek(ret_mkek == CCID_OK ? mkek : NULL) != CCID_OK) {
+            release_mkek(mkek);
+            return SW_EXEC_ERROR();
+        }
+        release_mkek(mkek);
+        if (dkeks) {
+            if (*dkeks > 0) {
+                uint16_t d = *dkeks;
+                if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
+                    return SW_EXEC_ERROR();
+            }
+            else {
+                int r = save_dkek_key(0, random_bytes_get(32));
+                if (r != CCID_OK)
+                    return SW_EXEC_ERROR();
+                uint16_t d = 0x0101;
+                if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
+                    return SW_EXEC_ERROR();
+            }
+        }
+        else {
+            uint16_t d = 0x0000;
+            if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        if (kds) {
+            uint8_t t[MAX_KEY_DOMAINS*2], k = MIN(*kds,MAX_KEY_DOMAINS);
+            memset(t, 0xff, 2*k);
+            if (flash_write_data_to_file(tf_kd, t, 2*k) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        /* When initialized, it has all credentials */
+        isUserAuthenticated = true;
+        /* Create terminal private key */
+        file_t *fdkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
+        if (!fdkey)
+            return SW_EXEC_ERROR();
+        int ret = 0;
+        if (ret_mkek != CCID_OK || file_get_size(fdkey) == 0 || file_get_data(fdkey) == NULL) {
+            mbedtls_ecdsa_context ecdsa;
+            mbedtls_ecdsa_init(&ecdsa);
+            mbedtls_ecp_group_id ec_id = MBEDTLS_ECP_DP_SECP256R1;
+            uint8_t index = 0, key_id = 0;
+            ret = mbedtls_ecdsa_genkey(&ecdsa, ec_id, random_gen, &index);
+            if (ret != 0) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
+            if (ret != CCID_OK) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            size_t cvc_len = 0;
+            if ((cvc_len = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            mbedtls_ecdsa_free(&ecdsa);
+
+            file_t *fpk = search_by_fid(EF_EE_DEV, NULL, SPECIFY_EF);
+            ret = flash_write_data_to_file(fpk, res_APDU, cvc_len);
+            if (ret != 0)
+                return SW_EXEC_ERROR();
+
+            const uint8_t *keyid = (const uint8_t *)"\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0", *label = (const uint8_t *)"ESTERMHSM";
+            size_t prkd_len = asn1_build_prkd_ecc(label, strlen((const char *)label), keyid, 20, 192, res_APDU, 4096);
+            fpk = search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF);
+            ret = flash_write_data_to_file(fpk, res_APDU, prkd_len);
+        }
+        if (ret != 0)
+            return SW_EXEC_ERROR();
+        low_flash_available();
+    }
+    else { //free memory bytes request
+        int heap_left = heapLeft();
+        res_APDU[0] = ((heap_left >> 24) & 0xff);
+        res_APDU[1] = ((heap_left >> 16) & 0xff);
+        res_APDU[2] = ((heap_left >> 8) & 0xff);
+        res_APDU[3] = ((heap_left >> 0) & 0xff);
+        res_APDU[4] = 0;
+        res_APDU[5] = HSM_VERSION_MAJOR;
+        res_APDU[6] = HSM_VERSION_MINOR;
+        res_APDU_size = 7;
+    }
+    return SW_OK();
+}

src/hsm/cmd_key_domain.c

@@ -0,0 +1,163 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "cvc.h"
+#include "kek.h"
+#include "files.h"
+
+uint8_t get_key_domain(file_t *fkey) {
+    size_t tag_len = 0;
+    const uint8_t *meta_tag = get_meta_tag(fkey, 0x92, &tag_len);
+    if (meta_tag)
+        return *meta_tag;
+    return 0xff;
+}
+
+int cmd_key_domain() {
+    //if (dkeks == 0)
+    //    return SW_COMMAND_NOT_ALLOWED();
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    if ((has_session_pin == false || isUserAuthenticated == false) && apdu.nc > 0)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if (p2 >= MAX_KEY_DOMAINS)
+        return SW_WRONG_P1P2();
+    file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+    if (!tf_kd)
+        return SW_EXEC_ERROR();
+    uint16_t tf_kd_size = file_get_size(tf_kd);
+    if (tf_kd_size == 0)
+        return SW_WRONG_P1P2();
+    uint8_t *kdata = file_get_data(tf_kd), dkeks = kdata ? kdata[2*p2] : 0, current_dkeks = kdata ? kdata[2*p2+1] : 0;
+    if (p1 == 0x0) { //dkek import
+        if (apdu.nc > 0) {
+            file_t *tf = file_new(EF_DKEK+p2);
+            if (!tf)
+                return SW_MEMORY_FAILURE();
+            if (apdu.nc < 32)
+                return SW_WRONG_LENGTH();
+            import_dkek_share(p2, apdu.data);
+            if (++current_dkeks >= dkeks) {
+                if (save_dkek_key(p2, NULL) != CCID_OK)
+                    return SW_FILE_NOT_FOUND();
+            }
+            uint8_t t[MAX_KEY_DOMAINS*2];
+            memcpy(t, kdata, tf_kd_size);
+            t[2*p2+1] = current_dkeks;
+            if (flash_write_data_to_file(tf_kd, t, tf_kd_size) != CCID_OK)
+                return SW_EXEC_ERROR();
+            low_flash_available();
+        }
+        else {
+            file_t *tf = search_dynamic_file(EF_XKEK+p2);
+            if (2*p2 >= tf_kd_size || current_dkeks == 0)
+                return SW_INCORRECT_P1P2();
+            if (current_dkeks == 0xff && !tf) //XKEK have always 0xff
+                return SW_REFERENCE_NOT_FOUND();
+        }
+    }
+    else if (p1 == 0x1 || p1 == 0x3 || p1 == 0x4) { //key domain setup
+        if (p1 == 0x1 && apdu.nc != 1)
+            return SW_WRONG_LENGTH();
+        if (p1 == 0x3) { //if key domain is not empty, command is denied
+            for (int i = 0; i < dynamic_files; i++) {
+                if (get_key_domain(&dynamic_file[i]) == p2)
+                    return SW_FILE_EXISTS();
+            }
+        }
+        uint8_t t[MAX_KEY_DOMAINS*2];
+        memcpy(t, kdata, tf_kd_size);
+        if (p1 == 0x1) {
+            t[2*p2] = dkeks = apdu.data[0];
+            t[2*p2+1] = current_dkeks = 0;
+        }
+        else if (p1 == 0x3) {
+            t[2*p2] = dkeks = 0xff;
+            t[2*p2+1] = 0xff;
+        }
+        else if (p1 == 0x4) {
+            t[2*p2+1] = current_dkeks = 0;
+        }
+        if (flash_write_data_to_file(tf_kd, t, tf_kd_size) != CCID_OK)
+            return SW_EXEC_ERROR();
+        file_t *tf = NULL;
+        if ((tf = search_dynamic_file(EF_DKEK+p2))) {
+            if (delete_file(tf) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        if (p1 == 0x3 && (tf = search_dynamic_file(EF_XKEK+p2))) {
+            if (delete_file(tf) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        low_flash_available();
+    }
+    else if (p1 == 0x2) { //XKEK Key Domain creation
+        if (apdu.nc > 0) {
+            size_t pub_len = 0;
+            file_t *fterm = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF);
+            if (!fterm)
+                return SW_EXEC_ERROR();
+            const uint8_t *pub = cvc_get_pub(file_get_data(fterm), file_get_size(fterm), &pub_len);
+            if (!pub)
+                return SW_EXEC_ERROR();
+            size_t t86_len = 0;
+            const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
+            if (!t86 || t86[0] != 0x4)
+                return SW_EXEC_ERROR();
+            size_t t54_len = 0;
+            const uint8_t *t54 = cvc_get_field(apdu.data, apdu.nc, &t54_len, 0x54);
+            if (!t54)
+                return SW_WRONG_DATA();
+            uint8_t hash[32], *input = (uint8_t *)calloc(1, (t86_len-1)/2+1);
+            input[0] = 0x54;
+            memcpy(input+1, t86+1, (t86_len-1)/2);
+            hash256(input, (t86_len-1)/2+1, hash);
+            free(input);
+            int r = puk_verify(t54, t54_len, hash, 32, apdu.data, apdu.nc);
+            if (r != 0)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            file_t *tf = file_new(EF_XKEK+p2);
+            if (!tf)
+                return SW_MEMORY_FAILURE();
+
+            //All checks done. Get Key Domain UID
+            pub = cvc_get_pub(apdu.data, apdu.nc, &pub_len);
+            if (pub) {
+                size_t t86_len = 0;
+                const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
+                if (t86) {
+                    flash_write_data_to_file(tf, t86+1, t86_len-1);
+                    low_flash_available();
+                }
+            }
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    memset(res_APDU,0,10);
+    res_APDU[0] = dkeks;
+    res_APDU[1] = dkeks > current_dkeks ? dkeks-current_dkeks : 0;
+    dkek_kcv(p2, res_APDU+2);
+    res_APDU_size = 2+8;
+    file_t *tf = search_dynamic_file(EF_XKEK+p2);
+    if (tf) {
+        memcpy(res_APDU+10, file_get_data(tf), file_get_size(tf));
+        res_APDU_size += file_get_size(tf);
+    }
+    return SW_OK();
+}

src/hsm/cmd_key_gen.c

@@ -0,0 +1,52 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "random.h"
+
+int cmd_key_gen() {
+    uint8_t key_id = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    uint8_t key_size = 32;
+    int r;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (p2 == 0xB2)
+        key_size = 32;
+    else if (p2 == 0xB1)
+        key_size = 24;
+    else if (p2 == 0xB0)
+        key_size = 16;
+    //at this moment, we do not use the template, as only CBC is supported by the driver (encrypt, decrypt and CMAC)
+    uint8_t aes_key[32]; //maximum AES key size
+    memcpy(aes_key, random_bytes_get(key_size), key_size);
+    int aes_type = 0x0;
+    if (key_size == 16)
+        aes_type = HSM_KEY_AES_128;
+    else if (key_size == 24)
+        aes_type = HSM_KEY_AES_192;
+    else if (key_size == 32)
+        aes_type = HSM_KEY_AES_256;
+    r = store_keys(aes_key, aes_type, key_id);
+    if (r != CCID_OK)
+        return SW_MEMORY_FAILURE();
+    if (find_and_store_meta_key(key_id) != CCID_OK)
+        return SW_EXEC_ERROR();
+    low_flash_available();
+    return SW_OK();
+}

src/hsm/cmd_key_unwrap.c

@@ -0,0 +1,106 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_key_unwrap() {
+    int key_id = P1(apdu), r = 0;
+    if (P2(apdu) != 0x93)
+        return SW_WRONG_P1P2();
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    int key_type = dkek_type_key(apdu.data);
+    uint8_t kdom = -1, *allowed = NULL;
+    size_t allowed_len = 0;
+    if (key_type == 0x0)
+        return SW_DATA_INVALID();
+    if (key_type == HSM_KEY_RSA) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+        do {
+            r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
+        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        r = store_keys(&ctx, HSM_KEY_RSA, key_id);
+        mbedtls_rsa_free(&ctx);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+    }
+    else if (key_type == HSM_KEY_EC) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+        do {
+            r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
+        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        r = store_keys(&ctx, HSM_KEY_EC, key_id);
+        mbedtls_ecdsa_free(&ctx);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+    }
+    else if (key_type == HSM_KEY_AES) {
+        uint8_t aes_key[32];
+        int key_size = 0, aes_type = 0;
+        do {
+            r = dkek_decode_key(++kdom, aes_key, apdu.data, apdu.nc, &key_size, &allowed, &allowed_len);
+        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+        if (key_size == 32)
+            aes_type = HSM_KEY_AES_256;
+        else if (key_size == 24)
+            aes_type = HSM_KEY_AES_192;
+        else if (key_size == 16)
+            aes_type = HSM_KEY_AES_128;
+        else
+            return SW_EXEC_ERROR();
+        r = store_keys(aes_key, aes_type, key_id);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+    }
+    if ((allowed != NULL && allowed_len > 0) || kdom >= 0) {
+        size_t meta_len = (allowed_len > 0 ? 2+allowed_len : 0) + (kdom >= 0 ? 3 : 0);
+        uint8_t *meta = (uint8_t *)calloc(1,meta_len), *m = meta;
+        if (allowed_len > 0) {
+            *m++ = 0x91;
+            *m++ = allowed_len;
+            memcpy(m, allowed, allowed_len); m += allowed_len;
+        }
+        if (kdom >= 0) {
+            *m++ = 0x92;
+            *m++ = 1;
+            *m++ = kdom;
+        }
+        r = meta_add((KEY_PREFIX << 8) | key_id, meta, meta_len);
+        free(meta);
+        if (r != CCID_OK)
+            return r;
+    }
+    return SW_OK();
+}

src/hsm/cmd_key_wrap.c

@@ -0,0 +1,93 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "asn1.h"
+#include "kek.h"
+
+extern uint8_t get_key_domain(file_t *fkey);
+
+int cmd_key_wrap() {
+    int key_id = P1(apdu), r = 0;
+    if (P2(apdu) != 0x92)
+        return SW_WRONG_P1P2();
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    uint8_t kdom = get_key_domain(ef);
+    if (!ef)
+        return SW_FILE_NOT_FOUND();
+    if (key_has_purpose(ef, ALGO_WRAP) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    file_t *prkd = search_dynamic_file((PRKD_PREFIX << 8) | key_id);
+    if (!prkd)
+        return SW_FILE_NOT_FOUND();
+    const uint8_t *dprkd = file_get_data(prkd);
+    size_t wrap_len = MAX_DKEK_ENCODE_KEY_BUFFER;
+    size_t tag_len = 0;
+    const uint8_t *meta_tag = get_meta_tag(ef, 0x91, &tag_len);
+    if (*dprkd == P15_KEYTYPE_RSA) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+        r = load_private_key_rsa(&ctx, ef);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        r = dkek_encode_key(kdom, &ctx, HSM_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_rsa_free(&ctx);
+    }
+    else if (*dprkd == P15_KEYTYPE_ECC) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+        r = load_private_key_ecdsa(&ctx, ef);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        r = dkek_encode_key(kdom, &ctx, HSM_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_ecdsa_free(&ctx);
+    }
+    else if (*dprkd == P15_KEYTYPE_AES) {
+        uint8_t kdata[32]; //maximum AES key size
+        if (wait_button_pressed() == true) //timeout
+            return SW_SECURE_MESSAGE_EXEC_ERROR();
+
+        int key_size = file_get_size(ef), aes_type = HSM_KEY_AES;
+        memcpy(kdata, file_get_data(ef), key_size);
+        if (mkek_decrypt(kdata, key_size) != 0) {
+            return SW_EXEC_ERROR();
+        }
+        if (key_size == 32)
+            aes_type = HSM_KEY_AES_256;
+        else if (key_size == 24)
+            aes_type = HSM_KEY_AES_192;
+        else if (key_size == 16)
+            aes_type = HSM_KEY_AES_128;
+        r = dkek_encode_key(kdom, kdata, aes_type, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+    }
+    if (r != CCID_OK)
+        return SW_EXEC_ERROR();
+    res_APDU_size = wrap_len;
+    return SW_OK();
+}

