Typo

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/workflows/codeql.yml

@@ -0,0 +1,72 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '23 5 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+        
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    # - name: Autobuild
+    #  uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    - run: |
+       echo "Run, Build Application using script"
+       ./workflows/autobuild.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "pico-ccid"]
-	path = pico-ccid
-	url = https://github.com/polhenarejos/pico-ccid
+[submodule "pico-hsm-sdk"]
+	path = pico-hsm-sdk
+	url = ../pico-hsm-sdk

CMakeLists.txt

@@ -28,74 +28,45 @@ pico_sdk_init()
 
 add_executable(pico_hsm)
 
-if (NOT DEFINED USB_VID)
-    set(USB_VID 0xFEFF)
-endif()
-add_definitions(-DUSB_VID=${USB_VID})
-if (NOT DEFINED USB_PID)
-    set(USB_PID 0xFCFD)
-endif()
-add_definitions(-DUSB_PID=${USB_PID})
-
-find_package( PythonInterp 3.7 REQUIRED )
-        
-if (NOT EXISTS ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvcerts.h)
-    execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_LIST_DIR}/burn-cvcerts.py ${CMAKE_CURRENT_LIST_DIR})
-    message("Burning CVCert")
-endif()
-
-configure_file(${CMAKE_CURRENT_LIST_DIR}/pico-ccid/config/mbedtls_config.h ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/include/mbedtls COPYONLY)
-
 target_sources(pico_hsm PUBLIC
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb/usb.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb/usb_descriptors.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/ccid2040.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/asn1.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/file.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/flash.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs/low_flash.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng/random.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng/neug.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/crypto_utils.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid/eac.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/sc_hsm.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_select.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_list_keys.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_read_binary.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_verify.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_reset_retry.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_challenge.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_external_authenticate.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_mse.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_initialize.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_domain.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_wrap.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_keypair_gen.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_update_ef.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_delete_file.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_change_pin.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_gen.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_signature.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_key_unwrap.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_decrypt_asym.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_cipher_sym.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_derive_asym.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_extras.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_general_authenticate.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_session_pin.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_puk_auth.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_pso.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvc.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/files.c
-        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/dkek.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/kek.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/oid.c
 
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/aes.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/asn1write.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/bignum.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cmac.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cipher.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/cipher_wrap.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/constant_time.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecdsa.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecdh.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecp.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ecp_curves.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/hkdf.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/md.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/md5.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/oid.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/platform_util.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/ripemd160.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/rsa.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/rsa_alt_helpers.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha1.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha256.c
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library/sha512.c
         )
+set(HSM_DRIVER "ccid")
+include(pico-hsm-sdk/pico_hsm_sdk_import.cmake)
 
 target_include_directories(pico_hsm PUBLIC
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/fs
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/ccid
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/rng
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/src/usb
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/include
-        ${CMAKE_CURRENT_LIST_DIR}/pico-ccid/mbedtls/library
         )
 
 target_compile_options(pico_hsm PUBLIC
@@ -105,7 +76,7 @@ target_compile_options(pico_hsm PUBLIC
 
 pico_add_extra_outputs(pico_hsm)
 
-target_link_libraries(pico_hsm PRIVATE pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
+target_link_libraries(pico_hsm PRIVATE pico_hsm_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
 
 #
 #project(flash_nuke C CXX ASM)

Dockerfile

@@ -0,0 +1,54 @@
+FROM debian:bullseye
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update && apt-get install -y \
+	build-essential \
+	git \
+	cmake \
+	gcc-arm-none-eabi \
+	libnewlib-arm-none-eabi \
+	libstdc++-arm-none-eabi-newlib \
+	python3 \
+	python3-pip
+
+RUN useradd -m builduser
+
+USER builduser
+
+WORKDIR /home/builduser
+
+VOLUME /home/builduser/release
+
+ARG VERSION_PICO_SDK 1.4.0
+
+RUN mkdir -p /home/builduser/Devel/pico
+RUN cd /home/builduser/Devel/pico \
+	&& git clone https://github.com/raspberrypi/pico-sdk.git \
+        && cd pico-sdk \
+        && git checkout $VERSION_PICO_SDK \
+        && git submodule update --init --recursive
+
+RUN pip install cryptography
+
+ARG VERSION_MAJOR 2
+ARG VERSION_MINOR 6
+
+RUN cd /home/builduser \
+	&& git clone https://github.com/polhenarejos/pico-hsm.git \
+	&& cd pico-hsm \
+	&& git checkout v${VERSION_MAJOR}.${VERSION_MINOR} \
+	&& git submodule update --init --recursive \
+	&& mkdir build_release
+
+ENV PICO_SDK_PATH /home/builduser/Devel/pico/pico-sdk
+
+
+
+ARG USB_VID 0xfeff
+ARG USB_PID 0xfcfd
+
+ARG PICO_BOARD waveshare_rp2040_zero 
+
+RUN cd /home/builduser/pico-hsm \
+	&& cd build_release \
+	&& cmake .. -DPICO_BOARD=$PICO_BOARD -DUSB_VID=${USB_VID} -DUSB_PID=${USB_PID} \
+	&& make -kj20

README.md

@@ -2,111 +2,111 @@
 This is a project to create a Hardware Security Module (HSM) with a Raspberry Pico. It converts your Pico board into a HSM which is able to generate and store private keys, encrypt or decrypt with AES or signing data without to disclose the private key. In detail, the private key never leaves the board and it cannot be retrieved as it is encrypted in the flash memory.
 
 ## Capabilities
-### Key generation and encrypted storage
+### > Key generation and encrypted storage
 Private and secret keys are stored with a master AES 256 key (DKEK). The DKEK is, at the same time, encrypted with a hashed and salted version of the PIN.
 **No private/secret keys, DKEK or PIN are stored in plain text ever. Never.**
 
-### RSA key generation from 1024 to 4096 bits
+### > RSA key generation from 1024 to 4096 bits
 RSA key generation in place for 1024, 2048, 3072 and 4096 bits. Private keys never leave the device.
 
-### ECDSA key generation from 192 to 521 bits
+### > ECDSA key generation from 192 to 521 bits
 ECDSA key generation in place for different curves, from 192 to 521 bits.
 
-### ECC curves
+### > ECC curves
 It supports secp192r1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1 (insecure), secp256k1 curves.
 
-### SHA1, SHA224, SHA256, SHA384, SHA512 digests
+### > SHA1, SHA224, SHA256, SHA384, SHA512 digests
 ECDSA and RSA signature can be combined with SHA digest in place.
 
-### Multiple RSA signature algorithms
+### > Multiple RSA signature algorithms
 It supports RSA-PSS, RSA-PKCS and raw RSA signatures.
 
-### ECDSA raw and hash signature
+### > ECDSA raw and hash signature
 ECDSA signatures can be in raw or pre-hashed formats.
 
-### ECDH key derivation
+### > ECDH key derivation
 It supports the calculation of shared secrets with ECDH algorithm.
 
-### EC private key derivation
+### > EC private key derivation
 It allows ECDSA key derivation.[^1]
 
-### RSA-OEP and RSA-X-509 decryption
+### > RSA-OEP and RSA-X-509 decryption
 It allows private decryption in place with RSA-OEP and RSA-X-509 algorithms.
 
-### AES key generation
+### > AES key generation
 It supports AES key generation in place with keys of 128, 192 and 256 bits.
 
-### AES-CBC encryption/decryption
+### > AES-CBC encryption/decryption
 AES encryption and decryption is performed in place.
 
-### CMAC
+### > CMAC
 It supports AES-CMAC authentication.[^1]
 
-### AES derivation
+### > AES derivation
 It supports AES secret key derivation.[^1]
 
-### PIN authorization
+### > PIN authorization
 Private and secret keys cannot be used without prior PIN authentication. It supports alphanumeric PIN.
 
-### PKCS11 compliant interface
+### > PKCS11 compliant interface
 The module can be interfaced with PKCS11 standard.
 
-### HRNG (hardware random number generator)
+### > HRNG (hardware random number generator)
 It contains a harware random number generator properly modeled to guarantee maximum entropy.
 
-### Device Key Encryption Key (DKEK) shares
+### > Device Key Encryption Key (DKEK) shares
 It supports DKEK share imports. DKEK are used to wrap, unwrap and encrypt private and secret keys in the device.
 
-### DKEK n-of-m threshold scheme
+### > DKEK n-of-m threshold scheme
 It supports a n-of-m threshold scheme to minimize outage when a DKEK custodian is not available during the import process.
 
-### USB/CCID support with OpenSC, openssl, etc.
+### > USB/CCID support with OpenSC, openssl, etc.
 Pico HSM has a full USB CCID stack to communicate with the host via OpenSC and PCSC. It allows the use of frontend applications such as OpenSSL via PKCS11 module.
 
-### Extended APDU support
+### > Extended APDU support
 It supports extended APDU packets, which allows up to 65535 bytes.
 
-### CVC certificates
+### > CV Certificates
 Pico HSM manipulates CVC certificates and requests to minimize the storage of internal certificates.
 
-### Attestation
+### > Attestation
 Every generated key is attached to a certificate, signed by an external PKI to ensure that a particular key is effectively generated by this specific device.
 
-### Import external private keys and certificates
+### > Import external private keys and certificates
 It allows private key and certificates import via WKY or PKCS#12 files.[^2][^3]
 
-### Tranport PIN
+### > Tranport PIN
 It allows transport PIN for provisioning and forcing to set a new PIN.[^2] It is a tampered mechanism that ensures the device has not been unsealed during the transportation from the issuer to the legitimate user.
 
-### Press-to-confirm button
+### > Press-to-confirm button
 It allows the use of BOOTSEL button to confirm operations with private/secret keys, such as signatures and decryption. When a private/secret key is loaded, the user has 15 seconds to press the button to confirm the operation.
 This feature protects the user from unwanted uses from background applications that may sign data without user notice.
 
-### Store and retrieve binary data
+### > Store and retrieve binary data
 It allows the storage of arbitrary files with binary data.
 
-### Real time clock (RTC)
+### > Real time clock (RTC)
 Pico HSM has a RTC with external datetime setting and getting.
 
-### Secure Messaging (secure channel)
+### > Secure Messaging (secure channel)
 Pico HSM supports secure channel, where the data packets between the host and device are encrypted to avoid man-in-the-middle attacks.
 
-### Session PIN
+### > Session PIN
 A specific session PIN can be set during the session opening to avoid the systemmatic use of PIN.
 
-### PKI CVCert remote issuing for Secure Message
+### > PKI CVCert remote issuing for Secure Message
 Secure channel messages are secured with a certificate issued by an external PKI.
 
-### Multiple key domains
+### > Multiple key domains
 Key domains are domains to store separate private/secret keys. Each domain is protected by a DKEK, independent from the other domains. Private/secret keys can be generated in different key domains to be used with separated DKEK.
 Therefore, a single device may contain different domains with independent keys.
 
-### Key usage counter
+### > Key usage counter
 A key usage counter is a counter that is reduced by 1 everytime that the private/secret key is used for signing, decrypting, derivation, etc. When it reaches 0, the key is disabled and cannot be used anymore.
 
 Key usage can also be used to perform and auditory and track the usage of a particular key.
 
-### Public Key Authentication
+### > Public Key Authentication
 Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
 
 In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
@@ -145,6 +145,30 @@ Note that `PICO_BOARD`, `USB_VID` and `USB_PID` are optional. If not provided, `
 
 After `make` ends, the binary file `pico_hsm.uf2` will be generated. Put your pico board into loading mode, by pushing `BOOTSEL` button while pluging on, and copy the UF2 to the new fresh usb mass storage Pico device. Once copied, the pico mass storage will be disconnected automatically and the pico board will reset with the new firmware. A blinking led will indicate the device is ready to work.
 
+### Docker
+Independent from your Linux distribution or when using another OS that supports Docker, you could build a specific pico-hsm version in a Linux container.
+
+
+```
+sudo docker build \
+    --build-arg VERSION_PICO_SDK=1.4.0 \
+    --build-arg VERSION_MAJOR=2 \
+    --build-arg VERSION_MINOR=6 \
+    --build-arg PICO_BOARD=waveshare_rp2040_zero \
+    --build-arg USB_VID=0xfeff \
+    --build-arg USB_PID=0xfcfd \
+    -t pico-hsm-builder .
+
+sudo docker run \
+    --name mybuild \
+    -it pico-hsm-builder \
+    ls -l /home/builduser/pico-hsm/build_release/pico_hsm.uf2
+
+sudo docker cp mybuild:/home/builduser/pico-hsm/build_release/pico_hsm.uf2 .
+
+sudo docker rm mybuild
+```
+
 ## Usage
 The firmware uploaded to the Pico contains a reader and a virtual smart card. It is like having a physical reader with an inserted SIM card.
 We recommend the use of [OpenSC](http://github.com/opensc/opensc/ "OpenSC") to communicate with the reader. If it is not installed, you can download and build it or install the binaries for your system. The first command is to ensure that the Pico is detected as a HSM:

build_pico_hsm.sh

@@ -1,12 +1,49 @@
 #!/bin/bash
 
-VERSION_MAJOR="2"
-VERSION_MINOR="6"
+VERSION_MAJOR="3"
+VERSION_MINOR="0"
 
 rm -rf release/*
 cd build_release
 
-for board in adafruit_feather_rp2040 adafruit_itsybitsy_rp2040 adafruit_qtpy_rp2040 adafruit_trinkey_qt2040 arduino_nano_rp2040_connect melopero_shake_rp2040 pimoroni_interstate75 pimoroni_keybow2040 pimoroni_pga2040 pimoroni_picolipo_4mb pimoroni_picolipo_16mb pimoroni_picosystem pimoroni_plasma2040 pimoroni_tiny2040 pybstick26_rp2040 sparkfun_micromod sparkfun_promicro sparkfun_thingplus vgaboard waveshare_rp2040_lcd_0.96 waveshare_rp2040_plus_4mb waveshare_rp2040_plus_16mb waveshare_rp2040_zero
+for board in adafruit_feather_rp2040 \
+    adafruit_itsybitsy_rp2040 \
+    adafruit_kb2040 \
+    adafruit_macropad_rp2040 \
+    adafruit_qtpy_rp2040 \
+    adafruit_trinkey_qt2040 \
+    arduino_nano_rp2040_connect \
+    datanoisetv_rp2040_dsp \
+    eetree_gamekit_rp2040 \
+    garatronic_pybstick26_rp2040 \
+    melopero_shake_rp2040 \
+    pico \
+    pico_w \
+    pimoroni_badger2040 \
+    pimoroni_interstate75 \
+    pimoroni_keybow2040 \
+    pimoroni_motor2040 \
+    pimoroni_pga2040 \
+    pimoroni_picolipo_4mb \
+    pimoroni_picolipo_16mb \
+    pimoroni_picosystem \
+    pimoroni_plasma2040 \
+    pimoroni_servo2040 \
+    pimoroni_tiny2040 \
+    pimoroni_tiny2040_2mb \
+    seeed_xiao_rp2040 \
+    solderparty_rp2040_stamp \
+    solderparty_rp2040_stamp_carrier \
+    solderparty_rp2040_stamp_round_carrier \
+    sparkfun_micromod \
+    sparkfun_promicro \
+    sparkfun_thingplus \
+    vgaboard \
+    waveshare_rp2040_lcd_0.96 \
+    waveshare_rp2040_plus_4mb \
+    waveshare_rp2040_plus_16mb \
+    waveshare_rp2040_zero \
+    wiznet_w5100s_evb_pico
 do
     rm -rf *
     PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake .. -DPICO_BOARD=$board
@@ -14,8 +51,3 @@ do
     mv pico_hsm.uf2 ../release/pico_hsm_$board-$VERSION_MAJOR.$VERSION_MINOR.uf2
 
 done
-
-rm -rf *
-PICO_SDK_PATH=~/Devel/pico/pico-sdk cmake ..
-make -kj20
-mv pico_hsm.uf2 ../release/pico_hsm_pico_generic-$VERSION_MAJOR.$VERSION_MINOR.uf2

burn-cvcerts.py

@@ -1,116 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-"""
-Created on Wed Apr 13 20:15:01 2022
-
-@author: Pol Henarejos
-"""
-
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import ec
-import base64
-import urllib.request
-import json
-import sys
-import ssl
-
-ssl._create_default_https_context = ssl._create_unverified_context
-
-def print_var(v, name):
-    s = '\n'
-    s += "static const unsigned char "+name+"[] = {\n"
-    s += "\t0x{:02x},0x{:02x},\n".format((len(v) & 0xff),((len(v)>> 8) & 0xff))
-    for i in range(len(v)):
-        if (i%16 == 0):
-            s += '\t'
-        s += "0x{:02x}".format((v[i]))
-        if (i < len(v)-1):
-            s += ','
-        if (i%16 == 15):
-            s += '\n'
-    s += '\n'
-    s += '};\n'
-    return s
-
-def main():
-    args = sys.argv[1:]
-    
-    private_key = ec.generate_private_key(ec.SECP192R1(), default_backend())
-    public_key = private_key.public_key()
-    pub_num = public_key.public_numbers()
-    pbk = base64.urlsafe_b64encode(b'\x04'+pub_num.x.to_bytes(24,'big')+pub_num.y.to_bytes(24,'big'))
-    
-    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
-    
-    data = urllib.parse.urlencode({'pubkey':pbk}).encode()
-    req = urllib.request.Request("https://www.henarejos.me/pico-hsm.php", method='POST', data=data, headers={'User-Agent':user_agent,} ) #The assembled request
-    response = urllib.request.urlopen(req)
-    resp = response.read().decode('utf-8')
-    j = json.loads(resp)
-    cvcert = base64.b64decode(j['cvcert'])
-    
-    dica = [
-        0x7f,0x21,0x81,0xc5,0x7f,0x4e,0x81,0x8e,0x5f,0x29,0x01,0x00,0x42,0x0e,0x45,0x53,
-        0x43,0x56,0x43,0x41,0x48,0x53,0x4d,0x30,0x30,0x30,0x30,0x31,0x7f,0x49,0x3f,0x06,
-        0x0a,0x04,0x00,0x7f,0x00,0x07,0x02,0x02,0x02,0x02,0x03,0x86,0x31,0x04,0x93,0x7e,
-        0xdf,0xf1,0xa6,0xd2,0x40,0x7e,0xb4,0x71,0xb2,0x97,0x50,0xdb,0x7e,0xe1,0x70,0xfb,
-        0x6c,0xcd,0x06,0x47,0x2a,0x3e,0x9c,0x8d,0x59,0x56,0x57,0xbe,0x11,0x11,0x0a,0x08,
-        0x81,0x54,0xed,0x22,0xc0,0x83,0xac,0xa1,0x2e,0x39,0x7b,0xd4,0x65,0x1f,0x5f,0x20,
-        0x0e,0x45,0x53,0x44,0x56,0x43,0x41,0x48,0x53,0x4d,0x30,0x30,0x30,0x30,0x31,0x7f,
-        0x4c,0x12,0x06,0x09,0x04,0x00,0x7f,0x00,0x07,0x03,0x01,0x02,0x02,0x53,0x05,0x80,
-        0x00,0x00,0x00,0x04,0x5f,0x25,0x06,0x02,0x02,0x00,0x03,0x02,0x07,0x5f,0x24,0x06,
-        0x02,0x05,0x01,0x02,0x03,0x01,0x5f,0x37,0x30,0x8b,0xb2,0x01,0xb6,0x24,0xfe,0xe5,
-        0x4e,0x65,0x3a,0x02,0xa2,0xb2,0x27,0x2d,0x3d,0xb4,0xb0,0xc9,0xdd,0xbf,0x10,0x6d,
-        0x99,0x49,0x46,0xd6,0xd0,0x72,0xc1,0xf3,0x4c,0xab,0x4f,0x32,0x14,0x7c,0xb0,0x99,
-        0xb7,0x33,0x70,0xd6,0x00,0xff,0x73,0x0c,0x5d
-    ]
-    
-    cvca = [
-        0x7f, 0x21, 0x82, 0x01, 0x65, 0x7f, 0x4e, 0x82, 0x01, 0x2d, 0x5f, 0x29,
-        0x01, 0x00, 0x42, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41, 0x48, 0x53,
-        0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x49, 0x81, 0xdd, 0x06, 0x0a,
-        0x04, 0x00, 0x7f, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03, 0x81, 0x18,
-        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0x82, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-        0xff, 0xfc, 0x83, 0x18, 0x64, 0x21, 0x05, 0x19, 0xe5, 0x9c, 0x80, 0xe7,
-        0x0f, 0xa7, 0xe9, 0xab, 0x72, 0x24, 0x30, 0x49, 0xfe, 0xb8, 0xde, 0xec,
-        0xc1, 0x46, 0xb9, 0xb1, 0x84, 0x31, 0x04, 0x18, 0x8d, 0xa8, 0x0e, 0xb0,
-        0x30, 0x90, 0xf6, 0x7c, 0xbf, 0x20, 0xeb, 0x43, 0xa1, 0x88, 0x00, 0xf4,
-        0xff, 0x0a, 0xfd, 0x82, 0xff, 0x10, 0x12, 0x07, 0x19, 0x2b, 0x95, 0xff,
-        0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73,
-        0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, 0x85, 0x18, 0xff, 0xff, 0xff,
-        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x99, 0xde, 0xf8,
-        0x36, 0x14, 0x6b, 0xc9, 0xb1, 0xb4, 0xd2, 0x28, 0x31, 0x86, 0x31, 0x04,
-        0x08, 0x8f, 0xcd, 0xfc, 0xce, 0x87, 0xed, 0xd2, 0x85, 0x92, 0x06, 0x15,
-        0xe6, 0x51, 0xd7, 0x64, 0x52, 0xd8, 0x57, 0xec, 0xbb, 0x40, 0x8c, 0x32,
-        0x7a, 0xdb, 0x48, 0xa2, 0xa5, 0x14, 0xc1, 0xc9, 0xbd, 0x77, 0xcc, 0x97,
-        0x83, 0x60, 0x7a, 0x74, 0x14, 0x93, 0xa7, 0x42, 0x74, 0x4a, 0xd1, 0x73,
-        0x87, 0x01, 0x01, 0x5f, 0x20, 0x0e, 0x45, 0x53, 0x43, 0x56, 0x43, 0x41,
-        0x48, 0x53, 0x4d, 0x30, 0x30, 0x30, 0x30, 0x31, 0x7f, 0x4c, 0x12, 0x06,
-        0x09, 0x04, 0x00, 0x7f, 0x00, 0x07, 0x03, 0x01, 0x02, 0x02, 0x53, 0x05,
-        0xc0, 0x00, 0x00, 0x00, 0x04, 0x5f, 0x25, 0x06, 0x02, 0x02, 0x00, 0x03,
-        0x02, 0x06, 0x5f, 0x24, 0x06, 0x03, 0x00, 0x01, 0x02, 0x03, 0x01, 0x5f,
-        0x37, 0x30, 0x72, 0x97, 0x77, 0x76, 0x64, 0xb6, 0x0c, 0x57, 0xa2, 0xc4,
-        0x5e, 0x7b, 0xfd, 0x12, 0xe5, 0x20, 0x14, 0x3e, 0xde, 0x90, 0x38, 0xbf,
-        0xb3, 0x02, 0x73, 0x91, 0x06, 0xf2, 0x73, 0x0d, 0x76, 0x06, 0x65, 0xd7,
-        0x46, 0x49, 0x91, 0x0c, 0x51, 0x90, 0x89, 0x84, 0x8d, 0x4f, 0xb6, 0xe5,
-        0x13, 0x40
-    ]
-    
-    s = '#ifndef _CVCERTS_H_\n#define _CVCERTS_H_\n'
-    s += print_var(cvca,'cvca')
-    s += print_var(dica,'dica')
-    s += print_var(cvcert,'termca')
-    
-    pvk = private_key.private_numbers().private_value.to_bytes(24,'big')
-    s += print_var(pvk,'termca_pk')
-    s += '\n#endif\n'
-    f = open(args[0] + '/src/hsm/cvcerts.h','w')
-    f.write(s)
-    f.close()
-    
-if __name__ == '__main__':
-    main()

