Merge branch 'master' into development-eddsa

Fixes #103.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/workflows/nightly.yml

@@ -34,7 +34,7 @@ jobs:
       - name: Delete private key
         run: rm private.pem
       - name: Update nightly release
-        uses: pyTooling/Actions/releaser@v6.7.0
+        uses: pyTooling/Actions/releaser@main
         with:
           tag: nightly-${{ matrix.refs }}
           rm: true

README.md

@@ -162,10 +162,10 @@ Secure Lock restricts the device to the manufacturer’s firmware only, locking
 Pico HSM also supports ESP32-S3 boards, which add secure storage, flash encryption and secure boot.
 
 ### > Dynamic VID/PID
-Supports setting VID & PID on-the-fly. U
+Supports setting VID & PID on-the-fly. Use `pico-hsm-tool.py` or [Pico Commissioner](https://www.picokeys.com/pico-commissioner/ "Pico Commissioner") for specify VID/PID values and reboot the device.
 
 ### > Rescue Pico HSM Tool and Commissioner
-Pico HSM Tool implements a new CCID stack to rescue the Pico HSM in case it has wrong VID/PID values and it is not recognized by the OS.
+Pico HSM Tool implements a new CCID stack to rescue the Pico HSM in case it has wrong VID/PID values and it is not recognized by the OS. It can be accessed through `pico-hsm-tool.py` or [Pico Commissioner](https://www.picokeys.com/pico-commissioner/ "Pico Commissioner").
 
 ## Security considerations
 All secret keys (both asymmetric and symmetric) are encrypted and stored in the flash memory. The MKEK, a 256-bit AES key, is used to protect these private and secret keys. Keys are held in RAM only during signature and decryption operations, and are loaded and cleared each time to avoid potential security vulnerabilities.
@@ -345,6 +345,12 @@ Communication with the Pico HSM follows the same protocols and methods used with
 
 For advanced usage scenarios, refer to the documentation and examples provided. Additionally, the Pico HSM supports the SCS3 tool for more sophisticated operations and includes features like multiple key domains. For detailed information on SCS3 usage, refer to [SCS3 documentation](/doc/scs3.md).
 
+### Important
+OpenSC relies on PCSC driver, which reads a list (`Info.plist`) that contains a pair of VID/PID of supported readers. In order to be detectable, you have several options:
+- Use `pico-hsm-tool.py` to modify VID/PID on-the-fly.
+- Use the pure-browser online [Pico Commissioner](https://www.picokeys.com/pico-commissioner/ "Pico Commissioner") that commissions the Pico Key on-the-fly without external tools.
+- Build and configure the project with the proper VID/PID with `USB_VID` and `USB_PID` parameters in `CMake` (see [Build section](#build "Build section")). Note that you cannot distribute the patched/compiled binary if you do not own the VID/PID or have an explicit authorization.
+
 ## License and Commercial Use
 
 This project is available under two editions:

build_pico_hsm.sh

@@ -1,25 +1,48 @@
 #!/bin/bash
 
 VERSION_MAJOR="6"
-VERSION_MINOR="2"
+VERSION_MINOR="0"
+NO_EDDSA=0
 SUFFIX="${VERSION_MAJOR}.${VERSION_MINOR}"
 #if ! [[ -z "${GITHUB_SHA}" ]]; then
 #    SUFFIX="${SUFFIX}.${GITHUB_SHA}"
 #fi
 
+if [[ $1 == "--no-eddsa" ]]; then
+    NO_EDDSA=1
+    echo "Skipping EDDSA build"
+fi
+
 mkdir -p build_release
 mkdir -p release
+mkdir -p release_eddsa
 rm -rf -- release/*
+if [[ $NO_EDDSA -eq 0 ]]; then
+    rm -rf -- release_eddsa/*
+fi
 cd build_release
 
 PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}"
 SECURE_BOOT_PKEY="${SECURE_BOOT_PKEY:-../../ec_private_key.pem}"
-boards=("pico" "pico2")
-
-for board_name in "${boards[@]}"
+board_dir=${PICO_SDK_PATH}/src/boards/include/boards
+for board in "$board_dir"/*
 do
+    board_name="$(basename -- "$board" .h)"
     rm -rf -- ./*
     PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=${SECURE_BOOT_PKEY}
     make -j`nproc`
     mv pico_hsm.uf2 ../release/pico_hsm_$board_name-$SUFFIX.uf2
 done
+
+# Build with EDDSA
+
+if [[ $NO_EDDSA -eq 0 ]]; then
+    for board in "$board_dir"/*
+    do
+        board_name="$(basename -- "$board" .h)"
+        rm -rf -- ./*
+        PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=${SECURE_BOOT_PKEY} -DENABLE_EDDSA=1
+        make -j`nproc`
+        mv pico_hsm.uf2 ../release_eddsa/pico_hsm_$board_name-$SUFFIX-eddsa1.uf2
+    done
+fi

doc/usage.md

@@ -28,9 +28,9 @@ PIN=648219
 [^1]: `openssl version -a` will return the `OPENSSLDIR`, which contains `openssl.cnf` file and `ENGINESDIR`, which contains the p11 engine.
 
 ## Initialization
-The first step is to initialize the HSM. To do so, use:
+The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder:
 ```
-$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
+$ python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880
 ```
 The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked.
 The PIN accepts from 6 to 16 characters.

src/hsm/cmd_keypair_gen.c

@@ -47,6 +47,9 @@ int cmd_keypair_gen() {
                 if (asn1_find_tag(&ctxo, 0x2, &ks) && asn1_len(&ks) > 0) {
                     key_size = asn1_get_uint(&ks);
                 }
+                printf("KEYPAIR RSA %lu (%lx)\n",
+                       (unsigned long) key_size,
+                       (unsigned long) exponent);
                 mbedtls_rsa_context rsa;
                 mbedtls_rsa_init(&rsa);
                 uint8_t index = 0;
@@ -71,6 +74,7 @@ int cmd_keypair_gen() {
                     return SW_WRONG_DATA();
                 }
                 mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime.data, prime.len);
+                printf("KEYPAIR ECC %d\n", ec_id);
                 if (ec_id == MBEDTLS_ECP_DP_NONE) {
                     return SW_FUNC_NOT_SUPPORTED();
                 }
@@ -88,6 +92,7 @@ int cmd_keypair_gen() {
                     }
 #endif
                 }
+                printf("KEYPAIR ECC %d\r\n", ec_id);
                 mbedtls_ecdsa_context ecdsa;
                 mbedtls_ecdsa_init(&ecdsa);
                 uint8_t index = 0;

src/hsm/cmd_signature.c

@@ -305,6 +305,9 @@ int cmd_signature() {
             mbedtls_ecp_keypair_free(&hd_context);
             return SW_INCORRECT_PARAMS();
         }
+        if (wait_button_pressed() == true) { // timeout
+            return SW_SECURE_MESSAGE_EXEC_ERROR();
+        }
         md = MBEDTLS_MD_SHA256;
         if (mbedtls_ecdsa_write_signature(&hd_context, md, apdu.data, apdu.nc, buf,
                                           MBEDTLS_ECDSA_MAX_LEN,

src/hsm/version.h

@@ -18,7 +18,7 @@
 #ifndef __VERSION_H_
 #define __VERSION_H_
 
-#define HSM_VERSION 0x0602
+#define HSM_VERSION 0x0600
 
 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff)
 #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)

tests/docker/bullseye/Dockerfile

@@ -36,6 +36,10 @@ RUN make install
 RUN make clean
 RUN ldconfig
 WORKDIR /
+RUN git clone https://github.com/polhenarejos/pypicohsm.git
+WORKDIR /pypicohsm
+RUN pip3 install .
+WORKDIR /
 RUN git clone https://github.com/CardContact/sc-hsm-embedded
 WORKDIR /sc-hsm-embedded
 RUN autoreconf -fi

tests/scripts/func.sh

@@ -37,9 +37,7 @@ gen_and_delete() {
     test $? -eq 0 && echo -n "." || exit $?
 }
 reset() {
-    #python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent --no-dev-cert > /dev/null 2>&1
-    rm -f memory.flash
-    tar -xf tests/memory.tar.gz
+    python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent --no-dev-cert > /dev/null 2>&1
     test $? -eq 0 || exit $?
 }
 

tests/start-up-and-test.sh

@@ -2,4 +2,4 @@
 
 source ./tests/startup.sh
 
-# pytest tests -W ignore::DeprecationWarning
+pytest tests -W ignore::DeprecationWarning