Typo

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
Adding support for changing SO-PIN.
2022-10-10 00:39:32 +02:00 · 2022-10-10 00:37:56 +02:00 · 2022-10-10 00:37:33 +02:00 · 2022-10-10 00:27:46 +02:00 · 2022-10-09 22:27:11 +02:00 · 2022-10-09 22:26:45 +02:00
58 changed files with 3816 additions and 2499 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,72 @@
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 #
 # ******** NOTE ********
 # We have attempted to detect the languages in your repository. Please check
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
 name: "CodeQL"
 on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: '23 5 * * 4'
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp', 'python' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
    steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    # - name: Autobuild
    #  uses: github/codeql-action/autobuild@v2
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
    - run: |
       echo "Run, Build Application using script"
       ./workflows/autobuild.sh
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
-[submodule "pico-ccid"]
+[submodule "pico-hsm-sdk"]
-	path = pico-ccid
+	path = pico-hsm-sdk
-	url = https://github.com/polhenarejos/pico-ccid
+	url = ../pico-hsm-sdk
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,17 +1,17 @@
- # 
+ #
 # This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 # Copyright (c) 2022 Pol Henarejos.
- # 
+ #
- # This program is free software: you can redistribute it and/or modify  
+ # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by  
+ # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3.
 #
- # This program is distributed in the hope that it will be useful, but 
+ # This program is distributed in the hope that it will be useful, but
- # WITHOUT ANY WARRANTY; without even the implied warranty of 
+ # WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # General Public License for more details.
 #
- # You should have received a copy of the GNU General Public License 
+ # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
@@ -28,74 +28,45 @@ pico_sdk_init()
 add_executable(pico_hsm)
 if (NOT DEFINED USB_VID)
    set(USB_VID 0xFEFF)
 endif()
 add_definitions(-DUSB_VID=${USB_VID})
 if (NOT DEFINED USB_PID)
    set(USB_PID 0xFCFD)
 endif()
 add_definitions(-DUSB_PID=${USB_PID})
 find_package( PythonInterp 3.7 REQUIRED )
 if (NOT EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvcerts.h)
    execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_LIST_DIR}/burn-cvcerts.py ${CMAKE_CURRENT_LIST_DIR})
    message("Burning CVCert")
 endif()
 configure_file(${CMAKE_CURRENT_LIST_DIR}/pico-ccid/config/mbedtls_config.h ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/include/mbedtls COPYONLY)
 target_sources(pico_hsm PUBLIC
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb/usb.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb/usb_descriptors.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/ccid2040.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/asn1.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/file.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/flash.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/low_flash.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng/random.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng/neug.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/crypto_utils.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/eac.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/sc_hsm.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_select.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_list_keys.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_read_binary.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_verify.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_reset_retry.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_challenge.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_external_authenticate.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_mse.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_initialize.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_domain.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_wrap.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_keypair_gen.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_update_ef.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_delete_file.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_change_pin.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_gen.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_signature.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_unwrap.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_decrypt_asym.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_cipher_sym.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_derive_asym.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_extras.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_general_authenticate.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_session_pin.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_puk_auth.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_pso.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvc.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/files.c
-        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/dkek.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/kek.c
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/oid.c
-        
+
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/aes.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/asn1write.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/bignum.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cmac.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cipher.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cipher_wrap.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/constant_time.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecdsa.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecdh.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecp.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecp_curves.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/hkdf.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/md.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/md5.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/oid.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/platform_util.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ripemd160.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/rsa.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/rsa_alt_helpers.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha1.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha256.c
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha512.c
        )
 set(HSM_DRIVER "ccid")
 include(pico-hsm-sdk/pico_hsm_sdk_import.cmake)
 target_include_directories(pico_hsm PUBLIC
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs
        ${CMAKE_CURRENT_LIST_DIR}/src/hsm
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/include
        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library
        )
 target_compile_options(pico_hsm PUBLIC
@@ -105,7 +76,7 @@ target_compile_options(pico_hsm PUBLIC
 pico_add_extra_outputs(pico_hsm)
-target_link_libraries(pico_hsm PRIVATE pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
+target_link_libraries(pico_hsm PRIVATE pico_hsm_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
 #
 #project(flash_nuke C CXX ASM)
--- a/54
+++ b/54
@@ -0,0 +1,54 @@
 FROM debian:bullseye
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -y \
 	build-essential \
 	git \
 	cmake \
 	gcc-arm-none-eabi \
 	libnewlib-arm-none-eabi \
 	libstdc++-arm-none-eabi-newlib \
 	python3 \
 	python3-pip
 RUN useradd -m builduser
 USER builduser
 WORKDIR /home/builduser
 VOLUME /home/builduser/release
 ARG VERSION_PICO_SDK 1.4.0
 RUN mkdir -p /home/builduser/Devel/pico
 RUN cd /home/builduser/Devel/pico \
 	&& git clone https://github.com/raspberrypi/pico-sdk.git \
        && cd pico-sdk \
        && git checkout $VERSION_PICO_SDK \
        && git submodule update --init --recursive
 RUN pip install cryptography
 ARG VERSION_MAJOR 2
 ARG VERSION_MINOR 6
 RUN cd /home/builduser \
 	&& git clone https://github.com/polhenarejos/pico-hsm.git \
 	&& cd pico-hsm \
 	&& git checkout v${VERSION_MAJOR}.${VERSION_MINOR} \
 	&& git submodule update --init --recursive \
 	&& mkdir build_release
 ENV PICO_SDK_PATH /home/builduser/Devel/pico/pico-sdk
 ARG USB_VID 0xfeff
 ARG USB_PID 0xfcfd
 ARG PICO_BOARD waveshare_rp2040_zero 
 RUN cd /home/builduser/pico-hsm \
 	&& cd build_release \
 	&& cmake .. -DPICO_BOARD=$PICO_BOARD -DUSB_VID=${USB_VID} -DUSB_PID=${USB_PID} \
 	&& make -kj20
--- a/README.md
+++ b/README.md
@@ -2,128 +2,128 @@
 This is a project to create a Hardware Security Module (HSM) with a Raspberry Pico. It converts your Pico board into a HSM which is able to generate and store private keys, encrypt or decrypt with AES or signing data without to disclose the private key. In detail, the private key never leaves the board and it cannot be retrieved as it is encrypted in the flash memory.
 ## Capabilities
-### Key generation and encrypted storage
+### > Key generation and encrypted storage
 Private and secret keys are stored with a master AES 256 key (DKEK). The DKEK is, at the same time, encrypted with a hashed and salted version of the PIN.
 **No private/secret keys, DKEK or PIN are stored in plain text ever. Never.**
-### RSA key generation from 1024 to 4096 bits
+### > RSA key generation from 1024 to 4096 bits
 RSA key generation in place for 1024, 2048, 3072 and 4096 bits. Private keys never leave the device.
-### ECDSA key generation from 192 to 521 bits
+### > ECDSA key generation from 192 to 521 bits
 ECDSA key generation in place for different curves, from 192 to 521 bits.
-### ECC curves
+### > ECC curves
 It supports secp192r1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1 (insecure), secp256k1 curves.
-### SHA1, SHA224, SHA256, SHA384, SHA512 digests
+### > SHA1, SHA224, SHA256, SHA384, SHA512 digests
 ECDSA and RSA signature can be combined with SHA digest in place.
-### Multiple RSA signature algorithms
+### > Multiple RSA signature algorithms
 It supports RSA-PSS, RSA-PKCS and raw RSA signatures.
-### ECDSA raw and hash signature
+### > ECDSA raw and hash signature
 ECDSA signatures can be in raw or pre-hashed formats.
-### ECDH key derivation
+### > ECDH key derivation
 It supports the calculation of shared secrets with ECDH algorithm.
-### EC private key derivation
+### > EC private key derivation
 It allows ECDSA key derivation.[^1]
-### RSA-OEP and RSA-X-509 decryption
+### > RSA-OEP and RSA-X-509 decryption
 It allows private decryption in place with RSA-OEP and RSA-X-509 algorithms.
-### AES key generation
+### > AES key generation
 It supports AES key generation in place with keys of 128, 192 and 256 bits.
-### AES-CBC encryption/decryption
+### > AES-CBC encryption/decryption
 AES encryption and decryption is performed in place.
-### CMAC
+### > CMAC
 It supports AES-CMAC authentication.[^1]
-### AES derivation
+### > AES derivation
 It supports AES secret key derivation.[^1]
-### PIN authorization
+### > PIN authorization
 Private and secret keys cannot be used without prior PIN authentication. It supports alphanumeric PIN.
-### PKCS11 compliant interface
+### > PKCS11 compliant interface
 The module can be interfaced with PKCS11 standard.
-### HRNG (hardware random number generator)
+### > HRNG (hardware random number generator)
 It contains a harware random number generator properly modeled to guarantee maximum entropy.
-### Device Key Encryption Key (DKEK) shares
+### > Device Key Encryption Key (DKEK) shares
 It supports DKEK share imports. DKEK are used to wrap, unwrap and encrypt private and secret keys in the device.
-### DKEK n-of-m threshold scheme
+### > DKEK n-of-m threshold scheme
 It supports a n-of-m threshold scheme to minimize outage when a DKEK custodian is not available during the import process.
-### USB/CCID support with OpenSC, openssl, etc.
+### > USB/CCID support with OpenSC, openssl, etc.
 Pico HSM has a full USB CCID stack to communicate with the host via OpenSC and PCSC. It allows the use of frontend applications such as OpenSSL via PKCS11 module.
-### Extended APDU support
+### > Extended APDU support
 It supports extended APDU packets, which allows up to 65535 bytes.
-### CVC certificates
+### > CV Certificates
 Pico HSM manipulates CVC certificates and requests to minimize the storage of internal certificates.
-### Attestation
+### > Attestation
 Every generated key is attached to a certificate, signed by an external PKI to ensure that a particular key is effectively generated by this specific device.
-### Import external private keys and certificates
+### > Import external private keys and certificates
 It allows private key and certificates import via WKY or PKCS#12 files.[^2][^3]
-### Tranport PIN
+### > Tranport PIN
 It allows transport PIN for provisioning and forcing to set a new PIN.[^2] It is a tampered mechanism that ensures the device has not been unsealed during the transportation from the issuer to the legitimate user.
-### Press-to-confirm button
+### > Press-to-confirm button
 It allows the use of BOOTSEL button to confirm operations with private/secret keys, such as signatures and decryption. When a private/secret key is loaded, the user has 15 seconds to press the button to confirm the operation.
 This feature protects the user from unwanted uses from background applications that may sign data without user notice.
-### Store and retrieve binary data
+### > Store and retrieve binary data
 It allows the storage of arbitrary files with binary data.
-### Real time clock (RTC)
+### > Real time clock (RTC)
-Pico HSM has a RTC with external datetime setting and getting. 
+Pico HSM has a RTC with external datetime setting and getting.
-### Secure Messaging (secure channel)
+### > Secure Messaging (secure channel)
 Pico HSM supports secure channel, where the data packets between the host and device are encrypted to avoid man-in-the-middle attacks.
-### Session PIN
+### > Session PIN
 A specific session PIN can be set during the session opening to avoid the systemmatic use of PIN.
-### PKI CVCert remote issuing for Secure Message
+### > PKI CVCert remote issuing for Secure Message
 Secure channel messages are secured with a certificate issued by an external PKI.
-### Multiple key domains
+### > Multiple key domains
-Key domains are domains to store separate private/secret keys. Each domain is protected by a DKEK, independent from the other domains. Private/secret keys can be generated in different key domains to be used with separated DKEK. 
+Key domains are domains to store separate private/secret keys. Each domain is protected by a DKEK, independent from the other domains. Private/secret keys can be generated in different key domains to be used with separated DKEK.
 Therefore, a single device may contain different domains with independent keys.
-### Key usage counter
+### > Key usage counter
 A key usage counter is a counter that is reduced by 1 everytime that the private/secret key is used for signing, decrypting, derivation, etc. When it reaches 0, the key is disabled and cannot be used anymore.
 Key usage can also be used to perform and auditory and track the usage of a particular key.
-### Public Key Authentication
+### > Public Key Authentication
 Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
 In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
 [^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
 [^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
-[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process. 
+[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process.
 ## Security considerations
-All secret keys (asymmetric and symmetric) are stored encrypted in the flash memory of the Raspberry Pico. DKEK is used as a 256 bit AES key to protect private and secret keys. Keys are never stored in RAM except for signature and decryption operations and only during the process. All keys (including DKEK) are loaded and cleared every time to avoid potential security flaws. 
+All secret keys (asymmetric and symmetric) are stored encrypted in the flash memory of the Raspberry Pico. DKEK is used as a 256 bit AES key to protect private and secret keys. Keys are never stored in RAM except for signature and decryption operations and only during the process. All keys (including DKEK) are loaded and cleared every time to avoid potential security flaws.
 At the same time, DKEK is encrypted with doubled salted and hashed PIN. Also, the PIN is hashed in memory during the session. Hence, PIN is never stored in plain text neither in flash nor in memory. Note that PIN is conveyed from the host to the HSM in plain text if no secure channel is provided.
 If the Pico is stolen the contents of private and secret keys cannot be read without the PIN, even if the flash memory is dumped.
 ## Download
-Please, go to the Release page and download the UF2 file for your board. 
+Please, go to the Release page and download the UF2 file for your board.
 Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you are planning to use it with OpenSC or similar, you should modify Info.plist of CCID driver to add these VID/PID or use the VID/PID patcher as follows:
 `./patch_vidpid.sh VID:PID input_hsm_file.uf2 output_hsm_file.uf2`
@@ -145,6 +145,30 @@ Note that `PICO_BOARD`, `USB_VID` and `USB_PID` are optional. If not provided, `
 After `make` ends, the binary file `pico_hsm.uf2` will be generated. Put your pico board into loading mode, by pushing `BOOTSEL` button while pluging on, and copy the UF2 to the new fresh usb mass storage Pico device. Once copied, the pico mass storage will be disconnected automatically and the pico board will reset with the new firmware. A blinking led will indicate the device is ready to work.
 ### Docker
 Independent from your Linux distribution or when using another OS that supports Docker, you could build a specific pico-hsm version in a Linux container.
 ```
 sudo docker build \
    --build-arg VERSION_PICO_SDK=1.4.0 \
    --build-arg VERSION_MAJOR=2 \
    --build-arg VERSION_MINOR=6 \
    --build-arg PICO_BOARD=waveshare_rp2040_zero \
    --build-arg USB_VID=0xfeff \
    --build-arg USB_PID=0xfcfd \
    -t pico-hsm-builder .
 sudo docker run \
    --name mybuild \
    -it pico-hsm-builder \
    ls -l /home/builduser/pico-hsm/build_release/pico_hsm.uf2
 sudo docker cp mybuild:/home/builduser/pico-hsm/build_release/pico_hsm.uf2 .
 sudo docker rm mybuild
 ```
 ## Usage
 The firmware uploaded to the Pico contains a reader and a virtual smart card. It is like having a physical reader with an inserted SIM card.
 We recommend the use of [OpenSC](http://github.com/opensc/opensc/ "OpenSC") to communicate with the reader. If it is not installed, you can download and build it or install the binaries for your system. The first command is to ensure that the Pico is detected as a HSM:
@@ -179,7 +203,7 @@ For Public Key Authentication, check [doc/public_key_authentication.md](/doc/pub
 ## Operation time
 ### Keypair generation
-Generating EC keys is almost instant. RSA keypair generation takes some time, specially for `3072` and `4096` bits. 
+Generating EC keys is almost instant. RSA keypair generation takes some time, specially for `3072` and `4096` bits.
 | RSA key length (bits) | Average time (seconds) |
 | :---: | :---: |
@@ -227,7 +251,7 @@ While processing, the Pico HSM is busy and cannot receive additional commands un
 ## Driver
-Pico HSM uses the `sc-hsm` driver provided by [OpenSC](https://github.com/OpenSC/OpenSC/ "OpenSC") or the `sc-hsm-embedded` driver provided by [CardContact](https://github.com/CardContact/sc-hsm-embedded "CardContact"). This driver utilizes the standardized PKCS#11 interface to communicate with the user and it can be used with many engines that accept PKCS#11 interface, such as OpenSSL, P11 library or pkcs11-tool. 
+Pico HSM uses the `sc-hsm` driver provided by [OpenSC](https://github.com/OpenSC/OpenSC/ "OpenSC") or the `sc-hsm-embedded` driver provided by [CardContact](https://github.com/CardContact/sc-hsm-embedded "CardContact"). This driver utilizes the standardized PKCS#11 interface to communicate with the user and it can be used with many engines that accept PKCS#11 interface, such as OpenSSL, P11 library or pkcs11-tool.
 Pico HSM relies on PKCS#15 structure to store and manipulate the internal files (PINs, private keys, certificates, etc.) and directories. Therefore, it accepts the commands from `pkcs15-tool`. For instance, `pkcs15-tool -D` will list all elements stored in the Pico HSM.
--- a/build_pico_hsm.sh
+++ b/build_pico_hsm.sh
@@ -1,21 +1,53 @@
 #!/bin/bash
-VERSION_MAJOR="2"
+VERSION_MAJOR="3"
-VERSION_MINOR="6"
+VERSION_MINOR="0"
 rm -rf release/*
 cd build_release
-for board in adafruit_feather_rp2040 adafruit_itsybitsy_rp2040 adafruit_qtpy_rp2040 adafruit_trinkey_qt2040 arduino_nano_rp2040_connect melopero_shake_rp2040 pimoroni_interstate75 pimoroni_keybow2040 pimoroni_pga2040 pimoroni_picolipo_4mb pimoroni_picolipo_16mb pimoroni_picosystem pimoroni_plasma2040 pimoroni_tiny2040 pybstick26_rp2040 sparkfun_micromod sparkfun_promicro sparkfun_thingplus vgaboard waveshare_rp2040_lcd_0.96 waveshare_rp2040_plus_4mb waveshare_rp2040_plus_16mb waveshare_rp2040_zero
+for board in adafruit_feather_rp2040 \
    adafruit_itsybitsy_rp2040 \
    adafruit_kb2040 \
    adafruit_macropad_rp2040 \
    adafruit_qtpy_rp2040 \
    adafruit_trinkey_qt2040 \
    arduino_nano_rp2040_connect \
    datanoisetv_rp2040_dsp \
    eetree_gamekit_rp2040 \
    garatronic_pybstick26_rp2040 \
    melopero_shake_rp2040 \
    pico \
    pico_w \
    pimoroni_badger2040 \
    pimoroni_interstate75 \
    pimoroni_keybow2040 \
    pimoroni_motor2040 \
    pimoroni_pga2040 \
    pimoroni_picolipo_4mb \
    pimoroni_picolipo_16mb \
    pimoroni_picosystem \
    pimoroni_plasma2040 \
    pimoroni_servo2040 \
    pimoroni_tiny2040 \
    pimoroni_tiny2040_2mb \
    seeed_xiao_rp2040 \
    solderparty_rp2040_stamp \
    solderparty_rp2040_stamp_carrier \
    solderparty_rp2040_stamp_round_carrier \
    sparkfun_micromod \
    sparkfun_promicro \
    sparkfun_thingplus \
    vgaboard \
    waveshare_rp2040_lcd_0.96 \
    waveshare_rp2040_plus_4mb \
    waveshare_rp2040_plus_16mb \
    waveshare_rp2040_zero \
    wiznet_w5100s_evb_pico
 do
    rm -rf *
-    PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake .. -DPICO_BOARD=$board 
+    PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake .. -DPICO_BOARD=$board
    make -kj20
    mv pico_hsm.uf2 ../release/pico_hsm_$board-$VERSION_MAJOR.$VERSION_MINOR.uf2
 done
-rm -rf *
+done
 PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake ..
 make -kj20
 mv pico_hsm.uf2 ../release/pico_hsm_pico_generic-$VERSION_MAJOR.$VERSION_MINOR.uf2
--- a/burn-cvcerts.py
+++ b/burn-cvcerts.py
@@ -1,116 +0,0 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
 Created on Wed Apr 13 20:15:01 2022
@author: Pol Henarejos
 """
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 import base64
 import urllib.request
 import json
 import sys
 import ssl
 ssl._create_default_https_context = ssl._create_unverified_context
 def print_var(v, name):
    s = '\n'
    s += "static const unsigned char "+name+"[] = {\n"
    s += "\t0x{:02x},0x{:02x},\n".format((len(v) & 0xff),((len(v)>> 8) & 0xff))
    for i in range(len(v)):
        if (i%16 == 0):
            s += '\t'
        s += "0x{:02x}".format((v[i]))
        if (i < len(v)-1):
            s += ','
        if (i%16 == 15):
            s += '\n'
    s += '\n'
    s += '};\n'
    return s
 def main():
    args = sys.argv[1:]
    private_key = ec.generate_private_key(ec.SECP192R1(), default_backend())
    public_key = private_key.public_key()
    pub_num = public_key.public_numbers()
    pbk = base64.urlsafe_b64encode(b'\x04'+pub_num.x.to_bytes(24,'big')+pub_num.y.to_bytes(24,'big'))
    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
    data = urllib.parse.urlencode({'pubkey':pbk}).encode()
    req = urllib.request.Request("https://www.henarejos.me/pico-hsm.php", method='POST', data=data, headers={'User-Agent':user_agent,} ) #The assembled request
    response = urllib.request.urlopen(req)
    resp = response.read().decode('utf-8')
    j = json.loads(resp)
    cvcert = base64.b64decode(j['cvcert'])
    dica = [
        0x7f,0x21,0x81,0xc5,0x7f,0x4e,0x81,0x8e,0x5f,0x29,0x01,0x00,0x42,0x0e,0x45,0x53,
        0x43,0x56,0x43,0x41,0x48,0x53,0x4d,0x30,0x30,0x30,0x30,0x31,0x7f,0x49,0x3f,0x06,
        0x0a,0x04,0x00,0x7f,0x00,0x07,0x02,0x02,0x02,0x02,0x03,0x86,0x31,0x04,0x93,0x7e,
        0xdf,0xf1,0xa6,0xd2,0x40,0x7e,0xb4,0x71,0xb2,0x97,0x50,0xdb,0x7e,0xe1,0x70,0xfb,
        0x6c,0xcd,0x06,0x47,0x2a,0x3e,0x9c,0x8d,0x59,0x56,0x57,0xbe,0x11,0x11,0x0a,0x08,
        0x81,0x54,0xed,0x22,0xc0,0x83,0xac,0xa1,0x2e,0x39,0x7b,0xd4,0x65,0x1f,0x5f,0x20,
        0x0e,0x45,0x53,0x44,0x56,0x43,0x41,0x48,0x53,0x4d,0x30,0x30,0x30,0x30,0x31,0x7f,
        0x4c,0x12,0x06,0x09,0x04,0x00,0x7f,0x00,0x07,0x03,0x01,0x02,0x02,0x53,0x05,0x80,
        0x00,0x00,0x00,0x04,0x5f,0x25,0x06,0x02,0x02,0x00,0x03,0x02,0x07,0x5f,0x24,0x06,
        0x02,0x05,0x01,0x02,0x03,0x01,0x5f,0x37,0x30,0x8b,0xb2,0x01,0xb6,0x24,0xfe,0xe5,
        0x4e,0x65,0x3a,0x02,0xa2,0xb2,0x27,0x2d,0x3d,0xb4,0xb0,0xc9,0xdd,0xbf,0x10,0x6d,
        0x99,0x49,0x46,0xd6,0xd0,0x72,0xc1,0xf3,0x4c,0xab,0x4f,0x32,0x14,0x7c,0xb0,0x99,
        0xb7,0x33,0x70,0xd6,0x00,0xff,0x73,0x0c,0x5d
    ]
    cvca = [
        0x7f, 0x21, 0x82, 0x01, 0x65, 0x7f, 0x4e, 0x82, 0x01, 0x2d, 0x5f, 0x29,
        0x01, 0x00, 0x42, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41, 0x48, 0x53,
        0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x49, 0x81, 0xdd, 0x06, 0x0a,
        0x04, 0x00, 0x7f, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03, 0x81, 0x18,
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
        0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
        0x82, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
        0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
        0xff, 0xfc, 0x83, 0x18, 0x64, 0x21, 0x05, 0x19, 0xe5, 0x9c, 0x80, 0xe7,
        0x0f, 0xa7, 0xe9, 0xab, 0x72, 0x24, 0x30, 0x49, 0xfe, 0xb8, 0xde, 0xec,
        0xc1, 0x46, 0xb9, 0xb1, 0x84, 0x31, 0x04, 0x18, 0x8d, 0xa8, 0x0e, 0xb0,
        0x30, 0x90, 0xf6, 0x7c, 0xbf, 0x20, 0xeb, 0x43, 0xa1, 0x88, 0x00, 0xf4,
        0xff, 0x0a, 0xfd, 0x82, 0xff, 0x10, 0x12, 0x07, 0x19, 0x2b, 0x95, 0xff,
        0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73,
        0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, 0x85, 0x18, 0xff, 0xff, 0xff,
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x99, 0xde, 0xf8,
        0x36, 0x14, 0x6b, 0xc9, 0xb1, 0xb4, 0xd2, 0x28, 0x31, 0x86, 0x31, 0x04,
        0x08, 0x8f, 0xcd, 0xfc, 0xce, 0x87, 0xed, 0xd2, 0x85, 0x92, 0x06, 0x15,
        0xe6, 0x51, 0xd7, 0x64, 0x52, 0xd8, 0x57, 0xec, 0xbb, 0x40, 0x8c, 0x32,
        0x7a, 0xdb, 0x48, 0xa2, 0xa5, 0x14, 0xc1, 0xc9, 0xbd, 0x77, 0xcc, 0x97,
        0x83, 0x60, 0x7a, 0x74, 0x14, 0x93, 0xa7, 0x42, 0x74, 0x4a, 0xd1, 0x73,
        0x87, 0x01, 0x01, 0x5f, 0x20, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41,
        0x48, 0x53, 0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x4c, 0x12, 0x06,
        0x09, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x01, 0x02, 0x02, 0x53, 0x05,
        0xc0, 0x00, 0x00, 0x00, 0x04, 0x5f, 0x25, 0x06, 0x02, 0x02, 0x00, 0x03,
        0x02, 0x06, 0x5f, 0x24, 0x06, 0x03, 0x00, 0x01, 0x02, 0x03, 0x01, 0x5f,
        0x37, 0x30, 0x72, 0x97, 0x77, 0x76, 0x64, 0xb6, 0x0c, 0x57, 0xa2, 0xc4,
        0x5e, 0x7b, 0xfd, 0x12, 0xe5, 0x20, 0x14, 0x3e, 0xde, 0x90, 0x38, 0xbf,
        0xb3, 0x02, 0x73, 0x91, 0x06, 0xf2, 0x73, 0x0d, 0x76, 0x06, 0x65, 0xd7,
        0x46, 0x49, 0x91, 0x0c, 0x51, 0x90, 0x89, 0x84, 0x8d, 0x4f, 0xb6, 0xe5,
        0x13, 0x40
    ]
    s = '#ifndef _CVCERTS_H_\n#define _CVCERTS_H_\n'
    s += print_var(cvca,'cvca')
    s += print_var(dica,'dica')
    s += print_var(cvcert,'termca')
    pvk = private_key.private_numbers().private_value.to_bytes(24,'big')
    s += print_var(pvk,'termca_pk')
    s += '\n#endif\n'
    f = open(args[0] + '/src/hsm/cvcerts.h','w')
    f.write(s)
    f.close()
 if __name__ == '__main__':
    main()
--- a/doc/aes.md
+++ b/doc/aes.md
@@ -54,4 +54,4 @@ Using decrypt algorithm AES-CBC
 This is a text.
