Fix merge.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: polhenarejos
+custom: ["https://www.paypal.me/polhenarejos"]

.github/workflows/codeql.yml

@@ -13,12 +13,13 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "master", "development" ]
+    branches: [ "master", "development", "development-eddsa" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master", "development" ]
+    branches: [ "master", "development", "development-eddsa" ]
   schedule:
     - cron: '23 5 * * 4'
+  workflow_dispatch:
 
 jobs:
   analyze:
@@ -48,11 +49,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     # - name: Autobuild
@@ -61,7 +62,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     - run: |

.github/workflows/test.yml

@@ -13,18 +13,17 @@ name: "Emulation and test"
 
 on:
   push:
-    branches: [ "master", "development" ]
+    branches: [ "master", "development", "development-eddsa" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master", "development" ]
+    branches: [ "master", "development", "development-eddsa" ]
   schedule:
     - cron: '23 5 * * 4'
+  workflow_dispatch:
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     steps:
     - name: Checkout repository and submodules
       uses: actions/checkout@v3
@@ -32,5 +31,36 @@ jobs:
         submodules: recursive
     - name: Build in container
       run: ./tests/build-in-docker.sh
-    - name: Start emulation and test
-      run: ./tests/run-test-in-docker.sh
+    - name: Export image
+      run: |
+        mkdir -p artifacts
+        docker save pico-hsm-test:bullseye -o artifacts/docker-image.tar
+    - name: Temporarily save image
+      uses: actions/upload-artifact@v3
+      with:
+        name: docker-artifact
+        path: artifacts
+        retention-days: 1
+
+  test:
+    runs-on: ubuntu-latest
+    needs: build
+    strategy:
+      matrix:
+        suite: ["pkcs11", "pytest", "sc-hsm-pkcs11"]
+    steps:
+    - name: Checkout repository and submodules
+      uses: actions/checkout@v3
+      with:
+        submodules: recursive
+    - name: Retrieve saved image
+      uses: actions/download-artifact@v3
+      with:
+        name: docker-artifact
+        path: artifacts
+    - name: Load image
+      run: |
+        cd artifacts
+        docker load -q -i docker-image.tar
+    - name: Test ${{ matrix.suite }}
+      run: ./tests/run-test-in-docker.sh ${{ matrix.suite }}

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "pico-hsm-sdk"]
-	path = pico-hsm-sdk
-	url = ../pico-hsm-sdk
+[submodule "pico-keys-sdk"]
+	path = pico-keys-sdk
+	url = https://github.com/polhenarejos/pico-keys-sdk

CMakeLists.txt

@@ -32,6 +32,13 @@ else()
 pico_sdk_init()
 endif()
 
+if (NOT DEFINED __FOR_CI)
+    set(__FOR_CI 0)
+endif()
+if (__FOR_CI)
+    add_definitions(-D__FOR_CI)
+endif()
+
 add_executable(pico_hsm)
 
 set(SOURCES ${SOURCES}
@@ -62,6 +69,7 @@ set(SOURCES ${SOURCES}
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_session_pin.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_puk_auth.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_pso.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_bip_slip.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cvc.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/files.c
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm/kek.c
@@ -69,7 +77,7 @@ set(SOURCES ${SOURCES}
 
         )
 set(USB_ITF_CCID 1)
-include(pico-hsm-sdk/pico_hsm_sdk_import.cmake)
+include(pico-keys-sdk/pico_keys_sdk_import.cmake)
 
 set(INCLUDES ${INCLUDES}
         ${CMAKE_CURRENT_LIST_DIR}/src/hsm
@@ -101,5 +109,5 @@ endif (APPLE)
 else()
 pico_add_extra_outputs(pico_hsm)
 
-target_link_libraries(pico_hsm PRIVATE pico_hsm_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
+target_link_libraries(pico_hsm PRIVATE pico_keys_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board)
 endif()

README.md

@@ -3,7 +3,7 @@ This is a project to create a Hardware Security Module (HSM) with a Raspberry Pi
 
 ## Capabilities
 ### > Key generation and encrypted storage
-Private and secret keys are stored with a master AES 256 key (DKEK). The DKEK is, at the same time, encrypted with a hashed and salted version of the PIN.
+Private and secret keys are stored with a master AES 256 key (MKEK). The MKEK is, at the same time, encrypted with a hashed and salted version of the PIN.
 **No private/secret keys, DKEK or PIN are stored in plain text ever. Never.**
 
 ### > RSA key generation from 1024 to 4096 bits
@@ -37,7 +37,13 @@ It allows private decryption in place with RSA-OEP and RSA-X-509 algorithms.
 It supports AES key generation in place with keys of 128, 192 and 256 bits.
 
 ### > AES-CBC encryption/decryption
-AES encryption and decryption is performed in place.
+Legacy AES encryption and decryption is performed in place.
+
+### > AES ECB, CBC, CFB, OFB, XTS, CTR, GCM and CCM
+Advanced AES encryption and decryption with multiples modes and customized IV/nonce and additional authenticated data (AAD).[^4]
+
+### > AES key generation of 128, 192, 256 and 512 bits.
+Besides 128, 192 and 256 bits, Pico HSM also supports key generation of 512 bits (64 bytes). These keys are specially indicated for running AES XTS, where two keys of 256 bits are concatenated.
 
 ### > CMAC
 It supports AES-CMAC authentication.[^1]
@@ -109,13 +115,13 @@ Key usage can also be used to perform and auditory and track the usage of a part
 ### > Public Key Authentication
 Public Key Authentication (PKA) allows to authenticate by using a secondary device with a private key and a registered public key in the primary device. A challenge is generated by the primary Pico HSM and given to the secondary for signature. The secondary device signs the challenge and returns the signature. Then, the primary device verifies the signature with the registered public key and if it is valid, it grants full access, as normal PIN authentication.
 
-In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
+In PKA, the PIN is used for protecting the MKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
 
 ### > Secure Lock
 An extra layer can be added to the device by adding a private key stored on the computer to lock that Pico HSM to the specific computer. The content will be completely encrypted with a private key only available from a specific computer.
 
 ### > ChaCha20-Poly1305
-This is a novel fast and efficient symmetric encryption algorithm. Similarly to AES, it can be used to cipher your private data.
+This is a novel fast and efficient symmetric encryption algorithm. Similarly to AES, it can be used to cipher your private data.[^4]
 
 ### > X25519 and X448
 Both cruves Curve25519 and Curve448 are supported for doing DH X25519 and X448. Remember that cannot be used for signing.
@@ -124,11 +130,24 @@ Both cruves Curve25519 and Curve448 are supported for doing DH X25519 and X448.
 It supports symmetric key derivations from different standards and RFC.
 
 ### > HMAC
-It supports performing HMAC from a secret key on a arbitrary data with SHA digest algorithm.
+It supports performing HMAC from a secret key on an arbitrary data with SHA digest algorithm.
+
+### > CMAC
+Similarly to HMAC, Pico HSM also supports CMAC with AES algorithm for keys of 128, 192 and 256 bits.
+
+### > XKEK
+Besides DKEK, it supports a more advanced scheme to share keys. Based on private key domains, it is possible to wrap and unwrap private and secret keys inside the domain to only authorized devices. If a device outside the domain tries to unwrap a key, it will fail.
+
+### > MKEK
+A Master Key Encryption Key is used to store safely all the keys. This key is also ciphered with an ephemereal key derived from the hashed PIN. Therefore, we can ensure all the keys are encrypted and stored.
+
+### > Hierarchical Deterministic key generation
+It supports **BIP32** for asymmetric deterministic key derivation and **SLIP10** for symmetric key derivation. With it, crypto wallets can be deployed with Pico HSM, as infinite keys can be derived for signature and symmetric encryption. Curves NIST 256 and Koblitz 256 are supported for master key generation.[^4]
 
 [^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
 [^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
-[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process.
+[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and DKEK shares are available during the import process.
+[^4]: Available by using PicoHSM python tool.
 
 ## Security considerations
 All secret keys (asymmetric and symmetric) are stored encrypted in the flash memory of the Raspberry Pico. DKEK is used as a 256 bit AES key to protect private and secret keys. Keys are never stored in RAM except for signature and decryption operations and only during the process. All keys (including DKEK) are loaded and cleared every time to avoid potential security flaws.
@@ -140,16 +159,21 @@ If the Pico is stolen the contents of private and secret keys cannot be read wit
 ## Download
 Please, go to the Release page and download the UF2 file for your board.
 
-Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you are planning to use it with OpenSC or similar, you should modify Info.plist of CCID driver to add these VID/PID or use the VID/PID patcher as follows:
+Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you are planning to use it with OpenSC or similar, you should modify Info.plist of CCID driver to add these VID/PID or use the [Pico Patcher tool](https://www.picokeys.com/pico-patcher/).
+
+Alternatively you can use the legacy VID/PID patcher as follows:
 `./patch_vidpid.sh VID:PID input_hsm_file.uf2 output_hsm_file.uf2`
 
 You can use whatever VID/PID (i.e., 234b:0000 from FISJ), but remember that you are not authorized to distribute the binary with a VID/PID that you do not own.
 
+Note that the pure-browser option [Pico Patcher tool](https://www.picokeys.com/pico-patcher/) is the most recommended. 
+
 ## Build
 Before building, ensure you have installed the toolchain for the Pico and the Pico SDK is properly located in your drive.
 
 ```
 git clone https://github.com/polhenarejos/pico-hsm
+git submodule update --init --recursive
 cd pico-hsm
 mkdir build
 cd build
@@ -166,9 +190,9 @@ Independent from your Linux distribution or when using another OS that supports
 
 ```
 sudo docker build \
-    --build-arg VERSION_PICO_SDK=1.4.0 \
-    --build-arg VERSION_MAJOR=2 \
-    --build-arg VERSION_MINOR=6 \
+    --build-arg VERSION_PICO_SDK=1.5.0 \
+    --build-arg VERSION_MAJOR=3 \
+    --build-arg VERSION_MINOR=4 \
     --build-arg PICO_BOARD=waveshare_rp2040_zero \
     --build-arg USB_VID=0xfeff \
     --build-arg USB_PID=0xfcfd \

build_pico_hsm.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 VERSION_MAJOR="3"
-VERSION_MINOR="2"
+VERSION_MINOR="6"
 
 rm -rf release/*
 cd build_release
@@ -17,6 +17,7 @@ for board in adafruit_feather_rp2040 \
     eetree_gamekit_rp2040 \
     garatronic_pybstick26_rp2040 \
     melopero_shake_rp2040 \
+    nullbits_bit_c_pro \
     pico \
     pico_w \
     pimoroni_badger2040 \
@@ -31,6 +32,7 @@ for board in adafruit_feather_rp2040 \
     pimoroni_servo2040 \
     pimoroni_tiny2040 \
     pimoroni_tiny2040_2mb \
+    pololu_3pi_2040_robot \
     seeed_xiao_rp2040 \
     solderparty_rp2040_stamp \
     solderparty_rp2040_stamp_carrier \
@@ -40,6 +42,8 @@ for board in adafruit_feather_rp2040 \
     sparkfun_thingplus \
     vgaboard \
     waveshare_rp2040_lcd_0.96 \
+    waveshare_rp2040_lcd_1.28 \
+    waveshare_rp2040_one \
     waveshare_rp2040_plus_4mb \
     waveshare_rp2040_plus_16mb \
     waveshare_rp2040_zero \

doc/usage.md

@@ -30,7 +30,7 @@ PIN=648219
 ## Initialization
 The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder:
 ```
-$ python3 pico-hsm-tool.py initialize --so-pin 3537363231383830 --pin 648219
+$ python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880
 ```
 The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked.
 The PIN accepts from 6 to 16 characters.
@@ -51,7 +51,7 @@ $ pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456
 
 To unblock the PIN:
 ```
-$ pkcs11-tool --login --login-type so --so-pin=3537363231383830 --init-pin --new-pin=648219
+$ pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219
 ```
 
 ## Keypair generation

src/hsm/cmd_bip_slip.c

@@ -0,0 +1,324 @@
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sc_hsm.h"
+#include "files.h"
+#include "random.h"
+#include "kek.h"
+#include "asn1.h"
+
+const uint8_t *k1_seed = (const uint8_t *) "Bitcoin seed";
+const uint8_t *p1_seed = (const uint8_t *) "Nist256p1 seed";
+const uint8_t *sym_seed = (const uint8_t *) "Symmetric key seed";
+mbedtls_ecp_keypair hd_context = { 0 };
+uint8_t hd_keytype = 0;
+
+int node_derive_bip_child(const mbedtls_ecp_keypair *parent,
+                          const uint8_t cpar[32],
+                          const uint8_t *i,
+                          mbedtls_ecp_keypair *child,
+                          uint8_t cchild[32]) {
+    uint8_t data[1 + 32 + 4], I[64], *iL = I, *iR = I + 32;
+    mbedtls_mpi il, kchild;
+    mbedtls_mpi_init(&il);
+    mbedtls_mpi_init(&kchild);
+    if (i[0] >= 0x80) {
+        if (mbedtls_mpi_cmp_int(&parent->d, 0) == 0) {
+            return CCID_ERR_NULL_PARAM;
+        }
+        data[0] = 0x00;
+        mbedtls_mpi_write_binary(&parent->d, data + 1, 32);
+    }
+    else {
+        size_t olen = 0;
+        mbedtls_ecp_point_write_binary(&parent->grp,
+                                       &parent->Q,
+                                       MBEDTLS_ECP_PF_COMPRESSED,
+                                       &olen,
+                                       data,
+                                       33);
+    }
+    do {
+        memcpy(data + 33, i, 4);
+        mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA512),
+                        cpar,
+                        32,
+                        data,
+                        sizeof(data),
+                        I);
+        mbedtls_mpi_read_binary(&il, iL, 32);
+        mbedtls_mpi_add_mpi(&kchild, &il, &parent->d);
+        mbedtls_mpi_mod_mpi(&kchild, &kchild, &parent->grp.N);
+        data[0] = 0x01;
+        memcpy(data + 1, iR, 32);
+    } while (mbedtls_mpi_cmp_mpi(&il,
+                                 &parent->grp.N) != -1 || mbedtls_mpi_cmp_int(&kchild, 0) == 0);
+    mbedtls_mpi_copy(&child->d, &kchild);
+    mbedtls_ecp_mul(&child->grp, &child->Q, &child->d, &child->grp.G, random_gen, NULL);
+    memcpy(cchild, iR, 32);
+    mbedtls_mpi_free(&il);
+    mbedtls_mpi_free(&kchild);
+    return CCID_OK;
+}
+
+int sha256_ripemd160(const uint8_t *buffer, size_t buffer_len, uint8_t *output) {
+    mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), buffer, buffer_len, output);
+    mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_RIPEMD160), output, 32, output);
+    return CCID_OK;
+}
+
+int sha256_sha256(const uint8_t *buffer, size_t buffer_len, uint8_t *output) {
+    mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), buffer, buffer_len, output);
+    mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), output, 32, output);
+    return CCID_OK;
+}
+
+int node_fingerprint_bip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
+    size_t olen = 0;
+    uint8_t buffer[33];
+    mbedtls_ecp_point_write_binary(&ctx->grp,
+                                   &ctx->Q,
+                                   MBEDTLS_ECP_PF_COMPRESSED,
+                                   &olen,
+                                   buffer,
+                                   sizeof(buffer));
+    sha256_ripemd160(buffer, sizeof(buffer), buffer);
+    memcpy(fingerprint, buffer, 4);
+    return CCID_OK;
+}
+
+int node_fingerprint_slip(mbedtls_ecp_keypair *ctx, uint8_t fingerprint[4]) {
+    uint8_t buffer[32];
+    mbedtls_mpi_write_binary(&ctx->d, buffer, sizeof(buffer));
+    sha256_ripemd160(buffer, sizeof(buffer), buffer);
+    memcpy(fingerprint, buffer, 4);
+    return CCID_OK;
+}
+
+int load_master_bip(uint32_t mid, mbedtls_ecp_keypair *ctx, uint8_t chain[32],
+                    uint8_t key_type[1]) {
+    uint8_t mkey[65];
+    mbedtls_ecp_keypair_init(ctx);
+    file_t *ef = search_dynamic_file(EF_MASTER_SEED | mid);
+    if (!file_has_data(ef)) {
+        return CCID_ERR_FILE_NOT_FOUND;
+    }
+    memcpy(mkey, file_get_data(ef), sizeof(mkey));
+    int r = mkek_decrypt(mkey + 1,
+                         sizeof(mkey) - 1);
+    if (r != CCID_OK) {
+        return CCID_EXEC_ERROR;
+    }
+    if (mkey[0] == 0x1 || mkey[0] == 0x2) {
+        if (mkey[0] == 0x1) {
+            mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256K1);
+        }
+        else if (mkey[0] == 0x2) {
+            mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1);
+        }
+        else {
+            return CCID_WRONG_DATA;
+        }
+
+        mbedtls_mpi_read_binary(&ctx->d, mkey + 1, 32);
+        memcpy(chain, mkey + 33, 32);
+        mbedtls_ecp_mul(&ctx->grp, &ctx->Q, &ctx->d, &ctx->grp.G, random_gen, NULL);
+    }
+    else if (mkey[0] == 0x3) {
+        mbedtls_mpi_read_binary(&ctx->d, mkey + 33, 32);
+        memcpy(chain, mkey + 1, 32);
+    }
+    key_type[0] = mkey[0];
+    return CCID_OK;
+}
+
+int node_derive_path(const uint8_t *path,
+                     size_t path_len,
+                     mbedtls_ecp_keypair *ctx,
+                     uint8_t chain[32],
+                     uint8_t fingerprint[4],
+                     uint8_t *nodes,
+                     uint8_t last_node[4],
+                     uint8_t key_type[1]) {
+    uint8_t *tag_data = NULL, *p = NULL;
+    size_t tag_len = 0;
+    uint16_t tag = 0x0;
+    uint8_t node = 0, N[64] = { 0 };
+    int r = 0;
+    memset(last_node, 0, 4);
+    memset(fingerprint, 0, 4);
+    for (; walk_tlv(path, path_len, &p, &tag, &tag_len, &tag_data); node++) {
+        if (tag == 0x02) {
+            if ((node == 0 && tag_len != 1) || (node != 0 && tag_len != 4)) {
+                return CCID_WRONG_DATA;
+            }
+            if (node == 0) {
+                if ((r = load_master_bip(tag_data[0], ctx, chain, key_type)) != CCID_OK) {
+                    return r;
+                }
+            }
+            else if (node > 0) {
+                node_fingerprint_bip(ctx, fingerprint);
+                if ((r = node_derive_bip_child(ctx, chain, tag_data, ctx, chain)) != CCID_OK) {
+                    return r;
+                }
+                memcpy(last_node, tag_data, 4);
+            }
+        }
+        else if (tag == 0x04) {
+            if (node == 0) {
+                return CCID_WRONG_DATA;
+            }
+            else if (node > 0) {
+                node_fingerprint_slip(ctx, fingerprint);
+                *(tag_data - 1) = 0;
+                mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA512),
+                                chain,
+                                32,
+                                tag_data - 1,
+                                tag_len + 1,
+                                N);
+                memcpy(chain, N, 32);
+                mbedtls_mpi_read_binary(&ctx->d, N + 32, 32);
+            }
+        }
+    }
+    if (nodes) {
+        *nodes = node;
+    }
+    return CCID_OK;
+}
+
+int cmd_bip_slip() {
+    uint8_t p1 = P1(apdu), p2 = P2(apdu);
+    if (p1 == 0x1 || p1 == 0x2 || p1 == 0x3) { // Master generation (K1 and P1)
+        if (p2 >= 10) {
+            return SW_INCORRECT_P1P2();
+        }
+        uint8_t mkey[65], *seed = mkey + 1, seed_len = 64;
+        const uint8_t *key_seed = NULL;
+        mbedtls_mpi il;
+        mbedtls_mpi_init(&il);
+        mbedtls_ecp_group grp;
+        mbedtls_ecp_group_init(&grp);
+        if (p1 == 0x1) {
+            mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP256K1);
+            key_seed = k1_seed;
+        }
+        else if (p1 == 0x2) {
+            mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP256R1);
+            key_seed = p1_seed;
+        }
+        else if (p1 == 0x3) {
+            key_seed = sym_seed;
+        }
+        if (apdu.nc == 0) {
+            seed_len = 64;
+            random_gen(NULL, seed, seed_len);
+        }
+        else {
+            seed_len = MIN(apdu.nc, 64);
+            memcpy(seed, apdu.data, seed_len);
+        }
+        if (p1 == 0x1 || p1 == 0x2) {
+            do {
+                mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), key_seed,
+                                strlen((char *) key_seed), seed, seed_len, seed);
+                mbedtls_mpi_read_binary(&il, seed, 32);
+                seed_len = 64;
+            } while (mbedtls_mpi_cmp_int(&il, 0) == 0 || mbedtls_mpi_cmp_mpi(&il, &grp.N) != -1);
+            mbedtls_ecp_group_free(&grp);
+            mbedtls_mpi_free(&il);
+        }
+        else if (p1 == 0x3) {
+            mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), key_seed,
+                            strlen((char *) key_seed), seed, seed_len, seed);
+        }
+        mkey[0] = p1;
+        file_t *ef = file_new(EF_MASTER_SEED | p2);
+        int r = mkek_encrypt(mkey + 1, sizeof(mkey) - 1);
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+        r = flash_write_data_to_file(ef, mkey, sizeof(mkey));
+        if (r != CCID_OK) {
+            return SW_EXEC_ERROR();
+        }
+        low_flash_available();
+    }
+    else if (p1 == 0xA) {
+        if (apdu.nc == 0) {
+            return SW_WRONG_LENGTH();
+        }
+        mbedtls_ecp_keypair ctx;
+        uint8_t chain[32] = { 0 }, fgpt[4] = { 0 }, last_node[4] = { 0 }, key_type = 0, nodes = 0;
+        size_t olen = 0;
+        int r =
+            node_derive_path(apdu.data, apdu.nc, &ctx, chain, fgpt, &nodes, last_node, &key_type);
+        if (r != CCID_OK) {
+            mbedtls_ecp_keypair_free(&ctx);
+            return SW_EXEC_ERROR();
+        }
+        uint8_t pubkey[33];
+        res_APDU_size = 0;
+        memcpy(res_APDU, "\x04\x88\xB2\x1E", 4);
+        res_APDU_size += 4;
+        res_APDU[res_APDU_size++] = nodes - 1;
+        memcpy(res_APDU + res_APDU_size, fgpt, 4);
+        res_APDU_size += 4;
+        memcpy(res_APDU + res_APDU_size, last_node, 4);
+        res_APDU_size += 4;
+        if (key_type == 0x1 || key_type == 0x2) {
+            memcpy(res_APDU + res_APDU_size, chain, 32);
+            res_APDU_size += 32;
+            mbedtls_ecp_point_write_binary(&ctx.grp,
+                                           &ctx.Q,
+                                           MBEDTLS_ECP_PF_COMPRESSED,
+                                           &olen,
+                                           pubkey,
+                                           sizeof(pubkey));
+            memcpy(res_APDU + res_APDU_size, pubkey, olen);
+            res_APDU_size += olen;
+        }
+        else if (key_type == 0x3) {
+            sha256_sha256(chain, 32, chain);
+            memcpy(res_APDU + res_APDU_size, chain, 32);
+            res_APDU_size += 32;
+            mbedtls_mpi_write_binary(&ctx.d, pubkey, 32);
+            sha256_sha256(pubkey, 32, pubkey);
+            memcpy(res_APDU + res_APDU_size, pubkey, 32);
+            res_APDU_size += 32;
+        }
+        mbedtls_ecp_keypair_free(&ctx);
+    }
+    else if (p1 == 0x10) {
+        uint8_t chain[32] = { 0 }, fgpt[4] = { 0 }, last_node[4] = { 0 }, nodes = 0;
+        int r = node_derive_path(apdu.data,
+                                 apdu.nc,
+                                 &hd_context,
+                                 chain,
+                                 fgpt,
+                                 &nodes,
+                                 last_node,
+                                 &hd_keytype);
+        if (r != CCID_OK) {
+            mbedtls_ecp_keypair_free(&hd_context);
+            return SW_EXEC_ERROR();
+        }
+    }
+    return SW_OK();
+}

src/hsm/cmd_cipher_sym.c

@@ -20,6 +20,7 @@
 #include "mbedtls/cmac.h"
 #include "mbedtls/hkdf.h"
 #include "mbedtls/chachapoly.h"
+#include "mbedtls/gcm.h"
 #include "md_wrap.h"
 #include "mbedtls/md.h"
 #include "crypto_utils.h"
@@ -32,6 +33,10 @@
 #include "mbedtls/asn1.h"
 #include "mbedtls/cipher.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/ccm.h"
+
+extern mbedtls_ecp_keypair hd_context;
+extern uint8_t hd_keytype;
 
 /* This is copied from pkcs5.c Mbedtls */
 /** Unfortunately it is declared as static, so I cannot call it. **/
@@ -163,20 +168,22 @@ int cmd_cipher_sym() {
     if (!isUserAuthenticated) {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }
-    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
-    if (!ef) {
-        return SW_FILE_NOT_FOUND();
-    }
-    if (key_has_purpose(ef, algo) == false) {
-        return SW_CONDITIONS_NOT_SATISFIED();
-    }
     if (wait_button_pressed() == true) { // timeout
         return SW_SECURE_MESSAGE_EXEC_ERROR();
     }
+    file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
+    if (hd_keytype == 0) {
+        if (!ef) {
+            return SW_FILE_NOT_FOUND();
+        }
+        if (key_has_purpose(ef, algo) == false) {
+            return SW_CONDITIONS_NOT_SATISFIED();
+        }
+    }
     int key_size = file_get_size(ef);
-    uint8_t kdata[32]; //maximum AES key size
+    uint8_t kdata[64]; //maximum AES key size
     memcpy(kdata, file_get_data(ef), key_size);
-    if (mkek_decrypt(kdata, key_size) != 0) {
+    if (hd_keytype == 0 && mkek_decrypt(kdata, key_size) != 0) {
         return SW_EXEC_ERROR();
     }
     if (algo == ALGO_AES_CBC_ENCRYPT || algo == ALGO_AES_CBC_DECRYPT) {
@@ -189,8 +196,8 @@ int cmd_cipher_sym() {
         memset(tmp_iv, 0, sizeof(tmp_iv));
         if (algo == ALGO_AES_CBC_ENCRYPT) {
             int r = mbedtls_aes_setkey_enc(&aes, kdata, key_size * 8);
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
             if (r != 0) {
-                mbedtls_platform_zeroize(kdata, sizeof(kdata));
                 mbedtls_aes_free(&aes);
                 return SW_EXEC_ERROR();
             }
@@ -200,16 +207,14 @@ int cmd_cipher_sym() {
                                       tmp_iv,
                                       apdu.data,
                                       res_APDU);
-            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            mbedtls_aes_free(&aes);
             if (r != 0) {
-                mbedtls_aes_free(&aes);
                 return SW_EXEC_ERROR();
             }
         }
         else if (algo == ALGO_AES_CBC_DECRYPT) {
             int r = mbedtls_aes_setkey_dec(&aes, kdata, key_size * 8);
             if (r != 0) {
-                mbedtls_platform_zeroize(kdata, sizeof(kdata));
                 mbedtls_aes_free(&aes);
                 return SW_EXEC_ERROR();
             }
@@ -219,14 +224,12 @@ int cmd_cipher_sym() {
                                       tmp_iv,
                                       apdu.data,
                                       res_APDU);
-            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            mbedtls_aes_free(&aes);
             if (r != 0) {
-                mbedtls_aes_free(&aes);
                 return SW_EXEC_ERROR();
             }
         }
         res_APDU_size = apdu.nc;
-        mbedtls_aes_free(&aes);
     }
     else if (algo == ALGO_AES_CMAC) {
         const mbedtls_cipher_info_t *cipher_info;
@@ -254,7 +257,7 @@ int cmd_cipher_sym() {
         int r = mbedtls_hkdf(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
                              NULL,
                              0,
-                             file_get_data(ef),
+                             kdata,
                              key_size,
                              apdu.data,
                              apdu.nc,
@@ -287,6 +290,7 @@ int cmd_cipher_sym() {
             int r = 0;
             mbedtls_chachapoly_context ctx;
             mbedtls_chachapoly_init(&ctx);
+            mbedtls_chachapoly_setkey(&ctx, kdata);
             if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
                 r = mbedtls_chachapoly_encrypt_and_tag(&ctx,
                                                        enc_len,
@@ -310,6 +314,9 @@ int cmd_cipher_sym() {
             mbedtls_platform_zeroize(kdata, sizeof(kdata));
             mbedtls_chachapoly_free(&ctx);
             if (r != 0) {
+                if (r == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) {
+                    return SW_WRONG_DATA();
+                }
                 return SW_EXEC_ERROR();
             }
             if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
@@ -405,20 +412,21 @@ int cmd_cipher_sym() {
             res_APDU_size = keylen ? keylen : (apdu.ne > 0 && apdu.ne < 65536 ? apdu.ne : 32);
         }
         else if (memcmp(oid, OID_PKCS5_PBES2, oid_len) == 0) {
+            size_t olen = 0;
             mbedtls_asn1_buf params =
-            { .p = aad, .len = aad_len, .tag = (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) };
-            int r = mbedtls_pkcs5_pbes2(&params,
+                {.p = aad, .len = aad_len, .tag = (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)};
+            int r = mbedtls_pkcs5_pbes2_ext(&params,
                                         algo == ALGO_EXT_CIPHER_ENCRYPT ? MBEDTLS_PKCS5_ENCRYPT : MBEDTLS_PKCS5_DECRYPT,
                                         kdata,
                                         key_size,
                                         enc,
                                         enc_len,
-                                        res_APDU);
+                                        res_APDU, 4096, &olen);
             mbedtls_platform_zeroize(kdata, sizeof(kdata));
             if (r != 0) {
                 return SW_WRONG_DATA();
             }
-            res_APDU_size = enc_len;
+            res_APDU_size = olen;
         }
         else if (memcmp(oid, OID_KDF_X963, oid_len) == 0) {
             mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
@@ -450,6 +458,254 @@ int cmd_cipher_sym() {
             }
             res_APDU_size = apdu.ne > 0 && apdu.ne < 65536 ? apdu.ne : 32;
         }
+        else if (memcmp(oid, OID_NIST_AES, 8) == 0) {
+            if (oid_len != 9) {
+                return SW_WRONG_DATA();
+            }
+            uint8_t aes_algo = oid[8],
+                    mode =
+                (algo == ALGO_EXT_CIPHER_ENCRYPT ? MBEDTLS_AES_ENCRYPT : MBEDTLS_AES_DECRYPT);
+            if ((aes_algo >= 0x01 && aes_algo <= 0x09 && key_size != 16) ||
+                (aes_algo >= 0x15 && aes_algo <= 0x1D && key_size != 24) ||
+                (aes_algo >= 0x29 && aes_algo <= 0x31 && key_size != 32)) {
+                return SW_WRONG_DATA();
+            }
+            mbedtls_aes_context ctx;
+            int r = 0;
+            mbedtls_aes_init(&ctx);
+            if (iv == NULL || iv_len == 0) {
+                iv = tmp_iv;
+                iv_len = sizeof(tmp_iv);
+            }
+            if (aes_algo == 0x01 || aes_algo == 0x15 || aes_algo == 0x29) { /* ECB */
+                if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
+                    r = mbedtls_aes_setkey_enc(&ctx, kdata, key_size * 8);
+                }
+                else if (algo == ALGO_EXT_CIPHER_DECRYPT) {
+                    r = mbedtls_aes_setkey_dec(&ctx, kdata, key_size * 8);
+                }
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                r = mbedtls_aes_crypt_ecb(&ctx, mode, enc, res_APDU);
+                mbedtls_aes_free(&ctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                res_APDU_size = MIN(enc_len, 16); // ECB operates with 16-byte blocks
+            }
+            else if (aes_algo == 0x02 || aes_algo == 0x16 || aes_algo == 0x2A) { /* CBC */
+                if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
+                    r = mbedtls_aes_setkey_enc(&ctx, kdata, key_size * 8);
+                }
+                else if (algo == ALGO_EXT_CIPHER_DECRYPT) {
+                    r = mbedtls_aes_setkey_dec(&ctx, kdata, key_size * 8);
+                }
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                r = mbedtls_aes_crypt_cbc(&ctx, mode, enc_len, iv, enc, res_APDU);
+                mbedtls_aes_free(&ctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                res_APDU_size = enc_len;
+            }
+            else if (aes_algo == 0x03 || aes_algo == 0x17 || aes_algo == 0x2B) { /* OFB */
+                size_t iv_off = 0;
+                r = mbedtls_aes_setkey_enc(&ctx, kdata, key_size * 8);
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                r = mbedtls_aes_crypt_ofb(&ctx, enc_len, &iv_off, iv, enc, res_APDU);
+                mbedtls_aes_free(&ctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                res_APDU_size = enc_len;
+            }
+            else if (aes_algo == 0x04 || aes_algo == 0x18 || aes_algo == 0x2C) { /* CFB */
+                size_t iv_off = 0;
+                r = mbedtls_aes_setkey_enc(&ctx, kdata, key_size * 8);
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                r = mbedtls_aes_crypt_cfb128(&ctx, mode, enc_len, &iv_off, iv, enc, res_APDU);
+                mbedtls_aes_free(&ctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                res_APDU_size = enc_len;
+            }
+            else if (aes_algo == 0x06 || aes_algo == 0x1A || aes_algo == 0x2E) { /* GCM */
+                mbedtls_aes_free(&ctx); // No AES ctx used
+                mbedtls_gcm_context gctx;
+                mbedtls_gcm_init(&gctx);
+                r = mbedtls_gcm_setkey(&gctx, MBEDTLS_CIPHER_ID_AES, kdata, key_size * 8);
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
+                    r = mbedtls_gcm_crypt_and_tag(&gctx,
+                                                  MBEDTLS_GCM_ENCRYPT,
+                                                  enc_len,
+                                                  iv,
+                                                  iv_len,
+                                                  aad,
+                                                  aad_len,
+                                                  enc,
+                                                  res_APDU,
+                                                  16,
+                                                  res_APDU + enc_len);
+                    res_APDU_size = enc_len + 16;
+                }
+                else if (algo == ALGO_EXT_CIPHER_DECRYPT) {
+                    r = mbedtls_gcm_auth_decrypt(&gctx,
+                                                 enc_len - 16,
+                                                 iv,
+                                                 iv_len,
+                                                 aad,
+                                                 aad_len,
+                                                 enc + enc_len - 16,
+                                                 16,
+                                                 enc,
+                                                 res_APDU);
+                    res_APDU_size = enc_len - 16;
+                }
+                mbedtls_gcm_free(&gctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+            }
+            else if (aes_algo == 0x09 || aes_algo == 0x1D || aes_algo == 0x31) { /* CTR */
+                size_t iv_off = 0;
+                uint8_t stream_block[16];
+                r = mbedtls_aes_setkey_enc(&ctx, kdata, key_size * 8);
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                r = mbedtls_aes_crypt_ctr(&ctx, enc_len, &iv_off, iv, stream_block, enc, res_APDU);
+                mbedtls_aes_free(&ctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                res_APDU_size = enc_len;
+            }
+            else if (aes_algo == 0x07 || aes_algo == 0x1B || aes_algo == 0x2F) { /* CCM */
+                mbedtls_aes_free(&ctx); // No AES ctx used
+                mbedtls_ccm_context gctx;
+                mbedtls_ccm_init(&gctx);
+                r = mbedtls_ccm_setkey(&gctx, MBEDTLS_CIPHER_ID_AES, kdata, key_size * 8);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+                if (iv_len == 16) {
+                    iv_len = 12;
+                }
+                mbedtls_platform_zeroize(kdata, sizeof(kdata));
+                if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
+                    r = mbedtls_ccm_encrypt_and_tag(&gctx,
+                                                    enc_len,
+                                                    iv,
+                                                    iv_len,
+                                                    aad,
+                                                    aad_len,
+                                                    enc,
+                                                    res_APDU,
+                                                    res_APDU + enc_len,
+                                                    16);
+                    res_APDU_size = enc_len + 16;
+                }
+                else if (algo == ALGO_EXT_CIPHER_DECRYPT) {
+                    r = mbedtls_ccm_auth_decrypt(&gctx,
+                                                 enc_len - 16,
+                                                 iv,
+                                                 iv_len,
+                                                 aad,
+                                                 aad_len,
+                                                 enc,
+                                                 res_APDU,
+                                                 enc + enc_len - 16,
+                                                 16);
+                    res_APDU_size = enc_len - 16;
+                }
+                mbedtls_ccm_free(&gctx);
+                if (r != 0) {
+                    return SW_EXEC_ERROR();
+                }
+            }
+        }
+        else if (memcmp(oid, OID_IEEE_ALG, 8) == 0) {
+            if (oid_len != 9) {
+                return SW_WRONG_DATA();
+            }
+            uint8_t aes_algo = oid[8],
+                    mode =
+                (algo == ALGO_EXT_CIPHER_ENCRYPT ? MBEDTLS_AES_ENCRYPT : MBEDTLS_AES_DECRYPT);
+            int r = 0;
+            uint8_t tmp_iv[16];
+            memset(tmp_iv, 0, sizeof(tmp_iv));
+            if (iv == NULL || iv_len == 0) {
+                iv = tmp_iv;
+                iv_len = sizeof(tmp_iv);
+            }
+            if ((aes_algo == 0x01 && key_size != 32) || (aes_algo == 0x02 && key_size != 64)) {
+                return SW_WRONG_DATA();
+            }
+            mbedtls_aes_xts_context ctx;
+            mbedtls_aes_xts_init(&ctx);
+            if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
+                r = mbedtls_aes_xts_setkey_enc(&ctx, kdata, key_size * 8);
+            }
+            else if (algo == ALGO_EXT_CIPHER_DECRYPT) {
+                r = mbedtls_aes_xts_setkey_dec(&ctx, kdata, key_size * 8);
+            }
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            r = mbedtls_aes_crypt_xts(&ctx, mode, enc_len, iv, enc, res_APDU);
+            mbedtls_aes_xts_free(&ctx);
+            if (r != 0) {
+                return SW_EXEC_ERROR();
+            }
+            res_APDU_size = enc_len;
+        }
+        else if (memcmp(oid, OID_HD, 11) == 0) {
+            mbedtls_aes_context ctx;
+            int r = 0;
+            uint8_t mode =
+                (algo == ALGO_EXT_CIPHER_ENCRYPT ? MBEDTLS_AES_ENCRYPT : MBEDTLS_AES_DECRYPT),
+                    secret[64] = { 0 };
+            mbedtls_aes_init(&ctx);
+            if (hd_keytype != 0x3) {
+                return SW_INCORRECT_PARAMS();
+            }
+            key_size = 32;
+            mbedtls_mpi_write_binary(&hd_context.d, kdata, key_size);
+            r = mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA512),
+                                kdata,
+                                key_size,
+                                aad,
+                                aad_len,
+                                secret);
+            mbedtls_platform_zeroize(kdata, sizeof(kdata));
+            if (r != 0) {
+                return SW_EXEC_ERROR();
+            }
+            if (iv == tmp_iv || iv_len == 0) {
+                iv = secret + 32;
+                iv_len = 16;
+            }
+            if (algo == ALGO_EXT_CIPHER_ENCRYPT) {
+                r = mbedtls_aes_setkey_enc(&ctx, secret, key_size * 8);
+            }
+            else if (algo == ALGO_EXT_CIPHER_DECRYPT) {
+                r = mbedtls_aes_setkey_dec(&ctx, secret, key_size * 8);
+            }
+            if (r != 0) {
+                return SW_EXEC_ERROR();
+            }
+            r = mbedtls_aes_crypt_cbc(&ctx, mode, enc_len, iv, enc, res_APDU);
+            mbedtls_aes_free(&ctx);
+            if (r != 0) {
+                return SW_EXEC_ERROR();
+            }
+            res_APDU_size = enc_len;
+            mbedtls_ecdsa_free(&hd_context);
+            hd_keytype = 0;
+        }
+        else {
+            return SW_WRONG_DATA();
+        }
     }
     else {
         mbedtls_platform_zeroize(kdata, sizeof(kdata));