src/hsm/cmd_keypair_gen.c

@@ -0,0 +1,149 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "files.h"
+#include "asn1.h"
+#include "cvc.h"
+#include "oid.h"
+#include "random.h"
+#include "kek.h"
+
+int cmd_keypair_gen() {
+    uint8_t key_id = P1(apdu);
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    int ret = 0;
+
+    size_t tout = 0;
+    //sc_asn1_print_tags(apdu.data, apdu.nc);
+    uint8_t *p = NULL;
+    if (asn1_find_tag(apdu.data, apdu.nc, 0x7f49, &tout, &p) && tout > 0 && p != NULL) {
+        size_t oid_len = 0;
+        uint8_t *oid = NULL;
+        if (asn1_find_tag(p, tout, 0x6, &oid_len, &oid) && oid_len > 0 && oid != NULL) {
+            if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) { //RSA
+                size_t ex_len = 3, ks_len = 2;
+                uint8_t *ex = NULL, *ks = NULL;
+                uint32_t exponent = 65537, key_size = 2048;
+                if (asn1_find_tag(p, tout, 0x82, &ex_len, &ex) && ex_len > 0 && ex != NULL) {
+                    uint8_t *dt = ex;
+                    exponent = 0;
+                    for (int i = 0; i < ex_len; i++) {
+                        exponent = (exponent << 8) | *dt++;
+                    }
+                }
+                if (asn1_find_tag(p, tout, 0x2, &ks_len, &ks) && ks_len > 0 && ks != NULL) {
+                    uint8_t *dt = ks;
+                    key_size = 0;
+                    for (int i = 0; i < ks_len; i++) {
+                        key_size = (key_size << 8) | *dt++;
+                    }
+                }
+                printf("KEYPAIR RSA %ld (%lx)\r\n",key_size,exponent);
+                mbedtls_rsa_context rsa;
+                mbedtls_rsa_init(&rsa);
+                uint8_t index = 0;
+                ret = mbedtls_rsa_gen_key(&rsa, random_gen, &index, key_size, exponent);
+                if (ret != 0) {
+                        mbedtls_rsa_free(&rsa);
+                    return SW_EXEC_ERROR();
+                }
+                if ((res_APDU_size = asn1_cvc_aut(&rsa, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
+                    return SW_EXEC_ERROR();
+                }
+	            ret = store_keys(&rsa, HSM_KEY_RSA, key_id);
+	            if (ret != CCID_OK) {
+                    mbedtls_rsa_free(&rsa);
+                    return SW_EXEC_ERROR();
+                }
+                mbedtls_rsa_free(&rsa);
+            }
+            else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256,MIN(oid_len,10)) == 0) { //ECC
+                size_t prime_len;
+                uint8_t *prime = NULL;
+                if (asn1_find_tag(p, tout, 0x81, &prime_len, &prime) != true)
+                    return SW_WRONG_DATA();
+                mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime, prime_len);
+                printf("KEYPAIR ECC %d\r\n",ec_id);
+                if (ec_id == MBEDTLS_ECP_DP_NONE) {
+                    return SW_FUNC_NOT_SUPPORTED();
+                }
+                mbedtls_ecdsa_context ecdsa;
+                mbedtls_ecdsa_init(&ecdsa);
+                uint8_t index = 0;
+                ret = mbedtls_ecdsa_genkey(&ecdsa, ec_id, random_gen, &index);
+                if (ret != 0) {
+                    mbedtls_ecdsa_free(&ecdsa);
+                    return SW_EXEC_ERROR();
+                }
+                size_t l91 = 0, ext_len = 0;
+                uint8_t *p91 = NULL, *ext = NULL;
+                if (asn1_find_tag(apdu.data, apdu.nc, 0x91, &l91, &p91) && p91 != NULL && l91 > 0) {
+                    for (int n = 0; n < l91; n++) {
+                        if (p91[n] == ALGO_EC_DH_XKEK) {
+                            size_t l92 = 0;
+                            uint8_t *p92 = NULL;
+                            if (!asn1_find_tag(apdu.data, apdu.nc, 0x92, &l92, &p92) || p92 == NULL || l92 == 0)
+                                return SW_WRONG_DATA();
+                            if (p92[0] > MAX_KEY_DOMAINS)
+                                return SW_WRONG_DATA();
+                            file_t *tf_xkek = search_dynamic_file(EF_XKEK+p92[0]);
+                            if (!tf_xkek)
+                                return SW_WRONG_DATA();
+                            ext_len = 2+2+strlen(OID_ID_KEY_DOMAIN_UID)+2+file_get_size(tf_xkek);
+                            ext = (uint8_t *)calloc(1, ext_len);
+                            uint8_t *pe = ext;
+                            *pe++ = 0x73;
+                            *pe++ = ext_len-2;
+                            *pe++ = 0x6;
+                            *pe++ = strlen(OID_ID_KEY_DOMAIN_UID);
+                            memcpy(pe, OID_ID_KEY_DOMAIN_UID, strlen(OID_ID_KEY_DOMAIN_UID));
+                            pe += strlen(OID_ID_KEY_DOMAIN_UID);
+                            *pe++ = 0x80;
+                            *pe++ = file_get_size(tf_xkek);
+                            memcpy(pe, file_get_data(tf_xkek), file_get_size(tf_xkek));
+                        }
+                    }
+                }
+                if ((res_APDU_size = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) {
+                    return SW_EXEC_ERROR();
+                }
+	            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
+	            if (ret != CCID_OK) {
+                    mbedtls_ecdsa_free(&ecdsa);
+                    return SW_EXEC_ERROR();
+                }
+                mbedtls_ecdsa_free(&ecdsa);
+            }
+
+        }
+    }
+    else
+        return SW_WRONG_DATA();
+    if (find_and_store_meta_key(key_id) != CCID_OK)
+        return SW_EXEC_ERROR();
+    file_t *fpk = file_new((EE_CERTIFICATE_PREFIX << 8) | key_id);
+    ret = flash_write_data_to_file(fpk, res_APDU, res_APDU_size);
+    if (ret != 0)
+        return SW_EXEC_ERROR();
+    if (apdu.ne == 0)
+        apdu.ne = res_APDU_size;
+    low_flash_available();
+    return SW_OK();
+}

src/hsm/cmd_list_keys.c

@@ -0,0 +1,60 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "files.h"
+
+int cmd_list_keys()
+{
+    /* First we send DEV private key */
+    /* Both below conditions should be always TRUE */
+    if (search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF)) {
+        res_APDU[res_APDU_size++] = EF_PRKD_DEV >> 8;
+        res_APDU[res_APDU_size++] = EF_PRKD_DEV & 0xff;
+    }
+    if (search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF)) {
+        res_APDU[res_APDU_size++] = EF_KEY_DEV >> 8;
+        res_APDU[res_APDU_size++] = EF_KEY_DEV & 0xff;
+    }
+    //first CC
+    for (int i = 0; i < dynamic_files; i++) {
+        file_t *f = &dynamic_file[i];
+        if ((f->fid & 0xff00) == (PRKD_PREFIX << 8)) {
+            res_APDU[res_APDU_size++] = PRKD_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+            res_APDU[res_APDU_size++] = KEY_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+        }
+    }
+    //second CD
+    for (int i = 0; i < dynamic_files; i++) {
+        file_t *f = &dynamic_file[i];
+        if ((f->fid & 0xff00) == (CD_PREFIX << 8)) {
+            res_APDU[res_APDU_size++] = CD_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+        }
+    }
+
+    for (int i = 0; i < dynamic_files; i++) {
+        file_t *f = &dynamic_file[i];
+        if ((f->fid & 0xff00) == (DCOD_PREFIX << 8)) {
+            res_APDU[res_APDU_size++] = DCOD_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+        }
+    }
+    return SW_OK();
+}

src/hsm/cmd_mse.c

@@ -0,0 +1,75 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "asn1.h"
+#include "oid.h"
+#include "eac.h"
+#include "files.h"
+#include "cvc.h"
+
+file_t *ef_puk_aut = NULL;
+
+int cmd_mse() {
+    int p1 = P1(apdu);
+    int p2 = P2(apdu);
+    if (p2 != 0xA4 && p2 != 0xA6 && p2 != 0xAA && p2 != 0xB4 && p2 != 0xB6 && p2 != 0xB8)
+        return SW_INCORRECT_P1P2();
+    if (p1 & 0x1) { //SET
+        uint16_t tag = 0x0;
+        uint8_t *tag_data = NULL, *p = NULL;
+        size_t tag_len = 0;
+        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+            if (tag == 0x80) {
+                if (p2 == 0xA4) {
+                    if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_AES_CBC_CMAC_128, tag_len) == 0)
+                        sm_set_protocol(MSE_AES);
+                }
+            }
+            else if (tag == 0x83) {
+                if (tag_len == 1) {
+
+                }
+                else {
+                    if (p2 == 0xB6) {
+                        if (puk_store_select_chr(tag_data) == CCID_OK)
+                            return SW_OK();
+                    }
+                    else if (p2 == 0xA4) { /* Aut */
+                        for (int i = 0; i < MAX_PUK; i++) {
+                            file_t *ef = search_dynamic_file(EF_PUK+i);
+                            if (!ef)
+                                break;
+                            if (ef->data == NULL || file_get_size(ef) == 0)
+                                break;
+                            size_t chr_len = 0;
+                            const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
+                            if (memcmp(chr, tag_data, chr_len) == 0) {
+                                ef_puk_aut = ef;
+                                return SW_OK();
+                            }
+                        }
+                    }
+                    return SW_REFERENCE_NOT_FOUND();
+                }
+            }
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_pso.c

@@ -0,0 +1,136 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "oid.h"
+#include "asn1.h"
+#include "cvc.h"
+
+extern int add_cert_puk_store(const uint8_t *data, size_t data_len, bool copy);
+extern PUK *current_puk;
+
+int cmd_pso() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    if (p1 == 0x0 && (p2 == 0x92 || p2 == 0xAE || p2 == 0xBE)) { /* Verify certificate */
+        if (apdu.nc == 0)
+            return SW_WRONG_LENGTH();
+        if (current_puk == NULL)
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.data[0] != 0x7F || apdu.data[1] != 0x21) {
+            uint8_t tlv_len = 2+format_tlv_len(apdu.nc, NULL);
+            memmove(apdu.data+tlv_len, apdu.data, apdu.nc);
+            memcpy(apdu.data, "\x7F\x21", 2);
+            format_tlv_len(apdu.nc, apdu.data+2);
+            apdu.nc += tlv_len;
+        }
+        int r = cvc_verify(apdu.data, apdu.nc, current_puk->cvcert, current_puk->cvcert_len);
+        if (r != CCID_OK) {
+            if (r == CCID_WRONG_DATA)
+                return SW_DATA_INVALID();
+            else if (r == CCID_WRONG_SIGNATURE)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            return SW_EXEC_ERROR();
+        }
+        for (int i = 0; i < 0xfe; i++) {
+            uint16_t fid = (CA_CERTIFICATE_PREFIX << 8) | i;
+            file_t *ca_ef = search_dynamic_file(fid);
+            if (!ca_ef) {
+                ca_ef = file_new(fid);
+                flash_write_data_to_file(ca_ef, apdu.data, apdu.nc);
+                if (add_cert_puk_store(file_get_data(ca_ef), file_get_size(ca_ef), false) != CCID_OK)
+                    return SW_FILE_FULL();
+
+                size_t chr_len = 0;
+                const uint8_t *chr = cvc_get_chr(apdu.data, apdu.nc, &chr_len);
+                if (chr == NULL)
+                    return SW_WRONG_DATA();
+                size_t puk_len = 0, puk_bin_len = 0;
+                const uint8_t *puk = cvc_get_pub(apdu.data, apdu.nc, &puk_len), *puk_bin = NULL;
+                if (puk == NULL)
+                    return SW_WRONG_DATA();
+                size_t oid_len = 0;
+                const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
+                if (oid == NULL)
+                    return SW_WRONG_DATA();
+                if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
+                    puk_bin = cvc_get_field(puk, puk_len, &puk_bin_len, 0x81);
+                    if (!puk_bin)
+                        return SW_WRONG_DATA();
+                }
+                else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
+                    mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(apdu.data, apdu.nc);
+                    mbedtls_ecp_group grp;
+                    mbedtls_ecp_group_init(&grp);
+                    if (mbedtls_ecp_group_load(&grp, ec_id) != 0) {
+                        mbedtls_ecp_group_free(&grp);
+                        return SW_WRONG_DATA();
+                    }
+                    size_t plen = mbedtls_mpi_size(&grp.P);
+                    size_t t86_len = 0;
+                    const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
+                    if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+                        if (plen != t86_len) {
+                            mbedtls_ecp_group_free(&grp);
+                            return SW_WRONG_DATA();
+                        }
+                        puk_bin = t86;
+                        puk_bin_len = t86_len;
+                    }
+                    else if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+                        if (t86[0] == 0x2 || t86[0] == 0x3) {
+                            if (t86_len != plen+1) {
+                                mbedtls_ecp_group_free(&grp);
+                                return SW_WRONG_DATA();
+                            }
+                        }
+                        else if (t86[0] == 0x4) {
+                            if (t86_len != 2*plen+1) {
+                                mbedtls_ecp_group_free(&grp);
+                                return SW_WRONG_DATA();
+                            }
+                        }
+                        else {
+                            mbedtls_ecp_group_free(&grp);
+                            return SW_WRONG_DATA();
+                        }
+                        puk_bin = t86+1;
+                        puk_bin_len = plen;
+                    }
+                    mbedtls_ecp_group_free(&grp);
+                    if (!puk_bin)
+                        return SW_WRONG_DATA();
+                }
+                file_t *cd_ef = file_new((CD_PREFIX << 8) | i);
+                size_t cd_len = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, NULL, 0);
+                if (cd_len == 0)
+                    return SW_EXEC_ERROR();
+                uint8_t *buf = (uint8_t *)calloc(cd_len, sizeof(uint8_t));
+                int r = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, buf, cd_len);
+                flash_write_data_to_file(cd_ef, buf, cd_len);
+                free(buf);
+                if (r == 0)
+                    return SW_EXEC_ERROR();
+                low_flash_available();
+                break;
+            }
+        }
+        return SW_OK();
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_puk_auth.c