 ```
-AES-CBC it is a block operation and it requires an input size multiple of 16 bytes. Thus, for a trivial data, a padding operation has to be performed beforehand. 
+AES-CBC it is a block operation and it requires an input size multiple of 16 bytes. Thus, for a trivial data, a padding operation has to be performed beforehand.
--- a/doc/asymmetric-ciphering.md
+++ b/doc/asymmetric-ciphering.md
@@ -24,12 +24,12 @@ This algorithm uses the PKCSv1.5 padding. It is considered deprecated and insecu
 First, we encrypt the data with the public key:
 ```
-$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt 
+$ openssl rsautl -encrypt -inkey 1.pub -in data -pubin -out data.crypt
 ```
 Then, we decrypt with the private key inside the Pico HSM:
-``` 
+```
 $ pkcs11-tool --id 1 --pin 648219 --decrypt --mechanism RSA-PKCS -i data.crypt
 Using slot 0 with a present token (0x0)
 Using decrypt algorithm RSA-PKCS
@@ -54,7 +54,7 @@ $ openssl rsautl -encrypt -inkey 1.pub -in data_pad -pubin -out data.crypt -raw
 Then, we decrypt with the private key inside the Pico HSM:
 ```
-$ cat data.crypt|pkcs11-tool --id 4 --pin 648219 --decrypt --mechanism RSA-X-509 
+$ cat data.crypt|pkcs11-tool --id 4 --pin 648219 --decrypt --mechanism RSA-X-509
 Using slot 0 with a present token (0x0)
 Using decrypt algorithm RSA-X-509
 This is a test string. Be safe, be secure.
@@ -78,7 +78,7 @@ This is a test string. Be safe, be secure.
 ```
 ## ECDH-DERIVE
-ECC keys do not allow ciphering operations. Instead, the ECDH scheme provides a mechanism to exchange a shared symmetric key without transmitting it to the remote part. The shared key is composed by multiplying the local private key and the remote public key. 
+ECC keys do not allow ciphering operations. Instead, the ECDH scheme provides a mechanism to exchange a shared symmetric key without transmitting it to the remote part. The shared key is composed by multiplying the local private key and the remote public key.
 First, we create the remote part, Bob, by generating an ECC keypair and getting the public key:
 ```
@@ -104,8 +104,8 @@ No output is displayed if both are equal.
 You can also view the contents of both keys:
 ```
-$ xxd -p bob-mine.der             
+$ xxd -p bob-mine.der
 9874558aefa9d92cc051e5da6d1753987e5314925d6d78bf
-$ xxd -p mine-bob.der             
+$ xxd -p mine-bob.der
 9874558aefa9d92cc051e5da6d1753987e5314925d6d78bf
 ```
--- a/doc/backup-and-restore.md
+++ b/doc/backup-and-restore.md
@@ -29,15 +29,15 @@ symbols.
 Please keep the generated DKEK share file in a safe location. We also recommend to keep a
 paper printout, in case the electronic version becomes unavailable. A printable version
 of the file can be generated using "openssl base64 -in <filename>".
-Enter password to encrypt DKEK share : 
+Enter password to encrypt DKEK share :
-Please retype password to confirm : 
+Please retype password to confirm :
 Enciphering DKEK share, please wait...
 DKEK share created and saved to dkek.pbe
 ```
-The generated file `dkek.pbe` contains the DKEK. Technically, it contains a share. But if a device is initialized with one share, it is equivalent to contain the full DKEK. 
+The generated file `dkek.pbe` contains the DKEK. Technically, it contains a share. But if a device is initialized with one share, it is equivalent to contain the full DKEK.
 Keep these file in a safe place. If this file is lost, you can export the private keys but you will not be able to import into another device or in the same device if it is initialized again.
@@ -52,7 +52,7 @@ At this moment, the Pico HSM expects the DKEK. It is loaded with the following c
 ```
 $ sc-hsm-tool --import-dkek-share dkek.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -81,7 +81,7 @@ And finally, all are imported one after the other, without special order:
 ```
 $ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -90,7 +90,7 @@ DKEK import pending, 2 share(s) still missing
 $ sc-hsm-tool --import-dkek-share dkek-share-2.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -99,7 +99,7 @@ DKEK import pending, 1 share(s) still missing
 $ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Enter password to decrypt DKEK share : 
+Enter password to decrypt DKEK share :
 Deciphering DKEK share, please wait...
 DKEK share imported
@@ -110,7 +110,7 @@ DKEK key check value : 4B7DA256ACD4EF62
 ### DKEK n-of-m threshold scheme
 This scheme provides an extra level of flexiblity, as not all custodians are necessary to import the DKEK share. For instance, with the previous schemes, if a custodian gets unavailable, the initialization will block until the missing custodian can got to finalize the initialization.
-With n-of-m threshold scheme, it flexibilizes the number of required custodians to reduce failure points. If a share is lost, the DKEK can still be recovered without major implications. 
+With n-of-m threshold scheme, it flexibilizes the number of required custodians to reduce failure points. If a share is lost, the DKEK can still be recovered without major implications.
 This scheme is not a replacement of DKEK shares. Instead, it splits the DKEK share encryption password amongst the n-of-m threshold scheme. For instance, if you define 2 shares and a scheme of 3-of-5 threshold for each share, it will imply 10 different custodians, where 6 are necessary to load both shares. You can also mix one share with traditional passphrase and the other with the n-of-m threshold scheme.
@@ -123,7 +123,7 @@ Using reader with a card:Free Software Initiative of Japan Gnuk
 The DKEK will be enciphered using a randomly generated 64 bit password.
 This password is split using a (3-of-5) threshold scheme.
-Please keep the generated and encrypted DKEK file in a safe location. We also recommend 
+Please keep the generated and encrypted DKEK file in a safe location. We also recommend
 to keep a paper printout, in case the electronic version becomes unavailable. A printable version
 of the file can be generated using "openssl base64 -in <filename>".
@@ -191,7 +191,7 @@ Private RSA Key [Certificate]
 ...
 ```
-Note that `Key ref` and `ID` may be different. Whilst different keys may share the same `ID` (highly discouraged), the `Key ref` is a value internally computed and unique. 
+Note that `Key ref` and `ID` may be different. Whilst different keys may share the same `ID` (highly discouraged), the `Key ref` is a value internally computed and unique.
 To export and wrap the private key:
@@ -199,10 +199,10 @@ To export and wrap the private key:
 $ sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219
 ```
-A file named `wrap-key.bin` is created with the private key encrypted securely with the DKEK. 
+A file named `wrap-key.bin` is created with the private key encrypted securely with the DKEK.
 ## Restore
-To restore the wraped key, a device initialized with the same DKEK is mandatory. 
+To restore the wraped key, a device initialized with the same DKEK is mandatory.
 To unwrap the key:
--- a/doc/extra_command.md
+++ b/doc/extra_command.md
@@ -1,6 +1,6 @@
 # Extra command
-Pico HSM supports a customized extra command to use with different options. Since the drivers in the market do not support the following features, a raw APDU command shall be sent. 
+Pico HSM supports a customized extra command to use with different options. Since the drivers in the market do not support the following features, a raw APDU command shall be sent.
 To send a raw APDU command, `opensc-tool -s <APDU>` can be used. The `APDU` parameter is a string of hexadecimal numbers and it takes the following form:
 ```
@@ -27,7 +27,7 @@ For example, to obtain the current datetime:
 ```
 $ opensc-tool -s 80640A0008
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 0A 00 08 
+Sending: 80 64 0A 00 08
 Received (SW1=0x90, SW2=0x00):
 07 E6 04 06 03 13 29 1E ......).
 ```
@@ -49,7 +49,7 @@ To set the reference datetime, a datetime string must be provided. For example:
 ```
 $ opensc-tool -s 80640A000807E6040603132917
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 0A 00 08 07 E6 04 06 03 13 29 17 
+Sending: 80 64 0A 00 08 07 E6 04 06 03 13 29 17
 Received (SW1=0x90, SW2=0x00)
 ```
@@ -72,7 +72,7 @@ This feature is disabled by default but can be enabled rapidly by setting the LS
 ```
 $ opensc-tool -s 806406000101
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 06 00 01 01 
+Sending: 80 64 06 00 01 01
 Received (SW1=0x90, SW2=0x00)
 ```
@@ -99,7 +99,7 @@ This feature is disabled by default but can be enabled rapidly by setting the 2n
 ```
 $ opensc-tool -s 806406000102
 Using reader with a card: Free Software Initiative of Japan Gnuk
-Sending: 80 64 06 00 01 01 
+Sending: 80 64 06 00 01 01
 Received (SW1=0x90, SW2=0x00)
 ```
--- a/doc/public_key_authentication.md
+++ b/doc/public_key_authentication.md
@@ -29,7 +29,7 @@ On a secondary device, generate a private key, on the ECC 256 bits (`brainpoolP2
 <img width="1037" src="https://user-images.githubusercontent.com/55573252/173353764-4620ece4-0d82-4a23-a153-99bf912621a7.png">
-Once finished, export the public key. 
+Once finished, export the public key.
 <img width="350" src="https://user-images.githubusercontent.com/55573252/173353732-63f40572-a42f-4e5c-a9ab-6e52a083956b.png">
@@ -64,17 +64,17 @@ From now on, you have full access and can operate normally with the primary devi
 Pico HSM uses the PIN to protect the DKEK, which is lately used to protect private/secret keys and wrap/unwrap. However, when PKA is enabled, the authentication is not performed by introducing any PIN.
 Authenticated privileges are granted when PKA succeeds, regardless of PIN, which is optional.
-Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification. 
+Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification.
 Otherwise, it will not be possible to operate with private/secret keys despite the user will be logged in.
 With this scheme, multiple custodians may authenticate the device individually and remotely and, when fully authenticated, the master user can unlock the DKEK with the PIN.
-Moreover, with this approach the device is kept safe and neither the DKEK nor the private/secret keys are stored in plain text in the device. 
+Moreover, with this approach the device is kept safe and neither the DKEK nor the private/secret keys are stored in plain text in the device.
 Even though the flash memory is dumped by an attacker, it will not be possible to decipher any sensitive data or key.
 Initialization of the device with PKA **and** PIN can be achieved with SCS3 or OpenSC:
-**Note:** do not import any DKEK share or DKEK operation before PKA and PIN setup. 
+**Note:** do not import any DKEK share or DKEK operation before PKA and PIN setup.
 ### With OpenSC
@@ -84,9 +84,9 @@ Use the following command (or similar), which accepts the use of PIN parameter *
 sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1
 ```
-and PKA and PIN are enabled, jointly with DKEK protection. 
+and PKA and PIN are enabled, jointly with DKEK protection.
-### With SCS3
+### With SCS3
 Unfortunately, SCS3 does not allow to initialize the device with PKA and PIN at the same time, though it can be achieved in separated steps:
@@ -94,4 +94,4 @@ Unfortunately, SCS3 does not allow to initialize the device with PKA and PIN at
 2. There is NO default PIN. So, DO NOT attempt to log in yet. A reset PIN shall be requested.
 3. Click on ``Reset User-PIN``, introduce the SO-PIN configured during the initialization and introduce the desired User-PIN.
-When done, the device will be configured with PIN **and** PKA. 
+When done, the device will be configured with PIN **and** PKA.
--- a/doc/scs3.md
+++ b/doc/scs3.md
@@ -4,16 +4,16 @@ SCS3 tool is a specific tool developed by CardContact to manage HSM. Thanks to i
 - Import PKCS12 private keys and certificates.
 - Import private keys and certificates from other Pico HSM devices in WKY format.
- 
+-
 Unfortunately, there is no pkcs11 tool or equivalent capable to perform the import. Since it uses the SC-HSM driver, it also supports the communication with the [SCS3 tool](https://www.openscdp.org/scsh3/ "SCS3 tool"). It can be downloaded from [here](https://www.openscdp.org/scsh3/download.html "here").
-However, SCS3 only works with those HSM manufactured by CardContact. The check is performed by means of trust store against the manufacturing certificates. For obvious reasons, these certificates can only be signed with the private keys of the Certificate Authorities listed in the trust store. 
+However, SCS3 only works with those HSM manufactured by CardContact. The check is performed by means of trust store against the manufacturing certificates. For obvious reasons, these certificates can only be signed with the private keys of the Certificate Authorities listed in the trust store.
 Pico HSM is shipped with its own CA certificates. To load this certificate onto the trust store of SCS3, the following line has to be appended to `SmartCardHSM.rootCerts` variable, near line `235` in the file `scs3/scsh/sc-hsm/SmartCardHSM.js`.
 ```
-ESCVCAHSM00001: new CVC(new ByteString("7F218201657F4E82012D5F290100420E45534356434148534D30303030317F4981DD060A04007F000702020202038118FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF8218FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC831864210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1843104188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E7948118518FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831863104088FCDFCCE87EDD285920615E651D76452D857ECBB408C327ADB48A2A514C1C9BD77CC9783607A741493A742744AD1738701015F200E45534356434148534D30303030317F4C12060904007F0007030102025305C0000000045F25060202000302065F24060300010203015F37307297777664B60C57A2C45E7BFD12E520143EDE9038BFB302739106F2730D760665D74649910C519089848D4FB6E51340", HEX))
+ESPICOHSMCA00001: new CVC(new ByteString("7F218201BA7F4E8201725F290100421045535049434F48534D434130303030317F4982011D060A04007F000702020202038120FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF8220FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC83205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B8441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F58520FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC6325518641046A82C0A4FEAF41D6A1336AE7E992D81AD4F827929145DD0D777E1AB63D7E3325C8F7DAC0F74B6EAE13A72F6366777EC133AC5C28F456868E5F2C315044EB54EF8701015F201045535049434F48534D434130303030317F4C12060904007F0007030102025305C0000000005F25060202000801085F24060203000801085F3740601E974F57DDE060875FE6121AEF5BC02E10FC655311C7A32CA822FD18E53A80298EDC56E0D5EBF38FB470DC12987B1600AE91A0ADB5B22C4D80080782E278AD", HEX))
 ```
 Therefore, the whole variable becomes:
@@ -22,26 +22,27 @@ Therefore, the whole variable becomes:
 SmartCardHSM.rootCerts = {
 	DESRCACC100001: new CVC(new ByteString("7F218201B47F4E82016C5F290100420E44455352434143433130303030317F4982011D060A04007F000702020202038120A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E537782207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9832026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B68441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F0469978520A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A78641046D025A8026CDBA245F10DF1B72E9880FFF746DAB40A43A3D5C6BEBF27707C30F6DEA72430EE3287B0665C1EAA6EAA4FA26C46303001983F82BD1AA31E03DA0628701015F200E44455352434143433130303030317F4C10060B2B0601040181C31F0301015301C05F25060102010100095F24060302010100085F37409DBB382B1711D2BAACB0C623D40C6267D0B52BA455C01F56333DC9554810B9B2878DAF9EC3ADA19C7B065D780D6C9C3C2ECEDFD78DEB18AF40778ADF89E861CA", HEX)),
 	UTSRCACC100001: new CVC(new ByteString("7F218201B47F4E82016C5F290100420E55545352434143433130303030317F4982011D060A04007F000702020202038120A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E537782207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9832026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B68441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F0469978520A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7864104A041FEB2FD116B2AD19CA6B7EACD71C9892F941BB88D67DCEEC92501F070011957E22122BA6C2CF5FF02936F482E35A6129CCBBA8E9383836D3106879C408EF08701015F200E55545352434143433130303030317F4C10060B2B0601040181C31F0301015301C05F25060102010100095F24060302010100085F3740914DD0FA00615C44048D1467435400423A4AD1BD37FD98D6DE84FD8037489582325C72956D4FDFABC6EDBA48184A754F37F1BE5142DD1C27D66569308CE19AAF", HEX)),
-	ESCVCAHSM00001: new CVC(new ByteString("7F218201657F4E82012D5F290100420E45534356434148534D30303030317F4981DD060A04007F000702020202038118FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF8218FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC831864210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1843104188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E7948118518FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831863104088FCDFCCE87EDD285920615E651D76452D857ECBB408C327ADB48A2A514C1C9BD77CC9783607A741493A742744AD1738701015F200E45534356434148534D30303030317F4C12060904007F0007030102025305C0000000045F25060202000302065F24060300010203015F37307297777664B60C57A2C45E7BFD12E520143EDE9038BFB302739106F2730D760665D74649910C519089848D4FB6E51340", HEX))
+	ESPICOHSMCA00001: new CVC(new ByteString("7F218201BA7F4E8201725F290100421045535049434F48534D434130303030317F4982011D060A04007F000702020202038120FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF8220FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC83205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B8441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F58520FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC6325518641046A82C0A4FEAF41D6A1336AE7E992D81AD4F827929145DD0D777E1AB63D7E3325C8F7DAC0F74B6EAE13A72F6366777EC133AC5C28F456868E5F2C315044EB54EF8701015F201045535049434F48534D434130303030317F4C12060904007F0007030102025305C0000000005F25060202000801085F24060203000801085F3740601E974F57DDE060875FE6121AEF5BC02E10FC655311C7A32CA822FD18E53A80298EDC56E0D5EBF38FB470DC12987B1600AE91A0ADB5B22C4D80080782E278AD", HEX))
 }
 ```
 Similarly, replace the line `1531` in file `scs3/keymanager/keymanager.js` with:
 ```
-	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESCVCAHSM00001.getPublicKey()), dicacert.getPublicKeyOID()));
+	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESPICOHSMCA00001.getPublicKey()), dicacert.getPublicKeyOID()));
 ```
-Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt) can be applied.
+
 Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/9415877/scs3.patch.txt) can be applied.
 After this ammendment, the program can be started and the KeyManager can be invoked (CTRL+M) and it will output something similar to:
 ```
 >load("keymanager/keymanager.js");
-SmartCard-HSM Version 1.6 on JCOP          Free memory 217104 byte
+SmartCard-HSM Version 2.6 on JCOP          Free memory 215512 byte
-Issuer Certificate : CVC id-AT DV (official domestic) CAR=ESCVCAHSM00001 CHR=ESDVCAHSM00001 CED=27 / de març / 2022 CXD=31 / de desembre / 2025 
+Issuer Certificate : CVC id-AT DV (official domestic) CAR=ESPICOHSMCA00001 CHR=ESPICOHSMDV00001 CED=18 / d’agost / 2022 CXD=14 / de juny / 2023 
-Device Certificate : CVC id-AT Terminal CAR=ESDVCAHSM00001 CHR=ESTERMHSM00001 CED=27 / de març / 2022 CXD=31 / de desembre / 2023 
+Device Certificate : CVC id-AT Terminal CAR=ESPICOHSMDV00001 CHR=ESPICOHSMTRYZRGW CED=22 / d’agost / 2022 CXD=22 / d’agost / 2023 
-Default Key Domain : 0F89B400975EDD2D425ABF85F2FBD318779B3D85475E65D4
+Default Key Domain : 223CD8D8F794889AC163305881BF8C04960BBB8658120491F1C0601F6BF97183
 -------------------------------------------------------------------
 Please right-click on nodes in the outline to see possible actions.
 For most operations you will need to authenticate first using a
@@ -60,7 +61,7 @@ It can be executed in a Terminal via
 ```
 ## DKEK requirement
-In order to perform the import, private keys must be wrapped with the same DKEK present in the Pico HSM. Thus, the Pico HSM must be previously initialized with at minimum of 1 DKEK share. This share will be used to wrap the private key before import. 
+In order to perform the import, private keys must be wrapped with the same DKEK present in the Pico HSM. Thus, the Pico HSM must be previously initialized with at minimum of 1 DKEK share. This share will be used to wrap the private key before import.
 Note that the DKEK share shall be available before the import. In this way, all custodians must be present during the import process, since they will have to introduce their respective DKEK.
--- a/doc/sign-verify.md
+++ b/doc/sign-verify.md
@@ -1,7 +1,7 @@
 # Sign and verify
 Pico HSM supports in place signature of arbitrary data. It supports the following algorithms:
-* RSA-PKCS 
+* RSA-PKCS
 * RSA-X-509
 * SHA1-RSA-PKCS
 * SHA256-RSA-PKCS
@@ -32,7 +32,7 @@ $ openssl rsa -inform DER -outform PEM -in 1.der -pubin > 1.pub
 At this moment, you are able to verify with the public key in `1.pub`. The signature is computed inside the Pico HSM with the private key. It never leaves the device.
 ## RSA-PKCS
-This algorithm is used to sign raw data. 
+This algorithm is used to sign raw data.
 To sign the data:
 ```
@@ -91,7 +91,7 @@ This algorithm uses the RSA-PKCS with PSS salt to randomize the signature. Pico
 To sign the data:
 ```
 $ pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS-PSS -i data.sha1 -o data.sig
-``` 
+```
 To verify the signature:
 ```
@@ -105,7 +105,7 @@ This algorithm takes the file as the input and sends its hash for signing with t
 To sign the data:
 ```
 $ pkcs11-tool --id 1 --sign --pin 648219 --mechanism SHA1-RSA-PKCS-PSS -i data -o data.sig
-``` 
+```
 To verify the signature:
 ```
@@ -118,14 +118,14 @@ This is a raw ECDSA signature, which is usually used to sign a hashed message. `
 To sign the data:
 ```
-$ pkcs11-tool --id 11 --sign --pin 648219 --mechanism ECDSA -i data.sha1 -o data.sig --signature-format openssl     
+$ pkcs11-tool --id 11 --sign --pin 648219 --mechanism ECDSA -i data.sha1 -o data.sig --signature-format openssl
 Using slot 0 with a present token (0x0)
 Using signature algorithm ECDSA
 ```
 To verify the signature:
 ```
-$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig                                      
+$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig
 Signature Verified Successfully
 ```
@@ -143,6 +143,6 @@ Using signature algorithm ECDSA-SHA256
 The signature is verified with the hash:
 ```
-$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig                              
+$ openssl pkeyutl -verify -pubin -inkey 11.pub -in data.sha1 -sigfile data.sig
 Signature Verified Successfully
 ```
--- a/doc/store_data.md
+++ b/doc/store_data.md
@@ -9,7 +9,7 @@ Before writting a file into the Pico HSM, we generate the data file with the fol
 ```
 $ echo 'Pico HSM is awesome!' > test
-``` 
+```
 Then, we can store the data file with the following command:
@@ -43,7 +43,7 @@ Always provide a unique `--label`, as it will be used to index and reference the
 To view the stored file, we can use the following command with the same label we employed:
 ```
-$ pkcs11-tool --read-object --type data --label 'test1' 
+$ pkcs11-tool --read-object --type data --label 'test1'
 Using slot 0 with a present token (0x0)
 Pico HSM is awesome!
 ```
@@ -98,7 +98,7 @@ Data object 'test1'
 	applicationName: test1
 	Path:            e82b0601040181c31f0201::cf00
 	Data (21 bytes): 5069636F2048534D20697320617765736F6D65210A
-                  
+
 Data object 'test2'
 	applicationName: test2
 	Path:            e82b0601040181c31f0201::cd01
--- a/doc/usage.md
+++ b/doc/usage.md
@@ -1,7 +1,7 @@
 # Usage
 ## Tools
-We use multiple tools and PKCS#11 drivers and modules, depending on the purpose. 
+We use multiple tools and PKCS#11 drivers and modules, depending on the purpose.
 * **pkcs11-tool**: from OpenSC. It interfaces with the HSM via PKCS#11 interface. It supports different drivers and modules.
 * **sc-tool**: an alias of pkcs11-tool with the sc-hsm-embedded module. It is mainly used for AES management and it is defined as:
 ```
@@ -22,20 +22,20 @@ init=0
 PIN=648219
 ```
 `opensc-pkcs11.so` can be replaced by `libsc-hsm-pkcs11.so` if desired.
-* **sc-hsm-tool**: from OpenSC. Used to initialize the device.
+* **pico-hsm-tool**: Used to initialize the device.
 * **opensc-tool**: from OpenSC. Used to list and detect the reader with the HSM.
 [^1]: `openssl version -a` will return the `OPENSSLDIR`, which contains `openssl.cnf` file and `ENGINESDIR`, which contains the p11 engine.
 ## Initialization
-The first step is to initialize the HSM:
+The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder:
 ```
-$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
+$ python3 pico-hsm-tool initialize --so-pin 3537363231383830 --pin 648219
 ```
-The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked. 
+The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked.
 The PIN accepts from 6 to 16 characters.
-The SO-PIN is used to unblock the PIN. It accepts 15 attemps. After 15 failed attempts, the device will be completely blocked and will be necessary to initialize again, erasing all private keys and losing the access. Therefore, keep the SO-PIN in a safe place. 
+The SO-PIN is used to unblock the PIN. It accepts 15 attemps. After 15 failed attempts, the device will be completely blocked and will be necessary to initialize again, erasing all private keys and losing the access. Therefore, keep the SO-PIN in a safe place.
 The SO-PIN is always 16 hexadecimal characters.
 ## PIN and SO-PIN management
@@ -62,7 +62,7 @@ To generate a RSA 2048 bits, use the following command:
 $ pkcs11-tool -l --pin 648219 --keypairgen --key-type rsa:2048 --id 1 --label "RSA2K"
 Using slot 0 with a present token (0x0)
 Key pair generated:
-Private Key Object; RSA 
+Private Key Object; RSA
  label:      RSA2K
  ID:         1
  Usage:      decrypt, sign
@@ -77,7 +77,7 @@ The ID parameter is an internal hexadecimal number for easy identification. The
 Pico HSM accepts RSA of 1024 (`rsa:1024`), 2048 (`rsa:2048`) and 4096 bits (`rsa:4096`).