src/hsm/cmd_decrypt_asym.c

@@ -102,7 +102,7 @@ int cmd_decrypt_asym() {
             free(kdata);
             return SW_DATA_INVALID();
         }
-        r = mbedtls_mpi_read_binary(&ctx.ctx.mbed_ecdh.d, kdata + 1, key_size - 1);
+        r = mbedtls_ecp_read_key(gid, (mbedtls_ecdsa_context *)&ctx.ctx.mbed_ecdh, kdata + 1, key_size - 1);
         mbedtls_platform_zeroize(kdata, key_size);
         free(kdata);
         if (r != 0) {
@@ -129,15 +129,18 @@ int cmd_decrypt_asym() {
             return SW_DATA_INVALID();
         }
         size_t olen = 0;
+        // The SmartCard-HSM returns the point result of the DH operation
+        // with a leading '04'
+        res_APDU[0] = 0x04;
         r =
-            mbedtls_ecdh_calc_secret(&ctx, &olen, res_APDU, MBEDTLS_ECP_MAX_BYTES, random_gen,
+            mbedtls_ecdh_calc_secret(&ctx, &olen, res_APDU + 1, MBEDTLS_ECP_MAX_BYTES, random_gen,
                                      NULL);
         mbedtls_ecdh_free(&ctx);
         if (r != 0) {
             return SW_EXEC_ERROR();
         }
         if (p2 == ALGO_EC_DH) {
-            res_APDU_size = olen;
+            res_APDU_size = olen + 1;
         }
         else {
             res_APDU_size = 0;
@@ -175,9 +178,10 @@ int cmd_decrypt_asym() {
                     if (file_get_size(tf) == kdom_uid_len &&
                         memcmp(file_get_data(tf), kdom_uid, kdom_uid_len) == 0) {
                         file_new(EF_DKEK + n);
-                        if (store_dkek_key(n, res_APDU) != CCID_OK) {
+                        if (store_dkek_key(n, res_APDU + 1) != CCID_OK) {
                             return SW_EXEC_ERROR();
                         }
+                        mbedtls_platform_zeroize(res_APDU, 32);
                         return SW_OK();
                     }
                 }

src/hsm/cmd_derive_asym.c

@@ -53,13 +53,13 @@ int cmd_derive_asym() {
         return SW_WRONG_LENGTH();
     }
     if (apdu.data[0] == ALGO_EC_DERIVE) {
-        mbedtls_ecdsa_context ctx;
-        mbedtls_ecdsa_init(&ctx);
+        mbedtls_ecp_keypair ctx;
+        mbedtls_ecp_keypair_init(&ctx);
 
         int r;
-        r = load_private_key_ecdsa(&ctx, fkey);
+        r = load_private_key_ec(&ctx, fkey);
         if (r != CCID_OK) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             if (r == CCID_VERIFICATION_FAILED) {
                 return SW_SECURE_MESSAGE_EXEC_ERROR();
             }
@@ -70,7 +70,7 @@ int cmd_derive_asym() {
         mbedtls_mpi_init(&nd);
         r = mbedtls_mpi_read_binary(&a, apdu.data + 1, apdu.nc - 1);
         if (r != 0) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             mbedtls_mpi_free(&a);
             mbedtls_mpi_free(&nd);
             return SW_DATA_INVALID();
@@ -78,22 +78,22 @@ int cmd_derive_asym() {
         r = mbedtls_mpi_add_mod(&ctx.grp, &nd, &ctx.d, &a);
         mbedtls_mpi_free(&a);
         if (r != 0) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             mbedtls_mpi_free(&nd);
             return SW_EXEC_ERROR();
         }
         r = mbedtls_mpi_copy(&ctx.d, &nd);
         mbedtls_mpi_free(&nd);
         if (r != 0) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             return SW_EXEC_ERROR();
         }
-        r = store_keys(&ctx, HSM_KEY_EC, dest_id);
+        r = store_keys(&ctx, PICO_KEYS_KEY_EC, dest_id);
         if (r != CCID_OK) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             return SW_EXEC_ERROR();
         }
-        mbedtls_ecdsa_free(&ctx);
+        mbedtls_ecp_keypair_free(&ctx);
     }
     else {
         return SW_WRONG_DATA();

src/hsm/cmd_external_authenticate.c

@@ -38,6 +38,7 @@ int cmd_external_authenticate() {
     if (!file_has_data(ef_puk)) {
         return SW_FILE_NOT_FOUND();
     }
+    puk_status[ef_puk_aut->fid & (MAX_PUK - 1)] = 0;
     uint8_t *puk_data = file_get_data(ef_puk);
     uint8_t *input = (uint8_t *) calloc(dev_name_len + challenge_len, sizeof(uint8_t)), hash[32];
     memcpy(input, dev_name, dev_name_len);

src/hsm/cmd_general_authenticate.c

@@ -43,11 +43,11 @@ int cmd_general_authenticate() {
             if (!fkey) {
                 return SW_EXEC_ERROR();
             }
-            mbedtls_ecdsa_context ectx;
-            mbedtls_ecdsa_init(&ectx);
-            r = load_private_key_ecdsa(&ectx, fkey);
+            mbedtls_ecp_keypair ectx;
+            mbedtls_ecp_keypair_init(&ectx);
+            r = load_private_key_ecdh(&ectx, fkey);
             if (r != CCID_OK) {
-                mbedtls_ecdsa_free(&ectx);
+                mbedtls_ecp_keypair_free(&ectx);
                 return SW_EXEC_ERROR();
             }
             mbedtls_ecdh_context ctx;
@@ -55,12 +55,12 @@ int cmd_general_authenticate() {
             mbedtls_ecp_group_id gid = MBEDTLS_ECP_DP_SECP256R1;
             r = mbedtls_ecdh_setup(&ctx, gid);
             if (r != 0) {
-                mbedtls_ecdsa_free(&ectx);
+                mbedtls_ecp_keypair_free(&ectx);
                 mbedtls_ecdh_free(&ctx);
                 return SW_DATA_INVALID();
             }
             r = mbedtls_mpi_copy(&ctx.ctx.mbed_ecdh.d, &ectx.d);
-            mbedtls_ecdsa_free(&ectx);
+            mbedtls_ecp_keypair_free(&ectx);
             if (r != 0) {
                 mbedtls_ecdh_free(&ctx);
                 return SW_DATA_INVALID();

src/hsm/cmd_initialize.c

@@ -38,6 +38,7 @@ int heapLeft() {
     return left;
 }
 
+extern void reset_puk_store();
 int cmd_initialize() {
     if (apdu.nc > 0) {
         uint8_t mkek[MKEK_SIZE];
@@ -186,41 +187,55 @@ int cmd_initialize() {
                 mbedtls_ecdsa_free(&ecdsa);
                 return SW_EXEC_ERROR();
             }
-            ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
+            ret = store_keys(&ecdsa, PICO_KEYS_KEY_EC, key_id);
             if (ret != CCID_OK) {
                 mbedtls_ecdsa_free(&ecdsa);
                 return SW_EXEC_ERROR();
             }
             size_t cvc_len = 0;
-            if ((cvc_len = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
+            if ((cvc_len = asn1_cvc_aut(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
                 mbedtls_ecdsa_free(&ecdsa);
                 return SW_EXEC_ERROR();
             }
-            mbedtls_ecdsa_free(&ecdsa);
 
             file_t *fpk = search_by_fid(EF_EE_DEV, NULL, SPECIFY_EF);
             ret = flash_write_data_to_file(fpk, res_APDU, cvc_len);
+            if (ret != 0) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+
+            if ((cvc_len = asn1_cvc_cert(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0, true)) == 0) {
+                mbedtls_ecdsa_free(&ecdsa);
+                return SW_EXEC_ERROR();
+            }
+            memcpy(res_APDU + cvc_len, res_APDU, cvc_len);
+            mbedtls_ecdsa_free(&ecdsa);
+            fpk = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF);
+            ret = flash_write_data_to_file(fpk, res_APDU, 2 * cvc_len);
             if (ret != 0) {
                 return SW_EXEC_ERROR();
             }
 
             const uint8_t *keyid =
                 (const uint8_t *) "\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0",
-                          *label = (const uint8_t *) "ESTERMHSM";
+                          *label = (const uint8_t *) "ESPICOHSMTR";
             size_t prkd_len = asn1_build_prkd_ecc(label,
                                                   strlen((const char *) label),
                                                   keyid,
                                                   20,
-                                                  192,
+                                                  256,
                                                   res_APDU,
                                                   4096);
             fpk = search_by_fid(EF_PRKD_DEV, NULL, SPECIFY_EF);
             ret = flash_write_data_to_file(fpk, res_APDU, prkd_len);
+
         }
         if (ret != 0) {
             return SW_EXEC_ERROR();
         }
         low_flash_available();
+        reset_puk_store();
     }
     else {   //free memory bytes request
         int heap_left = heapLeft();

src/hsm/cmd_key_domain.c

@@ -23,11 +23,14 @@
 
 uint8_t get_key_domain(file_t *fkey) {
     size_t tag_len = 0;
+    if (!file_has_data(fkey)) {
+        return 0xff;
+    }
     const uint8_t *meta_tag = get_meta_tag(fkey, 0x92, &tag_len);
     if (meta_tag) {
         return *meta_tag;
     }
-    return 0xff;
+    return 0x0;
 }
 
 int cmd_key_domain() {
@@ -65,10 +68,16 @@ int cmd_key_domain() {
             }
             import_dkek_share(p2, apdu.data);
             if (++current_dkeks >= dkeks) {
-                if (save_dkek_key(p2, NULL) != CCID_OK) {
-                    /* On fail, it will return to previous dkek state. */
-                    import_dkek_share(p2, apdu.data);
-                    return SW_FILE_NOT_FOUND();
+                int r = save_dkek_key(p2, NULL);
+                if (r != CCID_OK) {
+                    if (r == CCID_NO_LOGIN) {
+                        pending_save_dkek = p2;
+                    }
+                    else {
+                        /* On fail, it will return to previous dkek state. */
+                        import_dkek_share(p2, apdu.data);
+                        return SW_FILE_NOT_FOUND();
+                    }
                 }
             }
             uint8_t t[MAX_KEY_DOMAINS * 2];
@@ -94,8 +103,9 @@ int cmd_key_domain() {
             return SW_WRONG_LENGTH();
         }
         if (p1 == 0x3) { //if key domain is not empty, command is denied
-            for (int i = 0; i < dynamic_files; i++) {
-                if (get_key_domain(&dynamic_file[i]) == p2) {
+            for (int i = 1; i < 256; i++) {
+                file_t *fkey = search_dynamic_file(KEY_PREFIX << 8 | i);
+                if (get_key_domain(fkey) == p2) {
                     return SW_FILE_EXISTS();
                 }
             }
@@ -103,10 +113,16 @@ int cmd_key_domain() {
         uint8_t t[MAX_KEY_DOMAINS * 2];
         memcpy(t, kdata, tf_kd_size);
         if (p1 == 0x1) {
+            if (t[2 * p2] != 0xff || t[2 * p2 + 1] != 0xff) {
+                return SW_INCORRECT_P1P2();
+            }
             t[2 * p2] = dkeks = apdu.data[0];
             t[2 * p2 + 1] = current_dkeks = 0;
         }
         else if (p1 == 0x3) {
+            if (t[2 * p2] == 0xff && t[2 * p2 + 1] == 0xff) {
+                return SW_INCORRECT_P1P2();
+            }
             t[2 * p2] = dkeks = 0xff;
             t[2 * p2 + 1] = 0xff;
         }

src/hsm/cmd_key_gen.c

@@ -27,7 +27,10 @@ int cmd_key_gen() {
     if (!isUserAuthenticated) {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }
-    if (p2 == 0xB2) {
+    if (p2 == 0xB3) {
+        key_size = 64;
+    }
+    else if (p2 == 0xB2) {
         key_size = 32;
     }
     else if (p2 == 0xB1) {
@@ -37,17 +40,20 @@ int cmd_key_gen() {
         key_size = 16;
     }
     //at this moment, we do not use the template, as only CBC is supported by the driver (encrypt, decrypt and CMAC)
-    uint8_t aes_key[32]; //maximum AES key size
+    uint8_t aes_key[64]; //maximum AES key size
     memcpy(aes_key, random_bytes_get(key_size), key_size);
     int aes_type = 0x0;
     if (key_size == 16) {
-        aes_type = HSM_KEY_AES_128;
+        aes_type = PICO_KEYS_KEY_AES_128;
     }
     else if (key_size == 24) {
-        aes_type = HSM_KEY_AES_192;
+        aes_type = PICO_KEYS_KEY_AES_192;
     }
     else if (key_size == 32) {
-        aes_type = HSM_KEY_AES_256;
+        aes_type = PICO_KEYS_KEY_AES_256;
+    }
+    else if (key_size == 64) {
+        aes_type = PICO_KEYS_KEY_AES_512;
     }
     r = store_keys(aes_key, aes_type, key_id);
     if (r != CCID_OK) {

src/hsm/cmd_key_unwrap.c

@@ -15,6 +15,7 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include "common.h"
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "kek.h"
@@ -29,12 +30,12 @@ int cmd_key_unwrap() {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }
     int key_type = dkek_type_key(apdu.data);
-    uint8_t kdom = -1, *allowed = NULL;
-    size_t allowed_len = 0;
+    uint8_t kdom = -1, *allowed = NULL, prkd_buf[128];
+    size_t allowed_len = 0, prkd_len = 0;
     if (key_type == 0x0) {
         return SW_DATA_INVALID();
     }
-    if (key_type == HSM_KEY_RSA) {
+    if (key_type & PICO_KEYS_KEY_RSA) {
         mbedtls_rsa_context ctx;
         mbedtls_rsa_init(&ctx);
         do {
@@ -44,38 +45,42 @@ int cmd_key_unwrap() {
             mbedtls_rsa_free(&ctx);
             return SW_EXEC_ERROR();
         }
-        r = store_keys(&ctx, HSM_KEY_RSA, key_id);
-        if ((res_APDU_size = asn1_cvc_aut(&ctx, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
+        r = store_keys(&ctx, PICO_KEYS_KEY_RSA, key_id);
+        if ((res_APDU_size = asn1_cvc_aut(&ctx, PICO_KEYS_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
             mbedtls_rsa_free(&ctx);
             return SW_EXEC_ERROR();
         }
+        int key_size = ctx.len;
         mbedtls_rsa_free(&ctx);
         if (r != CCID_OK) {
             return SW_EXEC_ERROR();
         }
+        prkd_len = asn1_build_prkd_ecc(NULL, 0, NULL, 0, key_size * 8, prkd_buf, sizeof(prkd_buf));
     }
-    else if (key_type == HSM_KEY_EC) {
-        mbedtls_ecdsa_context ctx;
-        mbedtls_ecdsa_init(&ctx);
+    else if (key_type & PICO_KEYS_KEY_EC) {
+        mbedtls_ecp_keypair ctx;
+        mbedtls_ecp_keypair_init(&ctx);
         do {
             r = dkek_decode_key(++kdom, &ctx, apdu.data, apdu.nc, NULL, &allowed, &allowed_len);
         } while ((r == CCID_ERR_FILE_NOT_FOUND || r == CCID_WRONG_DKEK) && kdom < MAX_KEY_DOMAINS);
         if (r != CCID_OK) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             return SW_EXEC_ERROR();
         }
-        r = store_keys(&ctx, HSM_KEY_EC, key_id);
-        if ((res_APDU_size = asn1_cvc_aut(&ctx, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
-            mbedtls_ecdsa_free(&ctx);
+        r = store_keys(&ctx, PICO_KEYS_KEY_EC, key_id);
+        if ((res_APDU_size = asn1_cvc_aut(&ctx, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) {
+            mbedtls_ecp_keypair_free(&ctx);
             return SW_EXEC_ERROR();
         }
-        mbedtls_ecdsa_free(&ctx);
+        int key_size = ctx.grp.nbits;
+        mbedtls_ecp_keypair_free(&ctx);
         if (r != CCID_OK) {
             return SW_EXEC_ERROR();
         }
+        prkd_len = asn1_build_prkd_ecc(NULL, 0, NULL, 0, key_size, prkd_buf, sizeof(prkd_buf));
     }
-    else if (key_type == HSM_KEY_AES) {
-        uint8_t aes_key[32];
+    else if (key_type & PICO_KEYS_KEY_AES) {
+        uint8_t aes_key[64];
         int key_size = 0, aes_type = 0;
         do {
             r = dkek_decode_key(++kdom,
@@ -89,14 +94,17 @@ int cmd_key_unwrap() {
         if (r != CCID_OK) {
             return SW_EXEC_ERROR();
         }
-        if (key_size == 32) {
-            aes_type = HSM_KEY_AES_256;
+        if (key_size == 64) {
+            aes_type = PICO_KEYS_KEY_AES_512;
+        }
+        else if (key_size == 32) {
+            aes_type = PICO_KEYS_KEY_AES_256;
         }
         else if (key_size == 24) {
-            aes_type = HSM_KEY_AES_192;
+            aes_type = PICO_KEYS_KEY_AES_192;
         }
         else if (key_size == 16) {
-            aes_type = HSM_KEY_AES_128;
+            aes_type = PICO_KEYS_KEY_AES_128;
         }
         else {
             return SW_EXEC_ERROR();
@@ -105,6 +113,7 @@ int cmd_key_unwrap() {
         if (r != CCID_OK) {
             return SW_EXEC_ERROR();
         }
+        prkd_len = asn1_build_prkd_aes(NULL, 0, NULL, 0, key_size * 8, prkd_buf, sizeof(prkd_buf));
     }
     if ((allowed != NULL && allowed_len > 0) || kdom >= 0) {
         size_t meta_len = (allowed_len > 0 ? 2 + allowed_len : 0) + (kdom >= 0 ? 3 : 0);
@@ -125,14 +134,21 @@ int cmd_key_unwrap() {
             return r;
         }
     }
+    if (prkd_len > 0) {
+        file_t *fpk = file_new((PRKD_PREFIX << 8) | key_id);
+        r = flash_write_data_to_file(fpk, prkd_buf, prkd_len);
+        if (r != 0) {
+            return SW_EXEC_ERROR();
+        }
+    }
     if (res_APDU_size > 0) {
         file_t *fpk = file_new((EE_CERTIFICATE_PREFIX << 8) | key_id);
         r = flash_write_data_to_file(fpk, res_APDU, res_APDU_size);
         if (r != 0) {
             return SW_EXEC_ERROR();
         }
-        low_flash_available();
         res_APDU_size = 0;
     }
+    low_flash_available();
     return SW_OK();
 }

src/hsm/cmd_key_wrap.c

@@ -19,6 +19,7 @@
 #include "sc_hsm.h"
 #include "asn1.h"
 #include "kek.h"
+#include "files.h"
 
 extern uint8_t get_key_domain(file_t *fkey);
 
@@ -31,10 +32,19 @@ int cmd_key_wrap() {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }
     file_t *ef = search_dynamic_file((KEY_PREFIX << 8) | key_id);
-    uint8_t kdom = get_key_domain(ef);
     if (!ef) {
         return SW_FILE_NOT_FOUND();
     }
+    uint8_t kdom = get_key_domain(ef);
+    if (kdom == 0xff) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
+    file_t *tf_kd = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+    uint8_t *kdata = file_get_data(tf_kd), dkeks = kdata ? kdata[2 * kdom] : 0,
+            current_dkeks = kdata ? kdata[2 * kdom + 1] : 0;
+    if (dkeks != current_dkeks || dkeks == 0 || dkeks == 0xff) {
+        return SW_REFERENCE_NOT_FOUND();
+    }
     if (key_has_purpose(ef, ALGO_WRAP) == false) {
         return SW_CONDITIONS_NOT_SATISFIED();
     }
@@ -57,42 +67,45 @@ int cmd_key_wrap() {
             }
             return SW_EXEC_ERROR();
         }
-        r = dkek_encode_key(kdom, &ctx, HSM_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len);
+        r = dkek_encode_key(kdom, &ctx, PICO_KEYS_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len);
         mbedtls_rsa_free(&ctx);
     }
     else if (*dprkd == P15_KEYTYPE_ECC) {
-        mbedtls_ecdsa_context ctx;
-        mbedtls_ecdsa_init(&ctx);
-        r = load_private_key_ecdsa(&ctx, ef);
+        mbedtls_ecp_keypair ctx;
+        mbedtls_ecp_keypair_init(&ctx);
+        r = load_private_key_ec(&ctx, ef);
         if (r != CCID_OK) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             if (r == CCID_VERIFICATION_FAILED) {
                 return SW_SECURE_MESSAGE_EXEC_ERROR();
             }
             return SW_EXEC_ERROR();
         }
-        r = dkek_encode_key(kdom, &ctx, HSM_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len);
-        mbedtls_ecdsa_free(&ctx);
+        r = dkek_encode_key(kdom, &ctx, PICO_KEYS_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len);
+        mbedtls_ecp_keypair_free(&ctx);
     }
     else if (*dprkd == P15_KEYTYPE_AES) {
-        uint8_t kdata[32]; //maximum AES key size
+        uint8_t kdata[64]; //maximum AES key size
         if (wait_button_pressed() == true) { //timeout
             return SW_SECURE_MESSAGE_EXEC_ERROR();
         }
 
-        int key_size = file_get_size(ef), aes_type = HSM_KEY_AES;
+        int key_size = file_get_size(ef), aes_type = PICO_KEYS_KEY_AES;
         memcpy(kdata, file_get_data(ef), key_size);
         if (mkek_decrypt(kdata, key_size) != 0) {
             return SW_EXEC_ERROR();
         }
-        if (key_size == 32) {
-            aes_type = HSM_KEY_AES_256;
+        if (key_size == 64) {
+            aes_type = PICO_KEYS_KEY_AES_512;
+        }
+        else if (key_size == 32) {
+            aes_type = PICO_KEYS_KEY_AES_256;
         }
         else if (key_size == 24) {
-            aes_type = HSM_KEY_AES_192;
+            aes_type = PICO_KEYS_KEY_AES_192;
         }
         else if (key_size == 16) {
-            aes_type = HSM_KEY_AES_128;
+            aes_type = PICO_KEYS_KEY_AES_128;
         }
         r = dkek_encode_key(kdom, kdata, aes_type, res_APDU, &wrap_len, meta_tag, tag_len);
         mbedtls_platform_zeroize(kdata, sizeof(kdata));

src/hsm/cmd_keypair_gen.c

@@ -69,10 +69,10 @@ int cmd_keypair_gen() {
                     return SW_EXEC_ERROR();
                 }
                 if ((res_APDU_size =
-                         asn1_cvc_aut(&rsa, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
+                         asn1_cvc_aut(&rsa, PICO_KEYS_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) {
                     return SW_EXEC_ERROR();
                 }
-                ret = store_keys(&rsa, HSM_KEY_RSA, key_id);
+                ret = store_keys(&rsa, PICO_KEYS_KEY_RSA, key_id);
                 if (ret != CCID_OK) {
                     mbedtls_rsa_free(&rsa);
                     return SW_EXEC_ERROR();
@@ -86,10 +86,23 @@ int cmd_keypair_gen() {
                     return SW_WRONG_DATA();
                 }
                 mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime, prime_len);
-                printf("KEYPAIR ECC %d\r\n", ec_id);
                 if (ec_id == MBEDTLS_ECP_DP_NONE) {
                     return SW_FUNC_NOT_SUPPORTED();
                 }
+                if (ec_id == MBEDTLS_ECP_DP_CURVE25519 || ec_id == MBEDTLS_ECP_DP_CURVE448) {
+                    size_t g_len = 0;
+                    uint8_t *g = NULL;
+                    if (asn1_find_tag(p, tout, 0x83, &g_len, &g) != true) {
+                        return SW_WRONG_DATA();
+                    }
+                    if (ec_id == MBEDTLS_ECP_DP_CURVE25519 && (g[0] != 9)) {
+                        ec_id = MBEDTLS_ECP_DP_ED25519;
+                    }
+                    else if (ec_id == MBEDTLS_ECP_DP_CURVE448 && (g_len != 56 || g[0] != 5)) {
+                        ec_id = MBEDTLS_ECP_DP_ED448;
+                    }
+                }
+                printf("KEYPAIR ECC %d\r\n", ec_id);
                 mbedtls_ecdsa_context ecdsa;
                 mbedtls_ecdsa_init(&ecdsa);
                 uint8_t index = 0;
@@ -133,7 +146,7 @@ int cmd_keypair_gen() {
                     }
                 }
                 if ((res_APDU_size =
-                         asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) {
+                         asn1_cvc_aut(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) {
                     if (ext) {
                         free(ext);
                     }
@@ -143,7 +156,7 @@ int cmd_keypair_gen() {
                 if (ext) {
                     free(ext);
                 }
-                ret = store_keys(&ecdsa, HSM_KEY_EC, key_id);
+                ret = store_keys(&ecdsa, PICO_KEYS_KEY_EC, key_id);
                 mbedtls_ecdsa_free(&ecdsa);
                 if (ret != CCID_OK) {
                     return SW_EXEC_ERROR();

src/hsm/cmd_mse.c

@@ -68,6 +68,9 @@ int cmd_mse() {
                                                              &chr_len);
                             if (memcmp(chr, tag_data, chr_len) == 0) {
                                 ef_puk_aut = ef;
+                                if (puk_status[i] == 1) {
+                                    return SW_CONDITIONS_NOT_SATISFIED(); // It is correct
+                                }
                                 return SW_OK();
                             }
                         }

src/hsm/cmd_puk_auth.c

@@ -23,7 +23,10 @@ int cmd_puk_auth() {
     uint8_t p1 = P1(apdu), p2 = P2(apdu);
     file_t *ef_puk = search_by_fid(EF_PUKAUT, NULL, SPECIFY_EF);
     if (!file_has_data(ef_puk)) {
-        return SW_FILE_NOT_FOUND();
+        if (apdu.nc > 0) {
+            return SW_FILE_NOT_FOUND();
+        }
+        return SW_INCORRECT_P1P2();
     }
     uint8_t *puk_data = file_get_data(ef_puk);
     if (apdu.nc > 0) {

src/hsm/cmd_read_binary.c

@@ -85,13 +85,13 @@ int cmd_read_binary() {
         else {
             uint16_t data_len = file_get_size(ef);
             if (offset > data_len) {
-                return SW_WRONG_P1P2();
+                return SW_WARNING_EOF();
             }
 
-            uint16_t maxle = data_len - offset;
-            if (apdu.ne > maxle) {
-                apdu.ne = maxle;
-            }
+            //uint16_t maxle = data_len - offset;
+            //if (apdu.ne > maxle) {
+            //    apdu.ne = maxle;
+            //}
             memcpy(res_APDU, file_get_data(ef) + offset, data_len - offset);
             res_APDU_size = data_len - offset;
         }

src/hsm/cmd_reset_retry.c

@@ -36,16 +36,15 @@ int cmd_reset_retry() {
     if (P1(apdu) == 0x0 || P1(apdu) == 0x2) {
         int newpin_len = 0;
         if (P1(apdu) == 0x0) {
-            if (apdu.nc <= 8) {
+            uint8_t so_pin_len = file_read_uint8(file_get_data(file_sopin));
+            if (apdu.nc <= so_pin_len + 1) {
                 return SW_WRONG_LENGTH();
             }
-            uint16_t r = check_pin(file_sopin, apdu.data, 8);
+            uint16_t r = check_pin(file_sopin, apdu.data, so_pin_len);
             if (r != 0x9000) {
                 return r;
             }
-            newpin_len = apdu.nc - 8;
-            has_session_sopin = true;
-            hash_multi(apdu.data, 8, session_sopin);
+            newpin_len = apdu.nc - so_pin_len;
         }
         else if (P1(apdu) == 0x2) {
             if (!has_session_sopin) {
@@ -83,15 +82,14 @@ int cmd_reset_retry() {
             return SW_COMMAND_NOT_ALLOWED();
         }
         if (P1(apdu) == 0x1) {
-            if (apdu.nc != 8) {
+            uint8_t so_pin_len = file_read_uint8(file_get_data(file_sopin));
+            if (apdu.nc != so_pin_len) {
                 return SW_WRONG_LENGTH();
             }
-            uint16_t r = check_pin(file_sopin, apdu.data, 8);
+            uint16_t r = check_pin(file_sopin, apdu.data, so_pin_len);
             if (r != 0x9000) {
                 return r;
             }
-            has_session_sopin = true;
-            hash_multi(apdu.data, 8, session_sopin);
         }
         else if (P1(apdu) == 0x3) {
             if (!has_session_sopin) {

src/hsm/cmd_select.c

@@ -47,26 +47,27 @@ int cmd_select() {
     //    return SW_INCORRECT_P1P2();
     //}
 
-    if (apdu.nc >= 2) {
+    if (apdu.nc == 2) {
         fid = get_uint16_t(apdu.data, 0);
     }
 
     //if ((fid & 0xff00) == (KEY_PREFIX << 8))
     //    fid = (PRKD_PREFIX << 8) | (fid & 0xff);
 
-    uint8_t pfx = fid >> 8;
-    if (pfx == PRKD_PREFIX ||
+    /*uint8_t pfx = fid >> 8;*/
+    /*if (pfx == PRKD_PREFIX ||
         pfx == CD_PREFIX ||
         pfx == CA_CERTIFICATE_PREFIX ||
         pfx == KEY_PREFIX ||
         pfx == EE_CERTIFICATE_PREFIX ||
         pfx == DCOD_PREFIX ||
         pfx == DATA_PREFIX ||
-        pfx == PROT_DATA_PREFIX) {
-        if (!(pe = search_dynamic_file(fid)) && !(pe = search_by_fid(fid, NULL, SPECIFY_EF))) {
-            return SW_FILE_NOT_FOUND();
-        }
+        pfx == PROT_DATA_PREFIX) {*/
+    if (fid != 0x0 && !(pe = search_dynamic_file(fid)) &&
+        !(pe = search_by_fid(fid, NULL, SPECIFY_EF))) {
+        return SW_FILE_NOT_FOUND();
     }
+    /*}*/
     if (!pe) {
         if (p1 == 0x0) { //Select MF, DF or EF - File identifier or absent
             if (apdu.nc == 0) {

src/hsm/cmd_signature.c

@@ -14,12 +14,16 @@
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
-
+#include "sc_hsm.h"
 #include "crypto_utils.h"
 #include "sc_hsm.h"
 #include "asn1.h"
 #include "mbedtls/oid.h"
 #include "random.h"
+#include "mbedtls/eddsa.h"
+
+extern mbedtls_ecp_keypair hd_context;
+extern uint8_t hd_keytype;
 