doc/public_key_authentication.md

@@ -86,7 +86,7 @@ sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1
 
 and PKA and PIN are enabled, jointly with DKEK protection.
 
-### With SCS3
+### With SCS3
 
 Unfortunately, SCS3 does not allow to initialize the device with PKA and PIN at the same time, though it can be achieved in separated steps:
 

doc/scs3.md

@@ -13,7 +13,7 @@ However, SCS3 only works with those HSM manufactured by CardContact. The check i
 Pico HSM is shipped with its own CA certificates. To load this certificate onto the trust store of SCS3, the following line has to be appended to `SmartCardHSM.rootCerts` variable, near line `235` in the file `scs3/scsh/sc-hsm/SmartCardHSM.js`.
 
 ```
-ESCVCAHSM00001: new CVC(new ByteString("7F218201657F4E82012D5F290100420E45534356434148534D30303030317F4981DD060A04007F000702020202038118FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF8218FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC831864210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1843104188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E7948118518FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831863104088FCDFCCE87EDD285920615E651D76452D857ECBB408C327ADB48A2A514C1C9BD77CC9783607A741493A742744AD1738701015F200E45534356434148534D30303030317F4C12060904007F0007030102025305C0000000045F25060202000302065F24060300010203015F37307297777664B60C57A2C45E7BFD12E520143EDE9038BFB302739106F2730D760665D74649910C519089848D4FB6E51340", HEX))
+ESPICOHSMCA00001: new CVC(new ByteString("7F218201BA7F4E8201725F290100421045535049434F48534D434130303030317F4982011D060A04007F000702020202038120FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF8220FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC83205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B8441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F58520FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC6325518641046A82C0A4FEAF41D6A1336AE7E992D81AD4F827929145DD0D777E1AB63D7E3325C8F7DAC0F74B6EAE13A72F6366777EC133AC5C28F456868E5F2C315044EB54EF8701015F201045535049434F48534D434130303030317F4C12060904007F0007030102025305C0000000005F25060202000801085F24060203000801085F3740601E974F57DDE060875FE6121AEF5BC02E10FC655311C7A32CA822FD18E53A80298EDC56E0D5EBF38FB470DC12987B1600AE91A0ADB5B22C4D80080782E278AD", HEX))
 ```
 
 Therefore, the whole variable becomes:
@@ -22,26 +22,27 @@ Therefore, the whole variable becomes:
 SmartCardHSM.rootCerts = {
 	DESRCACC100001: new CVC(new ByteString("7F218201B47F4E82016C5F290100420E44455352434143433130303030317F4982011D060A04007F000702020202038120A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E537782207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9832026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B68441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F0469978520A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A78641046D025A8026CDBA245F10DF1B72E9880FFF746DAB40A43A3D5C6BEBF27707C30F6DEA72430EE3287B0665C1EAA6EAA4FA26C46303001983F82BD1AA31E03DA0628701015F200E44455352434143433130303030317F4C10060B2B0601040181C31F0301015301C05F25060102010100095F24060302010100085F37409DBB382B1711D2BAACB0C623D40C6267D0B52BA455C01F56333DC9554810B9B2878DAF9EC3ADA19C7B065D780D6C9C3C2ECEDFD78DEB18AF40778ADF89E861CA", HEX)),
 	UTSRCACC100001: new CVC(new ByteString("7F218201B47F4E82016C5F290100420E55545352434143433130303030317F4982011D060A04007F000702020202038120A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E537782207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9832026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B68441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F0469978520A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7864104A041FEB2FD116B2AD19CA6B7EACD71C9892F941BB88D67DCEEC92501F070011957E22122BA6C2CF5FF02936F482E35A6129CCBBA8E9383836D3106879C408EF08701015F200E55545352434143433130303030317F4C10060B2B0601040181C31F0301015301C05F25060102010100095F24060302010100085F3740914DD0FA00615C44048D1467435400423A4AD1BD37FD98D6DE84FD8037489582325C72956D4FDFABC6EDBA48184A754F37F1BE5142DD1C27D66569308CE19AAF", HEX)),
-	ESCVCAHSM00001: new CVC(new ByteString("7F218201657F4E82012D5F290100420E45534356434148534D30303030317F4981DD060A04007F000702020202038118FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF8218FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC831864210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1843104188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF101207192B95FFC8DA78631011ED6B24CDD573F977A11E7948118518FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831863104088FCDFCCE87EDD285920615E651D76452D857ECBB408C327ADB48A2A514C1C9BD77CC9783607A741493A742744AD1738701015F200E45534356434148534D30303030317F4C12060904007F0007030102025305C0000000045F25060202000302065F24060300010203015F37307297777664B60C57A2C45E7BFD12E520143EDE9038BFB302739106F2730D760665D74649910C519089848D4FB6E51340", HEX))
+	ESPICOHSMCA00001: new CVC(new ByteString("7F218201BA7F4E8201725F290100421045535049434F48534D434130303030317F4982011D060A04007F000702020202038120FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF8220FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC83205AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B8441046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F58520FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC6325518641046A82C0A4FEAF41D6A1336AE7E992D81AD4F827929145DD0D777E1AB63D7E3325C8F7DAC0F74B6EAE13A72F6366777EC133AC5C28F456868E5F2C315044EB54EF8701015F201045535049434F48534D434130303030317F4C12060904007F0007030102025305C0000000005F25060202000801085F24060203000801085F3740601E974F57DDE060875FE6121AEF5BC02E10FC655311C7A32CA822FD18E53A80298EDC56E0D5EBF38FB470DC12987B1600AE91A0ADB5B22C4D80080782E278AD", HEX))
 }
 ```
 
 Similarly, replace the line `1531` in file `scs3/keymanager/keymanager.js` with:
 
 ```
-	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESCVCAHSM00001.getPublicKey()), dicacert.getPublicKeyOID()));
+	assert(devcert.verifyWith(this.crypto, dicacert.getPublicKey(SmartCardHSM.rootCerts.ESPICOHSMCA00001.getPublicKey()), dicacert.getPublicKeyOID()));
 ```
 
-Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt) can be applied.
+
+Alternatively, this patch [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/9415877/scs3.patch.txt) can be applied.
 
 After this ammendment, the program can be started and the KeyManager can be invoked (CTRL+M) and it will output something similar to:
 ```
 >load("keymanager/keymanager.js");
 
-SmartCard-HSM Version 1.6 on JCOP          Free memory 217104 byte
-Issuer Certificate : CVC id-AT DV (official domestic) CAR=ESCVCAHSM00001 CHR=ESDVCAHSM00001 CED=27 / de març / 2022 CXD=31 / de desembre / 2025 
-Device Certificate : CVC id-AT Terminal CAR=ESDVCAHSM00001 CHR=ESTERMHSM00001 CED=27 / de març / 2022 CXD=31 / de desembre / 2023 
-Default Key Domain : 0F89B400975EDD2D425ABF85F2FBD318779B3D85475E65D4
+SmartCard-HSM Version 2.6 on JCOP          Free memory 215512 byte
+Issuer Certificate : CVC id-AT DV (official domestic) CAR=ESPICOHSMCA00001 CHR=ESPICOHSMDV00001 CED=18 / d’agost / 2022 CXD=14 / de juny / 2023 
+Device Certificate : CVC id-AT Terminal CAR=ESPICOHSMDV00001 CHR=ESPICOHSMTRYZRGW CED=22 / d’agost / 2022 CXD=22 / d’agost / 2023 
+Default Key Domain : 223CD8D8F794889AC163305881BF8C04960BBB8658120491F1C0601F6BF97183
 -------------------------------------------------------------------
 Please right-click on nodes in the outline to see possible actions.
 For most operations you will need to authenticate first using a