-**Caution**: RSA 2048 bits may take more than 20 seconds. RSA 4096 bits may take more than 20 minutes. The Pico HSM will work as normally and neither the HSM nor the host will block. But, in the meantime, the Pico HSM will not accept any command. 
+**Caution**: RSA 2048 bits may take more than 20 seconds. RSA 4096 bits may take more than 20 minutes. The Pico HSM will work as normally and neither the HSM nor the host will block. But, in the meantime, the Pico HSM will not accept any command.
 An alternative is to generate the private key locally and import it to the HSM. This approach, however, is less secure as it does not use a True RNG or HRNG like Pico HSM. Use this approach if you have plugged a TRNG or you are not worried about obtaining the highest entropy.
 Pico HSM also accepts ECDSA keypairs:
@@ -157,9 +157,9 @@ Certificate:
                    a0:30:b2:ec:d3:d6:0d:58:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                98:07:DA:13:B0:8E:A0:5C:97:83:68:FE:4A:25:8D:50:C4:DC:16:FA
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                keyid:98:07:DA:13:B0:8E:A0:5C:97:83:68:FE:4A:25:8D:50:C4:DC:16:FA
            X509v3 Basic Constraints: critical
@@ -173,7 +173,7 @@ Certificate:
         99:2b:b2:82:66:c1:06:a7:2c:62:af:e2:e4:93:42:36:66:8d:
         c5:3f:e1:ec:5f:9a:f8:5f:b3:6a:8f:0e:12:5d:c9:46:38:ea:
         0b:08
-``` 
+```
 The resulting file `cert.pem` contains the signed certificate in PEM format. Convert it into DER format and load it into the Pico HSM:
--- a/1
+++ b/1
--- a/1
+++ b/1
--- a/src/hsm/cmd_challenge.c
+++ b/src/hsm/cmd_challenge.c
@@ -0,0 +1,33 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "random.h"
 #include "sc_hsm.h"
 uint8_t challenge[256];
 uint8_t challenge_len = 0;
 int cmd_challenge() {
    uint8_t *rb = (uint8_t *)random_bytes_get(apdu.ne);
    if (!rb)
        return SW_WRONG_LENGTH();
    memcpy(res_APDU, rb, apdu.ne);
    challenge_len = MIN(apdu.ne, sizeof(challenge));
    memcpy(challenge, rb, challenge_len);
    res_APDU_size = apdu.ne;
    return SW_OK();
 }
--- a/src/hsm/cmd_change_pin.c
+++ b/src/hsm/cmd_change_pin.c
@@ -0,0 +1,67 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "kek.h"
 int cmd_change_pin() {
    if (P1(apdu) == 0x0) {
        if (P2(apdu) == 0x81 || P2(apdu) == 0x88) {
            file_t *file_pin = NULL;
            if (P2(apdu) == 0x81)
                file_pin = file_pin1;
            else if (P2(apdu) == 0x88)
                file_pin = file_sopin;
            if (!file_pin) {
                return SW_FILE_NOT_FOUND();
            }
            if (!file_has_data(file_pin)) {
                return SW_REFERENCE_NOT_FOUND();
            }
            uint8_t pin_len = file_read_uint8(file_get_data(file_pin));
            int r = check_pin(file_pin, apdu.data, pin_len);
            if (r != 0x9000)
                return r;
            uint8_t mkek[MKEK_SIZE];
            r = load_mkek(mkek); //loads the MKEK with old pin
            if (r != CCID_OK)
                return SW_EXEC_ERROR();
            //encrypt MKEK with new pin
            if (P2(apdu) == 0x81) {
                hash_multi(apdu.data+pin_len, apdu.nc-pin_len, session_pin);
                has_session_pin = true;
            }
            else if (P2(apdu) == 0x88) {
                hash_multi(apdu.data+pin_len, apdu.nc-pin_len, session_sopin);
                has_session_sopin = true;
            }
            r = store_mkek(mkek);
            release_mkek(mkek);
            if (r != CCID_OK)
                return SW_EXEC_ERROR();
            uint8_t dhash[33];
            dhash[0] = apdu.nc-pin_len;
            double_hash_pin(apdu.data+pin_len, apdu.nc-pin_len, dhash+1);
            flash_write_data_to_file(file_pin, dhash, sizeof(dhash));
            low_flash_available();
            return SW_OK();
        }
    }
    return SW_WRONG_P1P2();
 }
--- a/src/hsm/cmd_cipher_sym.c
+++ b/src/hsm/cmd_cipher_sym.c
@@ -0,0 +1,113 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "common.h"
 #include "mbedtls/aes.h"
 #include "mbedtls/cmac.h"
 #include "mbedtls/hkdf.h"
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "kek.h"
 int cmd_cipher_sym() {
    int key_id = P1(apdu);
    int algo = P2(apdu);
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
    if (!ef)
        return SW_FILE_NOT_FOUND();
    if (key_has_purpose(ef, algo) == false)
        return SW_CONDITIONS_NOT_SATISFIED();
    if ((apdu.nc % 16) != 0) {
        return SW_WRONG_LENGTH();
    }
    if (wait_button_pressed() == true) // timeout
        return SW_SECURE_MESSAGE_EXEC_ERROR();
    int key_size = file_get_size(ef);
    uint8_t kdata[32]; //maximum AES key size
    memcpy(kdata, file_get_data(ef), key_size);
    if (mkek_decrypt(kdata, key_size) != 0) {
        return SW_EXEC_ERROR();
    }
    if (algo == ALGO_AES_CBC_ENCRYPT || algo == ALGO_AES_CBC_DECRYPT) {
        mbedtls_aes_context aes;
        mbedtls_aes_init(&aes);
        uint8_t tmp_iv[IV_SIZE];
        memset(tmp_iv, 0, sizeof(tmp_iv));
        if (algo == ALGO_AES_CBC_ENCRYPT) {
            int r = mbedtls_aes_setkey_enc(&aes, kdata, key_size*8);
            if (r != 0) {
                mbedtls_platform_zeroize(kdata, sizeof(kdata));
                mbedtls_aes_free(&aes);
                return SW_EXEC_ERROR();
            }
            r = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, apdu.nc, tmp_iv, apdu.data, res_APDU);
            mbedtls_platform_zeroize(kdata, sizeof(kdata));
            if (r != 0) {
                mbedtls_aes_free(&aes);
                return SW_EXEC_ERROR();
            }
        }
        else if (algo == ALGO_AES_CBC_DECRYPT) {
            int r = mbedtls_aes_setkey_dec(&aes, kdata, key_size*8);
            if (r != 0) {
                mbedtls_platform_zeroize(kdata, sizeof(kdata));
                mbedtls_aes_free(&aes);
                return SW_EXEC_ERROR();
            }
            r = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, apdu.nc, tmp_iv, apdu.data, res_APDU);
            mbedtls_platform_zeroize(kdata, sizeof(kdata));
            if (r != 0) {
                mbedtls_aes_free(&aes);
                return SW_EXEC_ERROR();
            }
        }
        res_APDU_size = apdu.nc;
        mbedtls_aes_free(&aes);
    }
    else if (algo == ALGO_AES_CMAC) {
        const mbedtls_cipher_info_t *cipher_info;
        if (key_size == 16)
            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
        else if (key_size == 24)
            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_192_ECB);
        else if (key_size == 32)
            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB);
        else {
            mbedtls_platform_zeroize(kdata, sizeof(kdata));
            return SW_WRONG_DATA();
        }
        int r = mbedtls_cipher_cmac(cipher_info, kdata, key_size*8, apdu.data, apdu.nc, res_APDU);
        mbedtls_platform_zeroize(kdata, sizeof(kdata));
        if (r != 0)
            return SW_EXEC_ERROR();
        res_APDU_size = 16;
    }
    else if (algo == ALGO_AES_DERIVE) {
        int r = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), NULL, 0, file_get_data(ef), key_size, apdu.data, apdu.nc, res_APDU, apdu.nc);
        mbedtls_platform_zeroize(kdata, sizeof(kdata));
        if (r != 0)
            return SW_EXEC_ERROR();
        res_APDU_size = apdu.nc;
    }
    else {
        mbedtls_platform_zeroize(kdata, sizeof(kdata));
        return SW_WRONG_P1P2();
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_decrypt_asym.c
+++ b/src/hsm/cmd_decrypt_asym.c
@@ -0,0 +1,170 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "common.h"
 #include "mbedtls/ecdh.h"
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "kek.h"
 #include "files.h"
 #include "asn1.h"
 #include "cvc.h"
 #include "random.h"
 #include "oid.h"
 int cmd_decrypt_asym() {
    int key_id = P1(apdu);
    uint8_t p2 = P2(apdu);
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
    if (!ef)
        return SW_FILE_NOT_FOUND();
    if (get_key_counter(ef) == 0)
        return SW_FILE_FULL();
    if (key_has_purpose(ef, p2) == false)
        return SW_CONDITIONS_NOT_SATISFIED();
    if (p2 >= ALGO_RSA_DECRYPT && p2 <= ALGO_RSA_DECRYPT_OEP) {
        mbedtls_rsa_context ctx;
        mbedtls_rsa_init(&ctx);
        if (p2 == ALGO_RSA_DECRYPT_OEP)
            mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE);
        int r = load_private_key_rsa(&ctx, ef);
        if (r != CCID_OK) {
            mbedtls_rsa_free(&ctx);
            if (r == CCID_VERIFICATION_FAILED)
                return SW_SECURE_MESSAGE_EXEC_ERROR();
            return SW_EXEC_ERROR();
        }
        int key_size = file_get_size(ef);
        if (apdu.nc < key_size) //needs padding
            memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
        if (p2 == ALGO_RSA_DECRYPT_PKCS1 || p2 == ALGO_RSA_DECRYPT_OEP) {
            size_t olen = apdu.nc;
            r = mbedtls_rsa_pkcs1_decrypt(&ctx, random_gen, NULL, &olen, apdu.data, res_APDU, 512);
            if (r == 0)
                res_APDU_size = olen;
        }
        else {
            r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
            if (r == 0)
                res_APDU_size = key_size;
        }
        if (r != 0) {
            mbedtls_rsa_free(&ctx);
            return SW_EXEC_ERROR();
        }
        mbedtls_rsa_free(&ctx);
    }
    else if (p2 == ALGO_EC_DH || p2 == ALGO_EC_DH_XKEK) {
        mbedtls_ecdh_context ctx;
        if (wait_button_pressed() == true) //timeout
            return SW_SECURE_MESSAGE_EXEC_ERROR();
        int key_size = file_get_size(ef);
        uint8_t *kdata = (uint8_t *)calloc(1,key_size);
        memcpy(kdata, file_get_data(ef), key_size);
        if (mkek_decrypt(kdata, key_size) != 0) {
            mbedtls_platform_zeroize(kdata, key_size);
            free(kdata);
            return SW_EXEC_ERROR();
        }
        mbedtls_ecdh_init(&ctx);
        mbedtls_ecp_group_id gid = kdata[0];
        int r = 0;
        r = mbedtls_ecdh_setup(&ctx, gid);
        if (r != 0) {
            mbedtls_platform_zeroize(kdata, key_size);
            mbedtls_ecdh_free(&ctx);
            free(kdata);
            return SW_DATA_INVALID();
        }
        r = mbedtls_mpi_read_binary(&ctx.ctx.mbed_ecdh.d, kdata+1, key_size-1);
        mbedtls_platform_zeroize(kdata, key_size);
        free(kdata);
        if (r != 0) {
            mbedtls_ecdh_free(&ctx);
            return SW_DATA_INVALID();
        }
        r = -1;
        if (p2 == ALGO_EC_DH)
            r = mbedtls_ecdh_read_public(&ctx, apdu.data-1, apdu.nc+1);
        else if (p2 == ALGO_EC_DH_XKEK) {
            size_t pub_len = 0;
            const uint8_t *pub = cvc_get_pub(apdu.data, apdu.nc, &pub_len);
            if (pub) {
                size_t t86_len = 0;
                const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
                if (t86) {
                    r = mbedtls_ecdh_read_public(&ctx, t86-1, t86_len+1);
                }
            }
        }
        if (r != 0) {
            mbedtls_ecdh_free(&ctx);
            return SW_DATA_INVALID();
        }
        size_t olen = 0;
        res_APDU[0] = 0x04;
        r = mbedtls_ecdh_calc_secret(&ctx, &olen, res_APDU+1, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
        if (r != 0) {
            mbedtls_ecdh_free(&ctx);
            return SW_EXEC_ERROR();
        }
        if (p2 == ALGO_EC_DH)
            res_APDU_size = olen+1;
        else {
            res_APDU_size = 0;
            size_t ext_len = 0;
            const uint8_t *ext = NULL;
            if ((ext = cvc_get_ext(apdu.data, apdu.nc, &ext_len)) == NULL)
                return SW_WRONG_DATA();
            uint8_t *p = NULL, *tag_data = NULL, *kdom_uid = NULL;
            uint16_t tag = 0;
            size_t tag_len = 0, kdom_uid_len = 0;
            while (walk_tlv(ext, ext_len, &p, &tag, &tag_len, &tag_data)) {
                if (tag == 0x73) {
                    size_t oid_len = 0;
                    uint8_t *oid_data = NULL;
                    if (asn1_find_tag(tag_data, tag_len, 0x6, &oid_len, &oid_data) == true && oid_len == strlen(OID_ID_KEY_DOMAIN_UID) && memcmp(oid_data, OID_ID_KEY_DOMAIN_UID, strlen(OID_ID_KEY_DOMAIN_UID)) == 0) {
                        if (asn1_find_tag(tag_data, tag_len, 0x80, &kdom_uid_len, &kdom_uid) == false)
                            return SW_WRONG_DATA();
                        break;
                    }
                }
            }
            if (kdom_uid_len == 0 || kdom_uid == NULL)
                return SW_WRONG_DATA();
            for (int n = 0; n < MAX_KEY_DOMAINS; n++) {
                file_t *tf = search_dynamic_file(EF_XKEK+n);
                if (tf) {
                    if (file_get_size(tf) == kdom_uid_len && memcmp(file_get_data(tf), kdom_uid, kdom_uid_len) == 0) {
                        file_new(EF_DKEK+n);
                        if (store_dkek_key(n, res_APDU+1) != CCID_OK)
                            return SW_EXEC_ERROR();
                        return SW_OK();
                    }
                }
            }
            return SW_REFERENCE_NOT_FOUND();
        }
        mbedtls_ecdh_free(&ctx);
    }
    else
        return SW_WRONG_P1P2();
    decrement_key_counter(ef);
    return SW_OK();
 }
--- a/src/hsm/cmd_delete_file.c
+++ b/src/hsm/cmd_delete_file.c
@@ -0,0 +1,40 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 int cmd_delete_file() {
    file_t *ef = NULL;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    if (apdu.nc == 0) {
        ef = currentEF;
        if (!(ef = search_dynamic_file(ef->fid)))
            return SW_FILE_NOT_FOUND();
    }
    else {
        uint16_t fid = (apdu.data[0] << 8) | apdu.data[1];
        if (!(ef = search_dynamic_file(fid)))
            return SW_FILE_NOT_FOUND();
    }
    if (!authenticate_action(ef, ACL_OP_DELETE_SELF))
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    if (delete_file(ef) != CCID_OK)
        return SW_EXEC_ERROR();
    return SW_OK();
 }
--- a/src/hsm/cmd_derive_asym.c
+++ b/src/hsm/cmd_derive_asym.c
@@ -0,0 +1,102 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "common.h"
 #include "mbedtls/ecdsa.h"
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E
 #define MOD_ADD( N )                                                    \
    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
 static inline int mbedtls_mpi_add_mod( const mbedtls_ecp_group *grp,
                                       mbedtls_mpi *X,
                                       const mbedtls_mpi *A,
                                       const mbedtls_mpi *B )
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, A, B ) );
    MOD_ADD( *X );
 cleanup:
    return( ret );
 }
 int cmd_derive_asym() {
    uint8_t key_id = P1(apdu);
    uint8_t dest_id = P2(apdu);
    file_t *fkey;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
        return SW_FILE_NOT_FOUND();
    if (key_has_purpose(fkey, ALGO_EC_DERIVE) == false)
        return SW_CONDITIONS_NOT_SATISFIED();
    if (apdu.nc == 0)
        return SW_WRONG_LENGTH();
    if (apdu.data[0] == ALGO_EC_DERIVE) {
        mbedtls_ecdsa_context ctx;
        mbedtls_ecdsa_init(&ctx);
        int r;
        r = load_private_key_ecdsa(&ctx, fkey);
        if (r != CCID_OK) {
            mbedtls_ecdsa_free(&ctx);
            if (r == CCID_VERIFICATION_FAILED)
                return SW_SECURE_MESSAGE_EXEC_ERROR();
            return SW_EXEC_ERROR();
        }
        mbedtls_mpi a, nd;
        mbedtls_mpi_init(&a);
        mbedtls_mpi_init(&nd);
        r = mbedtls_mpi_read_binary(&a, apdu.data+1, apdu.nc-1);
        if (r != 0) {
            mbedtls_ecdsa_free(&ctx);
            mbedtls_mpi_free(&a);
            mbedtls_mpi_free(&nd);
            return SW_DATA_INVALID();
        }
        r = mbedtls_mpi_add_mod(&ctx.grp, &nd, &ctx.d, &a);
        if (r != 0) {
            mbedtls_ecdsa_free(&ctx);
            mbedtls_mpi_free(&a);
            mbedtls_mpi_free(&nd);
            return SW_EXEC_ERROR();
        }
        r = mbedtls_mpi_copy(&ctx.d, &nd);
        if (r != 0) {
            mbedtls_ecdsa_free(&ctx);
            mbedtls_mpi_free(&a);
            mbedtls_mpi_free(&nd);
            return SW_EXEC_ERROR();
        }
        r = store_keys(&ctx, HSM_KEY_EC, dest_id);
        if (r != CCID_OK) {
            mbedtls_ecdsa_free(&ctx);
            mbedtls_mpi_free(&a);
            mbedtls_mpi_free(&nd);
            return SW_EXEC_ERROR();
        }
        mbedtls_ecdsa_free(&ctx);
        mbedtls_mpi_free(&a);
        mbedtls_mpi_free(&nd);
    }
    else
        return SW_WRONG_DATA();
    return SW_OK();
 }
--- a/src/hsm/cmd_external_authenticate.c
+++ b/src/hsm/cmd_external_authenticate.c
@@ -0,0 +1,54 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "cvc.h"
 #include "files.h"
 extern file_t *ef_puk_aut;
 extern uint8_t challenge[256];
 extern uint8_t challenge_len;
 int cmd_external_authenticate() {
    if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
        return SW_INCORRECT_P1P2();
    if (ef_puk_aut == NULL)
        return SW_REFERENCE_NOT_FOUND();
    if (apdu.nc == 0)
        return SW_WRONG_LENGTH();
    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
        return SW_FILE_NOT_FOUND();
    uint8_t *puk_data = file_get_data(ef_puk);
    uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
    memcpy(input, dev_name, dev_name_len);
    memcpy(input+dev_name_len, challenge, challenge_len);
    hash256(input, dev_name_len+challenge_len, hash);
    int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
    free(input);
    if (r != 0)
        return SW_CONDITIONS_NOT_SATISFIED();
    puk_status[ef_puk_aut->fid & (MAX_PUK-1)] = 1;
    uint8_t auts = 0;
    for (int i = 0; i < puk_data[0]; i++)
        auts += puk_status[i];
    if (auts >= puk_data[2]) {
        isUserAuthenticated = true;
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_extras.c
+++ b/src/hsm/cmd_extras.c
@@ -0,0 +1,72 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "hardware/rtc.h"
 #include "files.h"
 int cmd_extras() {
    if (P2(apdu) != 0x0)
        return SW_INCORRECT_P1P2();
    if (P1(apdu) == 0xA) { //datetime operations
        if (apdu.nc == 0) {
            datetime_t dt;
            if (!rtc_get_datetime(&dt))
                return SW_EXEC_ERROR();
            res_APDU[res_APDU_size++] = dt.year >> 8;
            res_APDU[res_APDU_size++] = dt.year & 0xff;
            res_APDU[res_APDU_size++] = dt.month;
            res_APDU[res_APDU_size++] = dt.day;
            res_APDU[res_APDU_size++] = dt.dotw;
            res_APDU[res_APDU_size++] = dt.hour;
            res_APDU[res_APDU_size++] = dt.min;
            res_APDU[res_APDU_size++] = dt.sec;
        }
        else {
            if (apdu.nc != 8)
                return SW_WRONG_LENGTH();
            datetime_t dt;
            dt.year = (apdu.data[0] << 8) | (apdu.data[1]);
            dt.month = apdu.data[2];
            dt.day = apdu.data[3];
            dt.dotw = apdu.data[4];
            dt.hour = apdu.data[5];
            dt.min = apdu.data[6];
            dt.sec = apdu.data[7];
            if (!rtc_set_datetime(&dt))
                return SW_WRONG_DATA();
        }
    }
    else if (P1(apdu) == 0x6) { //dynamic options
        if (apdu.nc > sizeof(uint8_t))
            return SW_WRONG_LENGTH();
        uint16_t opts = get_device_options();
        if (apdu.nc == 0) {
            res_APDU[res_APDU_size++] = opts >> 8;
            res_APDU[res_APDU_size++] = opts & 0xff;
        }
        else {
            uint8_t newopts[] = { apdu.data[0], (opts & 0xff) };
            file_t *tf = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
            flash_write_data_to_file(tf, newopts, sizeof(newopts));
            low_flash_available();
        }
    }
    else
        return SW_INCORRECT_P1P2();
    return SW_OK();
 }
--- a/src/hsm/cmd_general_authenticate.c
+++ b/src/hsm/cmd_general_authenticate.c
@@ -0,0 +1,107 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "common.h"
 #include "mbedtls/ecdh.h"
 #include "asn1.h"
 #include "sc_hsm.h"
 #include "random.h"
 #include "oid.h"
 #include "eac.h"
 #include "files.h"
 int cmd_general_authenticate() {
    if (P1(apdu) == 0x0 && P2(apdu) == 0x0) {
        if (apdu.data[0] == 0x7C) {
            int r = 0;
            size_t pubkey_len = 0;
            const uint8_t *pubkey = NULL;
            uint16_t tag = 0x0;
            uint8_t *tag_data = NULL, *p = NULL;
            size_t tag_len = 0;
            while (walk_tlv(apdu.data+2, apdu.nc-2, &p, &tag, &tag_len, &tag_data)) {
                if (tag == 0x80) {
                    pubkey = tag_data-1; //mbedtls ecdh starts reading one pos before
                    pubkey_len = tag_len+1;
                }
            }
            file_t *fkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
            if (!fkey)
                return SW_EXEC_ERROR();
            mbedtls_ecdsa_context ectx;
            mbedtls_ecdsa_init(&ectx);
            r = load_private_key_ecdsa(&ectx, fkey);
            if (r != CCID_OK) {
                mbedtls_ecdsa_free(&ectx);
                return SW_EXEC_ERROR();
            }
            mbedtls_ecdh_context ctx;
            mbedtls_ecdh_init(&ctx);
            mbedtls_ecp_group_id gid = MBEDTLS_ECP_DP_SECP256R1;
            r = mbedtls_ecdh_setup(&ctx, gid);
            if (r != 0) {
                mbedtls_ecdsa_free(&ectx);
                mbedtls_ecdh_free(&ctx);
                return SW_DATA_INVALID();
            }
            r = mbedtls_mpi_copy(&ctx.ctx.mbed_ecdh.d, &ectx.d);
            mbedtls_ecdsa_free(&ectx);
            if (r != 0) {
                mbedtls_ecdh_free(&ctx);
                return SW_DATA_INVALID();
            }
            r = mbedtls_ecdh_read_public(&ctx, pubkey, pubkey_len);
            if (r != 0) {
                mbedtls_ecdh_free(&ctx);
                return SW_DATA_INVALID();
            }
            size_t olen = 0;
            uint8_t derived[MBEDTLS_ECP_MAX_BYTES];
            r = mbedtls_ecdh_calc_secret(&ctx, &olen, derived, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
            mbedtls_ecdh_free(&ctx);
            if (r != 0) {
                return SW_EXEC_ERROR();
            }
            sm_derive_all_keys(derived, olen);
            uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16);
            memcpy(t, "\x7F\x49\x3F\x06\x0A", 5);
            if (sm_get_protocol() == MSE_AES)
                memcpy(t+5, OID_ID_CA_ECDH_AES_CBC_CMAC_128, 10);
            t[15] = 0x86;
            memcpy(t+16, pubkey, pubkey_len);
            res_APDU[res_APDU_size++] = 0x7C;
            res_APDU[res_APDU_size++] = 20;
            res_APDU[res_APDU_size++] = 0x81;
            res_APDU[res_APDU_size++] = 8;
            memcpy(res_APDU+res_APDU_size, sm_get_nonce(), 8);
            res_APDU_size += 8;
            res_APDU[res_APDU_size++] = 0x82;
            res_APDU[res_APDU_size++] = 8;
            r = sm_sign(t, pubkey_len+16, res_APDU+res_APDU_size);
            free(t);
            if (r != CCID_OK)
                return SW_EXEC_ERROR();
            res_APDU_size += 8;
        }
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_initialize.c
+++ b/src/hsm/cmd_initialize.c
@@ -0,0 +1,216 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "files.h"
 #include "random.h"
 #include "kek.h"
 #include "version.h"
 #include "asn1.h"
 #include "cvc.h"
 extern void scan_all();
 extern char __StackLimit;
 int heapLeft() {
    char *p = malloc(256);   // try to avoid undue fragmentation
    int left = &__StackLimit - p;
    free(p);
    return left;
 }
 int cmd_initialize() {
    if (apdu.nc > 0) {
        uint8_t mkek[MKEK_SIZE];
        int ret_mkek = load_mkek(mkek); //Try loading MKEK with previous session
        initialize_flash(true);
        scan_all();
        has_session_pin = has_session_sopin = false;
        uint16_t tag = 0x0;
        uint8_t *tag_data = NULL, *p = NULL, *kds = NULL, *dkeks = NULL;
        size_t tag_len = 0;
        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
            if (tag == 0x80) { //options
                file_t *tf = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
                flash_write_data_to_file(tf, tag_data, tag_len);
            }
            else if (tag == 0x81) { //user pin
                if (file_pin1 && file_pin1->data) {
                    uint8_t dhash[33];
                    dhash[0] = tag_len;
                    double_hash_pin(tag_data, tag_len, dhash+1);
                    flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
                    hash_multi(tag_data, tag_len, session_pin);
                    has_session_pin = true;
                }
            }
            else if (tag == 0x82) { //sopin pin
                if (file_sopin && file_sopin->data) {
                    uint8_t dhash[33];
                    dhash[0] = tag_len;
                    double_hash_pin(tag_data, tag_len, dhash+1);
                    flash_write_data_to_file(file_sopin, dhash, sizeof(dhash));
                    hash_multi(tag_data, tag_len, session_sopin);
                    has_session_sopin = true;
                }
            }
            else if (tag == 0x91) { //retries user pin
                file_t *tf = search_by_fid(0x1082, NULL, SPECIFY_EF);