 //-----
 /* From OpenSC */
@@ -101,7 +105,10 @@ int cmd_signature() {
     if (!isUserAuthenticated) {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }
-    if (!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) || !file_has_data(fkey)) {
+    if ((!(fkey = search_dynamic_file((KEY_PREFIX << 8) | key_id)) &&
+         !(fkey =
+               search_by_fid((KEY_PREFIX << 8) | key_id, NULL,
+                             SPECIFY_EF))) || !file_has_data(fkey)) {
         return SW_FILE_NOT_FOUND();
     }
     if (get_key_counter(fkey) == 0) {
@@ -227,8 +234,8 @@ int cmd_signature() {
         mbedtls_rsa_free(&ctx);
     }
     else if (p2 >= ALGO_EC_RAW && p2 <= ALGO_EC_SHA512) {
-        mbedtls_ecdsa_context ctx;
-        mbedtls_ecdsa_init(&ctx);
+        mbedtls_ecp_keypair ctx;
+        mbedtls_ecp_keypair_init(&ctx);
         md = MBEDTLS_MD_SHA256;
         if (p2 == ALGO_EC_RAW) {
             if (apdu.nc == 32) {
@@ -262,9 +269,9 @@ int cmd_signature() {
         else if (p2 == ALGO_EC_SHA512) {
             md = MBEDTLS_MD_SHA512;
         }
-        int r = load_private_key_ecdsa(&ctx, fkey);
+        int r = load_private_key_ec(&ctx, fkey);
         if (r != CCID_OK) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             if (r == CCID_VERIFICATION_FAILED) {
                 return SW_SECURE_MESSAGE_EXEC_ERROR();
             }
@@ -272,14 +279,41 @@ int cmd_signature() {
         }
         size_t olen = 0;
         uint8_t buf[MBEDTLS_ECDSA_MAX_LEN];
-        if (mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN,
-                                          &olen, random_gen, NULL) != 0) {
-            mbedtls_ecdsa_free(&ctx);
+        if (ctx.grp.id == MBEDTLS_ECP_DP_ED25519 || ctx.grp.id == MBEDTLS_ECP_DP_ED448) {
+            r = mbedtls_eddsa_write_signature(&ctx, apdu.data, apdu.nc, buf, sizeof(buf), &olen, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL);
+        }
+        else {
+            r = mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN,
+                                              &olen, random_gen, NULL);
+        }
+        if (r != 0) {
+            mbedtls_ecp_keypair_free(&ctx);
             return SW_EXEC_ERROR();
         }
         memcpy(res_APDU, buf, olen);
         res_APDU_size = olen;
-        mbedtls_ecdsa_free(&ctx);
+        mbedtls_ecp_keypair_free(&ctx);
+    }
+    else if (p2 == ALGO_HD) {
+        size_t olen = 0;
+        uint8_t buf[MBEDTLS_ECDSA_MAX_LEN];
+        if (hd_context.grp.id == MBEDTLS_ECP_DP_NONE) {
+            return SW_CONDITIONS_NOT_SATISFIED();
+        }
+        if (hd_keytype != 0x1 && hd_keytype != 0x2) {
+            return SW_INCORRECT_PARAMS();
+        }
+        md = MBEDTLS_MD_SHA256;
+        if (mbedtls_ecdsa_write_signature(&hd_context, md, apdu.data, apdu.nc, buf,
+                                          MBEDTLS_ECDSA_MAX_LEN,
+                                          &olen, random_gen, NULL) != 0) {
+            mbedtls_ecdsa_free(&hd_context);
+            return SW_EXEC_ERROR();
+        }
+        memcpy(res_APDU, buf, olen);
+        res_APDU_size = olen;
+        mbedtls_ecdsa_free(&hd_context);
+        hd_keytype = 0;
     }
     else {
         return SW_INCORRECT_P1P2();

src/hsm/cmd_update_ef.c

@@ -33,11 +33,14 @@ int cmd_update_ef() {
     if (fid == 0x0) {
         ef = currentEF;
     }
-    else if (p1 != EE_CERTIFICATE_PREFIX && p1 != PRKD_PREFIX && p1 != CA_CERTIFICATE_PREFIX &&
+    /*
+       // This should not happen
+       else if (p1 != EE_CERTIFICATE_PREFIX && p1 != PRKD_PREFIX && p1 != CA_CERTIFICATE_PREFIX &&
              p1 != CD_PREFIX && p1 != DATA_PREFIX && p1 != DCOD_PREFIX &&
              p1 != PROT_DATA_PREFIX) {
         return SW_INCORRECT_P1P2();
-    }
+       }
+     */
 
     if (ef && !authenticate_action(ef, ACL_OP_UPDATE_ERASE)) {
         return SW_SECURITY_STATUS_NOT_SATISFIED();

src/hsm/cvc.c

@@ -27,6 +27,7 @@
 #include "oid.h"
 #include "mbedtls/md.h"
 #include "files.h"
+#include "mbedtls/eddsa.h"
 
 extern const uint8_t *dev_name;
 extern size_t dev_name_len;
@@ -72,33 +73,32 @@ const uint8_t *pointA[] = {
     "\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC",
 };
 
-size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, size_t buf_len) {
-    uint8_t Y_buf[MBEDTLS_ECP_MAX_PT_LEN];
+size_t asn1_cvc_public_key_ecdsa(mbedtls_ecp_keypair *ecdsa, uint8_t *buf, size_t buf_len) {
+    uint8_t Y_buf[MBEDTLS_ECP_MAX_PT_LEN], G_buf[MBEDTLS_ECP_MAX_PT_LEN];
     const uint8_t oid_ecdsa[] = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x02, 0x02, 0x03 };
+    const uint8_t oid_ri[]    = { 0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x05, 0x02, 0x03 };
+    const uint8_t *oid = oid_ecdsa;
     size_t p_size = mbedtls_mpi_size(&ecdsa->grp.P), a_size = mbedtls_mpi_size(&ecdsa->grp.A);
-    size_t b_size = mbedtls_mpi_size(&ecdsa->grp.B),
-           g_size = 1 + mbedtls_mpi_size(&ecdsa->grp.G.X) + mbedtls_mpi_size(&ecdsa->grp.G.X);
+    size_t b_size = mbedtls_mpi_size(&ecdsa->grp.B), g_size = 0;
     size_t o_size = mbedtls_mpi_size(&ecdsa->grp.N), y_size = 0;
-    mbedtls_ecp_point_write_binary(&ecdsa->grp,
-                                   &ecdsa->Q,
-                                   MBEDTLS_ECP_PF_UNCOMPRESSED,
-                                   &y_size,
-                                   Y_buf,
-                                   sizeof(Y_buf));
+    mbedtls_ecp_point_write_binary(&ecdsa->grp, &ecdsa->grp.G, MBEDTLS_ECP_PF_UNCOMPRESSED, &g_size, G_buf, sizeof(G_buf));
+    mbedtls_ecp_point_write_binary(&ecdsa->grp, &ecdsa->Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &y_size, Y_buf, sizeof(Y_buf));
     size_t c_size = 1;
-    size_t ptot_size = asn1_len_tag(0x81, p_size), atot_size = asn1_len_tag(0x82,
-                                                                            a_size ? a_size : (
-                                                                                pointA[ecdsa->grp.id
-                                                                                ] &&
-                                                                                ecdsa->grp.id <
-                                                                                6 ? p_size : 1));
+    size_t ptot_size = asn1_len_tag(0x81, p_size), atot_size = asn1_len_tag(0x82, a_size ? a_size : (pointA[ecdsa->grp.id] && ecdsa->grp.id < 6 ? p_size : 1));
     size_t btot_size = asn1_len_tag(0x83, b_size), gtot_size = asn1_len_tag(0x84, g_size);
     size_t otot_size = asn1_len_tag(0x85, o_size), ytot_size = asn1_len_tag(0x86, y_size);
     size_t ctot_size = asn1_len_tag(0x87, c_size);
     size_t oid_len = asn1_len_tag(0x6, sizeof(oid_ecdsa));
-    size_t tot_len = asn1_len_tag(0x7f49,
-                                  oid_len + ptot_size + atot_size + btot_size + gtot_size + otot_size + ytot_size +
-                                  ctot_size);
+    size_t tot_len = 0, tot_data_len = 0;
+    if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY || mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_EDWARDS) {
+        tot_data_len = oid_len + ptot_size + otot_size + gtot_size + ytot_size;
+        oid = oid_ri;
+    }
+    else {
+        tot_data_len = oid_len + ptot_size + atot_size + btot_size + gtot_size + otot_size + ytot_size +
+                                  ctot_size;
+    }
+    tot_len = asn1_len_tag(0x7f49, tot_data_len);
     if (buf == NULL || buf_len == 0) {
         return tot_len;
     }
@@ -107,57 +107,52 @@ size_t asn1_cvc_public_key_ecdsa(mbedtls_ecdsa_context *ecdsa, uint8_t *buf, siz
     }
     uint8_t *p = buf;
     memcpy(p, "\x7F\x49", 2); p += 2;
-    p += format_tlv_len(
-        oid_len + ptot_size + atot_size + btot_size + gtot_size + otot_size + ytot_size + ctot_size,
-        p);
+    p += format_tlv_len(tot_data_len, p);
     //oid
-    *p++ = 0x6; p += format_tlv_len(sizeof(oid_ecdsa), p); memcpy(p, oid_ecdsa, sizeof(oid_ecdsa));
+    *p++ = 0x6; p += format_tlv_len(sizeof(oid_ecdsa), p); memcpy(p, oid, sizeof(oid_ecdsa));
     p += sizeof(oid_ecdsa);
-    //p
-    *p++ = 0x81; p += format_tlv_len(p_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.P, p, p_size);
-    p += p_size;
-    //A
-    if (a_size) {
-        *p++ = 0x82; p += format_tlv_len(a_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.A,
-                                                                              p,
-                                                                              a_size); p += a_size;
-    }
-    else {   //mbedtls does not set point A for some curves
-        if (pointA[ecdsa->grp.id] && ecdsa->grp.id < 6) {
-            *p++ = 0x82; p += format_tlv_len(p_size, p); memcpy(p, pointA[ecdsa->grp.id], p_size);
-            p += p_size;
-        }
-        else {
-            *p++ = 0x82; p += format_tlv_len(1, p);
-            *p++ = 0x0;
-        }
-    }
-    //B
-    *p++ = 0x83; p += format_tlv_len(b_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.B, p, b_size);
-    p += b_size;
-    //G
-    size_t g_new_size = 0;
-    *p++ = 0x84; p += format_tlv_len(g_size, p); mbedtls_ecp_point_write_binary(&ecdsa->grp,
-                                                                                &ecdsa->grp.G,
-                                                                                MBEDTLS_ECP_PF_UNCOMPRESSED,
-                                                                                &g_new_size,
-                                                                                p,
-                                                                                g_size);
-    p += g_size;
-    //order
-    *p++ = 0x85; p += format_tlv_len(o_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.N, p, o_size);
-    p += o_size;
-    //Y
-    *p++ = 0x86; p += format_tlv_len(y_size, p); memcpy(p, Y_buf, y_size); p += y_size;
-    //cofactor
-    *p++ = 0x87; p += format_tlv_len(c_size, p);
-    if (ecdsa->grp.id == MBEDTLS_ECP_DP_CURVE448) {
-        *p++ = 4;
-    }
-    else if (ecdsa->grp.id == MBEDTLS_ECP_DP_CURVE25519) {
-        *p++ = 8;
+    if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY || mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_EDWARDS) {
+        //p
+        *p++ = 0x81; p += format_tlv_len(p_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.P, p, p_size);
+        p += p_size;
+        //order
+        *p++ = 0x82; p += format_tlv_len(o_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.N, p, o_size);
+        p += o_size;
+        //G
+        *p++ = 0x83; p += format_tlv_len(g_size, p); memcpy(p, G_buf, g_size); p += g_size;
+        //Y
+        *p++ = 0x84; p += format_tlv_len(y_size, p); memcpy(p, Y_buf, y_size); p += y_size;
     }
     else {
+        //p
+        *p++ = 0x81; p += format_tlv_len(p_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.P, p, p_size);
+        p += p_size;
+        //A
+        if (a_size) {
+            *p++ = 0x82; p += format_tlv_len(a_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.A, p, a_size); p += a_size;
+        }
+        else {   //mbedtls does not set point A for some curves
+            if (pointA[ecdsa->grp.id] && ecdsa->grp.id < 6) {
+                *p++ = 0x82; p += format_tlv_len(p_size, p); memcpy(p, pointA[ecdsa->grp.id], p_size);
+                p += p_size;
+            }
+            else {
+                *p++ = 0x82; p += format_tlv_len(1, p);
+                *p++ = 0x0;
+            }
+        }
+        //B
+        *p++ = 0x83; p += format_tlv_len(b_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.B, p, b_size);
+        p += b_size;
+        //G
+        *p++ = 0x84; p += format_tlv_len(g_size, p); memcpy(p, G_buf, g_size); p += g_size;
+        //order
+        *p++ = 0x85; p += format_tlv_len(o_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.N, p, o_size);
+        p += o_size;
+        //Y
+        *p++ = 0x86; p += format_tlv_len(y_size, p); memcpy(p, Y_buf, y_size); p += y_size;
+        //cofactor
+        *p++ = 0x87; p += format_tlv_len(c_size, p);
         *p++ = 1;
     }
     return tot_len;
@@ -168,19 +163,25 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa,
                           uint8_t *buf,
                           size_t buf_len,
                           const uint8_t *ext,
-                          size_t ext_len) {
+                          size_t ext_len,
+                          bool full) {
     size_t pubkey_size = 0;
-    if (key_type == HSM_KEY_RSA) {
+    if (key_type & PICO_KEYS_KEY_RSA) {
         pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0);
     }
-    else if (key_type == HSM_KEY_EC) {
+    else if (key_type & PICO_KEYS_KEY_EC) {
         pubkey_size = asn1_cvc_public_key_ecdsa(rsa_ecdsa, NULL, 0);
     }
-    size_t cpi_size = 4;
-    size_t ext_size = 0;
+    size_t cpi_size = 4, ext_size = 0, role_size = 0, valid_size = 0;
     if (ext && ext_len > 0) {
         ext_size = asn1_len_tag(0x65, ext_len);
     }
+    const uint8_t *role = (const uint8_t *)"\x06\x09\x04\x00\x7F\x00\x07\x03\x01\x02\x02\x53\x01\x00";
+    size_t rolelen = 14;
+    if (full) {
+        role_size = asn1_len_tag(0x7f4c, rolelen);
+        valid_size = asn1_len_tag(0x5f24, 6) + asn1_len_tag(0x5f25, 6);
+    }
 
     uint8_t *car = NULL, *chr = NULL;
     size_t lencar = 0, lenchr = 0;
@@ -189,15 +190,23 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa,
                       &car) == false || lencar == 0 || car == NULL) {
         car = (uint8_t *) dev_name;
         lencar = dev_name_len;
+        if (dev_name == NULL) {
+            car = (uint8_t *)"ESPICOHSMTR00001";
+            lencar = strlen((const char *)car);
+        }
     }
     if (asn1_find_tag(apdu.data, apdu.nc, 0x5f20, &lenchr,
                       &chr) == false || lenchr == 0 || chr == NULL) {
         chr = (uint8_t *) dev_name;
         lenchr = dev_name_len;
+        if (chr == NULL) {
+            chr = car;
+            lenchr = lencar;
+        }
     }
     size_t car_size = asn1_len_tag(0x42, lencar), chr_size = asn1_len_tag(0x5f20, lenchr);
 
-    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size + car_size + pubkey_size + chr_size + ext_size);
+    size_t tot_len = asn1_len_tag(0x7f4e, cpi_size + car_size + pubkey_size + chr_size + ext_size + role_size + valid_size);
 
     if (buf_len == 0 || buf == NULL) {
         return tot_len;
@@ -207,20 +216,39 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa,
     }
     uint8_t *p = buf;
     memcpy(p, "\x7F\x4E", 2); p += 2;
-    p += format_tlv_len(cpi_size + car_size + pubkey_size + chr_size + ext_size, p);
+    p += format_tlv_len(cpi_size + car_size + pubkey_size + chr_size + role_size + valid_size + ext_size, p);
     //cpi
     *p++ = 0x5f; *p++ = 0x29; *p++ = 1; *p++ = 0;
     //car
     *p++ = 0x42; p += format_tlv_len(lencar, p); memcpy(p, car, lencar); p += lencar;
     //pubkey
-    if (key_type == HSM_KEY_RSA) {
+    if (key_type & PICO_KEYS_KEY_RSA) {
         p += asn1_cvc_public_key_rsa(rsa_ecdsa, p, pubkey_size);
     }
-    else if (key_type == HSM_KEY_EC) {
+    else if (key_type & PICO_KEYS_KEY_EC) {
         p += asn1_cvc_public_key_ecdsa(rsa_ecdsa, p, pubkey_size);
     }
     //chr
     *p++ = 0x5f; *p++ = 0x20; p += format_tlv_len(lenchr, p); memcpy(p, chr, lenchr); p += lenchr;
+    if (full) {
+        *p++ = 0x7f;
+        *p++ = 0x4c;
+        p += format_tlv_len(rolelen, p);
+        memcpy(p, role, rolelen);
+        p += rolelen;
+
+        *p++ = 0x5f;
+        *p++ = 0x25;
+        p += format_tlv_len(6, p);
+        memcpy(p, "\x02\x03\x00\x03\x02\x01", 6);
+        p += 6;
+
+        *p++ = 0x5f;
+        *p++ = 0x24;
+        p += format_tlv_len(6, p);
+        memcpy(p, "\x07\x00\x01\x02\x03\x01", 6);
+        p += 6;
+    }
     if (ext && ext_len > 0) {
         *p++ = 0x65;
         p += format_tlv_len(ext_len, p);
@@ -235,19 +263,16 @@ size_t asn1_cvc_cert(void *rsa_ecdsa,
                      uint8_t *buf,
                      size_t buf_len,
                      const uint8_t *ext,
-                     size_t ext_len) {
+                     size_t ext_len,
+                     bool full) {
     size_t key_size = 0;
-    if (key_type == HSM_KEY_RSA) {
+    if (key_type & PICO_KEYS_KEY_RSA) {
         key_size = mbedtls_mpi_size(&((mbedtls_rsa_context *) rsa_ecdsa)->N);
     }
-    else if (key_type == HSM_KEY_EC) {
-        key_size = 2 *
-                   (int) ((mbedtls_ecp_curve_info_from_grp_id(((mbedtls_ecdsa_context *) rsa_ecdsa)
-                                                              ->grp.id)->
-                           bit_size + 7) / 8);
+    else if (key_type & PICO_KEYS_KEY_EC) {
+        key_size = 2 * (int)((mbedtls_ecp_curve_info_from_grp_id(((mbedtls_ecdsa_context *) rsa_ecdsa)->grp.id)->bit_size + 7) / 8);
     }
-    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len),
-           sig_size = asn1_len_tag(0x5f37, key_size);
+    size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len, full), sig_size = asn1_len_tag(0x5f37, key_size);
     size_t tot_len = asn1_len_tag(0x7f21, body_size + sig_size);
     if (buf_len == 0 || buf == NULL) {
         return tot_len;
@@ -259,26 +284,29 @@ size_t asn1_cvc_cert(void *rsa_ecdsa,
     memcpy(p, "\x7F\x21", 2); p += 2;
     p += format_tlv_len(body_size + sig_size, p);
     body = p;
-    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size, ext, ext_len);
+    p += asn1_cvc_cert_body(rsa_ecdsa, key_type, p, body_size, ext, ext_len, full);
     uint8_t hsh[32];
     hash256(body, body_size, hsh);
     memcpy(p, "\x5F\x37", 2); p += 2;
     p += format_tlv_len(key_size, p);
-    if (key_type == HSM_KEY_RSA) {
-        if (mbedtls_rsa_rsassa_pkcs1_v15_sign(rsa_ecdsa, random_gen, NULL, MBEDTLS_MD_SHA256, 32,
-                                              hsh, p) != 0) {
+    if (key_type & PICO_KEYS_KEY_RSA) {
+        if (mbedtls_rsa_rsassa_pkcs1_v15_sign(rsa_ecdsa, random_gen, NULL, MBEDTLS_MD_SHA256, 32, hsh, p) != 0) {
             memset(p, 0, key_size);
         }
         p += key_size;
     }
-    else if (key_type == HSM_KEY_EC) {
+    else if (key_type & PICO_KEYS_KEY_EC) {
         mbedtls_mpi r, s;
         int ret = 0;
-        mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) rsa_ecdsa;
+        mbedtls_ecp_keypair *ecdsa = (mbedtls_ecp_keypair *) rsa_ecdsa;
         mbedtls_mpi_init(&r);
         mbedtls_mpi_init(&s);
-        ret =
-            mbedtls_ecdsa_sign(&ecdsa->grp, &r, &s, &ecdsa->d, hsh, sizeof(hsh), random_gen, NULL);
+        if (ecdsa->grp.id == MBEDTLS_ECP_DP_ED25519 || ecdsa->grp.id == MBEDTLS_ECP_DP_ED448) {
+            ret = mbedtls_eddsa_sign(&ecdsa->grp, &r, &s, &ecdsa->d, body, body_size, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL);
+        }
+        else {
+            ret = mbedtls_ecdsa_sign(&ecdsa->grp, &r, &s, &ecdsa->d, hsh, sizeof(hsh), random_gen, NULL);
+        }
         if (ret == 0) {
             mbedtls_mpi_write_binary(&r, p, key_size / 2); p += key_size / 2;
             mbedtls_mpi_write_binary(&s, p, key_size / 2); p += key_size / 2;
@@ -299,7 +327,7 @@ size_t asn1_cvc_aut(void *rsa_ecdsa,
                     size_t buf_len,
                     const uint8_t *ext,
                     size_t ext_len) {
-    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0, ext, ext_len);
+    size_t cvcert_size = asn1_cvc_cert(rsa_ecdsa, key_type, NULL, 0, ext, ext_len, false);
     size_t outcar_len = dev_name_len;
     const uint8_t *outcar = dev_name;
     size_t outcar_size = asn1_len_tag(0x42, outcar_len);
@@ -307,16 +335,14 @@ size_t asn1_cvc_aut(void *rsa_ecdsa,
     if (!fkey) {
         return 0;
     }
-    mbedtls_ecdsa_context ectx;
-    mbedtls_ecdsa_init(&ectx);
-    if (load_private_key_ecdsa(&ectx, fkey) != CCID_OK) {
-        mbedtls_ecdsa_free(&ectx);
+    mbedtls_ecp_keypair ectx;
+    mbedtls_ecp_keypair_init(&ectx);
+    if (load_private_key_ec(&ectx, fkey) != CCID_OK) {
+        mbedtls_ecp_keypair_free(&ectx);
         return 0;
     }
     int ret = 0, key_size = 2 * mbedtls_mpi_size(&ectx.d);
-    size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67,
-                                                                                cvcert_size + outcar_size +
-                                                                                outsig_size);
+    size_t outsig_size = asn1_len_tag(0x5f37, key_size), tot_len = asn1_len_tag(0x67, cvcert_size + outcar_size + outsig_size);
     if (buf_len == 0 || buf == NULL) {
         return tot_len;
     }
@@ -328,18 +354,23 @@ size_t asn1_cvc_aut(void *rsa_ecdsa,
     p += format_tlv_len(cvcert_size + outcar_size + outsig_size, p);
     uint8_t *body = p;
     //cvcert
-    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size, ext, ext_len);
+    p += asn1_cvc_cert(rsa_ecdsa, key_type, p, cvcert_size, ext, ext_len, false);
     //outcar
     *p++ = 0x42; p += format_tlv_len(outcar_len, p); memcpy(p, outcar, outcar_len); p += outcar_len;
-    uint8_t hsh[32];
     memcpy(p, "\x5f\x37", 2); p += 2;
     p += format_tlv_len(key_size, p);
-    hash256(body, cvcert_size + outcar_size, hsh);
     mbedtls_mpi r, s;
     mbedtls_mpi_init(&r);
     mbedtls_mpi_init(&s);
-    ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL);
-    mbedtls_ecdsa_free(&ectx);
+    if (ectx.grp.id == MBEDTLS_ECP_DP_ED25519 || ectx.grp.id == MBEDTLS_ECP_DP_ED448) {
+        ret = mbedtls_eddsa_sign(&ectx.grp, &r, &s, &ectx.d, body, cvcert_size + outcar_size, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL);
+    }
+    else {
+        uint8_t hsh[32];
+        hash256(body, cvcert_size + outcar_size, hsh);
+        ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL);
+    }
+    mbedtls_ecp_keypair_free(&ectx);
     if (ret != 0) {
         mbedtls_mpi_free(&r);
         mbedtls_mpi_free(&s);
@@ -413,18 +444,39 @@ size_t asn1_build_prkd_generic(const uint8_t *label,
                                const uint8_t *keyid,
                                size_t keyid_len,
                                size_t keysize,
-                               const uint8_t *seq,
-                               size_t seq_len,
+                               int key_type,
                                uint8_t *buf,
                                size_t buf_len) {
+    size_t seq_len = 0;
+    const uint8_t *seq = NULL;
+    uint8_t first_tag = 0x0;
+    if (key_type & PICO_KEYS_KEY_EC) {
+        seq = (const uint8_t *)"\x07\x20\x80";
+        seq_len = 3;
+        first_tag = 0xA0;
+    }
+    else if (key_type & PICO_KEYS_KEY_RSA) {
+        seq = (const uint8_t *)"\x02\x74";
+        seq_len = 2;
+        first_tag = 0x30;
+    }
+    else if (key_type & PICO_KEYS_KEY_AES) {
+        seq = (const uint8_t *)"\x07\xC0\x10";
+        seq_len = 3;
+        first_tag = 0xA8;
+    }
     size_t seq1_size = asn1_len_tag(0x30, asn1_len_tag(0xC, label_len));
     size_t seq2_size =
         asn1_len_tag(0x30, asn1_len_tag(0x4, keyid_len) + asn1_len_tag(0x3, seq_len));
-    size_t seq3_size =
-        asn1_len_tag(0xA1,
-                     asn1_len_tag(0x30,
-                                  asn1_len_tag(0x30, asn1_len_tag(0x4, 0)) + asn1_len_tag(0x2, 2)));
-    size_t tot_len = asn1_len_tag(0xA0, seq1_size + seq2_size + seq3_size);
+    size_t seq3_size = 0, seq4_size = 0;
+    if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) {
+        seq4_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0)) + asn1_len_tag(0x2, 2)));
+    }
+    else if (key_type & PICO_KEYS_KEY_AES) {
+        seq3_size = asn1_len_tag(0xA0, asn1_len_tag(0x30, asn1_len_tag(0x2, 2)));
+        seq4_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0))));
+    }
+    size_t tot_len = asn1_len_tag(first_tag, seq1_size + seq2_size + seq4_size);
     if (buf_len == 0 || buf == NULL) {
         return tot_len;
     }
@@ -432,8 +484,8 @@ size_t asn1_build_prkd_generic(const uint8_t *label,
         return 0;
     }
     uint8_t *p = buf;
-    *p++ = 0xA0;
-    p += format_tlv_len(seq1_size + seq2_size + seq3_size, p);
+    *p++ = first_tag;
+    p += format_tlv_len(seq1_size + seq2_size + seq3_size + seq4_size, p);
     //Seq 1
     *p++ = 0x30;
     p += format_tlv_len(asn1_len_tag(0xC, label_len), p);
@@ -452,22 +504,36 @@ size_t asn1_build_prkd_generic(const uint8_t *label,
     memcpy(p, seq, seq_len); p += seq_len;
 
     //Seq 3
+    if (key_type & PICO_KEYS_KEY_AES) {
+        *p++ = 0xA0;
+        p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x2, 2)), p);
+        *p++ = 0x30;
+        p += format_tlv_len(asn1_len_tag(0x2, 2), p);
+        *p++ = 0x2;
+        p += format_tlv_len(2, p);
+        *p++ = (keysize >> 8) & 0xff;
+        *p++ = keysize & 0xff;
+    }
+
+    //Seq 4
     *p++ = 0xA1;
-    p +=
-        format_tlv_len(asn1_len_tag(0x30,
-                                    asn1_len_tag(0x30, asn1_len_tag(0x4, 0)) + asn1_len_tag(0x2,
-                                                                                            2)),
-                       p);
+    size_t inseq4_len = asn1_len_tag(0x30, asn1_len_tag(0x4, 0));
+    if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) {
+        inseq4_len += asn1_len_tag(0x2, 2);
+    }
+    p += format_tlv_len(asn1_len_tag(0x30, inseq4_len), p);
     *p++ = 0x30;
-    p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x4, 0)) + asn1_len_tag(0x2, 2), p);
+    p += format_tlv_len(inseq4_len, p);
     *p++ = 0x30;
     p += format_tlv_len(asn1_len_tag(0x4, 0), p);
     *p++ = 0x4;
     p += format_tlv_len(0, p);
-    *p++ = 0x2;
-    p += format_tlv_len(2, p);
-    *p++ = (keysize >> 8) & 0xff;
-    *p++ = keysize & 0xff;
+    if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) {
+        *p++ = 0x2;
+        p += format_tlv_len(2, p);
+        *p++ = (keysize >> 8) & 0xff;
+        *p++ = keysize & 0xff;
+    }
     return p - buf;
 }
 
@@ -483,8 +549,7 @@ size_t asn1_build_prkd_ecc(const uint8_t *label,
                                    keyid,
                                    keyid_len,
                                    keysize,
-                                   (const uint8_t *) "\x07\x20\x80",
-                                   3,
+                                   PICO_KEYS_KEY_EC,
                                    buf,
                                    buf_len);
 }
@@ -501,8 +566,24 @@ size_t asn1_build_prkd_rsa(const uint8_t *label,
                                    keyid,
                                    keyid_len,
                                    keysize,
-                                   (const uint8_t *) "\x02\x74",
-                                   2,
+                                   PICO_KEYS_KEY_RSA,
+                                   buf,
+                                   buf_len);
+}
+
+size_t asn1_build_prkd_aes(const uint8_t *label,
+                           size_t label_len,
+                           const uint8_t *keyid,
+                           size_t keyid_len,
+                           size_t keysize,
+                           uint8_t *buf,
+                           size_t buf_len) {
+    return asn1_build_prkd_generic(label,
+                                   label_len,
+                                   keyid,
+                                   keyid_len,
+                                   keysize,
+                                   PICO_KEYS_KEY_AES,
                                    buf,
                                    buf_len);
 }

src/hsm/cvc.h

@@ -45,7 +45,8 @@ extern size_t asn1_cvc_cert(void *rsa_ecdsa,
                             uint8_t *buf,
                             size_t buf_len,
                             const uint8_t *ext,
-                            size_t ext_len);
+                            size_t ext_len,
+                            bool full);
 extern size_t asn1_cvc_aut(void *rsa_ecdsa,
                            uint8_t key_type,
                            uint8_t *buf,
@@ -86,4 +87,11 @@ extern size_t asn1_build_prkd_rsa(const uint8_t *label,
                                   size_t keysize,
                                   uint8_t *buf,
                                   size_t buf_len);
+extern size_t asn1_build_prkd_aes(const uint8_t *label,
+                                  size_t label_len,
+                                  const uint8_t *keyid,
+                                  size_t keyid_len,
+                                  size_t keysize,
+                                  uint8_t *buf,
+                                  size_t buf_len);
 #endif

src/hsm/files.h

@@ -28,7 +28,8 @@
 #define EF_DKEK         0x1090
 #define EF_KEY_DOMAIN   0x10A0
 #define EF_PUKAUT       0x10C0
-#define EF_PUK          0X10D0
+#define EF_PUK          0x10D0
+#define EF_MASTER_SEED  0x1110
 #define EF_PRKDFS       0x6040
 #define EF_PUKDFS       0x6041
 #define EF_CDFS         0x6042
@@ -40,7 +41,9 @@
 #define EF_PRKD_DEV     0xC400
 #define EF_EE_DEV       0xCE00
 
-#define EF_TERMCA       0x2f02
+#define EF_TERMCA       0x2F02
+#define EF_TOKENINFO    0x2F03
+#define EF_STATICTOKEN  0xCB00
 
 extern file_t *file_pin1;
 extern file_t *file_retries_pin1;

src/hsm/kek.c

@@ -36,6 +36,7 @@ extern bool has_session_pin, has_session_sopin;
 extern uint8_t session_pin[32], session_sopin[32];
 uint8_t mkek_mask[MKEK_KEY_SIZE];
 bool has_mkek_mask = false;
+uint8_t pending_save_dkek = 0xff;
 
 #define POLY 0xedb88320
 
@@ -286,7 +287,7 @@ int dkek_encode_key(uint8_t id,
                     size_t *out_len,
                     const uint8_t *allowed,
                     size_t allowed_len) {
-    if (!(key_type & HSM_KEY_RSA) && !(key_type & HSM_KEY_EC) && !(key_type & HSM_KEY_AES)) {
+    if (!(key_type & PICO_KEYS_KEY_RSA) && !(key_type & PICO_KEYS_KEY_EC) && !(key_type & PICO_KEYS_KEY_AES)) {
         return CCID_WRONG_DATA;
     }
 
@@ -316,21 +317,24 @@ int dkek_encode_key(uint8_t id,
         return r;
     }
 
-    if (key_type & HSM_KEY_AES) {
-        if (key_type & HSM_KEY_AES_128) {
+    if (key_type & PICO_KEYS_KEY_AES) {
+        if (key_type & PICO_KEYS_KEY_AES_128) {
             kb_len = 16;
         }
-        else if (key_type & HSM_KEY_AES_192) {
+        else if (key_type & PICO_KEYS_KEY_AES_192) {
             kb_len = 24;
         }
-        else if (key_type & HSM_KEY_AES_256) {
+        else if (key_type & PICO_KEYS_KEY_AES_256) {
             kb_len = 32;
         }
+        else if (key_type & PICO_KEYS_KEY_AES_512) {
+            kb_len = 64;
+        }
 
-        if (kb_len != 16 && kb_len != 24 && kb_len != 32) {
+        if (kb_len != 16 && kb_len != 24 && kb_len != 32 && kb_len != 64) {
             return CCID_WRONG_DATA;
         }
-        if (*out_len < 8 + 1 + 10 + 6 + 4 + (2 + 32 + 14) + 16) {
+        if (*out_len < 8 + 1 + 10 + 6 + (2 + 64 + 14) + 16) { // 14 bytes padding
             return CCID_WRONG_LENGTH;
         }
 
@@ -341,7 +345,7 @@ int dkek_encode_key(uint8_t id,
         algo = (uint8_t *) "\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01"; //2.16.840.1.101.3.4.1 (2+8)
         algo_len = 10;
     }
-    else if (key_type & HSM_KEY_RSA) {
+    else if (key_type & PICO_KEYS_KEY_RSA) {
         if (*out_len < 8 + 1 + 12 + 6 + (8 + 2 * 4 + 2 * 4096 / 8 + 3 + 13) + 16) { //13 bytes pading
             return CCID_WRONG_LENGTH;
         }
@@ -362,7 +366,7 @@ int dkek_encode_key(uint8_t id,
         algo = (uint8_t *) "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02";
         algo_len = 12;
     }
-    else if (key_type & HSM_KEY_EC) {
+    else if (key_type & PICO_KEYS_KEY_EC) {
         if (*out_len < 8 + 1 + 12 + 6 + (8 + 2 * 8 + 9 * 66 + 2 + 4) + 16) { //4 bytes pading
             return CCID_WRONG_LENGTH;
         }
@@ -381,26 +385,29 @@ int dkek_encode_key(uint8_t id,
         put_uint16_t(mbedtls_mpi_size(&ecdsa->grp.N), kb + 8 + kb_len); kb_len += 2;
         mbedtls_mpi_write_binary(&ecdsa->grp.N, kb + 8 + kb_len, mbedtls_mpi_size(&ecdsa->grp.N));
         kb_len += mbedtls_mpi_size(&ecdsa->grp.N);
-        put_uint16_t(1 + mbedtls_mpi_size(&ecdsa->grp.G.X) + mbedtls_mpi_size(&ecdsa->grp.G.Y),
-                     kb + 8 + kb_len); kb_len += 2;
-        kb[8 + kb_len++] = 0x4;
-        mbedtls_mpi_write_binary(&ecdsa->grp.G.X, kb + 8 + kb_len,
-                                 mbedtls_mpi_size(&ecdsa->grp.G.X));
-        kb_len += mbedtls_mpi_size(&ecdsa->grp.G.X);
-        mbedtls_mpi_write_binary(&ecdsa->grp.G.Y, kb + 8 + kb_len,
-                                 mbedtls_mpi_size(&ecdsa->grp.G.Y));
-        kb_len += mbedtls_mpi_size(&ecdsa->grp.G.Y);
+
+        size_t olen = 0;
+        mbedtls_ecp_point_write_binary(&ecdsa->grp,
+                                       &ecdsa->grp.G,
+                                       MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                       &olen,
+                                       kb + 8 + kb_len + 2,
+                                       sizeof(kb) - 8 - kb_len - 2);
+        put_uint16_t(olen, kb + 8 + kb_len);
+        kb_len += 2 + olen;
+
         put_uint16_t(mbedtls_mpi_size(&ecdsa->d), kb + 8 + kb_len); kb_len += 2;
         mbedtls_mpi_write_binary(&ecdsa->d, kb + 8 + kb_len, mbedtls_mpi_size(&ecdsa->d));
         kb_len += mbedtls_mpi_size(&ecdsa->d);
-        put_uint16_t(1 + mbedtls_mpi_size(&ecdsa->Q.X) + mbedtls_mpi_size(&ecdsa->Q.Y),
-                     kb + 8 + kb_len);
-        kb_len += 2;
-        kb[8 + kb_len++] = 0x4;
-        mbedtls_mpi_write_binary(&ecdsa->Q.X, kb + 8 + kb_len, mbedtls_mpi_size(&ecdsa->Q.X));
-        kb_len += mbedtls_mpi_size(&ecdsa->Q.X);
-        mbedtls_mpi_write_binary(&ecdsa->Q.Y, kb + 8 + kb_len, mbedtls_mpi_size(&ecdsa->Q.Y));
-        kb_len += mbedtls_mpi_size(&ecdsa->Q.Y);
+
+        mbedtls_ecp_point_write_binary(&ecdsa->grp,
+                                       &ecdsa->Q,
+                                       MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                       &olen,
+                                       kb + 8 + kb_len + 2,
+                                       sizeof(kb) - 8 - kb_len - 2);
+        put_uint16_t(olen, kb + 8 + kb_len);
+        kb_len += 2 + olen;
 
         algo = (uint8_t *) "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03";
         algo_len = 12;
@@ -411,13 +418,13 @@ int dkek_encode_key(uint8_t id,
     memcpy(out + *out_len, kcv, 8);
     *out_len += 8;
 