doc/usage.md

@@ -22,15 +22,15 @@ init=0
 PIN=648219
 ```
 `opensc-pkcs11.so` can be replaced by `libsc-hsm-pkcs11.so` if desired.
-* **sc-hsm-tool**: from OpenSC. Used to initialize the device.
+* **pico-hsm-tool**: Used to initialize the device.
 * **opensc-tool**: from OpenSC. Used to list and detect the reader with the HSM.
 
 [^1]: `openssl version -a` will return the `OPENSSLDIR`, which contains `openssl.cnf` file and `ENGINESDIR`, which contains the p11 engine.
 
 ## Initialization
-The first step is to initialize the HSM:
+The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder:
 ```
-$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
+$ python3 pico-hsm-tool initialize --so-pin 3537363231383830 --pin 648219
 ```
 The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked.
 The PIN accepts from 6 to 16 characters.

src/hsm/cmd_challenge.c

@@ -0,0 +1,33 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "random.h"
+#include "sc_hsm.h"
+
+uint8_t challenge[256];
+uint8_t challenge_len = 0;
+
+int cmd_challenge() {
+    uint8_t *rb = (uint8_t *)random_bytes_get(apdu.ne);
+    if (!rb)
+        return SW_WRONG_LENGTH();
+    memcpy(res_APDU, rb, apdu.ne);
+    challenge_len = MIN(apdu.ne, sizeof(challenge));
+    memcpy(challenge, rb, challenge_len);
+    res_APDU_size = apdu.ne;
+    return SW_OK();
+}

src/hsm/cmd_change_pin.c

@@ -0,0 +1,67 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_change_pin() {
+    if (P1(apdu) == 0x0) {
+        if (P2(apdu) == 0x81 || P2(apdu) == 0x88) {
+            file_t *file_pin = NULL;
+            if (P2(apdu) == 0x81)
+                file_pin = file_pin1;
+            else if (P2(apdu) == 0x88)
+                file_pin = file_sopin;
+            if (!file_pin) {
+                return SW_FILE_NOT_FOUND();
+            }
+            if (!file_has_data(file_pin)) {
+                return SW_REFERENCE_NOT_FOUND();
+            }
+            uint8_t pin_len = file_read_uint8(file_get_data(file_pin));
+            int r = check_pin(file_pin, apdu.data, pin_len);
+            if (r != 0x9000)
+                return r;
+            uint8_t mkek[MKEK_SIZE];
+            r = load_mkek(mkek); //loads the MKEK with old pin
+            if (r != CCID_OK)
+                return SW_EXEC_ERROR();
+            //encrypt MKEK with new pin
+
+            if (P2(apdu) == 0x81) {
+                hash_multi(apdu.data+pin_len, apdu.nc-pin_len, session_pin);
+                has_session_pin = true;
+            }
+            else if (P2(apdu) == 0x88) {
+                hash_multi(apdu.data+pin_len, apdu.nc-pin_len, session_sopin);
+                has_session_sopin = true;
+            }
+            r = store_mkek(mkek);
+            release_mkek(mkek);
+            if (r != CCID_OK)
+                return SW_EXEC_ERROR();
+            uint8_t dhash[33];
+            dhash[0] = apdu.nc-pin_len;
+            double_hash_pin(apdu.data+pin_len, apdu.nc-pin_len, dhash+1);
+            flash_write_data_to_file(file_pin, dhash, sizeof(dhash));
+            low_flash_available();
+            return SW_OK();
+        }
+    }
+    return SW_WRONG_P1P2();
+}

src/hsm/cmd_cipher_sym.c

@@ -0,0 +1,113 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/cmac.h"
+#include "mbedtls/hkdf.h"
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_cipher_sym() {
+    int key_id = P1(apdu);
+    int algo = P2(apdu);
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    if (!ef)
+        return SW_FILE_NOT_FOUND();
+    if (key_has_purpose(ef, algo) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if ((apdu.nc % 16) != 0) {
+        return SW_WRONG_LENGTH();
+    }
+    if (wait_button_pressed() == true) // timeout
+        return SW_SECURE_MESSAGE_EXEC_ERROR();
+    int key_size = file_get_size(ef);
+    uint8_t kdata[32]; //maximum AES key size
+    memcpy(kdata, file_get_data(ef), key_size);
+    if (mkek_decrypt(kdata, key_size) != 0) {
+        return SW_EXEC_ERROR();
+    }
+    if (algo == ALGO_AES_CBC_ENCRYPT || algo == ALGO_AES_CBC_DECRYPT) {
+        mbedtls_aes_context aes;
+        mbedtls_aes_init(&aes);
+        uint8_t tmp_iv[IV_SIZE];
+        memset(tmp_iv, 0, sizeof(tmp_iv));
+        if (algo == ALGO_AES_CBC_ENCRYPT) {
+            int r = mbedtls_aes_setkey_enc(&aes, kdata, key_size*8);
+            if (r != 0) {
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+            r = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, apdu.nc, tmp_iv, apdu.data, res_APDU);
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            if (r != 0) {
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+        }
+        else if (algo == ALGO_AES_CBC_DECRYPT) {
+            int r = mbedtls_aes_setkey_dec(&aes, kdata, key_size*8);
+            if (r != 0) {
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+            r = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, apdu.nc, tmp_iv, apdu.data, res_APDU);
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            if (r != 0) {
+                mbedtls_aes_free(&aes);
+                return SW_EXEC_ERROR();
+            }
+        }
+        res_APDU_size = apdu.nc;
+        mbedtls_aes_free(&aes);
+    }
+    else if (algo == ALGO_AES_CMAC) {
+        const mbedtls_cipher_info_t *cipher_info;
+        if (key_size == 16)
+            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB);
+        else if (key_size == 24)
+            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_192_ECB);
+        else if (key_size == 32)
+            cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_ECB);
+        else {
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            return SW_WRONG_DATA();
+        }
+        int r = mbedtls_cipher_cmac(cipher_info, kdata, key_size*8, apdu.data, apdu.nc, res_APDU);
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+        if (r != 0)
+            return SW_EXEC_ERROR();
+        res_APDU_size = 16;
+    }
+    else if (algo == ALGO_AES_DERIVE) {
+        int r = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), NULL, 0, file_get_data(ef), key_size, apdu.data, apdu.nc, res_APDU, apdu.nc);
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+        if (r != 0)
+            return SW_EXEC_ERROR();
+        res_APDU_size = apdu.nc;
+    }
+    else {
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+        return SW_WRONG_P1P2();
+    }
+    return SW_OK();
+}

src/hsm/cmd_decrypt_asym.c

@@ -0,0 +1,170 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/ecdh.h"
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+#include "files.h"
+#include "asn1.h"
+#include "cvc.h"
+#include "random.h"
+#include "oid.h"
+
+int cmd_decrypt_asym() {
+    int key_id = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    if (!ef)
+        return SW_FILE_NOT_FOUND();
+    if (get_key_counter(ef) == 0)
+        return SW_FILE_FULL();
+    if (key_has_purpose(ef, p2) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if (p2 >= ALGO_RSA_DECRYPT && p2 <= ALGO_RSA_DECRYPT_OEP) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+        if (p2 == ALGO_RSA_DECRYPT_OEP)
+            mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_NONE);
+        int r = load_private_key_rsa(&ctx, ef);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        int key_size = file_get_size(ef);
+        if (apdu.nc < key_size) //needs padding
+            memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
+        if (p2 == ALGO_RSA_DECRYPT_PKCS1 || p2 == ALGO_RSA_DECRYPT_OEP) {
+            size_t olen = apdu.nc;
+            r = mbedtls_rsa_pkcs1_decrypt(&ctx, random_gen, NULL, &olen, apdu.data, res_APDU, 512);
+            if (r == 0)
+                res_APDU_size = olen;
+        }
+        else {
+            r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
+            if (r == 0)
+                res_APDU_size = key_size;
+        }
+        if (r != 0) {
+            mbedtls_rsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_rsa_free(&ctx);
+    }
+    else if (p2 == ALGO_EC_DH || p2 == ALGO_EC_DH_XKEK) {
+        mbedtls_ecdh_context ctx;
+        if (wait_button_pressed() == true) //timeout
+            return SW_SECURE_MESSAGE_EXEC_ERROR();
+        int key_size = file_get_size(ef);
+        uint8_t *kdata = (uint8_t *)calloc(1,key_size);
+        memcpy(kdata, file_get_data(ef), key_size);
+        if (mkek_decrypt(kdata, key_size) != 0) {
+            mbedtls_platform_zeroize(kdata, key_size);
+            free(kdata);
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_ecdh_init(&ctx);
+        mbedtls_ecp_group_id gid = kdata[0];
+        int r = 0;
+        r = mbedtls_ecdh_setup(&ctx, gid);
+        if (r != 0) {
+            mbedtls_platform_zeroize(kdata, key_size);
+            mbedtls_ecdh_free(&ctx);
+            free(kdata);
+            return SW_DATA_INVALID();
+        }
+        r = mbedtls_mpi_read_binary(&ctx.ctx.mbed_ecdh.d, kdata+1, key_size-1);
+        mbedtls_platform_zeroize(kdata, key_size);
+        free(kdata);
+        if (r != 0) {
+            mbedtls_ecdh_free(&ctx);
+            return SW_DATA_INVALID();
+        }
+        r = -1;
+        if (p2 == ALGO_EC_DH)
+            r = mbedtls_ecdh_read_public(&ctx, apdu.data-1, apdu.nc+1);
+        else if (p2 == ALGO_EC_DH_XKEK) {
+            size_t pub_len = 0;
+            const uint8_t *pub = cvc_get_pub(apdu.data, apdu.nc, &pub_len);
+            if (pub) {
+                size_t t86_len = 0;
+                const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
+                if (t86) {
+                    r = mbedtls_ecdh_read_public(&ctx, t86-1, t86_len+1);
+                }
+            }
+        }
+        if (r != 0) {
+            mbedtls_ecdh_free(&ctx);
+            return SW_DATA_INVALID();
+        }
+        size_t olen = 0;
+        res_APDU[0] = 0x04;
+        r = mbedtls_ecdh_calc_secret(&ctx, &olen, res_APDU+1, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
+        if (r != 0) {
+            mbedtls_ecdh_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        if (p2 == ALGO_EC_DH)
+            res_APDU_size = olen+1;
+        else {
+            res_APDU_size = 0;
+            size_t ext_len = 0;
+            const uint8_t *ext = NULL;
+            if ((ext = cvc_get_ext(apdu.data, apdu.nc, &ext_len)) == NULL)
+                return SW_WRONG_DATA();
+            uint8_t *p = NULL, *tag_data = NULL, *kdom_uid = NULL;
+            uint16_t tag = 0;
+            size_t tag_len = 0, kdom_uid_len = 0;
+            while (walk_tlv(ext, ext_len, &p, &tag, &tag_len, &tag_data)) {
+                if (tag == 0x73) {
+                    size_t oid_len = 0;
+                    uint8_t *oid_data = NULL;
+                    if (asn1_find_tag(tag_data, tag_len, 0x6, &oid_len, &oid_data) == true && oid_len == strlen(OID_ID_KEY_DOMAIN_UID) && memcmp(oid_data, OID_ID_KEY_DOMAIN_UID, strlen(OID_ID_KEY_DOMAIN_UID)) == 0) {
+                        if (asn1_find_tag(tag_data, tag_len, 0x80, &kdom_uid_len, &kdom_uid) == false)
+                            return SW_WRONG_DATA();
+                        break;
+                    }
+                }
+            }
+            if (kdom_uid_len == 0 || kdom_uid == NULL)
+                return SW_WRONG_DATA();
+            for (int n = 0; n < MAX_KEY_DOMAINS; n++) {
+                file_t *tf = search_dynamic_file(EF_XKEK+n);
+                if (tf) {
+                    if (file_get_size(tf) == kdom_uid_len && memcmp(file_get_data(tf), kdom_uid, kdom_uid_len) == 0) {
+                        file_new(EF_DKEK+n);
+                        if (store_dkek_key(n, res_APDU+1) != CCID_OK)
+                            return SW_EXEC_ERROR();
+                        return SW_OK();
+                    }
+                }
+            }
+            return SW_REFERENCE_NOT_FOUND();
+        }
+        mbedtls_ecdh_free(&ctx);
+    }
+    else
+        return SW_WRONG_P1P2();
+    decrement_key_counter(ef);
+    return SW_OK();
+}

src/hsm/cmd_delete_file.c

@@ -0,0 +1,40 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+
+int cmd_delete_file() {
+    file_t *ef = NULL;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+
+    if (apdu.nc == 0) {
+        ef = currentEF;
+        if (!(ef = search_dynamic_file(ef->fid)))
+            return SW_FILE_NOT_FOUND();
+    }
+    else {
+        uint16_t fid = (apdu.data[0] << 8) | apdu.data[1];
+        if (!(ef = search_dynamic_file(fid)))
+            return SW_FILE_NOT_FOUND();
+    }
+    if (!authenticate_action(ef, ACL_OP_DELETE_SELF))
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (delete_file(ef) != CCID_OK)
+        return SW_EXEC_ERROR();
+    return SW_OK();
+}

src/hsm/cmd_derive_asym.c

@@ -0,0 +1,102 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/ecdsa.h"
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+
+
+#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E
+#define MOD_ADD( N )                                                    \
+    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
+static inline int mbedtls_mpi_add_mod( const mbedtls_ecp_group *grp,
+                                       mbedtls_mpi *X,
+                                       const mbedtls_mpi *A,
+                                       const mbedtls_mpi *B )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, A, B ) );
+    MOD_ADD( *X );
+cleanup:
+    return( ret );
+}
+
+int cmd_derive_asym() {
+    uint8_t key_id = P1(apdu);
+    uint8_t dest_id = P2(apdu);
+    file_t *fkey;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
+        return SW_FILE_NOT_FOUND();
+    if (key_has_purpose(fkey, ALGO_EC_DERIVE) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if (apdu.nc == 0)
+        return SW_WRONG_LENGTH();
+    if (apdu.data[0] == ALGO_EC_DERIVE) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+
+        int r;
+        r = load_private_key_ecdsa(&ctx, fkey);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_mpi a, nd;
+        mbedtls_mpi_init(&a);
+        mbedtls_mpi_init(&nd);
+        r = mbedtls_mpi_read_binary(&a, apdu.data+1, apdu.nc-1);
+        if (r != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_DATA_INVALID();
+        }
+        r = mbedtls_mpi_add_mod(&ctx.grp, &nd, &ctx.d, &a);
+        if (r != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_EXEC_ERROR();
+        }
+        r = mbedtls_mpi_copy(&ctx.d, &nd);
+        if (r != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_EXEC_ERROR();
+        }
+        r = store_keys(&ctx, HSM_KEY_EC, dest_id);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            mbedtls_mpi_free(&a);
+            mbedtls_mpi_free(&nd);
+            return SW_EXEC_ERROR();
+        }
+        mbedtls_ecdsa_free(&ctx);
+        mbedtls_mpi_free(&a);
+        mbedtls_mpi_free(&nd);
+    }
+    else
+        return SW_WRONG_DATA();
+    return SW_OK();
+}

src/hsm/cmd_external_authenticate.c

@@ -0,0 +1,54 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "cvc.h"
+#include "files.h"
+
+extern file_t *ef_puk_aut;
+extern uint8_t challenge[256];
+extern uint8_t challenge_len;
+
+int cmd_external_authenticate() {
+    if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
+        return SW_INCORRECT_P1P2();
+    if (ef_puk_aut == NULL)
+        return SW_REFERENCE_NOT_FOUND();
+    if (apdu.nc == 0)
+        return SW_WRONG_LENGTH();
+    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
+        return SW_FILE_NOT_FOUND();
+    uint8_t *puk_data = file_get_data(ef_puk);
+    uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
+    memcpy(input, dev_name, dev_name_len);
+    memcpy(input+dev_name_len, challenge, challenge_len);
+    hash256(input, dev_name_len+challenge_len, hash);
+    int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
+    free(input);
+    if (r != 0)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    puk_status[ef_puk_aut->fid & (MAX_PUK-1)] = 1;
+    uint8_t auts = 0;
+    for (int i = 0; i < puk_data[0]; i++)
+        auts += puk_status[i];
+    if (auts >= puk_data[2]) {
+        isUserAuthenticated = true;
+    }
+    return SW_OK();
+}

src/hsm/cmd_extras.c

@@ -0,0 +1,72 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "hardware/rtc.h"
+#include "files.h"
+
+int cmd_extras() {
+    if (P2(apdu) != 0x0)
+        return SW_INCORRECT_P1P2();
+    if (P1(apdu) == 0xA) { //datetime operations
+        if (apdu.nc == 0) {
+            datetime_t dt;
+            if (!rtc_get_datetime(&dt))
+                return SW_EXEC_ERROR();
+            res_APDU[res_APDU_size++] = dt.year >> 8;
+            res_APDU[res_APDU_size++] = dt.year & 0xff;
+            res_APDU[res_APDU_size++] = dt.month;
+            res_APDU[res_APDU_size++] = dt.day;
+            res_APDU[res_APDU_size++] = dt.dotw;
+            res_APDU[res_APDU_size++] = dt.hour;
+            res_APDU[res_APDU_size++] = dt.min;
+            res_APDU[res_APDU_size++] = dt.sec;
+        }
+        else {
+            if (apdu.nc != 8)
+                return SW_WRONG_LENGTH();
+            datetime_t dt;
+            dt.year = (apdu.data[0] << 8) | (apdu.data[1]);
+            dt.month = apdu.data[2];
+            dt.day = apdu.data[3];
+            dt.dotw = apdu.data[4];
+            dt.hour = apdu.data[5];
+            dt.min = apdu.data[6];
+            dt.sec = apdu.data[7];
+            if (!rtc_set_datetime(&dt))
+                return SW_WRONG_DATA();
+        }
+    }
+    else if (P1(apdu) == 0x6) { //dynamic options
+        if (apdu.nc > sizeof(uint8_t))
+            return SW_WRONG_LENGTH();
+        uint16_t opts = get_device_options();
+        if (apdu.nc == 0) {
+            res_APDU[res_APDU_size++] = opts >> 8;
+            res_APDU[res_APDU_size++] = opts & 0xff;
+        }
+        else {
+            uint8_t newopts[] = { apdu.data[0], (opts & 0xff) };
+            file_t *tf = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
+            flash_write_data_to_file(tf, newopts, sizeof(newopts));
+            low_flash_available();
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_general_authenticate.c

@@ -0,0 +1,107 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "common.h"
+#include "mbedtls/ecdh.h"
+#include "asn1.h"
+#include "sc_hsm.h"
+#include "random.h"
+#include "oid.h"
+#include "eac.h"
+#include "files.h"
+
+int cmd_general_authenticate() {
+    if (P1(apdu) == 0x0 && P2(apdu) == 0x0) {
+        if (apdu.data[0] == 0x7C) {
+            int r = 0;
+            size_t pubkey_len = 0;
+            const uint8_t *pubkey = NULL;
+            uint16_t tag = 0x0;
+            uint8_t *tag_data = NULL, *p = NULL;
+            size_t tag_len = 0;
+            while (walk_tlv(apdu.data+2, apdu.nc-2, &p, &tag, &tag_len, &tag_data)) {
+                if (tag == 0x80) {
+                    pubkey = tag_data-1; //mbedtls ecdh starts reading one pos before
+                    pubkey_len = tag_len+1;
+                }
+            }
+            file_t *fkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
+            if (!fkey)
+                return SW_EXEC_ERROR();
+            mbedtls_ecdsa_context ectx;
+            mbedtls_ecdsa_init(&ectx);
+            r = load_private_key_ecdsa(&ectx, fkey);
+            if (r != CCID_OK) {
+                mbedtls_ecdsa_free(&ectx);
+                return SW_EXEC_ERROR();
+            }
+            mbedtls_ecdh_context ctx;
+            mbedtls_ecdh_init(&ctx);
+            mbedtls_ecp_group_id gid = MBEDTLS_ECP_DP_SECP256R1;
+            r = mbedtls_ecdh_setup(&ctx, gid);
+            if (r != 0) {
+                mbedtls_ecdsa_free(&ectx);
+                mbedtls_ecdh_free(&ctx);
+                return SW_DATA_INVALID();
+            }
+            r = mbedtls_mpi_copy(&ctx.ctx.mbed_ecdh.d, &ectx.d);
+            mbedtls_ecdsa_free(&ectx);
+            if (r != 0) {
+                mbedtls_ecdh_free(&ctx);
+                return SW_DATA_INVALID();
+            }
+            r = mbedtls_ecdh_read_public(&ctx, pubkey, pubkey_len);
+            if (r != 0) {
+                mbedtls_ecdh_free(&ctx);
+                return SW_DATA_INVALID();
+            }
+            size_t olen = 0;
+            uint8_t derived[MBEDTLS_ECP_MAX_BYTES];
+            r = mbedtls_ecdh_calc_secret(&ctx, &olen, derived, MBEDTLS_ECP_MAX_BYTES, random_gen, NULL);
+            mbedtls_ecdh_free(&ctx);
+            if (r != 0) {
+                return SW_EXEC_ERROR();
+            }
+
+            sm_derive_all_keys(derived, olen);
+
+            uint8_t *t = (uint8_t *)calloc(1, pubkey_len+16);
+            memcpy(t, "\x7F\x49\x3F\x06\x0A", 5);