@@ -0,0 +1,85 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "files.h"
+#include "cvc.h"
+
+int cmd_puk_auth() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
+        return SW_FILE_NOT_FOUND();
+    uint8_t *puk_data = file_get_data(ef_puk);
+    if (apdu.nc > 0) {
+        if (p1 == 0x0 || p1 == 0x1) {
+            file_t *ef = NULL;
+            if (p1 == 0x0) { /* Add */
+                if (p2 != 0x0)
+                    return SW_INCORRECT_P1P2();
+                for (int i = 0; i < puk_data[0]; i++) {
+                    ef = search_dynamic_file(EF_PUK+i);
+                    if (!ef) /* Never should not happen */
+                        return SW_MEMORY_FAILURE();
+                    if (ef->data == NULL || file_get_size(ef) == 0) /* found first empty slot */
+                        break;
+                }
+                uint8_t *tmp = (uint8_t *)calloc(file_get_size(ef_puk), sizeof(uint8_t));
+                memcpy(tmp, puk_data, file_get_size(ef_puk));
+                tmp[1] = puk_data[1]-1;
+                flash_write_data_to_file(ef_puk, tmp, file_get_size(ef_puk));
+                puk_data = file_get_data(ef_puk);
+                free(tmp);
+            }
+            else if (p1 == 0x1) { /* Replace */
+                if (p2 >= puk_data[0])
+                    return SW_INCORRECT_P1P2();
+                ef = search_dynamic_file(EF_PUK+p2);
+                if (!ef) /* Never should not happen */
+                    return SW_MEMORY_FAILURE();
+            }
+            flash_write_data_to_file(ef, apdu.data, apdu.nc);
+            low_flash_available();
+        }
+        else
+            return SW_INCORRECT_P1P2();
+    }
+    if (p1 == 0x2) {
+        if (p2 >= puk_data[0])
+            return SW_INCORRECT_P1P2();
+        file_t *ef = search_dynamic_file(EF_PUK+p2);
+        if (!ef)
+            return SW_INCORRECT_P1P2();
+        if (ef->data == NULL || file_get_size(ef) == 0)
+            return SW_REFERENCE_NOT_FOUND();
+        size_t chr_len = 0;
+        const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
+        if (chr) {
+            memcpy(res_APDU, chr, chr_len);
+            res_APDU_size = chr_len;
+        }
+        return set_res_sw(0x90, puk_status[p2]);
+    }
+    else {
+        memcpy(res_APDU, puk_data, 3);
+        res_APDU[3] = 0;
+        for (int i = 0; i < puk_data[0]; i++)
+            res_APDU[3] += puk_status[i];
+        res_APDU_size = 4;
+    }
+    return SW_OK();
+}

src/hsm/cmd_read_binary.c

@@ -0,0 +1,90 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+
+int cmd_read_binary() {
+    uint16_t fid = 0x0;
+    uint32_t offset = 0;
+    uint8_t ins = INS(apdu), p1 = P1(apdu), p2 = P2(apdu);
+    const file_t *ef = NULL;
+
+    if ((ins & 0x1) == 0)
+    {
+        if ((p1 & 0x80) != 0) {
+            if (!(ef = search_by_fid(p1&0x1f, NULL, SPECIFY_EF)))
+                return SW_FILE_NOT_FOUND ();
+            offset = p2;
+        }
+        else {
+            offset = make_uint16_t(p1, p2) & 0x7fff;
+            ef = currentEF;
+        }
+    }
+    else {
+        if (p1 == 0 && (p2 & 0xE0) == 0 && (p2 & 0x1f) != 0 && (p2 & 0x1f) != 0x1f) {
+            if (!(ef = search_by_fid(p2&0x1f, NULL, SPECIFY_EF)))
+                return SW_FILE_NOT_FOUND ();
+        }
+        else {
+            uint16_t file_id = make_uint16_t(p1, p2); // & 0x7fff;
+            if (file_id == 0x0)
+                ef = currentEF;
+            else if (!(ef = search_by_fid(file_id, NULL, SPECIFY_EF)) && !(ef = search_dynamic_file(file_id)))
+                return SW_FILE_NOT_FOUND ();
+
+            if (apdu.data[0] != 0x54)
+                return SW_WRONG_DATA();
+
+            offset = 0;
+            for (int d = 0; d < apdu.data[1]; d++)
+                offset |= apdu.data[2+d]<<(apdu.data[1]-1-d)*8;
+        }
+    }
+
+    if ((fid >> 8) == KEY_PREFIX || !authenticate_action(ef, ACL_OP_READ_SEARCH)) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
+    if (ef->data) {
+        if ((ef->type & FILE_DATA_FUNC) == FILE_DATA_FUNC) {
+            uint16_t data_len = ((int (*)(const file_t *, int))(ef->data))((const file_t *)ef, 1); //already copies content to res_APDU
+            if (offset > data_len)
+                return SW_WRONG_P1P2();
+            uint16_t maxle = data_len-offset;
+            if (apdu.ne > maxle)
+                apdu.ne = maxle;
+            if (offset) {
+                memmove(res_APDU, res_APDU+offset, res_APDU_size-offset);
+                //res_APDU += offset;
+                res_APDU_size -= offset;
+            }
+        }
+        else {
+            uint16_t data_len = file_get_size(ef);
+            if (offset > data_len)
+                return SW_WRONG_P1P2();
+
+            uint16_t maxle = data_len-offset;
+            if (apdu.ne > maxle)
+                apdu.ne = maxle;
+            memcpy(res_APDU, file_get_data(ef)+offset, data_len-offset);
+            res_APDU_size = data_len-offset;
+        }
+    }
+
+    return SW_OK();
+}

src/hsm/cmd_reset_retry.c

@@ -0,0 +1,95 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_reset_retry() {
+    if (P2(apdu) != 0x81)
+        return SW_REFERENCE_NOT_FOUND();
+    if (!file_sopin || !file_pin1) {
+        return SW_FILE_NOT_FOUND();
+    }
+    if (!file_sopin->data) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    uint16_t opts = get_device_options();
+    if (!(opts & HSM_OPT_RRC))
+        return SW_COMMAND_NOT_ALLOWED();
+    if (P1(apdu) == 0x0 || P1(apdu) == 0x2) {
+        int newpin_len = 0;
+        if (P1(apdu) == 0x0) {
+            if (apdu.nc <= 8)
+                return SW_WRONG_LENGTH();
+            uint16_t r = check_pin(file_sopin, apdu.data, 8);
+            if (r != 0x9000)
+                return r;
+            newpin_len = apdu.nc-8;
+            has_session_sopin = true;
+            hash_multi(apdu.data, 8, session_sopin);
+        }
+        else if (P1(apdu) == 0x2) {
+            if (!has_session_sopin)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            if (apdu.nc > 16)
+                return SW_WRONG_LENGTH();
+            newpin_len = apdu.nc;
+        }
+        uint8_t dhash[33];
+        dhash[0] = newpin_len;
+        double_hash_pin(apdu.data+(apdu.nc-newpin_len), newpin_len, dhash+1);
+        flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
+        if (pin_reset_retries(file_pin1, true) != CCID_OK)
+            return SW_MEMORY_FAILURE();
+        uint8_t mkek[MKEK_SIZE];
+        int r = load_mkek(mkek); //loads the MKEK with SO pin
+        if (r != CCID_OK)
+            return SW_EXEC_ERROR();
+        hash_multi(apdu.data+(apdu.nc-newpin_len), newpin_len, session_pin);
+        has_session_pin = true;
+        r = store_mkek(mkek);
+        release_mkek(mkek);
+        if (r != CCID_OK)
+            return SW_EXEC_ERROR();
+        low_flash_available();
+        return SW_OK();
+    }
+    else if (P1(apdu) == 0x1 || P1(apdu) == 0x3) {
+        if (!(opts & HSM_OPT_RRC_RESET_ONLY))
+            return SW_COMMAND_NOT_ALLOWED();
+        if (P1(apdu) == 0x1) {
+            if (apdu.nc != 8)
+                return SW_WRONG_LENGTH();
+            uint16_t r = check_pin(file_sopin, apdu.data, 8);
+            if (r != 0x9000)
+                return r;
+            has_session_sopin = true;
+            hash_multi(apdu.data, 8, session_sopin);
+        }
+        else if (P1(apdu) == 0x3) {
+            if (!has_session_sopin)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            if (apdu.nc != 0)
+                return SW_WRONG_LENGTH();
+        }
+        if (pin_reset_retries(file_pin1, true) != CCID_OK)
+            return SW_MEMORY_FAILURE();
+        return SW_OK();
+    }
+    return SW_INCORRECT_P1P2();
+}

src/hsm/cmd_select.c

@@ -0,0 +1,132 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "version.h"
+
+void select_file(file_t *pe) {
+    if (!pe)
+    {
+        currentDF = (file_t *)MF;
+        currentEF = NULL;
+    }
+    else if (pe->type & FILE_TYPE_INTERNAL_EF) {
+        currentEF = pe;
+        currentDF = &file_entries[pe->parent];
+    }
+    else {
+        currentDF = pe;
+    }
+    if (currentEF == file_openpgp || currentEF == file_sc_hsm) {
+        selected_applet = currentEF;
+        //sc_hsm_unload(); //reset auth status
+    }
+}
+
+int cmd_select() {
+    uint8_t p1 = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    file_t *pe = NULL;
+    uint16_t fid = 0x0;
+
+    // Only "first or only occurence" supported
+    //if ((p2 & 0xF3) != 0x00) {
+    //    return SW_INCORRECT_P1P2();
+    //}
+
+    if (apdu.nc >= 2)
+        fid = get_uint16_t(apdu.data, 0);
+
+    //if ((fid & 0xff00) == (KEY_PREFIX << 8))
+    //    fid = (PRKD_PREFIX << 8) | (fid & 0xff);
+
+    uint8_t pfx = fid >> 8;
+    if (pfx == PRKD_PREFIX ||
+        pfx == CD_PREFIX ||
+        pfx == CA_CERTIFICATE_PREFIX ||
+        pfx == KEY_PREFIX ||
+        pfx == EE_CERTIFICATE_PREFIX ||
+        pfx == DCOD_PREFIX ||
+        pfx == DATA_PREFIX ||
+        pfx == PROT_DATA_PREFIX) {
+        if (!(pe = search_dynamic_file(fid)) && !(pe = search_by_fid(fid, NULL, SPECIFY_EF)))
+            return SW_FILE_NOT_FOUND();
+    }
+    if (!pe) {
+        if (p1 == 0x0) { //Select MF, DF or EF - File identifier or absent
+            if (apdu.nc == 0) {
+            	pe = (file_t *)MF;
+            	//ac_fini();
+            }
+            else if (apdu.nc == 2) {
+                if (!(pe = search_by_fid(fid, NULL, SPECIFY_ANY))) {
+                    return SW_FILE_NOT_FOUND();
+                }
+            }
+        }
+        else if (p1 == 0x01) { //Select child DF - DF identifier
+            if (!(pe = search_by_fid(fid, currentDF, SPECIFY_DF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+        else if (p1 == 0x02) { //Select EF under the current DF - EF identifier
+            if (!(pe = search_by_fid(fid, currentDF, SPECIFY_EF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+        else if (p1 == 0x03) { //Select parent DF of the current DF - Absent
+            if (apdu.nc != 0)
+                return SW_FILE_NOT_FOUND();
+        }
+        else if (p1 == 0x04) { //Select by DF name - e.g., [truncated] application identifier
+            if (!(pe = search_by_name(apdu.data, apdu.nc))) {
+                return SW_FILE_NOT_FOUND();
+            }
+            if (card_terminated) {
+                return set_res_sw(0x62, 0x85);
+            }
+        }
+        else if (p1 == 0x08) { //Select from the MF - Path without the MF identifier
+            if (!(pe = search_by_path(apdu.data, apdu.nc, MF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+        else if (p1 == 0x09) { //Select from the current DF - Path without the current DF identifier
+            if (!(pe = search_by_path(apdu.data, apdu.nc, currentDF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+    }
+    if ((p2 & 0xfc) == 0x00 || (p2 & 0xfc) == 0x04) {
+        process_fci(pe,0);
+        if (pe == file_sc_hsm) {
+            res_APDU[res_APDU_size++] = 0x85;
+            res_APDU[res_APDU_size++] = 5;
+            uint16_t opts = get_device_options();
+            res_APDU[res_APDU_size++] = opts >> 8;
+            res_APDU[res_APDU_size++] = opts & 0xff;
+            res_APDU[res_APDU_size++] = 0xFF;
+            res_APDU[res_APDU_size++] = HSM_VERSION_MAJOR;
+            res_APDU[res_APDU_size++] = HSM_VERSION_MINOR;
+            res_APDU[1] = res_APDU_size-2;
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    select_file(pe);
+    return SW_OK ();
+}

src/hsm/cmd_session_pin.c

@@ -0,0 +1,34 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "random.h"
+#include "eac.h"
+
+int cmd_session_pin() {
+    if (P1(apdu) == 0x01 && P2(apdu) == 0x81) {
+        memcpy(sm_session_pin, random_bytes_get(8), 8);
+        sm_session_pin_len = 8;
+
+        memcpy(res_APDU, sm_session_pin, sm_session_pin_len);
+        res_APDU_size = sm_session_pin_len;
+        apdu.ne = sm_session_pin_len;
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_signature.c