                if (tf && tf->data) {
                    flash_write_data_to_file(tf, tag_data, tag_len);
                }
                if (file_retries_pin1 && file_retries_pin1->data) {
                    flash_write_data_to_file(file_retries_pin1, tag_data, tag_len);
                }
            }
            else if (tag == 0x92) {
                dkeks = tag_data;
                file_t *tf = file_new(EF_DKEK);
                if (!tf) {
                    release_mkek(mkek);
                    return SW_MEMORY_FAILURE();
                }
                flash_write_data_to_file(tf, NULL, 0);
            }
            else if (tag == 0x93) {
                file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
                if (!ef_puk) {
                    release_mkek(mkek);
                    return SW_MEMORY_FAILURE();
                }
                uint8_t pk_status[4], puks = MIN(tag_data[0],MAX_PUK);
                memset(pk_status, 0, sizeof(pk_status));
                pk_status[0] = puks;
                pk_status[1] = puks;
                pk_status[2] = tag_data[1];
                flash_write_data_to_file(ef_puk, pk_status, sizeof(pk_status));
                for (int i = 0; i < puks; i++) {
                    file_t *tf = file_new(EF_PUK+i);
                    if (!tf) {
                        release_mkek(mkek);
                        return SW_MEMORY_FAILURE();
                    }
                    flash_write_data_to_file(tf, NULL, 0);
                }
            }
            else if (tag == 0x97) {
                kds = tag_data;
                /*
                for (int i = 0; i < MIN(*kds,MAX_KEY_DOMAINS); i++) {
                    file_t *tf = file_new(EF_DKEK+i);
                    if (!tf)
                        return SW_MEMORY_FAILURE();
                    flash_write_data_to_file(tf, NULL, 0);
                }
                */
            }
        }
        file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
        if (!tf_kd) {
            release_mkek(mkek);
            return SW_EXEC_ERROR();
        }
        if (ret_mkek != CCID_OK)
            ret_mkek = load_mkek(mkek); //Try again with new PIN/SO-PIN just in case some is the same
        if (store_mkek(ret_mkek == CCID_OK ? mkek : NULL) != CCID_OK) {
            release_mkek(mkek);
            return SW_EXEC_ERROR();
        }
        release_mkek(mkek);
        if (dkeks) {
            if (*dkeks > 0) {
                uint16_t d = *dkeks;
                if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
                    return SW_EXEC_ERROR();
            }
            else {
                int r = save_dkek_key(0, random_bytes_get(32));
                if (r != CCID_OK)
                    return SW_EXEC_ERROR();
                uint16_t d = 0x0101;
                if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
                    return SW_EXEC_ERROR();
            }
        }
        else {
            uint16_t d = 0x0000;
            if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
                return SW_EXEC_ERROR();
        }
        if (kds) {
            uint8_t t[MAX_KEY_DOMAINS*2], k = MIN(*kds,MAX_KEY_DOMAINS);
            memset(t, 0xff, 2*k);
            if (flash_write_data_to_file(tf_kd, t, 2*k) != CCID_OK)
                return SW_EXEC_ERROR();
        }
        /* When initialized, it has all credentials */
        isUserAuthenticated = true;
        /* Create terminal private key */
        file_t *fdkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
        if (!fdkey)
            return SW_EXEC_ERROR();
        int ret = 0;
        if (ret_mkek != CCID_OK || file_get_size(fdkey) == 0 || file_get_data(fdkey) == NULL) {
            mbedtls_ecdsa_context ecdsa;
            mbedtls_ecdsa_init(&ecdsa);
            mbedtls_ecp_group_id ec_id = MBEDTLS_ECP_DP_SECP256R1;
            uint8_t index = 0, key_id = 0;
            ret = mbedtls_ecdsa_genkey(&ecdsa, ec_id, random_gen, &index);
            if (ret != 0) {
                mbedtls_ecdsa_free(&ecdsa);
                return SW_EXEC_ERROR();
            }
            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
            if (ret != CCID_OK) {
                mbedtls_ecdsa_free(&ecdsa);
                return SW_EXEC_ERROR();
            }
            size_t cvc_len = 0;
            if ((cvc_len = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
                mbedtls_ecdsa_free(&ecdsa);
                return SW_EXEC_ERROR();
            }
            mbedtls_ecdsa_free(&ecdsa);
            file_t *fpk = search_by_fid(EF_EE_DEV, NULL, SPECIFY_EF);
            ret = flash_write_data_to_file(fpk, res_APDU, cvc_len);
            if (ret != 0)
                return SW_EXEC_ERROR();
            const uint8_t *keyid = (const uint8_t *)"\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0", *label = (const uint8_t *)"ESTERMHSM";
            size_t prkd_len = asn1_build_prkd_ecc(label, strlen((const char *)label), keyid, 20, 192, res_APDU, 4096);
            fpk = search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF);
            ret = flash_write_data_to_file(fpk, res_APDU, prkd_len);
        }
        if (ret != 0)
            return SW_EXEC_ERROR();
        low_flash_available();
    }
    else { //free memory bytes request
        int heap_left = heapLeft();
        res_APDU[0] = ((heap_left >> 24) & 0xff);
        res_APDU[1] = ((heap_left >> 16) & 0xff);
        res_APDU[2] = ((heap_left >> 8) & 0xff);
        res_APDU[3] = ((heap_left >> 0) & 0xff);
        res_APDU[4] = 0;
        res_APDU[5] = HSM_VERSION_MAJOR;
        res_APDU[6] = HSM_VERSION_MINOR;
        res_APDU_size = 7;
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_key_domain.c
+++ b/src/hsm/cmd_key_domain.c
@@ -0,0 +1,163 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "cvc.h"
 #include "kek.h"
 #include "files.h"
 uint8_t get_key_domain(file_t *fkey) {
    size_t tag_len = 0;
    const uint8_t *meta_tag = get_meta_tag(fkey, 0x92, &tag_len);
    if (meta_tag)
        return *meta_tag;
    return 0xff;
 }
 int cmd_key_domain() {
    //if (dkeks == 0)
    //    return SW_COMMAND_NOT_ALLOWED();
    uint8_t p1 = P1(apdu), p2 = P2(apdu);
    if ((has_session_pin == false || isUserAuthenticated == false) && apdu.nc > 0)
        return SW_CONDITIONS_NOT_SATISFIED();
    if (p2 >= MAX_KEY_DOMAINS)
        return SW_WRONG_P1P2();
    file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
    if (!tf_kd)
        return SW_EXEC_ERROR();
    uint16_t tf_kd_size = file_get_size(tf_kd);
    if (tf_kd_size == 0)
        return SW_WRONG_P1P2();
    uint8_t *kdata = file_get_data(tf_kd), dkeks = kdata ? kdata[2*p2] : 0, current_dkeks = kdata ? kdata[2*p2+1] : 0;
    if (p1 == 0x0) { //dkek import
        if (apdu.nc > 0) {
            file_t *tf = file_new(EF_DKEK+p2);
            if (!tf)
                return SW_MEMORY_FAILURE();
            if (apdu.nc < 32)
                return SW_WRONG_LENGTH();
            import_dkek_share(p2, apdu.data);
            if (++current_dkeks >= dkeks) {
                if (save_dkek_key(p2, NULL) != CCID_OK)
                    return SW_FILE_NOT_FOUND();
            }
            uint8_t t[MAX_KEY_DOMAINS*2];
            memcpy(t, kdata, tf_kd_size);
            t[2*p2+1] = current_dkeks;
            if (flash_write_data_to_file(tf_kd, t, tf_kd_size) != CCID_OK)
                return SW_EXEC_ERROR();
            low_flash_available();
        }
        else {
            file_t *tf = search_dynamic_file(EF_XKEK+p2);
            if (2*p2 >= tf_kd_size || current_dkeks == 0)
                return SW_INCORRECT_P1P2();
            if (current_dkeks == 0xff && !tf) //XKEK have always 0xff
                return SW_REFERENCE_NOT_FOUND();
        }
    }
    else if (p1 == 0x1 || p1 == 0x3 || p1 == 0x4) { //key domain setup
        if (p1 == 0x1 && apdu.nc != 1)
            return SW_WRONG_LENGTH();
        if (p1 == 0x3) { //if key domain is not empty, command is denied
            for (int i = 0; i < dynamic_files; i++) {
                if (get_key_domain(&dynamic_file[i]) == p2)
                    return SW_FILE_EXISTS();
            }
        }
        uint8_t t[MAX_KEY_DOMAINS*2];
        memcpy(t, kdata, tf_kd_size);
        if (p1 == 0x1) {
            t[2*p2] = dkeks = apdu.data[0];
            t[2*p2+1] = current_dkeks = 0;
        }
        else if (p1 == 0x3) {
            t[2*p2] = dkeks = 0xff;
            t[2*p2+1] = 0xff;
        }
        else if (p1 == 0x4) {
            t[2*p2+1] = current_dkeks = 0;
        }
        if (flash_write_data_to_file(tf_kd, t, tf_kd_size) != CCID_OK)
            return SW_EXEC_ERROR();
        file_t *tf = NULL;
        if ((tf = search_dynamic_file(EF_DKEK+p2))) {
            if (delete_file(tf) != CCID_OK)
                return SW_EXEC_ERROR();
        }
        if (p1 == 0x3 && (tf = search_dynamic_file(EF_XKEK+p2))) {
            if (delete_file(tf) != CCID_OK)
                return SW_EXEC_ERROR();
        }
        low_flash_available();
    }
    else if (p1 == 0x2) { //XKEK Key Domain creation
        if (apdu.nc > 0) {
            size_t pub_len = 0;
            file_t *fterm = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF);
            if (!fterm)
                return SW_EXEC_ERROR();
            const uint8_t *pub = cvc_get_pub(file_get_data(fterm), file_get_size(fterm), &pub_len);
            if (!pub)
                return SW_EXEC_ERROR();
            size_t t86_len = 0;
            const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
            if (!t86 || t86[0] != 0x4)
                return SW_EXEC_ERROR();
            size_t t54_len = 0;
            const uint8_t *t54 = cvc_get_field(apdu.data, apdu.nc, &t54_len, 0x54);
            if (!t54)
                return SW_WRONG_DATA();
            uint8_t hash[32], *input = (uint8_t *)calloc(1, (t86_len-1)/2+1);
            input[0] = 0x54;
            memcpy(input+1, t86+1, (t86_len-1)/2);
            hash256(input, (t86_len-1)/2+1, hash);
            free(input);
            int r = puk_verify(t54, t54_len, hash, 32, apdu.data, apdu.nc);
            if (r != 0)
                return SW_CONDITIONS_NOT_SATISFIED();
            file_t *tf = file_new(EF_XKEK+p2);
            if (!tf)
                return SW_MEMORY_FAILURE();
            //All checks done. Get Key Domain UID
            pub = cvc_get_pub(apdu.data, apdu.nc, &pub_len);
            if (pub) {
                size_t t86_len = 0;
                const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
                if (t86) {
                    flash_write_data_to_file(tf, t86+1, t86_len-1);
                    low_flash_available();
                }
            }
        }
    }
    else
        return SW_INCORRECT_P1P2();
    memset(res_APDU,0,10);
    res_APDU[0] = dkeks;
    res_APDU[1] = dkeks > current_dkeks ? dkeks-current_dkeks : 0;
    dkek_kcv(p2, res_APDU+2);
    res_APDU_size = 2+8;
    file_t *tf = search_dynamic_file(EF_XKEK+p2);
    if (tf) {
        memcpy(res_APDU+10, file_get_data(tf), file_get_size(tf));
        res_APDU_size += file_get_size(tf);
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_key_gen.c
+++ b/src/hsm/cmd_key_gen.c
@@ -0,0 +1,52 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "random.h"
 int cmd_key_gen() {
    uint8_t key_id = P1(apdu);
    uint8_t p2 = P2(apdu);
    uint8_t key_size = 32;
    int r;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    if (p2 == 0xB2)
        key_size = 32;
    else if (p2 == 0xB1)
        key_size = 24;
    else if (p2 == 0xB0)
        key_size = 16;
    //at this moment, we do not use the template, as only CBC is supported by the driver (encrypt, decrypt and CMAC)
    uint8_t aes_key[32]; //maximum AES key size
    memcpy(aes_key, random_bytes_get(key_size), key_size);
    int aes_type = 0x0;
    if (key_size == 16)
        aes_type = HSM_KEY_AES_128;
    else if (key_size == 24)
        aes_type = HSM_KEY_AES_192;
    else if (key_size == 32)
        aes_type = HSM_KEY_AES_256;
    r = store_keys(aes_key, aes_type, key_id);
    if (r != CCID_OK)
        return SW_MEMORY_FAILURE();
    if (find_and_store_meta_key(key_id) != CCID_OK)
        return SW_EXEC_ERROR();
    low_flash_available();
    return SW_OK();
 }
--- a/src/hsm/cmd_key_unwrap.c
+++ b/src/hsm/cmd_key_unwrap.c
@@ -0,0 +1,106 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "kek.h"
 int cmd_key_unwrap() {
    int key_id = P1(apdu), r = 0;
    if (P2(apdu) != 0x93)
        return SW_WRONG_P1P2();
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    int key_type = dkek_type_key(apdu.data);
    uint8_t kdom = -1, *allowed = NULL;
    size_t allowed_len = 0;
    if (key_type == 0x0)
        return SW_DATA_INVALID();
    if (key_type == HSM_KEY_RSA) {
        mbedtls_rsa_context ctx;
        mbedtls_rsa_init(&ctx);
        do {
            r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
        if (r != CCID_OK) {
            mbedtls_rsa_free(&ctx);
            return SW_EXEC_ERROR();
        }
        r = store_keys(&ctx, HSM_KEY_RSA, key_id);
        mbedtls_rsa_free(&ctx);
        if (r != CCID_OK) {
            return SW_EXEC_ERROR();
        }
    }
    else if (key_type == HSM_KEY_EC) {
        mbedtls_ecdsa_context ctx;
        mbedtls_ecdsa_init(&ctx);
        do {
            r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
        if (r != CCID_OK) {
            mbedtls_ecdsa_free(&ctx);
            return SW_EXEC_ERROR();
        }
        r = store_keys(&ctx, HSM_KEY_EC, key_id);
        mbedtls_ecdsa_free(&ctx);
        if (r != CCID_OK) {
            return SW_EXEC_ERROR();
        }
    }
    else if (key_type == HSM_KEY_AES) {
        uint8_t aes_key[32];
        int key_size = 0, aes_type = 0;
        do {
            r = dkek_decode_key(++kdom, aes_key, apdu.data, apdu.nc, &key_size, &allowed, &allowed_len);
        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
        if (r != CCID_OK) {
            return SW_EXEC_ERROR();
        }
        if (key_size == 32)
            aes_type = HSM_KEY_AES_256;
        else if (key_size == 24)
            aes_type = HSM_KEY_AES_192;
        else if (key_size == 16)
            aes_type = HSM_KEY_AES_128;
        else
            return SW_EXEC_ERROR();
        r = store_keys(aes_key, aes_type, key_id);
        if (r != CCID_OK) {
            return SW_EXEC_ERROR();
        }
    }
    if ((allowed != NULL && allowed_len > 0) || kdom >= 0) {
        size_t meta_len = (allowed_len > 0 ? 2+allowed_len : 0) + (kdom >= 0 ? 3 : 0);
        uint8_t *meta = (uint8_t *)calloc(1,meta_len), *m = meta;
        if (allowed_len > 0) {
            *m++ = 0x91;
            *m++ = allowed_len;
            memcpy(m, allowed, allowed_len); m += allowed_len;
        }
        if (kdom >= 0) {
            *m++ = 0x92;
            *m++ = 1;
            *m++ = kdom;
        }
        r = meta_add((KEY_PREFIX << 8) | key_id, meta, meta_len);
        free(meta);
        if (r != CCID_OK)
            return r;
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_key_wrap.c
+++ b/src/hsm/cmd_key_wrap.c
@@ -0,0 +1,93 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "asn1.h"
 #include "kek.h"
 extern uint8_t get_key_domain(file_t *fkey);
 int cmd_key_wrap() {
    int key_id = P1(apdu), r = 0;
    if (P2(apdu) != 0x92)
        return SW_WRONG_P1P2();
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
    uint8_t kdom = get_key_domain(ef);
    if (!ef)
        return SW_FILE_NOT_FOUND();
    if (key_has_purpose(ef, ALGO_WRAP) == false)
        return SW_CONDITIONS_NOT_SATISFIED();
    file_t *prkd = search_dynamic_file((PRKD_PREFIX << 8) | key_id);
    if (!prkd)
        return SW_FILE_NOT_FOUND();
    const uint8_t *dprkd = file_get_data(prkd);
    size_t wrap_len = MAX_DKEK_ENCODE_KEY_BUFFER;
    size_t tag_len = 0;
    const uint8_t *meta_tag = get_meta_tag(ef, 0x91, &tag_len);
    if (*dprkd == P15_KEYTYPE_RSA) {
        mbedtls_rsa_context ctx;
        mbedtls_rsa_init(&ctx);
        r = load_private_key_rsa(&ctx, ef);
        if (r != CCID_OK) {
            mbedtls_rsa_free(&ctx);
            if (r == CCID_VERIFICATION_FAILED)
                return SW_SECURE_MESSAGE_EXEC_ERROR();
            return SW_EXEC_ERROR();
        }
        r = dkek_encode_key(kdom, &ctx, HSM_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len);
        mbedtls_rsa_free(&ctx);
    }
    else if (*dprkd == P15_KEYTYPE_ECC) {
        mbedtls_ecdsa_context ctx;
        mbedtls_ecdsa_init(&ctx);
        r = load_private_key_ecdsa(&ctx, ef);
        if (r != CCID_OK) {
            mbedtls_ecdsa_free(&ctx);
            if (r == CCID_VERIFICATION_FAILED)
                return SW_SECURE_MESSAGE_EXEC_ERROR();
            return SW_EXEC_ERROR();
        }
        r = dkek_encode_key(kdom, &ctx, HSM_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len);
        mbedtls_ecdsa_free(&ctx);
    }
    else if (*dprkd == P15_KEYTYPE_AES) {
        uint8_t kdata[32]; //maximum AES key size
        if (wait_button_pressed() == true) //timeout
            return SW_SECURE_MESSAGE_EXEC_ERROR();
        int key_size = file_get_size(ef), aes_type = HSM_KEY_AES;
        memcpy(kdata, file_get_data(ef), key_size);
        if (mkek_decrypt(kdata, key_size) != 0) {
            return SW_EXEC_ERROR();
        }
        if (key_size == 32)
            aes_type = HSM_KEY_AES_256;
        else if (key_size == 24)
            aes_type = HSM_KEY_AES_192;
        else if (key_size == 16)
            aes_type = HSM_KEY_AES_128;
        r = dkek_encode_key(kdom, kdata, aes_type, res_APDU, &wrap_len, meta_tag, tag_len);
        mbedtls_platform_zeroize(kdata, sizeof(kdata));
    }
    if (r != CCID_OK)
        return SW_EXEC_ERROR();
    res_APDU_size = wrap_len;
    return SW_OK();
 }
--- a/src/hsm/cmd_keypair_gen.c
+++ b/src/hsm/cmd_keypair_gen.c
@@ -0,0 +1,149 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "files.h"
 #include "asn1.h"
 #include "cvc.h"
 #include "oid.h"
 #include "random.h"
 #include "kek.h"
 int cmd_keypair_gen() {
    uint8_t key_id = P1(apdu);
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    int ret = 0;
    size_t tout = 0;
    //sc_asn1_print_tags(apdu.data, apdu.nc);
    uint8_t *p = NULL;
    if (asn1_find_tag(apdu.data, apdu.nc, 0x7f49, &tout, &p) && tout > 0 && p != NULL) {
        size_t oid_len = 0;
        uint8_t *oid = NULL;
        if (asn1_find_tag(p, tout, 0x6, &oid_len, &oid) && oid_len > 0 && oid != NULL) {
            if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) { //RSA
                size_t ex_len = 3, ks_len = 2;
                uint8_t *ex = NULL, *ks = NULL;
                uint32_t exponent = 65537, key_size = 2048;
                if (asn1_find_tag(p, tout, 0x82, &ex_len, &ex) && ex_len > 0 && ex != NULL) {
                    uint8_t *dt = ex;
                    exponent = 0;
                    for (int i = 0; i < ex_len; i++) {
                        exponent = (exponent << 8) | *dt++;
                    }
                }
                if (asn1_find_tag(p, tout, 0x2, &ks_len, &ks) && ks_len > 0 && ks != NULL) {
                    uint8_t *dt = ks;
                    key_size = 0;
                    for (int i = 0; i < ks_len; i++) {
                        key_size = (key_size << 8) | *dt++;
                    }
                }
                printf("KEYPAIR RSA %ld (%lx)\r\n",key_size,exponent);
                mbedtls_rsa_context rsa;
                mbedtls_rsa_init(&rsa);
                uint8_t index = 0;
                ret = mbedtls_rsa_gen_key(&rsa, random_gen, &index, key_size, exponent);
                if (ret != 0) {
                        mbedtls_rsa_free(&rsa);
                    return SW_EXEC_ERROR();
                }
                if ((res_APDU_size = asn1_cvc_aut(&rsa, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
                    return SW_EXEC_ERROR();
                }
 	            ret = store_keys(&rsa, HSM_KEY_RSA, key_id);
 	            if (ret != CCID_OK) {
                    mbedtls_rsa_free(&rsa);
                    return SW_EXEC_ERROR();
                }
                mbedtls_rsa_free(&rsa);
            }
            else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256,MIN(oid_len,10)) == 0) { //ECC
                size_t prime_len;
                uint8_t *prime = NULL;
                if (asn1_find_tag(p, tout, 0x81, &prime_len, &prime) != true)
                    return SW_WRONG_DATA();
                mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime, prime_len);
                printf("KEYPAIR ECC %d\r\n",ec_id);
                if (ec_id == MBEDTLS_ECP_DP_NONE) {
                    return SW_FUNC_NOT_SUPPORTED();
                }
                mbedtls_ecdsa_context ecdsa;
                mbedtls_ecdsa_init(&ecdsa);
                uint8_t index = 0;
                ret = mbedtls_ecdsa_genkey(&ecdsa, ec_id, random_gen, &index);
                if (ret != 0) {
                    mbedtls_ecdsa_free(&ecdsa);
                    return SW_EXEC_ERROR();
                }
                size_t l91 = 0, ext_len = 0;
                uint8_t *p91 = NULL, *ext = NULL;
                if (asn1_find_tag(apdu.data, apdu.nc, 0x91, &l91, &p91) && p91 != NULL && l91 > 0) {
                    for (int n = 0; n < l91; n++) {
                        if (p91[n] == ALGO_EC_DH_XKEK) {
                            size_t l92 = 0;
                            uint8_t *p92 = NULL;
                            if (!asn1_find_tag(apdu.data, apdu.nc, 0x92, &l92, &p92) || p92 == NULL || l92 == 0)
                                return SW_WRONG_DATA();
                            if (p92[0] > MAX_KEY_DOMAINS)
                                return SW_WRONG_DATA();
                            file_t *tf_xkek = search_dynamic_file(EF_XKEK+p92[0]);
                            if (!tf_xkek)
                                return SW_WRONG_DATA();
                            ext_len = 2+2+strlen(OID_ID_KEY_DOMAIN_UID)+2+file_get_size(tf_xkek);
                            ext = (uint8_t *)calloc(1, ext_len);
                            uint8_t *pe = ext;
                            *pe++ = 0x73;
                            *pe++ = ext_len-2;
                            *pe++ = 0x6;
                            *pe++ = strlen(OID_ID_KEY_DOMAIN_UID);
                            memcpy(pe, OID_ID_KEY_DOMAIN_UID, strlen(OID_ID_KEY_DOMAIN_UID));
                            pe += strlen(OID_ID_KEY_DOMAIN_UID);
                            *pe++ = 0x80;
                            *pe++ = file_get_size(tf_xkek);
                            memcpy(pe, file_get_data(tf_xkek), file_get_size(tf_xkek));
                        }
                    }
                }
                if ((res_APDU_size = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) {
                    return SW_EXEC_ERROR();
                }
 	            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
 	            if (ret != CCID_OK) {
                    mbedtls_ecdsa_free(&ecdsa);
                    return SW_EXEC_ERROR();
                }
                mbedtls_ecdsa_free(&ecdsa);
            }
        }
    }
    else
        return SW_WRONG_DATA();
    if (find_and_store_meta_key(key_id) != CCID_OK)
        return SW_EXEC_ERROR();
    file_t *fpk = file_new((EE_CERTIFICATE_PREFIX << 8) | key_id);
    ret = flash_write_data_to_file(fpk, res_APDU, res_APDU_size);
    if (ret != 0)
        return SW_EXEC_ERROR();
    if (apdu.ne == 0)
        apdu.ne = res_APDU_size;
    low_flash_available();
    return SW_OK();
 }
--- a/src/hsm/cmd_list_keys.c
+++ b/src/hsm/cmd_list_keys.c
@@ -0,0 +1,60 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "files.h"
 int cmd_list_keys()
 {
    /* First we send DEV private key */
    /* Both below conditions should be always TRUE */
    if (search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF)) {
        res_APDU[res_APDU_size++] = EF_PRKD_DEV >> 8;
        res_APDU[res_APDU_size++] = EF_PRKD_DEV & 0xff;
    }
    if (search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF)) {
        res_APDU[res_APDU_size++] = EF_KEY_DEV >> 8;
        res_APDU[res_APDU_size++] = EF_KEY_DEV & 0xff;
    }
    //first CC
    for (int i = 0; i < dynamic_files; i++) {
        file_t *f = &dynamic_file[i];
        if ((f->fid & 0xff00) == (PRKD_PREFIX << 8)) {
            res_APDU[res_APDU_size++] = PRKD_PREFIX;
            res_APDU[res_APDU_size++] = f->fid & 0xff;
            res_APDU[res_APDU_size++] = KEY_PREFIX;
            res_APDU[res_APDU_size++] = f->fid & 0xff;
        }
    }
    //second CD
    for (int i = 0; i < dynamic_files; i++) {
        file_t *f = &dynamic_file[i];
        if ((f->fid & 0xff00) == (CD_PREFIX << 8)) {
            res_APDU[res_APDU_size++] = CD_PREFIX;
            res_APDU[res_APDU_size++] = f->fid & 0xff;
        }
    }
    for (int i = 0; i < dynamic_files; i++) {
        file_t *f = &dynamic_file[i];
        if ((f->fid & 0xff00) == (DCOD_PREFIX << 8)) {
            res_APDU[res_APDU_size++] = DCOD_PREFIX;
            res_APDU[res_APDU_size++] = f->fid & 0xff;
        }
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_mse.c
+++ b/src/hsm/cmd_mse.c