+            if (sm_get_protocol() == MSE_AES)
+                memcpy(t+5, OID_ID_CA_ECDH_AES_CBC_CMAC_128, 10);
+            t[15] = 0x86;
+            memcpy(t+16, pubkey, pubkey_len);
+
+            res_APDU[res_APDU_size++] = 0x7C;
+            res_APDU[res_APDU_size++] = 20;
+            res_APDU[res_APDU_size++] = 0x81;
+            res_APDU[res_APDU_size++] = 8;
+            memcpy(res_APDU+res_APDU_size, sm_get_nonce(), 8);
+            res_APDU_size += 8;
+            res_APDU[res_APDU_size++] = 0x82;
+            res_APDU[res_APDU_size++] = 8;
+
+            r = sm_sign(t, pubkey_len+16, res_APDU+res_APDU_size);
+
+            free(t);
+            if (r != CCID_OK)
+                return SW_EXEC_ERROR();
+            res_APDU_size += 8;
+        }
+    }
+    return SW_OK();
+}

src/hsm/cmd_initialize.c

@@ -0,0 +1,216 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "files.h"
+#include "random.h"
+#include "kek.h"
+#include "version.h"
+#include "asn1.h"
+#include "cvc.h"
+
+extern void scan_all();
+
+extern char __StackLimit;
+int heapLeft() {
+    char *p = malloc(256);   // try to avoid undue fragmentation
+    int left = &__StackLimit - p;
+    free(p);
+    return left;
+}
+
+int cmd_initialize() {
+    if (apdu.nc > 0) {
+        uint8_t mkek[MKEK_SIZE];
+        int ret_mkek = load_mkek(mkek); //Try loading MKEK with previous session
+        initialize_flash(true);
+        scan_all();
+        has_session_pin = has_session_sopin = false;
+        uint16_t tag = 0x0;
+        uint8_t *tag_data = NULL, *p = NULL, *kds = NULL, *dkeks = NULL;
+        size_t tag_len = 0;
+        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+            if (tag == 0x80) { //options
+                file_t *tf = search_by_fid(EF_DEVOPS, NULL, SPECIFY_EF);
+                flash_write_data_to_file(tf, tag_data, tag_len);
+            }
+            else if (tag == 0x81) { //user pin
+                if (file_pin1 && file_pin1->data) {
+                    uint8_t dhash[33];
+                    dhash[0] = tag_len;
+                    double_hash_pin(tag_data, tag_len, dhash+1);
+                    flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
+                    hash_multi(tag_data, tag_len, session_pin);
+                    has_session_pin = true;
+                }
+            }
+            else if (tag == 0x82) { //sopin pin
+                if (file_sopin && file_sopin->data) {
+                    uint8_t dhash[33];
+                    dhash[0] = tag_len;
+                    double_hash_pin(tag_data, tag_len, dhash+1);
+                    flash_write_data_to_file(file_sopin, dhash, sizeof(dhash));
+                    hash_multi(tag_data, tag_len, session_sopin);
+                    has_session_sopin = true;
+                }
+            }
+            else if (tag == 0x91) { //retries user pin
+                file_t *tf = search_by_fid(0x1082, NULL, SPECIFY_EF);
+                if (tf && tf->data) {
+                    flash_write_data_to_file(tf, tag_data, tag_len);
+                }
+                if (file_retries_pin1 && file_retries_pin1->data) {
+                    flash_write_data_to_file(file_retries_pin1, tag_data, tag_len);
+                }
+            }
+            else if (tag == 0x92) {
+                dkeks = tag_data;
+                file_t *tf = file_new(EF_DKEK);
+                if (!tf) {
+                    release_mkek(mkek);
+                    return SW_MEMORY_FAILURE();
+                }
+                flash_write_data_to_file(tf, NULL, 0);
+            }
+            else if (tag == 0x93) {
+                file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+                if (!ef_puk) {
+                    release_mkek(mkek);
+                    return SW_MEMORY_FAILURE();
+                }
+                uint8_t pk_status[4], puks = MIN(tag_data[0],MAX_PUK);
+                memset(pk_status, 0, sizeof(pk_status));
+                pk_status[0] = puks;
+                pk_status[1] = puks;
+                pk_status[2] = tag_data[1];
+                flash_write_data_to_file(ef_puk, pk_status, sizeof(pk_status));
+                for (int i = 0; i < puks; i++) {
+                    file_t *tf = file_new(EF_PUK+i);
+                    if (!tf) {
+                        release_mkek(mkek);
+                        return SW_MEMORY_FAILURE();
+                    }
+                    flash_write_data_to_file(tf, NULL, 0);
+                }
+            }
+            else if (tag == 0x97) {
+                kds = tag_data;
+                /*
+                for (int i = 0; i < MIN(*kds,MAX_KEY_DOMAINS); i++) {
+                    file_t *tf = file_new(EF_DKEK+i);
+                    if (!tf)
+                        return SW_MEMORY_FAILURE();
+                    flash_write_data_to_file(tf, NULL, 0);
+                }
+                */
+            }
+        }
+        file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+        if (!tf_kd) {
+            release_mkek(mkek);
+            return SW_EXEC_ERROR();
+        }
+        if (ret_mkek != CCID_OK)
+            ret_mkek = load_mkek(mkek); //Try again with new PIN/SO-PIN just in case some is the same
+        if (store_mkek(ret_mkek == CCID_OK ? mkek : NULL) != CCID_OK) {
+            release_mkek(mkek);
+            return SW_EXEC_ERROR();
+        }
+        release_mkek(mkek);
+        if (dkeks) {
+            if (*dkeks > 0) {
+                uint16_t d = *dkeks;
+                if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
+                    return SW_EXEC_ERROR();
+            }
+            else {
+                int r = save_dkek_key(0, random_bytes_get(32));
+                if (r != CCID_OK)
+                    return SW_EXEC_ERROR();
+                uint16_t d = 0x0101;
+                if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
+                    return SW_EXEC_ERROR();
+            }
+        }
+        else {
+            uint16_t d = 0x0000;
+            if (flash_write_data_to_file(tf_kd, (const uint8_t *)&d, sizeof(d)) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        if (kds) {
+            uint8_t t[MAX_KEY_DOMAINS*2], k = MIN(*kds,MAX_KEY_DOMAINS);
+            memset(t, 0xff, 2*k);
+            if (flash_write_data_to_file(tf_kd, t, 2*k) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        /* When initialized, it has all credentials */
+        isUserAuthenticated = true;
+        /* Create terminal private key */
+        file_t *fdkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
+        if (!fdkey)
+            return SW_EXEC_ERROR();
+        int ret = 0;
+        if (ret_mkek != CCID_OK || file_get_size(fdkey) == 0 || file_get_data(fdkey) == NULL) {
+            mbedtls_ecdsa_context ecdsa;
+            mbedtls_ecdsa_init(&ecdsa);
+            mbedtls_ecp_group_id ec_id = MBEDTLS_ECP_DP_SECP256R1;
+            uint8_t index = 0, key_id = 0;
+            ret = mbedtls_ecdsa_genkey(&ecdsa, ec_id, random_gen, &index);
+            if (ret != 0) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
+            if (ret != CCID_OK) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            size_t cvc_len = 0;
+            if ((cvc_len = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            mbedtls_ecdsa_free(&ecdsa);
+
+            file_t *fpk = search_by_fid(EF_EE_DEV, NULL, SPECIFY_EF);
+            ret = flash_write_data_to_file(fpk, res_APDU, cvc_len);
+            if (ret != 0)
+                return SW_EXEC_ERROR();
+
+            const uint8_t *keyid = (const uint8_t *)"\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0", *label = (const uint8_t *)"ESTERMHSM";
+            size_t prkd_len = asn1_build_prkd_ecc(label, strlen((const char *)label), keyid, 20, 192, res_APDU, 4096);
+            fpk = search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF);
+            ret = flash_write_data_to_file(fpk, res_APDU, prkd_len);
+        }
+        if (ret != 0)
+            return SW_EXEC_ERROR();
+        low_flash_available();
+    }
+    else { //free memory bytes request
+        int heap_left = heapLeft();
+        res_APDU[0] = ((heap_left >> 24) & 0xff);
+        res_APDU[1] = ((heap_left >> 16) & 0xff);
+        res_APDU[2] = ((heap_left >> 8) & 0xff);
+        res_APDU[3] = ((heap_left >> 0) & 0xff);
+        res_APDU[4] = 0;
+        res_APDU[5] = HSM_VERSION_MAJOR;
+        res_APDU[6] = HSM_VERSION_MINOR;
+        res_APDU_size = 7;
+    }
+    return SW_OK();
+}

src/hsm/cmd_key_domain.c

@@ -0,0 +1,163 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "cvc.h"
+#include "kek.h"
+#include "files.h"
+
+uint8_t get_key_domain(file_t *fkey) {
+    size_t tag_len = 0;
+    const uint8_t *meta_tag = get_meta_tag(fkey, 0x92, &tag_len);
+    if (meta_tag)
+        return *meta_tag;
+    return 0xff;
+}
+
+int cmd_key_domain() {
+    //if (dkeks == 0)
+    //    return SW_COMMAND_NOT_ALLOWED();
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    if ((has_session_pin == false || isUserAuthenticated == false) && apdu.nc > 0)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    if (p2 >= MAX_KEY_DOMAINS)
+        return SW_WRONG_P1P2();
+    file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+    if (!tf_kd)
+        return SW_EXEC_ERROR();
+    uint16_t tf_kd_size = file_get_size(tf_kd);
+    if (tf_kd_size == 0)
+        return SW_WRONG_P1P2();
+    uint8_t *kdata = file_get_data(tf_kd), dkeks = kdata ? kdata[2*p2] : 0, current_dkeks = kdata ? kdata[2*p2+1] : 0;
+    if (p1 == 0x0) { //dkek import
+        if (apdu.nc > 0) {
+            file_t *tf = file_new(EF_DKEK+p2);
+            if (!tf)
+                return SW_MEMORY_FAILURE();
+            if (apdu.nc < 32)
+                return SW_WRONG_LENGTH();
+            import_dkek_share(p2, apdu.data);
+            if (++current_dkeks >= dkeks) {
+                if (save_dkek_key(p2, NULL) != CCID_OK)
+                    return SW_FILE_NOT_FOUND();
+            }
+            uint8_t t[MAX_KEY_DOMAINS*2];
+            memcpy(t, kdata, tf_kd_size);
+            t[2*p2+1] = current_dkeks;
+            if (flash_write_data_to_file(tf_kd, t, tf_kd_size) != CCID_OK)
+                return SW_EXEC_ERROR();
+            low_flash_available();
+        }
+        else {
+            file_t *tf = search_dynamic_file(EF_XKEK+p2);
+            if (2*p2 >= tf_kd_size || current_dkeks == 0)
+                return SW_INCORRECT_P1P2();
+            if (current_dkeks == 0xff && !tf) //XKEK have always 0xff
+                return SW_REFERENCE_NOT_FOUND();
+        }
+    }
+    else if (p1 == 0x1 || p1 == 0x3 || p1 == 0x4) { //key domain setup
+        if (p1 == 0x1 && apdu.nc != 1)
+            return SW_WRONG_LENGTH();
+        if (p1 == 0x3) { //if key domain is not empty, command is denied
+            for (int i = 0; i < dynamic_files; i++) {
+                if (get_key_domain(&dynamic_file[i]) == p2)
+                    return SW_FILE_EXISTS();
+            }
+        }
+        uint8_t t[MAX_KEY_DOMAINS*2];
+        memcpy(t, kdata, tf_kd_size);
+        if (p1 == 0x1) {
+            t[2*p2] = dkeks = apdu.data[0];
+            t[2*p2+1] = current_dkeks = 0;
+        }
+        else if (p1 == 0x3) {
+            t[2*p2] = dkeks = 0xff;
+            t[2*p2+1] = 0xff;
+        }
+        else if (p1 == 0x4) {
+            t[2*p2+1] = current_dkeks = 0;
+        }
+        if (flash_write_data_to_file(tf_kd, t, tf_kd_size) != CCID_OK)
+            return SW_EXEC_ERROR();
+        file_t *tf = NULL;
+        if ((tf = search_dynamic_file(EF_DKEK+p2))) {
+            if (delete_file(tf) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        if (p1 == 0x3 && (tf = search_dynamic_file(EF_XKEK+p2))) {
+            if (delete_file(tf) != CCID_OK)
+                return SW_EXEC_ERROR();
+        }
+        low_flash_available();
+    }
+    else if (p1 == 0x2) { //XKEK Key Domain creation
+        if (apdu.nc > 0) {
+            size_t pub_len = 0;
+            file_t *fterm = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF);
+            if (!fterm)
+                return SW_EXEC_ERROR();
+            const uint8_t *pub = cvc_get_pub(file_get_data(fterm), file_get_size(fterm), &pub_len);
+            if (!pub)
+                return SW_EXEC_ERROR();
+            size_t t86_len = 0;
+            const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
+            if (!t86 || t86[0] != 0x4)
+                return SW_EXEC_ERROR();
+            size_t t54_len = 0;
+            const uint8_t *t54 = cvc_get_field(apdu.data, apdu.nc, &t54_len, 0x54);
+            if (!t54)
+                return SW_WRONG_DATA();
+            uint8_t hash[32], *input = (uint8_t *)calloc(1, (t86_len-1)/2+1);
+            input[0] = 0x54;
+            memcpy(input+1, t86+1, (t86_len-1)/2);
+            hash256(input, (t86_len-1)/2+1, hash);
+            free(input);
+            int r = puk_verify(t54, t54_len, hash, 32, apdu.data, apdu.nc);
+            if (r != 0)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            file_t *tf = file_new(EF_XKEK+p2);
+            if (!tf)
+                return SW_MEMORY_FAILURE();
+
+            //All checks done. Get Key Domain UID
+            pub = cvc_get_pub(apdu.data, apdu.nc, &pub_len);
+            if (pub) {
+                size_t t86_len = 0;
+                const uint8_t *t86 = cvc_get_field(pub, pub_len, &t86_len, 0x86);
+                if (t86) {
+                    flash_write_data_to_file(tf, t86+1, t86_len-1);
+                    low_flash_available();
+                }
+            }
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    memset(res_APDU,0,10);
+    res_APDU[0] = dkeks;
+    res_APDU[1] = dkeks > current_dkeks ? dkeks-current_dkeks : 0;
+    dkek_kcv(p2, res_APDU+2);
+    res_APDU_size = 2+8;
+    file_t *tf = search_dynamic_file(EF_XKEK+p2);
+    if (tf) {
+        memcpy(res_APDU+10, file_get_data(tf), file_get_size(tf));
+        res_APDU_size += file_get_size(tf);
+    }
+    return SW_OK();
+}

src/hsm/cmd_key_gen.c

@@ -0,0 +1,52 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "random.h"
+
+int cmd_key_gen() {
+    uint8_t key_id = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    uint8_t key_size = 32;
+    int r;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (p2 == 0xB2)
+        key_size = 32;
+    else if (p2 == 0xB1)
+        key_size = 24;
+    else if (p2 == 0xB0)
+        key_size = 16;
+    //at this moment, we do not use the template, as only CBC is supported by the driver (encrypt, decrypt and CMAC)
+    uint8_t aes_key[32]; //maximum AES key size
+    memcpy(aes_key, random_bytes_get(key_size), key_size);
+    int aes_type = 0x0;
+    if (key_size == 16)
+        aes_type = HSM_KEY_AES_128;
+    else if (key_size == 24)
+        aes_type = HSM_KEY_AES_192;
+    else if (key_size == 32)
+        aes_type = HSM_KEY_AES_256;
+    r = store_keys(aes_key, aes_type, key_id);
+    if (r != CCID_OK)
+        return SW_MEMORY_FAILURE();
+    if (find_and_store_meta_key(key_id) != CCID_OK)
+        return SW_EXEC_ERROR();
+    low_flash_available();
+    return SW_OK();
+}

src/hsm/cmd_key_unwrap.c

@@ -0,0 +1,106 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_key_unwrap() {
+    int key_id = P1(apdu), r = 0;
+    if (P2(apdu) != 0x93)
+        return SW_WRONG_P1P2();
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    int key_type = dkek_type_key(apdu.data);
+    uint8_t kdom = -1, *allowed = NULL;
+    size_t allowed_len = 0;
+    if (key_type == 0x0)
+        return SW_DATA_INVALID();
+    if (key_type == HSM_KEY_RSA) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+        do {
+            r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
+        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        r = store_keys(&ctx, HSM_KEY_RSA, key_id);
+        mbedtls_rsa_free(&ctx);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+    }
+    else if (key_type == HSM_KEY_EC) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+        do {
+            r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
+        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        r = store_keys(&ctx, HSM_KEY_EC, key_id);
+        mbedtls_ecdsa_free(&ctx);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+    }
+    else if (key_type == HSM_KEY_AES) {
+        uint8_t aes_key[32];
+        int key_size = 0, aes_type = 0;
+        do {
+            r = dkek_decode_key(++kdom, aes_key, apdu.data, apdu.nc, &key_size, &allowed, &allowed_len);
+        } while((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+        if (key_size == 32)
+            aes_type = HSM_KEY_AES_256;
+        else if (key_size == 24)
+            aes_type = HSM_KEY_AES_192;
+        else if (key_size == 16)
+            aes_type = HSM_KEY_AES_128;
+        else
+            return SW_EXEC_ERROR();
+        r = store_keys(aes_key, aes_type, key_id);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+    }
+    if ((allowed != NULL && allowed_len > 0) || kdom >= 0) {
+        size_t meta_len = (allowed_len > 0 ? 2+allowed_len : 0) + (kdom >= 0 ? 3 : 0);
+        uint8_t *meta = (uint8_t *)calloc(1,meta_len), *m = meta;
+        if (allowed_len > 0) {
+            *m++ = 0x91;
+            *m++ = allowed_len;
+            memcpy(m, allowed, allowed_len); m += allowed_len;
+        }
+        if (kdom >= 0) {
+            *m++ = 0x92;
+            *m++ = 1;
+            *m++ = kdom;
+        }
+        r = meta_add((KEY_PREFIX << 8) | key_id, meta, meta_len);
+        free(meta);
+        if (r != CCID_OK)
+            return r;
+    }
+    return SW_OK();
+}

src/hsm/cmd_key_wrap.c

@@ -0,0 +1,93 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "asn1.h"
+#include "kek.h"
+
+extern uint8_t get_key_domain(file_t *fkey);
+
+int cmd_key_wrap() {
+    int key_id = P1(apdu), r = 0;
+    if (P2(apdu) != 0x92)
+        return SW_WRONG_P1P2();
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    uint8_t kdom = get_key_domain(ef);
+    if (!ef)
+        return SW_FILE_NOT_FOUND();
+    if (key_has_purpose(ef, ALGO_WRAP) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    file_t *prkd = search_dynamic_file((PRKD_PREFIX << 8) | key_id);
+    if (!prkd)
+        return SW_FILE_NOT_FOUND();
+    const uint8_t *dprkd = file_get_data(prkd);
+    size_t wrap_len = MAX_DKEK_ENCODE_KEY_BUFFER;
+    size_t tag_len = 0;
+    const uint8_t *meta_tag = get_meta_tag(ef, 0x91, &tag_len);
+    if (*dprkd == P15_KEYTYPE_RSA) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+        r = load_private_key_rsa(&ctx, ef);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        r = dkek_encode_key(kdom, &ctx, HSM_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_rsa_free(&ctx);
+    }
+    else if (*dprkd == P15_KEYTYPE_ECC) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+        r = load_private_key_ecdsa(&ctx, ef);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        r = dkek_encode_key(kdom, &ctx, HSM_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_ecdsa_free(&ctx);
+    }
+    else if (*dprkd == P15_KEYTYPE_AES) {
+        uint8_t kdata[32]; //maximum AES key size
+        if (wait_button_pressed() == true) //timeout
+            return SW_SECURE_MESSAGE_EXEC_ERROR();
+
+        int key_size = file_get_size(ef), aes_type = HSM_KEY_AES;
+        memcpy(kdata, file_get_data(ef), key_size);
+        if (mkek_decrypt(kdata, key_size) != 0) {
+            return SW_EXEC_ERROR();
+        }
+        if (key_size == 32)
+            aes_type = HSM_KEY_AES_256;
+        else if (key_size == 24)
+            aes_type = HSM_KEY_AES_192;
+        else if (key_size == 16)
+            aes_type = HSM_KEY_AES_128;
+        r = dkek_encode_key(kdom, kdata, aes_type, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_platform_zeroize(kdata, sizeof(kdata));
+    }
+    if (r != CCID_OK)
+        return SW_EXEC_ERROR();
+    res_APDU_size = wrap_len;
+    return SW_OK();
+}

src/hsm/cmd_keypair_gen.c

@@ -0,0 +1,149 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "files.h"
+#include "asn1.h"
+#include "cvc.h"
+#include "oid.h"
+#include "random.h"
+#include "kek.h"
+
+int cmd_keypair_gen() {
+    uint8_t key_id = P1(apdu);
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    int ret = 0;
+
+    size_t tout = 0;
+    //sc_asn1_print_tags(apdu.data, apdu.nc);
+    uint8_t *p = NULL;
+    if (asn1_find_tag(apdu.data, apdu.nc, 0x7f49, &tout, &p) && tout > 0 && p != NULL) {
+        size_t oid_len = 0;
+        uint8_t *oid = NULL;