@@ -0,0 +1,241 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "asn1.h"
+#include "mbedtls/oid.h"
+#include "random.h"
+
+//-----
+/* From OpenSC */
+static const uint8_t hdr_md5[] = {
+	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+	0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
+};
+static const uint8_t hdr_sha1[] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
+	0x05, 0x00, 0x04, 0x14
+};
+static const uint8_t hdr_sha256[] = {
+	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+};
+static const uint8_t hdr_sha384[] = {
+	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
+};
+static const uint8_t hdr_sha512[] = {
+	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
+};
+static const uint8_t hdr_sha224[] = {
+	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
+};
+static const uint8_t hdr_ripemd160[] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x01,
+	0x05, 0x00, 0x04, 0x14
+};
+static const struct digest_info_prefix {
+	mbedtls_md_type_t algorithm;
+	const uint8_t *	hdr;
+	size_t hdr_len;
+	size_t hash_len;
+} digest_info_prefix[] = {
+      {	MBEDTLS_MD_MD5,	hdr_md5, sizeof(hdr_md5), 16 },
+      { MBEDTLS_MD_SHA1, hdr_sha1, sizeof(hdr_sha1), 20	},
+      { MBEDTLS_MD_SHA256, hdr_sha256, sizeof(hdr_sha256), 32 },
+      { MBEDTLS_MD_SHA384, hdr_sha384, sizeof(hdr_sha384), 48 },
+      { MBEDTLS_MD_SHA512, hdr_sha512, sizeof(hdr_sha512), 64 },
+      { MBEDTLS_MD_SHA224, hdr_sha224, sizeof(hdr_sha224), 28 },
+      { MBEDTLS_MD_RIPEMD160,hdr_ripemd160,	sizeof(hdr_ripemd160), 20 },
+      {	0, NULL, 0,	0 }
+};
+int pkcs1_strip_digest_info_prefix(mbedtls_md_type_t *algorithm, const uint8_t *in_dat, size_t in_len, uint8_t *out_dat, size_t *out_len)
+{
+	for (int i = 0; digest_info_prefix[i].algorithm != 0; i++) {
+		size_t hdr_len = digest_info_prefix[i].hdr_len, hash_len = digest_info_prefix[i].hash_len;
+		const uint8_t *hdr = digest_info_prefix[i].hdr;
+		if (in_len == (hdr_len + hash_len) && !memcmp(in_dat, hdr, hdr_len)) {
+			if (algorithm)
+				*algorithm = digest_info_prefix[i].algorithm;
+			if (out_dat == NULL)
+				return CCID_OK;
+			if (*out_len < hash_len)
+				return CCID_WRONG_DATA;
+			memmove(out_dat, in_dat + hdr_len, hash_len);
+			*out_len = hash_len;
+			return CCID_OK;
+		}
+	}
+	return CCID_EXEC_ERROR;
+}
+//-----
+
+int cmd_signature() {
+    uint8_t key_id = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    mbedtls_md_type_t md = MBEDTLS_MD_NONE;
+    file_t *fkey;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
+        return SW_FILE_NOT_FOUND();
+    if (get_key_counter(fkey) == 0)
+        return SW_FILE_FULL();
+    if (key_has_purpose(fkey, p2) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    int key_size = file_get_size(fkey);
+    if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1)
+        md = MBEDTLS_MD_SHA1;
+    else if (p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS_SHA256 || p2 == ALGO_EC_SHA256)
+        md = MBEDTLS_MD_SHA256;
+    else if (p2 == ALGO_EC_SHA224)
+        md = MBEDTLS_MD_SHA224;
+    if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1 || p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS_SHA256 || p2 == ALGO_EC_SHA256 || p2 == ALGO_EC_SHA224) {
+        generic_hash(md, apdu.data, apdu.nc, apdu.data);
+        apdu.nc = mbedtls_md_get_size(mbedtls_md_info_from_type(md));
+    }
+    if (p2 >= ALGO_RSA_RAW && p2 <= ALGO_RSA_PSS_SHA512) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+
+        int r;
+        r = load_private_key_rsa(&ctx, fkey);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        uint8_t *hash = apdu.data;
+        size_t hash_len = apdu.nc;
+        if (p2 == ALGO_RSA_PKCS1) { //DigestInfo attached
+            size_t nc = apdu.nc;
+            if (pkcs1_strip_digest_info_prefix(&md, apdu.data, apdu.nc, apdu.data, &nc) != CCID_OK) //gets the MD algo id and strips it off
+                return SW_EXEC_ERROR();
+            apdu.nc = nc;
+        }
+        else {
+            //sc_asn1_print_tags(apdu.data, apdu.nc);
+            size_t tout = 0, oid_len = 0;
+            uint8_t *p = NULL, *oid = NULL;
+            if (asn1_find_tag(apdu.data, apdu.nc, 0x30, &tout, &p) && tout > 0 && p != NULL) {
+                size_t tout30 = 0;
+                uint8_t *c30 = NULL;
+                if (asn1_find_tag(p, tout, 0x30, &tout30, &c30) && tout30 > 0 && c30 != NULL) {
+                    asn1_find_tag(c30, tout30, 0x6, &oid_len, &oid);
+                }
+                asn1_find_tag(p, tout, 0x4, &hash_len, &hash);
+            }
+            if (oid && oid_len > 0) {
+                if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA1, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA1;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA224, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA224;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA256, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA256;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA384, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA384;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA512, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA512;
+            }
+            if (p2 >= ALGO_RSA_PSS && p2 <= ALGO_RSA_PSS_SHA512) {
+                if (p2 == ALGO_RSA_PSS && !oid) {
+                    if (apdu.nc == 20) //default is sha1
+                        md = MBEDTLS_MD_SHA1;
+                    else if (apdu.nc == 28)
+                        md = MBEDTLS_MD_SHA224;
+                    else if (apdu.nc == 32)
+                        md = MBEDTLS_MD_SHA256;
+                    else if (apdu.nc == 48)
+                        md = MBEDTLS_MD_SHA384;
+                    else if (apdu.nc == 64)
+                        md = MBEDTLS_MD_SHA512;
+                }
+                mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, md);
+            }
+        }
+        if (md == MBEDTLS_MD_NONE) {
+            if (apdu.nc < key_size) //needs padding
+                memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
+            r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
+        }
+        else {
+            uint8_t *signature = (uint8_t *)calloc(key_size, sizeof(uint8_t));
+            r = mbedtls_rsa_pkcs1_sign(&ctx, random_gen, NULL, md, hash_len, hash, signature);
+            memcpy(res_APDU, signature, key_size);
+            free(signature);
+        }
+        if (r != 0) {
+            mbedtls_rsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        res_APDU_size = key_size;
+        apdu.ne = key_size;
+        mbedtls_rsa_free(&ctx);
+    }
+    else if (p2 >= ALGO_EC_RAW && p2 <= ALGO_EC_SHA512) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+        md = MBEDTLS_MD_SHA256;
+        if (p2 == ALGO_EC_RAW) {
+            if (apdu.nc == 32)
+                md = MBEDTLS_MD_SHA256;
+            else if (apdu.nc == 20)
+                md = MBEDTLS_MD_SHA1;
+            else if (apdu.nc == 28)
+                md = MBEDTLS_MD_SHA224;
+            else if (apdu.nc == 48)
+                md = MBEDTLS_MD_SHA384;
+            else if (apdu.nc == 64)
+                md = MBEDTLS_MD_SHA512;
+        }
+        if (p2 == ALGO_EC_SHA1)
+            md = MBEDTLS_MD_SHA1;
+        else if (p2 == ALGO_EC_SHA224)
+            md = MBEDTLS_MD_SHA224;
+        else if (p2 == ALGO_EC_SHA256)
+            md = MBEDTLS_MD_SHA256;
+        else if (p2 == ALGO_EC_SHA384)
+            md = MBEDTLS_MD_SHA384;
+        else if (p2 == ALGO_EC_SHA512)
+            md = MBEDTLS_MD_SHA512;
+        int r;
+        r = load_private_key_ecdsa(&ctx, fkey);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        size_t olen = 0;
+        uint8_t buf[MBEDTLS_ECDSA_MAX_LEN];
+        if (mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN, &olen, random_gen, NULL) != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        memcpy(res_APDU, buf, olen);
+        res_APDU_size = olen;
+        mbedtls_ecdsa_free(&ctx);
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    decrement_key_counter(fkey);
+    return SW_OK();
+}

src/hsm/cmd_update_ef.c

@@ -0,0 +1,86 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "asn1.h"
+
+extern void select_file(file_t *pe);
+
+int cmd_update_ef() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    uint16_t fid = (p1 << 8) | p2;
+    uint8_t *data = NULL;
+    uint16_t offset = 0;
+    uint16_t data_len = 0;
+    file_t *ef = NULL;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (fid == 0x0)
+        ef = currentEF;
+    else if (p1 != EE_CERTIFICATE_PREFIX && p1 != PRKD_PREFIX && p1 != CA_CERTIFICATE_PREFIX && p1 != CD_PREFIX && p1 != DATA_PREFIX && p1 != DCOD_PREFIX && p1 != PROT_DATA_PREFIX)
+        return SW_INCORRECT_P1P2();
+
+    if (ef && !authenticate_action(ef, ACL_OP_UPDATE_ERASE))
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+
+    uint16_t tag = 0x0;
+    uint8_t *tag_data = NULL, *p = NULL;
+    size_t tag_len = 0;
+    while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+        if (tag == 0x54) { //ofset tag
+            for (int i = 1; i <= tag_len; i++)
+                offset |= (*tag_data++ << (8*(tag_len-i)));
+        }
+        else if (tag == 0x53) { //data
+            data_len = tag_len;
+            data = tag_data;
+        }
+    }
+    if (data_len == 0 && offset == 0) { //new file
+        ef = file_new(fid);
+        //if ((fid & 0xff00) == (EE_CERTIFICATE_PREFIX << 8))
+        //    add_file_to_chain(ef, &ef_pukdf);
+        select_file(ef);
+    }
+    else {
+        if (fid == 0x0 && !ef)
+            return SW_FILE_NOT_FOUND();
+        else if (fid != 0x0 && !(ef = search_by_fid(fid, NULL, SPECIFY_EF)) && !(ef = search_dynamic_file(fid))) { //if does not exist, create it
+            //return SW_FILE_NOT_FOUND();
+            ef = file_new(fid);
+        }
+        if (offset == 0) {
+            int r = flash_write_data_to_file(ef, data, data_len);
+            if (r != CCID_OK)
+                return SW_MEMORY_FAILURE();
+        }
+        else {
+            if (!ef->data)
+                return SW_DATA_INVALID();
+
+            uint8_t *data_merge = (uint8_t *)calloc(1, offset+data_len);
+            memcpy(data_merge, file_get_data(ef), offset);
+            memcpy(data_merge+offset, data, data_len);
+            int r = flash_write_data_to_file(ef, data_merge, offset+data_len);
+            free(data_merge);
+            if (r != CCID_OK)
+                return SW_MEMORY_FAILURE();
+        }
+        low_flash_available();
+    }
+    return SW_OK();
+}

src/hsm/cmd_verify.c

@@ -0,0 +1,58 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+
+int cmd_verify() {
+    uint8_t p1 = P1(apdu);
+    uint8_t p2 = P2(apdu);
+
+    if (p1 != 0x0 || (p2 & 0x60) != 0x0)
+        return SW_WRONG_P1P2();
+
+    if (p2 == 0x81) { //UserPin
+        uint16_t opts = get_device_options();
+        if (opts & HSM_OPT_TRANSPORT_PIN)
+            return SW_DATA_INVALID();
+        if (has_session_pin && apdu.nc == 0)
+            return SW_OK();
+        if (*file_get_data(file_pin1) == 0 && pka_enabled() == false) //not initialized
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.nc > 0) {
+            return check_pin(file_pin1, apdu.data, apdu.nc);
+        }
+        if (file_read_uint8(file_get_data(file_retries_pin1)) == 0)
+            return SW_PIN_BLOCKED();
+        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_pin1)));
+    }
+    else if (p2 == 0x88) { //SOPin
+        if (file_read_uint8(file_get_data(file_sopin)) == 0) //not initialized
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.nc > 0) {
+            return check_pin(file_sopin, apdu.data, apdu.nc);
+        }
+        if (file_read_uint8(file_get_data(file_retries_sopin)) == 0)
+            return SW_PIN_BLOCKED();
+        if (has_session_sopin)
+            return SW_OK();
+        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_sopin)));
+    }
+    else if (p2 == 0x85) {
+        return SW_OK();
+    }
+    return SW_REFERENCE_NOT_FOUND();
+}

src/hsm/cvc.c

@@ -1,32 +1,35 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
 #include "common.h"
 #include "cvc.h"
+#include "sc_hsm.h"
 #include "mbedtls/rsa.h"
 #include "mbedtls/ecdsa.h"
-#include "cvcerts.h"
 #include <string.h>
 #include "asn1.h"
-#include "ccid2040.h"
 #include "crypto_utils.h"
 #include "random.h"
 #include "oid.h"
 #include "mbedtls/md.h"
+#include "files.h"
+
+extern const uint8_t *dev_name;
+extern size_t dev_name_len;
 
 size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t buf_len) {
     const uint8_t oid_rsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x01, 0x02 };
@@ -109,36 +112,39 @@ size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, siz
     return tot_len;
 }
 
-size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
     size_t pubkey_size = 0;
     if (key_type == HSM_KEY_RSA)
         pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0);
     else if (key_type == HSM_KEY_EC)
         pubkey_size = asn1_cvc_public_key_ecdsa(rsa_ecdsa, NULL, 0);
     size_t cpi_size = 4;
-    
+    size_t ext_size = 0;
+    if (ext && ext_len > 0)
+        ext_size = asn1_len_tag(0x65, ext_len);
+
     uint8_t *car = NULL, *chr = NULL;
     size_t lencar = 0, lenchr = 0;
-    
+
     if (asn1_find_tag(apdu.data, apdu.nc, 0x42, &lencar, &car) == false || lencar == 0 || car == NULL) {
-        car = (uint8_t *)"UTSRCACC100001";
-        lencar = strlen((char *)car);
+        car = (uint8_t *)dev_name;
+        lencar = dev_name_len;
     }
     if (asn1_find_tag(apdu.data, apdu.nc, 0x5f20, &lenchr, &chr) == false || lenchr == 0 || chr == NULL) {
-        chr = (uint8_t *)"ESHSMCVCA00001";
-        lenchr = strlen((char *)chr);
+        chr = (uint8_t *)dev_name;
+        lenchr = dev_name_len;
     }
     size_t car_size = asn1_len_tag(0x42, lencar), chr_size = asn1_len_tag(0x5f20, lenchr);
-    
-    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size+car_size+pubkey_size+chr_size);
-    
+
+    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size+car_size+pubkey_size+chr_size+ext_size);
+
     if (buf_len == 0 || buf == NULL)
         return tot_len;
     if (buf_len < tot_len)
         return 0;
     uint8_t *p = buf;
     memcpy(p, "\x7F\x4E", 2); p += 2;
-    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size, p);
+    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size+ext_size, p);
     //cpi
     *p++ = 0x5f; *p++ = 0x29; *p++ = 1; *p++ = 0;
     //car
@@ -150,16 +156,22 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_
         p += asn1_cvc_public_key_ecdsa(rsa_ecdsa, p, pubkey_size);
     //chr
     *p++ = 0x5f; *p++ = 0x20; p += format_tlv_len(lenchr, p); memcpy(p, chr, lenchr); p += lenchr;
+    if (ext && ext_len > 0) {
+        *p++ = 0x65;
+        p += format_tlv_len(ext_len, p);
+        memcpy(p, ext, ext_len);
+        p += ext_len;
+    }
     return tot_len;
 }
 