@@ -0,0 +1,75 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "asn1.h"
 #include "oid.h"
 #include "eac.h"
 #include "files.h"
 #include "cvc.h"
 file_t *ef_puk_aut = NULL;
 int cmd_mse() {
    int p1 = P1(apdu);
    int p2 = P2(apdu);
    if (p2 != 0xA4 && p2 != 0xA6 && p2 != 0xAA && p2 != 0xB4 && p2 != 0xB6 && p2 != 0xB8)
        return SW_INCORRECT_P1P2();
    if (p1 & 0x1) { //SET
        uint16_t tag = 0x0;
        uint8_t *tag_data = NULL, *p = NULL;
        size_t tag_len = 0;
        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
            if (tag == 0x80) {
                if (p2 == 0xA4) {
                    if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_AES_CBC_CMAC_128, tag_len) == 0)
                        sm_set_protocol(MSE_AES);
                }
            }
            else if (tag == 0x83) {
                if (tag_len == 1) {
                }
                else {
                    if (p2 == 0xB6) {
                        if (puk_store_select_chr(tag_data) == CCID_OK)
                            return SW_OK();
                    }
                    else if (p2 == 0xA4) { /* Aut */
                        for (int i = 0; i < MAX_PUK; i++) {
                            file_t *ef = search_dynamic_file(EF_PUK+i);
                            if (!ef)
                                break;
                            if (ef->data == NULL || file_get_size(ef) == 0)
                                break;
                            size_t chr_len = 0;
                            const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
                            if (memcmp(chr, tag_data, chr_len) == 0) {
                                ef_puk_aut = ef;
                                return SW_OK();
                            }
                        }
                    }
                    return SW_REFERENCE_NOT_FOUND();
                }
            }
        }
    }
    else
        return SW_INCORRECT_P1P2();
    return SW_OK();
 }
--- a/src/hsm/cmd_pso.c
+++ b/src/hsm/cmd_pso.c
@@ -0,0 +1,136 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "oid.h"
 #include "asn1.h"
 #include "cvc.h"
 extern int add_cert_puk_store(const uint8_t *data, size_t data_len, bool copy);
 extern PUK *current_puk;
 int cmd_pso() {
    uint8_t p1 = P1(apdu), p2 = P2(apdu);
    if (p1 == 0x0 && (p2 == 0x92 || p2 == 0xAE || p2 == 0xBE)) { /* Verify certificate */
        if (apdu.nc == 0)
            return SW_WRONG_LENGTH();
        if (current_puk == NULL)
            return SW_REFERENCE_NOT_FOUND();
        if (apdu.data[0] != 0x7F || apdu.data[1] != 0x21) {
            uint8_t tlv_len = 2+format_tlv_len(apdu.nc, NULL);
            memmove(apdu.data+tlv_len, apdu.data, apdu.nc);
            memcpy(apdu.data, "\x7F\x21", 2);
            format_tlv_len(apdu.nc, apdu.data+2);
            apdu.nc += tlv_len;
        }
        int r = cvc_verify(apdu.data, apdu.nc, current_puk->cvcert, current_puk->cvcert_len);
        if (r != CCID_OK) {
            if (r == CCID_WRONG_DATA)
                return SW_DATA_INVALID();
            else if (r == CCID_WRONG_SIGNATURE)
                return SW_CONDITIONS_NOT_SATISFIED();
            return SW_EXEC_ERROR();
        }
        for (int i = 0; i < 0xfe; i++) {
            uint16_t fid = (CA_CERTIFICATE_PREFIX << 8) | i;
            file_t *ca_ef = search_dynamic_file(fid);
            if (!ca_ef) {
                ca_ef = file_new(fid);
                flash_write_data_to_file(ca_ef, apdu.data, apdu.nc);
                if (add_cert_puk_store(file_get_data(ca_ef), file_get_size(ca_ef), false) != CCID_OK)
                    return SW_FILE_FULL();
                size_t chr_len = 0;
                const uint8_t *chr = cvc_get_chr(apdu.data, apdu.nc, &chr_len);
                if (chr == NULL)
                    return SW_WRONG_DATA();
                size_t puk_len = 0, puk_bin_len = 0;
                const uint8_t *puk = cvc_get_pub(apdu.data, apdu.nc, &puk_len), *puk_bin = NULL;
                if (puk == NULL)
                    return SW_WRONG_DATA();
                size_t oid_len = 0;
                const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
                if (oid == NULL)
                    return SW_WRONG_DATA();
                if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
                    puk_bin = cvc_get_field(puk, puk_len, &puk_bin_len, 0x81);
                    if (!puk_bin)
                        return SW_WRONG_DATA();
                }
                else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
                    mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(apdu.data, apdu.nc);
                    mbedtls_ecp_group grp;
                    mbedtls_ecp_group_init(&grp);
                    if (mbedtls_ecp_group_load(&grp, ec_id) != 0) {
                        mbedtls_ecp_group_free(&grp);
                        return SW_WRONG_DATA();
                    }
                    size_t plen = mbedtls_mpi_size(&grp.P);
                    size_t t86_len = 0;
                    const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
                    if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
                        if (plen != t86_len) {
                            mbedtls_ecp_group_free(&grp);
                            return SW_WRONG_DATA();
                        }
                        puk_bin = t86;
                        puk_bin_len = t86_len;
                    }
                    else if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
                        if (t86[0] == 0x2 || t86[0] == 0x3) {
                            if (t86_len != plen+1) {
                                mbedtls_ecp_group_free(&grp);
                                return SW_WRONG_DATA();
                            }
                        }
                        else if (t86[0] == 0x4) {
                            if (t86_len != 2*plen+1) {
                                mbedtls_ecp_group_free(&grp);
                                return SW_WRONG_DATA();
                            }
                        }
                        else {
                            mbedtls_ecp_group_free(&grp);
                            return SW_WRONG_DATA();
                        }
                        puk_bin = t86+1;
                        puk_bin_len = plen;
                    }
                    mbedtls_ecp_group_free(&grp);
                    if (!puk_bin)
                        return SW_WRONG_DATA();
                }
                file_t *cd_ef = file_new((CD_PREFIX << 8) | i);
                size_t cd_len = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, NULL, 0);
                if (cd_len == 0)
                    return SW_EXEC_ERROR();
                uint8_t *buf = (uint8_t *)calloc(cd_len, sizeof(uint8_t));
                int r = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, buf, cd_len);
                flash_write_data_to_file(cd_ef, buf, cd_len);
                free(buf);
                if (r == 0)
                    return SW_EXEC_ERROR();
                low_flash_available();
                break;
            }
        }
        return SW_OK();
    }
    else
        return SW_INCORRECT_P1P2();
    return SW_OK();
 }
--- a/src/hsm/cmd_puk_auth.c
+++ b/src/hsm/cmd_puk_auth.c
@@ -0,0 +1,85 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "files.h"
 #include "cvc.h"
 int cmd_puk_auth() {
    uint8_t p1 = P1(apdu), p2 = P2(apdu);
    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
        return SW_FILE_NOT_FOUND();
    uint8_t *puk_data = file_get_data(ef_puk);
    if (apdu.nc > 0) {
        if (p1 == 0x0 || p1 == 0x1) {
            file_t *ef = NULL;
            if (p1 == 0x0) { /* Add */
                if (p2 != 0x0)
                    return SW_INCORRECT_P1P2();
                for (int i = 0; i < puk_data[0]; i++) {
                    ef = search_dynamic_file(EF_PUK+i);
                    if (!ef) /* Never should not happen */
                        return SW_MEMORY_FAILURE();
                    if (ef->data == NULL || file_get_size(ef) == 0) /* found first empty slot */
                        break;
                }
                uint8_t *tmp = (uint8_t *)calloc(file_get_size(ef_puk), sizeof(uint8_t));
                memcpy(tmp, puk_data, file_get_size(ef_puk));
                tmp[1] = puk_data[1]-1;
                flash_write_data_to_file(ef_puk, tmp, file_get_size(ef_puk));
                puk_data = file_get_data(ef_puk);
                free(tmp);
            }
            else if (p1 == 0x1) { /* Replace */
                if (p2 >= puk_data[0])
                    return SW_INCORRECT_P1P2();
                ef = search_dynamic_file(EF_PUK+p2);
                if (!ef) /* Never should not happen */
                    return SW_MEMORY_FAILURE();
            }
            flash_write_data_to_file(ef, apdu.data, apdu.nc);
            low_flash_available();
        }
        else
            return SW_INCORRECT_P1P2();
    }
    if (p1 == 0x2) {
        if (p2 >= puk_data[0])
            return SW_INCORRECT_P1P2();
        file_t *ef = search_dynamic_file(EF_PUK+p2);
        if (!ef)
            return SW_INCORRECT_P1P2();
        if (ef->data == NULL || file_get_size(ef) == 0)
            return SW_REFERENCE_NOT_FOUND();
        size_t chr_len = 0;
        const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
        if (chr) {
            memcpy(res_APDU, chr, chr_len);
            res_APDU_size = chr_len;
        }
        return set_res_sw(0x90, puk_status[p2]);
    }
    else {
        memcpy(res_APDU, puk_data, 3);
        res_APDU[3] = 0;
        for (int i = 0; i < puk_data[0]; i++)
            res_APDU[3] += puk_status[i];
        res_APDU_size = 4;
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_read_binary.c
+++ b/src/hsm/cmd_read_binary.c
@@ -0,0 +1,90 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 int cmd_read_binary() {
    uint16_t fid = 0x0;
    uint32_t offset = 0;
    uint8_t ins = INS(apdu), p1 = P1(apdu), p2 = P2(apdu);
    const file_t *ef = NULL;
    if ((ins & 0x1) == 0)
    {
        if ((p1 & 0x80) != 0) {
            if (!(ef = search_by_fid(p1&0x1f, NULL, SPECIFY_EF)))
                return SW_FILE_NOT_FOUND ();
            offset = p2;
        }
        else {
            offset = make_uint16_t(p1, p2) & 0x7fff;
            ef = currentEF;
        }
    }
    else {
        if (p1 == 0 && (p2 & 0xE0) == 0 && (p2 & 0x1f) != 0 && (p2 & 0x1f) != 0x1f) {
            if (!(ef = search_by_fid(p2&0x1f, NULL, SPECIFY_EF)))
                return SW_FILE_NOT_FOUND ();
        }
        else {
            uint16_t file_id = make_uint16_t(p1, p2); // & 0x7fff;
            if (file_id == 0x0)
                ef = currentEF;
            else if (!(ef = search_by_fid(file_id, NULL, SPECIFY_EF)) && !(ef = search_dynamic_file(file_id)))
                return SW_FILE_NOT_FOUND ();
            if (apdu.data[0] != 0x54)
                return SW_WRONG_DATA();
            offset = 0;
            for (int d = 0; d < apdu.data[1]; d++)
                offset |= apdu.data[2+d]<<(apdu.data[1]-1-d)*8;
        }
    }
    if ((fid >> 8) == KEY_PREFIX || !authenticate_action(ef, ACL_OP_READ_SEARCH)) {
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    }
    if (ef->data) {
        if ((ef->type & FILE_DATA_FUNC) == FILE_DATA_FUNC) {
            uint16_t data_len = ((int (*)(const file_t *, int))(ef->data))((const file_t *)ef, 1); //already copies content to res_APDU
            if (offset > data_len)
                return SW_WRONG_P1P2();
            uint16_t maxle = data_len-offset;
            if (apdu.ne > maxle)
                apdu.ne = maxle;
            if (offset) {
                memmove(res_APDU, res_APDU+offset, res_APDU_size-offset);
                //res_APDU += offset;
                res_APDU_size -= offset;
            }
        }
        else {
            uint16_t data_len = file_get_size(ef);
            if (offset > data_len)
                return SW_WRONG_P1P2();
            uint16_t maxle = data_len-offset;
            if (apdu.ne > maxle)
                apdu.ne = maxle;
            memcpy(res_APDU, file_get_data(ef)+offset, data_len-offset);
            res_APDU_size = data_len-offset;
        }
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_reset_retry.c
+++ b/src/hsm/cmd_reset_retry.c
@@ -0,0 +1,95 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "kek.h"
 int cmd_reset_retry() {
    if (P2(apdu) != 0x81)
        return SW_REFERENCE_NOT_FOUND();
    if (!file_sopin || !file_pin1) {
        return SW_FILE_NOT_FOUND();
    }
    if (!file_sopin->data) {
        return SW_REFERENCE_NOT_FOUND();
    }
    uint16_t opts = get_device_options();
    if (!(opts & HSM_OPT_RRC))
        return SW_COMMAND_NOT_ALLOWED();
    if (P1(apdu) == 0x0 || P1(apdu) == 0x2) {
        int newpin_len = 0;
        if (P1(apdu) == 0x0) {
            if (apdu.nc <= 8)
                return SW_WRONG_LENGTH();
            uint16_t r = check_pin(file_sopin, apdu.data, 8);
            if (r != 0x9000)
                return r;
            newpin_len = apdu.nc-8;
            has_session_sopin = true;
            hash_multi(apdu.data, 8, session_sopin);
        }
        else if (P1(apdu) == 0x2) {
            if (!has_session_sopin)
                return SW_CONDITIONS_NOT_SATISFIED();
            if (apdu.nc > 16)
                return SW_WRONG_LENGTH();
            newpin_len = apdu.nc;
        }
        uint8_t dhash[33];
        dhash[0] = newpin_len;
        double_hash_pin(apdu.data+(apdu.nc-newpin_len), newpin_len, dhash+1);
        flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
        if (pin_reset_retries(file_pin1, true) != CCID_OK)
            return SW_MEMORY_FAILURE();
        uint8_t mkek[MKEK_SIZE];
        int r = load_mkek(mkek); //loads the MKEK with SO pin
        if (r != CCID_OK)
            return SW_EXEC_ERROR();
        hash_multi(apdu.data+(apdu.nc-newpin_len), newpin_len, session_pin);
        has_session_pin = true;
        r = store_mkek(mkek);
        release_mkek(mkek);
        if (r != CCID_OK)
            return SW_EXEC_ERROR();
        low_flash_available();
        return SW_OK();
    }
    else if (P1(apdu) == 0x1 || P1(apdu) == 0x3) {
        if (!(opts & HSM_OPT_RRC_RESET_ONLY))
            return SW_COMMAND_NOT_ALLOWED();
        if (P1(apdu) == 0x1) {
            if (apdu.nc != 8)
                return SW_WRONG_LENGTH();
            uint16_t r = check_pin(file_sopin, apdu.data, 8);
            if (r != 0x9000)
                return r;
            has_session_sopin = true;
            hash_multi(apdu.data, 8, session_sopin);
        }
        else if (P1(apdu) == 0x3) {
            if (!has_session_sopin)
                return SW_CONDITIONS_NOT_SATISFIED();
            if (apdu.nc != 0)
                return SW_WRONG_LENGTH();
        }
        if (pin_reset_retries(file_pin1, true) != CCID_OK)
            return SW_MEMORY_FAILURE();
        return SW_OK();
    }
    return SW_INCORRECT_P1P2();
 }
--- a/src/hsm/cmd_select.c
+++ b/src/hsm/cmd_select.c
@@ -0,0 +1,132 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "version.h"
 void select_file(file_t *pe) {
    if (!pe)
    {
        currentDF = (file_t *)MF;
        currentEF = NULL;
    }
    else if (pe->type & FILE_TYPE_INTERNAL_EF) {
        currentEF = pe;
        currentDF = &file_entries[pe->parent];
    }
    else {
        currentDF = pe;
    }
    if (currentEF == file_openpgp || currentEF == file_sc_hsm) {
        selected_applet = currentEF;
        //sc_hsm_unload(); //reset auth status
    }
 }
 int cmd_select() {
    uint8_t p1 = P1(apdu);
    uint8_t p2 = P2(apdu);
    file_t *pe = NULL;
    uint16_t fid = 0x0;
    // Only "first or only occurence" supported
    //if ((p2 & 0xF3) != 0x00) {
    //    return SW_INCORRECT_P1P2();
    //}
    if (apdu.nc >= 2)
        fid = get_uint16_t(apdu.data, 0);
    //if ((fid & 0xff00) == (KEY_PREFIX << 8))
    //    fid = (PRKD_PREFIX << 8) | (fid & 0xff);
    uint8_t pfx = fid >> 8;
    if (pfx == PRKD_PREFIX ||
        pfx == CD_PREFIX ||
        pfx == CA_CERTIFICATE_PREFIX ||
        pfx == KEY_PREFIX ||
        pfx == EE_CERTIFICATE_PREFIX ||
        pfx == DCOD_PREFIX ||
        pfx == DATA_PREFIX ||
        pfx == PROT_DATA_PREFIX) {
        if (!(pe = search_dynamic_file(fid)) && !(pe = search_by_fid(fid, NULL, SPECIFY_EF)))
            return SW_FILE_NOT_FOUND();
    }
    if (!pe) {
        if (p1 == 0x0) { //Select MF, DF or EF - File identifier or absent
            if (apdu.nc == 0) {
            	pe = (file_t *)MF;
            	//ac_fini();
            }
            else if (apdu.nc == 2) {
                if (!(pe = search_by_fid(fid, NULL, SPECIFY_ANY))) {
                    return SW_FILE_NOT_FOUND();
                }
            }
        }
        else if (p1 == 0x01) { //Select child DF - DF identifier
            if (!(pe = search_by_fid(fid, currentDF, SPECIFY_DF))) {
                return SW_FILE_NOT_FOUND();
            }
        }
        else if (p1 == 0x02) { //Select EF under the current DF - EF identifier
            if (!(pe = search_by_fid(fid, currentDF, SPECIFY_EF))) {
                return SW_FILE_NOT_FOUND();
            }
        }
        else if (p1 == 0x03) { //Select parent DF of the current DF - Absent
            if (apdu.nc != 0)
                return SW_FILE_NOT_FOUND();
        }
        else if (p1 == 0x04) { //Select by DF name - e.g., [truncated] application identifier
            if (!(pe = search_by_name(apdu.data, apdu.nc))) {
                return SW_FILE_NOT_FOUND();
            }
            if (card_terminated) {
                return set_res_sw(0x62, 0x85);
            }
        }
        else if (p1 == 0x08) { //Select from the MF - Path without the MF identifier
            if (!(pe = search_by_path(apdu.data, apdu.nc, MF))) {
                return SW_FILE_NOT_FOUND();
            }
        }
        else if (p1 == 0x09) { //Select from the current DF - Path without the current DF identifier
            if (!(pe = search_by_path(apdu.data, apdu.nc, currentDF))) {
                return SW_FILE_NOT_FOUND();
            }
        }
    }
    if ((p2 & 0xfc) == 0x00 || (p2 & 0xfc) == 0x04) {
        process_fci(pe,0);
        if (pe == file_sc_hsm) {
            res_APDU[res_APDU_size++] = 0x85;
            res_APDU[res_APDU_size++] = 5;
            uint16_t opts = get_device_options();
            res_APDU[res_APDU_size++] = opts >> 8;
            res_APDU[res_APDU_size++] = opts & 0xff;
            res_APDU[res_APDU_size++] = 0xFF;
            res_APDU[res_APDU_size++] = HSM_VERSION_MAJOR;
            res_APDU[res_APDU_size++] = HSM_VERSION_MINOR;
            res_APDU[1] = res_APDU_size-2;
        }
    }
    else
        return SW_INCORRECT_P1P2();
    select_file(pe);
    return SW_OK ();
 }
--- a/src/hsm/cmd_session_pin.c
+++ b/src/hsm/cmd_session_pin.c
@@ -0,0 +1,34 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "random.h"
 #include "eac.h"
 int cmd_session_pin() {
    if (P1(apdu) == 0x01 && P2(apdu) == 0x81) {
        memcpy(sm_session_pin, random_bytes_get(8), 8);
        sm_session_pin_len = 8;
        memcpy(res_APDU, sm_session_pin, sm_session_pin_len);
        res_APDU_size = sm_session_pin_len;
        apdu.ne = sm_session_pin_len;
    }
    else
        return SW_INCORRECT_P1P2();
    return SW_OK();
 }
--- a/src/hsm/cmd_signature.c
+++ b/src/hsm/cmd_signature.c
@@ -0,0 +1,241 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "asn1.h"
 #include "mbedtls/oid.h"
 #include "random.h"
 //-----
 /* From OpenSC */
 static const uint8_t hdr_md5[] = {
 	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7,
 	0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
 };
 static const uint8_t hdr_sha1[] = {
 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
 	0x05, 0x00, 0x04, 0x14
 };
 static const uint8_t hdr_sha256[] = {
 	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
 	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
 };
 static const uint8_t hdr_sha384[] = {
 	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
 	0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
 };
 static const uint8_t hdr_sha512[] = {
 	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
 	0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
 };
 static const uint8_t hdr_sha224[] = {
 	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
 	0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
 };
 static const uint8_t hdr_ripemd160[] = {
 	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x01,
 	0x05, 0x00, 0x04, 0x14
 };
 static const struct digest_info_prefix {
 	mbedtls_md_type_t algorithm;
 	const uint8_t *	hdr;
 	size_t hdr_len;
 	size_t hash_len;
 } digest_info_prefix[] = {
      {	MBEDTLS_MD_MD5,	hdr_md5, sizeof(hdr_md5), 16 },
      { MBEDTLS_MD_SHA1, hdr_sha1, sizeof(hdr_sha1), 20	},
      { MBEDTLS_MD_SHA256, hdr_sha256, sizeof(hdr_sha256), 32 },
      { MBEDTLS_MD_SHA384, hdr_sha384, sizeof(hdr_sha384), 48 },
      { MBEDTLS_MD_SHA512, hdr_sha512, sizeof(hdr_sha512), 64 },
      { MBEDTLS_MD_SHA224, hdr_sha224, sizeof(hdr_sha224), 28 },
      { MBEDTLS_MD_RIPEMD160,hdr_ripemd160,	sizeof(hdr_ripemd160), 20 },
      {	0, NULL, 0,	0 }
 };
 int pkcs1_strip_digest_info_prefix(mbedtls_md_type_t *algorithm, const uint8_t *in_dat, size_t in_len, uint8_t *out_dat, size_t *out_len)
 {
 	for (int i = 0; digest_info_prefix[i].algorithm != 0; i++) {
 		size_t hdr_len = digest_info_prefix[i].hdr_len, hash_len = digest_info_prefix[i].hash_len;
 		const uint8_t *hdr = digest_info_prefix[i].hdr;
 		if (in_len == (hdr_len + hash_len) && !memcmp(in_dat, hdr, hdr_len)) {
 			if (algorithm)
 				*algorithm = digest_info_prefix[i].algorithm;
 			if (out_dat == NULL)
 				return CCID_OK;
 			if (*out_len < hash_len)
 				return CCID_WRONG_DATA;
 			memmove(out_dat, in_dat + hdr_len, hash_len);
 			*out_len = hash_len;
 			return CCID_OK;
 		}
 	}
 	return CCID_EXEC_ERROR;
 }
 //-----
 int cmd_signature() {
    uint8_t key_id = P1(apdu);
    uint8_t p2 = P2(apdu);
    mbedtls_md_type_t md = MBEDTLS_MD_NONE;
    file_t *fkey;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
        return SW_FILE_NOT_FOUND();
    if (get_key_counter(fkey) == 0)
        return SW_FILE_FULL();
    if (key_has_purpose(fkey, p2) == false)
        return SW_CONDITIONS_NOT_SATISFIED();
    int key_size = file_get_size(fkey);
    if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1)
        md = MBEDTLS_MD_SHA1;
    else if (p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS_SHA256 || p2 == ALGO_EC_SHA256)
        md = MBEDTLS_MD_SHA256;
    else if (p2 == ALGO_EC_SHA224)
        md = MBEDTLS_MD_SHA224;
    if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1 || p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS_SHA256 || p2 == ALGO_EC_SHA256 || p2 == ALGO_EC_SHA224) {
        generic_hash(md, apdu.data, apdu.nc, apdu.data);
        apdu.nc = mbedtls_md_get_size(mbedtls_md_info_from_type(md));
    }
    if (p2 >= ALGO_RSA_RAW && p2 <= ALGO_RSA_PSS_SHA512) {
        mbedtls_rsa_context ctx;
        mbedtls_rsa_init(&ctx);
        int r;
        r = load_private_key_rsa(&ctx, fkey);
        if (r != CCID_OK) {
            mbedtls_rsa_free(&ctx);
            if (r == CCID_VERIFICATION_FAILED)
                return SW_SECURE_MESSAGE_EXEC_ERROR();
            return SW_EXEC_ERROR();
        }
        uint8_t *hash = apdu.data;
        size_t hash_len = apdu.nc;
        if (p2 == ALGO_RSA_PKCS1) { //DigestInfo attached
            size_t nc = apdu.nc;
            if (pkcs1_strip_digest_info_prefix(&md, apdu.data, apdu.nc, apdu.data, &nc) != CCID_OK) //gets the MD algo id and strips it off
                return SW_EXEC_ERROR();
            apdu.nc = nc;
        }
        else {
            //sc_asn1_print_tags(apdu.data, apdu.nc);
            size_t tout = 0, oid_len = 0;
            uint8_t *p = NULL, *oid = NULL;
            if (asn1_find_tag(apdu.data, apdu.nc, 0x30, &tout, &p) && tout > 0 && p != NULL) {
                size_t tout30 = 0;
                uint8_t *c30 = NULL;
                if (asn1_find_tag(p, tout, 0x30, &tout30, &c30) && tout30 > 0 && c30 != NULL) {
                    asn1_find_tag(c30, tout30, 0x6, &oid_len, &oid);
                }
                asn1_find_tag(p, tout, 0x4, &hash_len, &hash);
            }
            if (oid && oid_len > 0) {
                if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA1, oid_len) == 0)
                    md = MBEDTLS_MD_SHA1;
                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA224, oid_len) == 0)
                    md = MBEDTLS_MD_SHA224;
                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA256, oid_len) == 0)
                    md = MBEDTLS_MD_SHA256;
                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA384, oid_len) == 0)
                    md = MBEDTLS_MD_SHA384;
                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA512, oid_len) == 0)
                    md = MBEDTLS_MD_SHA512;
            }
            if (p2 >= ALGO_RSA_PSS && p2 <= ALGO_RSA_PSS_SHA512) {
                if (p2 == ALGO_RSA_PSS && !oid) {
                    if (apdu.nc == 20) //default is sha1
                        md = MBEDTLS_MD_SHA1;