+        if (asn1_find_tag(p, tout, 0x6, &oid_len, &oid) && oid_len > 0 && oid != NULL) {
+            if (memcmp(oid, OID_ID_TA_RSA_V1_5_SHA_256, oid_len) == 0) { //RSA
+                size_t ex_len = 3, ks_len = 2;
+                uint8_t *ex = NULL, *ks = NULL;
+                uint32_t exponent = 65537, key_size = 2048;
+                if (asn1_find_tag(p, tout, 0x82, &ex_len, &ex) && ex_len > 0 && ex != NULL) {
+                    uint8_t *dt = ex;
+                    exponent = 0;
+                    for (int i = 0; i < ex_len; i++) {
+                        exponent = (exponent << 8) | *dt++;
+                    }
+                }
+                if (asn1_find_tag(p, tout, 0x2, &ks_len, &ks) && ks_len > 0 && ks != NULL) {
+                    uint8_t *dt = ks;
+                    key_size = 0;
+                    for (int i = 0; i < ks_len; i++) {
+                        key_size = (key_size << 8) | *dt++;
+                    }
+                }
+                printf("KEYPAIR RSA %ld (%lx)\r\n",key_size,exponent);
+                mbedtls_rsa_context rsa;
+                mbedtls_rsa_init(&rsa);
+                uint8_t index = 0;
+                ret = mbedtls_rsa_gen_key(&rsa, random_gen, &index, key_size, exponent);
+                if (ret != 0) {
+                        mbedtls_rsa_free(&rsa);
+                    return SW_EXEC_ERROR();
+                }
+                if ((res_APDU_size = asn1_cvc_aut(&rsa, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
+                    return SW_EXEC_ERROR();
+                }
+	            ret = store_keys(&rsa, HSM_KEY_RSA, key_id);
+	            if (ret != CCID_OK) {
+                    mbedtls_rsa_free(&rsa);
+                    return SW_EXEC_ERROR();
+                }
+                mbedtls_rsa_free(&rsa);
+            }
+            else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256,MIN(oid_len,10)) == 0) { //ECC
+                size_t prime_len;
+                uint8_t *prime = NULL;
+                if (asn1_find_tag(p, tout, 0x81, &prime_len, &prime) != true)
+                    return SW_WRONG_DATA();
+                mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime, prime_len);
+                printf("KEYPAIR ECC %d\r\n",ec_id);
+                if (ec_id == MBEDTLS_ECP_DP_NONE) {
+                    return SW_FUNC_NOT_SUPPORTED();
+                }
+                mbedtls_ecdsa_context ecdsa;
+                mbedtls_ecdsa_init(&ecdsa);
+                uint8_t index = 0;
+                ret = mbedtls_ecdsa_genkey(&ecdsa, ec_id, random_gen, &index);
+                if (ret != 0) {
+                    mbedtls_ecdsa_free(&ecdsa);
+                    return SW_EXEC_ERROR();
+                }
+                size_t l91 = 0, ext_len = 0;
+                uint8_t *p91 = NULL, *ext = NULL;
+                if (asn1_find_tag(apdu.data, apdu.nc, 0x91, &l91, &p91) && p91 != NULL && l91 > 0) {
+                    for (int n = 0; n < l91; n++) {
+                        if (p91[n] == ALGO_EC_DH_XKEK) {
+                            size_t l92 = 0;
+                            uint8_t *p92 = NULL;
+                            if (!asn1_find_tag(apdu.data, apdu.nc, 0x92, &l92, &p92) || p92 == NULL || l92 == 0)
+                                return SW_WRONG_DATA();
+                            if (p92[0] > MAX_KEY_DOMAINS)
+                                return SW_WRONG_DATA();
+                            file_t *tf_xkek = search_dynamic_file(EF_XKEK+p92[0]);
+                            if (!tf_xkek)
+                                return SW_WRONG_DATA();
+                            ext_len = 2+2+strlen(OID_ID_KEY_DOMAIN_UID)+2+file_get_size(tf_xkek);
+                            ext = (uint8_t *)calloc(1, ext_len);
+                            uint8_t *pe = ext;
+                            *pe++ = 0x73;
+                            *pe++ = ext_len-2;
+                            *pe++ = 0x6;
+                            *pe++ = strlen(OID_ID_KEY_DOMAIN_UID);
+                            memcpy(pe, OID_ID_KEY_DOMAIN_UID, strlen(OID_ID_KEY_DOMAIN_UID));
+                            pe += strlen(OID_ID_KEY_DOMAIN_UID);
+                            *pe++ = 0x80;
+                            *pe++ = file_get_size(tf_xkek);
+                            memcpy(pe, file_get_data(tf_xkek), file_get_size(tf_xkek));
+                        }
+                    }
+                }
+                if ((res_APDU_size = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) {
+                    return SW_EXEC_ERROR();
+                }
+	            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
+	            if (ret != CCID_OK) {
+                    mbedtls_ecdsa_free(&ecdsa);
+                    return SW_EXEC_ERROR();
+                }
+                mbedtls_ecdsa_free(&ecdsa);
+            }
+
+        }
+    }
+    else
+        return SW_WRONG_DATA();
+    if (find_and_store_meta_key(key_id) != CCID_OK)
+        return SW_EXEC_ERROR();
+    file_t *fpk = file_new((EE_CERTIFICATE_PREFIX << 8) | key_id);
+    ret = flash_write_data_to_file(fpk, res_APDU, res_APDU_size);
+    if (ret != 0)
+        return SW_EXEC_ERROR();
+    if (apdu.ne == 0)
+        apdu.ne = res_APDU_size;
+    low_flash_available();
+    return SW_OK();
+}

src/hsm/cmd_list_keys.c

@@ -0,0 +1,60 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "files.h"
+
+int cmd_list_keys()
+{
+    /* First we send DEV private key */
+    /* Both below conditions should be always TRUE */
+    if (search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF)) {
+        res_APDU[res_APDU_size++] = EF_PRKD_DEV >> 8;
+        res_APDU[res_APDU_size++] = EF_PRKD_DEV & 0xff;
+    }
+    if (search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF)) {
+        res_APDU[res_APDU_size++] = EF_KEY_DEV >> 8;
+        res_APDU[res_APDU_size++] = EF_KEY_DEV & 0xff;
+    }
+    //first CC
+    for (int i = 0; i < dynamic_files; i++) {
+        file_t *f = &dynamic_file[i];
+        if ((f->fid & 0xff00) == (PRKD_PREFIX << 8)) {
+            res_APDU[res_APDU_size++] = PRKD_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+            res_APDU[res_APDU_size++] = KEY_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+        }
+    }
+    //second CD
+    for (int i = 0; i < dynamic_files; i++) {
+        file_t *f = &dynamic_file[i];
+        if ((f->fid & 0xff00) == (CD_PREFIX << 8)) {
+            res_APDU[res_APDU_size++] = CD_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+        }
+    }
+
+    for (int i = 0; i < dynamic_files; i++) {
+        file_t *f = &dynamic_file[i];
+        if ((f->fid & 0xff00) == (DCOD_PREFIX << 8)) {
+            res_APDU[res_APDU_size++] = DCOD_PREFIX;
+            res_APDU[res_APDU_size++] = f->fid & 0xff;
+        }
+    }
+    return SW_OK();
+}

src/hsm/cmd_mse.c

@@ -0,0 +1,75 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "asn1.h"
+#include "oid.h"
+#include "eac.h"
+#include "files.h"
+#include "cvc.h"
+
+file_t *ef_puk_aut = NULL;
+
+int cmd_mse() {
+    int p1 = P1(apdu);
+    int p2 = P2(apdu);
+    if (p2 != 0xA4 && p2 != 0xA6 && p2 != 0xAA && p2 != 0xB4 && p2 != 0xB6 && p2 != 0xB8)
+        return SW_INCORRECT_P1P2();
+    if (p1 & 0x1) { //SET
+        uint16_t tag = 0x0;
+        uint8_t *tag_data = NULL, *p = NULL;
+        size_t tag_len = 0;
+        while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+            if (tag == 0x80) {
+                if (p2 == 0xA4) {
+                    if (tag_len == 10 && memcmp(tag_data, OID_ID_CA_ECDH_AES_CBC_CMAC_128, tag_len) == 0)
+                        sm_set_protocol(MSE_AES);
+                }
+            }
+            else if (tag == 0x83) {
+                if (tag_len == 1) {
+
+                }
+                else {
+                    if (p2 == 0xB6) {
+                        if (puk_store_select_chr(tag_data) == CCID_OK)
+                            return SW_OK();
+                    }
+                    else if (p2 == 0xA4) { /* Aut */
+                        for (int i = 0; i < MAX_PUK; i++) {
+                            file_t *ef = search_dynamic_file(EF_PUK+i);
+                            if (!ef)
+                                break;
+                            if (ef->data == NULL || file_get_size(ef) == 0)
+                                break;
+                            size_t chr_len = 0;
+                            const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
+                            if (memcmp(chr, tag_data, chr_len) == 0) {
+                                ef_puk_aut = ef;
+                                return SW_OK();
+                            }
+                        }
+                    }
+                    return SW_REFERENCE_NOT_FOUND();
+                }
+            }
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_pso.c

@@ -0,0 +1,136 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "oid.h"
+#include "asn1.h"
+#include "cvc.h"
+
+extern int add_cert_puk_store(const uint8_t *data, size_t data_len, bool copy);
+extern PUK *current_puk;
+
+int cmd_pso() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    if (p1 == 0x0 && (p2 == 0x92 || p2 == 0xAE || p2 == 0xBE)) { /* Verify certificate */
+        if (apdu.nc == 0)
+            return SW_WRONG_LENGTH();
+        if (current_puk == NULL)
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.data[0] != 0x7F || apdu.data[1] != 0x21) {
+            uint8_t tlv_len = 2+format_tlv_len(apdu.nc, NULL);
+            memmove(apdu.data+tlv_len, apdu.data, apdu.nc);
+            memcpy(apdu.data, "\x7F\x21", 2);
+            format_tlv_len(apdu.nc, apdu.data+2);
+            apdu.nc += tlv_len;
+        }
+        int r = cvc_verify(apdu.data, apdu.nc, current_puk->cvcert, current_puk->cvcert_len);
+        if (r != CCID_OK) {
+            if (r == CCID_WRONG_DATA)
+                return SW_DATA_INVALID();
+            else if (r == CCID_WRONG_SIGNATURE)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            return SW_EXEC_ERROR();
+        }
+        for (int i = 0; i < 0xfe; i++) {
+            uint16_t fid = (CA_CERTIFICATE_PREFIX << 8) | i;
+            file_t *ca_ef = search_dynamic_file(fid);
+            if (!ca_ef) {
+                ca_ef = file_new(fid);
+                flash_write_data_to_file(ca_ef, apdu.data, apdu.nc);
+                if (add_cert_puk_store(file_get_data(ca_ef), file_get_size(ca_ef), false) != CCID_OK)
+                    return SW_FILE_FULL();
+
+                size_t chr_len = 0;
+                const uint8_t *chr = cvc_get_chr(apdu.data, apdu.nc, &chr_len);
+                if (chr == NULL)
+                    return SW_WRONG_DATA();
+                size_t puk_len = 0, puk_bin_len = 0;
+                const uint8_t *puk = cvc_get_pub(apdu.data, apdu.nc, &puk_len), *puk_bin = NULL;
+                if (puk == NULL)
+                    return SW_WRONG_DATA();
+                size_t oid_len = 0;
+                const uint8_t *oid = cvc_get_field(puk, puk_len, &oid_len, 0x6);
+                if (oid == NULL)
+                    return SW_WRONG_DATA();
+                if (memcmp(oid, OID_ID_TA_RSA, 9) == 0) { //RSA
+                    puk_bin = cvc_get_field(puk, puk_len, &puk_bin_len, 0x81);
+                    if (!puk_bin)
+                        return SW_WRONG_DATA();
+                }
+                else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
+                    mbedtls_ecp_group_id ec_id = cvc_inherite_ec_group(apdu.data, apdu.nc);
+                    mbedtls_ecp_group grp;
+                    mbedtls_ecp_group_init(&grp);
+                    if (mbedtls_ecp_group_load(&grp, ec_id) != 0) {
+                        mbedtls_ecp_group_free(&grp);
+                        return SW_WRONG_DATA();
+                    }
+                    size_t plen = mbedtls_mpi_size(&grp.P);
+                    size_t t86_len = 0;
+                    const uint8_t *t86 = cvc_get_field(puk, puk_len, &t86_len, 0x86);
+                    if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+                        if (plen != t86_len) {
+                            mbedtls_ecp_group_free(&grp);
+                            return SW_WRONG_DATA();
+                        }
+                        puk_bin = t86;
+                        puk_bin_len = t86_len;
+                    }
+                    else if (mbedtls_ecp_get_type(&grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+                        if (t86[0] == 0x2 || t86[0] == 0x3) {
+                            if (t86_len != plen+1) {
+                                mbedtls_ecp_group_free(&grp);
+                                return SW_WRONG_DATA();
+                            }
+                        }
+                        else if (t86[0] == 0x4) {
+                            if (t86_len != 2*plen+1) {
+                                mbedtls_ecp_group_free(&grp);
+                                return SW_WRONG_DATA();
+                            }
+                        }
+                        else {
+                            mbedtls_ecp_group_free(&grp);
+                            return SW_WRONG_DATA();
+                        }
+                        puk_bin = t86+1;
+                        puk_bin_len = plen;
+                    }
+                    mbedtls_ecp_group_free(&grp);
+                    if (!puk_bin)
+                        return SW_WRONG_DATA();
+                }
+                file_t *cd_ef = file_new((CD_PREFIX << 8) | i);
+                size_t cd_len = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, NULL, 0);
+                if (cd_len == 0)
+                    return SW_EXEC_ERROR();
+                uint8_t *buf = (uint8_t *)calloc(cd_len, sizeof(uint8_t));
+                int r = asn1_build_cert_description(chr, chr_len, puk_bin, puk_bin_len, fid, buf, cd_len);
+                flash_write_data_to_file(cd_ef, buf, cd_len);
+                free(buf);
+                if (r == 0)
+                    return SW_EXEC_ERROR();
+                low_flash_available();
+                break;
+            }
+        }
+        return SW_OK();
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_puk_auth.c

@@ -0,0 +1,85 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "files.h"
+#include "cvc.h"
+
+int cmd_puk_auth() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
+    if (!ef_puk || !ef_puk->data || file_get_size(ef_puk) == 0)
+        return SW_FILE_NOT_FOUND();
+    uint8_t *puk_data = file_get_data(ef_puk);
+    if (apdu.nc > 0) {
+        if (p1 == 0x0 || p1 == 0x1) {
+            file_t *ef = NULL;
+            if (p1 == 0x0) { /* Add */
+                if (p2 != 0x0)
+                    return SW_INCORRECT_P1P2();
+                for (int i = 0; i < puk_data[0]; i++) {
+                    ef = search_dynamic_file(EF_PUK+i);
+                    if (!ef) /* Never should not happen */
+                        return SW_MEMORY_FAILURE();
+                    if (ef->data == NULL || file_get_size(ef) == 0) /* found first empty slot */
+                        break;
+                }
+                uint8_t *tmp = (uint8_t *)calloc(file_get_size(ef_puk), sizeof(uint8_t));
+                memcpy(tmp, puk_data, file_get_size(ef_puk));
+                tmp[1] = puk_data[1]-1;
+                flash_write_data_to_file(ef_puk, tmp, file_get_size(ef_puk));
+                puk_data = file_get_data(ef_puk);
+                free(tmp);
+            }
+            else if (p1 == 0x1) { /* Replace */
+                if (p2 >= puk_data[0])
+                    return SW_INCORRECT_P1P2();
+                ef = search_dynamic_file(EF_PUK+p2);
+                if (!ef) /* Never should not happen */
+                    return SW_MEMORY_FAILURE();
+            }
+            flash_write_data_to_file(ef, apdu.data, apdu.nc);
+            low_flash_available();
+        }
+        else
+            return SW_INCORRECT_P1P2();
+    }
+    if (p1 == 0x2) {
+        if (p2 >= puk_data[0])
+            return SW_INCORRECT_P1P2();
+        file_t *ef = search_dynamic_file(EF_PUK+p2);
+        if (!ef)
+            return SW_INCORRECT_P1P2();
+        if (ef->data == NULL || file_get_size(ef) == 0)
+            return SW_REFERENCE_NOT_FOUND();
+        size_t chr_len = 0;
+        const uint8_t *chr = cvc_get_chr(file_get_data(ef), file_get_size(ef), &chr_len);
+        if (chr) {
+            memcpy(res_APDU, chr, chr_len);
+            res_APDU_size = chr_len;
+        }
+        return set_res_sw(0x90, puk_status[p2]);
+    }
+    else {
+        memcpy(res_APDU, puk_data, 3);
+        res_APDU[3] = 0;
+        for (int i = 0; i < puk_data[0]; i++)
+            res_APDU[3] += puk_status[i];
+        res_APDU_size = 4;
+    }
+    return SW_OK();
+}

src/hsm/cmd_read_binary.c

@@ -0,0 +1,90 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+
+int cmd_read_binary() {
+    uint16_t fid = 0x0;
+    uint32_t offset = 0;
+    uint8_t ins = INS(apdu), p1 = P1(apdu), p2 = P2(apdu);
+    const file_t *ef = NULL;
+
+    if ((ins & 0x1) == 0)
+    {
+        if ((p1 & 0x80) != 0) {
+            if (!(ef = search_by_fid(p1&0x1f, NULL, SPECIFY_EF)))
+                return SW_FILE_NOT_FOUND ();
+            offset = p2;
+        }
+        else {
+            offset = make_uint16_t(p1, p2) & 0x7fff;
+            ef = currentEF;
+        }
+    }
+    else {
+        if (p1 == 0 && (p2 & 0xE0) == 0 && (p2 & 0x1f) != 0 && (p2 & 0x1f) != 0x1f) {
+            if (!(ef = search_by_fid(p2&0x1f, NULL, SPECIFY_EF)))
+                return SW_FILE_NOT_FOUND ();
+        }
+        else {
+            uint16_t file_id = make_uint16_t(p1, p2); // & 0x7fff;
+            if (file_id == 0x0)
+                ef = currentEF;
+            else if (!(ef = search_by_fid(file_id, NULL, SPECIFY_EF)) && !(ef = search_dynamic_file(file_id)))
+                return SW_FILE_NOT_FOUND ();
+
+            if (apdu.data[0] != 0x54)
+                return SW_WRONG_DATA();
+
+            offset = 0;
+            for (int d = 0; d < apdu.data[1]; d++)
+                offset |= apdu.data[2+d]<<(apdu.data[1]-1-d)*8;
+        }
+    }
+
+    if ((fid >> 8) == KEY_PREFIX || !authenticate_action(ef, ACL_OP_READ_SEARCH)) {
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    }
+    if (ef->data) {
+        if ((ef->type & FILE_DATA_FUNC) == FILE_DATA_FUNC) {
+            uint16_t data_len = ((int (*)(const file_t *, int))(ef->data))((const file_t *)ef, 1); //already copies content to res_APDU
+            if (offset > data_len)
+                return SW_WRONG_P1P2();
+            uint16_t maxle = data_len-offset;
+            if (apdu.ne > maxle)
+                apdu.ne = maxle;
+            if (offset) {
+                memmove(res_APDU, res_APDU+offset, res_APDU_size-offset);
+                //res_APDU += offset;
+                res_APDU_size -= offset;
+            }
+        }
+        else {
+            uint16_t data_len = file_get_size(ef);
+            if (offset > data_len)
+                return SW_WRONG_P1P2();
+
+            uint16_t maxle = data_len-offset;
+            if (apdu.ne > maxle)
+                apdu.ne = maxle;
+            memcpy(res_APDU, file_get_data(ef)+offset, data_len-offset);
+            res_APDU_size = data_len-offset;
+        }
+    }
+
+    return SW_OK();
+}

src/hsm/cmd_reset_retry.c

@@ -0,0 +1,95 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "kek.h"
+
+int cmd_reset_retry() {
+    if (P2(apdu) != 0x81)
+        return SW_REFERENCE_NOT_FOUND();
+    if (!file_sopin || !file_pin1) {
+        return SW_FILE_NOT_FOUND();
+    }
+    if (!file_sopin->data) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    uint16_t opts = get_device_options();
+    if (!(opts & HSM_OPT_RRC))
+        return SW_COMMAND_NOT_ALLOWED();
+    if (P1(apdu) == 0x0 || P1(apdu) == 0x2) {
+        int newpin_len = 0;
+        if (P1(apdu) == 0x0) {
+            if (apdu.nc <= 8)
+                return SW_WRONG_LENGTH();
+            uint16_t r = check_pin(file_sopin, apdu.data, 8);
+            if (r != 0x9000)
+                return r;
+            newpin_len = apdu.nc-8;
+            has_session_sopin = true;
+            hash_multi(apdu.data, 8, session_sopin);
+        }
+        else if (P1(apdu) == 0x2) {
+            if (!has_session_sopin)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            if (apdu.nc > 16)
+                return SW_WRONG_LENGTH();
+            newpin_len = apdu.nc;
+        }
+        uint8_t dhash[33];
+        dhash[0] = newpin_len;
+        double_hash_pin(apdu.data+(apdu.nc-newpin_len), newpin_len, dhash+1);