-size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
     size_t key_size = 0;
     if (key_type == HSM_KEY_RSA)
         key_size = mbedtls_mpi_size(&((mbedtls_rsa_context *)rsa_ecdsa)->N);
     else if (key_type == HSM_KEY_EC)
         key_size = 2*mbedtls_mpi_size(&((mbedtls_ecdsa_context *)rsa_ecdsa)->d);
-    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0), sig_size = asn1_len_tag(0x5f37, key_size);
+    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len), sig_size = asn1_len_tag(0x5f37, key_size);
     size_t tot_len = asn1_len_tag(0x7f21, body_size+sig_size);
     if (buf_len == 0 || buf == NULL)
         return tot_len;
@@ -169,8 +181,7 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
     memcpy(p, "\x7F\x21", 2); p += 2;
     p += format_tlv_len(body_size+sig_size, p);
     body = p;
-    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size);
-    
+    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size, ext, ext_len);
     uint8_t hsh[32];
     hash256(body, body_size, hsh);
     memcpy(p, "\x5F\x37", 2); p += 2;
@@ -200,12 +211,21 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
     return p-buf;
 }
 
-size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
-    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0);
-    size_t outcar_len = 0;
-    const uint8_t *outcar = cvc_get_chr((uint8_t *)termca+2, (termca[1] << 8) | termca[0], &outcar_len);
+size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
+    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0, ext, ext_len);
+    size_t outcar_len = dev_name_len;
+    const uint8_t *outcar = dev_name;
     size_t outcar_size = asn1_len_tag(0x42, outcar_len);
-    int key_size = 2*file_read_uint16(termca_pk), ret = 0;
+    file_t *fkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
+    if (!fkey)
+        return 0;
+    mbedtls_ecdsa_context ectx;
+    mbedtls_ecdsa_init(&ectx);
+    if (load_private_key_ecdsa(&ectx, fkey) != CCID_OK) {
+        mbedtls_ecdsa_free(&ectx);
+        return 0;
+    }
+    int ret = 0, key_size = 2*mbedtls_mpi_size(&ectx.d);
     size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67, cvcert_size+outcar_size+outsig_size);
     if (buf_len == 0 || buf == NULL)
         return tot_len;
@@ -216,13 +236,9 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
     p += format_tlv_len(cvcert_size+outcar_size+outsig_size, p);
     uint8_t *body = p;
     //cvcert
-    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size);
+    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size, ext, ext_len);
     //outcar
     *p++ = 0x42; p += format_tlv_len(outcar_len, p); memcpy(p, outcar, outcar_len); p += outcar_len;
-    mbedtls_ecdsa_context ctx;
-    mbedtls_ecdsa_init(&ctx);
-    if (mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP192R1, &ctx, termca_pk+2, file_read_uint16(termca_pk)) != 0)
-        return 0;
     uint8_t hsh[32];
     memcpy(p, "\x5f\x37", 2); p += 2;
     p += format_tlv_len(key_size, p);
@@ -230,8 +246,8 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
     mbedtls_mpi r, s;
     mbedtls_mpi_init(&r);
     mbedtls_mpi_init(&s);
-    ret = mbedtls_ecdsa_sign(&ctx.grp, &r, &s, &ctx.d, hsh, sizeof(hsh), random_gen, NULL);
-    mbedtls_ecdsa_free(&ctx);
+    ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL);
+    mbedtls_ecdsa_free(&ectx);
     if (ret != 0) {
         mbedtls_mpi_free(&r);
         mbedtls_mpi_free(&s);
@@ -266,14 +282,14 @@ size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const
     *p++ = 0x3;
     p += format_tlv_len(opt_len, p);
     memcpy(p, "\x06\x40", 2); p += 2;
-    
+
     //Seq 2
     *p++ = 0x30;
     p += format_tlv_len(asn1_len_tag(0x4, 20), p);
     *p++ = 0x4;
     p += format_tlv_len(20, p);
     mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), puk, puk_len, p);  p += 20;
-    
+
     //Seq 3
     *p++ = 0xA1;
     p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t)))), p);
@@ -288,6 +304,51 @@ size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const
     return p-buf;
 }
 
+size_t asn1_build_prkd_ecc(const uint8_t *label, size_t label_len, const uint8_t *keyid, size_t keyid_len, size_t keysize, uint8_t *buf, size_t buf_len) {
+    size_t seq1_size = asn1_len_tag(0x30, asn1_len_tag(0xC, label_len));
+    size_t seq2_size = asn1_len_tag(0x30, asn1_len_tag(0x4, keyid_len)+asn1_len_tag(0x3, 3));
+    size_t seq3_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2)));
+    size_t tot_len = asn1_len_tag(0xA0, seq1_size+seq2_size+seq3_size);
+    if (buf_len == 0 || buf == NULL)
+        return tot_len;
+    if (buf_len < tot_len)
+        return 0;
+    uint8_t *p = buf;
+    *p++ = 0xA0;
+    p += format_tlv_len(seq1_size+seq2_size+seq3_size, p);
+    //Seq 1
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0xC, label_len), p);
+    *p++ = 0xC;
+    p += format_tlv_len(label_len, p);
+    memcpy(p, label, label_len); p += label_len;
+
+    //Seq 2
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0x4, keyid_len)+asn1_len_tag(0x3, 3), p);
+    *p++ = 0x4;
+    p += format_tlv_len(keyid_len, p);
+    memcpy(p, keyid, keyid_len); p += keyid_len;
+    *p++ = 0x3;
+    p += format_tlv_len(3, p);
+    memcpy(p, "\x07\x20\x80", 3); p += 3;
+
+    //Seq 3
+    *p++ = 0xA1;
+    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2)), p);
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2), p);
+    *p++ = 0x30;
+    p += format_tlv_len(asn1_len_tag(0x4, 0), p);
+    *p++ = 0x4;
+    p += format_tlv_len(0, p);
+    *p++ = 0x2;
+    p += format_tlv_len(2, p);
+    *p++ = (keysize >> 8) & 0xff;
+    *p++ = keysize & 0xff;
+    return p-buf;
+}
+
 const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag) {
     uint8_t *rdata = NULL;
     if (data == NULL || len == 0)
@@ -338,6 +399,13 @@ const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen) {
     return NULL;
 }
 
+const uint8_t *cvc_get_ext(const uint8_t *data, size_t len, size_t *olen) {
+    if ((data = cvc_get_body(data, len, olen)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x65);
+    }
+    return NULL;
+}
+
 extern PUK puk_store[MAX_PUK_STORE_ENTRIES];
 extern int puk_store_entries;
 
@@ -375,7 +443,7 @@ mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len) {
     const uint8_t *t81 = cvc_get_field(ca_puk, ca_puk_len, &t81_len, 0x81);
     if (!t81)
         return MBEDTLS_ECP_DP_NONE;
-    
+
     return ec_get_curve_from_prime(t81, t81_len);
 }
 
@@ -396,11 +464,11 @@ int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t h
         mbedtls_rsa_context rsa;
         mbedtls_rsa_init(&rsa);
         mbedtls_md_type_t md = MBEDTLS_MD_NONE;
-        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)
             md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0)
             md = MBEDTLS_MD_SHA512;
         else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0) {
             md = MBEDTLS_MD_SHA1;
@@ -445,19 +513,19 @@ int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t h
     }
     else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
         mbedtls_md_type_t md = MBEDTLS_MD_NONE;
-        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_ECDSA_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_224, oid_len) == 0)
             md = MBEDTLS_MD_SHA224;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256, oid_len) == 0)
             md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_384, oid_len) == 0)
             md = MBEDTLS_MD_SHA384;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_512, oid_len) == 0)
             md = MBEDTLS_MD_SHA512;
-        if (md == MBEDTLS_MD_NONE) 
+        if (md == MBEDTLS_MD_NONE)
             return CCID_WRONG_DATA;
-        
+
         size_t t86_len = 0;
         const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
         if (!t86)
@@ -526,11 +594,11 @@ int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t c
         return CCID_WRONG_DATA;
     mbedtls_md_type_t md = MBEDTLS_MD_NONE;
     if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
-        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)
             md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0)
             md = MBEDTLS_MD_SHA512;
         else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
@@ -540,18 +608,18 @@ int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t c
             md = MBEDTLS_MD_SHA512;
     }
     else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
-        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_ECDSA_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_224, oid_len) == 0)
             md = MBEDTLS_MD_SHA224;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256, oid_len) == 0)
             md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_384, oid_len) == 0)
             md = MBEDTLS_MD_SHA384;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_512, oid_len) == 0)
             md = MBEDTLS_MD_SHA512;
     }
-    if (md == MBEDTLS_MD_NONE) 
+    if (md == MBEDTLS_MD_NONE)
         return CCID_WRONG_DATA;
     const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md);
     uint8_t hash[64], hash_len = mbedtls_md_get_size(md_info);

src/hsm/cvc.h

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
@@ -36,15 +36,17 @@ typedef struct PUK {
 
 #define MAX_PUK_STORE_ENTRIES 4
 
-extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
-extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
+extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len);
+extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len);
 extern size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len);
 extern const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag);
 extern const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
+extern const uint8_t *cvc_get_ext(const uint8_t *data, size_t len, size_t *olen);
 extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
 extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
 extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);
+extern size_t asn1_build_prkd_ecc(const uint8_t *label, size_t label_len, const uint8_t *keyid, size_t keyid_len, size_t keysize, uint8_t *buf, size_t buf_len);
 
 #endif

src/hsm/files.c

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
@@ -19,13 +19,12 @@
 
 extern const uint8_t sc_hsm_aid[];
 extern int parse_token_info(const file_t *f, int mode);
-extern int parse_cvca(const file_t *f, int mode);
 
 file_t file_entries[] = {
     /*  0 */ { .fid = 0x3f00    , .parent = 0xff, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = {0} }, // MF
     /*  1 */ { .fid = 0x2f00    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.DIR
     /*  2 */ { .fid = 0x2f01    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.ATR
-    /*  3 */ { .fid = 0x2f02    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,.data = (uint8_t *)parse_cvca, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.GDO
+    /*  3 */ { .fid = EF_TERMCA , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.GDO
     /*  4 */ { .fid = 0x2f03    , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,.data = (uint8_t *)parse_token_info, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.TokenInfo
     /*  5 */ { .fid = 0x5015    , .parent = 0, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = {0} }, //DF.PKCS15
     /*  6 */ { .fid = 0x5031    , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.ODF
@@ -47,9 +46,14 @@ file_t file_entries[] = {
     /* 22 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Key domain options
     /* 23 */ { .fid = EF_META   , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //EF.CDFs
     /* 24 */ { .fid = EF_PUKAUT, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Public Key Authentication
-    ///* 25 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
-    /* 26 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
-    /* 27 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
+    /* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Device Key
+    /* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //PrKD Device
+    /* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //End Entity Certificate Device
+    /* 28 */ { .fid = EF_MKEK , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //MKEK
+    /* 29 */ { .fid = EF_MKEK_SO , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //MKEK with SO-PIN
+    ///* 30 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 31 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 32 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
 };
 
 const file_t *MF = &file_entries[0];

src/hsm/files.h

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
@@ -22,6 +22,9 @@
 #include "file.h"
 
 #define EF_DEVOPS       0x100E
+#define EF_MKEK         0x100A
+#define EF_MKEK_SO      0x100B
+#define EF_XKEK         0x1080
 #define EF_DKEK         0x1090
 #define EF_KEY_DOMAIN   0x10A0
 #define EF_PUKAUT       0x10C0
@@ -33,6 +36,12 @@
 #define EF_DODFS        0x6044
 #define EF_SKDFS        0x6045
 
+#define EF_KEY_DEV      0xCC00
+#define EF_PRKD_DEV     0xC400
+#define EF_EE_DEV       0xCE00
+
+#define EF_TERMCA       0x2f02
+
 extern file_t *file_pin1;
 extern file_t *file_retries_pin1;
 extern file_t *file_sopin;

src/hsm/kek.c

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
@@ -19,7 +19,7 @@
 #include "common.h"
 #include "stdlib.h"
 #include "pico/stdlib.h"
-#include "dkek.h"
+#include "kek.h"
 #include "crypto_utils.h"
 #include "random.h"
 #include "sc_hsm.h"
@@ -29,8 +29,8 @@
 #include "mbedtls/ecdsa.h"
 #include "files.h"
 
-extern bool has_session_pin;
-extern uint8_t session_pin[32];
+extern bool has_session_pin, has_session_sopin;
+extern uint8_t session_pin[32], session_sopin[32];
 
 #define POLY 0xedb88320
 
@@ -45,49 +45,110 @@ uint32_t crc32c(const uint8_t *buf, size_t len)
     return ~crc;
 }
 
-int load_dkek(uint8_t id, uint8_t *dkek) {
-    if (has_session_pin == false)
+int load_mkek(uint8_t *mkek) {
+    if (has_session_pin == false && has_session_sopin == false)
         return CCID_NO_LOGIN;
-    file_t *tf = search_dynamic_file(EF_DKEK+id);
-    if (!tf)
-        return CCID_ERR_FILE_NOT_FOUND;
-    memcpy(dkek, file_get_data(tf), DKEK_SIZE);
-    int ret = aes_decrypt_cfb_256(session_pin, DKEK_IV(dkek), DKEK_KEY(dkek), DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE);
+    const uint8_t *pin = NULL;
+    if (pin == NULL && has_session_pin == true) {
+        file_t *tf = search_by_fid(EF_MKEK, NULL, SPECIFY_EF);
+        if (tf) {
+            memcpy(mkek, file_get_data(tf), MKEK_SIZE);
+            pin = session_pin;
+        }
+    }
+    if (pin == NULL && has_session_sopin == true) {
+        file_t *tf = search_by_fid(EF_MKEK_SO, NULL, SPECIFY_EF);
+        if (tf) {
+            memcpy(mkek, file_get_data(tf), MKEK_SIZE);
+            pin = session_sopin;
+        }
+    }
+    if (pin == NULL) //Should never happen
+        return CCID_EXEC_ERROR;
+    int ret = aes_decrypt_cfb_256(pin, MKEK_IV(mkek), MKEK_KEY(mkek), MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE);
     if (ret != 0)
         return CCID_EXEC_ERROR;
-    if (crc32c(DKEK_KEY(dkek), DKEK_KEY_SIZE) != *(uint32_t*)DKEK_CHECKSUM(dkek))
+    if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *)MKEK_CHECKSUM(mkek))
         return CCID_WRONG_DKEK;
     return CCID_OK;
 }
 