                    else if (apdu.nc == 28)
                        md = MBEDTLS_MD_SHA224;
                    else if (apdu.nc == 32)
                        md = MBEDTLS_MD_SHA256;
                    else if (apdu.nc == 48)
                        md = MBEDTLS_MD_SHA384;
                    else if (apdu.nc == 64)
                        md = MBEDTLS_MD_SHA512;
                }
                mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, md);
            }
        }
        if (md == MBEDTLS_MD_NONE) {
            if (apdu.nc < key_size) //needs padding
                memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
            r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
        }
        else {
            uint8_t *signature = (uint8_t *)calloc(key_size, sizeof(uint8_t));
            r = mbedtls_rsa_pkcs1_sign(&ctx, random_gen, NULL, md, hash_len, hash, signature);
            memcpy(res_APDU, signature, key_size);
            free(signature);
        }
        if (r != 0) {
            mbedtls_rsa_free(&ctx);
            return SW_EXEC_ERROR();
        }
        res_APDU_size = key_size;
        apdu.ne = key_size;
        mbedtls_rsa_free(&ctx);
    }
    else if (p2 >= ALGO_EC_RAW && p2 <= ALGO_EC_SHA512) {
        mbedtls_ecdsa_context ctx;
        mbedtls_ecdsa_init(&ctx);
        md = MBEDTLS_MD_SHA256;
        if (p2 == ALGO_EC_RAW) {
            if (apdu.nc == 32)
                md = MBEDTLS_MD_SHA256;
            else if (apdu.nc == 20)
                md = MBEDTLS_MD_SHA1;
            else if (apdu.nc == 28)
                md = MBEDTLS_MD_SHA224;
            else if (apdu.nc == 48)
                md = MBEDTLS_MD_SHA384;
            else if (apdu.nc == 64)
                md = MBEDTLS_MD_SHA512;
        }
        if (p2 == ALGO_EC_SHA1)
            md = MBEDTLS_MD_SHA1;
        else if (p2 == ALGO_EC_SHA224)
            md = MBEDTLS_MD_SHA224;
        else if (p2 == ALGO_EC_SHA256)
            md = MBEDTLS_MD_SHA256;
        else if (p2 == ALGO_EC_SHA384)
            md = MBEDTLS_MD_SHA384;
        else if (p2 == ALGO_EC_SHA512)
            md = MBEDTLS_MD_SHA512;
        int r;
        r = load_private_key_ecdsa(&ctx, fkey);
        if (r != CCID_OK) {
            mbedtls_ecdsa_free(&ctx);
            if (r == CCID_VERIFICATION_FAILED)
                return SW_SECURE_MESSAGE_EXEC_ERROR();
            return SW_EXEC_ERROR();
        }
        size_t olen = 0;
        uint8_t buf[MBEDTLS_ECDSA_MAX_LEN];
        if (mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN, &olen, random_gen, NULL) != 0) {
            mbedtls_ecdsa_free(&ctx);
            return SW_EXEC_ERROR();
        }
        memcpy(res_APDU, buf, olen);
        res_APDU_size = olen;
        mbedtls_ecdsa_free(&ctx);
    }
    else
        return SW_INCORRECT_P1P2();
    decrement_key_counter(fkey);
    return SW_OK();
 }
--- a/src/hsm/cmd_update_ef.c
+++ b/src/hsm/cmd_update_ef.c
@@ -0,0 +1,86 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 #include "asn1.h"
 extern void select_file(file_t *pe);
 int cmd_update_ef() {
    uint8_t p1 = P1(apdu), p2 = P2(apdu);
    uint16_t fid = (p1 << 8) | p2;
    uint8_t *data = NULL;
    uint16_t offset = 0;
    uint16_t data_len = 0;
    file_t *ef = NULL;
    if (!isUserAuthenticated)
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    if (fid == 0x0)
        ef = currentEF;
    else if (p1 != EE_CERTIFICATE_PREFIX && p1 != PRKD_PREFIX && p1 != CA_CERTIFICATE_PREFIX && p1 != CD_PREFIX && p1 != DATA_PREFIX && p1 != DCOD_PREFIX && p1 != PROT_DATA_PREFIX)
        return SW_INCORRECT_P1P2();
    if (ef && !authenticate_action(ef, ACL_OP_UPDATE_ERASE))
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    uint16_t tag = 0x0;
    uint8_t *tag_data = NULL, *p = NULL;
    size_t tag_len = 0;
    while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
        if (tag == 0x54) { //ofset tag
            for (int i = 1; i <= tag_len; i++)
                offset |= (*tag_data++ << (8*(tag_len-i)));
        }
        else if (tag == 0x53) { //data
            data_len = tag_len;
            data = tag_data;
        }
    }
    if (data_len == 0 && offset == 0) { //new file
        ef = file_new(fid);
        //if ((fid & 0xff00) == (EE_CERTIFICATE_PREFIX << 8))
        //    add_file_to_chain(ef, &ef_pukdf);
        select_file(ef);
    }
    else {
        if (fid == 0x0 && !ef)
            return SW_FILE_NOT_FOUND();
        else if (fid != 0x0 && !(ef = search_by_fid(fid, NULL, SPECIFY_EF)) && !(ef = search_dynamic_file(fid))) { //if does not exist, create it
            //return SW_FILE_NOT_FOUND();
            ef = file_new(fid);
        }
        if (offset == 0) {
            int r = flash_write_data_to_file(ef, data, data_len);
            if (r != CCID_OK)
                return SW_MEMORY_FAILURE();
        }
        else {
            if (!ef->data)
                return SW_DATA_INVALID();
            uint8_t *data_merge = (uint8_t *)calloc(1, offset+data_len);
            memcpy(data_merge, file_get_data(ef), offset);
            memcpy(data_merge+offset, data, data_len);
            int r = flash_write_data_to_file(ef, data_merge, offset+data_len);
            free(data_merge);
            if (r != CCID_OK)
                return SW_MEMORY_FAILURE();
        }
        low_flash_available();
    }
    return SW_OK();
 }
--- a/src/hsm/cmd_verify.c
+++ b/src/hsm/cmd_verify.c
@@ -0,0 +1,58 @@
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "sc_hsm.h"
 int cmd_verify() {
    uint8_t p1 = P1(apdu);
    uint8_t p2 = P2(apdu);
    if (p1 != 0x0 || (p2 & 0x60) != 0x0)
        return SW_WRONG_P1P2();
    if (p2 == 0x81) { //UserPin
        uint16_t opts = get_device_options();
        if (opts & HSM_OPT_TRANSPORT_PIN)
            return SW_DATA_INVALID();
        if (has_session_pin && apdu.nc == 0)
            return SW_OK();
        if (*file_get_data(file_pin1) == 0 && pka_enabled() == false) //not initialized
            return SW_REFERENCE_NOT_FOUND();
        if (apdu.nc > 0) {
            return check_pin(file_pin1, apdu.data, apdu.nc);
        }
        if (file_read_uint8(file_get_data(file_retries_pin1)) == 0)
            return SW_PIN_BLOCKED();
        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_pin1)));
    }
    else if (p2 == 0x88) { //SOPin
        if (file_read_uint8(file_get_data(file_sopin)) == 0) //not initialized
            return SW_REFERENCE_NOT_FOUND();
        if (apdu.nc > 0) {
            return check_pin(file_sopin, apdu.data, apdu.nc);
        }
        if (file_read_uint8(file_get_data(file_retries_sopin)) == 0)
            return SW_PIN_BLOCKED();
        if (has_session_sopin)
            return SW_OK();
        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_sopin)));
    }
    else if (p2 == 0x85) {
        return SW_OK();
    }
    return SW_REFERENCE_NOT_FOUND();
 }
--- a/src/hsm/cvc.c
+++ b/src/hsm/cvc.c
@@ -1,32 +1,35 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #include "common.h"
 #include "cvc.h"
 #include "sc_hsm.h"
 #include "mbedtls/rsa.h"
 #include "mbedtls/ecdsa.h"
 #include "cvcerts.h"
 #include <string.h>
 #include "asn1.h"
 #include "ccid2040.h"
 #include "crypto_utils.h"
 #include "random.h"
 #include "oid.h"
 #include "mbedtls/md.h"
 #include "files.h"
 extern const uint8_t *dev_name;
 extern size_t dev_name_len;
 size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t buf_len) {
    const uint8_t oid_rsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x01, 0x02 };
@@ -109,36 +112,39 @@ size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, siz
    return tot_len;
 }
-size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
    size_t pubkey_size = 0;
    if (key_type == HSM_KEY_RSA)
        pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0);
    else if (key_type == HSM_KEY_EC)
        pubkey_size = asn1_cvc_public_key_ecdsa(rsa_ecdsa, NULL, 0);
    size_t cpi_size = 4;
-    
+    size_t ext_size = 0;
    if (ext && ext_len > 0)
        ext_size = asn1_len_tag(0x65, ext_len);
    uint8_t *car = NULL, *chr = NULL;
    size_t lencar = 0, lenchr = 0;
-    
+
    if (asn1_find_tag(apdu.data, apdu.nc, 0x42, &lencar, &car) == false || lencar == 0 || car == NULL) {
-        car = (uint8_t *)"UTSRCACC100001";
+        car = (uint8_t *)dev_name;
-        lencar = strlen((char *)car);
+        lencar = dev_name_len;
    }
    if (asn1_find_tag(apdu.data, apdu.nc, 0x5f20, &lenchr, &chr) == false || lenchr == 0 || chr == NULL) {
-        chr = (uint8_t *)"ESHSMCVCA00001";
+        chr = (uint8_t *)dev_name;
-        lenchr = strlen((char *)chr);
+        lenchr = dev_name_len;
    }
    size_t car_size = asn1_len_tag(0x42, lencar), chr_size = asn1_len_tag(0x5f20, lenchr);
-    
+
-    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size+car_size+pubkey_size+chr_size);
+    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size+car_size+pubkey_size+chr_size+ext_size);
-    
+
    if (buf_len == 0 || buf == NULL)
        return tot_len;
    if (buf_len < tot_len)
        return 0;
    uint8_t *p = buf;
    memcpy(p, "\x7F\x4E", 2); p += 2;
-    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size, p);
+    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size+ext_size, p);
    //cpi
    *p++ = 0x5f; *p++ = 0x29; *p++ = 1; *p++ = 0;
    //car
@@ -150,16 +156,22 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_
        p += asn1_cvc_public_key_ecdsa(rsa_ecdsa, p, pubkey_size);
    //chr
    *p++ = 0x5f; *p++ = 0x20; p += format_tlv_len(lenchr, p); memcpy(p, chr, lenchr); p += lenchr;
    if (ext && ext_len > 0) {
        *p++ = 0x65;
        p += format_tlv_len(ext_len, p);
        memcpy(p, ext, ext_len);
        p += ext_len;
    }
    return tot_len;
 }
-size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
    size_t key_size = 0;
    if (key_type == HSM_KEY_RSA)
        key_size = mbedtls_mpi_size(&((mbedtls_rsa_context *)rsa_ecdsa)->N);
    else if (key_type == HSM_KEY_EC)
        key_size = 2*mbedtls_mpi_size(&((mbedtls_ecdsa_context *)rsa_ecdsa)->d);
-    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0), sig_size = asn1_len_tag(0x5f37, key_size);
+    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len), sig_size = asn1_len_tag(0x5f37, key_size);
    size_t tot_len = asn1_len_tag(0x7f21, body_size+sig_size);
    if (buf_len == 0 || buf == NULL)
        return tot_len;
@@ -169,8 +181,7 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
    memcpy(p, "\x7F\x21", 2); p += 2;
    p += format_tlv_len(body_size+sig_size, p);
    body = p;
-    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size);
+    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size, ext, ext_len);
    uint8_t hsh[32];
    hash256(body, body_size, hsh);
    memcpy(p, "\x5F\x37", 2); p += 2;
@@ -200,12 +211,21 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
    return p-buf;
 }
-size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
-    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0);
+    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0, ext, ext_len);
-    size_t outcar_len = 0;
+    size_t outcar_len = dev_name_len;
-    const uint8_t *outcar = cvc_get_chr((uint8_t *)termca+2, (termca[1] << 8) | termca[0], &outcar_len);
+    const uint8_t *outcar = dev_name;
    size_t outcar_size = asn1_len_tag(0x42, outcar_len);
-    int key_size = 2*file_read_uint16(termca_pk), ret = 0;
+    file_t *fkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
    if (!fkey)
        return 0;
    mbedtls_ecdsa_context ectx;
    mbedtls_ecdsa_init(&ectx);
    if (load_private_key_ecdsa(&ectx, fkey) != CCID_OK) {
        mbedtls_ecdsa_free(&ectx);
        return 0;
    }
    int ret = 0, key_size = 2*mbedtls_mpi_size(&ectx.d);
    size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67, cvcert_size+outcar_size+outsig_size);
    if (buf_len == 0 || buf == NULL)
        return tot_len;
@@ -216,13 +236,9 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
    p += format_tlv_len(cvcert_size+outcar_size+outsig_size, p);
    uint8_t *body = p;
    //cvcert
-    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size);
+    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size, ext, ext_len);
    //outcar
    *p++ = 0x42; p += format_tlv_len(outcar_len, p); memcpy(p, outcar, outcar_len); p += outcar_len;
    mbedtls_ecdsa_context ctx;
    mbedtls_ecdsa_init(&ctx);
    if (mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP192R1, &ctx, termca_pk+2, file_read_uint16(termca_pk)) != 0)
        return 0;
    uint8_t hsh[32];
    memcpy(p, "\x5f\x37", 2); p += 2;
    p += format_tlv_len(key_size, p);
@@ -230,8 +246,8 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
    mbedtls_mpi r, s;
    mbedtls_mpi_init(&r);
    mbedtls_mpi_init(&s);
-    ret = mbedtls_ecdsa_sign(&ctx.grp, &r, &s, &ctx.d, hsh, sizeof(hsh), random_gen, NULL);
+    ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL);
-    mbedtls_ecdsa_free(&ctx);
+    mbedtls_ecdsa_free(&ectx);
    if (ret != 0) {
        mbedtls_mpi_free(&r);
        mbedtls_mpi_free(&s);
@@ -266,14 +282,14 @@ size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const
    *p++ = 0x3;
    p += format_tlv_len(opt_len, p);
    memcpy(p, "\x06\x40", 2); p += 2;
-    
+
    //Seq 2
    *p++ = 0x30;
    p += format_tlv_len(asn1_len_tag(0x4, 20), p);
    *p++ = 0x4;
    p += format_tlv_len(20, p);
    mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), puk, puk_len, p);  p += 20;
-    
+
    //Seq 3
    *p++ = 0xA1;
    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, sizeof(uint16_t)))), p);
@@ -306,7 +322,7 @@ size_t asn1_build_prkd_ecc(const uint8_t *label, size_t label_len, const uint8_t
    *p++ = 0xC;
    p += format_tlv_len(label_len, p);
    memcpy(p, label, label_len); p += label_len;
-    
+
    //Seq 2
    *p++ = 0x30;
    p += format_tlv_len(asn1_len_tag(0x4, keyid_len)+asn1_len_tag(0x3, 3), p);
@@ -316,7 +332,7 @@ size_t asn1_build_prkd_ecc(const uint8_t *label, size_t label_len, const uint8_t
    *p++ = 0x3;
    p += format_tlv_len(3, p);
    memcpy(p, "\x07\x20\x80", 3); p += 3;
-    
+
    //Seq 3
    *p++ = 0xA1;
    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0))+asn1_len_tag(0x2,2)), p);
@@ -383,6 +399,13 @@ const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen) {
    return NULL;
 }
 const uint8_t *cvc_get_ext(const uint8_t *data, size_t len, size_t *olen) {
    if ((data = cvc_get_body(data, len, olen)) != NULL) {
        return cvc_get_field(data, len, olen, 0x65);
    }
    return NULL;
 }
 extern PUK puk_store[MAX_PUK_STORE_ENTRIES];
 extern int puk_store_entries;
@@ -420,7 +443,7 @@ mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len) {
    const uint8_t *t81 = cvc_get_field(ca_puk, ca_puk_len, &t81_len, 0x81);
    if (!t81)
        return MBEDTLS_ECP_DP_NONE;
-    
+
    return ec_get_curve_from_prime(t81, t81_len);
 }
@@ -441,11 +464,11 @@ int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t h
        mbedtls_rsa_context rsa;
        mbedtls_rsa_init(&rsa);
        mbedtls_md_type_t md = MBEDTLS_MD_NONE;
-        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0)
            md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)
            md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0)
            md = MBEDTLS_MD_SHA512;
        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0) {
            md = MBEDTLS_MD_SHA1;
@@ -490,19 +513,19 @@ int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t h
    }
    else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
        mbedtls_md_type_t md = MBEDTLS_MD_NONE;
-        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_ECDSA_SHA_1, oid_len) == 0)
            md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_224, oid_len) == 0)
            md = MBEDTLS_MD_SHA224;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256, oid_len) == 0)
            md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_384, oid_len) == 0)
            md = MBEDTLS_MD_SHA384;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_512, oid_len) == 0)
            md = MBEDTLS_MD_SHA512;
-        if (md == MBEDTLS_MD_NONE) 
+        if (md == MBEDTLS_MD_NONE)
            return CCID_WRONG_DATA;
-        
+
        size_t t86_len = 0;
        const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
        if (!t86)
@@ -571,11 +594,11 @@ int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t c
        return CCID_WRONG_DATA;
    mbedtls_md_type_t md = MBEDTLS_MD_NONE;
    if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
-        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_1, oid_len) == 0)
            md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0)
            md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_512, oid_len) == 0)
            md = MBEDTLS_MD_SHA512;
        else if (memcmp(oid, OID_ID_TA_RSA_PSS_SHA_1, oid_len) == 0)
            md = MBEDTLS_MD_SHA1;
@@ -585,18 +608,18 @@ int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t c
            md = MBEDTLS_MD_SHA512;
    }
    else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
-        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_ECDSA_SHA_1, oid_len) == 0)
            md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_224, oid_len) == 0)
            md = MBEDTLS_MD_SHA224;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256, oid_len) == 0)
            md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_384, oid_len) == 0)
            md = MBEDTLS_MD_SHA384;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_512, oid_len) == 0)
            md = MBEDTLS_MD_SHA512;
    }
-    if (md == MBEDTLS_MD_NONE) 
+    if (md == MBEDTLS_MD_NONE)
        return CCID_WRONG_DATA;
    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md);
    uint8_t hash[64], hash_len = mbedtls_md_get_size(md_info);
--- a/src/hsm/cvc.h
+++ b/src/hsm/cvc.h
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
@@ -36,13 +36,14 @@ typedef struct PUK {
 #define MAX_PUK_STORE_ENTRIES 4
-extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
+extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len);
-extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
+extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len);
 extern size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len);
 extern const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag);
 extern const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_ext(const uint8_t *data, size_t len, size_t *olen);
 extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
 extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
 extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);
--- a/src/hsm/files.c
+++ b/src/hsm/files.c
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
@@ -19,13 +19,12 @@
 extern const uint8_t sc_hsm_aid[];
 extern int parse_token_info(const file_t *f, int mode);
 extern int parse_cvca(const file_t *f, int mode);
 file_t file_entries[] = {
    /*  0 */ { .fid = 0x3f00    , .parent = 0xff, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = {0} }, // MF
    /*  1 */ { .fid = 0x2f00    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.DIR
    /*  2 */ { .fid = 0x2f01    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.ATR
-    /*  3 */ { .fid = 0x2f02    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,.data = (uint8_t *)parse_cvca, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.GDO
+    /*  3 */ { .fid = EF_TERMCA , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.GDO
    /*  4 */ { .fid = 0x2f03    , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,.data = (uint8_t *)parse_token_info, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.TokenInfo
    /*  5 */ { .fid = 0x5015    , .parent = 0, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = {0} }, //DF.PKCS15
    /*  6 */ { .fid = 0x5031    , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.ODF
@@ -47,12 +46,14 @@ file_t file_entries[] = {
    /* 22 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Key domain options
    /* 23 */ { .fid = EF_META   , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //EF.CDFs
    /* 24 */ { .fid = EF_PUKAUT, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Public Key Authentication
-    /* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Device Key
+    /* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Device Key
-    /* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //PrKD Device
+    /* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //PrKD Device
-    /* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //End Entity Certificate Device
+    /* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //End Entity Certificate Device
-    ///* 28 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 28 */ { .fid = EF_MKEK , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //MKEK
-    /* 29 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 29 */ { .fid = EF_MKEK_SO , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //MKEK with SO-PIN
-    /* 30 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
+    ///* 30 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
    /* 31 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
    /* 32 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
 };
 const file_t *MF = &file_entries[0];
--- a/src/hsm/files.h
+++ b/src/hsm/files.h
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
@@ -22,6 +22,9 @@
 #include "file.h"
 #define EF_DEVOPS       0x100E
 #define EF_MKEK         0x100A
 #define EF_MKEK_SO      0x100B
 #define EF_XKEK         0x1080
 #define EF_DKEK         0x1090
 #define EF_KEY_DOMAIN   0x10A0
 #define EF_PUKAUT       0x10C0
@@ -37,6 +40,8 @@
 #define EF_PRKD_DEV     0xC400
 #define EF_EE_DEV       0xCE00
 #define EF_TERMCA       0x2f02
 extern file_t *file_pin1;
 extern file_t *file_retries_pin1;
 extern file_t *file_sopin;
--- a/src/hsm/dkek.c
+++ b/src/hsm/dkek.c
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
@@ -19,7 +19,7 @@
 #include "common.h"
 #include "stdlib.h"
 #include "pico/stdlib.h"
-#include "dkek.h"
+#include "kek.h"
 #include "crypto_utils.h"
 #include "random.h"
 #include "sc_hsm.h"
@@ -29,8 +29,8 @@
 #include "mbedtls/ecdsa.h"
 #include "files.h"
-extern bool has_session_pin;
+extern bool has_session_pin, has_session_sopin;
-extern uint8_t session_pin[32];
+extern uint8_t session_pin[32], session_sopin[32];
 #define POLY 0xedb88320
@@ -45,49 +45,110 @@ uint32_t crc32c(const uint8_t *buf, size_t len)
    return ~crc;
 }
-int load_dkek(uint8_t id, uint8_t *dkek) {
+int load_mkek(uint8_t *mkek) {
-    if (has_session_pin == false)
+    if (has_session_pin == false && has_session_sopin == false)
        return CCID_NO_LOGIN;
-    file_t *tf = search_dynamic_file(EF_DKEK+id);
+    const uint8_t *pin = NULL;
-    if (!tf)
+    if (pin == NULL && has_session_pin == true) {
-        return CCID_ERR_FILE_NOT_FOUND;
+        file_t *tf = search_by_fid(EF_MKEK, NULL, SPECIFY_EF);
-    memcpy(dkek, file_get_data(tf), DKEK_SIZE);
+        if (tf) {
-    int ret = aes_decrypt_cfb_256(session_pin, DKEK_IV(dkek), DKEK_KEY(dkek), DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE);
+            memcpy(mkek, file_get_data(tf), MKEK_SIZE);
            pin = session_pin;
        }
    }
    if (pin == NULL && has_session_sopin == true) {
        file_t *tf = search_by_fid(EF_MKEK_SO, NULL, SPECIFY_EF);
        if (tf) {
            memcpy(mkek, file_get_data(tf), MKEK_SIZE);
            pin = session_sopin;
        }
    }
    if (pin == NULL) //Should never happen
        return CCID_EXEC_ERROR;
    int ret = aes_decrypt_cfb_256(pin, MKEK_IV(mkek), MKEK_KEY(mkek), MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE);
    if (ret != 0)
        return CCID_EXEC_ERROR;
-    if (crc32c(DKEK_KEY(dkek), DKEK_KEY_SIZE) != *(uint32_t*)DKEK_CHECKSUM(dkek))
+    if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *)MKEK_CHECKSUM(mkek))
        return CCID_WRONG_DKEK;
    return CCID_OK;
 }
-void release_dkek(uint8_t *dkek) {
+int load_dkek(uint8_t id, uint8_t *dkek) {
-    memset(dkek, 0, DKEK_SIZE);
+    file_t *tf = search_dynamic_file(EF_DKEK+id);
    if (!tf)
        return CCID_ERR_FILE_NOT_FOUND;
    memcpy(dkek, file_get_data(tf), DKEK_KEY_SIZE);
    return mkek_decrypt(dkek, DKEK_KEY_SIZE);
 }
 void release_mkek(uint8_t *mkek) {
    mbedtls_platform_zeroize(mkek, MKEK_SIZE);
 }
 int store_mkek(const uint8_t *mkek) {
    if (has_session_pin == false && has_session_sopin == false)
        return CCID_NO_LOGIN;
    uint8_t tmp_mkek[MKEK_SIZE];
    if (mkek == NULL) {
        const uint8_t *rd = random_bytes_get(MKEK_IV_SIZE+MKEK_KEY_SIZE);
        memcpy(tmp_mkek, rd, MKEK_IV_SIZE+MKEK_KEY_SIZE);
    }
    else
        memcpy(tmp_mkek, mkek, MKEK_SIZE);
    *(uint32_t*)MKEK_CHECKSUM(tmp_mkek) = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE);
    if (has_session_pin) {
        uint8_t tmp_mkek_pin[MKEK_SIZE];
        memcpy(tmp_mkek_pin, tmp_mkek, MKEK_SIZE);
        file_t *tf = search_by_fid(EF_MKEK, NULL, SPECIFY_EF);
        if (!tf) {
            release_mkek(tmp_mkek);
            release_mkek(tmp_mkek_pin);
            return CCID_ERR_FILE_NOT_FOUND;
        }