-    if (key_type & HSM_KEY_AES) {
+    if (key_type & PICO_KEYS_KEY_AES) {
         out[*out_len] = 15;
     }
-    else if (key_type & HSM_KEY_RSA) {
+    else if (key_type & PICO_KEYS_KEY_RSA) {
         out[*out_len] = 5;
     }
-    else if (key_type & HSM_KEY_EC) {
+    else if (key_type & PICO_KEYS_KEY_EC) {
         out[*out_len] = 12;
     }
     *out_len += 1;
@@ -451,7 +458,7 @@ int dkek_encode_key(uint8_t id,
     if (kb_len < kb_len_pad) {
         kb[kb_len] = 0x80;
     }
-    r = aes_encrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, kb_len_pad);
+    r = aes_encrypt(kenc, NULL, 256, PICO_KEYS_AES_MODE_CBC, kb, kb_len_pad);
     if (r != CCID_OK) {
         return r;
     }
@@ -475,13 +482,13 @@ int dkek_encode_key(uint8_t id,
 
 int dkek_type_key(const uint8_t *in) {
     if (in[8] == 5 || in[8] == 6) {
-        return HSM_KEY_RSA;
+        return PICO_KEYS_KEY_RSA;
     }
     else if (in[8] == 12) {
-        return HSM_KEY_EC;
+        return PICO_KEYS_KEY_EC;
     }
     else if (in[8] == 15) {
-        return HSM_KEY_AES;
+        return PICO_KEYS_KEY_AES;
     }
     return 0x0;
 }
@@ -578,7 +585,7 @@ int dkek_decode_key(uint8_t id,
     uint8_t kb[8 + 2 * 4 + 2 * 4096 / 8 + 3 + 13]; //worst case: RSA-4096  (plus, 13 bytes padding)
     memset(kb, 0, sizeof(kb));
     memcpy(kb, in + ofs, in_len - 16 - ofs);
-    r = aes_decrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, in_len - 16 - ofs);
+    r = aes_decrypt(kenc, NULL, 256, PICO_KEYS_AES_MODE_CBC, kb, in_len - 16 - ofs);
     if (r != CCID_OK) {
         return r;
     }
@@ -689,7 +696,14 @@ int dkek_decode_key(uint8_t id,
         len = get_uint16_t(kb, ofs); ofs += len + 2;
 
         //G
-        len = get_uint16_t(kb, ofs); ofs += len + 2;
+        len = get_uint16_t(kb, ofs);
+        if (ec_id == MBEDTLS_ECP_DP_CURVE25519 && kb[ofs + 2] != 0x09) {
+            ec_id = MBEDTLS_ECP_DP_ED25519;
+        }
+        else if (ec_id == MBEDTLS_ECP_DP_CURVE448 && (len != 56 || kb[ofs + 2] != 0x05)) {
+            ec_id = MBEDTLS_ECP_DP_ED448;
+        }
+        ofs += len + 2;
 
         //d
         len = get_uint16_t(kb, ofs); ofs += 2;
@@ -704,8 +718,16 @@ int dkek_decode_key(uint8_t id,
         len = get_uint16_t(kb, ofs); ofs += 2;
         r = mbedtls_ecp_point_read_binary(&ecdsa->grp, &ecdsa->Q, kb + ofs, len);
         if (r != 0) {
-            mbedtls_ecdsa_free(ecdsa);
-            return CCID_EXEC_ERROR;
+            if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_EDWARDS) {
+                r = mbedtls_ecp_point_edwards(&ecdsa->grp, &ecdsa->Q, &ecdsa->d, random_gen, NULL);
+            }
+            else {
+                r = mbedtls_ecp_mul(&ecdsa->grp, &ecdsa->Q, &ecdsa->d, &ecdsa->grp.G, random_gen, NULL);
+            }
+            if (r != 0) {
+                mbedtls_ecdsa_free(ecdsa);
+                return CCID_EXEC_ERROR;
+            }
         }
         r = mbedtls_ecp_check_pub_priv(ecdsa, ecdsa, random_gen, NULL);
         if (r != 0) {

src/hsm/kek.h

@@ -74,4 +74,6 @@ extern mse_t mse;
 
 extern int mse_decrypt_ct(uint8_t *, size_t);
 
+extern uint8_t pending_save_dkek;
+
 #endif

src/hsm/oid.h

@@ -144,4 +144,34 @@
 
 #define OID_KDF_X963                    "\x2B\x81\x05\x10\x86\x48\x3F"
 
+#define OID_NIST_ALG                    "\x60\x86\x48\x01\x65\x03\x04"
+#define OID_NIST_AES                    OID_NIST_ALG "\x01"
+#define OID_AES128_ECB                  OID_NIST_AES "\x01"
+#define OID_AES128_CBC                  OID_NIST_AES "\x02"
+#define OID_AES128_OFB                  OID_NIST_AES "\x03"
+#define OID_AES128_CFB                  OID_NIST_AES "\x04"
+#define OID_AES128_GCM                  OID_NIST_AES "\x06"
+#define OID_AES128_CCM                  OID_NIST_AES "\x07"
+#define OID_AES128_CTR                  OID_NIST_AES "\x09" // Not existing
+#define OID_AES192_ECB                  OID_NIST_AES "\x15"
+#define OID_AES192_CBC                  OID_NIST_AES "\x16"
+#define OID_AES192_OFB                  OID_NIST_AES "\x17"
+#define OID_AES192_CFB                  OID_NIST_AES "\x18"
+#define OID_AES192_GCM                  OID_NIST_AES "\x1A"
+#define OID_AES192_CCM                  OID_NIST_AES "\x1B"
+#define OID_AES192_CTR                  OID_NIST_AES "\x1D" // Not existing
+#define OID_AES256_ECB                  OID_NIST_AES "\x29"
+#define OID_AES256_CBC                  OID_NIST_AES "\x2A"
+#define OID_AES256_OFB                  OID_NIST_AES "\x2B"
+#define OID_AES256_CFB                  OID_NIST_AES "\x2C"
+#define OID_AES256_GCM                  OID_NIST_AES "\x2E"
+#define OID_AES256_CCM                  OID_NIST_AES "\x2F"
+#define OID_AES256_CTR                  OID_NIST_AES "\x31" // Not existing
+
+#define OID_IEEE_ALG                    "\x2B\x6F\x02\x8C\x53\x00\x00\x01"
+#define OID_AES128_XTS                  OID_IEEE_ALG "\x01"
+#define OID_AES256_XTS                  OID_IEEE_ALG "\x02"
+
+#define OID_HD                          "\x2B\x06\x01\x04\x01\x83\xA8\x78\x05\x8D\x6B"
+
 #endif

src/hsm/sc_hsm.c

@@ -24,8 +24,9 @@
 #include "eac.h"
 #include "cvc.h"
 #include "asn1.h"
-#include "hsm.h"
+#include "pico_keys.h"
 #include "usb.h"
+#include "random.h"
 
 const uint8_t sc_hsm_aid[] = {
     11,
@@ -75,23 +76,20 @@ extern int cmd_general_authenticate();
 extern int cmd_session_pin();
 extern int cmd_puk_auth();
 extern int cmd_pso();
+extern int cmd_bip_slip();
 
 extern const uint8_t *ccid_atr;
 
-app_t *sc_hsm_select_aid(app_t *a, const uint8_t *aid, uint8_t aid_len) {
-    if (!memcmp(aid, sc_hsm_aid + 1, MIN(aid_len, sc_hsm_aid[0]))) {
-        a->aid = sc_hsm_aid;
-        a->process_apdu = sc_hsm_process_apdu;
-        a->unload = sc_hsm_unload;
-        init_sc_hsm();
-        return a;
-    }
-    return NULL;
+int sc_hsm_select_aid(app_t *a) {
+    a->process_apdu = sc_hsm_process_apdu;
+    a->unload = sc_hsm_unload;
+    init_sc_hsm();
+    return CCID_OK;
 }
 
 void __attribute__((constructor)) sc_hsm_ctor() {
     ccid_atr = atr_sc_hsm;
-    register_app(sc_hsm_select_aid);
+    register_app(sc_hsm_select_aid, sc_hsm_aid);
 }
 
 void scan_files() {
@@ -218,11 +216,7 @@ int puk_store_select_chr(const uint8_t *chr) {
     return CCID_ERR_FILE_NOT_FOUND;
 }
 
-void init_sc_hsm() {
-    scan_all();
-    has_session_pin = has_session_sopin = false;
-    isUserAuthenticated = false;
-    cmd_select();
+void reset_puk_store() {
     if (puk_store_entries > 0) { /* From previous session */
         for (int i = 0; i < puk_store_entries; i++) {
             if (puk_store[i].copied == true) {
@@ -234,7 +228,12 @@ void init_sc_hsm() {
     puk_store_entries = 0;
     file_t *fterm = search_by_fid(EF_TERMCA, NULL, SPECIFY_EF);
     if (fterm) {
-        add_cert_puk_store(file_get_data(fterm), file_get_size(fterm), false);
+        uint8_t *p = NULL, *fterm_data = file_get_data(fterm), *pq = fterm_data;
+        size_t fterm_data_len = file_get_size(fterm);
+        while (walk_tlv(fterm_data, fterm_data_len, &p, NULL, NULL, NULL)) {
+            add_cert_puk_store(pq, p - pq, false);
+            pq = p;
+        }
     }
     for (int i = 0; i < 0xfe; i++) {
         file_t *ef = search_dynamic_file((CA_CERTIFICATE_PREFIX << 8) | i);
@@ -246,6 +245,14 @@ void init_sc_hsm() {
     memset(puk_status, 0, sizeof(puk_status));
 }
 
+void init_sc_hsm() {
+    scan_all();
+    has_session_pin = has_session_sopin = false;
+    isUserAuthenticated = false;
+    cmd_select();
+    reset_puk_store();
+}
+
 int sc_hsm_unload() {
     has_session_pin = has_session_sopin = false;
     isUserAuthenticated = false;
@@ -269,7 +276,7 @@ bool wait_button_pressed() {
     uint16_t opts = get_device_options();
     if (opts & HSM_OPT_BOOTSEL_BUTTON) {
         queue_try_add(&card_to_usb_q, &val);
-        do {
+        do{
             queue_remove_blocking(&usb_to_card_q, &val);
         } while (val != EV_BUTTON_PRESSED && val != EV_BUTTON_TIMEOUT);
     }
@@ -278,7 +285,11 @@ bool wait_button_pressed() {
 }
 
 int parse_token_info(const file_t *f, int mode) {
+#ifdef __FOR_CI
+    char *label = "SmartCard-HSM";
+#else
     char *label = "Pico-HSM";
+#endif
     char *manu = "Pol Henarejos";
     if (mode == 1) {
         uint8_t *p = res_APDU;
@@ -309,7 +320,7 @@ int pin_reset_retries(const file_t *pin, bool force) {
         return CCID_ERR_FILE_NOT_FOUND;
     }
     uint8_t retries = file_read_uint8(file_get_data(act));
-    if (retries == 0 && force == false) { //blocked
+    if (retries == 0 && force == false) { // blocked
         return CCID_ERR_BLOCKED;
     }
     retries = file_read_uint8(file_get_data(max));
@@ -367,7 +378,7 @@ int check_pin(const file_t *pin, const uint8_t *data, size_t len) {
     else {
         uint8_t dhash[32];
         double_hash_pin(data, len, dhash);
-        if (sizeof(dhash) != file_get_size(pin) - 1) { //1 byte for pin len
+        if (sizeof(dhash) != file_get_size(pin) - 1) { // 1 byte for pin len
             return SW_CONDITIONS_NOT_SATISFIED();
         }
         if (memcmp(file_get_data(pin) + 1, dhash, sizeof(dhash)) != 0) {
@@ -396,6 +407,10 @@ int check_pin(const file_t *pin, const uint8_t *data, size_t len) {
         hash_multi(data, len, session_sopin);
         has_session_sopin = true;
     }
+    if (pending_save_dkek != 0xff) {
+        save_dkek_key(pending_save_dkek, NULL);
+        pending_save_dkek = 0xff;
+    }
     return SW_OK();
 }
 
@@ -454,7 +469,7 @@ uint32_t decrement_key_counter(file_t *fkey) {
         /* We cannot modify meta_data, as it comes from flash memory. It must be cpied to an aux buffer */
         memcpy(cmeta, meta_data, meta_size);
         while (walk_tlv(cmeta, meta_size, &p, &tag, &tag_len, &tag_data)) {
-            if (tag == 0x90) { //ofset tag
+            if (tag == 0x90) { // ofset tag
                 uint32_t val =
                     (tag_data[0] << 24) | (tag_data[1] << 16) | (tag_data[2] << 8) | tag_data[3];
                 val--;
@@ -477,33 +492,36 @@ uint32_t decrement_key_counter(file_t *fkey) {
     return 0xffffffff;
 }
 
-//Stores the private and public keys in flash
+// Stores the private and public keys in flash
 int store_keys(void *key_ctx, int type, uint8_t key_id) {
     int r, key_size = 0;
-    uint8_t kdata[4096 / 8]; //worst case
-    if (type == HSM_KEY_RSA) {
+    uint8_t kdata[4096 / 8]; // worst case
+    if (type & PICO_KEYS_KEY_RSA) {
         mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx;
         key_size = mbedtls_mpi_size(&rsa->P) + mbedtls_mpi_size(&rsa->Q);
         mbedtls_mpi_write_binary(&rsa->P, kdata, key_size / 2);
         mbedtls_mpi_write_binary(&rsa->Q, kdata + key_size / 2, key_size / 2);
     }
-    else if (type == HSM_KEY_EC) {
+    else if (type & PICO_KEYS_KEY_EC) {
         mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) key_ctx;
         key_size = mbedtls_mpi_size(&ecdsa->d);
         kdata[0] = ecdsa->grp.id & 0xff;
-        mbedtls_mpi_write_binary(&ecdsa->d, kdata + 1, key_size);
+        mbedtls_ecp_write_key(ecdsa, kdata + 1, key_size);
         key_size++;
     }
-    else if (type & HSM_KEY_AES) {
-        if (type == HSM_KEY_AES_128) {
+    else if (type & PICO_KEYS_KEY_AES) {
+        if (type == PICO_KEYS_KEY_AES_128) {
             key_size = 16;
         }
-        else if (type == HSM_KEY_AES_192) {
+        else if (type == PICO_KEYS_KEY_AES_192) {
             key_size = 24;
         }
-        else if (type == HSM_KEY_AES_256) {
+        else if (type == PICO_KEYS_KEY_AES_256) {
             key_size = 32;
         }
+        else if (type == PICO_KEYS_KEY_AES_512) {
+            key_size = 64;
+        }
         memcpy(kdata, key_ctx, key_size);
     }
     else {
@@ -566,7 +584,7 @@ int find_and_store_meta_key(uint8_t key_id) {
 }
 
 int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) {
-    if (wait_button_pressed() == true) { //timeout
+    if (wait_button_pressed() == true) { // timeout
         return CCID_VERIFICATION_FAILED;
     }
 
@@ -609,13 +627,13 @@ int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) {
     return CCID_OK;
 }
 
-int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey) {
-    if (wait_button_pressed() == true) { //timeout
+int load_private_key_ec(mbedtls_ecp_keypair *ctx, file_t *fkey) {
+    if (wait_button_pressed() == true) { // timeout
         return CCID_VERIFICATION_FAILED;
     }
 
     int key_size = file_get_size(fkey);
-    uint8_t kdata[67]; //Worst case, 521 bit + 1byte
+    uint8_t kdata[67]; // Worst case, 521 bit + 1byte
     memcpy(kdata, file_get_data(fkey), key_size);
     if (mkek_decrypt(kdata, key_size) != 0) {
         return CCID_EXEC_ERROR;
@@ -624,12 +642,25 @@ int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey) {
     int r = mbedtls_ecp_read_key(gid, ctx, kdata + 1, key_size - 1);
     if (r != 0) {
         mbedtls_platform_zeroize(kdata, sizeof(kdata));
-        mbedtls_ecdsa_free(ctx);
+        mbedtls_ecp_keypair_free(ctx);
         return CCID_EXEC_ERROR;
     }
     mbedtls_platform_zeroize(kdata, sizeof(kdata));
+    if (gid == MBEDTLS_ECP_DP_ED25519 || gid == MBEDTLS_ECP_DP_ED448) {
+        r = mbedtls_ecp_point_edwards(&ctx->grp, &ctx->Q, &ctx->d, random_gen, NULL);
+    }
+    else {
+        r = mbedtls_ecp_mul(&ctx->grp, &ctx->Q, &ctx->d, &ctx->grp.G, random_gen, NULL);
+    }
+    if (r != 0) {
+        mbedtls_ecp_keypair_free(ctx);
+        return CCID_EXEC_ERROR;
+    }
     return CCID_OK;
 }
+int load_private_key_ecdh(mbedtls_ecp_keypair *ctx, file_t *fkey) {
+    return load_private_key_ec(ctx, fkey);
+}
 
 #define INS_VERIFY                  0x20
 #define INS_MSE                     0x22
@@ -638,6 +669,7 @@ int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey) {
 #define INS_RESET_RETRY             0x2C
 #define INS_KEYPAIR_GEN             0x46
 #define INS_KEY_GEN                 0x48
+#define INS_BIP_SLIP                0x4A
 #define INS_INITIALIZE              0x50
 #define INS_KEY_DOMAIN              0x52
 #define INS_PUK_AUTH                0x54
@@ -687,6 +719,7 @@ static const cmd_t cmds[] = {
     { INS_PUK_AUTH, cmd_puk_auth },
     { INS_PSO, cmd_pso },
     { INS_EXTERNAL_AUTHENTICATE, cmd_external_authenticate },
+    { INS_BIP_SLIP, cmd_bip_slip },
     { 0x00, 0x0 }
 };
 

src/hsm/sc_hsm.h

@@ -27,7 +27,7 @@
 #endif
 #include "file.h"
 #include "apdu.h"
-#include "hsm.h"
+#include "pico_keys.h"
 
 extern const uint8_t sc_hsm_aid[];
 
@@ -58,6 +58,7 @@ extern const uint8_t sc_hsm_aid[];
 #define ALGO_EC_DH              0x80        /* ECDH key derivation */
 #define ALGO_EC_DH_AUTPUK       0x83
 #define ALGO_EC_DH_XKEK         0x84
+#define ALGO_HD                 0xA0
 
 #define ALGO_WRAP               0x92
 #define ALGO_UNWRAP             0x93
@@ -117,7 +118,8 @@ extern int delete_file(file_t *ef);
 extern const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, size_t *tag_len);
 extern bool key_has_purpose(file_t *ef, uint8_t purpose);
 extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey);
-extern int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey);
+extern int load_private_key_ec(mbedtls_ecp_keypair *ctx, file_t *fkey);
+extern int load_private_key_ecdh(mbedtls_ecp_keypair *ctx, file_t *fkey);
 extern bool wait_button_pressed();
 extern int store_keys(void *key_ctx, int type, uint8_t key_id);
 extern int find_and_store_meta_key(uint8_t key_id);

src/hsm/version.h

@@ -18,7 +18,7 @@
 #ifndef __VERSION_H_
 #define __VERSION_H_
 
-#define HSM_VERSION 0x0304
+#define HSM_VERSION 0x0306
 
 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
 #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)

tests/build-in-docker.sh

@@ -1,7 +1,14 @@
 #!/bin/bash -eu
 
 source tests/docker_env.sh
+build_image
 #run_in_docker rm -rf CMakeFiles
 run_in_docker mkdir -p build_in_docker
-run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 ..
+run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 -D__FOR_CI=1 ..
 run_in_docker -w "$PWD/build_in_docker" make -j ${NUM_PROC}
+docker create --name temp_container pico-hsm-test:bullseye
+docker cp $PWD/build_in_docker/pico_hsm temp_container:/pico_hsm
+docker commit temp_container pico-hsm-test:bullseye
+docker stop temp_container
+docker rm temp_container
+docker image prune -f

tests/conftest.py

@@ -19,491 +19,15 @@
 
 import sys
 import pytest
-import os
-from binascii import hexlify
-from utils import APDUResponse, DOPrefixes, KeyType, Algorithm, Padding, int_to_bytes
-from const import *
-import hashlib
 
 try:
-    from cvc.asn1 import ASN1
-    from cvc import oid
-    from cvc.certificates import CVC
-    from cvc.ec_curves import ec_domain, find_curve
+    from picohsm import PicoHSM
 except ModuleNotFoundError:
-    print('ERROR: cvc module not found! Install pycvc package.\nTry with `pip install pycvc`')
+    print('ERROR: picohsm module not found! Install picohsm package.\nTry with `pip install pypicohsm`')
     sys.exit(-1)
 
-try:
-    from smartcard.CardType import AnyCardType
-    from smartcard.CardRequest import CardRequest
-    from smartcard.Exceptions import CardRequestTimeoutException, CardConnectionException
-except ModuleNotFoundError:
-    print('ERROR: smarctard module not found! Install pyscard package.\nTry with `pip install pyscard`')
-    sys.exit(-1)
-
-try:
-    from cryptography.hazmat.primitives.asymmetric import ec, rsa, utils, padding
-    from cryptography.hazmat.primitives import hashes, cmac
-    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
-except ModuleNotFoundError:
-    print('ERROR: cryptography module not found! Install cryptography package.\nTry with `pip install cryptography`')
-    sys.exit(-1)
-
-
-class Device:
-    class EcDummy:
-        def __init__(self, name):
-            self.name = name
-
-    def __init__(self,pin='648219'):
-        self.__pin = pin
-        cardtype = AnyCardType()
-        try:
-            # request card insertion
-            cardrequest = CardRequest(timeout=10, cardType=cardtype)
-            self.__card = cardrequest.waitforcard()
-
-            # connect to the card and perform a few transmits
-            self.__card.connection.connect()
-
-        except CardRequestTimeoutException:
-            raise Exception('time-out: no card inserted during last 10s')
-        self.select_applet()
-
-    def select_applet(self):
-        self.__card.connection.transmit([0x00, 0xA4, 0x04, 0x00, 0xB, 0xE8, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xC3, 0x1F, 0x02, 0x01, 0x0])
-
-    def send(self, command, cla=0x00, p1=0x00, p2=0x00, ne=None, data=None, codes=[]):
-        lc = []
-        dataf = []
-        if (data):
-            lc = [0x00] + list(len(data).to_bytes(2, 'big'))
-            dataf = list(data)
-        else:
-            lc = [0x00*3]
-        if (ne is None):
-            le = [0x00, 0x00]
-        else:
-            le = list(ne.to_bytes(2, 'big'))
-        if (isinstance(command, list) and len(command) > 1):
-            apdu = command
-        else:
-            apdu = [cla, command]
-
-        apdu = apdu + [p1, p2] + lc + dataf + le
-        try:
-            response, sw1, sw2 = self.__card.connection.transmit(apdu)
-        except CardConnectionException:
-            self.__card.connection.reconnect()
-            response, sw1, sw2 = self.__card.connection.transmit(apdu)
-
-        code = (sw1<<8|sw2)
-        if (sw1 != 0x90):
-            if (sw1 == 0x63 and sw2 & 0xF0 == 0xC0):
-                pass
-            elif (code == 0x6A82):
-                self.select_applet()
-                if (sw1 == 0x90):
-                    response, sw1, sw2 = self.__card.connection.transmit(apdu)
-                    if (sw1 == 0x90):
-                        return response
-            elif (code == 0x6982):
-                response, sw1, sw2 = self.__card.connection.transmit([0x00, 0x20, 0x00, 0x81, len(self.__pin)] + list(self.__pin.encode()) + [0x0])
-                if (sw1 == 0x90):
-                    response, sw1, sw2 = self.__card.connection.transmit(apdu)
-                    if (sw1 == 0x90):
-                        return response
-            if (code not in codes):
-                raise APDUResponse(sw1, sw2)
-        if (len(codes) > 1):
-            return response, code
-        return response
-
-    def get_login_retries(self):
-        self.select_applet()
-        try:
-            self.send(command=0x20, p2=0x81)
-        except APDUResponse as e:
-            if (e.sw1 == 0x63 and e.sw2 & 0xF0 == 0xC0):
-                return e.sw2 & 0x0F
-            raise e
-
-    def initialize(self, pin=DEFAULT_PIN, sopin=DEFAULT_SOPIN, options=None, retries=DEFAULT_RETRIES, dkek_shares=None, puk_auts=None, puk_min_auts=None, key_domains=None):
-        if (retries is not None and not 0 < retries <= 10):
-            raise ValueError('Retries must be in the range (0,10]')
-        if (dkek_shares is not None and not 0 <= dkek_shares <= 10):
-            raise ValueError('DKEK shares must be in the range [0,10]')
-        if ((puk_auts is not None and puk_min_auts is None) or (puk_auts is None and puk_min_auts is not None)):
-            raise ValueError('PUK Auts and PUK Min Auts must be specified both')
-        if (puk_auts is not None and not 0 < puk_auts <= 8):
-            raise ValueError('PUK Auts must be in the range (0,8]')
-        if (puk_min_auts is not None and not 0 < puk_min_auts <= 8):
-            raise ValueError('PUK Min Auts must be in the range (0,8]')
-        if (puk_auts is not None and puk_min_auts is not None and puk_min_auts > puk_auts):
-            raise ValueError('PUK Min Auts must be less or equal to PUK Auts')
-        if (key_domains is not None and not 0 < key_domains <= 8):
-            raise ValueError('Key Domains must be in the range (0,8]')
-
-        a = ASN1()
-        if (pin is not None):
-            a = a.add_tag(0x81, pin.encode())
-        if (sopin is not None):
-            a = a.add_tag(0x82, sopin.encode())
-        if (retries is not None):
-            a = a.add_tag(0x91, bytes([retries]))
-        if (dkek_shares is not None):
-            a = a.add_tag(0x92, bytes([dkek_shares]))
-        if (puk_auts is not None and puk_min_auts is not None):
-            a = a.add_tag(0x93, bytes([puk_auts, puk_min_auts]))
-        if (key_domains is not None):
-            a = a.add_tag(0x97, bytes([key_domains]))
-
-        data = a.encode()
-
-        self.send(cla=0x80, command=0x50, data=data)
-
-    def login(self, pin=None):
-        if (pin is None):
-            pin = self.__pin
-        self.send(command=0x20, p2=0x81, data=pin.encode())
-
-    def get_first_free_id(self):
-        kids = self.list_keys(prefix=DOPrefixes.KEY_PREFIX)
-        mset = set(range(max(kids)))-set(kids)
-        if (len(mset) > 0):
-            return min(mset)
-        if (max(kids) == 255):
-            raise ValueError('Max number of key id reached')
-        return max(kids)+1
-
-    def list_keys(self, prefix=None):
-        resp = self.send(command=0x58)
-        if (prefix is not None):
-            grouped = [(resp[i],resp[i+1]) for i in range(0, len(resp), 2) if resp[i] == prefix.value]
-            _, kids = zip(*grouped)
-            return kids
-        return [(resp[i],resp[i+1]) for i in range(0, len(resp), 2)]
-
-    def key_generation(self, type, param):
-        if (type in [KeyType.RSA, KeyType.ECC]):
-            a = ASN1().add_tag(0x5f29, bytes([0])).add_tag(0x42, 'UTCA00001'.encode())
-            if (type == KeyType.RSA):
-                if (not 1024 <= param <= 4096):
-                    raise ValueError('RSA bits must be in the range [1024,4096]')
-                a.add_tag(0x7f49, ASN1().add_oid(oid.ID_TA_RSA_V1_5_SHA_256).add_tag(0x2, param.to_bytes(2, 'big')).encode())
-            elif (type == KeyType.ECC):
-                if (param not in ('secp192r1', 'secp256r1', 'secp384r1', 'secp521r1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1', 'secp192k1', 'secp256k1')):
-                    raise ValueError('Bad elliptic curve name')
-
-                dom = ec_domain(Device.EcDummy(param))
-                pubctx = [dom.P, dom.A, dom.B, dom.G, dom.O, None, dom.F]
-                a.add_object(0x7f49, oid.ID_TA_ECDSA_SHA_256, pubctx)
-            a.add_tag(0x5f20, 'UTCDUMMY00001'.encode())
-            data = a.encode()
-
-            keyid = self.get_first_free_id()
-            self.send(command=0x46, p1=keyid, data=list(data))
-        elif (type == KeyType.AES):
-            if (param == 128):
-                p2 = 0xB0
-            elif (param == 192):
-                p2 = 0xB1
-            elif (param == 256):
-                p2 = 0xB2
-            else:
-                raise ValueError('Bad AES key size')
-            keyid = self.get_first_free_id()
-            self.send(command=0x48, p1=keyid, p2=p2)
-        else:
-            raise ValueError('Bad KeyType')
-        return keyid
-
-    def delete_file(self, fid):
-        self.send(command=0xE4, data=[fid >> 8, fid & 0xff])
-
-    def get_contents(self, p1, p2=None):
-        if (p2):
-            resp = self.send(command=0xB1, p1=p1, p2=p2, data=[0x54, 0x02, 0x00, 0x00])
-        else:
-            resp = self.get_contents(p1=p1 >> 8, p2=p1 & 0xff)
-        return bytes(resp)
-
-    def public_key(self, keyid, param=None):
-        response = self.get_contents(p1=DOPrefixes.EE_CERTIFICATE_PREFIX.value, p2=keyid)
-
-        cert = bytearray(response)
-        roid = CVC().decode(cert).pubkey().oid()
-        if (roid == oid.ID_TA_ECDSA_SHA_256):
-            curve = find_curve(ec_domain(Device.EcDummy(param)).P)
-            Y = bytes(CVC().decode(cert).pubkey().find(0x86).data())
-            return ec.EllipticCurvePublicKey.from_encoded_point(
-                        curve,
-                        Y,
-                    )
-        elif (roid == oid.ID_TA_RSA_V1_5_SHA_256):
-            n = int.from_bytes(bytes(CVC().decode(cert).pubkey().find(0x81).data()), 'big')
-            e = int.from_bytes(bytes(CVC().decode(cert).pubkey().find(0x82).data()), 'big')
-            return rsa.RSAPublicNumbers(e, n).public_key()
-        return None
-
-    def sign(self, keyid, scheme, data):
-        resp = self.send(cla=0x80, command=0x68, p1=keyid, p2=scheme.value, data=data)
-        return resp
-
-    def verify(self, pubkey, data, signature, scheme):
-        if (Algorithm.ALGO_EC_RAW.value <= scheme.value <= Algorithm.ALGO_EC_SHA512.value):
-            if (scheme == Algorithm.ALGO_EC_SHA1):
-                hsh = hashes.SHA1()
-            elif (scheme == Algorithm.ALGO_EC_SHA224):
-                hsh = hashes.SHA224()
-            elif (scheme == Algorithm.ALGO_EC_SHA256):
-                hsh = hashes.SHA256()
-            elif (scheme == Algorithm.ALGO_EC_RAW):
-                hsh = utils.Prehashed(hashes.SHA512())
-            elif (scheme == Algorithm.ALGO_EC_SHA384):
-                hsh = hashes.SHA384()
-            elif (scheme == Algorithm.ALGO_EC_SHA512):
-                hsh = hashes.SHA512()
-            return pubkey.verify(signature, data, ec.ECDSA(hsh))
-        elif (Algorithm.ALGO_RSA_PKCS1_SHA1.value <= scheme.value <= Algorithm.ALGO_RSA_PSS_SHA512.value):
-            if (scheme == Algorithm.ALGO_RSA_PKCS1_SHA1 or scheme == Algorithm.ALGO_RSA_PSS_SHA1):
-                hsh = hashes.SHA1()
-            elif (scheme == Algorithm.ALGO_RSA_PKCS1_SHA224 or scheme == Algorithm.ALGO_RSA_PSS_SHA224):
-                hsh = hashes.SHA224()
-            elif (scheme == Algorithm.ALGO_RSA_PKCS1_SHA256 or scheme == Algorithm.ALGO_RSA_PSS_SHA256):
-                hsh = hashes.SHA256()
-            elif (scheme == Algorithm.ALGO_RSA_PKCS1_SHA384 or scheme == Algorithm.ALGO_RSA_PSS_SHA384):
-                hsh = hashes.SHA384()
-            elif (scheme == Algorithm.ALGO_RSA_PKCS1_SHA512 or scheme == Algorithm.ALGO_RSA_PSS_SHA512):
-                hsh = hashes.SHA512()
-            if (Algorithm.ALGO_RSA_PKCS1_SHA1.value <= scheme.value <= Algorithm.ALGO_RSA_PKCS1_SHA512.value):
-                padd = padding.PKCS1v15()
-            elif (Algorithm.ALGO_RSA_PSS_SHA1.value <= scheme.value <= Algorithm.ALGO_RSA_PSS_SHA512.value):
-                padd = padding.PSS(
-                    mgf=padding.MGF1(hsh),
-                    salt_length=padding.PSS.AUTO
-                )
-            return pubkey.verify(signature, data, padd, hsh)
-
-    def decrypt(self, keyid, data, pad):
-        if (isinstance(pad, padding.OAEP)):
-            p2 = Padding.OAEP.value
-        elif (isinstance(pad, padding.PKCS1v15)):
-            p2 = Padding.PKCS.value
-        else:
-            p2 = Padding.RAW.value
-        resp = self.send(command=0x62, p1=keyid, p2=p2, data=list(data))
-        return bytes(resp)
-
-    def import_dkek(self, dkek):
-        resp = self.send(cla=0x80, command=0x52, p1=0x0, p2=0x0, data=dkek)
-        return resp
-
-    def import_key(self, pkey, dkek=None, purposes=None):
-        data = b''
-        kcv = hashlib.sha256(dkek or b'\x00'*32).digest()[:8]
-        kenc = hashlib.sha256((dkek or b'\x00'*32) + b'\x00\x00\x00\x01').digest()
-        kmac = hashlib.sha256((dkek or b'\x00'*32) + b'\x00\x00\x00\x02').digest()
-        data += kcv
-        if (isinstance(pkey, rsa.RSAPrivateKey)):
-            data += b'\x05'
-            algo = b'\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02'
-        elif (isinstance(pkey, ec.EllipticCurvePrivateKey)):
-            data += b'\x0C'
-            algo = b'\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03'
-        elif (isinstance(pkey, bytes)):
-            data += b'\x0F'
-            algo = b'\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01'
-
-        data += algo
-        if (not purposes and isinstance(pkey, bytes)):
-            purposes = [Algorithm.ALGO_AES_CBC_ENCRYPT.value, Algorithm.ALGO_AES_CBC_DECRYPT.value, Algorithm.ALGO_AES_CMAC.value, Algorithm.ALGO_AES_DERIVE.value, Algorithm.ALGO_EXT_CIPHER_ENCRYPT.value, Algorithm.ALGO_EXT_CIPHER_DECRYPT.value]
-        if (purposes):
-            data += b'\x00' + bytes([len(purposes)]) + bytes(purposes) + b'\x00'*4
-        else:
-            data += b'\x00'*6
-
-        kb = os.urandom(8)
-        if (isinstance(pkey, rsa.RSAPrivateKey)):
-            kb += int_to_bytes(pkey.key_size, length=2)
-            pubnum = pkey.public_key().public_numbers()
-            pnum = pkey.private_numbers()
-            kb += int_to_bytes((pnum.d.bit_length()+7)//8, length=2)
-            kb += int_to_bytes(pnum.d)
-            kb += int_to_bytes((pubnum.n.bit_length()+7)//8, length=2)
-            kb += int_to_bytes(pubnum.n)
-            kb += int_to_bytes((pubnum.e.bit_length()+7)//8, length=2)
-            kb += int_to_bytes(pubnum.e)
-        elif (isinstance(pkey, ec.EllipticCurvePrivateKey)):
-            curve = ec_domain(pkey.curve)
-            kb += int_to_bytes(len(curve.P)*8, length=2)
-            kb += int_to_bytes(len(curve.A), length=2)
-            kb += curve.A
-            kb += int_to_bytes(len(curve.B), length=2)
-            kb += curve.B
-            kb += int_to_bytes(len(curve.P), length=2)
-            kb += curve.P
-            kb += int_to_bytes(len(curve.O), length=2)
-            kb += curve.O
-            kb += int_to_bytes(len(curve.G), length=2)
-            kb += curve.G
-            kb += int_to_bytes((pkey.private_numbers().private_value.bit_length()+7)//8, length=2)
-            kb += int_to_bytes(pkey.private_numbers().private_value)
-            p = pkey.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
-            kb += int_to_bytes(len(p), length=2)
-            kb += p
-        elif (isinstance(pkey, bytes)):
-            kb += int_to_bytes(len(pkey), length=2)
-            kb += pkey
-
-        kb_len_pad = (len(kb)//16)*16
-        if (len(kb) % 16 > 0):
-            kb_len_pad = (len(kb)//16 + 1)*16
-        if (len(kb) < kb_len_pad):
-            kb += b'\x80'
-            kb += b'\x00' * (kb_len_pad-len(kb))
-        cipher = Cipher(algorithms.AES(kenc), modes.CBC(b'\x00'*16))
-        encryptor = cipher.encryptor()
-        ct = encryptor.update(kb) + encryptor.finalize()
-        data += ct
-        c = cmac.CMAC(algorithms.AES(kmac))
-        c.update(data)
-        data += c.finalize()
-
-        p1 = self.get_first_free_id()
-        _ = self.send(cla=0x80, command=0x74, p1=p1, p2=0x93, data=data)
-        return p1
-
-    def exchange(self, keyid, pubkey):
-        resp = self.send(cla=0x80, command=0x62, p1=keyid, p2=Algorithm.ALGO_EC_DH.value, data=pubkey.public_bytes(Encoding.X962, PublicFormat.UncompressedPoint))
-        return resp
-
-    def parse_cvc(self, data):
-        car = CVC().decode(data).car()
-        chr = CVC().decode(data).chr()
-        return {'car': car, 'chr': chr}
-
-    def get_termca(self):
-        resp = self.get_contents(EF_TERMCA)
-        cv_data = self.parse_cvc(resp)
-        a = ASN1().decode(resp).find(0x7f21).data()
-        tlen = len(ASN1.calculate_len(len(a)))
-        ret = {'cv': cv_data}
-        if (len(a)+2+tlen < len(resp)): # There's more certificate
-            resp = resp[2+len(a)+tlen:]
-            dv_data = self.parse_cvc(resp)
-            ret['dv'] = dv_data
-        return ret
-
-    def get_version(self):
-        resp = self.send(cla=0x80, command=0x50)
-        return resp[5]+0.1*resp[6]
-
-    def get_key_domain(self, key_domain=0):
-        resp, code = self.send(cla=0x80, command=0x52, p2=key_domain, codes=[0x9000, 0x6A88, 0x6A86])
-        if (code == 0x9000):
-            return {'dkek': { 'total': resp[0], 'missing': resp[1]}, 'kcv': resp[2:10]}
-        return {'error': code}
-
-    def get_key_domains(self):
-        for k in range(0xFF):
-            _, code = self.send(cla=0x80, command=0x52, p2=k, codes=[0x9000, 0x6A88, 0x6A86])
-            if (code == 0x6A86):
-                return k
-        return 0
-
-    def set_key_domain(self, key_domain=0, total=DEFAULT_DKEK_SHARES):
-        resp = self.send(cla=0x80, command=0x52, p1=0x1, p2=key_domain, data=[total])
-        return resp
-
-    def clear_key_domain(self, key_domain=0):
-        resp = self.send(cla=0x80, command=0x52, p1=0x4, p2=key_domain)
-        return resp
-
-    def delete_key_domain(self, key_domain=0):
-        self.send(cla=0x80, command=0x52, p1=0x3, p2=key_domain, codes=[0x6A88])
-
-    def get_challenge(self, length):
-        return self.send(cla=0x80, command=0x84, ne=length)
-
-    def cipher(self, algo, keyid, data):
-        resp = self.send(cla=0x80, command=0x78, p1=keyid, p2=algo.value, data=data)
-        return resp
-
-    def hmac(self, hash, keyid, data):
-        if (hash == hashes.SHA1):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x02\x07'
-        elif (hash == hashes.SHA224):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x02\x08'
-        elif (hash == hashes.SHA256):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x02\x09'
-        elif (hash == hashes.SHA384):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x02\x0A'
-        elif (hash == hashes.SHA512):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x02\x0B'
-        else:
-            raise ValueError("Hash not supported")
-        data = [0x06, len(algo)] + list(algo) + [0x81, len(data)] + list(data)
-        resp = self.send(cla=0x80, command=0x78, p1=keyid, p2=0x51, data=data)
-        return resp
-
-    def cmac(self, keyid, data):
-        resp = self.send(cla=0x80, command=0x78, p1=keyid, p2=Algorithm.ALGO_AES_CMAC.value, data=data)
-        return resp
-
-    def hkdf(self, hash, keyid, data, salt, out_len=None):
-        if (hash == hashes.SHA256):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1D'
-        elif (hash == hashes.SHA384):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1E'
-        elif (hash == hashes.SHA512):
-            algo = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1F'
-        data = [0x06, len(algo)] + list(algo) + [0x81, len(data)] + list(data) + [0x82, len(salt)] + list(salt)
-        resp = self.send(cla=0x80, command=0x78, p1=keyid, p2=0x51, data=data, ne=out_len)
-        return resp
-
-    def pbkdf2(self, hash, keyid, salt, iterations, out_len=None):
-        oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x05\x0C'
-        salt = b'\x04' + bytes([len(salt)]) + salt
-        iteration = b'\x02' + bytes([len(int_to_bytes(iterations))]) + int_to_bytes(iterations)
-        prf = b'\x30\x0A\x06\x08\x2A\x86\x48\x86\xF7\x0D\x02'
-        if (hash == hashes.SHA1):
-            prf += b'\x07'
-        elif (hash == hashes.SHA224):
-            prf += b'\x08'
-        elif (hash == hashes.SHA256):
-            prf += b'\x09'
-        elif (hash == hashes.SHA384):
-            prf += b'\x0A'
-        elif (hash == hashes.SHA512):
-            prf += b'\x0B'
-        data = list(salt + iteration + prf)
-        data = [0x06, len(oid)] + list(oid) + [0x81, len(data)] + list(data)
-        resp = self.send(cla=0x80, command=0x78, p1=keyid, p2=0x51, data=data, ne=out_len)
-        return resp
-
-    def x963(self, hash, keyid, data, out_len=None):
-        oid =  b'\x2B\x81\x05\x10\x86\x48\x3F'
-        enc = b'\x2A\x86\x48\x86\xF7\x0D\x02'
-        if (hash == hashes.SHA1):
-            enc += b'\x07'
-        elif (hash == hashes.SHA224):
-            enc += b'\x08'
-        elif (hash == hashes.SHA256):
-            enc += b'\x09'
-        elif (hash == hashes.SHA384):
-            enc += b'\x0A'
-        elif (hash == hashes.SHA512):
-            enc += b'\x0B'
-        else:
-            raise ValueError("Hash not supported")
-        data = [0x06, len(oid)] + list(oid) + [0x81, len(enc)] + list(enc) + [0x83, len(data)] + list(data)
-        resp = self.send(cla=0x80, command=0x78, p1=keyid, p2=0x51, data=data, ne=out_len)
-        return resp
 