+        flash_write_data_to_file(file_pin1, dhash, sizeof(dhash));
+        if (pin_reset_retries(file_pin1, true) != CCID_OK)
+            return SW_MEMORY_FAILURE();
+        uint8_t mkek[MKEK_SIZE];
+        int r = load_mkek(mkek); //loads the MKEK with SO pin
+        if (r != CCID_OK)
+            return SW_EXEC_ERROR();
+        hash_multi(apdu.data+(apdu.nc-newpin_len), newpin_len, session_pin);
+        has_session_pin = true;
+        r = store_mkek(mkek);
+        release_mkek(mkek);
+        if (r != CCID_OK)
+            return SW_EXEC_ERROR();
+        low_flash_available();
+        return SW_OK();
+    }
+    else if (P1(apdu) == 0x1 || P1(apdu) == 0x3) {
+        if (!(opts & HSM_OPT_RRC_RESET_ONLY))
+            return SW_COMMAND_NOT_ALLOWED();
+        if (P1(apdu) == 0x1) {
+            if (apdu.nc != 8)
+                return SW_WRONG_LENGTH();
+            uint16_t r = check_pin(file_sopin, apdu.data, 8);
+            if (r != 0x9000)
+                return r;
+            has_session_sopin = true;
+            hash_multi(apdu.data, 8, session_sopin);
+        }
+        else if (P1(apdu) == 0x3) {
+            if (!has_session_sopin)
+                return SW_CONDITIONS_NOT_SATISFIED();
+            if (apdu.nc != 0)
+                return SW_WRONG_LENGTH();
+        }
+        if (pin_reset_retries(file_pin1, true) != CCID_OK)
+            return SW_MEMORY_FAILURE();
+        return SW_OK();
+    }
+    return SW_INCORRECT_P1P2();
+}

src/hsm/cmd_select.c

@@ -0,0 +1,132 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "version.h"
+
+void select_file(file_t *pe) {
+    if (!pe)
+    {
+        currentDF = (file_t *)MF;
+        currentEF = NULL;
+    }
+    else if (pe->type & FILE_TYPE_INTERNAL_EF) {
+        currentEF = pe;
+        currentDF = &file_entries[pe->parent];
+    }
+    else {
+        currentDF = pe;
+    }
+    if (currentEF == file_openpgp || currentEF == file_sc_hsm) {
+        selected_applet = currentEF;
+        //sc_hsm_unload(); //reset auth status
+    }
+}
+
+int cmd_select() {
+    uint8_t p1 = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    file_t *pe = NULL;
+    uint16_t fid = 0x0;
+
+    // Only "first or only occurence" supported
+    //if ((p2 & 0xF3) != 0x00) {
+    //    return SW_INCORRECT_P1P2();
+    //}
+
+    if (apdu.nc >= 2)
+        fid = get_uint16_t(apdu.data, 0);
+
+    //if ((fid & 0xff00) == (KEY_PREFIX << 8))
+    //    fid = (PRKD_PREFIX << 8) | (fid & 0xff);
+
+    uint8_t pfx = fid >> 8;
+    if (pfx == PRKD_PREFIX ||
+        pfx == CD_PREFIX ||
+        pfx == CA_CERTIFICATE_PREFIX ||
+        pfx == KEY_PREFIX ||
+        pfx == EE_CERTIFICATE_PREFIX ||
+        pfx == DCOD_PREFIX ||
+        pfx == DATA_PREFIX ||
+        pfx == PROT_DATA_PREFIX) {
+        if (!(pe = search_dynamic_file(fid)) && !(pe = search_by_fid(fid, NULL, SPECIFY_EF)))
+            return SW_FILE_NOT_FOUND();
+    }
+    if (!pe) {
+        if (p1 == 0x0) { //Select MF, DF or EF - File identifier or absent
+            if (apdu.nc == 0) {
+            	pe = (file_t *)MF;
+            	//ac_fini();
+            }
+            else if (apdu.nc == 2) {
+                if (!(pe = search_by_fid(fid, NULL, SPECIFY_ANY))) {
+                    return SW_FILE_NOT_FOUND();
+                }
+            }
+        }
+        else if (p1 == 0x01) { //Select child DF - DF identifier
+            if (!(pe = search_by_fid(fid, currentDF, SPECIFY_DF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+        else if (p1 == 0x02) { //Select EF under the current DF - EF identifier
+            if (!(pe = search_by_fid(fid, currentDF, SPECIFY_EF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+        else if (p1 == 0x03) { //Select parent DF of the current DF - Absent
+            if (apdu.nc != 0)
+                return SW_FILE_NOT_FOUND();
+        }
+        else if (p1 == 0x04) { //Select by DF name - e.g., [truncated] application identifier
+            if (!(pe = search_by_name(apdu.data, apdu.nc))) {
+                return SW_FILE_NOT_FOUND();
+            }
+            if (card_terminated) {
+                return set_res_sw(0x62, 0x85);
+            }
+        }
+        else if (p1 == 0x08) { //Select from the MF - Path without the MF identifier
+            if (!(pe = search_by_path(apdu.data, apdu.nc, MF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+        else if (p1 == 0x09) { //Select from the current DF - Path without the current DF identifier
+            if (!(pe = search_by_path(apdu.data, apdu.nc, currentDF))) {
+                return SW_FILE_NOT_FOUND();
+            }
+        }
+    }
+    if ((p2 & 0xfc) == 0x00 || (p2 & 0xfc) == 0x04) {
+        process_fci(pe,0);
+        if (pe == file_sc_hsm) {
+            res_APDU[res_APDU_size++] = 0x85;
+            res_APDU[res_APDU_size++] = 5;
+            uint16_t opts = get_device_options();
+            res_APDU[res_APDU_size++] = opts >> 8;
+            res_APDU[res_APDU_size++] = opts & 0xff;
+            res_APDU[res_APDU_size++] = 0xFF;
+            res_APDU[res_APDU_size++] = HSM_VERSION_MAJOR;
+            res_APDU[res_APDU_size++] = HSM_VERSION_MINOR;
+            res_APDU[1] = res_APDU_size-2;
+        }
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    select_file(pe);
+    return SW_OK ();
+}

src/hsm/cmd_session_pin.c

@@ -0,0 +1,34 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "random.h"
+#include "eac.h"
+
+int cmd_session_pin() {
+    if (P1(apdu) == 0x01 && P2(apdu) == 0x81) {
+        memcpy(sm_session_pin, random_bytes_get(8), 8);
+        sm_session_pin_len = 8;
+
+        memcpy(res_APDU, sm_session_pin, sm_session_pin_len);
+        res_APDU_size = sm_session_pin_len;
+        apdu.ne = sm_session_pin_len;
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    return SW_OK();
+}

src/hsm/cmd_signature.c

@@ -0,0 +1,241 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "crypto_utils.h"
+#include "sc_hsm.h"
+#include "asn1.h"
+#include "mbedtls/oid.h"
+#include "random.h"
+
+//-----
+/* From OpenSC */
+static const uint8_t hdr_md5[] = {
+	0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+	0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
+};
+static const uint8_t hdr_sha1[] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
+	0x05, 0x00, 0x04, 0x14
+};
+static const uint8_t hdr_sha256[] = {
+	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+};
+static const uint8_t hdr_sha384[] = {
+	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
+};
+static const uint8_t hdr_sha512[] = {
+	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
+};
+static const uint8_t hdr_sha224[] = {
+	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
+	0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
+};
+static const uint8_t hdr_ripemd160[] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x01,
+	0x05, 0x00, 0x04, 0x14
+};
+static const struct digest_info_prefix {
+	mbedtls_md_type_t algorithm;
+	const uint8_t *	hdr;
+	size_t hdr_len;
+	size_t hash_len;
+} digest_info_prefix[] = {
+      {	MBEDTLS_MD_MD5,	hdr_md5, sizeof(hdr_md5), 16 },
+      { MBEDTLS_MD_SHA1, hdr_sha1, sizeof(hdr_sha1), 20	},
+      { MBEDTLS_MD_SHA256, hdr_sha256, sizeof(hdr_sha256), 32 },
+      { MBEDTLS_MD_SHA384, hdr_sha384, sizeof(hdr_sha384), 48 },
+      { MBEDTLS_MD_SHA512, hdr_sha512, sizeof(hdr_sha512), 64 },
+      { MBEDTLS_MD_SHA224, hdr_sha224, sizeof(hdr_sha224), 28 },
+      { MBEDTLS_MD_RIPEMD160,hdr_ripemd160,	sizeof(hdr_ripemd160), 20 },
+      {	0, NULL, 0,	0 }
+};
+int pkcs1_strip_digest_info_prefix(mbedtls_md_type_t *algorithm, const uint8_t *in_dat, size_t in_len, uint8_t *out_dat, size_t *out_len)
+{
+	for (int i = 0; digest_info_prefix[i].algorithm != 0; i++) {
+		size_t hdr_len = digest_info_prefix[i].hdr_len, hash_len = digest_info_prefix[i].hash_len;
+		const uint8_t *hdr = digest_info_prefix[i].hdr;
+		if (in_len == (hdr_len + hash_len) && !memcmp(in_dat, hdr, hdr_len)) {
+			if (algorithm)
+				*algorithm = digest_info_prefix[i].algorithm;
+			if (out_dat == NULL)
+				return CCID_OK;
+			if (*out_len < hash_len)
+				return CCID_WRONG_DATA;
+			memmove(out_dat, in_dat + hdr_len, hash_len);
+			*out_len = hash_len;
+			return CCID_OK;
+		}
+	}
+	return CCID_EXEC_ERROR;
+}
+//-----
+
+int cmd_signature() {
+    uint8_t key_id = P1(apdu);
+    uint8_t p2 = P2(apdu);
+    mbedtls_md_type_t md = MBEDTLS_MD_NONE;
+    file_t *fkey;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !fkey->data || file_get_size(fkey) == 0)
+        return SW_FILE_NOT_FOUND();
+    if (get_key_counter(fkey) == 0)
+        return SW_FILE_FULL();
+    if (key_has_purpose(fkey, p2) == false)
+        return SW_CONDITIONS_NOT_SATISFIED();
+    int key_size = file_get_size(fkey);
+    if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1)
+        md = MBEDTLS_MD_SHA1;
+    else if (p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS_SHA256 || p2 == ALGO_EC_SHA256)
+        md = MBEDTLS_MD_SHA256;
+    else if (p2 == ALGO_EC_SHA224)
+        md = MBEDTLS_MD_SHA224;
+    if (p2 == ALGO_RSA_PKCS1_SHA1 || p2 == ALGO_RSA_PSS_SHA1 || p2 == ALGO_EC_SHA1 || p2 == ALGO_RSA_PKCS1_SHA256 || p2 == ALGO_RSA_PSS_SHA256 || p2 == ALGO_EC_SHA256 || p2 == ALGO_EC_SHA224) {
+        generic_hash(md, apdu.data, apdu.nc, apdu.data);
+        apdu.nc = mbedtls_md_get_size(mbedtls_md_info_from_type(md));
+    }
+    if (p2 >= ALGO_RSA_RAW && p2 <= ALGO_RSA_PSS_SHA512) {
+        mbedtls_rsa_context ctx;
+        mbedtls_rsa_init(&ctx);
+
+        int r;
+        r = load_private_key_rsa(&ctx, fkey);
+        if (r != CCID_OK) {
+            mbedtls_rsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        uint8_t *hash = apdu.data;
+        size_t hash_len = apdu.nc;
+        if (p2 == ALGO_RSA_PKCS1) { //DigestInfo attached
+            size_t nc = apdu.nc;
+            if (pkcs1_strip_digest_info_prefix(&md, apdu.data, apdu.nc, apdu.data, &nc) != CCID_OK) //gets the MD algo id and strips it off
+                return SW_EXEC_ERROR();
+            apdu.nc = nc;
+        }
+        else {
+            //sc_asn1_print_tags(apdu.data, apdu.nc);
+            size_t tout = 0, oid_len = 0;
+            uint8_t *p = NULL, *oid = NULL;
+            if (asn1_find_tag(apdu.data, apdu.nc, 0x30, &tout, &p) && tout > 0 && p != NULL) {
+                size_t tout30 = 0;
+                uint8_t *c30 = NULL;
+                if (asn1_find_tag(p, tout, 0x30, &tout30, &c30) && tout30 > 0 && c30 != NULL) {
+                    asn1_find_tag(c30, tout30, 0x6, &oid_len, &oid);
+                }
+                asn1_find_tag(p, tout, 0x4, &hash_len, &hash);
+            }
+            if (oid && oid_len > 0) {
+                if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA1, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA1;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA224, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA224;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA256, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA256;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA384, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA384;
+                else if (memcmp(oid, MBEDTLS_OID_DIGEST_ALG_SHA512, oid_len) == 0)
+                    md = MBEDTLS_MD_SHA512;
+            }
+            if (p2 >= ALGO_RSA_PSS && p2 <= ALGO_RSA_PSS_SHA512) {
+                if (p2 == ALGO_RSA_PSS && !oid) {
+                    if (apdu.nc == 20) //default is sha1
+                        md = MBEDTLS_MD_SHA1;
+                    else if (apdu.nc == 28)
+                        md = MBEDTLS_MD_SHA224;
+                    else if (apdu.nc == 32)
+                        md = MBEDTLS_MD_SHA256;
+                    else if (apdu.nc == 48)
+                        md = MBEDTLS_MD_SHA384;
+                    else if (apdu.nc == 64)
+                        md = MBEDTLS_MD_SHA512;
+                }
+                mbedtls_rsa_set_padding(&ctx, MBEDTLS_RSA_PKCS_V21, md);
+            }
+        }
+        if (md == MBEDTLS_MD_NONE) {
+            if (apdu.nc < key_size) //needs padding
+                memset(apdu.data+apdu.nc, 0, key_size-apdu.nc);
+            r = mbedtls_rsa_private(&ctx, random_gen, NULL, apdu.data, res_APDU);
+        }
+        else {
+            uint8_t *signature = (uint8_t *)calloc(key_size, sizeof(uint8_t));
+            r = mbedtls_rsa_pkcs1_sign(&ctx, random_gen, NULL, md, hash_len, hash, signature);
+            memcpy(res_APDU, signature, key_size);
+            free(signature);
+        }
+        if (r != 0) {
+            mbedtls_rsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        res_APDU_size = key_size;
+        apdu.ne = key_size;
+        mbedtls_rsa_free(&ctx);
+    }
+    else if (p2 >= ALGO_EC_RAW && p2 <= ALGO_EC_SHA512) {
+        mbedtls_ecdsa_context ctx;
+        mbedtls_ecdsa_init(&ctx);
+        md = MBEDTLS_MD_SHA256;
+        if (p2 == ALGO_EC_RAW) {
+            if (apdu.nc == 32)
+                md = MBEDTLS_MD_SHA256;
+            else if (apdu.nc == 20)
+                md = MBEDTLS_MD_SHA1;
+            else if (apdu.nc == 28)
+                md = MBEDTLS_MD_SHA224;
+            else if (apdu.nc == 48)
+                md = MBEDTLS_MD_SHA384;
+            else if (apdu.nc == 64)
+                md = MBEDTLS_MD_SHA512;
+        }
+        if (p2 == ALGO_EC_SHA1)
+            md = MBEDTLS_MD_SHA1;
+        else if (p2 == ALGO_EC_SHA224)
+            md = MBEDTLS_MD_SHA224;
+        else if (p2 == ALGO_EC_SHA256)
+            md = MBEDTLS_MD_SHA256;
+        else if (p2 == ALGO_EC_SHA384)
+            md = MBEDTLS_MD_SHA384;
+        else if (p2 == ALGO_EC_SHA512)
+            md = MBEDTLS_MD_SHA512;
+        int r;
+        r = load_private_key_ecdsa(&ctx, fkey);
+        if (r != CCID_OK) {
+            mbedtls_ecdsa_free(&ctx);
+            if (r == CCID_VERIFICATION_FAILED)
+                return SW_SECURE_MESSAGE_EXEC_ERROR();
+            return SW_EXEC_ERROR();
+        }
+        size_t olen = 0;
+        uint8_t buf[MBEDTLS_ECDSA_MAX_LEN];
+        if (mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN, &olen, random_gen, NULL) != 0) {
+            mbedtls_ecdsa_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        memcpy(res_APDU, buf, olen);
+        res_APDU_size = olen;
+        mbedtls_ecdsa_free(&ctx);
+    }
+    else
+        return SW_INCORRECT_P1P2();
+    decrement_key_counter(fkey);
+    return SW_OK();
+}

src/hsm/cmd_update_ef.c

@@ -0,0 +1,86 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "asn1.h"
+
+extern void select_file(file_t *pe);
+
+int cmd_update_ef() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    uint16_t fid = (p1 << 8) | p2;
+    uint8_t *data = NULL;
+    uint16_t offset = 0;
+    uint16_t data_len = 0;
+    file_t *ef = NULL;
+    if (!isUserAuthenticated)
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+    if (fid == 0x0)
+        ef = currentEF;
+    else if (p1 != EE_CERTIFICATE_PREFIX && p1 != PRKD_PREFIX && p1 != CA_CERTIFICATE_PREFIX && p1 != CD_PREFIX && p1 != DATA_PREFIX && p1 != DCOD_PREFIX && p1 != PROT_DATA_PREFIX)
+        return SW_INCORRECT_P1P2();
+
+    if (ef && !authenticate_action(ef, ACL_OP_UPDATE_ERASE))
+        return SW_SECURITY_STATUS_NOT_SATISFIED();
+
+    uint16_t tag = 0x0;
+    uint8_t *tag_data = NULL, *p = NULL;
+    size_t tag_len = 0;
+    while (walk_tlv(apdu.data, apdu.nc, &p, &tag, &tag_len, &tag_data)) {
+        if (tag == 0x54) { //ofset tag
+            for (int i = 1; i <= tag_len; i++)
+                offset |= (*tag_data++ << (8*(tag_len-i)));
+        }
+        else if (tag == 0x53) { //data
+            data_len = tag_len;
+            data = tag_data;
+        }
+    }
+    if (data_len == 0 && offset == 0) { //new file
+        ef = file_new(fid);
+        //if ((fid & 0xff00) == (EE_CERTIFICATE_PREFIX << 8))
+        //    add_file_to_chain(ef, &ef_pukdf);
+        select_file(ef);
+    }
+    else {
+        if (fid == 0x0 && !ef)
+            return SW_FILE_NOT_FOUND();
+        else if (fid != 0x0 && !(ef = search_by_fid(fid, NULL, SPECIFY_EF)) && !(ef = search_dynamic_file(fid))) { //if does not exist, create it
+            //return SW_FILE_NOT_FOUND();
+            ef = file_new(fid);
+        }
+        if (offset == 0) {
+            int r = flash_write_data_to_file(ef, data, data_len);
+            if (r != CCID_OK)
+                return SW_MEMORY_FAILURE();
+        }
+        else {
+            if (!ef->data)
+                return SW_DATA_INVALID();
+
+            uint8_t *data_merge = (uint8_t *)calloc(1, offset+data_len);
+            memcpy(data_merge, file_get_data(ef), offset);
+            memcpy(data_merge+offset, data, data_len);
+            int r = flash_write_data_to_file(ef, data_merge, offset+data_len);
+            free(data_merge);
+            if (r != CCID_OK)
+                return SW_MEMORY_FAILURE();
+        }
+        low_flash_available();
+    }
+    return SW_OK();
+}

src/hsm/cmd_verify.c

@@ -0,0 +1,58 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+
+int cmd_verify() {
+    uint8_t p1 = P1(apdu);
+    uint8_t p2 = P2(apdu);
+
+    if (p1 != 0x0 || (p2 & 0x60) != 0x0)
+        return SW_WRONG_P1P2();
+
+    if (p2 == 0x81) { //UserPin
+        uint16_t opts = get_device_options();
+        if (opts & HSM_OPT_TRANSPORT_PIN)
+            return SW_DATA_INVALID();
+        if (has_session_pin && apdu.nc == 0)
+            return SW_OK();
+        if (*file_get_data(file_pin1) == 0 && pka_enabled() == false) //not initialized
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.nc > 0) {
+            return check_pin(file_pin1, apdu.data, apdu.nc);
+        }
+        if (file_read_uint8(file_get_data(file_retries_pin1)) == 0)
+            return SW_PIN_BLOCKED();
+        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_pin1)));
+    }
+    else if (p2 == 0x88) { //SOPin
+        if (file_read_uint8(file_get_data(file_sopin)) == 0) //not initialized
+            return SW_REFERENCE_NOT_FOUND();
+        if (apdu.nc > 0) {
+            return check_pin(file_sopin, apdu.data, apdu.nc);
+        }
+        if (file_read_uint8(file_get_data(file_retries_sopin)) == 0)
+            return SW_PIN_BLOCKED();
+        if (has_session_sopin)
+            return SW_OK();
+        return set_res_sw(0x63, 0xc0 | file_read_uint8(file_get_data(file_retries_sopin)));
+    }
+    else if (p2 == 0x85) {
+        return SW_OK();
+    }
+    return SW_REFERENCE_NOT_FOUND();
+}

src/hsm/cvc.c

@@ -17,16 +17,19 @@
 
 #include "common.h"
 #include "cvc.h"
+#include "sc_hsm.h"
 #include "mbedtls/rsa.h"
 #include "mbedtls/ecdsa.h"
-#include "cvcerts.h"
 #include <string.h>
 #include "asn1.h"
-#include "ccid2040.h"
 #include "crypto_utils.h"
 #include "random.h"
 #include "oid.h"
 #include "mbedtls/md.h"
+#include "files.h"
+
+extern const uint8_t *dev_name;
+extern size_t dev_name_len;
 
 size_t asn1_cvc_public_key_rsa(mbedtls_rsa_context *rsa, uint8_t *buf, size_t buf_len) {
     const uint8_t oid_rsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x01, 0x02 };
@@ -109,28 +112,31 @@ size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, siz
     return tot_len;
 }
 
-size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
     size_t pubkey_size = 0;
     if (key_type == HSM_KEY_RSA)
         pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0);
     else if (key_type == HSM_KEY_EC)
         pubkey_size = asn1_cvc_public_key_ecdsa(rsa_ecdsa, NULL, 0);
     size_t cpi_size = 4;
+    size_t ext_size = 0;
+    if (ext && ext_len > 0)
+        ext_size = asn1_len_tag(0x65, ext_len);
 
     uint8_t *car = NULL, *chr = NULL;
     size_t lencar = 0, lenchr = 0;
 
     if (asn1_find_tag(apdu.data, apdu.nc, 0x42, &lencar, &car) == false || lencar == 0 || car == NULL) {
-        car = (uint8_t *)"UTSRCACC100001";
-        lencar = strlen((char *)car);
+        car = (uint8_t *)dev_name;
+        lencar = dev_name_len;
     }
     if (asn1_find_tag(apdu.data, apdu.nc, 0x5f20, &lenchr, &chr) == false || lenchr == 0 || chr == NULL) {
-        chr = (uint8_t *)"ESHSMCVCA00001";
-        lenchr = strlen((char *)chr);
+        chr = (uint8_t *)dev_name;
+        lenchr = dev_name_len;
     }
     size_t car_size = asn1_len_tag(0x42, lencar), chr_size = asn1_len_tag(0x5f20, lenchr);
 
-    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size+car_size+pubkey_size+chr_size);
+    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size+car_size+pubkey_size+chr_size+ext_size);
 
     if (buf_len == 0 || buf == NULL)
         return tot_len;
@@ -138,7 +144,7 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_