        aes_encrypt_cfb_256(session_pin, MKEK_IV(tmp_mkek_pin), MKEK_KEY(tmp_mkek_pin), MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE);
        flash_write_data_to_file(tf, tmp_mkek_pin, MKEK_SIZE);
        release_mkek(tmp_mkek_pin);
    }
    if (has_session_sopin) {
        uint8_t tmp_mkek_sopin[MKEK_SIZE];
        memcpy(tmp_mkek_sopin, tmp_mkek, MKEK_SIZE);
        file_t *tf = search_by_fid(EF_MKEK_SO, NULL, SPECIFY_EF);
        if (!tf) {
            release_mkek(tmp_mkek);
            release_mkek(tmp_mkek_sopin);
            return CCID_ERR_FILE_NOT_FOUND;
        }
        aes_encrypt_cfb_256(session_sopin, MKEK_IV(tmp_mkek_sopin), MKEK_KEY(tmp_mkek_sopin), MKEK_KEY_SIZE + MKEK_KEY_CS_SIZE);
        flash_write_data_to_file(tf, tmp_mkek_sopin, MKEK_SIZE);
        release_mkek(tmp_mkek_sopin);
    }
    low_flash_available();
    release_mkek(tmp_mkek);
    return CCID_OK;
 }
 int store_dkek_key(uint8_t id, uint8_t *dkek) {
    file_t *tf = search_dynamic_file(EF_DKEK+id);
    if (!tf)
        return CCID_ERR_FILE_NOT_FOUND;
-    *(uint32_t*)DKEK_CHECKSUM(dkek) = crc32c(DKEK_KEY(dkek), DKEK_KEY_SIZE);
+    int r = mkek_encrypt(dkek, DKEK_KEY_SIZE);
-    aes_encrypt_cfb_256(session_pin, DKEK_IV(dkek), DKEK_KEY(dkek), DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE);
+    if (r != CCID_OK)
-    flash_write_data_to_file(tf, dkek, DKEK_SIZE);
+        return r;
    flash_write_data_to_file(tf, dkek, DKEK_KEY_SIZE);
    low_flash_available();
    release_dkek(dkek);
    return CCID_OK;
 }
 int save_dkek_key(uint8_t id, const uint8_t *key) {
-    uint8_t dkek[DKEK_SIZE];
+    uint8_t dkek[DKEK_KEY_SIZE];
    const uint8_t *iv = random_bytes_get(32);
    memcpy(dkek, iv, DKEK_IV_SIZE);
    if (!key) {
        file_t *tf = search_dynamic_file(EF_DKEK+id);
        if (!tf)
            return CCID_ERR_FILE_NOT_FOUND;
-        memcpy(DKEK_KEY(dkek), file_get_data(tf), DKEK_KEY_SIZE);
+        memcpy(dkek, file_get_data(tf), DKEK_KEY_SIZE);
    }
    else
-        memcpy(DKEK_KEY(dkek), key, DKEK_KEY_SIZE);
+        memcpy(dkek, key, DKEK_KEY_SIZE);
    return store_dkek_key(id, dkek);
 }
@@ -107,87 +168,89 @@ int import_dkek_share(uint8_t id, const uint8_t *share) {
 }
 int dkek_kcv(uint8_t id, uint8_t *kcv) { //kcv 8 bytes
-    uint8_t hsh[32], dkek[DKEK_SIZE];
+    uint8_t hsh[32], dkek[DKEK_KEY_SIZE];
    memset(kcv, 0, 8);
    memset(hsh, 0, sizeof(hsh));
    int r = load_dkek(id, dkek);
    if (r != CCID_OK)
        return r;
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE, hsh);
+    hash256(dkek, DKEK_KEY_SIZE, hsh);
-    release_dkek(dkek);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
    memcpy(kcv, hsh, 8);
    return CCID_OK;
 }
 int dkek_kenc(uint8_t id, uint8_t *kenc) { //kenc 32 bytes
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t dkek[DKEK_KEY_SIZE+4];
    memset(kenc, 0, 32);
    int r = load_dkek(id, dkek);
    if (r != CCID_OK)
        return r;
-    memcpy(DKEK_KEY(dkek)+DKEK_KEY_SIZE, "\x0\x0\x0\x1", 4);
+    memcpy(dkek+DKEK_KEY_SIZE, "\x0\x0\x0\x1", 4);
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE+4, kenc);
+    hash256(dkek, sizeof(dkek), kenc);
-    release_dkek(dkek);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
    return CCID_OK;
 }
 int dkek_kmac(uint8_t id, uint8_t *kmac) { //kmac 32 bytes
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t dkek[DKEK_KEY_SIZE+4];
    memset(kmac, 0, 32);
    int r = load_dkek(id, dkek);
    if (r != CCID_OK)
        return r;
-    memcpy(DKEK_KEY(dkek)+DKEK_KEY_SIZE, "\x0\x0\x0\x2", 4);
+    memcpy(dkek+DKEK_KEY_SIZE, "\x0\x0\x0\x2", 4);
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE+4, kmac);
+    hash256(dkek, DKEK_KEY_SIZE+4, kmac);
-    release_dkek(dkek);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
    return CCID_OK;
 }
-int dkek_encrypt(uint8_t id, uint8_t *data, size_t len) {
+int mkek_encrypt(uint8_t *data, size_t len) {
    int r;
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t mkek[MKEK_SIZE+4];
-    if ((r = load_dkek(id, dkek)) != CCID_OK)
+    if ((r = load_mkek(mkek)) != CCID_OK)
        return r;
-    r = aes_encrypt_cfb_256(DKEK_KEY(dkek), DKEK_IV(dkek), data, len);
+    r = aes_encrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), data, len);
-    release_dkek(dkek);
+    release_mkek(mkek);
    return r;
 }
-int dkek_decrypt(uint8_t id, uint8_t *data, size_t len) {
+int mkek_decrypt(uint8_t *data, size_t len) {
    int r;
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t mkek[MKEK_SIZE+4];
-    if ((r = load_dkek(id, dkek)) != CCID_OK)
+    if ((r = load_mkek(mkek)) != CCID_OK)
        return r;
-    r = aes_decrypt_cfb_256(DKEK_KEY(dkek), DKEK_IV(dkek), data, len);
+    r = aes_decrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), data, len);
-    release_dkek(dkek);
+    release_mkek(mkek);
    return r;
 }
-int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_t *out_len) {
+int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_t *out_len, const uint8_t *allowed, size_t allowed_len) {
    if (!(key_type & HSM_KEY_RSA) && !(key_type & HSM_KEY_EC) && !(key_type & HSM_KEY_AES))
        return CCID_WRONG_DATA;
-        
+
    uint8_t kb[8+2*4+2*4096/8+3+13]; //worst case: RSA-4096  (plus, 13 bytes padding)
    memset(kb, 0, sizeof(kb));
    int kb_len = 0, r = 0;
    uint8_t *algo = NULL;
    uint8_t algo_len = 0;
    uint8_t *allowed = NULL;
    uint8_t allowed_len = 0;
    uint8_t kenc[32];
    memset(kenc, 0, sizeof(kenc));
    r = dkek_kenc(id, kenc);
    if (r != CCID_OK)
        return r;
-    
+
    uint8_t kcv[8];
    memset(kcv, 0, sizeof(kcv));
    r = dkek_kcv(id, kcv);
    if (r != CCID_OK)
        return r;
-    
+
    uint8_t kmac[32];
    memset(kmac, 0, sizeof(kmac));
    r = dkek_kmac(id, kmac);
    if (r != CCID_OK)
        return r;
-    
+
    if (key_type & HSM_KEY_AES) {
        if (key_type & HSM_KEY_AES_128)
            kb_len = 16;
@@ -195,40 +258,38 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
            kb_len = 24;
        else if (key_type & HSM_KEY_AES_256)
            kb_len = 32;
-            
+
        if (kb_len != 16 && kb_len != 24 && kb_len != 32)
            return CCID_WRONG_DATA;
        if (*out_len < 8+1+10+6+4+(2+32+14)+16)
            return CCID_WRONG_LENGTH;
-        
+
        put_uint16_t(kb_len, kb+8);
        memcpy(kb+10, key_ctx, kb_len);
        kb_len += 2;
-        
+
        algo = (uint8_t *)"\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01"; //2.16.840.1.101.3.4.1 (2+8)
        algo_len = 10;
        allowed = (uint8_t *)"\x00\x04\x10\x11\x18\x99"; //(2+4)
        allowed_len = 6;
    }
    else if (key_type & HSM_KEY_RSA) {
-        if (*out_len < 8+1+12+6+(8+2*4+2*4096/8+3+13)+16) //13 bytes pading 
+        if (*out_len < 8+1+12+6+(8+2*4+2*4096/8+3+13)+16) //13 bytes pading
            return CCID_WRONG_LENGTH;
        mbedtls_rsa_context *rsa = (mbedtls_rsa_context *)key_ctx;
        kb_len = 0;
        put_uint16_t(mbedtls_rsa_get_len(rsa)*8, kb+8+kb_len); kb_len += 2;
-        
+
        put_uint16_t(mbedtls_mpi_size(&rsa->D), kb+8+kb_len); kb_len += 2;
        mbedtls_mpi_write_binary(&rsa->D, kb+8+kb_len, mbedtls_mpi_size(&rsa->D)); kb_len += mbedtls_mpi_size(&rsa->D);
        put_uint16_t(mbedtls_mpi_size(&rsa->N), kb+8+kb_len); kb_len += 2;
        mbedtls_mpi_write_binary(&rsa->N, kb+8+kb_len, mbedtls_mpi_size(&rsa->N)); kb_len += mbedtls_mpi_size(&rsa->N);
        put_uint16_t(mbedtls_mpi_size(&rsa->E), kb+8+kb_len); kb_len += 2;
        mbedtls_mpi_write_binary(&rsa->E, kb+8+kb_len, mbedtls_mpi_size(&rsa->E)); kb_len += mbedtls_mpi_size(&rsa->E);
-        
+
        algo = (uint8_t *)"\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02";
        algo_len = 12;
    }
    else if (key_type & HSM_KEY_EC) {
-        if (*out_len < 8+1+12+6+(8+2*8+9*66+2+4)+16) //4 bytes pading 
+        if (*out_len < 8+1+12+6+(8+2*8+9*66+2+4)+16) //4 bytes pading
            return CCID_WRONG_LENGTH;
        mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *)key_ctx;
        kb_len = 0;
@@ -251,16 +312,16 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
        kb[8+kb_len++] = 0x4;
        mbedtls_mpi_write_binary(&ecdsa->Q.X, kb+8+kb_len, mbedtls_mpi_size(&ecdsa->Q.X)); kb_len += mbedtls_mpi_size(&ecdsa->Q.X);
        mbedtls_mpi_write_binary(&ecdsa->Q.Y, kb+8+kb_len, mbedtls_mpi_size(&ecdsa->Q.Y)); kb_len += mbedtls_mpi_size(&ecdsa->Q.Y);
-        
+
        algo = (uint8_t *)"\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03";
        algo_len = 12;
    }
    memset(out, 0, *out_len);
    *out_len = 0;
-    
+
    memcpy(out+*out_len, kcv, 8);
    *out_len += 8;
-    
+
    if (key_type & HSM_KEY_AES)
        out[*out_len] = 15;
    else if (key_type & HSM_KEY_RSA)
@@ -268,15 +329,16 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
    else if (key_type & HSM_KEY_EC)
        out[*out_len] = 12;
    *out_len += 1;
-    
+
    if (algo) {
        memcpy(out+*out_len, algo, algo_len);
        *out_len += algo_len;
    }
    else
        *out_len += 2;
-    
+
-    if (allowed) {
+    if (allowed && allowed_len > 0) {
        put_uint16_t(allowed_len, out+*out_len); *out_len += 2;
        memcpy(out+*out_len, allowed, allowed_len);
        *out_len += allowed_len;
    }
@@ -284,7 +346,7 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
        *out_len += 2;
    //add 4 zeros
    *out_len += 4;
-        
+
    memcpy(kb, random_bytes_get(8), 8);
    kb_len += 8; //8 random bytes
    int kb_len_pad = ((int)(kb_len/16))*16;
@@ -297,12 +359,12 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
    r = aes_encrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, kb_len_pad);
    if (r != CCID_OK)
        return r;
-    
+
    memcpy(out+*out_len, kb, kb_len_pad);
    *out_len += kb_len_pad;
    r = mbedtls_cipher_cmac(mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB), kmac, 256, out, *out_len, out+*out_len);
-    
+
    *out_len += 16;
    if (r != 0)
        return r;
@@ -319,67 +381,69 @@ int dkek_type_key(const uint8_t *in) {
    return 0x0;
 }
-int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out) {
+int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out, uint8_t **allowed, size_t *allowed_len) {
    uint8_t kcv[8];
    int r = 0;
    memset(kcv, 0, sizeof(kcv));
    r = dkek_kcv(id, kcv);
    if (r != CCID_OK)
        return r;
-    
+
    uint8_t kmac[32];
    memset(kmac, 0, sizeof(kmac));
    r = dkek_kmac(id, kmac);
    if (r != CCID_OK)
        return r;
-    
+
    uint8_t kenc[32];
    memset(kenc, 0, sizeof(kenc));
    r = dkek_kenc(id, kenc);
    if (r != CCID_OK)
        return r;
-    
+
    if (memcmp(kcv, in, 8) != 0)
        return CCID_WRONG_DKEK;
-        
+
    uint8_t signature[16];
    r = mbedtls_cipher_cmac(mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB), kmac, 256, in, in_len-16, signature);
    if (r != 0)
        return CCID_WRONG_SIGNATURE;
    if (memcmp(signature, in+in_len-16, 16) != 0)
        return CCID_WRONG_SIGNATURE;
-        
+
    int key_type = in[8];
    if (key_type != 5 && key_type != 6 && key_type != 12 && key_type != 15)
        return CCID_WRONG_DATA;
-    
+
    if ((key_type == 5 || key_type == 6) && memcmp(in+9, "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02", 12) != 0)
        return CCID_WRONG_DATA;
-        
+
    if (key_type == 12 && memcmp(in+9, "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03", 12) != 0)
        return CCID_WRONG_DATA;
-        
+
    if (key_type == 15 && memcmp(in+9, "\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01", 10) != 0)
        return CCID_WRONG_DATA;
-        
+
    size_t ofs = 9;
-    
+
    //OID
    size_t len = get_uint16_t(in, ofs);
    ofs += len+2;
-    
+
    //Allowed algorithms
    len = get_uint16_t(in, ofs);
    *allowed = (uint8_t *)(in+ofs+2);
    *allowed_len = len;
    ofs += len+2;
-    
+
    //Access conditions
    len = get_uint16_t(in, ofs);
    ofs += len+2;
-    
+
    //Key OID
    len = get_uint16_t(in, ofs);
    ofs += len+2;
-    
+
    if ((in_len-16-ofs) % 16 != 0)
        return CCID_WRONG_PADDING;
    uint8_t kb[8+2*4+2*4096/8+3+13]; //worst case: RSA-4096  (plus, 13 bytes padding)
@@ -388,7 +452,7 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
    r = aes_decrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, in_len-16-ofs);
    if (r != CCID_OK)
        return r;
-    
+
    int key_size = get_uint16_t(kb, 8);
    if (key_size_out)
        *key_size_out = key_size;
@@ -403,7 +467,7 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
                mbedtls_rsa_free(rsa);
                return CCID_WRONG_DATA;
            }
-            
+
            len = get_uint16_t(kb, ofs); ofs += 2;
            r = mbedtls_mpi_read_binary(&rsa->N, kb+ofs, len); ofs += len;
            if (r != 0) {
@@ -414,20 +478,20 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
        else if (key_type == 6) {
            //DP-1
            len = get_uint16_t(kb, ofs); ofs += len+2;
-            
+
            //DQ-1
            len = get_uint16_t(kb, ofs); ofs += len+2;
-            
+
            len = get_uint16_t(kb, ofs); ofs += 2;
            r = mbedtls_mpi_read_binary(&rsa->P, kb+ofs, len); ofs += len;
            if (r != 0) {
                mbedtls_rsa_free(rsa);
                return CCID_WRONG_DATA;
            }
-            
+
            //PQ
            len = get_uint16_t(kb, ofs); ofs += len+2;
-            
+
            len = get_uint16_t(kb, ofs); ofs += 2;
            r = mbedtls_mpi_read_binary(&rsa->Q, kb+ofs, len); ofs += len;
            if (r != 0) {
@@ -437,14 +501,14 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
            //N
            len = get_uint16_t(kb, ofs); ofs += len+2;
        }
-        
+
        len = get_uint16_t(kb, ofs); ofs += 2;
        r = mbedtls_mpi_read_binary(&rsa->E, kb+ofs, len); ofs += len;
        if (r != 0) {
            mbedtls_rsa_free(rsa);
            return CCID_WRONG_DATA;
        }
-        
+
        if (key_type == 5) {
            r = mbedtls_rsa_import(rsa, &rsa->N, NULL, NULL, &rsa->D, &rsa->E);
            if (r != 0) {
@@ -459,7 +523,7 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
                return CCID_EXEC_ERROR;
            }
        }
-        
+
        r = mbedtls_rsa_complete(rsa);
        if (r != 0) {
            mbedtls_rsa_free(rsa);
@@ -474,13 +538,13 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
    else if (key_type == 12) {
        mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *)key_ctx;
        mbedtls_ecdsa_init(ecdsa);
-        
+
        //A
        len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
        //B
        len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
        //P
        len = get_uint16_t(kb, ofs); ofs += 2;
        mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(kb+ofs, len);
@@ -489,13 +553,13 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
            return CCID_WRONG_DATA;
        }
        ofs += len;
-        
+
        //N
        len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
        //G
        len = get_uint16_t(kb, ofs); ofs += len+2;
-        
+
        //d
        len = get_uint16_t(kb, ofs); ofs += 2;
        r = mbedtls_ecp_read_key(ec_id, ecdsa, kb+ofs, len);
--- a/src/hsm/dkek.h
+++ b/src/hsm/dkek.h
@@ -1,46 +1,48 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #ifndef _DKEK_H_
 #define _DKEK_H_
-extern int load_dkek(uint8_t, uint8_t *);
+extern int load_mkek(uint8_t *);
 extern int store_mkek(const uint8_t *);
 extern int save_dkek_key(uint8_t, const uint8_t *key);
 extern int store_dkek_key(uint8_t, uint8_t *);
-extern void init_dkek();
+extern void init_mkek();
-extern void release_dkek(uint8_t *);
+extern void release_mkek(uint8_t *);
 extern int import_dkek_share(uint8_t, const uint8_t *share);
 extern int dkek_kcv(uint8_t, uint8_t *kcv);
-extern int dkek_encrypt(uint8_t, uint8_t *data, size_t len);
+extern int mkek_encrypt(uint8_t *data, size_t len);
-extern int dkek_decrypt(uint8_t, uint8_t *data, size_t len);
+extern int mkek_decrypt(uint8_t *data, size_t len);
-extern int dkek_encode_key(uint8_t, void *key_ctx, int key_type, uint8_t *out, size_t *out_len);
+extern int dkek_encode_key(uint8_t, void *key_ctx, int key_type, uint8_t *out, size_t *out_len, const uint8_t *, size_t);
 extern int dkek_type_key(const uint8_t *in);
-extern int dkek_decode_key(uint8_t, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out);
+extern int dkek_decode_key(uint8_t, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out, uint8_t **, size_t *);
 #define MAX_DKEK_ENCODE_KEY_BUFFER (8+1+12+6+(8+2*4+2*4096/8+3+13)+16)
 #define MAX_KEY_DOMAINS 16
-#define DKEK_IV_SIZE     (IV_SIZE)
+#define MKEK_IV_SIZE     (IV_SIZE)
 #define MKEK_KEY_SIZE    (32)
 #define MKEK_KEY_CS_SIZE (4)
 #define MKEK_SIZE        (MKEK_IV_SIZE+MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE)
 #define MKEK_IV(p)       (p)
 #define MKEK_KEY(p)      (MKEK_IV(p)+MKEK_IV_SIZE)
 #define MKEK_CHECKSUM(p) (MKEK_KEY(p)+MKEK_KEY_SIZE)
 #define DKEK_KEY_SIZE    (32)
 #define DKEK_KEY_CS_SIZE (4)
 #define DKEK_SIZE        (DKEK_IV_SIZE+DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE)
 #define DKEK_KEY(p)      (p+DKEK_IV_SIZE)
 #define DKEK_IV(p)       (p)
 #define DKEK_CHECKSUM(p) (p+DKEK_IV_SIZE+DKEK_KEY_SIZE)
 #endif
--- a/src/hsm/oid.c
+++ b/src/hsm/oid.c
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
--- a/src/hsm/oid.h
+++ b/src/hsm/oid.h
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
@@ -23,23 +23,7 @@
 #define OID_BSI_DE                      "\x04\x00\x7F\x00\x07"
-#define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
+#define OID_ID_PK                       OID_BSI_DE "\x02\x02\x01"
 #define OID_ID_CA_DH                    OID_ID_CA "\x01"
 #define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
 #define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
 #define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
 #define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
 #define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
 #define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
 #define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
 #define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
 #define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
 #define OID_ID_PK                       OID_BSI_DE "\x02\x02\0x1"
 #define OID_ID_PK_DH                    OID_ID_PK "\x01"
 #define OID_ID_PK_ECDH                  OID_ID_PK "\x02"
@@ -56,11 +40,25 @@
 #define OID_ID_TA_ECDSA                 OID_ID_TA "\x02"
-#define OID_IT_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
+#define OID_ID_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
-#define OID_IT_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
+#define OID_ID_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
-#define OID_IT_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
+#define OID_ID_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
-#define OID_IT_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
+#define OID_ID_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
-#define OID_IT_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
+#define OID_ID_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
 #define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
 #define OID_ID_CA_DH                    OID_ID_CA "\x01"
 #define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
 #define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
 #define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
 #define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
 #define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
 #define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
 #define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
 #define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
 #define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
 #define OID_ID_RI                       OID_BSI_DE "\x02\x02\x05"
@@ -70,7 +68,7 @@
 #define OID_ID_RI_DH_SHA_224            OID_ID_RI_DH "\x02"
 #define OID_ID_RI_DH_SHA_256            OID_ID_RI_DH "\x03"
-#define OID_ID_RI_ECDH                  OID_ID_RI "\x02" 
+#define OID_ID_RI_ECDH                  OID_ID_RI "\x02"
 #define OID_ID_RI_ECDH_SHA_1            OID_ID_RI_ECDH "\x01"
 #define OID_ID_RI_ECDH_SHA_224          OID_ID_RI_ECDH "\x02"
@@ -78,4 +76,31 @@
 #define OID_ID_CI                       OID_BSI_DE "\x02\x02\x06"
 #define OID_CARDCONTACT                 "\x2B\x06\x01\x04\x01\x81\xC3\x1F"
 #define OID_OPENSCDP                    OID_CARDCONTACT "\x01"
 #define OID_CC_ISO7816                  OID_CARDCONTACT "\x02"
 #define OID_CC_PKI                      OID_CARDCONTACT "\x03"
 #define OID_CC_FORMAT                   OID_CARDCONTACT "\x04"
 #define OID_CC_GP_PROFILES              OID_CARDCONTACT "\x10"
 #define OID_SCSH3                       OID_OPENSCDP "\x01"
 #define OID_SCSH3GUI                    OID_OPENSCDP "\x02"
 #define OID_SMARCARD_HSM                OID_CC_ISO7816 "\x01"
 #define OID_CC_APDUTEST                 OID_CC_ISO7816 "\x02"
 #define OID_CC_PACKAGES                 OID_CC_ISO7816 "\x7F"
 #define OID_CC_ROLES                    OID_CC_PKI "\x01"
 #define OID_CC_ROLE_SC_HSM              OID_CC_ROLES "\x01"
 #define OID_CC_EXTENSIONS               OID_CC_PKI "\x02"
 #define OID_ID_IMPU                     OID_CC_EXTENSIONS "\x01"
 #define OID_ID_KEY_DOMAIN_UID           OID_CC_EXTENSIONS "\x02"
 #define OID_CC_FF_DEVICEID              OID_CC_FORMAT "\x01"
 #define OID_CC_FF_KDM                   OID_CC_FORMAT "\x02"
 #define OID_CC_FF_PKA                   OID_CC_FORMAT "\x03"
 #define OID_CC_FF_KDA                   OID_CC_FORMAT "\x04"
 #endif
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
--- a/src/hsm/sc_hsm.h
+++ b/src/hsm/sc_hsm.h
@@ -1,17 +1,17 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
@@ -19,12 +19,16 @@
 #define _SC_HSM_H_
 #include <stdlib.h>
 #include "common.h"
 #include "mbedtls/rsa.h"
 #include "mbedtls/ecdsa.h"
 #include "pico/stdlib.h"
-#include "ccid2040.h"
+#include "file.h"
 #include "apdu.h"
 #include "hsm.h"
 extern const uint8_t sc_hsm_aid[];
 #define ALGO_RSA_RAW			0x20		/* RSA signature with external padding */
 #define ALGO_RSA_DECRYPT		0x21		/* RSA raw decrypt */
 #define ALGO_RSA_DECRYPT_PKCS1  0x22
@@ -50,6 +54,8 @@ extern const uint8_t sc_hsm_aid[];
 #define ALGO_EC_SHA384          0x74
 #define ALGO_EC_SHA512          0x75
 #define ALGO_EC_DH				0x80        /* ECDH key derivation */
 #define ALGO_EC_DH_AUTPUK       0x83
 #define ALGO_EC_DH_XKEK         0x84
 #define ALGO_WRAP               0x92
 #define ALGO_UNWRAP             0x93
@@ -85,13 +91,32 @@ extern const uint8_t sc_hsm_aid[];
 #define P15_KEYTYPE_ECC     0xA0
 #define P15_KEYTYPE_AES     0xA8
 #define MAX_PUK 8
 extern int pin_reset_retries(const file_t *pin, bool);
 extern int pin_wrong_retry(const file_t *pin);
 extern void hash(const uint8_t *input, size_t len, uint8_t output[32]);
 extern void hash_multi(const uint8_t *input, size_t len, uint8_t output[32]);
 extern void double_hash_pin(const uint8_t *pin, size_t len, uint8_t output[32]);
-
+extern uint16_t get_device_options();
 extern bool has_session_pin, has_session_sopin;
 extern uint8_t session_pin[32], session_sopin[32];
 extern int check_pin(const file_t *pin, const uint8_t *data, size_t len);
 extern bool pka_enabled();
 extern const uint8_t *dev_name;
 extern size_t dev_name_len;
 extern uint8_t puk_status[MAX_PUK];
 extern int puk_store_select_chr(const uint8_t *chr);
 extern int delete_file(file_t *ef);
 extern const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, size_t *tag_len);
 extern bool key_has_purpose(file_t *ef, uint8_t purpose);
 extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey);
 extern int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey);
 extern bool wait_button_pressed();
 extern int store_keys(void *key_ctx, int type, uint8_t key_id);
 extern int find_and_store_meta_key(uint8_t key_id);
 extern uint32_t get_key_counter(file_t *fkey);
 extern uint32_t decrement_key_counter(file_t *fkey);
 #endif
--- a/src/hsm/version.h
+++ b/src/hsm/version.h
@@ -1,24 +1,24 @@
-/* 
+/*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
- * 
+ *
- * This program is free software: you can redistribute it and/or modify  
+ * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by  
+ * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
- * This program is distributed in the hope that it will be useful, but 
+ * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of 
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License 
+ * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 #ifndef __VERSION_H_
 #define __VERSION_H_
-#define HSM_VERSION 0x0206
+#define HSM_VERSION 0x0300
 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
 #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)
--- a/tools/pico-hsm-patch-vidpid.sh
+++ b/tools/pico-hsm-patch-vidpid.sh
@@ -1,24 +1,24 @@
 #!/bin/bash
-# 
+#
 # This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 # Copyright (c) 2022 Pol Henarejos.
-# 
+#
-# This program is free software: you can redistribute it and/or modify  
+# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by  
+# it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, version 3.