-void release_dkek(uint8_t *dkek) {
-    memset(dkek, 0, DKEK_SIZE);
+int load_dkek(uint8_t id, uint8_t *dkek) {
+    file_t *tf = search_dynamic_file(EF_DKEK+id);
+    if (!tf)
+        return CCID_ERR_FILE_NOT_FOUND;
+    memcpy(dkek, file_get_data(tf), DKEK_KEY_SIZE);
+    return mkek_decrypt(dkek, DKEK_KEY_SIZE);
+}
+
+void release_mkek(uint8_t *mkek) {
+    mbedtls_platform_zeroize(mkek, MKEK_SIZE);
+}
+
+int store_mkek(const uint8_t *mkek) {
+    if (has_session_pin == false && has_session_sopin == false)
+        return CCID_NO_LOGIN;
+    uint8_t tmp_mkek[MKEK_SIZE];
+    if (mkek == NULL) {
+        const uint8_t *rd = random_bytes_get(MKEK_IV_SIZE+MKEK_KEY_SIZE);
+        memcpy(tmp_mkek, rd, MKEK_IV_SIZE+MKEK_KEY_SIZE);
+    }
+    else
+        memcpy(tmp_mkek, mkek, MKEK_SIZE);
+    *(uint32_t*)MKEK_CHECKSUM(tmp_mkek) = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE);
+    if (has_session_pin) {
+        uint8_t tmp_mkek_pin[MKEK_SIZE];
+        memcpy(tmp_mkek_pin, tmp_mkek, MKEK_SIZE);
+        file_t *tf = search_by_fid(EF_MKEK, NULL, SPECIFY_EF);
+        if (!tf) {
+            release_mkek(tmp_mkek);
+            release_mkek(tmp_mkek_pin);
+            return CCID_ERR_FILE_NOT_FOUND;
+        }
+        aes_encrypt_cfb_256(session_pin, MKEK_IV(tmp_mkek_pin), MKEK_KEY(tmp_mkek_pin), MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE);
+        flash_write_data_to_file(tf, tmp_mkek_pin, MKEK_SIZE);
+        release_mkek(tmp_mkek_pin);
+    }
+    if (has_session_sopin) {
+        uint8_t tmp_mkek_sopin[MKEK_SIZE];
+        memcpy(tmp_mkek_sopin, tmp_mkek, MKEK_SIZE);
+        file_t *tf = search_by_fid(EF_MKEK_SO, NULL, SPECIFY_EF);
+        if (!tf) {
+            release_mkek(tmp_mkek);
+            release_mkek(tmp_mkek_sopin);
+            return CCID_ERR_FILE_NOT_FOUND;
+        }
+        aes_encrypt_cfb_256(session_sopin, MKEK_IV(tmp_mkek_sopin), MKEK_KEY(tmp_mkek_sopin), MKEK_KEY_SIZE + MKEK_KEY_CS_SIZE);
+        flash_write_data_to_file(tf, tmp_mkek_sopin, MKEK_SIZE);
+        release_mkek(tmp_mkek_sopin);
+    }
+    low_flash_available();
+    release_mkek(tmp_mkek);
+    return CCID_OK;
 }
 
 int store_dkek_key(uint8_t id, uint8_t *dkek) {
     file_t *tf = search_dynamic_file(EF_DKEK+id);
     if (!tf)
         return CCID_ERR_FILE_NOT_FOUND;
-    *(uint32_t*)DKEK_CHECKSUM(dkek) = crc32c(DKEK_KEY(dkek), DKEK_KEY_SIZE);
-    aes_encrypt_cfb_256(session_pin, DKEK_IV(dkek), DKEK_KEY(dkek), DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE);
-    flash_write_data_to_file(tf, dkek, DKEK_SIZE);
+    int r = mkek_encrypt(dkek, DKEK_KEY_SIZE);
+    if (r != CCID_OK)
+        return r;
+    flash_write_data_to_file(tf, dkek, DKEK_KEY_SIZE);
     low_flash_available();
-    release_dkek(dkek);
     return CCID_OK;
 }
 
 int save_dkek_key(uint8_t id, const uint8_t *key) {
-    uint8_t dkek[DKEK_SIZE];
-    const uint8_t *iv = random_bytes_get(32);
-    memcpy(dkek, iv, DKEK_IV_SIZE);
+    uint8_t dkek[DKEK_KEY_SIZE];
     if (!key) {
         file_t *tf = search_dynamic_file(EF_DKEK+id);
         if (!tf)
             return CCID_ERR_FILE_NOT_FOUND;
-        memcpy(DKEK_KEY(dkek), file_get_data(tf), DKEK_KEY_SIZE);
+        memcpy(dkek, file_get_data(tf), DKEK_KEY_SIZE);
     }
     else
-        memcpy(DKEK_KEY(dkek), key, DKEK_KEY_SIZE);
+        memcpy(dkek, key, DKEK_KEY_SIZE);
     return store_dkek_key(id, dkek);
 }
 
@@ -107,87 +168,89 @@ int import_dkek_share(uint8_t id, const uint8_t *share) {
 }
 
 int dkek_kcv(uint8_t id, uint8_t *kcv) { //kcv 8 bytes
-    uint8_t hsh[32], dkek[DKEK_SIZE];
+    uint8_t hsh[32], dkek[DKEK_KEY_SIZE];
+    memset(kcv, 0, 8);
+    memset(hsh, 0, sizeof(hsh));
     int r = load_dkek(id, dkek);
     if (r != CCID_OK)
         return r;
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE, hsh);
-    release_dkek(dkek);
+    hash256(dkek, DKEK_KEY_SIZE, hsh);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
     memcpy(kcv, hsh, 8);
     return CCID_OK;
 }
 
 int dkek_kenc(uint8_t id, uint8_t *kenc) { //kenc 32 bytes
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t dkek[DKEK_KEY_SIZE+4];
+    memset(kenc, 0, 32);
     int r = load_dkek(id, dkek);
     if (r != CCID_OK)
         return r;
-    memcpy(DKEK_KEY(dkek)+DKEK_KEY_SIZE, "\x0\x0\x0\x1", 4);
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE+4, kenc);
-    release_dkek(dkek);
+    memcpy(dkek+DKEK_KEY_SIZE, "\x0\x0\x0\x1", 4);
+    hash256(dkek, sizeof(dkek), kenc);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
     return CCID_OK;
 }
 
 int dkek_kmac(uint8_t id, uint8_t *kmac) { //kmac 32 bytes
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t dkek[DKEK_KEY_SIZE+4];
+    memset(kmac, 0, 32);
     int r = load_dkek(id, dkek);
     if (r != CCID_OK)
         return r;
-    memcpy(DKEK_KEY(dkek)+DKEK_KEY_SIZE, "\x0\x0\x0\x2", 4);
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE+4, kmac);
-    release_dkek(dkek);
+    memcpy(dkek+DKEK_KEY_SIZE, "\x0\x0\x0\x2", 4);
+    hash256(dkek, DKEK_KEY_SIZE+4, kmac);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
     return CCID_OK;
 }
 
-int dkek_encrypt(uint8_t id, uint8_t *data, size_t len) {
+int mkek_encrypt(uint8_t *data, size_t len) {
     int r;
-    uint8_t dkek[DKEK_SIZE+4];
-    if ((r = load_dkek(id, dkek)) != CCID_OK)
+    uint8_t mkek[MKEK_SIZE+4];
+    if ((r = load_mkek(mkek)) != CCID_OK)
         return r;
-    r = aes_encrypt_cfb_256(DKEK_KEY(dkek), DKEK_IV(dkek), data, len);
-    release_dkek(dkek);
+    r = aes_encrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), data, len);
+    release_mkek(mkek);
     return r;
 }
 
-int dkek_decrypt(uint8_t id, uint8_t *data, size_t len) {
+int mkek_decrypt(uint8_t *data, size_t len) {
     int r;
-    uint8_t dkek[DKEK_SIZE+4];
-    if ((r = load_dkek(id, dkek)) != CCID_OK)
+    uint8_t mkek[MKEK_SIZE+4];
+    if ((r = load_mkek(mkek)) != CCID_OK)
         return r;
-    r = aes_decrypt_cfb_256(DKEK_KEY(dkek), DKEK_IV(dkek), data, len);
-    release_dkek(dkek);
+    r = aes_decrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), data, len);
+    release_mkek(mkek);
     return r;
 }
 
-int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_t *out_len) {
+int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_t *out_len, const uint8_t *allowed, size_t allowed_len) {
     if (!(key_type & HSM_KEY_RSA) && !(key_type & HSM_KEY_EC) && !(key_type & HSM_KEY_AES))
         return CCID_WRONG_DATA;
-        
+
     uint8_t kb[8+2*4+2*4096/8+3+13]; //worst case: RSA-4096  (plus, 13 bytes padding)
     memset(kb, 0, sizeof(kb));
     int kb_len = 0, r = 0;
     uint8_t *algo = NULL;
     uint8_t algo_len = 0;
-    uint8_t *allowed = NULL;
-    uint8_t allowed_len = 0;
     uint8_t kenc[32];
     memset(kenc, 0, sizeof(kenc));
     r = dkek_kenc(id, kenc);
     if (r != CCID_OK)
         return r;
-    
+
     uint8_t kcv[8];
     memset(kcv, 0, sizeof(kcv));
     r = dkek_kcv(id, kcv);
     if (r != CCID_OK)
         return r;
-    
+
     uint8_t kmac[32];
     memset(kmac, 0, sizeof(kmac));
     r = dkek_kmac(id, kmac);
     if (r != CCID_OK)
         return r;
-    
+
     if (key_type & HSM_KEY_AES) {
         if (key_type & HSM_KEY_AES_128)
             kb_len = 16;
@@ -195,40 +258,38 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
             kb_len = 24;
         else if (key_type & HSM_KEY_AES_256)
             kb_len = 32;
-            
+
         if (kb_len != 16 && kb_len != 24 && kb_len != 32)
             return CCID_WRONG_DATA;
         if (*out_len < 8+1+10+6+4+(2+32+14)+16)
             return CCID_WRONG_LENGTH;
-        
+
         put_uint16_t(kb_len, kb+8);
         memcpy(kb+10, key_ctx, kb_len);
         kb_len += 2;
-        
+
         algo = (uint8_t *)"\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01"; //2.16.840.1.101.3.4.1 (2+8)
         algo_len = 10;
-        allowed = (uint8_t *)"\x00\x04\x10\x11\x18\x99"; //(2+4)
-        allowed_len = 6;
     }
     else if (key_type & HSM_KEY_RSA) {
-        if (*out_len < 8+1+12+6+(8+2*4+2*4096/8+3+13)+16) //13 bytes pading 
+        if (*out_len < 8+1+12+6+(8+2*4+2*4096/8+3+13)+16) //13 bytes pading
             return CCID_WRONG_LENGTH;
         mbedtls_rsa_context *rsa = (mbedtls_rsa_context *)key_ctx;
         kb_len = 0;
         put_uint16_t(mbedtls_rsa_get_len(rsa)*8, kb+8+kb_len); kb_len += 2;
-        
+
         put_uint16_t(mbedtls_mpi_size(&rsa->D), kb+8+kb_len); kb_len += 2;
         mbedtls_mpi_write_binary(&rsa->D, kb+8+kb_len, mbedtls_mpi_size(&rsa->D)); kb_len += mbedtls_mpi_size(&rsa->D);
         put_uint16_t(mbedtls_mpi_size(&rsa->N), kb+8+kb_len); kb_len += 2;
         mbedtls_mpi_write_binary(&rsa->N, kb+8+kb_len, mbedtls_mpi_size(&rsa->N)); kb_len += mbedtls_mpi_size(&rsa->N);
         put_uint16_t(mbedtls_mpi_size(&rsa->E), kb+8+kb_len); kb_len += 2;
         mbedtls_mpi_write_binary(&rsa->E, kb+8+kb_len, mbedtls_mpi_size(&rsa->E)); kb_len += mbedtls_mpi_size(&rsa->E);
-        
+
         algo = (uint8_t *)"\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02";
         algo_len = 12;
     }
     else if (key_type & HSM_KEY_EC) {
-        if (*out_len < 8+1+12+6+(8+2*8+9*66+2+4)+16) //4 bytes pading 
+        if (*out_len < 8+1+12+6+(8+2*8+9*66+2+4)+16) //4 bytes pading
             return CCID_WRONG_LENGTH;
         mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *)key_ctx;
         kb_len = 0;
@@ -251,16 +312,16 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
         kb[8+kb_len++] = 0x4;
         mbedtls_mpi_write_binary(&ecdsa->Q.X, kb+8+kb_len, mbedtls_mpi_size(&ecdsa->Q.X)); kb_len += mbedtls_mpi_size(&ecdsa->Q.X);
         mbedtls_mpi_write_binary(&ecdsa->Q.Y, kb+8+kb_len, mbedtls_mpi_size(&ecdsa->Q.Y)); kb_len += mbedtls_mpi_size(&ecdsa->Q.Y);
-        
+
         algo = (uint8_t *)"\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03";
         algo_len = 12;
     }
     memset(out, 0, *out_len);
     *out_len = 0;
-    
+
     memcpy(out+*out_len, kcv, 8);
     *out_len += 8;
-    
+
     if (key_type & HSM_KEY_AES)
         out[*out_len] = 15;
     else if (key_type & HSM_KEY_RSA)
@@ -268,15 +329,16 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
     else if (key_type & HSM_KEY_EC)
         out[*out_len] = 12;
     *out_len += 1;
-    
+
     if (algo) {
         memcpy(out+*out_len, algo, algo_len);
         *out_len += algo_len;
     }
     else
         *out_len += 2;
-    
-    if (allowed) {
+
+    if (allowed && allowed_len > 0) {
+        put_uint16_t(allowed_len, out+*out_len); *out_len += 2;
         memcpy(out+*out_len, allowed, allowed_len);
         *out_len += allowed_len;
     }
@@ -284,7 +346,7 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
         *out_len += 2;
     //add 4 zeros
     *out_len += 4;
-        
+
     memcpy(kb, random_bytes_get(8), 8);
     kb_len += 8; //8 random bytes
     int kb_len_pad = ((int)(kb_len/16))*16;
@@ -297,12 +359,12 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
     r = aes_encrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, kb_len_pad);
     if (r != CCID_OK)
         return r;
-    
+
     memcpy(out+*out_len, kb, kb_len_pad);
     *out_len += kb_len_pad;
 
     r = mbedtls_cipher_cmac(mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB), kmac, 256, out, *out_len, out+*out_len);
-    
+
     *out_len += 16;
     if (r != 0)
         return r;
@@ -319,67 +381,69 @@ int dkek_type_key(const uint8_t *in) {
     return 0x0;
 }
 