 @pytest.fixture(scope="session")
 def device():
-    dev = Device()
+    dev = PicoHSM()
     return dev

tests/const.py

@@ -17,10 +17,9 @@
  */
 """
 
-DEFAULT_PIN = '648219'
-DEFAULT_SOPIN = '57621880'
-DEFAULT_RETRIES = 3
-DEFAULT_DKEK = [0x1] * 32
-DEFAULT_DKEK_SHARES = 2
+from binascii import unhexlify
 
-EF_TERMCA   = 0x2f02
+DEFAULT_DKEK = [0x1] * 32
+
+TERM_CERT = unhexlify('7F2181E57F4E819E5F290100421045535049434F48534D445630303030317F494F060A04007F00070202020203864104F571E53AA8E75C929D925081CF0F893CB5991D48BD546C1A3F22199F037E4B12D601ACD91C67C88D3C5B3D04C08EC0A372485F7A248E080EE0C6237C1B075E1C5F201045535049434F48534D54525A474E50327F4C0E060904007F0007030102025301005F25060203000300055F24060204000300045F374041BF5E970739135770DBCC5DDA81FFD8B13419A9257D44CAF8404267C644E8F435B43F5E57EB2A8CF4B198045ACD094E0CB34E6217D9C8922CFB9BBEFD4088AD')
+DICA_CERT = unhexlify('7F2181E97F4E81A25F290100421045535049434F48534D434130303030317F494F060A04007F0007020202020386410421EE4A21C16A10F737F12E78E5091B266612038CDABEBB722B15BF6D41B877FBF64D9AB69C39B9831B1AE00BEF2A4E81976F7688D45189BB232A24703D8A96A55F201045535049434F48534D445630303030317F4C12060904007F000703010202530580000000005F25060202000801085F24060203000601045F37403F75C08FFFC9186B56E6147199E82BFC327CEEF72495BC567961CD54D702F13E3C2766FCD1D11BD6A9D1F4A229B76B248CEB9AF88D59A74D0AB149448705159B')

tests/docker/bullseye/Dockerfile

@@ -0,0 +1,49 @@
+FROM debian:bullseye
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt update && apt upgrade -y
+RUN apt install -y apt-utils
+RUN apt autoremove -y
+RUN rm -rf /var/cache/apt/archives/*
+RUN apt install -y libccid \
+    libpcsclite-dev \
+    git \
+    autoconf \
+    pkg-config \
+    libtool \
+    help2man \
+    automake \
+    gcc \
+    make \
+    build-essential \
+    python3 \
+    python3-pip \
+    swig \
+    libssl-dev \
+    cmake \
+    vsmartcard-vpcd \
+    && rm -rf /var/lib/apt/lists/*
+RUN pip3 install pytest pycvc cryptography pyscard base58
+WORKDIR /
+RUN git clone https://github.com/OpenSC/OpenSC
+WORKDIR /OpenSC
+RUN git checkout tags/0.23.0
+RUN ./bootstrap
+RUN ./configure --enable-openssl
+RUN make -j `nproc`
+RUN make install
+RUN make clean
+RUN ldconfig
+WORKDIR /
+RUN git clone https://github.com/polhenarejos/pypicohsm.git
+RUN pip3 install -e pypicohsm
+RUN git clone https://github.com/CardContact/sc-hsm-embedded
+WORKDIR /sc-hsm-embedded
+RUN autoreconf -fi
+RUN ./configure
+RUN make -j `nproc`
+RUN make install
+RUN cp ./src/tests/sc-hsm-pkcs11-test /usr/local/bin/sc-hsm-pkcs11-test
+RUN make clean
+WORKDIR /

tests/docker/jammy/Dockerfile

@@ -22,7 +22,7 @@ RUN apt install -y libccid \
     cmake \
     && rm -rf /var/lib/apt/lists/*
 RUN pip3 install pytest pycvc cryptography pyscard
-RUN git clone https://github.com/frankmorgner/vsmartcard.git
+RUN git clone https://github.com/polhenarejos/vsmartcard.git
 WORKDIR /vsmartcard/virtualsmartcard
 RUN autoreconf --verbose --install
 RUN ./configure --sysconfdir=/etc

tests/docker_env.sh

@@ -46,7 +46,7 @@
 
 
 # default values, can be overridden by the environment
-: ${MBEDTLS_DOCKER_GUEST:=jammy}
+: ${MBEDTLS_DOCKER_GUEST:=bullseye}
 
 
 DOCKER_IMAGE_TAG="pico-hsm-test:${MBEDTLS_DOCKER_GUEST}"
@@ -72,14 +72,16 @@ else
     NUM_PROC="$(nproc)"
 fi
 
-# Build the Docker image
-echo "Getting docker image up to date (this may take a few minutes)..."
-${DOCKER} image build \
-    -t ${DOCKER_IMAGE_TAG} \
-    --cache-from=${DOCKER_IMAGE_TAG} \
-    --network host \
-    --build-arg MAKEFLAGS_PARALLEL="-j ${NUM_PROC}" \
-    tests/docker/${MBEDTLS_DOCKER_GUEST}
+build_image() {
+    # Build the Docker image
+    echo "Getting docker image up to date (this may take a few minutes)..."
+    ${DOCKER} image build \
+        -t ${DOCKER_IMAGE_TAG} \
+        --cache-from=${DOCKER_IMAGE_TAG} \
+        --network host \
+        --build-arg MAKEFLAGS_PARALLEL="-j ${NUM_PROC}" \
+        tests/docker/${MBEDTLS_DOCKER_GUEST}
+}
 
 run_in_docker()
 {

tests/pico-hsm/test_000_info.py

@@ -18,17 +18,19 @@
 """
 
 import pytest
-from const import EF_TERMCA
 
 def test_select(device):
     device.select_applet()
 
+def test_initialization(device):
+    device.initialize()
+
 def test_termca(device):
     data = device.get_termca()
     assert(b'ESPICOHSMTR' == data['cv']['chr'][:11])
-    assert(b'ESPICOHSMDV' == data['cv']['car'][:11])
-    assert(b'ESPICOHSMDV' == data['dv']['chr'][:11])
-    assert(b'ESPICOHSMCA' == data['dv']['car'][:11])
+    assert(b'ESPICOHSMDV' == data['cv']['car'][:11] or b'ESPICOHSMTR' == data['cv']['car'][:11])
+    assert(b'ESPICOHSMDV' == data['dv']['chr'][:11] or b'ESPICOHSMTR' == data['dv']['chr'][:11])
+    assert(b'ESPICOHSMCA' == data['dv']['car'][:11] or b'ESPICOHSMTR' == data['dv']['car'][:11])
     assert(data['cv']['car'] == data['dv']['chr'])
 
 def test_get_version(device):

tests/pico-hsm/test_004_key_domains.py

@@ -18,9 +18,13 @@
 """
 
 import pytest
-from const import DEFAULT_DKEK_SHARES, DEFAULT_DKEK
+import hashlib
+from const import DEFAULT_DKEK
+from picohsm import APDUResponse, SWCodes
+from picohsm.const import DEFAULT_DKEK_SHARES
 
 KEY_DOMAINS = 3
+TEST_KEY_DOMAIN = 1
 
 def test_key_domains(device):
     device.initialize(key_domains=KEY_DOMAINS)
@@ -34,13 +38,28 @@ def test_key_domains(device):
     assert(kd['error'] == 0x6A86)
     assert(device.get_key_domains() == KEY_DOMAINS)
 
-def test_set_key_domain(device):
-    kd = device.get_key_domain(key_domain=0)
+def test_import_dkek_wrong_key_domain(device):
+    with pytest.raises(APDUResponse) as e:
+        device.import_dkek(DEFAULT_DKEK, key_domain=0)
+    assert(e.value.sw == SWCodes.SW_COMMAND_NOT_ALLOWED)
+
+def test_import_dkek_fail(device):
+    with pytest.raises(APDUResponse) as e:
+        device.import_dkek(DEFAULT_DKEK, key_domain=TEST_KEY_DOMAIN)
+    assert(e.value.sw == SWCodes.SW_COMMAND_NOT_ALLOWED)
+
+def test_set_key_domain_fail(device):
+    with pytest.raises(APDUResponse) as e:
+        device.set_key_domain(key_domain=10)
+    assert(e.value.sw == SWCodes.SW_INCORRECT_P1P2)
+
+def test_set_key_domain_ok(device):
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert('error' in kd)
     assert(kd['error'] == 0x6A88)
 
-    device.set_key_domain(key_domain=0)
-    kd = device.get_key_domain(key_domain=0)
+    device.set_key_domain(key_domain=TEST_KEY_DOMAIN)
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert('error' not in kd)
     assert('dkek' in kd)
     assert('total' in kd['dkek'])
@@ -48,25 +67,44 @@ def test_set_key_domain(device):
     assert('missing' in kd['dkek'])
     assert(kd['dkek']['missing'] == DEFAULT_DKEK_SHARES)
 
+def test_import_dkek_ok(device):
+    resp = device.import_dkek(DEFAULT_DKEK, key_domain=TEST_KEY_DOMAIN)
+    assert(resp[0] == DEFAULT_DKEK_SHARES)
+    assert(resp[1] == DEFAULT_DKEK_SHARES-1)
+
+    resp = device.import_dkek(DEFAULT_DKEK, key_domain=TEST_KEY_DOMAIN)
+    assert(resp[1] == DEFAULT_DKEK_SHARES-2)
+
+    kcv = hashlib.sha256(b'\x00'*32).digest()[:8]
+    assert(resp[2:] == kcv)
+
 def test_clear_key_domain(device):
     kd = device.get_key_domain(key_domain=0)
+    assert('error' in kd)
+    assert(kd['error'] == SWCodes.SW_REFERENCE_NOT_FOUND)
+
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert(kd['dkek']['total'] == DEFAULT_DKEK_SHARES)
 
-    device.import_dkek(DEFAULT_DKEK)
-    kd = device.get_key_domain(key_domain=0)
-    assert(kd['dkek']['missing'] == DEFAULT_DKEK_SHARES-1)
-
-    device.clear_key_domain(key_domain=0)
-    kd = device.get_key_domain(key_domain=0)
+    device.clear_key_domain(key_domain=TEST_KEY_DOMAIN)
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert(kd['dkek']['missing'] == DEFAULT_DKEK_SHARES)
 
 def test_delete_key_domain(device):
     assert(device.get_key_domains() == KEY_DOMAINS)
-    kd = device.get_key_domain(key_domain=0)
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
+    assert(kd['dkek']['total'] == DEFAULT_DKEK_SHARES)
+    with pytest.raises(APDUResponse) as e:
+        device.delete_key_domain(key_domain=0)
+    assert(e.value.sw == SWCodes.SW_INCORRECT_P1P2)
+
+def test_delete_key_domain(device):
+    assert(device.get_key_domains() == KEY_DOMAINS)
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert(kd['dkek']['total'] == DEFAULT_DKEK_SHARES)
 
-    device.delete_key_domain(key_domain=0)
+    device.delete_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert(device.get_key_domains() == KEY_DOMAINS)
-    kd = device.get_key_domain(key_domain=0)
+    kd = device.get_key_domain(key_domain=TEST_KEY_DOMAIN)
     assert('error' in kd)
     assert(kd['error'] == 0x6A88)

tests/pico-hsm/test_005_dkek.py

@@ -19,8 +19,8 @@
 
 import pytest
 import hashlib
-from utils import APDUResponse, SWCodes
-from const import DEFAULT_PIN, DEFAULT_RETRIES, DEFAULT_DKEK, DEFAULT_DKEK_SHARES
+from picohsm.const import DEFAULT_DKEK_SHARES, DEFAULT_PIN, DEFAULT_RETRIES
+from const import  DEFAULT_DKEK
 
 def test_dkek(device):
     device.initialize(retries=DEFAULT_RETRIES, dkek_shares=DEFAULT_DKEK_SHARES)
@@ -33,5 +33,5 @@ def test_dkek(device):
     assert(resp[1] == DEFAULT_DKEK_SHARES-2)
 
     kcv = hashlib.sha256(b'\x00'*32).digest()[:8]
-    assert(bytes(resp[2:]) == kcv)
+    assert(resp[2:] == kcv)
 

tests/pico-hsm/test_010_pin.py

@@ -18,36 +18,35 @@
 """
 
 import pytest
-from utils import APDUResponse, SWCodes
-from const import DEFAULT_PIN, DEFAULT_RETRIES
+from picohsm import APDUResponse, SWCodes
+from picohsm.const import DEFAULT_PIN, DEFAULT_RETRIES
 
 WRONG_PIN = '112233'
-RETRIES = DEFAULT_RETRIES
 
 def test_pin_init_retries(device):
-    device.initialize(retries=RETRIES)
+    device.initialize(retries=DEFAULT_RETRIES)
     retries = device.get_login_retries()
-    assert(retries == RETRIES)
+    assert(retries == DEFAULT_RETRIES)
 
 def test_pin_login(device):
-    device.initialize(retries=RETRIES)
+    device.initialize(retries=DEFAULT_RETRIES)
     device.login(DEFAULT_PIN)
 
 def test_pin_retries(device):
-    device.initialize(retries=RETRIES)
+    device.initialize(retries=DEFAULT_RETRIES)
     device.login(DEFAULT_PIN)
 
-    for ret in range(RETRIES-1):
+    for ret in range(DEFAULT_RETRIES-1):
         with pytest.raises(APDUResponse) as e:
             device.login(WRONG_PIN)
-        assert(e.value.sw1 == 0x63 and e.value.sw2 == (0xC0 | (RETRIES-1-ret)))
+        assert(e.value.sw1 == 0x63 and e.value.sw2 == (0xC0 | (DEFAULT_RETRIES-1-ret)))
 
     with pytest.raises(APDUResponse) as e:
         device.login(WRONG_PIN)
-    assert(e.value.sw == SWCodes.SW_PIN_BLOCKED.value)
+    assert(e.value.sw == SWCodes.SW_PIN_BLOCKED)
 
-    device.initialize(retries=RETRIES)
+    device.initialize(retries=DEFAULT_RETRIES)
     retries = device.get_login_retries()
-    assert(retries == RETRIES)
+    assert(retries == DEFAULT_RETRIES)
 
 

tests/pico-hsm/test_020_keypair_gen.py

@@ -18,20 +18,22 @@
 """
 
 import pytest
-from utils import KeyType, DOPrefixes
+from picohsm import KeyType, DOPrefixes
 
 def test_gen_initialize(device):
     device.initialize()
 
 @pytest.mark.parametrize(
-    "curve", ['secp192r1', 'secp256r1', 'secp384r1', 'secp521r1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1', 'secp192k1', 'secp256k1']
+    "curve", ['secp192r1', 'secp256r1', 'secp384r1', 'secp521r1', 'brainpoolP256r1', 'brainpoolP384r1', 'brainpoolP512r1', 'secp192k1', 'secp256k1', 'curve25519', 'curve448', 'ed25519', 'ed448']
 )
 def test_gen_ecc(device, curve):
     keyid = device.key_generation(KeyType.ECC, curve)
     resp = device.list_keys()
-    assert((DOPrefixes.KEY_PREFIX.value, keyid) in resp)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX.value << 8 | keyid)
+    assert((DOPrefixes.KEY_PREFIX, keyid) in resp)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
+    resp = device.list_keys()
+    assert((DOPrefixes.KEY_PREFIX, keyid) not in resp)
 
 @pytest.mark.parametrize(
     "modulus", [1024, 2048, 4096]
@@ -39,7 +41,7 @@ def test_gen_ecc(device, curve):
 def test_gen_rsa(device, modulus):
     keyid = device.key_generation(KeyType.RSA, modulus)
     resp = device.list_keys()
-    assert((DOPrefixes.KEY_PREFIX.value, keyid) in resp)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX.value << 8 | keyid)
+    assert((DOPrefixes.KEY_PREFIX, keyid) in resp)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
 

tests/pico-hsm/test_021_key_import.py

@@ -20,16 +20,18 @@
 import pytest
 import hashlib
 import os
-from utils import KeyType, DOPrefixes
-from cryptography.hazmat.primitives.asymmetric import rsa, ec
-from const import DEFAULT_RETRIES, DEFAULT_DKEK_SHARES, DEFAULT_DKEK
+from picohsm import DOPrefixes
+from cryptography.hazmat.primitives.asymmetric import rsa, ec, x25519, x448, ed25519, ed448
+from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+from picohsm.const import DEFAULT_RETRIES, DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
 
 def test_prepare_dkek(device):
     device.initialize(retries=DEFAULT_RETRIES, dkek_shares=DEFAULT_DKEK_SHARES)
     resp = device.import_dkek(DEFAULT_DKEK)
     resp = device.import_dkek(DEFAULT_DKEK)
     kcv = hashlib.sha256(b'\x00'*32).digest()[:8]
-    assert(bytes(resp[2:]) == kcv)
+    assert(resp[2:] == kcv)
 
 @pytest.mark.parametrize(
     "modulus", [1024, 2048, 4096]
@@ -42,8 +44,8 @@ def test_import_rsa(device, modulus):
     keyid = device.import_key(pkey)
     pubkey = device.public_key(keyid)
     assert(pubkey.public_numbers() == pkey.public_key().public_numbers())
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX.value << 8 | keyid)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
 
 
 @pytest.mark.parametrize(
@@ -54,8 +56,30 @@ def test_import_ecc(device, curve):
     keyid = device.import_key(pkey)
     pubkey = device.public_key(keyid, param=curve().name)
     assert(pubkey.public_numbers() == pkey.public_key().public_numbers())
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX.value << 8 | keyid)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
+
+@pytest.mark.parametrize(
+    "curve", [x25519.X25519PrivateKey, x448.X448PrivateKey]
+)
+def test_import_montgomery(device, curve):
+    pkey = curve.generate()
+    keyid = device.import_key(pkey)
+    pubkey = device.public_key(keyid, param=curve)
+    assert(pubkey.public_bytes(Encoding.Raw, PublicFormat.Raw) == pkey.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw))
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
+
+@pytest.mark.parametrize(
+    "curve", [ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey]
+)
+def test_import_edwards(device, curve):
+    pkey = curve.generate()
+    keyid = device.import_key(pkey)
+    pubkey = device.public_key(keyid, param=curve)
+    assert(pubkey.public_bytes(Encoding.Raw, PublicFormat.Raw) == pkey.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw))
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
 
 @pytest.mark.parametrize(
     "size", [128, 192, 256]

tests/pico-hsm/test_022_key_exchange.py

@@ -19,16 +19,17 @@
 
 import pytest
 import hashlib
-from utils import KeyType, DOPrefixes
-from cryptography.hazmat.primitives.asymmetric import rsa, ec
-from const import DEFAULT_RETRIES, DEFAULT_DKEK_SHARES, DEFAULT_DKEK
+from picohsm import DOPrefixes
+from cryptography.hazmat.primitives.asymmetric import ec, x25519, x448
+from picohsm.const import DEFAULT_RETRIES, DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
 
 def test_prepare_dkek(device):
     device.initialize(retries=DEFAULT_RETRIES, dkek_shares=DEFAULT_DKEK_SHARES)
     resp = device.import_dkek(DEFAULT_DKEK)
     resp = device.import_dkek(DEFAULT_DKEK)
     kcv = hashlib.sha256(b'\x00'*32).digest()[:8]
-    assert(bytes(resp[2:]) == kcv)
+    assert(resp[2:] == kcv)
 
 @pytest.mark.parametrize(
     "curve", [ec.SECP192R1, ec.SECP256R1, ec.SECP384R1, ec.SECP521R1, ec.SECP256K1, ec.BrainpoolP256R1, ec.BrainpoolP384R1, ec.BrainpoolP512R1]
@@ -43,10 +44,31 @@ def test_exchange_ecc(device, curve):
     sharedB = pkeyB.exchange(ec.ECDH(), pbkeyA)
     sharedA = device.exchange(keyid, pbkeyB)
 
-    assert(bytes(sharedA) == sharedB)
+    assert(sharedA == sharedB)
 
     sharedAA = pkeyA.exchange(ec.ECDH(), pbkeyB)
-    assert(bytes(sharedA) == sharedAA)
+    assert(sharedA == sharedAA)
 
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX.value << 8 | keyid)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
+
+@pytest.mark.parametrize(
+    "curve", [x25519.X25519PrivateKey, x448.X448PrivateKey]
+)
+def test_exchange_montgomery(device, curve):
+    pkeyA = curve.generate()
+    pbkeyA = pkeyA.public_key()
+    keyid = device.import_key(pkeyA)
+    pkeyB = curve.generate()
+    pbkeyB = pkeyB.public_key()
+
+    sharedB = pkeyB.exchange(pbkeyA)
+    sharedA = device.exchange(keyid, pbkeyB)
+
+    assert(sharedA == sharedB)
+
+    sharedAA = pkeyA.exchange(pbkeyB)
+    assert(sharedA == sharedAA)
+
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)

tests/pico-hsm/test_023_key_generation.py

@@ -18,7 +18,7 @@
 """
 
 import pytest
-from utils import KeyType, DOPrefixes
+from picohsm import KeyType, DOPrefixes
 
 @pytest.mark.parametrize(
     "size", [128, 192, 256]
@@ -26,5 +26,5 @@ from utils import KeyType, DOPrefixes
 def test_gen_aes(device, size):
     keyid = device.key_generation(KeyType.AES, size)
     resp = device.list_keys()
-    assert((DOPrefixes.KEY_PREFIX.value, keyid) in resp)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+    assert((DOPrefixes.KEY_PREFIX, keyid) in resp)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)

tests/pico-hsm/test_025_key_export.py

@@ -0,0 +1,137 @@
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2023 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+import pytest
+from picohsm import KeyType, DOPrefixes, APDUResponse, SWCodes
+from binascii import hexlify
+import hashlib
+from const import DEFAULT_DKEK
+from cryptography.hazmat.primitives import cmac
+from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives import serialization
+
+def test_initialize(device):
+    device.initialize(key_domains=1)
+    assert(device.get_key_domains() == 1)
+
+    device.set_key_domain(key_domain=0, total=2)
+
+keyid_in = -1
+keyid_out = -1
+def test_key_generation_no_key_domain(device):
+    global keyid_out
+    keyid_out = device.key_generation(KeyType.ECC, 'brainpoolP256r1')
+    device.put_contents(p1=DOPrefixes.PRKD_PREFIX, p2=keyid_out, data=[0xA0])
+    resp = device.list_keys()
+    assert((DOPrefixes.KEY_PREFIX, keyid_out) in resp)
+    assert((DOPrefixes.PRKD_PREFIX, keyid_out) in resp)
+
+def test_key_generation_with_key_domain(device):
+    global keyid_in
+    keyid_in = device.key_generation(KeyType.ECC, 'brainpoolP256r1', key_domain=0)
+    device.put_contents(p1=DOPrefixes.PRKD_PREFIX, p2=keyid_in, data=[0xA0])
+    resp = device.list_keys()
+    assert((DOPrefixes.KEY_PREFIX, keyid_in) in resp)
+    assert((DOPrefixes.PRKD_PREFIX, keyid_in) in resp)
+
+def test_export_key_out(device):
+    with pytest.raises(APDUResponse) as e:
+        device.export_key(keyid_out)
+    assert(e.value.sw == SWCodes.SW_REFERENCE_NOT_FOUND)
+
+def test_export_key_in_fail(device):
+    with pytest.raises(APDUResponse) as e:
+        device.export_key(keyid_in)
+    assert(e.value.sw == SWCodes.SW_REFERENCE_NOT_FOUND)
+
+def test_export_import_dkek(device):
+    resp = device.import_dkek(DEFAULT_DKEK, key_domain=0)
+    resp = device.import_dkek(DEFAULT_DKEK, key_domain=0)
+
+def test_export_key_in_ok(device):
+    resp = device.export_key(keyid_in)
+    kcv = hashlib.sha256(b'\x00'*32).digest()[:8]
+    assert(kcv == resp[:8])
+    assert(resp[8] == 12)
+    assert(resp[9:21] == b"\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03")
+
+    pkey = hashlib.sha256(b'\x00'*32+b'\x00\x00\x00\x02').digest()
+    c = cmac.CMAC(algorithms.AES(pkey))
+    c.update(resp[:-16])
+    resCMAC = c.finalize()
+    assert(resCMAC == resp[-16:])
+
+def test_delete_keys_in_out(device):
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid_in)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid_in)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid_out)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid_out)
+
+def test_export_import(device):
+    pkey_gen = ec.generate_private_key(ec.BrainpoolP256R1())
+    keyid = device.import_key(pkey_gen)
+
+    resp = device.export_key(keyid)
+    kcv = hashlib.sha256(b'\x00'*32).digest()[:8]
+    assert(kcv == resp[:8])
+    assert(resp[8] == 12)
+    assert(resp[9:21] == b"\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x02\x03")
+
+    pkey = hashlib.sha256(b'\x00'*32+b'\x00\x00\x00\x02').digest()
+    c = cmac.CMAC(algorithms.AES(pkey))
+    c.update(resp[:-16])
+    resCMAC = c.finalize()
+    assert(resCMAC == resp[-16:])
+
+    iv = b'\x00'*16
+    pkey = hashlib.sha256(b'\x00'*32+b'\x00\x00\x00\x01').digest()
+    cipher = Cipher(algorithms.AES(pkey), modes.CBC(iv))
+    decryptor = cipher.decryptor()
+    payload = decryptor.update(resp[27:-16]) + decryptor.finalize()
+
+    rnd = payload[:8]
+    ofs = 8
+    key_size = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2
+    A_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2+A_len
+    B_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2+B_len
+    P_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2+P_len
+    N_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2+N_len
+    G_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2+G_len
+    d_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2
+    d = payload[ofs:ofs+d_len]
+    ofs += d_len
+    Q_len = int.from_bytes(payload[ofs:ofs+2], 'big')
+    ofs += 2
+    Q = payload[ofs:ofs+Q_len]
+    ofs += Q_len
+
+    pkey_ex = ec.EllipticCurvePrivateNumbers(int.from_bytes(d, 'big'), ec.EllipticCurvePublicKey.from_encoded_point(ec.BrainpoolP256R1(), Q).public_numbers()).private_key()
+    assert(pkey_gen.private_bytes(serialization.Encoding.DER, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()) == pkey_ex.private_bytes(serialization.Encoding.DER, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
+    assert(pkey_gen.public_key().public_bytes(serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint) == pkey_ex.public_key().public_bytes(serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint))
+
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)

tests/pico-hsm/test_030_signature.py

@@ -18,7 +18,7 @@
 """
 
 import pytest
-from utils import KeyType, DOPrefixes, Algorithm
+from picohsm import KeyType, DOPrefixes, Algorithm
 from binascii import hexlify
 import hashlib
 