 #
-# This program is distributed in the hope that it will be useful, but 
+# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of 
+# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 # General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License 
+# You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-VERSION_MAJOR="2" #Version of Pico CCID Core
+VERSION_MAJOR="3" #Version of Pico CCID Core
-VERSION_MINOR="0"
+VERSION_MINOR="4"
 echo "----------------------------"
 echo "VID/PID patcher for Pico HSM"
--- a/tools/pico-hsm-tool.py
+++ b/tools/pico-hsm-tool.py
@@ -0,0 +1,304 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 """
 /*
 * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
 * Copyright (c) 2022 Pol Henarejos.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
 """
 from smartcard.CardType import AnyCardType
 from smartcard.CardRequest import CardRequest
 from smartcard.Exceptions import CardRequestTimeoutException
 from cvc.certificates import CVC
 from cvc.asn1 import ASN1
 from cvc.oid import oid2scheme
 from cvc.utils import scheme_rsa
 from cryptography.hazmat.primitives.asymmetric import ec
 import json
 import urllib.request
 import base64
 from binascii import hexlify
 import sys
 import argparse
 import os
 from datetime import datetime
 from argparse import RawTextHelpFormatter
 class APDUResponse(Exception):
    def __init__(self, sw1, sw2):
        self.sw1 = sw1
        self.sw2 = sw2
        super().__init__(f'SW:{sw1:02X}{sw2:02X}')
 def send_apdu(card, command, p1, p2, data=None):
    lc = []
    dataf = []
    if (data):
        lc = [0x00] + list(len(data).to_bytes(2, 'big'))
        dataf = data
    le = [0x00, 0x00]
    if (isinstance(command, list) and len(command) > 1):
        apdu = command
    else:
        apdu = [0x00, command]
    apdu = apdu + [p1, p2] + lc + dataf + le
    response, sw1, sw2 = card.connection.transmit(apdu)
    if (sw1 != 0x90):
        raise APDUResponse(sw1, sw2)
    return response
 def parse_args():
    parser = argparse.ArgumentParser()
    subparser = parser.add_subparsers(title="commands", dest="command")
    parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
    parser_init.add_argument('--pin', help='PIN number')
    parser_init.add_argument('--so-pin', help='SO-PIN number')
    parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.')
    parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID')
    parser_pki = subparser.add_parser('pki', help='Performs PKI operations.')
    subparser_pki = parser_pki.add_subparsers(title='commands', dest='subcommand')
    parser_pki_init = subparser_pki.add_parser('initialize', help='Initializes the Public Key Infrastructure (PKI)')
    parser_pki_init.add_argument('--certs-dir', help='Store the PKI certificates into this directory.', default='certs')
    parser_pki_init.add_argument('--default', help='Setups the default public PKI from public Pico HSM PKI.', action='store_true')
    parser_pki_init.add_argument('--force', help='Forces the download of certificates.', action='store_true')
    parser_rtc = subparser.add_parser('datetime', help='Datetime operations with the integrated Real Time Clock (RTC).')
    parser_rtc.add_argument('subcommand', choices=['set', 'get'], help='Sets or gets current datetime.')
    parser_opts = subparser.add_parser('options', help='Manage extra options.', formatter_class=RawTextHelpFormatter)
    parser_opts.add_argument('subcommand', choices=['set', 'get'], help='Sets or gets option OPT.')
    parser_opts.add_argument('opt', choices=['button', 'counter'], help='Button: press-to-confirm button.\nCounter: every generated key has an internal counter.')
    parser_opts.add_argument('onoff', choices=['on', 'off'], help='Toggles state ON or OFF', metavar='ON/OFF', nargs='?')
    args = parser.parse_args()
    return args
 def get_pki_data(url, data=None, method='GET'):
    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; '
    'rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
    method = 'GET'
    if (data is not None):
        method = 'POST'
    req = urllib.request.Request(f"https://www.henarejos.me/pico/pico-hsm/{url}/",
                                method=method,
                                data=data,
                                headers={'User-Agent': user_agent, })
    response = urllib.request.urlopen(req)
    resp = response.read().decode('utf-8')
    j = json.loads(resp)
    return j
 def get_pki_certs(certs_dir='certs', force=False):
    certs = get_pki_data('certs')
    if (os.path.exists(certs_dir) is False):
        os.mkdir(certs_dir)
    cvcap = os.path.join(certs_dir, certs['cvca']['CHR'])
    dvcap = os.path.join(certs_dir, certs['dvca']['CHR'])
    if (os.path.exists(cvcap) is False or force is True):
        with open(cvcap, 'wb') as f:
            f.write(base64.urlsafe_b64decode(certs['cvca']['cert']))
    if (os.path.exists(dvcap) is False or force is True):
        with open(dvcap, 'wb') as f:
            f.write(base64.urlsafe_b64decode(certs['dvca']['cert']))
    print(f'All PKI certificates are stored at {certs_dir} folder')
 def pki(card, args):
    if (args.subcommand == 'initialize'):
        if (args.default is True):
            get_pki_certs(certs_dir=args.certs_dir, force=args.force)
        else:
            print('Error: no PKI is passed. Use --default to retrieve default PKI.')
 def initialize(card, args):
    print('********************************')
    print('*   PLEASE READ IT CAREFULLY   *')
    print('********************************')
    print('')
    print('This tool will erase and reset your device. It will delete all '
        'private and secret keys.')
    print('Are you sure?')
    _ = input('[Press enter to confirm]')
    send_apdu(card, 0xA4, 0x04, 0x00, [0xE8, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xC3, 0x1F, 0x02, 0x01])
    if (args.pin):
        pin = args.pin.encode()
        try:
            response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
        except APDUResponse:
            pass
    else:
            pin = b'648219'
    if (args.so_pin):
        so_pin = args.so_pin.encode()
        try:
            response = send_apdu(card, 0x20, 0x00, 0x82, list(so_pin))
        except APDUResponse:
            pass
    else:
            so_pin = b'57621880'
    pin_data = [0x81, len(pin)] + list(pin)
    so_pin_data = [0x82, len(so_pin)] + list(so_pin)
    reset_data = [0x80, 0x02, 0x00, 0x01] + pin_data + so_pin_data + [0x91, 0x01, 0x03]
    response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
    response = send_apdu(card, 0xB1, 0xCE, 0x00, [0x54, 0x02, 0x00, 0x00])
    cert = bytearray(response)
    Y = CVC().decode(cert).pubkey().find(0x86).data()
    print(f'Public Point: {hexlify(Y).decode()}')
    pbk = base64.urlsafe_b64encode(Y)
    data = urllib.parse.urlencode({'pubkey': pbk}).encode()
    j = get_pki_data('cvc', data=data)
    print('Device name: '+j['devname'])
    dataef = base64.urlsafe_b64decode(
        j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
    response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f, 0x02])
    response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
    apdu_data = [0x54, 0x02, 0x00, 0x00] + \
        list(ASN1.make_tag(0x53, dataef))
    response = send_apdu(card, 0xd7, 0x00, 0x00, apdu_data)
    print('Certificate uploaded successfully!')
    print('')
    print('Note that the device is initialized with a default PIN and '
        'configuration.')
    print('Now you can initialize the device as usual with your chosen PIN '
        'and configuration options.')
 def attestate(card, args):
    kid = int(args.key)
    try:
        response = send_apdu(card, 0xB1, 0x2F, 0x02, [0x54, 0x02, 0x00, 0x00])
    except APDUResponse as a:
        print('ERROR: There is an error with the device certificate.')
        sys.exit(1)
    devcert = ASN1().decode(response).find(0x7f21, pos=0).data(return_tag=True)
    try:
        cert = send_apdu(card, 0xB1, 0xCE, kid, [0x54, 0x02, 0x00, 0x00])
    except APDUResponse as a:
        if (a.sw1 == 0x6a and a.sw2 == 0x82):
            print('ERROR: Key not found')
            sys.exit(1)
    from binascii import hexlify
    print(hexlify(bytearray(cert)))
    print(f'Details of key {kid}:\n')
    print(f'  CAR: {(CVC().decode(cert).car()).decode()}')
    print('  Public Key:')
    puboid = CVC().decode(cert).pubkey().oid()
    print(f'    Scheme: {oid2scheme(puboid)}')
    chr = CVC().decode(cert).chr()
    car = CVC().decode(cert).car()
    if (scheme_rsa(puboid)):
        print(f'    Modulus: {hexlify(CVC().decode(cert).pubkey().find(0x81).data()).decode()}')
        print(f'    Exponent: {hexlify(CVC().decode(cert).pubkey().find(0x82).data()).decode()}')
    else:
        print(f'    Public Point: {hexlify(CVC().decode(cert).pubkey().find(0x86).data()).decode()}')
    print(f'  CHR: {chr.decode()}')
    print('  Key signature:')
    inret = CVC().decode(cert).verify()
    if (inret):
        print('    Status: VALID')
        print(f'      This certificate is signed with private key {kid}')
    else:
        print('    Status: NOT VALID')
        print(f'      This certificate is NOT signed with private key {kid}')
    print('  Cert signature:')
    print(f'    Outer CAR: {CVC().decode(cert).outer_car().decode()}')
    outret = CVC().decode(cert).verify(outer=True, dica=devcert, curve=ec.SECP256R1())
    if (outret):
        print('    Status: VALID')
        print('      This certificate is signed with the device key')
    else:
        print('    Status: NOT VALID')
        print('      This certificate is NOT signed with the device key')
    if (inret is True and outret is True):
        print(f'Key {kid} is generated by device {chr.decode()}')
    else:
        print(f'Key {kid} is NOT generated by device {chr.decode()}')
 def rtc(card, args):
    if (args.subcommand == 'set'):
        now = datetime.now()
        _ = send_apdu(card, [0x80, 0x64], 0x0A, 0x00, list(now.year.to_bytes(2, 'big')) + [now.month, now.day, now.weekday(), now.hour, now.minute, now.second ])
    elif (args.subcommand == 'get'):
        response = send_apdu(card, [0x80, 0x64], 0x0A, 0x00)
        dt = datetime(int.from_bytes(response[:2], 'big'), response[2], response[3], response[5], response[6], response[7])
        print(f'Current date and time is: {dt.ctime()}')
 def opts(card, args):
    opt = 0x0
    if (args.opt == 'button'):
        opt = 0x1
    elif (args.opt == 'counter'):
        opt = 0x2
    current = send_apdu(card, [0x80, 0x64], 0x6, 0x0)[0]
    if (args.subcommand == 'set'):
        if (args.onoff == 'on'):
            newopt = current | opt
        else:
            newopt = current & ~opt
        send_apdu(card, [0x80, 0x64], 0x6, 0x0, [newopt])
    elif (args.subcommand == 'get'):
        print(f'Option {args.opt.upper()} is {"ON" if current & opt else "OFF"}')
 def main(args):
    print('Pico HSM Tool v1.4')
    print('Author: Pol Henarejos')
    print('Report bugs to https://github.com/polhenarejos/pico-hsm/issues')
    print('')
    print('')
    cardtype = AnyCardType()
    try:
        # request card insertion
        cardrequest = CardRequest(timeout=10, cardType=cardtype)
        card = cardrequest.waitforcard()
        # connect to the card and perform a few transmits
        card.connection.connect()
    except CardRequestTimeoutException:
        print('time-out: no card inserted during last 10s')
    # Following commands may raise APDU exception on error
    if (args.command == 'initialize'):
        initialize(card, args)
    elif (args.command == 'attestate'):
        attestate(card, args)
    elif (args.command == 'pki'):
        pki(card, args)
    elif (args.command == 'datetime'):
        rtc(card, args)
    elif (args.command == 'options'):
        opts(card, args)
 def run():
    args = parse_args()
    main(args)
 if __name__ == "__main__":
    run()
--- a/workflows/autobuild.sh
+++ b/workflows/autobuild.sh
@@ -0,0 +1,13 @@
 #!/bin/bash
 git submodule update --init --recursive
 sudo apt update
 sudo apt install -y cmake gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib
 git clone https://github.com/raspberrypi/pico-sdk
 cd pico-sdk
 git submodule update --init
 cd ..
 mkdir build
 cd build
 cmake -DPICO_SDK_PATH=../pico-sdk ..
 make
Author	SHA1	Message	Date
Pol Henarejos	1e39558fbc	Typo Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:39:32 +02:00
Pol Henarejos	a089cc279b	Adding support for changing SO-PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:37:56 +02:00
Pol Henarejos	84f646dbad	Fix storing SO-PIN session when checking PIN with SO-PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:37:33 +02:00
Pol Henarejos	b9ec473aaa	Fix critical bug saving SO-PIN securely. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-10 00:27:46 +02:00
Pol Henarejos	b7eb0dff02	Upgrade to Version 3.0. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:27:11 +02:00
Pol Henarejos	06f550cc04	Update usage.md	2022-10-09 22:26:45 +02:00
Pol Henarejos	1752b1aec7	Update usage.md	2022-10-09 22:25:35 +02:00
Pol Henarejos	67ea640a14	Fix endianness of patcher (again) Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:20:41 +02:00
Pol Henarejos	f593060007	Moving delete_file() outside. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:07:21 +02:00
Pol Henarejos	8504eed35c	Adding fixes and moving to Mbedtls 3.2.1 Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:07:10 +02:00
Pol Henarejos	8b29b137a8	Small fixes. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-10-09 22:04:30 +02:00
Pol Henarejos	08d3ca6d27	Update README.md	2022-10-09 19:57:52 +02:00
Pol Henarejos	e6767f4c0a	Moving pointer. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-09-25 23:25:16 +02:00
Pol Henarejos	9e5d65706e	Merge pull request #2 from rrottmann/master Building pico-hsm using Linux containers	2022-09-25 18:42:37 +02:00
Reiner Rottmann	61d7b6da38	Added Dockerfile for building pico-hsm and updated README.md with instructions.	2022-09-23 20:36:05 +02:00
Pol Henarejos	6affe64ec5	Adding missing file to pico-hsm-sdk.	2022-08-31 14:19:32 +02:00
Pol Henarejos	ab75718927	Using pico_hsm_sdk library instead.	2022-08-31 14:10:04 +02:00
Pol Henarejos	9e1747e539	Upgrading pico-hsm-sdk version to v3.0	2022-08-31 14:09:02 +02:00
Pol Henarejos	a7396dc698	Fix the endianness of vid/pid patcher.	2022-08-31 14:08:29 +02:00
Pol Henarejos	67699bd24c	Before initializing, we select the applet.	2022-08-30 17:55:56 +02:00
Pol Henarejos	62c72c48a5	Moving to new pico-hsm-sdk.	2022-08-30 17:55:42 +02:00
Pol Henarejos	3944c8437a	Moving to pico-hsm-sdk	2022-08-30 17:54:38 +02:00
Pol Henarejos	b7d603342e	Upgrading pico-ccid	2022-08-29 11:32:39 +02:00
Pol Henarejos	6e5db3c292	Upgrading pico-ccid to version 2.2	2022-08-29 11:31:47 +02:00
Pol Henarejos	4fb26559f4	Adding --so-pin flag for initialize command. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 13:47:42 +02:00
Pol Henarejos	c366c1d1a3	Added datetime and options menu to manipulate the RTC and options (press-to-confirm button and optional counter for each key). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 13:38:09 +02:00
Pol Henarejos	e8cc6a169e	Try to recover MKEK twice: with previous PIN/SO-PIN or after setting the new PIN/SO-PIN just in case some is the same as previous. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	7d7b6b88ba	Trying to recover MKEK to preserver device private key. If not, all are generated again. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	138af5c113	Adding --pin parameter for initialization. If provided, it unlocks MKEK before initialization. If not, it will generate a new MKEK and device certificate. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	b3bcad9ce6	Making MKEK persistent. It must be persistent as it encrypts device private key and therefore it must survive across reinitializations. However, if no PIN is provided to unlock it, it will be lost, as with device private key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	cd6f898f8e	Fix storing certs in DER format. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	9ef088971b	Integrate all commands to a single script Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	e399b1c0b1	Renaming the tools and moving to tools/ folder. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-25 01:51:16 +02:00
Pol Henarejos	59bacaf5b4	Update scs3.md Updated patch.	2022-08-24 14:11:14 +02:00
Pol Henarejos	d872a156c1	Update scs3.md Updated CA certs.	2022-08-24 14:04:14 +02:00
Pol Henarejos	c5e4583762	Add a tool for attestation of a private key. It looks for a particular private key and generates a report with some useful information and validates the source of the private key, whether it is generated in this device or outside. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-23 14:54:38 +02:00
Pol Henarejos	38b9c06138	Reformat oids. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-23 14:52:44 +02:00
Pol Henarejos	df18a1e917	Added header. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-23 00:50:07 +02:00
Pol Henarejos	2bc40771ca	Fix generating CVC REQ. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-23 00:50:06 +02:00
Pol Henarejos	5696c7a5da	Update public_key_authentication.md	2022-08-22 14:24:53 +02:00
Pol Henarejos	c5f980fc98	Fix curve for ECDH key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-22 01:13:08 +02:00
Pol Henarejos	aebb68724a	Removing trailing spaces. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-19 01:44:27 +02:00
Pol Henarejos	1f2ccd8c1c	Not used. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-19 01:40:13 +02:00
Pol Henarejos	874058d86a	Pull last changes in pico-ccid. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-19 00:03:09 +02:00
Pol Henarejos	8fccb80295	New burn-certs is called after compilation, not before. Not needed anymore. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:58:38 +02:00
Pol Henarejos	c9c60575c7	Removed 3DES as it is unsecure. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:55:21 +02:00
Pol Henarejos	7e6ed20b26	Not downloading nested submodules for tinyusb Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:53:49 +02:00
Pol Henarejos	52c7be4e16	Also clone nested submodules Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:38:50 +02:00
Pol Henarejos	36d250fc2b	Github does not clone submodules. So, let's do it Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:33:52 +02:00
Pol Henarejos	84ba0e03de	Fix missing TinyUSB submodule Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:31:17 +02:00
Pol Henarejos	7d27c4b546	Fix autobuild Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:28:29 +02:00
Pol Henarejos	80b2bab0f8	Granting root to apt Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:23:58 +02:00
Pol Henarejos	79372ced2f	Just install the SDK in the workflow Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:21:42 +02:00
Pol Henarejos	6fc91962bd	Update codeql.yml	2022-08-18 23:13:02 +02:00
Pol Henarejos	fb76c23694	Let's try our autobuild Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 23:00:09 +02:00
Pol Henarejos	fc6c852e09	When used this tool, the device is always reset to default state. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 20:09:23 +02:00
Pol Henarejos	82f61ff1d4	When initialized, the device key (EF_KEY_DEV) is only generated if not found. To generate a new device key, it must be wiped. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 20:08:54 +02:00
Pol Henarejos	64052f4f70	Marked EF_DEV files as persistent to remain permanent. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 20:08:11 +02:00
Pol Henarejos	36c8150f25	Enhanced the procedure for burning the device certificate. When initialized, the device generates a private key in place and stores it encrypted. The publick key is recovered and sent to our PKI, which generates a CV certificate. This CV certificate is stored inside the device, jointly with the DV CVC. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	cb492728ec	Device key now uses SECP256R1 curve. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	fec02ca733	Removing cvcerts.h dependency. A python script gets the public key of the device (EF_EE_DEV) and requests to our PKI for a CVC. Once got, it is updated to EF_TERMCA (0x2f02). termca_pk is now on EF_KEY_DEV and termca is on EF_TERMCA (concat with DICA). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	4e01a78286	Fix OID names. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	538b39386b	List keys returns the DEV key if exists. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	977aced343	Fix OID names. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	83b5753bb5	Fix saving DEV key. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	a57c3b691f	Fix passing DEBUG_APDU flag. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-18 18:17:48 +02:00
Pol Henarejos	648a374ebb	Create codeql.yml	2022-08-17 18:27:55 +02:00
Pol Henarejos	c3568e1211	Create the terminal private key with id = 0. This is the terminal private key, which will be signed by our PKI. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:20:54 +02:00
Pol Henarejos	6a16d4d55c	Fix returning store_keys(); Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:17:06 +02:00
Pol Henarejos	ab2e71cc40	By default, all CVC are self-generated (chr=car). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:16:53 +02:00
Pol Henarejos	f79fe9f7d0	Fix when no DKEK is present. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:16:33 +02:00
Pol Henarejos	6956587106	Add newline at the end of file. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 23:31:09 +02:00
Pol Henarejos	349df56b09	Missing header. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 15:00:05 +02:00
Pol Henarejos	e6f082d512	Splitting cmd_xxx() functions in separate files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 14:59:27 +02:00
Pol Henarejos	87feed1222	Renaming KEK files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 13:47:43 +02:00
Pol Henarejos	55c8a66613	Fix wrap/unwrap keys with specific allowed algorithms. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 02:58:36 +02:00
Pol Henarejos	2e88422c86	Fix deleting KEK when a key is present in the key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:50:22 +02:00
Pol Henarejos	da841b82d4	Fix deleting KEK. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:48:05 +02:00
Pol Henarejos	9256a72c3e	Added XKEK derivation to save the KEK from XKEK key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:55 +02:00
Pol Henarejos	69120cc961	Added cvc_get_ext() to find CVC extensions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:35 +02:00
Pol Henarejos	06aaf58f0b	Added extension optional parameter to be included in the CVC body. This field should be a concatenation of tag 73, which should include an OID and a context. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:07:24 +02:00
Pol Henarejos	12e5a586d2	Adding support for XKEK CVC extension. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 22:18:21 +02:00
Pol Henarejos	0e76ed7077	Adding OID for CVC extensions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 21:12:56 +02:00
Pol Henarejos	be911a7aa7	Clearing hash, just in case. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:55:07 +02:00
Pol Henarejos	0556a528f3	Fix DKEK key domain creation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:51:59 +02:00
Pol Henarejos	de789cef66	Fix Key Domain deletion. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:46:08 +02:00
Pol Henarejos	7208d01547	Adding XKEK Key Domain creation. It validates the membership and creates a XKEK Key Domain. XKEK Key Domains can only be created based on memberships for THAT device. A device can only create XKEK Key Domains with memberships issued for itself. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:36:10 +02:00
Pol Henarejos	46cb0a455d	Fix DKEK are only created when requested and not by default. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 14:01:19 +02:00
Pol Henarejos	300e19b612	Moving to mbedtls_platform_zeroize() for better zeroization. Also added more zeroization when a private/secret key is loaded in memory. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:52:37 +02:00
Pol Henarejos	2666573050	Fix dkek status report when device is initialized without dkek. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:00:27 +02:00
Pol Henarejos	5506b46c9d	Fix finding MKEK file. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:57:08 +02:00
Pol Henarejos	7b27cb7a1c	MKEK is also stored with SO encryption. A copy of MKEK is also stored but encrypted with SO-PIN. Thus, we always ensure that we have an operative copy of MKEK, either with PIN and/or SO-PIN. If user resets PIN, the MKEK is loaded with SO-PIN and stored with the derived key from new PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:41:04 +02:00
Pol Henarejos	84a70a1de0	Adding MKEK_SO file descriptor. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:39:25 +02:00
Pol Henarejos	1756ec49ad	When user resets retry counter and sends the SO-PIN (P1=0x0) it becomes authenticated in this session. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:29:34 +02:00
Pol Henarejos	7b286b04b1	Introducing MKEK (Master Key Encryption Key). MKEK is used to encrypt all keys in the device, regardless of Key Domains or DKEK. From now on, all keys are encrypted using an AES 256-bit secret key. MKEK is also encrypted and stored based on a derived key from PIN. When user introduces the PIN, the MKEK can be unlocked to load the stored private/secret keys. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:20:02 +02:00
Pol Henarejos	a731e88c78	Adding MKEK ef id. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-11 22:59:54 +02:00
Pol Henarejos	ffd31f2ea7	Memset kcv to 0 always when called. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:58:01 +02:00
Pol Henarejos	356eeea505	Added support for ECDH_XKEK. Note that it is unfinished. ECDH_XKEK is utilized for deriving and setting the KEK, based on the calc DH secret. It should not return anything, just SW_OK (this is not what is happening right now). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:51:41 +02:00
Pol Henarejos	34d9469157	When creating XKEK domain, it returns key domain UID. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:29:08 +02:00
Pol Henarejos	36b1bf9875	Added ECDH algorithms for XKEK and AUT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:28:44 +02:00
Pol Henarejos	7badd19a07	Upgrading PICO SDK to v1.4 and adding new boards. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 01:28:39 +02:00