-int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out) {
+int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out, uint8_t **allowed, size_t *allowed_len) {
     uint8_t kcv[8];
     int r = 0;
     memset(kcv, 0, sizeof(kcv));
     r = dkek_kcv(id, kcv);
     if (r != CCID_OK)
         return r;
-    
+
     uint8_t kmac[32];
     memset(kmac, 0, sizeof(kmac));
     r = dkek_kmac(id, kmac);
     if (r != CCID_OK)
         return r;
-    
+
     uint8_t kenc[32];
     memset(kenc, 0, sizeof(kenc));
     r = dkek_kenc(id, kenc);
     if (r != CCID_OK)
         return r;
-    
+
     if (memcmp(kcv, in, 8) != 0)
         return CCID_WRONG_DKEK;
-        
+
     uint8_t signature[16];
     r = mbedtls_cipher_cmac(mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB), kmac, 256, in, in_len-16, signature);
     if (r != 0)
         return CCID_WRONG_SIGNATURE;
     if (memcmp(signature, in+in_len-16, 16) != 0)
         return CCID_WRONG_SIGNATURE;
-        
+
     int key_type = in[8];
     if (key_type != 5 && key_type != 6 && key_type != 12 && key_type != 15)
         return CCID_WRONG_DATA;
-    
+
     if ((key_type == 5 || key_type == 6) && memcmp(in+9, "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02", 12) != 0)
         return CCID_WRONG_DATA;
-        
+
     if (key_type == 12 && memcmp(in+9, "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03", 12) != 0)
         return CCID_WRONG_DATA;
-        
+
     if (key_type == 15 && memcmp(in+9, "\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01", 10) != 0)
         return CCID_WRONG_DATA;
-        
+
     size_t ofs = 9;
-    
+
     //OID
     size_t len = get_uint16_t(in, ofs);
     ofs += len+2;
-    
+
     //Allowed algorithms
     len = get_uint16_t(in, ofs);
+    *allowed = (uint8_t *)(in+ofs+2);
+    *allowed_len = len;
     ofs += len+2;
-    
+
     //Access conditions
     len = get_uint16_t(in, ofs);
     ofs += len+2;
-    
+
     //Key OID
     len = get_uint16_t(in, ofs);
     ofs += len+2;
-    
+
     if ((in_len-16-ofs) % 16 != 0)
         return CCID_WRONG_PADDING;
     uint8_t kb[8+2*4+2*4096/8+3+13]; //worst case: RSA-4096  (plus, 13 bytes padding)
@@ -388,7 +452,7 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
     r = aes_decrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, in_len-16-ofs);
     if (r != CCID_OK)
         return r;
-    
+
     int key_size = get_uint16_t(kb, 8);
     if (key_size_out)
         *key_size_out = key_size;
@@ -403,7 +467,7 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
                 mbedtls_rsa_free(rsa);
                 return CCID_WRONG_DATA;
             }
-            
+
             len = get_uint16_t(kb, ofs); ofs += 2;
             r = mbedtls_mpi_read_binary(&rsa->N, kb+ofs, len); ofs += len;
             if (r != 0) {
@@ -414,20 +478,20 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
         else if (key_type == 6) {
             //DP-1
             len = get_uint16_t(kb, ofs); ofs += len+2;
-            
+
             //DQ-1
             len = get_uint16_t(kb, ofs); ofs += len+2;
-            
+
             len = get_uint16_t(kb, ofs); ofs += 2;
             r = mbedtls_mpi_read_binary(&rsa->P, kb+ofs, len); ofs += len;
             if (r != 0) {
                 mbedtls_rsa_free(rsa);
                 return CCID_WRONG_DATA;
             }
-            
+
             //PQ
             len = get_uint16_t(kb, ofs); ofs += len+2;
-            
+
             len = get_uint16_t(kb, ofs); ofs += 2;
             r = mbedtls_mpi_read_binary(&rsa->Q, kb+ofs, len); ofs += len;
             if (r != 0) {
@@ -437,14 +501,14 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
             //N
             len = get_uint16_t(kb, ofs); ofs += len+2;
         }
-        
+
         len = get_uint16_t(kb, ofs); ofs += 2;
         r = mbedtls_mpi_read_binary(&rsa->E, kb+ofs, len); ofs += len;
         if (r != 0) {
             mbedtls_rsa_free(rsa);
             return CCID_WRONG_DATA;
         }
-        
+
         if (key_type == 5) {
             r = mbedtls_rsa_import(rsa, &rsa->N, NULL, NULL, &rsa->D, &rsa->E);
             if (r != 0) {
@@ -459,7 +523,7 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
                 return CCID_EXEC_ERROR;
             }
         }
-        
+
         r = mbedtls_rsa_complete(rsa);
         if (r != 0) {
             mbedtls_rsa_free(rsa);
@@ -474,13 +538,13 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
     else if (key_type == 12) {
         mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *)key_ctx;
         mbedtls_ecdsa_init(ecdsa);
-        
+
         //A
         len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
         //B
         len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
         //P
         len = get_uint16_t(kb, ofs); ofs += 2;
         mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(kb+ofs, len);
@@ -489,13 +553,13 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
             return CCID_WRONG_DATA;
         }
         ofs += len;
-        
+
         //N
         len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
         //G
         len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
         //d
         len = get_uint16_t(kb, ofs); ofs += 2;
         r = mbedtls_ecp_read_key(ec_id, ecdsa, kb+ofs, len);

src/hsm/kek.h

@@ -1,46 +1,48 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
 #ifndef _DKEK_H_
 #define _DKEK_H_
 
-extern int load_dkek(uint8_t, uint8_t *);
+extern int load_mkek(uint8_t *);
+extern int store_mkek(const uint8_t *);
 extern int save_dkek_key(uint8_t, const uint8_t *key);
 extern int store_dkek_key(uint8_t, uint8_t *);
-extern void init_dkek();
-extern void release_dkek(uint8_t *);
+extern void init_mkek();
+extern void release_mkek(uint8_t *);
 extern int import_dkek_share(uint8_t, const uint8_t *share);
 extern int dkek_kcv(uint8_t, uint8_t *kcv);
-extern int dkek_encrypt(uint8_t, uint8_t *data, size_t len);
-extern int dkek_decrypt(uint8_t, uint8_t *data, size_t len);
-extern int dkek_encode_key(uint8_t, void *key_ctx, int key_type, uint8_t *out, size_t *out_len);
+extern int mkek_encrypt(uint8_t *data, size_t len);
+extern int mkek_decrypt(uint8_t *data, size_t len);
+extern int dkek_encode_key(uint8_t, void *key_ctx, int key_type, uint8_t *out, size_t *out_len, const uint8_t *, size_t);
 extern int dkek_type_key(const uint8_t *in);
-extern int dkek_decode_key(uint8_t, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out);
+extern int dkek_decode_key(uint8_t, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out, uint8_t **, size_t *);
 
 #define MAX_DKEK_ENCODE_KEY_BUFFER (8+1+12+6+(8+2*4+2*4096/8+3+13)+16)
 
 #define MAX_KEY_DOMAINS 16
 
-#define DKEK_IV_SIZE     (IV_SIZE)
+#define MKEK_IV_SIZE     (IV_SIZE)
+#define MKEK_KEY_SIZE    (32)
+#define MKEK_KEY_CS_SIZE (4)
+#define MKEK_SIZE        (MKEK_IV_SIZE+MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE)
+#define MKEK_IV(p)       (p)
+#define MKEK_KEY(p)      (MKEK_IV(p)+MKEK_IV_SIZE)
+#define MKEK_CHECKSUM(p) (MKEK_KEY(p)+MKEK_KEY_SIZE)
 #define DKEK_KEY_SIZE    (32)
-#define DKEK_KEY_CS_SIZE (4)
-#define DKEK_SIZE        (DKEK_IV_SIZE+DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE)
-#define DKEK_KEY(p)      (p+DKEK_IV_SIZE)
-#define DKEK_IV(p)       (p)
-#define DKEK_CHECKSUM(p) (p+DKEK_IV_SIZE+DKEK_KEY_SIZE)
 
 #endif

src/hsm/oid.c

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 

src/hsm/oid.h

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
@@ -23,23 +23,7 @@
 
 #define OID_BSI_DE                      "\x04\x00\x7F\x00\x07"
 
-#define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
-
-#define OID_ID_CA_DH                    OID_ID_CA "\x01"
-
-#define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
-#define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
-#define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
-#define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
-
-#define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
-
-#define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
-#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
-#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
-#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
-
-#define OID_ID_PK                       OID_BSI_DE "\x02\x02\0x1"
+#define OID_ID_PK                       OID_BSI_DE "\x02\x02\x01"
 #define OID_ID_PK_DH                    OID_ID_PK "\x01"
 #define OID_ID_PK_ECDH                  OID_ID_PK "\x02"
 
@@ -56,11 +40,25 @@
 
 #define OID_ID_TA_ECDSA                 OID_ID_TA "\x02"
 
-#define OID_IT_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
-#define OID_IT_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
-#define OID_IT_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
-#define OID_IT_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
-#define OID_IT_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
+#define OID_ID_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
+#define OID_ID_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
+#define OID_ID_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
+#define OID_ID_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
+#define OID_ID_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
+
+#define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
+
+#define OID_ID_CA_DH                    OID_ID_CA "\x01"
+#define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
+#define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
+#define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
+#define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
+
+#define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
+#define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
 
 #define OID_ID_RI                       OID_BSI_DE "\x02\x02\x05"
 
@@ -70,7 +68,7 @@
 #define OID_ID_RI_DH_SHA_224            OID_ID_RI_DH "\x02"
 #define OID_ID_RI_DH_SHA_256            OID_ID_RI_DH "\x03"
 
-#define OID_ID_RI_ECDH                  OID_ID_RI "\x02" 
+#define OID_ID_RI_ECDH                  OID_ID_RI "\x02"
 
 #define OID_ID_RI_ECDH_SHA_1            OID_ID_RI_ECDH "\x01"
 #define OID_ID_RI_ECDH_SHA_224          OID_ID_RI_ECDH "\x02"
@@ -78,4 +76,31 @@
 
 #define OID_ID_CI                       OID_BSI_DE "\x02\x02\x06"
 
+#define OID_CARDCONTACT                 "\x2B\x06\x01\x04\x01\x81\xC3\x1F"
+
+#define OID_OPENSCDP                    OID_CARDCONTACT "\x01"
+#define OID_CC_ISO7816                  OID_CARDCONTACT "\x02"
+#define OID_CC_PKI                      OID_CARDCONTACT "\x03"
+#define OID_CC_FORMAT                   OID_CARDCONTACT "\x04"
+#define OID_CC_GP_PROFILES              OID_CARDCONTACT "\x10"
+
+#define OID_SCSH3                       OID_OPENSCDP "\x01"
+#define OID_SCSH3GUI                    OID_OPENSCDP "\x02"
+
+#define OID_SMARCARD_HSM                OID_CC_ISO7816 "\x01"
+#define OID_CC_APDUTEST                 OID_CC_ISO7816 "\x02"
+#define OID_CC_PACKAGES                 OID_CC_ISO7816 "\x7F"
+
+#define OID_CC_ROLES                    OID_CC_PKI "\x01"
+#define OID_CC_ROLE_SC_HSM              OID_CC_ROLES "\x01"
+
+#define OID_CC_EXTENSIONS               OID_CC_PKI "\x02"
+#define OID_ID_IMPU                     OID_CC_EXTENSIONS "\x01"
+#define OID_ID_KEY_DOMAIN_UID           OID_CC_EXTENSIONS "\x02"
+
+#define OID_CC_FF_DEVICEID              OID_CC_FORMAT "\x01"
+#define OID_CC_FF_KDM                   OID_CC_FORMAT "\x02"
+#define OID_CC_FF_PKA                   OID_CC_FORMAT "\x03"
+#define OID_CC_FF_KDA                   OID_CC_FORMAT "\x04"
+
 #endif

src/hsm/sc_hsm.h

@@ -1,17 +1,17 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
@@ -19,27 +19,47 @@
 #define _SC_HSM_H_
 
 #include <stdlib.h>
+#include "common.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/ecdsa.h"
 #include "pico/stdlib.h"
-#include "ccid2040.h"
+#include "file.h"
+#include "apdu.h"
+#include "hsm.h"
 
 extern const uint8_t sc_hsm_aid[];
 
-
 #define ALGO_RSA_RAW			0x20		/* RSA signature with external padding */
-#define ALGO_RSA_DECRYPT		0x21		/* RSA decrypt */
+#define ALGO_RSA_DECRYPT		0x21		/* RSA raw decrypt */
+#define ALGO_RSA_DECRYPT_PKCS1  0x22
+#define ALGO_RSA_DECRYPT_OEP    0x23
 #define ALGO_RSA_PKCS1			0x30		/* RSA signature with DigestInfo input and PKCS#1 V1.5 padding */
 #define ALGO_RSA_PKCS1_SHA1		0x31		/* RSA signature with SHA-1 hash and PKCS#1 V1.5 padding */
+#define ALGO_RSA_PKCS1_SHA224   0x32
 #define ALGO_RSA_PKCS1_SHA256	0x33		/* RSA signature with SHA-256 hash and PKCS#1 V1.5 padding */
+#define ALGO_RSA_PKCS1_SHA384   0x34
+#define ALGO_RSA_PKCS1_SHA512   0x35
 
 #define ALGO_RSA_PSS			0x40		/* RSA signature with external hash and PKCS#1 PSS padding*/
 #define ALGO_RSA_PSS_SHA1		0x41		/* RSA signature with SHA-1 hash and PKCS#1 PSS padding */
+#define ALGO_RSA_PSS_SHA224     0x42
 #define ALGO_RSA_PSS_SHA256		0x43		/* RSA signature with SHA-256 hash and PKCS#1 PSS padding */
+#define ALGO_RSA_PSS_SHA384     0x44
+#define ALGO_RSA_PSS_SHA512     0x45
 
 #define ALGO_EC_RAW				0x70		/* ECDSA signature with hash input */
 #define ALGO_EC_SHA1			0x71		/* ECDSA signature with SHA-1 hash */
 #define ALGO_EC_SHA224			0x72		/* ECDSA signature with SHA-224 hash */
 #define ALGO_EC_SHA256			0x73		/* ECDSA signature with SHA-256 hash */
+#define ALGO_EC_SHA384          0x74
+#define ALGO_EC_SHA512          0x75
 #define ALGO_EC_DH				0x80        /* ECDH key derivation */
+#define ALGO_EC_DH_AUTPUK       0x83
+#define ALGO_EC_DH_XKEK         0x84
+
+#define ALGO_WRAP               0x92
+#define ALGO_UNWRAP             0x93
+#define ALGO_REPLACE            0x94
 
 #define ALGO_EC_DERIVE		    0x98		/* Derive EC key from EC key */
 
@@ -71,13 +91,32 @@ extern const uint8_t sc_hsm_aid[];
 #define P15_KEYTYPE_ECC     0xA0
 #define P15_KEYTYPE_AES     0xA8
 