@@ -39,7 +39,7 @@ def test_signature_ecc(device, curve, scheme):
     else:
         datab = data
     signature = device.sign(keyid=keyid, scheme=scheme, data=datab)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
     device.verify(pubkey, datab, signature, scheme)
 
 @pytest.mark.parametrize(
@@ -52,6 +52,15 @@ def test_signature_rsa(device, modulus, scheme):
     keyid = device.key_generation(KeyType.RSA, modulus)
     pubkey = device.public_key(keyid=keyid)
     signature = device.sign(keyid=keyid, scheme=scheme, data=data)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
     device.verify(pubkey, data, signature, scheme)
 
+@pytest.mark.parametrize(
+    "curve", ['ed25519', 'ed448']
+)
+def test_signature_edwards(device, curve):
+    keyid = device.key_generation(KeyType.ECC, curve)
+    pubkey = device.public_key(keyid=keyid)
+    signature = device.sign(keyid=keyid, scheme=Algorithm.ALGO_EC_RAW, data=data)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.verify(pubkey, data, signature)

tests/pico-hsm/test_040_decrypt.py

@@ -18,9 +18,8 @@
 """
 
 import pytest
-from utils import KeyType, DOPrefixes, Algorithm
+from picohsm import KeyType, DOPrefixes
 from binascii import hexlify
-import hashlib
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives import hashes
 
@@ -43,6 +42,6 @@ def test_decrypt_rsa(device, modulus, pad):
     message = data[:(modulus//8)-100]
     ciphered = pubkey.encrypt(message, pad)
     datab = device.decrypt(keyid, ciphered, pad)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
     assert(datab == message)
 

tests/pico-hsm/test_050_cipher.py

@@ -20,8 +20,9 @@
 import pytest
 import os
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from utils import Algorithm, DOPrefixes
-from const import DEFAULT_DKEK_SHARES, DEFAULT_DKEK
+from picohsm import Algorithm, DOPrefixes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
 
 MESSAGE = b'a secret message'
 
@@ -42,11 +43,11 @@ def test_cipher_aes_cipher(device, size):
     encryptor = cipher.encryptor()
     ctA = encryptor.update(MESSAGE) + encryptor.finalize()
     ctB = device.cipher(Algorithm.ALGO_AES_CBC_ENCRYPT, keyid, MESSAGE)
-    assert(bytes(ctB) == ctA)
+    assert(ctB == ctA)
 
     decryptor = cipher.decryptor()
     plA = decryptor.update(ctA) + decryptor.finalize()
     plB = device.cipher(Algorithm.ALGO_AES_CBC_DECRYPT, keyid, ctA)
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    assert(bytes(plB) == plA)
-    assert(bytes(plB) == MESSAGE)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    assert(plB == plA)
+    assert(plB == MESSAGE)

tests/pico-hsm/test_051_chachapoly.py

@@ -0,0 +1,126 @@
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+import pytest
+import os
+from cryptography.hazmat.primitives.ciphers import aead
+import cryptography.exceptions
+from picohsm import APDUResponse, DOPrefixes, EncryptionMode, SWCodes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
+from binascii import hexlify
+
+MESSAGE = b'a secret message'
+AAD = b'this is a tag for AAD'
+
+def test_prepare_chachapoly(device):
+    device.initialize(dkek_shares=DEFAULT_DKEK_SHARES)
+    resp = device.import_dkek(DEFAULT_DKEK)
+    resp = device.import_dkek(DEFAULT_DKEK)
+
+def generate_key(device):
+     # ChaCha uses 32 bytes key
+    pkey = os.urandom(256 // 8)
+    keyid = device.import_key(pkey)
+    return pkey, keyid
+
+
+def test_cipher_chachapoly_cipher(device):
+    iv = b'\x00'*12
+    pkey, keyid = generate_key(device)
+
+    ctd = device.chachapoly(keyid, EncryptionMode.ENCRYPT, data=MESSAGE, aad=AAD)
+
+    chacha = aead.ChaCha20Poly1305(pkey)
+    ctg = chacha.encrypt(iv, MESSAGE, AAD)
+    assert(ctd == ctg)
+
+    pld = device.chachapoly(keyid, EncryptionMode.DECRYPT, data=ctd, aad=AAD)
+
+    plg = chacha.decrypt(iv, ctg, AAD)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    assert(pld == plg)
+    assert(pld == MESSAGE)
+
+def test_cipher_chachapoly_random_iv(device):
+    pkey, keyid = generate_key(device)
+    iv = os.urandom(12)
+    ctd = device.chachapoly(keyid, EncryptionMode.ENCRYPT, data=MESSAGE, iv=iv, aad=AAD)
+
+    chacha = aead.ChaCha20Poly1305(pkey)
+    ctg = chacha.encrypt(iv, MESSAGE, AAD)
+    assert(ctd == ctg)
+
+    pld = device.chachapoly(keyid, EncryptionMode.DECRYPT, data=ctd, iv=iv, aad=AAD)
+
+    plg = chacha.decrypt(iv, ctg, AAD)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    assert(pld == plg)
+    assert(pld == MESSAGE)
+
+def test_cipher_chachapoly_no_aad(device):
+    pkey, keyid = generate_key(device)
+    iv = os.urandom(12)
+    ctd = device.chachapoly(keyid, EncryptionMode.ENCRYPT, data=MESSAGE, iv=iv)
+
+    chacha = aead.ChaCha20Poly1305(pkey)
+    ctg = chacha.encrypt(iv, MESSAGE, b'')
+    assert(ctd == ctg)
+
+    pld = device.chachapoly(keyid, EncryptionMode.DECRYPT, data=ctd, iv=iv)
+
+    plg = chacha.decrypt(iv, ctg, b'')
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    assert(pld == plg)
+    assert(pld == MESSAGE)
+
+def test_cipher_chachapoly_bad_random_iv(device):
+    pkey, keyid = generate_key(device)
+    iv = os.urandom(12)
+    ctd = device.chachapoly(keyid, EncryptionMode.ENCRYPT, data=MESSAGE, iv=iv, aad=AAD)
+
+    chacha = aead.ChaCha20Poly1305(pkey)
+    ctg = chacha.encrypt(iv, MESSAGE, AAD)
+    assert(ctd == ctg)
+
+    iv = os.urandom(12)
+    with pytest.raises(APDUResponse) as e:
+        pld = device.chachapoly(keyid, EncryptionMode.DECRYPT, data=ctd, iv=iv, aad=AAD)
+    assert (e.value.sw == SWCodes.SW_WRONG_DATA)
+
+    with pytest.raises(cryptography.exceptions.InvalidTag):
+        plg = chacha.decrypt(iv, ctg, AAD)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+
+def test_cipher_chachapoly_bad_aad(device):
+    pkey, keyid = generate_key(device)
+    iv = os.urandom(12)
+    ctd = device.chachapoly(keyid, EncryptionMode.ENCRYPT, data=MESSAGE, iv=iv, aad=AAD)
+
+    chacha = aead.ChaCha20Poly1305(pkey)
+    ctg = chacha.encrypt(iv, MESSAGE, AAD)
+    assert(ctd == ctg)
+
+    with pytest.raises(APDUResponse) as e:
+        pld = device.chachapoly(keyid, EncryptionMode.DECRYPT, data=ctd, iv=iv, aad=AAD + b'bad')
+    assert (e.value.sw == SWCodes.SW_WRONG_DATA)
+
+    with pytest.raises(cryptography.exceptions.InvalidTag):
+        plg = chacha.decrypt(iv, ctg, AAD + b'bad')
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)

tests/pico-hsm/test_052_aes_ext.py

@@ -0,0 +1,342 @@
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+import pytest
+import os
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes, aead
+import cryptography.exceptions
+from picohsm import APDUResponse, DOPrefixes, EncryptionMode, SWCodes, AES
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
+from binascii import hexlify
+
+MESSAGE = b'a secret message'
+AAD = b'this is a tag for AAD'
+
+def test_prepare_aes(device):
+    device.initialize(dkek_shares=DEFAULT_DKEK_SHARES)
+    resp = device.import_dkek(DEFAULT_DKEK)
+    resp = device.import_dkek(DEFAULT_DKEK)
+
+def generate_key(device, size):
+    pkey = os.urandom(size // 8)
+    keyid = device.import_key(pkey)
+    return pkey, keyid
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_ecb(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.ECB, MESSAGE)
+
+    cipher = Cipher(algorithms.AES(pkey), modes.ECB())
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.ECB, ctA)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_cbc_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CBC, MESSAGE)
+
+    iv = b'\x00' * 16
+    cipher = Cipher(algorithms.AES(pkey), modes.CBC(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CBC, ctA)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_cbc_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(16)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CBC, MESSAGE, iv=iv)
+
+    cipher = Cipher(algorithms.AES(pkey), modes.CBC(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CBC, ctA, iv=iv)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_ofb_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.OFB, MESSAGE)
+
+    iv = b'\x00' * 16
+    cipher = Cipher(algorithms.AES(pkey), modes.OFB(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.OFB, ctA)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_ofb_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(16)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.OFB, MESSAGE, iv=iv)
+
+    cipher = Cipher(algorithms.AES(pkey), modes.OFB(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.OFB, ctA, iv=iv)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_cfb_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CFB, MESSAGE)
+
+    iv = b'\x00' * 16
+    cipher = Cipher(algorithms.AES(pkey), modes.CFB(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CFB, ctA)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_cfb_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(16)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CFB, MESSAGE, iv=iv)
+
+    cipher = Cipher(algorithms.AES(pkey), modes.CFB(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CFB, ctA, iv=iv)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_gcm_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.GCM, MESSAGE, aad=AAD)
+
+    iv = b'\x00' * 16
+    encryptor = Cipher(algorithms.AES(pkey), modes.GCM(iv)).encryptor()
+    encryptor.authenticate_additional_data(AAD)
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB + encryptor.tag)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.GCM, ctA, aad=AAD)
+    decryptor = Cipher(algorithms.AES(pkey), modes.GCM(iv, encryptor.tag)).decryptor()
+    decryptor.authenticate_additional_data(AAD)
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_gcm_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(16)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.GCM, MESSAGE, iv=iv, aad=AAD)
+
+    encryptor = Cipher(algorithms.AES(pkey), modes.GCM(iv)).encryptor()
+    encryptor.authenticate_additional_data(AAD)
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB + encryptor.tag)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.GCM, ctA, iv=iv, aad=AAD)
+    decryptor = Cipher(algorithms.AES(pkey), modes.GCM(iv, encryptor.tag)).decryptor()
+    decryptor.authenticate_additional_data(AAD)
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [256, 512]
+)
+def test_aes_xts_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.XTS, MESSAGE)
+
+    iv = b'\x00' * 16
+    cipher = Cipher(algorithms.AES(pkey), modes.XTS(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.XTS, ctA)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [256, 512]
+)
+def test_aes_xts_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(16)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.XTS, MESSAGE, iv=iv)
+
+    cipher = Cipher(algorithms.AES(pkey), modes.XTS(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.XTS, ctA, iv=iv)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_ctr_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CTR, MESSAGE)
+
+    iv = b'\x00' * 16
+    cipher = Cipher(algorithms.AES(pkey), modes.CTR(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CTR, ctA)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_ctr_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(16)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CTR, MESSAGE, iv=iv)
+
+    cipher = Cipher(algorithms.AES(pkey), modes.CTR(iv))
+    encryptor = cipher.encryptor()
+    ctB = encryptor.update(MESSAGE) + encryptor.finalize()
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CTR, ctA, iv=iv)
+    decryptor = cipher.decryptor()
+    dtB = decryptor.update(ctB) + decryptor.finalize()
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+def test_aes_ccm_no_iv(device, size):
+    pkey, keyid = generate_key(device, size)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CCM, MESSAGE, aad=AAD)
+
+    iv = b'\x00' * 12
+    encryptor = aead.AESCCM(pkey)
+    ctB = encryptor.encrypt(iv, MESSAGE, AAD)
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CCM, ctA, aad=AAD)
+    decryptor = encryptor
+    dtB = decryptor.decrypt(iv, ctB, AAD)
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)
+
+@pytest.mark.parametrize(
+    "size", [128, 192, 256]
+)
+@pytest.mark.parametrize(
+    "iv_len", [7, 8, 9, 10, 11, 12, 13]
+)
+def test_aes_ccm_iv(device, size, iv_len):
+    pkey, keyid = generate_key(device, size)
+    iv = os.urandom(iv_len)
+    ctA = device.aes(keyid, EncryptionMode.ENCRYPT, AES.CCM, MESSAGE, iv=iv, aad=AAD)
+
+    encryptor = aead.AESCCM(pkey)
+    ctB = encryptor.encrypt(iv, MESSAGE, AAD)
+    assert(ctA == ctB)
+
+    dtA = device.aes(keyid, EncryptionMode.DECRYPT, AES.CCM, ctA, iv=iv, aad=AAD)
+    decryptor = encryptor
+    dtB = decryptor.decrypt(iv, ctB, AAD)
+    assert(dtA == dtB)
+    assert(dtA == MESSAGE)
+    device.delete_key(keyid)

tests/pico-hsm/test_060_mac.py

@@ -21,8 +21,9 @@ import pytest
 import os
 from cryptography.hazmat.primitives import hashes, hmac, cmac
 from cryptography.hazmat.primitives.ciphers import algorithms
-from utils import Algorithm, DOPrefixes
-from const import DEFAULT_DKEK_SHARES, DEFAULT_DKEK
+from picohsm import DOPrefixes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
 
 MESSAGE = b'a secret message'
 
@@ -44,8 +45,8 @@ def test_mac_hmac(device, size, algo):
     h = hmac.HMAC(pkey, algo())
     h.update(MESSAGE)
     resB = h.finalize()
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    assert(bytes(resA) == resB)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    assert(resA == resB)
 
 @pytest.mark.parametrize(
     "size", [128, 192, 256]
@@ -57,6 +58,6 @@ def test_mac_cmac(device, size):
     c = cmac.CMAC(algorithms.AES(pkey))
     c.update(MESSAGE)
     resB = c.finalize()
-    device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
-    assert(bytes(resA) == resB)
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    assert(resA == resB)
 

tests/pico-hsm/test_070_hkdf.py

@@ -22,8 +22,9 @@ import os
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography import exceptions
-from const import DEFAULT_DKEK_SHARES, DEFAULT_DKEK
-from utils import DOPrefixes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
+from picohsm import DOPrefixes
 
 INFO = b'info message'
 
@@ -47,7 +48,7 @@ class TestHKDF:
         keyid = device.import_key(pkey)
         salt = os.urandom(16)
         resA = device.hkdf(algo, keyid, INFO, salt, out_len=out_len)
-        device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+        device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
         hkdf = HKDF(
             algorithm=algo(),
             length=out_len,
@@ -55,21 +56,21 @@ class TestHKDF:
             info=INFO,
         )
         resB = hkdf.derive(pkey)
-        assert(bytes(resA) == resB)
+        assert(resA == resB)
         hkdf = HKDF(
             algorithm=algo(),
             length=out_len,
             salt=salt,
             info=INFO,
         )
-        hkdf.verify(pkey, bytes(resA))
+        hkdf.verify(pkey, resA)
 
     def test_hkdf_fail(self, device, size, algo, out_len):
         pkey = os.urandom(size // 8)
         keyid = device.import_key(pkey)
         salt = os.urandom(16)
         resA = device.hkdf(algo, keyid, INFO, salt, out_len=out_len)
-        device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+        device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
         hkdf = HKDF(
             algorithm=algo(),
             length=out_len,
@@ -78,4 +79,4 @@ class TestHKDF:
         )
         pkey = os.urandom(size // 8)
         with pytest.raises(exceptions.InvalidKey):
-            hkdf.verify(pkey, bytes(resA))
+            hkdf.verify(pkey, resA)

tests/pico-hsm/test_071_pbkdf2.py

@@ -22,8 +22,9 @@ import os
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography import exceptions
-from const import DEFAULT_DKEK_SHARES, DEFAULT_DKEK
-from utils import DOPrefixes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
+from picohsm import DOPrefixes
 
 INFO = b'info message'
 
@@ -50,7 +51,7 @@ class TestPBKDF2:
         keyid = device.import_key(pkey)
         salt = os.urandom(16)
         resA = device.pbkdf2(algo, keyid, salt, iterations=iterations, out_len=out_len)
-        device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+        device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
         kdf = PBKDF2HMAC(
             algorithm=algo(),
             length=out_len,
@@ -58,21 +59,21 @@ class TestPBKDF2:
             iterations=iterations,
         )
         resB = kdf.derive(pkey)
-        assert(bytes(resA) == resB)
+        assert(resA == resB)
         kdf = PBKDF2HMAC(
             algorithm=algo(),
             length=out_len,
             salt=salt,
             iterations=iterations,
         )
-        kdf.verify(pkey, bytes(resA))
+        kdf.verify(pkey, resA)
 
     def test_pbkdf2_fail(self, device, size, algo, out_len, iterations):
         pkey = os.urandom(size // 8)
         keyid = device.import_key(pkey)
         salt = os.urandom(16)
         resA = device.pbkdf2(algo, keyid, salt, iterations=iterations, out_len=out_len)
-        device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+        device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
 
         kdf = PBKDF2HMAC(
             algorithm=algo(),
@@ -82,4 +83,4 @@ class TestPBKDF2:
         )
         pkey = os.urandom(size // 8)
         with pytest.raises(exceptions.InvalidKey):
-            kdf.verify(pkey, bytes(resA))
+            kdf.verify(pkey, resA)

tests/pico-hsm/test_072_x963.py

@@ -22,8 +22,9 @@ import os
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
 from cryptography import exceptions
-from const import DEFAULT_DKEK_SHARES, DEFAULT_DKEK
-from utils import DOPrefixes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
+from picohsm import DOPrefixes
 
 INFO = b'shared message'
 
@@ -46,26 +47,26 @@ class TestX963:
         pkey = os.urandom(size // 8)
         keyid = device.import_key(pkey)
         resA = device.x963(algo, keyid, INFO, out_len=out_len)
-        device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+        device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
         xkdf = X963KDF(
             algorithm=algo(),
             length=out_len,
             sharedinfo=INFO,
         )
         resB = xkdf.derive(pkey)
-        assert(bytes(resA) == resB)
+        assert(resA == resB)
         xkdf = X963KDF(
             algorithm=algo(),
             length=out_len,
             sharedinfo=INFO,
         )
-        xkdf.verify(pkey, bytes(resA))
+        xkdf.verify(pkey, resA)
 
     def test_x963_fail(self, device, size, algo, out_len):
         pkey = os.urandom(size // 8)
         keyid = device.import_key(pkey)
         resA = device.x963(algo, keyid, INFO, out_len=out_len)
-        device.delete_file(DOPrefixes.KEY_PREFIX.value << 8 | keyid)
+        device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
         xkdf = X963KDF(
             algorithm=algo(),
             length=out_len,
@@ -73,4 +74,4 @@ class TestX963:
         )
         pkey = os.urandom(size // 8)
         with pytest.raises(exceptions.InvalidKey):
-            xkdf.verify(pkey, bytes(resA))
+            xkdf.verify(pkey, resA)

tests/pico-hsm/test_080_pka.py

@@ -0,0 +1,146 @@
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2023 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+import pytest
+from binascii import unhexlify, hexlify
+from cvc.certificates import CVC
+from picohsm.utils import int_to_bytes
+from picohsm import APDUResponse, SWCodes
+from const import TERM_CERT, DICA_CERT
+from cryptography.hazmat.primitives.asymmetric import ec, utils
+from cryptography.hazmat.primitives import hashes
+
+AUT_KEY = unhexlify('0A40E11E672C28C558B72C25D93BCF28C08D39AFDD5A1A2FD3BAF7A6B27F0C2E')
+aut_pk = ec.derive_private_key(int.from_bytes(AUT_KEY, 'big'), ec.BrainpoolP256R1())
+AUT_PUK = unhexlify('678201ed7f218201937f4e82014b5f290100421045535049434f48534d54525a474e50327f4982011d060a04007f000702020202038120a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e537782207d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9832026dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b68441048bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f0469978520a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a78641040cc18ce246da678239af0913a1579dda58c07be404da4a65327794fac93f57a333267979905b5d046da7020226cc4e5fc477e8fc651a0cf87095259aafa88e648701015f201045535049434f48534d54525a474e50325f37401fc90bdab2a58c3cd25f18a90baa2c21d3d087002ba240fb274ff066759297f79e130053d902d637a448c8cdcd0670fe8ebcc06d8a3ee82079f08d1ff8660393421045535049434f48534d54525a474e50325f3740e24e7e23eae3c78f9fa88391004369a293c43ef99e2279170983e1dbe707fbf0382d09de3e60ef1addd2f055947c3efcef17926065ddb7a031f4905da474ed1d')
+
+
+term_chr = CVC().decode(TERM_CERT).chr()
+
+def test_initialize(device):
+    device.initialize(puk_auts=1, puk_min_auts=1)
+    device.logout()
+
+def test_register_puk(device):
+    status = device.get_puk_status()
+    assert(status == bytes([1,1,1,0]))
+
+    status = device.register_puk(AUT_PUK, TERM_CERT, DICA_CERT)
+    assert(status == bytes([1,0,1,0]))
+    assert(device.check_puk_key(term_chr) == 0)
+
+def test_enumerate_puk_reg(device):
+    puks = device.enumerate_puk()
+    assert(len(puks) == 1)
+    assert(puks[0]['status'] == 0)
+
+def test_authentication(device):
+    input = device.puk_prepare_signature()
+    signature = aut_pk.sign(input, ec.ECDSA(hashes.SHA256()))
+    r,s = utils.decode_dss_signature(signature)
+    signature = list(int_to_bytes(r) + int_to_bytes(s))
+    device.authenticate_puk(term_chr, signature)
+    status = device.get_puk_status()
+    assert(status == bytes([1,0,1,1]))
+
+def test_enumerate_puk_ok(device):
+    puks = device.enumerate_puk()
+    assert(len(puks) == 1)
+    assert(puks[0]['status'] == 1)
+
+def test_check_key(device):
+    assert(device.check_puk_key(term_chr) == 1)
+    bad_chr = b'XXXXX'
+    assert(device.check_puk_key(bad_chr) == -1)
+    assert(device.check_puk_key(bad_chr) != 0)
+    assert(device.check_puk_key(bad_chr) != 1)
+
+def test_puk_reset(device):
+    device.logout()
+    status = device.get_puk_status()
+    assert(status == bytes([1,0,1,0]))
+    assert(device.check_puk_key(term_chr) == 0)
+
+def test_authentication_fail(device):
+    input = b'this is a fake input'
+    signature = aut_pk.sign(input, ec.ECDSA(hashes.SHA256()))
+    r,s = utils.decode_dss_signature(signature)
+    signature = list(int_to_bytes(r) + int_to_bytes(s))
+    with pytest.raises(APDUResponse) as e:
+        device.authenticate_puk(term_chr, signature)
+    assert(e.value.sw == SWCodes.SW_CONDITIONS_NOT_SATISFIED)
+
+    status = device.get_puk_status()
+    assert(status == bytes([1,0,1,0]))
+    assert(device.check_puk_key(term_chr) == 0)
+
+def test_enumerate_puk_1(device):
+    device.initialize(puk_auts=1, puk_min_auts=1)
+    puks = device.enumerate_puk()
+    assert(len(puks) == 1)
+    assert(puks[0]['status'] == -1)
+
+    device.register_puk(AUT_PUK, TERM_CERT, DICA_CERT)
+    puks = device.enumerate_puk()
+    assert(len(puks) == 1)
+    assert(puks[0]['status'] == 0)
+
+def test_enumerate_puk_2(device):
+    device.initialize(puk_auts=2, puk_min_auts=1)
+    puks = device.enumerate_puk()
+    assert(len(puks) == 2)
+    assert(puks[0]['status'] == -1)
+    assert(puks[1]['status'] == -1)
+
+    device.register_puk(AUT_PUK, TERM_CERT, DICA_CERT)
+    puks = device.enumerate_puk()
+    assert(len(puks) == 2)
+    assert(puks[0]['status'] == 0)
+    assert(puks[1]['status'] == -1)
+
+def test_register_more_puks(device):
+    device.initialize(puk_auts=2, puk_min_auts=1)
+    status = device.get_puk_status()
+    assert(status == bytes([2,2,1,0]))
+
+    status = device.register_puk(AUT_PUK, TERM_CERT, DICA_CERT)
+    assert(status == bytes([2,1,1,0]))
+
+def test_is_pku(device):
+    device.initialize(puk_auts=1, puk_min_auts=1)
+    assert(device.is_puk() == True)
+
+    device.initialize()
+    assert(device.is_puk() == False)
+
+def test_check_puk_key(device):
+    device.initialize(puk_auts=1, puk_min_auts=1)
+    status = device.check_puk_key(term_chr)
+    assert(status == -1)
+
+    status = device.register_puk(AUT_PUK, TERM_CERT, DICA_CERT)
+    status = device.check_puk_key(term_chr)
+    assert(status == 0)
+
+
+def test_register_puk_with_no_puk(device):
+    device.initialize()
+    with pytest.raises(APDUResponse) as e:
+        device.register_puk(AUT_PUK, TERM_CERT, DICA_CERT)
+    assert(e.value.sw == SWCodes.SW_FILE_NOT_FOUND)

tests/pico-hsm/test_090_xkek.py

@@ -0,0 +1,98 @@
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2023 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+import pytest
+from binascii import unhexlify, hexlify
+from picohsm.utils import int_to_bytes
+from const import TERM_CERT, DICA_CERT
+from cvc.asn1 import ASN1
+from cvc.certificates import CVC
+from cvc import oid
+from cryptography.hazmat.primitives.asymmetric import ec
+from picohsm import DOPrefixes, APDUResponse, SWCodes
+
+KDM = unhexlify(b'30820420060b2b0601040181c31f0402016181ed7f2181e97f4e81a25f290100421045535049434f48534d434130303030317f494f060a04007f0007020202020386410421ee4a21c16a10f737f12e78e5091b266612038cdabebb722b15bf6d41b877fbf64d9ab69c39b9831b1ae00bef2a4e81976f7688d45189bb232a24703d8a96a55f201045535049434f48534d445630303030317f4c12060904007f000703010202530580000000005f25060202000801085f24060203000601045f37403f75c08fffc9186b56e6147199e82bfc327ceef72495bc567961cd54d702f13e3c2766fcd1d11bd6a9d1f4a229b76b248ceb9af88d59a74d0ab149448705159b6281e97f2181e57f4e819e5f290100421045535049434f48534d445630303030317f494f060a04007f00070202020203864104c8561b41e54fea81bb80dd4a6d537e7c3904344e8ca90bc5f668111811e02c8d5d51ca93ca89558f2a8a9cbb147434e3441ec174505ff980fd7a7106286196915f201045535049434f48534d54524a444736387f4c0e060904007f0007030102025301005f25060203000300065f24060204000300055f3740983de63d0975b715ebd8a93cb38fa9638882c8b7064d51a6facabed693b92edc098e458b713203413ef6de0958c44772cbdbc264205c7b1bdb8b4fcb2516437f638201f1678201ed7f218201937f4e82014b5f290100421045535049434f48534d54524a444736387f4982011d060a04007f000702020202038120a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e537782207d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9832026dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b68441048bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f0469978520a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a78641048b1f450912a2e4d428b7eefc5fa05618a9ef295e90009a61cbb0970181b333474ea94f94cde5a11aba0589e85d4225002789ff1cdcf25756f059647b49fc2a158701015f201045535049434f48534d54524a444736385f3740372407c20de7257c89dae1e6606c8a046ca65efaa010c0a22b75c402ee243de51f5f1507457193679ed9db4fbbfe8efb9d695b684492b665ad8ba98c1f84ea38421045535049434f48534d54524a444736385f374098718e2e14a44386b689b71a101530316b65ab49a91bab0dd56099c5161ecb8aadff6cf27449f94034e58b7306f01e6ffa2766a2f5bb1281e12e5f1f9174733454400cf8926ca5bec9a91bcd47bf391c15d94ef6e3243d5fd1fffeaafd586766bc3221eafd808f17f8450f238cc1fe7ab1854443db31d622f53a2b3fdb3ad750d5ce')
+
+def test_initialize(device):
+    device.initialize(key_domains=1)
+    device.logout()
+
+def test_create_xkek(device):
+    with pytest.raises(APDUResponse) as e:
+        device.create_xkek(KDM)
+    assert(e.value.sw == SWCodes.SW_CONDITIONS_NOT_SATISFIED)
+
+    device.login()
+    kcv, did = device.create_xkek(KDM)
+    assert(kcv == b'\x00'*8)
+
+    gskcert = ASN1().decode(KDM).find(0x30).find(0x63).data()
+    gskQ = CVC().decode(gskcert).pubkey().find(0x86).data()
+    pub = ec.EllipticCurvePublicKey.from_encoded_point(ec.BrainpoolP256R1(), bytes(gskQ))
+    assert(did == int_to_bytes(pub.public_numbers().x)+int_to_bytes(pub.public_numbers().y))
+
+keyid = -1
+def test_derive_xkek(device):
+    global keyid
+    keyid = device.generate_xkek_key()
+
+    resp = device.list_keys()
+    assert((DOPrefixes.KEY_PREFIX, keyid) in resp)
+
+    xkek_dom = device.get_key_domain()['xkek']
+    pkey = ec.generate_private_key(ec.BrainpoolP256R1())
+    pubkey = pkey.public_key()
+    cert = CVC().cert(pubkey=pubkey, scheme=oid.ID_TA_ECDSA_SHA_256, signkey=pkey, signscheme=oid.ID_TA_ECDSA_SHA_256, car=b"UTCA00001", chr=b"UTCDUMMY00001", extensions=[
+                {
+                    'tag': 0x73,
+                    'oid': b'\x2B\x06\x01\x04\x01\x81\xC3\x1F\x03\x02\x02',
+                    'contexts': {
+                        0: xkek_dom
+                    }
+                }
+            ]).encode()
+    device.derive_xkek(keyid, cert)
+
+    resp = device.get_key_domain()
+    assert(resp['kcv'] != b'\x00'*8)
+
+
+def test_delete_xkek(device):
+    device.delete_xkek()
+
+    resp = device.get_key_domain()
+    assert(resp['kcv'] == b'\x00'*8)
+
+def test_delete_domain_with_key(device):
+    with pytest.raises(APDUResponse) as e:
+        device.delete_key_domain()
+    assert(e.value.sw == SWCodes.SW_FILE_EXISTS)
+
+    device.delete_file(DOPrefixes.KEY_PREFIX, keyid)
+    device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid)
+
+def test_delete_domain(device):
+    device.delete_key_domain()
+
+    resp = device.get_key_domain()
+    assert('kcv' not in resp)
+    assert('xkek' not in resp)
+    assert('error' in resp)
+    assert(resp['error'] == SWCodes.SW_REFERENCE_NOT_FOUND)
+