         return 0;
     uint8_t *p = buf;
     memcpy(p, "\x7F\x4E", 2); p += 2;
-    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size, p);
+    p += format_tlv_len(cpi_size+car_size+pubkey_size+chr_size+ext_size, p);
     //cpi
     *p++ = 0x5f; *p++ = 0x29; *p++ = 1; *p++ = 0;
     //car
@@ -150,16 +156,22 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_
         p += asn1_cvc_public_key_ecdsa(rsa_ecdsa, p, pubkey_size);
     //chr
     *p++ = 0x5f; *p++ = 0x20; p += format_tlv_len(lenchr, p); memcpy(p, chr, lenchr); p += lenchr;
+    if (ext && ext_len > 0) {
+        *p++ = 0x65;
+        p += format_tlv_len(ext_len, p);
+        memcpy(p, ext, ext_len);
+        p += ext_len;
+    }
     return tot_len;
 }
 
-size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
+size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
     size_t key_size = 0;
     if (key_type == HSM_KEY_RSA)
         key_size = mbedtls_mpi_size(&((mbedtls_rsa_context *)rsa_ecdsa)->N);
     else if (key_type == HSM_KEY_EC)
         key_size = 2*mbedtls_mpi_size(&((mbedtls_ecdsa_context *)rsa_ecdsa)->d);
-    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0), sig_size = asn1_len_tag(0x5f37, key_size);
+    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len), sig_size = asn1_len_tag(0x5f37, key_size);
     size_t tot_len = asn1_len_tag(0x7f21, body_size+sig_size);
     if (buf_len == 0 || buf == NULL)
         return tot_len;
@@ -169,8 +181,7 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
     memcpy(p, "\x7F\x21", 2); p += 2;
     p += format_tlv_len(body_size+sig_size, p);
     body = p;
-    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size);
-    
+    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size, ext, ext_len);
     uint8_t hsh[32];
     hash256(body, body_size, hsh);
     memcpy(p, "\x5F\x37", 2); p += 2;
@@ -200,12 +211,21 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf
     return p-buf;
 }
 
-size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len) {
-    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0);
-    size_t outcar_len = 0;
-    const uint8_t *outcar = cvc_get_chr((uint8_t *)termca+2, (termca[1] << 8) | termca[0], &outcar_len);
+size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len) {
+    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0, ext, ext_len);
+    size_t outcar_len = dev_name_len;
+    const uint8_t *outcar = dev_name;
     size_t outcar_size = asn1_len_tag(0x42, outcar_len);
-    int key_size = 2*file_read_uint16(termca_pk), ret = 0;
+    file_t *fkey = search_by_fid(EF_KEY_DEV, NULL, SPECIFY_EF);
+    if (!fkey)
+        return 0;
+    mbedtls_ecdsa_context ectx;
+    mbedtls_ecdsa_init(&ectx);
+    if (load_private_key_ecdsa(&ectx, fkey) != CCID_OK) {
+        mbedtls_ecdsa_free(&ectx);
+        return 0;
+    }
+    int ret = 0, key_size = 2*mbedtls_mpi_size(&ectx.d);
     size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67, cvcert_size+outcar_size+outsig_size);
     if (buf_len == 0 || buf == NULL)
         return tot_len;
@@ -216,13 +236,9 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
     p += format_tlv_len(cvcert_size+outcar_size+outsig_size, p);
     uint8_t *body = p;
     //cvcert
-    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size);
+    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size, ext, ext_len);
     //outcar
     *p++ = 0x42; p += format_tlv_len(outcar_len, p); memcpy(p, outcar, outcar_len); p += outcar_len;
-    mbedtls_ecdsa_context ctx;
-    mbedtls_ecdsa_init(&ctx);
-    if (mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP192R1, &ctx, termca_pk+2, file_read_uint16(termca_pk)) != 0)
-        return 0;
     uint8_t hsh[32];
     memcpy(p, "\x5f\x37", 2); p += 2;
     p += format_tlv_len(key_size, p);
@@ -230,8 +246,8 @@ size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_
     mbedtls_mpi r, s;
     mbedtls_mpi_init(&r);
     mbedtls_mpi_init(&s);
-    ret = mbedtls_ecdsa_sign(&ctx.grp, &r, &s, &ctx.d, hsh, sizeof(hsh), random_gen, NULL);
-    mbedtls_ecdsa_free(&ctx);
+    ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL);
+    mbedtls_ecdsa_free(&ectx);
     if (ret != 0) {
         mbedtls_mpi_free(&r);
         mbedtls_mpi_free(&s);
@@ -383,6 +399,13 @@ const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen) {
     return NULL;
 }
 
+const uint8_t *cvc_get_ext(const uint8_t *data, size_t len, size_t *olen) {
+    if ((data = cvc_get_body(data, len, olen)) != NULL) {
+        return cvc_get_field(data, len, olen, 0x65);
+    }
+    return NULL;
+}
+
 extern PUK puk_store[MAX_PUK_STORE_ENTRIES];
 extern int puk_store_entries;
 
@@ -490,15 +513,15 @@ int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t h
     }
     else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
         mbedtls_md_type_t md = MBEDTLS_MD_NONE;
-        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_ECDSA_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_224, oid_len) == 0)
             md = MBEDTLS_MD_SHA224;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256, oid_len) == 0)
             md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_384, oid_len) == 0)
             md = MBEDTLS_MD_SHA384;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_512, oid_len) == 0)
             md = MBEDTLS_MD_SHA512;
         if (md == MBEDTLS_MD_NONE)
             return CCID_WRONG_DATA;
@@ -585,15 +608,15 @@ int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t c
             md = MBEDTLS_MD_SHA512;
     }
     else if (memcmp(oid, OID_ID_TA_ECDSA, 9) == 0) { //ECC
-        if (memcmp(oid, OID_IT_TA_ECDSA_SHA_1, oid_len) == 0) 
+        if (memcmp(oid, OID_ID_TA_ECDSA_SHA_1, oid_len) == 0)
             md = MBEDTLS_MD_SHA1;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_224, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_224, oid_len) == 0)
             md = MBEDTLS_MD_SHA224;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_256, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_256, oid_len) == 0)
             md = MBEDTLS_MD_SHA256;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_384, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_384, oid_len) == 0)
             md = MBEDTLS_MD_SHA384;
-        else if (memcmp(oid, OID_IT_TA_ECDSA_SHA_512, oid_len) == 0) 
+        else if (memcmp(oid, OID_ID_TA_ECDSA_SHA_512, oid_len) == 0)
             md = MBEDTLS_MD_SHA512;
     }
     if (md == MBEDTLS_MD_NONE)

src/hsm/cvc.h

@@ -36,13 +36,14 @@ typedef struct PUK {
 
 #define MAX_PUK_STORE_ENTRIES 4
 
-extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
-extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len);
+extern size_t asn1_cvc_cert(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len);
+extern size_t asn1_cvc_aut(void *rsa_ecdsa, uint8_t key_type, uint8_t *buf, size_t buf_len, const uint8_t *ext, size_t ext_len);
 extern size_t asn1_build_cert_description(const uint8_t *label, size_t label_len, const uint8_t *puk, size_t puk_len, uint16_t fid, uint8_t *buf, size_t buf_len);
 extern const uint8_t *cvc_get_field(const uint8_t *data, size_t len, size_t *olen, uint16_t tag);
 extern const uint8_t *cvc_get_car(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen);
 extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
+extern const uint8_t *cvc_get_ext(const uint8_t *data, size_t len, size_t *olen);
 extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
 extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
 extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);

src/hsm/files.c

@@ -19,13 +19,12 @@
 
 extern const uint8_t sc_hsm_aid[];
 extern int parse_token_info(const file_t *f, int mode);
-extern int parse_cvca(const file_t *f, int mode);
 
 file_t file_entries[] = {
     /*  0 */ { .fid = 0x3f00    , .parent = 0xff, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = {0} }, // MF
     /*  1 */ { .fid = 0x2f00    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.DIR
     /*  2 */ { .fid = 0x2f01    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.ATR
-    /*  3 */ { .fid = 0x2f02    , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,.data = (uint8_t *)parse_cvca, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.GDO
+    /*  3 */ { .fid = EF_TERMCA , .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.GDO
     /*  4 */ { .fid = 0x2f03    , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,.data = (uint8_t *)parse_token_info, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.TokenInfo
     /*  5 */ { .fid = 0x5015    , .parent = 0, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = {0} }, //DF.PKCS15
     /*  6 */ { .fid = 0x5031    , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.ODF
@@ -47,12 +46,14 @@ file_t file_entries[] = {
     /* 22 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Key domain options
     /* 23 */ { .fid = EF_META   , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //EF.CDFs
     /* 24 */ { .fid = EF_PUKAUT, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Public Key Authentication
-    /* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Device Key
-    /* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //PrKD Device
-    /* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //End Entity Certificate Device
-    ///* 28 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
-    /* 29 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
-    /* 30 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
+    /* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Device Key
+    /* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //PrKD Device
+    /* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //End Entity Certificate Device
+    /* 28 */ { .fid = EF_MKEK , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //MKEK
+    /* 29 */ { .fid = EF_MKEK_SO , .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //MKEK with SO-PIN
+    ///* 30 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 31 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
+    /* 32 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
 };
 
 const file_t *MF = &file_entries[0];

src/hsm/files.h

@@ -22,6 +22,9 @@
 #include "file.h"
 
 #define EF_DEVOPS       0x100E
+#define EF_MKEK         0x100A
+#define EF_MKEK_SO      0x100B
+#define EF_XKEK         0x1080
 #define EF_DKEK         0x1090
 #define EF_KEY_DOMAIN   0x10A0
 #define EF_PUKAUT       0x10C0
@@ -37,6 +40,8 @@
 #define EF_PRKD_DEV     0xC400
 #define EF_EE_DEV       0xCE00
 
+#define EF_TERMCA       0x2f02
+
 extern file_t *file_pin1;
 extern file_t *file_retries_pin1;
 extern file_t *file_sopin;

src/hsm/kek.c

@@ -19,7 +19,7 @@
 #include "common.h"
 #include "stdlib.h"
 #include "pico/stdlib.h"
-#include "dkek.h"
+#include "kek.h"
 #include "crypto_utils.h"
 #include "random.h"
 #include "sc_hsm.h"
@@ -29,8 +29,8 @@
 #include "mbedtls/ecdsa.h"
 #include "files.h"
 
-extern bool has_session_pin;
-extern uint8_t session_pin[32];
+extern bool has_session_pin, has_session_sopin;
+extern uint8_t session_pin[32], session_sopin[32];
 
 #define POLY 0xedb88320
 
@@ -45,49 +45,110 @@ uint32_t crc32c(const uint8_t *buf, size_t len)
     return ~crc;
 }
 
-int load_dkek(uint8_t id, uint8_t *dkek) {
-    if (has_session_pin == false)
+int load_mkek(uint8_t *mkek) {
+    if (has_session_pin == false && has_session_sopin == false)
         return CCID_NO_LOGIN;
-    file_t *tf = search_dynamic_file(EF_DKEK+id);
-    if (!tf)
-        return CCID_ERR_FILE_NOT_FOUND;
-    memcpy(dkek, file_get_data(tf), DKEK_SIZE);
-    int ret = aes_decrypt_cfb_256(session_pin, DKEK_IV(dkek), DKEK_KEY(dkek), DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE);
+    const uint8_t *pin = NULL;
+    if (pin == NULL && has_session_pin == true) {
+        file_t *tf = search_by_fid(EF_MKEK, NULL, SPECIFY_EF);
+        if (tf) {
+            memcpy(mkek, file_get_data(tf), MKEK_SIZE);
+            pin = session_pin;
+        }
+    }
+    if (pin == NULL && has_session_sopin == true) {
+        file_t *tf = search_by_fid(EF_MKEK_SO, NULL, SPECIFY_EF);
+        if (tf) {
+            memcpy(mkek, file_get_data(tf), MKEK_SIZE);
+            pin = session_sopin;
+        }
+    }
+    if (pin == NULL) //Should never happen
+        return CCID_EXEC_ERROR;
+    int ret = aes_decrypt_cfb_256(pin, MKEK_IV(mkek), MKEK_KEY(mkek), MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE);
     if (ret != 0)
         return CCID_EXEC_ERROR;
-    if (crc32c(DKEK_KEY(dkek), DKEK_KEY_SIZE) != *(uint32_t*)DKEK_CHECKSUM(dkek))
+    if (crc32c(MKEK_KEY(mkek), MKEK_KEY_SIZE) != *(uint32_t *)MKEK_CHECKSUM(mkek))
         return CCID_WRONG_DKEK;
     return CCID_OK;
 }
 
-void release_dkek(uint8_t *dkek) {
-    memset(dkek, 0, DKEK_SIZE);
+int load_dkek(uint8_t id, uint8_t *dkek) {
+    file_t *tf = search_dynamic_file(EF_DKEK+id);
+    if (!tf)
+        return CCID_ERR_FILE_NOT_FOUND;
+    memcpy(dkek, file_get_data(tf), DKEK_KEY_SIZE);
+    return mkek_decrypt(dkek, DKEK_KEY_SIZE);
+}
+
+void release_mkek(uint8_t *mkek) {
+    mbedtls_platform_zeroize(mkek, MKEK_SIZE);
+}
+
+int store_mkek(const uint8_t *mkek) {
+    if (has_session_pin == false && has_session_sopin == false)
+        return CCID_NO_LOGIN;
+    uint8_t tmp_mkek[MKEK_SIZE];
+    if (mkek == NULL) {
+        const uint8_t *rd = random_bytes_get(MKEK_IV_SIZE+MKEK_KEY_SIZE);
+        memcpy(tmp_mkek, rd, MKEK_IV_SIZE+MKEK_KEY_SIZE);
+    }
+    else
+        memcpy(tmp_mkek, mkek, MKEK_SIZE);
+    *(uint32_t*)MKEK_CHECKSUM(tmp_mkek) = crc32c(MKEK_KEY(tmp_mkek), MKEK_KEY_SIZE);
+    if (has_session_pin) {
+        uint8_t tmp_mkek_pin[MKEK_SIZE];
+        memcpy(tmp_mkek_pin, tmp_mkek, MKEK_SIZE);
+        file_t *tf = search_by_fid(EF_MKEK, NULL, SPECIFY_EF);
+        if (!tf) {
+            release_mkek(tmp_mkek);
+            release_mkek(tmp_mkek_pin);
+            return CCID_ERR_FILE_NOT_FOUND;
+        }
+        aes_encrypt_cfb_256(session_pin, MKEK_IV(tmp_mkek_pin), MKEK_KEY(tmp_mkek_pin), MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE);
+        flash_write_data_to_file(tf, tmp_mkek_pin, MKEK_SIZE);
+        release_mkek(tmp_mkek_pin);
+    }
+    if (has_session_sopin) {
+        uint8_t tmp_mkek_sopin[MKEK_SIZE];
+        memcpy(tmp_mkek_sopin, tmp_mkek, MKEK_SIZE);
+        file_t *tf = search_by_fid(EF_MKEK_SO, NULL, SPECIFY_EF);
+        if (!tf) {
+            release_mkek(tmp_mkek);
+            release_mkek(tmp_mkek_sopin);
+            return CCID_ERR_FILE_NOT_FOUND;
+        }
+        aes_encrypt_cfb_256(session_sopin, MKEK_IV(tmp_mkek_sopin), MKEK_KEY(tmp_mkek_sopin), MKEK_KEY_SIZE + MKEK_KEY_CS_SIZE);
+        flash_write_data_to_file(tf, tmp_mkek_sopin, MKEK_SIZE);
+        release_mkek(tmp_mkek_sopin);
+    }
+    low_flash_available();
+    release_mkek(tmp_mkek);
+    return CCID_OK;
 }
 
 int store_dkek_key(uint8_t id, uint8_t *dkek) {
     file_t *tf = search_dynamic_file(EF_DKEK+id);
     if (!tf)
         return CCID_ERR_FILE_NOT_FOUND;
-    *(uint32_t*)DKEK_CHECKSUM(dkek) = crc32c(DKEK_KEY(dkek), DKEK_KEY_SIZE);
-    aes_encrypt_cfb_256(session_pin, DKEK_IV(dkek), DKEK_KEY(dkek), DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE);
-    flash_write_data_to_file(tf, dkek, DKEK_SIZE);
+    int r = mkek_encrypt(dkek, DKEK_KEY_SIZE);
+    if (r != CCID_OK)
+        return r;
+    flash_write_data_to_file(tf, dkek, DKEK_KEY_SIZE);
     low_flash_available();
-    release_dkek(dkek);
     return CCID_OK;
 }
 
 int save_dkek_key(uint8_t id, const uint8_t *key) {
-    uint8_t dkek[DKEK_SIZE];
-    const uint8_t *iv = random_bytes_get(32);
-    memcpy(dkek, iv, DKEK_IV_SIZE);
+    uint8_t dkek[DKEK_KEY_SIZE];
     if (!key) {
         file_t *tf = search_dynamic_file(EF_DKEK+id);
         if (!tf)
             return CCID_ERR_FILE_NOT_FOUND;
-        memcpy(DKEK_KEY(dkek), file_get_data(tf), DKEK_KEY_SIZE);
+        memcpy(dkek, file_get_data(tf), DKEK_KEY_SIZE);
     }
     else
-        memcpy(DKEK_KEY(dkek), key, DKEK_KEY_SIZE);
+        memcpy(dkek, key, DKEK_KEY_SIZE);
     return store_dkek_key(id, dkek);
 }
 
@@ -107,59 +168,63 @@ int import_dkek_share(uint8_t id, const uint8_t *share) {
 }
 
 int dkek_kcv(uint8_t id, uint8_t *kcv) { //kcv 8 bytes
-    uint8_t hsh[32], dkek[DKEK_SIZE];
+    uint8_t hsh[32], dkek[DKEK_KEY_SIZE];
+    memset(kcv, 0, 8);
+    memset(hsh, 0, sizeof(hsh));
     int r = load_dkek(id, dkek);
     if (r != CCID_OK)
         return r;
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE, hsh);
-    release_dkek(dkek);
+    hash256(dkek, DKEK_KEY_SIZE, hsh);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
     memcpy(kcv, hsh, 8);
     return CCID_OK;
 }
 
 int dkek_kenc(uint8_t id, uint8_t *kenc) { //kenc 32 bytes
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t dkek[DKEK_KEY_SIZE+4];
+    memset(kenc, 0, 32);
     int r = load_dkek(id, dkek);
     if (r != CCID_OK)
         return r;
-    memcpy(DKEK_KEY(dkek)+DKEK_KEY_SIZE, "\x0\x0\x0\x1", 4);
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE+4, kenc);
-    release_dkek(dkek);
+    memcpy(dkek+DKEK_KEY_SIZE, "\x0\x0\x0\x1", 4);
+    hash256(dkek, sizeof(dkek), kenc);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
     return CCID_OK;
 }
 
 int dkek_kmac(uint8_t id, uint8_t *kmac) { //kmac 32 bytes
-    uint8_t dkek[DKEK_SIZE+4];
+    uint8_t dkek[DKEK_KEY_SIZE+4];
+    memset(kmac, 0, 32);
     int r = load_dkek(id, dkek);
     if (r != CCID_OK)
         return r;
-    memcpy(DKEK_KEY(dkek)+DKEK_KEY_SIZE, "\x0\x0\x0\x2", 4);
-    hash256(DKEK_KEY(dkek), DKEK_KEY_SIZE+4, kmac);
-    release_dkek(dkek);
+    memcpy(dkek+DKEK_KEY_SIZE, "\x0\x0\x0\x2", 4);
+    hash256(dkek, DKEK_KEY_SIZE+4, kmac);
+    mbedtls_platform_zeroize(dkek, sizeof(dkek));
     return CCID_OK;
 }
 
-int dkek_encrypt(uint8_t id, uint8_t *data, size_t len) {
+int mkek_encrypt(uint8_t *data, size_t len) {
     int r;
-    uint8_t dkek[DKEK_SIZE+4];
-    if ((r = load_dkek(id, dkek)) != CCID_OK)
+    uint8_t mkek[MKEK_SIZE+4];
+    if ((r = load_mkek(mkek)) != CCID_OK)
         return r;
-    r = aes_encrypt_cfb_256(DKEK_KEY(dkek), DKEK_IV(dkek), data, len);
-    release_dkek(dkek);
+    r = aes_encrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), data, len);
+    release_mkek(mkek);
     return r;
 }
 
-int dkek_decrypt(uint8_t id, uint8_t *data, size_t len) {
+int mkek_decrypt(uint8_t *data, size_t len) {
     int r;
-    uint8_t dkek[DKEK_SIZE+4];
-    if ((r = load_dkek(id, dkek)) != CCID_OK)
+    uint8_t mkek[MKEK_SIZE+4];
+    if ((r = load_mkek(mkek)) != CCID_OK)
         return r;
-    r = aes_decrypt_cfb_256(DKEK_KEY(dkek), DKEK_IV(dkek), data, len);
-    release_dkek(dkek);
+    r = aes_decrypt_cfb_256(MKEK_KEY(mkek), MKEK_IV(mkek), data, len);
+    release_mkek(mkek);
     return r;
 }
 
-int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_t *out_len) {
+int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_t *out_len, const uint8_t *allowed, size_t allowed_len) {
     if (!(key_type & HSM_KEY_RSA) && !(key_type & HSM_KEY_EC) && !(key_type & HSM_KEY_AES))
         return CCID_WRONG_DATA;
 
@@ -168,8 +233,6 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
     int kb_len = 0, r = 0;
     uint8_t *algo = NULL;
     uint8_t algo_len = 0;
-    uint8_t *allowed = NULL;
-    uint8_t allowed_len = 0;
     uint8_t kenc[32];
     memset(kenc, 0, sizeof(kenc));
     r = dkek_kenc(id, kenc);
@@ -207,8 +270,6 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
 
         algo = (uint8_t *)"\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01"; //2.16.840.1.101.3.4.1 (2+8)
         algo_len = 10;
-        allowed = (uint8_t *)"\x00\x04\x10\x11\x18\x99"; //(2+4)
-        allowed_len = 6;
     }
     else if (key_type & HSM_KEY_RSA) {
         if (*out_len < 8+1+12+6+(8+2*4+2*4096/8+3+13)+16) //13 bytes pading
@@ -276,7 +337,8 @@ int dkek_encode_key(uint8_t id, void *key_ctx, int key_type, uint8_t *out, size_
     else
         *out_len += 2;
 
-    if (allowed) {
+    if (allowed && allowed_len > 0) {
+        put_uint16_t(allowed_len, out+*out_len); *out_len += 2;
         memcpy(out+*out_len, allowed, allowed_len);
         *out_len += allowed_len;
     }
@@ -319,7 +381,7 @@ int dkek_type_key(const uint8_t *in) {
     return 0x0;
 }
 
-int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out) {
+int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out, uint8_t **allowed, size_t *allowed_len) {
     uint8_t kcv[8];
     int r = 0;
     memset(kcv, 0, sizeof(kcv));
@@ -370,6 +432,8 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, size_t in_len,
 
     //Allowed algorithms
     len = get_uint16_t(in, ofs);