+#define MAX_PUK 8
+
 extern int pin_reset_retries(const file_t *pin, bool);
 extern int pin_wrong_retry(const file_t *pin);
 
 extern void hash(const uint8_t *input, size_t len, uint8_t output[32]);
 extern void hash_multi(const uint8_t *input, size_t len, uint8_t output[32]);
 extern void double_hash_pin(const uint8_t *pin, size_t len, uint8_t output[32]);
-
+extern uint16_t get_device_options();
+extern bool has_session_pin, has_session_sopin;
 extern uint8_t session_pin[32], session_sopin[32];
+extern int check_pin(const file_t *pin, const uint8_t *data, size_t len);
+extern bool pka_enabled();
+extern const uint8_t *dev_name;
+extern size_t dev_name_len;
+extern uint8_t puk_status[MAX_PUK];
+extern int puk_store_select_chr(const uint8_t *chr);
+extern int delete_file(file_t *ef);
+extern const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, size_t *tag_len);
+extern bool key_has_purpose(file_t *ef, uint8_t purpose);
+extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey);
+extern int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey);
+extern bool wait_button_pressed();
+extern int store_keys(void *key_ctx, int type, uint8_t key_id);
+extern int find_and_store_meta_key(uint8_t key_id);
+extern uint32_t get_key_counter(file_t *fkey);
+extern uint32_t decrement_key_counter(file_t *fkey);
 
 #endif

src/hsm/version.h

@@ -1,24 +1,24 @@
-/* 
+/*
  * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
  * Copyright (c) 2022 Pol Henarejos.
- * 
- * This program is free software: you can redistribute it and/or modify  
- * it under the terms of the GNU General Public License as published by  
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, version 3.
  *
- * This program is distributed in the hope that it will be useful, but 
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
 #ifndef __VERSION_H_
 #define __VERSION_H_
 
-#define HSM_VERSION 0x0204
+#define HSM_VERSION 0x0300
 
 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
 #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)

tools/pico-hsm-patch-vidpid.sh

@@ -1,24 +1,24 @@
 #!/bin/bash
 
-# 
+#
 # This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 # Copyright (c) 2022 Pol Henarejos.
-# 
-# This program is free software: you can redistribute it and/or modify  
-# it under the terms of the GNU General Public License as published by  
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3.
 #
-# This program is distributed in the hope that it will be useful, but 
-# WITHOUT ANY WARRANTY; without even the implied warranty of 
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License 
+# You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION_MAJOR="2" #Version of Pico CCID Core
-VERSION_MINOR="0"
+VERSION_MAJOR="3" #Version of Pico CCID Core
+VERSION_MINOR="4"
 
 echo "----------------------------"
 echo "VID/PID patcher for Pico HSM"

tools/pico-hsm-tool.py

@@ -0,0 +1,304 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+from smartcard.CardType import AnyCardType
+from smartcard.CardRequest import CardRequest
+from smartcard.Exceptions import CardRequestTimeoutException
+from cvc.certificates import CVC
+from cvc.asn1 import ASN1
+from cvc.oid import oid2scheme
+from cvc.utils import scheme_rsa
+from cryptography.hazmat.primitives.asymmetric import ec
+import json
+import urllib.request
+import base64
+from binascii import hexlify
+import sys
+import argparse
+import os
+from datetime import datetime
+from argparse import RawTextHelpFormatter
+
+class APDUResponse(Exception):
+    def __init__(self, sw1, sw2):
+        self.sw1 = sw1
+        self.sw2 = sw2
+        super().__init__(f'SW:{sw1:02X}{sw2:02X}')
+
+
+def send_apdu(card, command, p1, p2, data=None):
+    lc = []
+    dataf = []
+    if (data):
+        lc = [0x00] + list(len(data).to_bytes(2, 'big'))
+        dataf = data
+    le = [0x00, 0x00]
+    if (isinstance(command, list) and len(command) > 1):
+        apdu = command
+    else:
+        apdu = [0x00, command]
+
+    apdu = apdu + [p1, p2] + lc + dataf + le
+    response, sw1, sw2 = card.connection.transmit(apdu)
+    if (sw1 != 0x90):
+        raise APDUResponse(sw1, sw2)
+    return response
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    subparser = parser.add_subparsers(title="commands", dest="command")
+    parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
+    parser_init.add_argument('--pin', help='PIN number')
+    parser_init.add_argument('--so-pin', help='SO-PIN number')
+
+    parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.')
+    parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID')
+
+    parser_pki = subparser.add_parser('pki', help='Performs PKI operations.')
+    subparser_pki = parser_pki.add_subparsers(title='commands', dest='subcommand')
+    parser_pki_init = subparser_pki.add_parser('initialize', help='Initializes the Public Key Infrastructure (PKI)')
+
+    parser_pki_init.add_argument('--certs-dir', help='Store the PKI certificates into this directory.', default='certs')
+    parser_pki_init.add_argument('--default', help='Setups the default public PKI from public Pico HSM PKI.', action='store_true')
+    parser_pki_init.add_argument('--force', help='Forces the download of certificates.', action='store_true')
+
+    parser_rtc = subparser.add_parser('datetime', help='Datetime operations with the integrated Real Time Clock (RTC).')
+    parser_rtc.add_argument('subcommand', choices=['set', 'get'], help='Sets or gets current datetime.')
+
+    parser_opts = subparser.add_parser('options', help='Manage extra options.', formatter_class=RawTextHelpFormatter)
+    parser_opts.add_argument('subcommand', choices=['set', 'get'], help='Sets or gets option OPT.')
+    parser_opts.add_argument('opt', choices=['button', 'counter'], help='Button: press-to-confirm button.\nCounter: every generated key has an internal counter.')
+    parser_opts.add_argument('onoff', choices=['on', 'off'], help='Toggles state ON or OFF', metavar='ON/OFF', nargs='?')
+
+    args = parser.parse_args()
+    return args
+
+def get_pki_data(url, data=None, method='GET'):
+    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; '
+    'rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
+    method = 'GET'
+    if (data is not None):
+        method = 'POST'
+    req = urllib.request.Request(f"https://www.henarejos.me/pico/pico-hsm/{url}/",
+                                method=method,
+                                data=data,
+                                headers={'User-Agent': user_agent, })
+    response = urllib.request.urlopen(req)
+    resp = response.read().decode('utf-8')
+    j = json.loads(resp)
+    return j
+
+def get_pki_certs(certs_dir='certs', force=False):
+    certs = get_pki_data('certs')
+    if (os.path.exists(certs_dir) is False):
+        os.mkdir(certs_dir)
+    cvcap = os.path.join(certs_dir, certs['cvca']['CHR'])
+    dvcap = os.path.join(certs_dir, certs['dvca']['CHR'])
+    if (os.path.exists(cvcap) is False or force is True):
+        with open(cvcap, 'wb') as f:
+            f.write(base64.urlsafe_b64decode(certs['cvca']['cert']))
+    if (os.path.exists(dvcap) is False or force is True):
+        with open(dvcap, 'wb') as f:
+            f.write(base64.urlsafe_b64decode(certs['dvca']['cert']))
+    print(f'All PKI certificates are stored at {certs_dir} folder')
+
+def pki(card, args):
+    if (args.subcommand == 'initialize'):
+        if (args.default is True):
+            get_pki_certs(certs_dir=args.certs_dir, force=args.force)
+        else:
+            print('Error: no PKI is passed. Use --default to retrieve default PKI.')
+
+def initialize(card, args):
+    print('********************************')
+    print('*   PLEASE READ IT CAREFULLY   *')
+    print('********************************')
+    print('')
+    print('This tool will erase and reset your device. It will delete all '
+        'private and secret keys.')
+    print('Are you sure?')
+    _ = input('[Press enter to confirm]')
+
+    send_apdu(card, 0xA4, 0x04, 0x00, [0xE8, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xC3, 0x1F, 0x02, 0x01])
+    if (args.pin):
+        pin = args.pin.encode()
+        try:
+            response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+        except APDUResponse:
+            pass
+    else:
+            pin = b'648219'
+    if (args.so_pin):
+        so_pin = args.so_pin.encode()
+        try:
+            response = send_apdu(card, 0x20, 0x00, 0x82, list(so_pin))
+        except APDUResponse:
+            pass
+    else:
+            so_pin = b'57621880'
+
+    pin_data = [0x81, len(pin)] + list(pin)
+    so_pin_data = [0x82, len(so_pin)] + list(so_pin)
+    reset_data = [0x80, 0x02, 0x00, 0x01] + pin_data + so_pin_data + [0x91, 0x01, 0x03]
+    response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
+
+    response = send_apdu(card, 0xB1, 0xCE, 0x00, [0x54, 0x02, 0x00, 0x00])
+
+    cert = bytearray(response)
+    Y = CVC().decode(cert).pubkey().find(0x86).data()
+    print(f'Public Point: {hexlify(Y).decode()}')
+
+    pbk = base64.urlsafe_b64encode(Y)
+    data = urllib.parse.urlencode({'pubkey': pbk}).encode()
+    j = get_pki_data('cvc', data=data)
+    print('Device name: '+j['devname'])
+    dataef = base64.urlsafe_b64decode(
+        j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
+
+    response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f, 0x02])
+    response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+
+    apdu_data = [0x54, 0x02, 0x00, 0x00] + \
+        list(ASN1.make_tag(0x53, dataef))
+    response = send_apdu(card, 0xd7, 0x00, 0x00, apdu_data)
+
+    print('Certificate uploaded successfully!')
+    print('')
+    print('Note that the device is initialized with a default PIN and '
+        'configuration.')
+    print('Now you can initialize the device as usual with your chosen PIN '
+        'and configuration options.')
+
+def attestate(card, args):
+    kid = int(args.key)
+    try:
+        response = send_apdu(card, 0xB1, 0x2F, 0x02, [0x54, 0x02, 0x00, 0x00])
+    except APDUResponse as a:
+        print('ERROR: There is an error with the device certificate.')
+        sys.exit(1)
+
+    devcert = ASN1().decode(response).find(0x7f21, pos=0).data(return_tag=True)
+
+    try:
+        cert = send_apdu(card, 0xB1, 0xCE, kid, [0x54, 0x02, 0x00, 0x00])
+    except APDUResponse as a:
+        if (a.sw1 == 0x6a and a.sw2 == 0x82):
+            print('ERROR: Key not found')
+            sys.exit(1)
+    from binascii import hexlify
+    print(hexlify(bytearray(cert)))
+    print(f'Details of key {kid}:\n')
+    print(f'  CAR: {(CVC().decode(cert).car()).decode()}')
+    print('  Public Key:')
+    puboid = CVC().decode(cert).pubkey().oid()
+    print(f'    Scheme: {oid2scheme(puboid)}')
+    chr = CVC().decode(cert).chr()
+    car = CVC().decode(cert).car()
+    if (scheme_rsa(puboid)):
+        print(f'    Modulus: {hexlify(CVC().decode(cert).pubkey().find(0x81).data()).decode()}')
+        print(f'    Exponent: {hexlify(CVC().decode(cert).pubkey().find(0x82).data()).decode()}')
+    else:
+        print(f'    Public Point: {hexlify(CVC().decode(cert).pubkey().find(0x86).data()).decode()}')
+    print(f'  CHR: {chr.decode()}')
+    print('  Key signature:')
+    inret = CVC().decode(cert).verify()
+    if (inret):
+        print('    Status: VALID')
+        print(f'      This certificate is signed with private key {kid}')
+    else:
+        print('    Status: NOT VALID')
+        print(f'      This certificate is NOT signed with private key {kid}')
+    print('  Cert signature:')
+    print(f'    Outer CAR: {CVC().decode(cert).outer_car().decode()}')
+    outret = CVC().decode(cert).verify(outer=True, dica=devcert, curve=ec.SECP256R1())
+    if (outret):
+        print('    Status: VALID')
+        print('      This certificate is signed with the device key')
+    else:
+        print('    Status: NOT VALID')
+        print('      This certificate is NOT signed with the device key')
+
+    if (inret is True and outret is True):
+        print(f'Key {kid} is generated by device {chr.decode()}')
+    else:
+        print(f'Key {kid} is NOT generated by device {chr.decode()}')
+
+def rtc(card, args):
+    if (args.subcommand == 'set'):
+        now = datetime.now()
+        _ = send_apdu(card, [0x80, 0x64], 0x0A, 0x00, list(now.year.to_bytes(2, 'big')) + [now.month, now.day, now.weekday(), now.hour, now.minute, now.second ])
+    elif (args.subcommand == 'get'):
+        response = send_apdu(card, [0x80, 0x64], 0x0A, 0x00)
+        dt = datetime(int.from_bytes(response[:2], 'big'), response[2], response[3], response[5], response[6], response[7])
+        print(f'Current date and time is: {dt.ctime()}')
+
+def opts(card, args):
+    opt = 0x0
+    if (args.opt == 'button'):
+        opt = 0x1
+    elif (args.opt == 'counter'):
+        opt = 0x2
+    current = send_apdu(card, [0x80, 0x64], 0x6, 0x0)[0]
+    if (args.subcommand == 'set'):
+        if (args.onoff == 'on'):
+            newopt = current | opt
+        else:
+            newopt = current & ~opt
+        send_apdu(card, [0x80, 0x64], 0x6, 0x0, [newopt])
+    elif (args.subcommand == 'get'):
+        print(f'Option {args.opt.upper()} is {"ON" if current & opt else "OFF"}')
+
+def main(args):
+    print('Pico HSM Tool v1.4')
+    print('Author: Pol Henarejos')
+    print('Report bugs to https://github.com/polhenarejos/pico-hsm/issues')
+    print('')
+    print('')
+    cardtype = AnyCardType()
+    try:
+        # request card insertion
+        cardrequest = CardRequest(timeout=10, cardType=cardtype)
+        card = cardrequest.waitforcard()
+
+        # connect to the card and perform a few transmits
+        card.connection.connect()
+
+    except CardRequestTimeoutException:
+        print('time-out: no card inserted during last 10s')
+
+    # Following commands may raise APDU exception on error
+    if (args.command == 'initialize'):
+        initialize(card, args)
+    elif (args.command == 'attestate'):
+        attestate(card, args)
+    elif (args.command == 'pki'):
+        pki(card, args)
+    elif (args.command == 'datetime'):
+        rtc(card, args)
+    elif (args.command == 'options'):
+        opts(card, args)
+
+def run():
+    args = parse_args()
+    main(args)
+
+if __name__ == "__main__":
+    run()

workflows/autobuild.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+git submodule update --init --recursive
+sudo apt update
+sudo apt install -y cmake gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib
+git clone https://github.com/raspberrypi/pico-sdk
+cd pico-sdk
+git submodule update --init
+cd ..
+mkdir build
+cd build
+cmake -DPICO_SDK_PATH=../pico-sdk ..
+make