tests/pico-hsm/test_095_bip_slip.py

@@ -0,0 +1,453 @@
+"""
+/*
+ * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
+ * Copyright (c) 2023 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+"""
+
+import pytest
+from binascii import unhexlify, hexlify
+from picohsm.utils import int_to_bytes
+from picohsm.const import DEFAULT_DKEK_SHARES
+from const import DEFAULT_DKEK
+from cvc.asn1 import ASN1
+from cvc.certificates import CVC
+from cvc import oid
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives import hashes
+from picohsm import EncryptionMode, APDUResponse, SWCodes, PicoHSM
+import hashlib
+
+TEST_STRING = b'Pico Keys are awesome!'
+
+def sha256_sha256(data):
+    return hashlib.sha256(hashlib.sha256(data).digest()).digest()
+
+def test_initialize(device):
+    device.initialize(dkek_shares=DEFAULT_DKEK_SHARES)
+    resp = device.import_dkek(DEFAULT_DKEK)
+    resp = device.import_dkek(DEFAULT_DKEK)
+
+seeds = [
+        {
+            'name': 'secp256k1',
+            'id': 0,
+            'seed': unhexlify('000102030405060708090a0b0c0d0e0f'),
+        },
+        {
+            'name': 'secp256k1',
+            'id': 1,
+            'seed': unhexlify('fffcf9f6f3f0edeae7e4e1dedbd8d5d2cfccc9c6c3c0bdbab7b4b1aeaba8a5a29f9c999693908d8a8784817e7b7875726f6c696663605d5a5754514e4b484542'),
+        },
+        {
+            'name': 'secp256k1',
+            'id': 2,
+            'seed': unhexlify('4b381541583be4423346c643850da4b320e46a87ae3d2a4e6da11eba819cd4acba45d239319ac14f863b8d5ab5a0d0c64d2e8a1e7d1457df2e5a3c51c73235be'),
+        },
+        {
+            'name': 'secp256k1',
+            'id': 3,
+            'seed': unhexlify('3ddd5602285899a946114506157c7997e5444528f3003f6134712147db19b678'),
+        },
+        {
+            'name': 'secp256r1',
+            'id': 4,
+            'seed': unhexlify('000102030405060708090a0b0c0d0e0f'),
+        },
+        {
+            'name': 'secp256r1',
+            'id': 5,
+            'seed': unhexlify('fffcf9f6f3f0edeae7e4e1dedbd8d5d2cfccc9c6c3c0bdbab7b4b1aeaba8a5a29f9c999693908d8a8784817e7b7875726f6c696663605d5a5754514e4b484542'),
+        },
+        {
+            'name': 'secp256r1',
+            'id': 6,
+            'seed': unhexlify('a7305bc8df8d0951f0cb224c0e95d7707cbdf2c6ce7e8d481fec69c7ff5e9446'),
+        },
+        {
+            'name': 'symmetric',
+            'id': 7,
+            'seed': unhexlify('c76c4ac4f4e4a00d6b274d5c39c700bb4a7ddc04fbc6f78e85ca75007b5b495f74a9043eeb77bdd53aa6fc3a0e31462270316fa04b8c19114c8798706cd02ac8'),
+        },
+    ]
+@pytest.mark.parametrize(
+    "seed", seeds
+)
+def test_generate_master(device, seed):
+    resp = device.hd_generate_master_node(curve=seed['name'], id=seed['id'], seed=seed['seed'])
+
+def hardened(i):
+    return 0x80000000 + i
+
+@pytest.mark.parametrize(
+    "path", [
+        {
+            'path': [0],
+            'xpub': b'xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8',
+        },
+        {
+            'path': [0, hardened(0)],
+            'xpub': b'xpub68Gmy5EdvgibQVfPdqkBBCHxA5htiqg55crXYuXoQRKfDBFA1WEjWgP6LHhwBZeNK1VTsfTFUHCdrfp1bgwQ9xv5ski8PX9rL2dZXvgGDnw',
+        },
+        {
+            'path': [0, hardened(0), 1],
+            'xpub': b'xpub6ASuArnXKPbfEwhqN6e3mwBcDTgzisQN1wXN9BJcM47sSikHjJf3UFHKkNAWbWMiGj7Wf5uMash7SyYq527Hqck2AxYysAA7xmALppuCkwQ',
+        },
+        {
+            'path': [0, hardened(0), 1, hardened(2)],
+            'xpub': b'xpub6D4BDPcP2GT577Vvch3R8wDkScZWzQzMMUm3PWbmWvVJrZwQY4VUNgqFJPMM3No2dFDFGTsxxpG5uJh7n7epu4trkrX7x7DogT5Uv6fcLW5',
+        },
+        {
+            'path': [0, hardened(0), 1, hardened(2), 2],
+            'xpub': b'xpub6FHa3pjLCk84BayeJxFW2SP4XRrFd1JYnxeLeU8EqN3vDfZmbqBqaGJAyiLjTAwm6ZLRQUMv1ZACTj37sR62cfN7fe5JnJ7dh8zL4fiyLHV',
+        },
+        {
+            'path': [0, hardened(0), 1, hardened(2), 2, 1000000000],
+            'xpub': b'xpub6H1LXWLaKsWFhvm6RVpEL9P4KfRZSW7abD2ttkWP3SSQvnyA8FSVqNTEcYFgJS2UaFcxupHiYkro49S8yGasTvXEYBVPamhGW6cFJodrTHy',
+        },
+        {
+            'path': [1],
+            'xpub': b'xpub661MyMwAqRbcFW31YEwpkMuc5THy2PSt5bDMsktWQcFF8syAmRUapSCGu8ED9W6oDMSgv6Zz8idoc4a6mr8BDzTJY47LJhkJ8UB7WEGuduB',
+        },
+        {
+            'path': [1, 0],
+            'xpub': b'xpub69H7F5d8KSRgmmdJg2KhpAK8SR3DjMwAdkxj3ZuxV27CprR9LgpeyGmXUbC6wb7ERfvrnKZjXoUmmDznezpbZb7ap6r1D3tgFxHmwMkQTPH',
+        },
+        {
+            'path': [1, 0, hardened(2147483647)],
+            'xpub': b'xpub6ASAVgeehLbnwdqV6UKMHVzgqAG8Gr6riv3Fxxpj8ksbH9ebxaEyBLZ85ySDhKiLDBrQSARLq1uNRts8RuJiHjaDMBU4Zn9h8LZNnBC5y4a',
+        },
+        {
+            'path': [1, 0, hardened(2147483647), 1],
+            'xpub': b'xpub6DF8uhdarytz3FWdA8TvFSvvAh8dP3283MY7p2V4SeE2wyWmG5mg5EwVvmdMVCQcoNJxGoWaU9DCWh89LojfZ537wTfunKau47EL2dhHKon',
+        },
+        {
+            'path': [1, 0, hardened(2147483647), 1, hardened(2147483646)],
+            'xpub': b'xpub6ERApfZwUNrhLCkDtcHTcxd75RbzS1ed54G1LkBUHQVHQKqhMkhgbmJbZRkrgZw4koxb5JaHWkY4ALHY2grBGRjaDMzQLcgJvLJuZZvRcEL',
+        },
+        {
+            'path': [1, 0, hardened(2147483647), 1, hardened(2147483646), 2],
+            'xpub': b'xpub6FnCn6nSzZAw5Tw7cgR9bi15UV96gLZhjDstkXXxvCLsUXBGXPdSnLFbdpq8p9HmGsApME5hQTZ3emM2rnY5agb9rXpVGyy3bdW6EEgAtqt',
+        },
+        {
+            'path': [2],
+            'xpub': b'xpub661MyMwAqRbcEZVB4dScxMAdx6d4nFc9nvyvH3v4gJL378CSRZiYmhRoP7mBy6gSPSCYk6SzXPTf3ND1cZAceL7SfJ1Z3GC8vBgp2epUt13',
+        },
+        {
+            'path': [2, hardened(0)],
+            'xpub': b'xpub68NZiKmJWnxxS6aaHmn81bvJeTESw724CRDs6HbuccFQN9Ku14VQrADWgqbhhTHBaohPX4CjNLf9fq9MYo6oDaPPLPxSb7gwQN3ih19Zm4Y',
+        },
+        {
+            'path': [3],
+            'xpub': b'xpub661MyMwAqRbcGczjuMoRm6dXaLDEhW1u34gKenbeYqAix21mdUKJyuyu5F1rzYGVxyL6tmgBUAEPrEz92mBXjByMRiJdba9wpnN37RLLAXa',
+        },
+        {
+            'path': [3, hardened(0)],
+            'xpub': b'xpub69AUMk3qDBi3uW1sXgjCmVjJ2G6WQoYSnNHyzkmdCHEhSZ4tBok37xfFEqHd2AddP56Tqp4o56AePAgCjYdvpW2PU2jbUPFKsav5ut6Ch1m',
+        },
+        {
+            'path': [3, hardened(0), hardened(1)],
+            'xpub': b'xpub6BJA1jSqiukeaesWfxe6sNK9CCGaujFFSJLomWHprUL9DePQ4JDkM5d88n49sMGJxrhpjazuXYWdMf17C9T5XnxkopaeS7jGk1GyyVziaMt',
+        },
+    ]
+)
+def test_derive_node_bip(device, path):
+    resp = device.hd_derive_node(path['path'])
+    assert(resp == path['xpub'])
+
+@pytest.mark.parametrize(
+    "path", [
+        {
+            'path': [0],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('873dff81c02f525623fd1fe5167eac3a55a049de3d314bb42ee227ffed37d508'),
+            'public': unhexlify('0339a36013301597daef41fbe593a02cc513d0b55527ec2df1050e2e8ff49c85c2')
+        },
+        {
+            'path': [0, hardened(0)],
+            'fingerprint': unhexlify('3442193e'),
+            'chain': unhexlify('47fdacbd0f1097043b78c63c20c34ef4ed9a111d980047ad16282c7ae6236141'),
+            'public': unhexlify('035a784662a4a20a65bf6aab9ae98a6c068a81c52e4b032c0fb5400c706cfccc56')
+        },
+        {
+            'path': [0, hardened(0), 1],
+            'fingerprint': unhexlify('5c1bd648'),
+            'chain': unhexlify('2a7857631386ba23dacac34180dd1983734e444fdbf774041578e9b6adb37c19'),
+            'public': unhexlify('03501e454bf00751f24b1b489aa925215d66af2234e3891c3b21a52bedb3cd711c')
+        },
+        {
+            'path': [0, hardened(0), 1, hardened(2)],
+            'fingerprint': unhexlify('bef5a2f9'),
+            'chain': unhexlify('04466b9cc8e161e966409ca52986c584f07e9dc81f735db683c3ff6ec7b1503f'),
+            'public': unhexlify('0357bfe1e341d01c69fe5654309956cbea516822fba8a601743a012a7896ee8dc2')
+        },
+        {
+            'path': [0, hardened(0), 1, hardened(2), 2],
+            'fingerprint': unhexlify('ee7ab90c'),
+            'chain': unhexlify('cfb71883f01676f587d023cc53a35bc7f88f724b1f8c2892ac1275ac822a3edd'),
+            'public': unhexlify('02e8445082a72f29b75ca48748a914df60622a609cacfce8ed0e35804560741d29')
+        },
+        {
+            'path': [0, hardened(0), 1, hardened(2), 2, 1000000000],
+            'fingerprint': unhexlify('d880d7d8'),
+            'chain': unhexlify('c783e67b921d2beb8f6b389cc646d7263b4145701dadd2161548a8b078e65e9e'),
+            'public': unhexlify('022a471424da5e657499d1ff51cb43c47481a03b1e77f951fe64cec9f5a48f7011')
+        },
+        {
+            'path': [4],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('beeb672fe4621673f722f38529c07392fecaa61015c80c34f29ce8b41b3cb6ea'),
+            'public': unhexlify('0266874dc6ade47b3ecd096745ca09bcd29638dd52c2c12117b11ed3e458cfa9e8')
+        },
+        {
+            'path': [4, hardened(0)],
+            'fingerprint': unhexlify('be6105b5'),
+            'chain': unhexlify('3460cea53e6a6bb5fb391eeef3237ffd8724bf0a40e94943c98b83825342ee11'),
+            'public': unhexlify('0384610f5ecffe8fda089363a41f56a5c7ffc1d81b59a612d0d649b2d22355590c')
+        },
+        {
+            'path': [4, hardened(0), 1],
+            'fingerprint': unhexlify('9b02312f'),
+            'chain': unhexlify('4187afff1aafa8445010097fb99d23aee9f599450c7bd140b6826ac22ba21d0c'),
+            'public': unhexlify('03526c63f8d0b4bbbf9c80df553fe66742df4676b241dabefdef67733e070f6844')
+        },
+        {
+            'path': [4, hardened(0), 1, hardened(2)],
+            'fingerprint': unhexlify('b98005c1'),
+            'chain': unhexlify('98c7514f562e64e74170cc3cf304ee1ce54d6b6da4f880f313e8204c2a185318'),
+            'public': unhexlify('0359cf160040778a4b14c5f4d7b76e327ccc8c4a6086dd9451b7482b5a4972dda0')
+        },
+        {
+            'path': [4, hardened(0), 1, hardened(2), 2],
+            'fingerprint': unhexlify('0e9f3274'),
+            'chain': unhexlify('ba96f776a5c3907d7fd48bde5620ee374d4acfd540378476019eab70790c63a0'),
+            'public': unhexlify('029f871f4cb9e1c97f9f4de9ccd0d4a2f2a171110c61178f84430062230833ff20')
+        },
+        {
+            'path': [4, hardened(0), 1, hardened(2), 2, 1000000000],
+            'fingerprint': unhexlify('8b2b5c4b'),
+            'chain': unhexlify('b9b7b82d326bb9cb5b5b121066feea4eb93d5241103c9e7a18aad40f1dde8059'),
+            'public': unhexlify('02216cd26d31147f72427a453c443ed2cde8a1e53c9cc44e5ddf739725413fe3f4')
+        },
+        {
+            'path': [1],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('60499f801b896d83179a4374aeb7822aaeaceaa0db1f85ee3e904c4defbd9689'),
+            'public': unhexlify('03cbcaa9c98c877a26977d00825c956a238e8dddfbd322cce4f74b0b5bd6ace4a7')
+        },
+        {
+            'path': [1, 0],
+            'fingerprint': unhexlify('bd16bee5'),
+            'chain': unhexlify('f0909affaa7ee7abe5dd4e100598d4dc53cd709d5a5c2cac40e7412f232f7c9c'),
+            'public': unhexlify('02fc9e5af0ac8d9b3cecfe2a888e2117ba3d089d8585886c9c826b6b22a98d12ea')
+        },
+        {
+            'path': [1, 0, hardened(2147483647)],
+            'fingerprint': unhexlify('5a61ff8e'),
+            'chain': unhexlify('be17a268474a6bb9c61e1d720cf6215e2a88c5406c4aee7b38547f585c9a37d9'),
+            'public': unhexlify('03c01e7425647bdefa82b12d9bad5e3e6865bee0502694b94ca58b666abc0a5c3b')
+        },
+        {
+            'path': [1, 0, hardened(2147483647), 1],
+            'fingerprint': unhexlify('d8ab4937'),
+            'chain': unhexlify('f366f48f1ea9f2d1d3fe958c95ca84ea18e4c4ddb9366c336c927eb246fb38cb'),
+            'public': unhexlify('03a7d1d856deb74c508e05031f9895dab54626251b3806e16b4bd12e781a7df5b9')
+        },
+        {
+            'path': [1, 0, hardened(2147483647), 1, hardened(2147483646)],
+            'fingerprint': unhexlify('78412e3a'),
+            'chain': unhexlify('637807030d55d01f9a0cb3a7839515d796bd07706386a6eddf06cc29a65a0e29'),
+            'public': unhexlify('02d2b36900396c9282fa14628566582f206a5dd0bcc8d5e892611806cafb0301f0')
+        },
+        {
+            'path': [1, 0, hardened(2147483647), 1, hardened(2147483646), 2],
+            'fingerprint': unhexlify('31a507b8'),
+            'chain': unhexlify('9452b549be8cea3ecb7a84bec10dcfd94afe4d129ebfd3b3cb58eedf394ed271'),
+            'public': unhexlify('024d902e1a2fc7a8755ab5b694c575fce742c48d9ff192e63df5193e4c7afe1f9c')
+        },
+        {
+            'path': [5],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('96cd4465a9644e31528eda3592aa35eb39a9527769ce1855beafc1b81055e75d'),
+            'public': unhexlify('02c9e16154474b3ed5b38218bb0463e008f89ee03e62d22fdcc8014beab25b48fa')
+        },
+        {
+            'path': [5, 0],
+            'fingerprint': unhexlify('607f628f'),
+            'chain': unhexlify('84e9c258bb8557a40e0d041115b376dd55eda99c0042ce29e81ebe4efed9b86a'),
+            'public': unhexlify('039b6df4bece7b6c81e2adfeea4bcf5c8c8a6e40ea7ffa3cf6e8494c61a1fc82cc')
+        },
+        {
+            'path': [5, 0, hardened(2147483647)],
+            'fingerprint': unhexlify('946d2a54'),
+            'chain': unhexlify('f235b2bc5c04606ca9c30027a84f353acf4e4683edbd11f635d0dcc1cd106ea6'),
+            'public': unhexlify('02f89c5deb1cae4fedc9905f98ae6cbf6cbab120d8cb85d5bd9a91a72f4c068c76')
+        },
+        {
+            'path': [5, 0, hardened(2147483647), 1],
+            'fingerprint': unhexlify('218182d8'),
+            'chain': unhexlify('7c0b833106235e452eba79d2bdd58d4086e663bc8cc55e9773d2b5eeda313f3b'),
+            'public': unhexlify('03abe0ad54c97c1d654c1852dfdc32d6d3e487e75fa16f0fd6304b9ceae4220c64')
+        },
+        {
+            'path': [5, 0, hardened(2147483647), 1, hardened(2147483646)],
+            'fingerprint': unhexlify('931223e4'),
+            'chain': unhexlify('5794e616eadaf33413aa309318a26ee0fd5163b70466de7a4512fd4b1a5c9e6a'),
+            'public': unhexlify('03cb8cb067d248691808cd6b5a5a06b48e34ebac4d965cba33e6dc46fe13d9b933')
+        },
+        {
+            'path': [5, 0, hardened(2147483647), 1, hardened(2147483646), 2],
+            'fingerprint': unhexlify('956c4629'),
+            'chain': unhexlify('3bfb29ee8ac4484f09db09c2079b520ea5616df7820f071a20320366fbe226a7'),
+            'public': unhexlify('020ee02e18967237cf62672983b253ee62fa4dd431f8243bfeccdf39dbe181387f')
+        },
+        {
+            'path': [4],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('beeb672fe4621673f722f38529c07392fecaa61015c80c34f29ce8b41b3cb6ea'),
+            'public': unhexlify('0266874dc6ade47b3ecd096745ca09bcd29638dd52c2c12117b11ed3e458cfa9e8')
+        },
+        {
+            'path': [4, hardened(28578)],
+            'fingerprint': unhexlify('be6105b5'),
+            'chain': unhexlify('e94c8ebe30c2250a14713212f6449b20f3329105ea15b652ca5bdfc68f6c65c2'),
+            'public': unhexlify('02519b5554a4872e8c9c1c847115363051ec43e93400e030ba3c36b52a3e70a5b7')
+        },
+        {
+            'path': [4, hardened(28578), 33941],
+            'fingerprint': unhexlify('3e2b7bc6'),
+            'chain': unhexlify('9e87fe95031f14736774cd82f25fd885065cb7c358c1edf813c72af535e83071'),
+            'public': unhexlify('0235bfee614c0d5b2cae260000bb1d0d84b270099ad790022c1ae0b2e782efe120')
+        },
+        {
+            'path': [6],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('7762f9729fed06121fd13f326884c82f59aa95c57ac492ce8c9654e60efd130c'),
+            'public': unhexlify('0383619fadcde31063d8c5cb00dbfe1713f3e6fa169d8541a798752a1c1ca0cb20')
+        },
+    ]
+)
+def test_derive_node_xpub(device, path):
+    resp = device.hd_derive_node(path['path'])
+    xpub = PicoHSM.hd_decode_xpub(resp)
+    assert(xpub['fingerprint'] == path['fingerprint'])
+    assert(xpub['chain'] == path['chain'])
+    assert(xpub['public'] == path['public'])
+
+@pytest.mark.parametrize(
+    "path", [
+        {
+            'path': [7],
+            'fingerprint': unhexlify('00000000'),
+            'chain': unhexlify('8F8C33732530A0417DD446097EDB6F6617D52D627C6DB28581D74D11B385D25A'),
+            'public': unhexlify('dbf12b44133eaab506a740f6565cc117228cbf1dd70635cfa8ddfdc9af734756')
+        },
+        {
+            'path': [7, b"SLIP-0021"],
+            'fingerprint': unhexlify('0e521cdd'),
+            'chain': unhexlify('446ADED06078CF950DAB737F014C7BAE81EEB6E7BEECC260A38E2E0FA9973104'),
+            'public': unhexlify('1d065e3ac1bbe5c7fad32cf2305f7d709dc070d672044a19e610c77cdf33de0d')
+        },
+        {
+            'path': [7, b"SLIP-0021", b"Master encryption key"],
+            'fingerprint': unhexlify('4a6e721d'),
+            'chain': unhexlify('7072D5593032B84A90E2E2E42996D277026FF55C1082AC82A121D775FED0ACEB'),
+            'public': unhexlify('ea163130e35bbafdf5ddee97a17b39cef2be4b4f390180d65b54cf05c6a82fde')
+        },
+        {
+            'path': [7, b"SLIP-0021", b"Authentication key"],
+            'fingerprint': unhexlify('4a6e721d'),
+            'chain': unhexlify('3D5C87DC62CE006681B8C3DF723AE50FEEA40D6C26AEF8135BD321BA390A5B42'),
+            'public': unhexlify('47194e938ab24cc82bfa25f6486ed54bebe79c40ae2a5a32ea6db294d81861a6')
+        },
+    ]
+)
+def test_derive_node_slip(device, path):
+    resp = device.hd_derive_node(path['path'])
+    xpub = PicoHSM.hd_decode_xpub(resp)
+    assert(xpub['fingerprint'] == path['fingerprint'])
+    assert(xpub['chain'] == sha256_sha256(path['chain']))
+    assert(xpub['public'] == sha256_sha256(path['public']))
+
+def get_master_curve(mid):
+    for m in seeds:
+        if (m['id'] == mid):
+            if (m['name'] == 'secp256k1'):
+                return ec.SECP256K1()
+            elif (m['name'] == 'secp256r1'):
+                return ec.SECP256R1()
+    return None
+
+@pytest.mark.parametrize(
+    "path", [
+        [0],
+        [0, hardened(0)],
+        [0, hardened(0), 1],
+        [0, hardened(0), 1, hardened(2)],
+        [0, hardened(0), 1, hardened(2), 2],
+        [0, hardened(0), 1, hardened(2), 2, 1000000000],
+        [1],
+        [1, 0],
+        [1, 0, hardened(2147483647)],
+        [1, 0, hardened(2147483647), 1],
+        [1, 0, hardened(2147483647), 1, hardened(2147483646)],
+        [1, 0, hardened(2147483647), 1, hardened(2147483646), 2],
+        [4],
+        [4, hardened(0)],
+        [4, hardened(0), 1],
+        [4, hardened(0), 1, hardened(2)],
+        [4, hardened(0), 1, hardened(2), 2],
+        [4, hardened(0), 1, hardened(2), 2, 1000000000],
+        [5],
+        [5, 0],
+        [5, 0, hardened(2147483647)],
+        [5, 0, hardened(2147483647), 1],
+        [5, 0, hardened(2147483647), 1, hardened(2147483646)],
+        [5, 0, hardened(2147483647), 1, hardened(2147483646), 2],
+    ]
+)
+def test_signature(device, path):
+    pub = device.hd_derive_node(path)
+    xpub = PicoHSM.hd_decode_xpub(pub)
+    curve = get_master_curve(path[0])
+    pubkey = ec.EllipticCurvePublicKey.from_encoded_point(curve, xpub['public'])
+    resp = device.hd_signature(path, TEST_STRING)
+    pubkey.verify(resp, TEST_STRING, ec.ECDSA(hashes.SHA256()))
+
+@pytest.mark.parametrize(
+    "path", [
+        [7],
+        [7, b"SLIP-0021"],
+        [7, b"SLIP-0021", b"Master encryption key"],
+        [7, b"SLIP-0021", b"Authentication key"],
+    ]
+)
+def test_signature_slip(device, path):
+    pub = device.hd_derive_node(path)
+    with pytest.raises(APDUResponse) as e:
+        resp = device.hd_signature(path, TEST_STRING)
+    assert (e.value.sw == SWCodes.SW_CONDITIONS_NOT_SATISFIED)
+
+@pytest.mark.parametrize(
+    "ask_on_encrypt", [True, False]
+)
+@pytest.mark.parametrize(
+    "ask_on_decrypt", [True, False]
+)
+def test_cipher_slip(device, ask_on_encrypt, ask_on_decrypt):
+    MSG1 = b"testing message!"
+    enctext = device.hd_cipher([7, b"\x01", b"\x02"], b"test", MSG1, EncryptionMode.ENCRYPT, ask_on_encrypt, ask_on_decrypt)
+    resp = device.hd_cipher([7, b"\x01", b"\x02"], b"test", enctext, EncryptionMode.DECRYPT, ask_on_encrypt, ask_on_decrypt)
+    assert(resp == MSG1)

tests/run-test-in-docker.sh

@@ -1,5 +1,11 @@
 #!/bin/bash -eu
 
 source tests/docker_env.sh
-run_in_docker ./tests/start-up-and-test.sh
 
+if [[ $1 == "pkcs11" ]]; then
+    run_in_docker ./tests/start-up-and-test-pkcs11.sh
+elif [[ $1 == "sc-hsm-pkcs11" ]]; then
+    run_in_docker ./tests/scripts/sc_hsm_test.sh
+else
+    run_in_docker ./tests/start-up-and-test.sh
+fi

tests/scripts/aes.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+TEST_DATA="This is a text."
+
+echo "${TEST_DATA}" > test
+
+sc_tool() {
+    pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so -l --pin 648219 $@
+}
+
+aeses=("16" "24" "32")
+
+for aes in ${aeses[*]}; do
+    echo "  Test AES (AES:${aes})"
+    echo -n "    Keygen... "
+    sc_tool --keygen --key-type "AES:${aes}" --id 1 --label "AES:${aes}" > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    e=$(sc_tool --list-object --type secrkey 2>&1)
+    test $? -eq 0 && echo -n "." || exit $?
+    grep -q "AES length ${aes}" <<< $e && echo -n "." || exit $?
+    grep -q "AES:${aes}" <<< $e && echo -e ".\t${OK}" || exit $?
+
+    echo -n "    Encryption..."
+    sc_tool --encrypt --id 1 --input-file test --mechanism aes-cbc > crypted.aes 2>/dev/null
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+    echo -n "    Decryption..."
+    e=$(sc_tool --decrypt --id 1 --input-file crypted.aes --mechanism aes-cbc 2>/dev/null)
+    test $? -eq 0 && echo -n "." || exit $?
+    grep -q "${TEST_DATA}" <<< $e && echo -e ".\t${OK}" || exit $?
+
+    sc_tool --delete --type secrkey --id 1 > /dev/null 2>&1
+done
+rm -rf test crypted.aes

tests/scripts/asym_cipher.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+rsa_encrypt_decrypt() {
+    openssl pkeyutl -encrypt -pubin -inkey 1.pub $2 -in $1 -out data.crypt
+    test $? -eq 0 && echo -n "." || exit $?
+    TDATA=$(tr -d '\0' < <(pkcs11-tool --id 1 --pin 648219 --decrypt $3 -i data.crypt 2>/dev/null))
+    test $? -eq 0 && echo -n "." || exit $?
+    if [[ ${TEST_STRING} != "$TDATA" ]]; then
+        exit 1
+    fi
+    test $? -eq 0 && echo -n "." || exit $?
+}
+
+TEST_STRING="This is a test string. Be safe, be secure."
+
+echo ${TEST_STRING} > data
+
+echo -n "  Keygen RSA 2048..."
+keygen_and_export rsa:2048
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+echo -n "  Test RSA-PKCS ciphering..."
+rsa_encrypt_decrypt data "-pkeyopt rsa_padding_mode:pkcs1" "--mechanism RSA-PKCS"
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+echo -n "  Test RSA-X-509 ciphering..."
+cp data data_pad
+tlen=${#TEST_STRING}
+dd if=/dev/zero bs=1 count=$((256-$tlen-1)) >> data_pad 2> /dev/null
+test $? -eq 0 && echo -n "." || exit $?
+rsa_encrypt_decrypt data_pad "-pkeyopt rsa_padding_mode:none" "--mechanism RSA-X-509"
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+echo -n "  Test RSA-PKCS-OAEP ciphering..."
+rsa_encrypt_decrypt data "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256" "--mechanism RSA-PKCS-OAEP"
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+rm -rf data* 1.*
+pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+
+algs=("secp192r1" "secp256r1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "secp192k1" "secp256k1")
+for alg in ${algs[*]}; do
+    echo -n "  Test EC derive with ${alg}..."
+    keygen_and_export ec:${alg}
+    test $? -eq 0 && echo -n "." || exit $?
+    openssl ecparam -genkey -name ${alg} > bob.pem 2>/dev/null
+    test $? -eq 0 && echo -n "." || exit $?
+    openssl ec -in bob.pem -pubout -outform DER > bob.der 2>/dev/null
+    test $? -eq 0 && echo -n "." || exit $?
+    pkcs11-tool --pin 648219 --id 1 --derive -i bob.der -o mine-bob.der > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    openssl pkeyutl -derive -out bob-mine.der -inkey bob.pem -peerkey 1.pub 2>/dev/null
+    test $? -eq 0 && echo -n "." || exit $?
+    cmp bob-mine.der mine-bob.der
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+    rm -rf data* 1.*
+    pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+done

tests/scripts/backup.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+sc_backup() {
+    for i in $(seq 1 $1); do
+        sc-hsm-tool --create-dkek-share dkek.${i}.pbe --password testpw > /dev/null 2>&1
+        test $? -eq 0 && echo -n "." || exit $?
+    done
+    sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares $1 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    pkcs11-tool -l --pin 648219 -I > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    for i in $(seq 1 $1); do
+        e=$(sc-hsm-tool --import-dkek-share dkek.${i}.pbe --password testpw 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q "DKEK share imported" <<< $e && echo -n "." || exit $?
+        grep -q "DKEK shares[[:blank:]]*: $1" <<< $e && echo -n "." || exit $?
+        if [[ $i -lt $1 ]]; then
+            grep -q "DKEK import pending, $(( $1 - $i ))" <<< $e && echo -n "." || exit $?
+        fi
+    done
+    # Store DKEK, since it is not logged in
+    pkcs11-tool -l --pin 648219 -I > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+}
+echo -n "  Test single DKEK..."
+sc_backup 1
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+echo -n "  Test multiple DKEK..."
+sc_backup 3
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+rm -rf dkek.*.pbe
+
+echo "  Test backup and restore"
+algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
+for alg in ${algs[*]}; do
+    echo -n "    Keygen ${alg}..."
+    gen_and_check ${alg}
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+    echo -n "    Wrap key..."
+    sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    e=$(pkcs15-tool -D 2>&1)
+    grep -q "Key ref[[:blank:]]*: 10" <<< $e && exit $? || echo -e ".\t${OK}"
+    echo -n "    Unwrap key..."
+    sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    e=$(pkcs15-tool -D 2>&1)
+    grep -q "Key ref[[:blank:]]*: 10" <<< $e && echo -e ".\t${OK}" || exit $?
+    echo -n "    Cleaning..."
+    pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done

tests/scripts/func.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+OK="\033[32mok\033[0m"
+FAIL="\033[31mfail\033[0m"
+
+gen_and_check() {
+    e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1)
+    test $? -eq 0 && echo -n "." || exit $?
+    glabel=""
+    case $1 in
+    *"192"*)
+        glabel="EC_POINT 192 bits"
+        ;;
+    *"256"*)
+        glabel="EC_POINT 256 bits"
+        ;;
+    *"384"*)
+        glabel="EC_POINT 384 bits"
+        ;;
+    *"512"*)
+        glabel="EC_POINT 512 bits"
+        ;;
+    *"521"*)
+        glabel="EC_POINT 528 bits"
+        ;;
+    *"rsa"*)
+        IFS=: read -r v1 bits <<< "$1"
+        glabel="RSA ${bits} bits"
+        ;;
+    esac
+    grep -q "${glabel}" <<< $e && echo -n "." || exit $?
+}
+gen_and_delete() {
+    gen_and_check $1
+    test $? -eq 0 && echo -n "." || exit $?
+    pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+}
+reset() {
+    python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1
+    test $? -eq 0 || exit $?
+}
+
+keygen_and_export() {
+    gen_and_check $1
+    test $? -eq 0 && echo -n "." || exit $?
+    pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null
+    test $? -eq 0 && echo -n "." || exit $?
+    IFS=: read -r mk bts <<< "$1"
+    openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null
+    test $? -eq 0 && echo -n "." || exit $?
+}

tests/scripts/initialize.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+
+# Change SO-PIN
+echo -n "  Test SO-PIN change..."
+pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+
+pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 > /dev/null 2>&1
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+# Change PIN
+echo -n "  Test PIN change..."
+pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+# Reset PIN
+echo -n "  Test PIN reset..."
+pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+
+# Change PIN
+pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+
+pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 > /dev/null 2>&1
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+# Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED)
+echo -n "  Test wrong PIN attempts..."
+e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
+test $? -eq 1 && echo -n "." || exit $?
+grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $?
+e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
+test $? -eq 1 && echo -n "." || exit $?
+grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $?
+e=$(pkcs11-tool --login --pin 123456 -I 2>&1)
+test $? -eq 1 && echo -n "." || exit $?
+grep -q CKR_PIN_LOCKED <<< $e && echo -e "\t${OK}" || exit $?
+
+# Reset PIN
+echo -n "  Test restore PIN..."
+pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+
+pkcs11-tool --login --pin 648219 -I > /dev/null 2>&1
+test $? -eq 0 && echo -e "\t${OK}" || exit $?

tests/scripts/keygen.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
+for alg in ${algs[*]}; do
+    IFS=: read -r a s <<< "${alg}"
+    au=$(awk '{print toupper($0)}' <<<${a})
+    echo -n "  Test ${au} ${s}..."
+    gen_and_delete ${alg} && echo -e ".\t${OK}" || exit $?
+done

tests/scripts/pkcs11.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+echo "==== Test initialization ===="
+./tests/scripts/initialize.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test keygen ===="
+./tests/scripts/keygen.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test sign and verify ===="
+./tests/scripts/sign_and_verify.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test asymmetric ciphering ===="
+./tests/scripts/asym_cipher.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test binary storage ===="
+./tests/scripts/store_binary.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test AES ===="
+./tests/scripts/aes.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test PKCS11-tool ===="
+./tests/scripts/pkcs11_test.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test backup and restore ===="
+./tests/scripts/backup.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}

tests/scripts/pkcs11_test.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+echo -n "  Test PKCS11 tool..."
+gen_and_check rsa:2048
+test $? -eq 0 && echo -n "." || exit $?
+e=$(pkcs11-tool --test -l --pin 648219 2>&1)
+test $? -eq 0 && echo -n "." || exit $?
+grep -q "No errors" <<< $e && echo -n "." || exit $?
+pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+#e=$(pkcs11-tool --test-ec -l --pin 648219 --id 1 --key-type ec:secp256r1 2>&1)
+#test $? -eq 0 && echo -n "." || exit $?
+#grep -q "==> OK" <<< $e && echo -e ".\t${OK}" || exit $?