+    *allowed = (uint8_t *)(in+ofs+2);
+    *allowed_len = len;
     ofs += len+2;
 
     //Access conditions

src/hsm/kek.h

@@ -18,29 +18,31 @@
 #ifndef _DKEK_H_
 #define _DKEK_H_
 
-extern int load_dkek(uint8_t, uint8_t *);
+extern int load_mkek(uint8_t *);
+extern int store_mkek(const uint8_t *);
 extern int save_dkek_key(uint8_t, const uint8_t *key);
 extern int store_dkek_key(uint8_t, uint8_t *);
-extern void init_dkek();
-extern void release_dkek(uint8_t *);
+extern void init_mkek();
+extern void release_mkek(uint8_t *);
 extern int import_dkek_share(uint8_t, const uint8_t *share);
 extern int dkek_kcv(uint8_t, uint8_t *kcv);
-extern int dkek_encrypt(uint8_t, uint8_t *data, size_t len);
-extern int dkek_decrypt(uint8_t, uint8_t *data, size_t len);
-extern int dkek_encode_key(uint8_t, void *key_ctx, int key_type, uint8_t *out, size_t *out_len);
+extern int mkek_encrypt(uint8_t *data, size_t len);
+extern int mkek_decrypt(uint8_t *data, size_t len);
+extern int dkek_encode_key(uint8_t, void *key_ctx, int key_type, uint8_t *out, size_t *out_len, const uint8_t *, size_t);
 extern int dkek_type_key(const uint8_t *in);
-extern int dkek_decode_key(uint8_t, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out);
+extern int dkek_decode_key(uint8_t, void *key_ctx, const uint8_t *in, size_t in_len, int *key_size_out, uint8_t **, size_t *);
 
 #define MAX_DKEK_ENCODE_KEY_BUFFER (8+1+12+6+(8+2*4+2*4096/8+3+13)+16)
 
 #define MAX_KEY_DOMAINS 16
 
-#define DKEK_IV_SIZE     (IV_SIZE)
+#define MKEK_IV_SIZE     (IV_SIZE)
+#define MKEK_KEY_SIZE    (32)
+#define MKEK_KEY_CS_SIZE (4)
+#define MKEK_SIZE        (MKEK_IV_SIZE+MKEK_KEY_SIZE+MKEK_KEY_CS_SIZE)
+#define MKEK_IV(p)       (p)
+#define MKEK_KEY(p)      (MKEK_IV(p)+MKEK_IV_SIZE)
+#define MKEK_CHECKSUM(p) (MKEK_KEY(p)+MKEK_KEY_SIZE)
 #define DKEK_KEY_SIZE    (32)
-#define DKEK_KEY_CS_SIZE (4)
-#define DKEK_SIZE        (DKEK_IV_SIZE+DKEK_KEY_SIZE+DKEK_KEY_CS_SIZE)
-#define DKEK_KEY(p)      (p+DKEK_IV_SIZE)
-#define DKEK_IV(p)       (p)
-#define DKEK_CHECKSUM(p) (p+DKEK_IV_SIZE+DKEK_KEY_SIZE)
 
 #endif

src/hsm/oid.h

@@ -23,23 +23,7 @@
 
 #define OID_BSI_DE                      "\x04\x00\x7F\x00\x07"
 
-#define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
-
-#define OID_ID_CA_DH                    OID_ID_CA "\x01"
-
-#define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
-#define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
-#define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
-#define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
-
-#define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
-
-#define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
-#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
-#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
-#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
-
-#define OID_ID_PK                       OID_BSI_DE "\x02\x02\0x1"
+#define OID_ID_PK                       OID_BSI_DE "\x02\x02\x01"
 #define OID_ID_PK_DH                    OID_ID_PK "\x01"
 #define OID_ID_PK_ECDH                  OID_ID_PK "\x02"
 
@@ -56,11 +40,25 @@
 
 #define OID_ID_TA_ECDSA                 OID_ID_TA "\x02"
 
-#define OID_IT_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
-#define OID_IT_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
-#define OID_IT_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
-#define OID_IT_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
-#define OID_IT_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
+#define OID_ID_TA_ECDSA_SHA_1           OID_ID_TA_ECDSA "\x01"
+#define OID_ID_TA_ECDSA_SHA_224         OID_ID_TA_ECDSA "\x02"
+#define OID_ID_TA_ECDSA_SHA_256         OID_ID_TA_ECDSA "\x03"
+#define OID_ID_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
+#define OID_ID_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"
+
+#define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"
+
+#define OID_ID_CA_DH                    OID_ID_CA "\x01"
+#define OID_ID_CA_DH_3DES_CBC_CBC       OID_ID_CA_DH "\x01"
+#define OID_ID_CA_DH_AES_CBC_CMAC_128   OID_ID_CA_DH "\x02"
+#define OID_ID_CA_DH_AES_CBC_CMAC_192   OID_ID_CA_DH "\x03"
+#define OID_ID_CA_DH_AES_CBC_CMAC_256   OID_ID_CA_DH "\x04"
+
+#define OID_ID_CA_ECDH                  OID_ID_CA "\x02"
+#define OID_ID_CA_ECDH_3DES_CBC_CBC     OID_ID_CA_ECDH "\x01"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_128 OID_ID_CA_ECDH "\x02"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_192 OID_ID_CA_ECDH "\x03"
+#define OID_ID_CA_ECDH_AES_CBC_CMAC_256 OID_ID_CA_ECDH "\x04"
 
 #define OID_ID_RI                       OID_BSI_DE "\x02\x02\x05"
 
@@ -78,4 +76,31 @@
 
 #define OID_ID_CI                       OID_BSI_DE "\x02\x02\x06"
 
+#define OID_CARDCONTACT                 "\x2B\x06\x01\x04\x01\x81\xC3\x1F"
+
+#define OID_OPENSCDP                    OID_CARDCONTACT "\x01"
+#define OID_CC_ISO7816                  OID_CARDCONTACT "\x02"
+#define OID_CC_PKI                      OID_CARDCONTACT "\x03"
+#define OID_CC_FORMAT                   OID_CARDCONTACT "\x04"
+#define OID_CC_GP_PROFILES              OID_CARDCONTACT "\x10"
+
+#define OID_SCSH3                       OID_OPENSCDP "\x01"
+#define OID_SCSH3GUI                    OID_OPENSCDP "\x02"
+
+#define OID_SMARCARD_HSM                OID_CC_ISO7816 "\x01"
+#define OID_CC_APDUTEST                 OID_CC_ISO7816 "\x02"
+#define OID_CC_PACKAGES                 OID_CC_ISO7816 "\x7F"
+
+#define OID_CC_ROLES                    OID_CC_PKI "\x01"
+#define OID_CC_ROLE_SC_HSM              OID_CC_ROLES "\x01"
+
+#define OID_CC_EXTENSIONS               OID_CC_PKI "\x02"
+#define OID_ID_IMPU                     OID_CC_EXTENSIONS "\x01"
+#define OID_ID_KEY_DOMAIN_UID           OID_CC_EXTENSIONS "\x02"
+
+#define OID_CC_FF_DEVICEID              OID_CC_FORMAT "\x01"
+#define OID_CC_FF_KDM                   OID_CC_FORMAT "\x02"
+#define OID_CC_FF_PKA                   OID_CC_FORMAT "\x03"
+#define OID_CC_FF_KDA                   OID_CC_FORMAT "\x04"
+
 #endif

src/hsm/sc_hsm.h

@@ -19,12 +19,16 @@
 #define _SC_HSM_H_
 
 #include <stdlib.h>
+#include "common.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/ecdsa.h"
 #include "pico/stdlib.h"
-#include "ccid2040.h"
+#include "file.h"
+#include "apdu.h"
+#include "hsm.h"
 
 extern const uint8_t sc_hsm_aid[];
 
-
 #define ALGO_RSA_RAW			0x20		/* RSA signature with external padding */
 #define ALGO_RSA_DECRYPT		0x21		/* RSA raw decrypt */
 #define ALGO_RSA_DECRYPT_PKCS1  0x22
@@ -50,6 +54,8 @@ extern const uint8_t sc_hsm_aid[];
 #define ALGO_EC_SHA384          0x74
 #define ALGO_EC_SHA512          0x75
 #define ALGO_EC_DH				0x80        /* ECDH key derivation */
+#define ALGO_EC_DH_AUTPUK       0x83
+#define ALGO_EC_DH_XKEK         0x84
 
 #define ALGO_WRAP               0x92
 #define ALGO_UNWRAP             0x93
@@ -85,13 +91,32 @@ extern const uint8_t sc_hsm_aid[];
 #define P15_KEYTYPE_ECC     0xA0
 #define P15_KEYTYPE_AES     0xA8
 
+#define MAX_PUK 8
+
 extern int pin_reset_retries(const file_t *pin, bool);
 extern int pin_wrong_retry(const file_t *pin);
 
 extern void hash(const uint8_t *input, size_t len, uint8_t output[32]);
 extern void hash_multi(const uint8_t *input, size_t len, uint8_t output[32]);
 extern void double_hash_pin(const uint8_t *pin, size_t len, uint8_t output[32]);
-
+extern uint16_t get_device_options();
+extern bool has_session_pin, has_session_sopin;
 extern uint8_t session_pin[32], session_sopin[32];
+extern int check_pin(const file_t *pin, const uint8_t *data, size_t len);
+extern bool pka_enabled();
+extern const uint8_t *dev_name;
+extern size_t dev_name_len;
+extern uint8_t puk_status[MAX_PUK];
+extern int puk_store_select_chr(const uint8_t *chr);
+extern int delete_file(file_t *ef);
+extern const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, size_t *tag_len);
+extern bool key_has_purpose(file_t *ef, uint8_t purpose);
+extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey);
+extern int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey);
+extern bool wait_button_pressed();
+extern int store_keys(void *key_ctx, int type, uint8_t key_id);
+extern int find_and_store_meta_key(uint8_t key_id);
+extern uint32_t get_key_counter(file_t *fkey);
+extern uint32_t decrement_key_counter(file_t *fkey);
 
 #endif

src/hsm/version.h

@@ -18,7 +18,7 @@
 #ifndef __VERSION_H_
 #define __VERSION_H_
 
-#define HSM_VERSION 0x0206
+#define HSM_VERSION 0x0300
 
 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
 #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)

tools/pico-hsm-patch-vidpid.sh

@@ -17,8 +17,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION_MAJOR="2" #Version of Pico CCID Core
-VERSION_MINOR="0"
+VERSION_MAJOR="3" #Version of Pico CCID Core
+VERSION_MINOR="4"
 
 echo "----------------------------"
 echo "VID/PID patcher for Pico HSM"

tools/pico-hsm-tool.py

@@ -0,0 +1,304 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+from smartcard.CardType import AnyCardType
+from smartcard.CardRequest import CardRequest
+from smartcard.Exceptions import CardRequestTimeoutException
+from cvc.certificates import CVC
+from cvc.asn1 import ASN1
+from cvc.oid import oid2scheme
+from cvc.utils import scheme_rsa
+from cryptography.hazmat.primitives.asymmetric import ec
+import json
+import urllib.request
+import base64
+from binascii import hexlify
+import sys
+import argparse
+import os
+from datetime import datetime
+from argparse import RawTextHelpFormatter
+
+class APDUResponse(Exception):
+    def __init__(self, sw1, sw2):
+        self.sw1 = sw1
+        self.sw2 = sw2
+        super().__init__(f'SW:{sw1:02X}{sw2:02X}')
+
+
+def send_apdu(card, command, p1, p2, data=None):
+    lc = []
+    dataf = []
+    if (data):
+        lc = [0x00] + list(len(data).to_bytes(2, 'big'))
+        dataf = data
+    le = [0x00, 0x00]
+    if (isinstance(command, list) and len(command) > 1):
+        apdu = command
+    else:
+        apdu = [0x00, command]
+
+    apdu = apdu + [p1, p2] + lc + dataf + le
+    response, sw1, sw2 = card.connection.transmit(apdu)
+    if (sw1 != 0x90):
+        raise APDUResponse(sw1, sw2)
+    return response
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    subparser = parser.add_subparsers(title="commands", dest="command")
+    parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
+    parser_init.add_argument('--pin', help='PIN number')
+    parser_init.add_argument('--so-pin', help='SO-PIN number')
+
+    parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.')
+    parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID')
+
+    parser_pki = subparser.add_parser('pki', help='Performs PKI operations.')
+    subparser_pki = parser_pki.add_subparsers(title='commands', dest='subcommand')
+    parser_pki_init = subparser_pki.add_parser('initialize', help='Initializes the Public Key Infrastructure (PKI)')
+
+    parser_pki_init.add_argument('--certs-dir', help='Store the PKI certificates into this directory.', default='certs')
+    parser_pki_init.add_argument('--default', help='Setups the default public PKI from public Pico HSM PKI.', action='store_true')
+    parser_pki_init.add_argument('--force', help='Forces the download of certificates.', action='store_true')
+
+    parser_rtc = subparser.add_parser('datetime', help='Datetime operations with the integrated Real Time Clock (RTC).')
+    parser_rtc.add_argument('subcommand', choices=['set', 'get'], help='Sets or gets current datetime.')
+
+    parser_opts = subparser.add_parser('options', help='Manage extra options.', formatter_class=RawTextHelpFormatter)
+    parser_opts.add_argument('subcommand', choices=['set', 'get'], help='Sets or gets option OPT.')
+    parser_opts.add_argument('opt', choices=['button', 'counter'], help='Button: press-to-confirm button.\nCounter: every generated key has an internal counter.')
+    parser_opts.add_argument('onoff', choices=['on', 'off'], help='Toggles state ON or OFF', metavar='ON/OFF', nargs='?')
+
+    args = parser.parse_args()
+    return args
+
+def get_pki_data(url, data=None, method='GET'):
+    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; '
+    'rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
+    method = 'GET'
+    if (data is not None):
+        method = 'POST'
+    req = urllib.request.Request(f"https://www.henarejos.me/pico/pico-hsm/{url}/",
+                                method=method,
+                                data=data,
+                                headers={'User-Agent': user_agent, })
+    response = urllib.request.urlopen(req)
+    resp = response.read().decode('utf-8')
+    j = json.loads(resp)
+    return j
+
+def get_pki_certs(certs_dir='certs', force=False):
+    certs = get_pki_data('certs')
+    if (os.path.exists(certs_dir) is False):
+        os.mkdir(certs_dir)
+    cvcap = os.path.join(certs_dir, certs['cvca']['CHR'])
+    dvcap = os.path.join(certs_dir, certs['dvca']['CHR'])
+    if (os.path.exists(cvcap) is False or force is True):
+        with open(cvcap, 'wb') as f:
+            f.write(base64.urlsafe_b64decode(certs['cvca']['cert']))
+    if (os.path.exists(dvcap) is False or force is True):
+        with open(dvcap, 'wb') as f:
+            f.write(base64.urlsafe_b64decode(certs['dvca']['cert']))
+    print(f'All PKI certificates are stored at {certs_dir} folder')
+
+def pki(card, args):
+    if (args.subcommand == 'initialize'):
+        if (args.default is True):
+            get_pki_certs(certs_dir=args.certs_dir, force=args.force)
+        else:
+            print('Error: no PKI is passed. Use --default to retrieve default PKI.')
+
+def initialize(card, args):
+    print('********************************')
+    print('*   PLEASE READ IT CAREFULLY   *')
+    print('********************************')
+    print('')
+    print('This tool will erase and reset your device. It will delete all '
+        'private and secret keys.')
+    print('Are you sure?')
+    _ = input('[Press enter to confirm]')
+
+    send_apdu(card, 0xA4, 0x04, 0x00, [0xE8, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xC3, 0x1F, 0x02, 0x01])
+    if (args.pin):
+        pin = args.pin.encode()
+        try:
+            response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+        except APDUResponse:
+            pass
+    else:
+            pin = b'648219'
+    if (args.so_pin):
+        so_pin = args.so_pin.encode()
+        try:
+            response = send_apdu(card, 0x20, 0x00, 0x82, list(so_pin))
+        except APDUResponse:
+            pass
+    else:
+            so_pin = b'57621880'
+
+    pin_data = [0x81, len(pin)] + list(pin)
+    so_pin_data = [0x82, len(so_pin)] + list(so_pin)
+    reset_data = [0x80, 0x02, 0x00, 0x01] + pin_data + so_pin_data + [0x91, 0x01, 0x03]
+    response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
+
+    response = send_apdu(card, 0xB1, 0xCE, 0x00, [0x54, 0x02, 0x00, 0x00])
+
+    cert = bytearray(response)
+    Y = CVC().decode(cert).pubkey().find(0x86).data()
+    print(f'Public Point: {hexlify(Y).decode()}')
+
+    pbk = base64.urlsafe_b64encode(Y)
+    data = urllib.parse.urlencode({'pubkey': pbk}).encode()
+    j = get_pki_data('cvc', data=data)
+    print('Device name: '+j['devname'])
+    dataef = base64.urlsafe_b64decode(
+        j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
+
+    response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f, 0x02])
+    response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+
+    apdu_data = [0x54, 0x02, 0x00, 0x00] + \
+        list(ASN1.make_tag(0x53, dataef))
+    response = send_apdu(card, 0xd7, 0x00, 0x00, apdu_data)
+
+    print('Certificate uploaded successfully!')
+    print('')
+    print('Note that the device is initialized with a default PIN and '
+        'configuration.')
+    print('Now you can initialize the device as usual with your chosen PIN '
+        'and configuration options.')
+
+def attestate(card, args):
+    kid = int(args.key)
+    try:
+        response = send_apdu(card, 0xB1, 0x2F, 0x02, [0x54, 0x02, 0x00, 0x00])
+    except APDUResponse as a:
+        print('ERROR: There is an error with the device certificate.')
+        sys.exit(1)
+
+    devcert = ASN1().decode(response).find(0x7f21, pos=0).data(return_tag=True)
+
+    try:
+        cert = send_apdu(card, 0xB1, 0xCE, kid, [0x54, 0x02, 0x00, 0x00])
+    except APDUResponse as a:
+        if (a.sw1 == 0x6a and a.sw2 == 0x82):
+            print('ERROR: Key not found')
+            sys.exit(1)
+    from binascii import hexlify
+    print(hexlify(bytearray(cert)))
+    print(f'Details of key {kid}:\n')
+    print(f'  CAR: {(CVC().decode(cert).car()).decode()}')
+    print('  Public Key:')
+    puboid = CVC().decode(cert).pubkey().oid()
+    print(f'    Scheme: {oid2scheme(puboid)}')
+    chr = CVC().decode(cert).chr()
+    car = CVC().decode(cert).car()
+    if (scheme_rsa(puboid)):
+        print(f'    Modulus: {hexlify(CVC().decode(cert).pubkey().find(0x81).data()).decode()}')
+        print(f'    Exponent: {hexlify(CVC().decode(cert).pubkey().find(0x82).data()).decode()}')
+    else:
+        print(f'    Public Point: {hexlify(CVC().decode(cert).pubkey().find(0x86).data()).decode()}')
+    print(f'  CHR: {chr.decode()}')
+    print('  Key signature:')
+    inret = CVC().decode(cert).verify()
+    if (inret):
+        print('    Status: VALID')
+        print(f'      This certificate is signed with private key {kid}')
+    else:
+        print('    Status: NOT VALID')
+        print(f'      This certificate is NOT signed with private key {kid}')
+    print('  Cert signature:')
+    print(f'    Outer CAR: {CVC().decode(cert).outer_car().decode()}')
+    outret = CVC().decode(cert).verify(outer=True, dica=devcert, curve=ec.SECP256R1())
+    if (outret):
+        print('    Status: VALID')
+        print('      This certificate is signed with the device key')
+    else:
+        print('    Status: NOT VALID')
+        print('      This certificate is NOT signed with the device key')
+
+    if (inret is True and outret is True):
+        print(f'Key {kid} is generated by device {chr.decode()}')
+    else:
+        print(f'Key {kid} is NOT generated by device {chr.decode()}')
+
+def rtc(card, args):
+    if (args.subcommand == 'set'):
+        now = datetime.now()
+        _ = send_apdu(card, [0x80, 0x64], 0x0A, 0x00, list(now.year.to_bytes(2, 'big')) + [now.month, now.day, now.weekday(), now.hour, now.minute, now.second ])
+    elif (args.subcommand == 'get'):
+        response = send_apdu(card, [0x80, 0x64], 0x0A, 0x00)
+        dt = datetime(int.from_bytes(response[:2], 'big'), response[2], response[3], response[5], response[6], response[7])
+        print(f'Current date and time is: {dt.ctime()}')
+
+def opts(card, args):
+    opt = 0x0
+    if (args.opt == 'button'):
+        opt = 0x1
+    elif (args.opt == 'counter'):
+        opt = 0x2
+    current = send_apdu(card, [0x80, 0x64], 0x6, 0x0)[0]
+    if (args.subcommand == 'set'):
+        if (args.onoff == 'on'):
+            newopt = current | opt
+        else:
+            newopt = current & ~opt
+        send_apdu(card, [0x80, 0x64], 0x6, 0x0, [newopt])
+    elif (args.subcommand == 'get'):
+        print(f'Option {args.opt.upper()} is {"ON" if current & opt else "OFF"}')
+
+def main(args):
+    print('Pico HSM Tool v1.4')
+    print('Author: Pol Henarejos')
+    print('Report bugs to https://github.com/polhenarejos/pico-hsm/issues')
+    print('')
+    print('')
+    cardtype = AnyCardType()
+    try:
+        # request card insertion
+        cardrequest = CardRequest(timeout=10, cardType=cardtype)
+        card = cardrequest.waitforcard()
+
+        # connect to the card and perform a few transmits
+        card.connection.connect()
+
+    except CardRequestTimeoutException:
+        print('time-out: no card inserted during last 10s')
+
+    # Following commands may raise APDU exception on error
+    if (args.command == 'initialize'):
+        initialize(card, args)
+    elif (args.command == 'attestate'):
+        attestate(card, args)
+    elif (args.command == 'pki'):
+        pki(card, args)
+    elif (args.command == 'datetime'):
+        rtc(card, args)
+    elif (args.command == 'options'):
+        opts(card, args)
+
+def run():
+    args = parse_args()
+    main(args)
+
+if __name__ == "__main__":
+    run()

workflows/autobuild.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+git submodule update --init --recursive
+sudo apt update
+sudo apt install -y cmake gcc-arm-none-eabi libnewlib-arm-none-eabi libstdc++-arm-none-eabi-newlib
+git clone https://github.com/raspberrypi/pico-sdk
+cd pico-sdk
+git submodule update --init
+cd ..
+mkdir build
+cd build
+cmake -DPICO_SDK_PATH=../pico-sdk ..
+make