tests/scripts/sc_hsm_test.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+source ./tests/startup.sh
+
+echo "==== Test SC HSM ===="
+echo -n "  Running sc-hsm-pkcs11-test..."
+pkcs11-tool -l --pin 648219 --keypairgen --key-type ec:secp256r1 --id 1 --label "TestLabel" > /dev/null 2>&1
+test $? -eq 0 && echo -n "." ||  {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+e=$(/usr/local/bin/sc-hsm-pkcs11-test --module /usr/local/lib/libsc-hsm-pkcs11.so --pin 648219 --invasive 2>&1)
+test $? -eq 0 && echo -n "." || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+grep -q "338 tests performed" <<< $e && echo -n "." || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+grep -q "0 tests failed" <<< $e && echo -e ".\t${OK}" || {
+    echo -e "\t${FAIL}"
+    exit 1
+}

tests/scripts/sign_and_verify.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+TEST_DATA="This is a test string. Be safe, be secure."
+echo ${TEST_DATA}  > data
+
+create_dgst() {
+    openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+}
+
+dgsts=("sha1" "sha224" "sha256" "sha384" "sha512")
+for dgst in ${dgsts[*]}; do
+    echo -n "  Create digest ${dgst}..."
+    create_dgst ${dgst}
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done
+
+# $1 sign mechanism
+# $2 sign input file
+# $3 sign parameters
+# $4 vrfy input file
+# $5 vrfy parameters
+sign_and_verify() {
+    pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1)
+    test $? -eq 0 && echo -n "." || exit $?
+    grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $?
+}
+
+sign_and_verify_rsa_pkcs() {
+    dgstl=$(awk '{print tolower($0)}' <<<$1)
+    dgstu=$(awk '{print toupper($0)}' <<<$1)
+    sign_and_verify "${dgstu}-RSA-PKCS" data "" data.${dgstl} "-pkeyopt digest:${dgstl}"
+    test $? -eq 0 && echo -n "." || exit $?
+}
+
+sign_and_verify_rsa_pss() {
+    dgstl=$(awk '{print tolower($0)}' <<<$1)
+    dgstu=$(awk '{print toupper($0)}' <<<$1)
+    sign_and_verify "RSA-PKCS-PSS" data.${dgstl} "--mgf MGF1-${dgstu} --hash-algorithm ${dgstu}" data.${dgstl} "-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:${dgstl}"
+    test $? -eq 0 && echo -n "." || exit $?
+}
+
+sign_and_verify_rsa_pss_dgst() {
+    dgstl=$(awk '{print tolower($0)}' <<<$1)
+    dgstu=$(awk '{print toupper($0)}' <<<$1)
+    sign_and_verify "${dgstu}-RSA-PKCS-PSS" data "" data.${dgstl} "-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:${dgstl}"
+    test $? -eq 0 && echo -n "." || exit $?
+}
+
+keygen_sign_and_verify_ec() {
+    echo "  Test ECDSA with $1"
+    echo -n "    Keygen $1..."
+    keygen_and_export $1
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+    for dgst in ${dgsts[*]}; do
+        dgstu=$(awk '{print toupper($0)}' <<<${dgst})
+        echo -n "    Test ECDSA with ${dgst} and $1..."
+        sign_and_verify ECDSA "data.${dgst}" "--signature-format openssl" data.${dgst}
+        test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+        echo -n "    Test ECDSA-${dgstu} with $1..."
+        sign_and_verify "ECDSA-${dgstu}" data "--signature-format openssl" data.${dgst}
+        test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+    done
+    echo -n "    Delete $1..."
+    pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+}
+
+algs=("ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1")
+for alg in ${algs[*]}; do
+    keygen_sign_and_verify_ec ${alg} || exit $?
+done
+
+echo "  Test RSA PKCS"
+echo -n "    Keygen rsa:2048..."
+keygen_and_export "rsa:2048"
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+echo -n "    Test RSA-PKCS..."
+pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1)
+test $? -eq 0 && echo -n "." || exit $?
+grep -q "Signature Verified Successfully" <<< $e && echo -e ".\t${OK}" || exit $?
+
+for dgst in ${dgsts[*]}; do
+    dgstu=$(awk '{print toupper($0)}' <<<${dgst})
+    echo -n "    Test RSA-PKCS-${dgstu}..."
+    sign_and_verify_rsa_pkcs ${dgst}
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done
+
+echo -n "    Test RSA-X-509..."
+cp data data_pad
+test $? -eq 0 && echo -n "." || exit $?
+tlen=${#TEST_DATA}
+dd if=/dev/zero bs=1 count=$((256-$tlen)) >> data_pad > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+TDATA=$(tr -d '\0' < <(openssl rsautl -verify -inkey 1.pub -in data.sig -pubin -raw))
+if [[ ${TEST_DATA} != "$TDATA" ]]; then
+    exit 1
+fi
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+for dgst in ${dgsts[*]}; do
+    dgstu=$(awk '{print toupper($0)}' <<<${dgst})
+    if [[ "${dgst}" != "sha1" ]]; then
+        echo -n "    Test RSA-PKCS-PSS with ${dgst}..."
+        sign_and_verify_rsa_pss ${dgst}
+        test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+    fi
+    echo -n "    Test ${dgstu}-RSA-PKCS-PSS..."
+    sign_and_verify_rsa_pss_dgst ${dgst}
+    test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+done
+
+rm -rf data* 1.*
+pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1

tests/scripts/store_binary.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+TEST_DATA="Pico HSM is awesome!"
+
+echo ${TEST_DATA} > test
+
+echo -n "  Test public binary storage..."
+pkcs11-tool --pin 648219 --write-object test --type data --id 1 --label 'test1' > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+e=$(pkcs11-tool --read-object --type data --label 'test1' 2>&1)
+test $? -eq 0 && echo -n "." || exit $?
+grep -q "${TEST_DATA}" <<< $e && echo -e ".\t${OK}" || exit $?
+pkcs11-tool --pin 648219 --delete-object --type data --label 'test1' > /dev/null 2>&1
+
+echo -n "  Test private binary storage..."
+pkcs11-tool --pin 648219 --write-object test --type data --id 1 --label 'test1' --private > /dev/null 2>&1
+test $? -eq 0 && echo -n "." || exit $?
+e=$(pkcs11-tool --read-object --type data --label 'test1' --pin 648219 2>&1)
+test $? -eq 0 && echo -n "." || exit $?
+grep -q "${TEST_DATA}" <<< $e && echo -n "." || exit $?
+e=$(pkcs11-tool --read-object --type data --label 'test1' 2>&1)
+test $? -eq 1 && echo -n "." || exit $?
+grep -q "error: object not found" <<< $e && echo -e ".\t${OK}" || exit $?
+pkcs11-tool --pin 648219 --delete-object --type data --label 'test1' > /dev/null 2>&1

tests/start-up-and-test-pkcs11.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+source ./tests/startup.sh
+
+chmod a+x tests/scripts/*.sh
+
+echo "======== PKCS11 Test suite ========"
+./tests/scripts/pkcs11.sh

tests/start-up-and-test.sh

@@ -1,8 +1,5 @@
-#!/bin/bash -eu
+#!/bin/bash
+
+source ./tests/startup.sh
 
-/usr/sbin/pcscd &
-sleep 2
-rm -f memory.flash
-tar -xf tests/memory.tar.gz
-./build_in_docker/pico_hsm > /dev/null &
 pytest tests -W ignore::DeprecationWarning

tests/startup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+OK="\t\033[32mok\033[0m"
+FAIL="\t\033[31mfail\033[0m"
+
+fail() {
+    echo -e "${FAIL}"
+    exit 1
+}
+
+echo -n "Start PCSC..."
+/usr/sbin/pcscd &
+test $? -eq 0 && echo -e "${OK}" || {
+    echo -e "${FAIL}"
+    exit 1
+}
+sleep 2
+rm -f memory.flash
+tar -xf tests/memory.tar.gz
+echo -n "Start Pico HSM..."
+/pico_hsm > /dev/null 2>&1 &
+test $? -eq 0 && echo -n "." || fail
+sleep 2
+ATR="3b:fe:18:00:00:81:31:fe:45:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:fa"
+e=$(opensc-tool -an 2>&1)
+grep -q "${ATR}" <<< $e && echo -n "." || fail
+test $? -eq 0 && echo -e "${OK}" || fail

tests/utils.py

@@ -1,138 +0,0 @@
-"""
-/*
- * This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
- * Copyright (c) 2022 Pol Henarejos.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, version 3.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-"""
-
-from enum import Enum
-
-class SWCodes(Enum):
-    SW_BYTES_REMAINING_00               = 0x6100
-    SW_WARNING_STATE_UNCHANGED          = 0x6200
-    SW_WARNING_CORRUPTED                = 0x6281
-    SW_WARNING_EOF                      = 0x6282
-    SW_WARNING_EF_DEACTIVATED           = 0x6283
-    SW_WARNING_WRONG_FCI                = 0x6284
-    SW_WARNING_EF_TERMINATED            = 0x6285
-
-    SW_WARNING_NOINFO                   = 0x6300
-    SW_WARNING_FILLUP                   = 0x6381
-
-    SW_EXEC_ERROR                       = 0x6400
-
-    SW_SECURE_MESSAGE_EXEC_ERROR        = 0x6600
-
-    SW_WRONG_LENGTH                     = 0x6700
-
-    SW_LOGICAL_CHANNEL_NOT_SUPPORTED    = 0x6881
-    SW_SECURE_MESSAGING_NOT_SUPPORTED   = 0x6882
-
-    SW_COMMAND_INCOMPATIBLE             = 0x6981
-    SW_SECURITY_STATUS_NOT_SATISFIED    = 0x6982
-    SW_PIN_BLOCKED                      = 0x6983
-    SW_DATA_INVALID                     = 0x6984
-    SW_CONDITIONS_NOT_SATISFIED         = 0x6985
-    SW_COMMAND_NOT_ALLOWED              = 0x6986
-    SW_SECURE_MESSAGING_MISSING_DO      = 0x6987
-    SW_SECURE_MESSAGING_INCORRECT_DO    = 0x6988
-    SW_APPLET_SELECT_FAILED             = 0x6999
-
-    SW_INCORRECT_PARAMS                 = 0x6A80
-    SW_FUNC_NOT_SUPPORTED               = 0x6A81
-    SW_FILE_NOT_FOUND                   = 0x6A82
-    SW_RECORD_NOT_FOUND                 = 0x6A83
-    SW_FILE_FULL                        = 0x6A84
-    SW_WRONG_NE                         = 0x6A85
-    SW_INCORRECT_P1P2                   = 0x6A86
-    SW_WRONG_NC                         = 0x6A87
-    SW_REFERENCE_NOT_FOUND              = 0x6A88
-    SW_FILE_EXISTS                      = 0x6A89
-
-    SW_WRONG_P1P2                       = 0x6B00
-
-    SW_CORRECT_LENGTH_00                = 0x6C00
-
-    SW_INS_NOT_SUPPORTED                = 0x6D00
-
-    SW_CLA_NOT_SUPPORTED                = 0x6E00
-
-    SW_UNKNOWN                          = 0x6F00
-
-    SW_OK                               = 0x900
-
-class APDUResponse(Exception):
-    def __init__(self, sw1, sw2):
-        self.sw1 = sw1
-        self.sw2 = sw2
-        self.sw = sw1 << 8 | sw2
-        super().__init__(f'SW:{sw1:02X}{sw2:02X}')
-
-class DOPrefixes(Enum):
-    PRKD_PREFIX             = 0xC4
-    CD_PREFIX               = 0xC8
-    DCOD_PREFIX             = 0xC9
-    CA_CERTIFICATE_PREFIX   = 0xCA
-    KEY_PREFIX              = 0xCC
-    PROT_DATA_PREFIX        = 0xCD
-    EE_CERTIFICATE_PREFIX   = 0xCE
-    DATA_PREFIX             = 0xCF
-
-class KeyType(Enum):
-    RSA                     = 1
-    ECC                     = 2
-    AES                     = 3
-
-class Algorithm(Enum):
-    ALGO_AES_CBC_ENCRYPT    = 0x10
-    ALGO_AES_CBC_DECRYPT    = 0x11
-    ALGO_AES_CMAC           = 0x18
-    ALGO_EXT_CIPHER_ENCRYPT = 0x51
-    ALGO_EXT_CIPHER_DECRYPT = 0x52
-    ALGO_AES_DERIVE         = 0x99
-
-    ALGO_EC_RAW             = 0x70
-    ALGO_EC_SHA1            = 0x71
-    ALGO_EC_SHA224          = 0x72
-    ALGO_EC_SHA256          = 0x73
-    ALGO_EC_SHA384          = 0x74
-    ALGO_EC_SHA512          = 0x75
-    ALGO_EC_DH              = 0x80
-    ALGO_EC_DERIVE          = 0x98
-
-    ALGO_RSA_RAW            = 0x20
-    ALGO_RSA_DECRYPT        = 0x21
-    ALGO_RSA_DECRYPT_PKCS1  = 0x22
-    ALGO_RSA_DECRYPT_OEP    = 0x23
-    ALGO_RSA_PKCS1          = 0x30
-    ALGO_RSA_PKCS1_SHA1     = 0x31
-    ALGO_RSA_PKCS1_SHA224   = 0x32
-    ALGO_RSA_PKCS1_SHA256   = 0x33
-    ALGO_RSA_PKCS1_SHA384   = 0x34
-    ALGO_RSA_PKCS1_SHA512   = 0x35
-    ALGO_RSA_PSS            = 0x40
-    ALGO_RSA_PSS_SHA1       = 0x41
-    ALGO_RSA_PSS_SHA224     = 0x42
-    ALGO_RSA_PSS_SHA256     = 0x43
-    ALGO_RSA_PSS_SHA384     = 0x44
-    ALGO_RSA_PSS_SHA512     = 0x45
-
-class Padding(Enum):
-    RAW =       0x21
-    PKCS =      0x22
-    OAEP =       0x23
-
-def int_to_bytes(x, length=None, byteorder='big'):
-    return x.to_bytes(length or (x.bit_length() + 7) // 8, byteorder=byteorder)

tools/pico-hsm-tool.py

@@ -20,17 +20,8 @@
 """
 
 import sys
-try:
-    from smartcard.CardType import AnyCardType
-    from smartcard.CardRequest import CardRequest
-    from smartcard.Exceptions import CardRequestTimeoutException, CardConnectionException
-except ModuleNotFoundError:
-    print('ERROR: smarctard module not found! Install pyscard package.\nTry with `pip install pyscard`')
-    sys.exit(-1)
-
 try:
     from cvc.certificates import CVC
-    from cvc.asn1 import ASN1
     from cvc.oid import oid2scheme
     from cvc.utils import scheme_rsa
 except ModuleNotFoundError:
@@ -47,6 +38,11 @@ except ModuleNotFoundError:
     print('ERROR: cryptography module not found! Install cryptography package.\nTry with `pip install cryptography`')
     sys.exit(-1)
 
+try:
+    from picohsm import PicoHSM, PinType, DOPrefixes, KeyType, EncryptionMode, utils, APDUResponse, SWCodes
+except ModuleNotFoundError:
+    print('ERROR: picohsm module not found! Install picohsm package.\nTry with `pip install pypicohsm`')
+    sys.exit(-1)
 
 import json
 import urllib.request
@@ -61,58 +57,16 @@ from argparse import RawTextHelpFormatter
 
 pin = None
 
-class APDUResponse(Exception):
-    def __init__(self, sw1, sw2):
-        self.sw1 = sw1
-        self.sw2 = sw2
-        super().__init__(f'SW:{sw1:02X}{sw2:02X}')
-
 def hexy(a):
     return [hex(i) for i in a]
 
-def send_apdu(card, command, p1, p2, data=None, ne=None):
-    lc = []
-    dataf = []
-    if (data):
-        lc = [0x00] + list(len(data).to_bytes(2, 'big'))
-        dataf = data
-    if (ne is None):
-        le = [0x00, 0x00]
-    else:
-        le = list(ne.to_bytes(2, 'big'))
-    if (isinstance(command, list) and len(command) > 1):
-        apdu = command
-    else:
-        apdu = [0x00, command]
-
-    apdu = apdu + [p1, p2] + lc + dataf + le
-    try:
-        response, sw1, sw2 = card.connection.transmit(apdu)
-    except CardConnectionException:
-        card.connection.reconnect()
-        response, sw1, sw2 = card.connection.transmit(apdu)
-    if (sw1 != 0x90):
-        if (sw1 == 0x6A and sw2 == 0x82):
-            response, sw1, sw2 = card.connection.transmit([0x00, 0xA4, 0x04, 0x00, 0xB, 0xE8, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xC3, 0x1F, 0x02, 0x01, 0x0])
-            if (sw1 == 0x90):
-                response, sw1, sw2 = card.connection.transmit(apdu)
-                if (sw1 == 0x90):
-                    return response
-        elif (sw1 == 0x69 and sw2 == 0x82):
-            response, sw1, sw2 = card.connection.transmit([0x00, 0x20, 0x00, 0x81, len(pin)] + list(pin.encode()) + [0x0])
-            if (sw1 == 0x90):
-                response, sw1, sw2 = card.connection.transmit(apdu)
-                if (sw1 == 0x90):
-                    return response
-        raise APDUResponse(sw1, sw2)
-    return response
-
 def parse_args():
     parser = argparse.ArgumentParser()
     subparser = parser.add_subparsers(title="commands", dest="command")
     parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
     parser.add_argument('--pin', help='PIN number')
     parser_init.add_argument('--so-pin', help='SO-PIN number')
+    parser_init.add_argument('--silent', help='Confirms initialization silently.', action='store_true')
 
     parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.')
     parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID')
@@ -128,7 +82,7 @@ def parse_args():
     parser_rtc = subparser.add_parser('datetime', help='Datetime operations with the integrated Real Time Clock (RTC).')
     subparser_rtc = parser_rtc.add_subparsers(title='commands', dest='subcommand')
     parser_rtc_set = subparser_rtc.add_parser('set', help='Sets the current datetime.')
-    parser_rtc_get = subparser_rtc.add_parser('set', help='Gets the current datetime.')
+    parser_rtc_get = subparser_rtc.add_parser('get', help='Gets the current datetime.')
 
     parser_opts = subparser.add_parser('options', help='Manage extra options.', formatter_class=RawTextHelpFormatter)
     subparser_opts = parser_opts.add_subparsers(title='commands', dest='subcommand')
@@ -215,56 +169,44 @@ def get_pki_certs(certs_dir='certs', force=False):
             f.write(base64.urlsafe_b64decode(certs['dvca']['cert']))
     print(f'All PKI certificates are stored at {certs_dir} folder')
 
-def pki(card, args):
+def pki(_, args):
     if (args.subcommand == 'initialize'):
         if (args.default is True):
             get_pki_certs(certs_dir=args.certs_dir, force=args.force)
         else:
             print('Error: no PKI is passed. Use --default to retrieve default PKI.')
 
-def login(card, args):
-    global pin
-    pin = args.pin
-    try:
-        response = send_apdu(card, 0x20, 0x00, 0x81, list(args.pin.encode()))
-    except APDUResponse:
-        pass
+def initialize(picohsm, args):
+    if (not args.silent):
+        print('********************************')
+        print('*   PLEASE READ IT CAREFULLY   *')
+        print('********************************')
+        print('')
+        print('This tool will erase and reset your device. It will delete all '
+            'private and secret keys.')
+        print('Are you sure?')
+        _ = input('[Press enter to confirm]')
 
-def initialize(card, args):
-    print('********************************')
-    print('*   PLEASE READ IT CAREFULLY   *')
-    print('********************************')
-    print('')
-    print('This tool will erase and reset your device. It will delete all '
-        'private and secret keys.')
-    print('Are you sure?')
-    _ = input('[Press enter to confirm]')
-
-    send_apdu(card, 0xA4, 0x04, 0x00, [0xE8, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xC3, 0x1F, 0x02, 0x01])
     if (args.pin):
-        pin = args.pin.encode()
         try:
-            response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+            picohsm.login(args.pin)
         except APDUResponse:
             pass
+        pin = args.pin
     else:
-        pin = b'648219'
+        pin = '648219'
 
     if (args.so_pin):
-        so_pin = args.so_pin.encode()
         try:
-            response = send_apdu(card, 0x20, 0x00, 0x82, list(so_pin))
+            picohsm.login(args.so_pin, who=PinType.SO_PIN)
         except APDUResponse:
             pass
+        so_pin = args.so_pin
     else:
-        so_pin = b'57621880'
+        so_pin = '57621880'
 
-    pin_data = [0x81, len(pin)] + list(pin)
-    so_pin_data = [0x82, len(so_pin)] + list(so_pin)
-    reset_data = [0x80, 0x02, 0x00, 0x01] + pin_data + so_pin_data + [0x91, 0x01, 0x03]
-    response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
-
-    response = send_apdu(card, 0xB1, 0xCE, 0x00, [0x54, 0x02, 0x00, 0x00])
+    picohsm.initialize(pin=pin, sopin=so_pin)
+    response = picohsm.get_contents(DOPrefixes.EE_CERTIFICATE_PREFIX, 0x00)
 
     cert = bytearray(response)
     Y = CVC().decode(cert).pubkey().find(0x86).data()
@@ -275,14 +217,10 @@ def initialize(card, args):
     j = get_pki_data('cvc', data=data)
     print('Device name: '+j['devname'])
     dataef = base64.urlsafe_b64decode(
-        j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
+        j['cvcert']) + base64.urlsafe_b64decode(j['dvcert']) + base64.urlsafe_b64decode(j['cacert'])
 
-    response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f, 0x02])
-    response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
-
-    apdu_data = [0x54, 0x02, 0x00, 0x00] + \
-        list(ASN1.make_tag(0x53, dataef))
-    response = send_apdu(card, 0xd7, 0x00, 0x00, apdu_data)
+    picohsm.select_file(0x2f02)
+    response = picohsm.put_contents(0x0000, data=dataef)
 
     print('Certificate uploaded successfully!')
     print('')
@@ -291,22 +229,11 @@ def initialize(card, args):
     print('Now you can initialize the device as usual with your chosen PIN '
         'and configuration options.')
 
-def attestate(card, args):
+def attestate(picohsm, args):
     kid = int(args.key)
-    try:
-        response = send_apdu(card, 0xB1, 0x2F, 0x02, [0x54, 0x02, 0x00, 0x00])
-    except APDUResponse as a:
-        print('ERROR: There is an error with the device certificate.')
-        sys.exit(1)
-
-    devcert = ASN1().decode(response).find(0x7f21, pos=0).data(return_tag=True)
-
-    try:
-        cert = send_apdu(card, 0xB1, 0xCE, kid, [0x54, 0x02, 0x00, 0x00])
-    except APDUResponse as a:
-        if (a.sw1 == 0x6a and a.sw2 == 0x82):
-            print('ERROR: Key not found')
-            sys.exit(1)
+    termca = picohsm.get_termca()
+    devcert = termca['cv']['data']
+    cert = picohsm.get_contents(0xCE, kid)
 
     print(hexlify(bytearray(cert)))
     print(f'Details of key {kid}:\n')
@@ -345,42 +272,41 @@ def attestate(card, args):
     else:
         print(f'Key {kid} is NOT generated by device {chr.decode()}')
 
-def rtc(card, args):
+def rtc(picohsm, args):
     if (args.subcommand == 'set'):
         now = datetime.now()
-        _ = send_apdu(card, [0x80, 0x64], 0x0A, 0x00, list(now.year.to_bytes(2, 'big')) + [now.month, now.day, now.weekday(), now.hour, now.minute, now.second ])
+        _ = picohsm.send(cla=0x80, command=0x64, p1=0x0A, data=list(now.year.to_bytes(2, 'big')) + [now.month, now.day, now.weekday(), now.hour, now.minute, now.second ])
     elif (args.subcommand == 'get'):
-        response = send_apdu(card, [0x80, 0x64], 0x0A, 0x00)
+        response = picohsm.send(cla=0x80, command=0x64, p1=0x0A)
         dt = datetime(int.from_bytes(response[:2], 'big'), response[2], response[3], response[5], response[6], response[7])
         print(f'Current date and time is: {dt.ctime()}')
 
-def opts(card, args):
+def opts(picohsm, args):
     opt = 0x0
     if (args.opt == 'button'):
         opt = 0x1
     elif (args.opt == 'counter'):
         opt = 0x2
-    current = send_apdu(card, [0x80, 0x64], 0x6, 0x0)[0]
+    current = picohsm.send(cla=0x80, command=0x64, p1=0x6)[0]
     if (args.subcommand == 'set'):
         if (args.onoff == 'on'):
             newopt = current | opt
         else:
             newopt = current & ~opt
-        send_apdu(card, [0x80, 0x64], 0x6, 0x0, [newopt])
+        picohsm.send(cla=0x80, command=0x64, p1=0x6, data=[newopt])
     elif (args.subcommand == 'get'):
         print(f'Option {args.opt.upper()} is {"ON" if current & opt else "OFF"}')
 
 class SecureLock:
-    def __init__(self, card):
-        self.card = card
+    def __init__(self, picohsm):
+        self.picohsm = picohsm
 
     def mse(self):
         sk = ec.generate_private_key(ec.SECP256R1())
         pn = sk.public_key().public_numbers()
         self.__pb = sk.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
 
-
-        ret = send_apdu(self.card, [0x80, 0x64], 0x3A, 0x01, list(self.__pb))
+        ret = self.picohsm.send(cla=0x80, command=0x64, p1=0x3A, p2=0x01, data=list(self.__pb))
 
         pk = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), bytes(ret))
         shared_key = sk.exchange(ec.ECDH(), pk)
@@ -402,7 +328,7 @@ class SecureLock:
 
     def unlock_device(self):
         ct = self.get_skey()
-        send_apdu(self.card, [0x80, 0x64], 0x3A, 0x03, list(ct))
+        self.picohsm.send(cla=0x80, command=0x64, p1=0x3A, p2=0x03, data=list(ct))
 
     def _get_key_device(self):
         if (platform.system() == 'Windows' or platform.system() == 'Linux'):
@@ -421,15 +347,14 @@ class SecureLock:
 
     def enable_device_aut(self):
         ct = self.get_skey()
-        send_apdu(self.card, [0x80, 0x64], 0x3A, 0x02, list(ct))
+        self.picohsm.send(cla=0x80, command=0x64, p1=0x3A, p2=0x02, data=list(ct))
 
     def disable_device_aut(self):
         ct = self.get_skey()
-        send_apdu(self.card, [0x80, 0x64], 0x3A, 0x04, list(ct))
+        self.picohsm.send(cla=0x80, command=0x64, p1=0x3A, p2=0x04, p3=list(ct))
 
-
-def secure(card, args):
-    slck = SecureLock(card)
+def secure(picohsm, args):
+    slck = SecureLock(picohsm)
     if (args.subcommand == 'enable'):
         slck.enable_device_aut()
     elif (args.subcommand == 'unlock'):
@@ -437,120 +362,63 @@ def secure(card, args):
     elif (args.subcommand == 'disable'):
         slck.disable_device_aut()
 
-
-def cipher(card, args):
+def cipher(picohsm, args):
     if (args.subcommand == 'keygen'):
-        ksize = 0xB2
-        if (args.key_size == 24):
-            ksize = 0xB1
-        elif (args.key_size == 16):
-            ksize = 0xB0
-        ret = send_apdu(card, 0x48, int(args.key), ksize)
-
+        ret = picohsm.key_generation(KeyType.AES, param=args.key_size * 8)
     else:
-        enc = None
-        aad = None
+        if (args.file_in):
+            fin = open(args.file_in, 'rb')
+        else:
+            fin = sys.stdin.buffer
+        enc = fin.read()
+        fin.close()
+        iv = args.iv
+        if (args.iv and args.hex):
+            iv = unhexlify(iv)
+        aad = args.aad
+        if (args.aad and args.hex):
+                aad = unhexlify(aad)
+
+        mode = EncryptionMode.ENCRYPT if args.subcommand[0] == 'e' else EncryptionMode.DECRYPT
         if (args.alg == 'CHACHAPOLY'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x12'
+            ret = picohsm.chachapoly(args.key, mode, data=enc, iv=iv, aad=aad)
         elif (args.alg == 'HMAC-SHA1'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x02\x07'
+            ret = picohsm.hmac(hashes.SHA1, args.key, data=enc)
         elif (args.alg == 'HMAC-SHA224'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x02\x08'
+            ret = picohsm.hmac(hashes.SHA224, args.key, data=enc)
         elif (args.alg == 'HMAC-SHA256'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x02\x09'
+            ret = picohsm.hmac(hashes.SHA256, args.key, data=enc)
         elif (args.alg == 'HMAC-SHA384'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x02\x0A'
+            ret = picohsm.hmac(hashes.SHA384, args.key, data=enc)
         elif (args.alg == 'HMAC-SHA512'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x02\x0B'
+            ret = picohsm.hmac(hashes.SHA512, args.key, data=enc)
         elif (args.alg == 'HKDF-SHA256'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1D'
+            ret = picohsm.hkdf(hashes.SHA256, args.key, data=enc, salt=iv, out_len=args.output_len)
         elif (args.alg == 'HKDF-SHA384'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1E'
+            ret = picohsm.hkdf(hashes.SHA384, args.key, data=enc, salt=iv, out_len=args.output_len)
         elif (args.alg == 'HKDF-SHA512'):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1F'
-        elif (args.alg in ['PBKDF2-SHA1', 'PBKDF2-SHA224', 'PBKDF2-SHA256', 'PBKDF2-SHA384', 'PBKDF2-SHA512']):
-            if ('PBKDF2' in args.alg):
-                oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x05\x0C'
-            salt = b'\x04' + bytes([len(args.iv)//2]) + unhexlify(args.iv)
-            iteration = b'\x02' + bytes([len(int_to_bytes(int(args.iteration)))]) + int_to_bytes(int(args.iteration))
-            prf = b'\x30\x0A\x06\x08\x2A\x86\x48\x86\xF7\x0D\x02'
-            if (args.alg == 'PBKDF2-SHA1'):
-                prf += b'\x07'
-            elif (args.alg == 'PBKDF2-SHA224'):
-                prf += b'\x08'
-            elif (args.alg == 'PBKDF2-SHA256'):
-                prf += b'\x09'
-            elif (args.alg == 'PBKDF2-SHA384'):
-                prf += b'\x0A'
-            elif (args.alg == 'PBKDF2-SHA512'):
-                prf += b'\x0B'
-            enc = list(salt + iteration + prf)
-        elif (args.alg in 'X963-SHA1', 'X963-SHA224', 'X963-SHA256', 'X963-SHA384', 'X963-SHA512'):
-            oid = b'\x2B\x81\x05\x10\x86\x48\x3F'
-            enc = b'\x2A\x86\x48\x86\xF7\x0D\x02'
-            if (args.alg == 'X963-SHA1'):
-                enc += b'\x07'
-            elif (args.alg == 'X963-SHA224'):
-                enc += b'\x08'
-            elif (args.alg == 'X963-SHA256'):
-                enc += b'\x09'
-            elif (args.alg == 'X963-SHA384'):
-                enc += b'\x0A'
-            elif (args.alg == 'X963-SHA512'):
-                enc += b'\x0B'
-        '''
-        # To be finished: it does not work with AES (only supported by HSM)
-        elif (args.alg in ['PBES2-SHA1', 'PBES2-SHA224', 'PBES2-SHA256', 'PBES2-SHA384', 'PBES2-SHA512']):
-            oid = b'\x2A\x86\x48\x86\xF7\x0D\x01\x05\x0D'
-            if (not args.iv):
-                sys.stderr.buffer.write(b'ERROR: --iv required')
-                sys.exit(-1)
-            salt = b'\x04' + bytes([len(args.iv)//2]) + unhexlify(args.iv)
-            iteration = b'\x02' + bytes([len(int_to_bytes(int(args.iteration)))]) + int_to_bytes(int(args.iteration))
-            prf = b'\x30\x0A\x06\x08\x2A\x86\x48\x86\xF7\x0D\x02'
-            if (args.alg == 'PBES2-SHA1'):
-                prf += b'\x07'
-            elif (args.alg == 'PBES2-SHA224'):
-                prf += b'\x08'
-            elif (args.alg == 'PBES2-SHA256'):
-                prf += b'\x09'
-            elif (args.alg == 'PBES2-SHA384'):
-                prf += b'\x0A'
-            elif (args.alg == 'PBES2-SHA512'):
-                prf += b'\x0B'
-            oid_kdf = b'\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x05\x0C'
-            aad = hexlify(oid_kdf + b'\x30' + bytes([len(salt)+len(iteration)+len(prf)]) + salt + iteration + prf)
-            args.hex = True
-        '''
+            ret = picohsm.hkdf(hashes.SHA512, args.key, data=enc, salt=iv, out_len=args.output_len)
+        elif (args.alg == 'PBKDF2-SHA1'):
+            ret = picohsm.pbkdf2(hashes.SHA1, args.key, salt=iv, iterations=args.iteration, out_len=args.output_len)
+        elif (args.alg == 'PBKDF2-SHA224'):
+            ret = picohsm.pbkdf2(hashes.SHA224, args.key, salt=iv, iterations=args.iteration, out_len=args.output_len)
+        elif (args.alg == 'PBKDF2-SHA256'):
+            ret = picohsm.pbkdf2(hashes.SHA256, args.key, salt=iv, iterations=args.iteration, out_len=args.output_len)
+        elif (args.alg == 'PBKDF2-SHA384'):
+            ret = picohsm.pbkdf2(hashes.SHA384, args.key, salt=iv, iterations=args.iteration, out_len=args.output_len)
+        elif (args.alg == 'PBKDF2-SHA512'):
+            ret = picohsm.pbkdf2(hashes.SHA512, args.key, salt=iv, iterations=args.iteration, out_len=args.output_len)
+        elif (args.alg == 'X963-SHA1'):
+            ret = picohsm.x963(hashes.SHA1, args.key, data=enc, out_len=args.output_len)
+        elif (args.alg == 'X963-SHA224'):
+            ret = picohsm.x963(hashes.SHA224, args.key, data=enc, out_len=args.output_len)
+        elif (args.alg == 'X963-SHA256'):
+            ret = picohsm.x963(hashes.SHA256, args.key, data=enc, out_len=args.output_len)
+        elif (args.alg == 'X963-SHA384'):
+            ret = picohsm.x963(hashes.SHA384, args.key, data=enc, out_len=args.output_len)
+        elif (args.alg == 'X963-SHA512'):
+            ret = picohsm.x963(hashes.SHA512, args.key, data=enc, out_len=args.output_len)
 
-        if (args.subcommand[0] == 'e' or args.subcommand == 'hmac' or args.subcommand == 'kdf'):
-            alg = 0x51
-        elif (args.subcommand[0] == 'd'):
-            alg = 0x52
-
-        if (not enc):
-            if (args.file_in):
-                fin = open(args.file_in, 'rb')
-            else:
-                fin = sys.stdin.buffer
-            enc = fin.read()
-            fin.close()
-
-        data = [0x06, len(oid)] + list(oid) + [0x81, len(enc)] + list(enc)
-
-        if (args.iv and not 'PBKDF2' in args.alg and not 'PBES2' in args.alg):
-            data += [0x82, len(args.iv)//2] + list(unhexlify(args.iv))
-        if (not aad):
-            aad = args.aad
-        if (aad):
-            if (args.hex):
-                data += [0x83, len(aad)//2] + list(unhexlify(aad))
-            else:
-                data += [0x83, len(aad)] + list(aad)
-
-        ne = int(args.output_len) if 'output_len' in args and args.output_len else None
-
-        ret = send_apdu(card, [0x80, 0x78], int(args.key), alg, data=data, ne=ne)
         if (args.file_out):
             fout = open(args.file_out, 'wb')
         else:
@@ -562,19 +430,16 @@ def cipher(card, args):
         if (args.file_out):
             fout.close()
 
-def int_to_bytes(x: int) -> bytes:
-    return x.to_bytes((x.bit_length() + 7) // 8, 'big')
-
-def x25519(card, args):
+def x25519(picohsm, args):
     if (args.command == 'x25519'):
         P = b'\x7f\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xed'
-        A = int_to_bytes(0x01DB42)
+        A = utils.int_to_bytes(0x01DB42)
         N = b'\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\xDE\xF9\xDE\xA2\xF7\x9C\xD6\x58\x12\x63\x1A\x5C\xF5\xD3\xED'
         G = b'\x04\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd9\xd3\xce\x7e\xa2\xc5\xe9\x29\xb2\x61\x7c\x6d\x7e\x4d\x3d\x92\x4c\xd1\x48\x77\x2c\xdd\x1e\xe0\xb4\x86\xa0\xb8\xa1\x19\xae\x20'
         h = b'\x08'
     elif (args.command == 'x448'):
         P = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff'
-        A = int_to_bytes(0x98AA)
+        A = utils.int_to_bytes(0x98AA)
         N = b'\x3f\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x7c\xca\x23\xe9\xc4\x4e\xdb\x49\xae\xd6\x36\x90\x21\x6c\xc2\x72\x8d\xc5\x8f\x55\x23\x78\xc2\x92\xab\x58\x44\xf3'
         G = b'\x04\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1a\x5b\x7b\x45\x3d\x22\xd7\x6f\xf7\x7a\x67\x50\xb1\xc4\x12\x13\x21\x0d\x43\x46\x23\x7e\x02\xb8\xed\xf6\xf3\x8d\xc2\x5d\xf7\x60\xd0\x45\x55\xf5\x34\x5d\xae\xcb\xce\x6f\x32\x58\x6e\xab\x98\x6c\xf6\xb1\xf5\x95\x12\x5d\x23\x7d'
         h = b'\x04'
@@ -589,45 +454,33 @@ def x25519(card, args):
     cdata += b'\x42\x0C\x55\x54\x44\x55\x4D\x4D\x59\x30\x30\x30\x30\x31'
     cdata += b'\x7f\x49\x81' + bytes([len(oid)+len(p_data)+len(a_data)+len(g_data)+len(n_data)+len(h_data)]) + oid + p_data + a_data + g_data + n_data + h_data
     cdata += b'\x5F\x20\x0C\x55\x54\x44\x55\x4D\x4D\x59\x30\x30\x30\x30\x31'
-    ret = send_apdu(card, 0x46, int(args.key), 0x00, list(cdata))
+    ret = picohsm.send(command=0x46, p1=args.key, data=list(cdata))
 
 def main(args):
-    sys.stderr.buffer.write(b'Pico HSM Tool v1.8\n')
+    sys.stderr.buffer.write(b'Pico HSM Tool v1.10\n')
     sys.stderr.buffer.write(b'Author: Pol Henarejos\n')
     sys.stderr.buffer.write(b'Report bugs to https://github.com/polhenarejos/pico-hsm/issues\n')
     sys.stderr.buffer.write(b'\n\n')
-    cardtype = AnyCardType()
-    try:
-        # request card insertion
-        cardrequest = CardRequest(timeout=10, cardType=cardtype)
-        card = cardrequest.waitforcard()
 
-        # connect to the card and perform a few transmits
-        card.connection.connect()
-
-    except CardRequestTimeoutException:
-        raise Exception('time-out: no card inserted during last 10s')
-
-    if (args.pin):
-        login(card, args)
+    picohsm = PicoHSM(args.pin)
 
     # Following commands may raise APDU exception on error
     if (args.command == 'initialize'):
-        initialize(card, args)
+        initialize(picohsm, args)
     elif (args.command == 'attestate'):
-        attestate(card, args)
+        attestate(picohsm, args)
     elif (args.command == 'pki'):
-        pki(card, args)
+        pki(picohsm, args)
     elif (args.command == 'datetime'):
-        rtc(card, args)
+        rtc(picohsm, args)
     elif (args.command == 'options'):
-        opts(card, args)
+        opts(picohsm, args)
     elif (args.command == 'secure'):
-        secure(card, args)
+        secure(picohsm, args)
     elif (args.command == 'cipher'):
-        cipher(card, args)
+        cipher(picohsm, args)
     elif (args.command == 'x25519' or args.command == 'x448'):
-        x25519(card, args)
+        x25519(picohsm, args)
 
 
 def run():

tools/secure_key/macos.py

@@ -51,7 +51,9 @@ def get_secure_key():
     try:
         backend = get_backend(False)
         key = backend.get_password(DOMAIN, USERNAME)[0]
-    except keyring.errors.KeyringError:
+        if (key is None):
+            raise TypeError
+    except (keyring.errors.KeyringError, TypeError):
         try:
             key = generate_secure_key(False)[0] # It should be True, but secure enclave causes python segfault
         except keyring.errors.PasswordSetError:

tools/secure_key/windows.py

@@ -39,6 +39,8 @@ def get_secure_key():
     key = None
     try:
         key = keyring.get_password(DOMAIN, USERNAME)
-    except keyring.errors.KeyringError:
+        if (key is None):
+            raise TypeError
+    except (keyring.errors.KeyringError, TypeError):
         key = generate_secure_key()
     return get_d(key.encode())