dba614ed36
and add the Enterprise / Commercial licensing option.
Main changes:
- Replace GPLv3 headers with AGPLv3 headers in source files.
- Update LICENSE file to the full AGPLv3 text.
- Add ENTERPRISE.md describing the dual-licensing model:
* Community Edition: AGPLv3 (strong copyleft, including network use).
* Enterprise / Commercial Edition: proprietary license for production /
multi-user / OEM use without the obligation to disclose derivative code.
- Update README with a new "License and Commercial Use" section pointing to
ENTERPRISE.md and clarifying how companies can obtain a commercial license.
Why this change:
- AGPLv3 ensures that modified versions offered as a service or deployed
in production environments must provide corresponding source code.
- The Enterprise / Commercial edition provides organizations with an
alternative proprietary license that allows internal, large-scale, or OEM
use (bulk provisioning, policy enforcement, inventory / revocation,
custom attestation, signed builds) without AGPL disclosure obligations.
This commit formally marks the first release that is dual-licensed:
AGPLv3 for the Community Edition and a proprietary commercial license
for Enterprise customers.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
135 lines
5.8 KiB
C
135 lines
5.8 KiB
C
/*
|
|
* This file is part of the Pico HSM distribution (https://github.com/polhenarejos/pico-hsm).
|
|
* Copyright (c) 2022 Pol Henarejos.
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published by
|
|
* the Free Software Foundation, version 3.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#ifndef _SC_HSM_H_
|
|
#define _SC_HSM_H_
|
|
|
|
#include <stdlib.h>
|
|
#ifndef ESP_PLATFORM
|
|
#include "common.h"
|
|
#else
|
|
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
|
#endif
|
|
#include "mbedtls/rsa.h"
|
|
#include "mbedtls/ecdsa.h"
|
|
#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
|
|
#include "pico/stdlib.h"
|
|
#endif
|
|
#include "file.h"
|
|
#include "apdu.h"
|
|
#include "pico_keys.h"
|
|
#include "usb.h"
|
|
|
|
#define MAX_APDU_DATA (USB_BUFFER_SIZE - 20)
|
|
|
|
extern const uint8_t sc_hsm_aid[];
|
|
|
|
#define ALGO_RSA_RAW 0x20 /* RSA signature with external padding */
|
|
#define ALGO_RSA_DECRYPT 0x21 /* RSA raw decrypt */
|
|
#define ALGO_RSA_DECRYPT_PKCS1 0x22
|
|
#define ALGO_RSA_DECRYPT_OEP 0x23
|
|
#define ALGO_RSA_PKCS1 0x30 /* RSA signature with DigestInfo input and PKCS#1 V1.5 padding */
|
|
#define ALGO_RSA_PKCS1_SHA1 0x31 /* RSA signature with SHA-1 hash and PKCS#1 V1.5 padding */
|
|
#define ALGO_RSA_PKCS1_SHA224 0x32
|
|
#define ALGO_RSA_PKCS1_SHA256 0x33 /* RSA signature with SHA-256 hash and PKCS#1 V1.5 padding */
|
|
#define ALGO_RSA_PKCS1_SHA384 0x34
|
|
#define ALGO_RSA_PKCS1_SHA512 0x35
|
|
|
|
#define ALGO_RSA_PSS 0x40 /* RSA signature with external hash and PKCS#1 PSS padding*/
|
|
#define ALGO_RSA_PSS_SHA1 0x41 /* RSA signature with SHA-1 hash and PKCS#1 PSS padding */
|
|
#define ALGO_RSA_PSS_SHA224 0x42
|
|
#define ALGO_RSA_PSS_SHA256 0x43 /* RSA signature with SHA-256 hash and PKCS#1 PSS padding */
|
|
#define ALGO_RSA_PSS_SHA384 0x44
|
|
#define ALGO_RSA_PSS_SHA512 0x45
|
|
|
|
#define ALGO_EC_RAW 0x70 /* ECDSA signature with hash input */
|
|
#define ALGO_EC_SHA1 0x71 /* ECDSA signature with SHA-1 hash */
|
|
#define ALGO_EC_SHA224 0x72 /* ECDSA signature with SHA-224 hash */
|
|
#define ALGO_EC_SHA256 0x73 /* ECDSA signature with SHA-256 hash */
|
|
#define ALGO_EC_SHA384 0x74
|
|
#define ALGO_EC_SHA512 0x75
|
|
#define ALGO_EC_DH 0x80 /* ECDH key derivation */
|
|
#define ALGO_EC_DH_AUTPUK 0x83
|
|
#define ALGO_EC_DH_XKEK 0x84
|
|
#define ALGO_HD 0xA0
|
|
|
|
#define ALGO_WRAP 0x92
|
|
#define ALGO_UNWRAP 0x93
|
|
#define ALGO_REPLACE 0x94
|
|
|
|
#define ALGO_EC_DERIVE 0x98 /* Derive EC key from EC key */
|
|
|
|
#define ALGO_AES_CBC_ENCRYPT 0x10
|
|
#define ALGO_AES_CBC_DECRYPT 0x11
|
|
#define ALGO_AES_CMAC 0x18
|
|
#define ALGO_EXT_CIPHER_ENCRYPT 0x51 /* Extended ciphering Encrypt */
|
|
#define ALGO_EXT_CIPHER_DECRYPT 0x52 /* Extended ciphering Decrypt */
|
|
#define ALGO_AES_DERIVE 0x99
|
|
|
|
#define HSM_OPT_RRC 0x0001
|
|
#define HSM_OPT_TRANSPORT_PIN 0x0002
|
|
#define HSM_OPT_SESSION_PIN 0x0004
|
|
#define HSM_OPT_SESSION_PIN_EXPL 0x000C
|
|
#define HSM_OPT_REPLACE_PKA 0x0008
|
|
#define HSM_OPT_COMBINED_AUTH 0x0010
|
|
#define HSM_OPT_RRC_RESET_ONLY 0x0020
|
|
#define HSM_OPT_BOOTSEL_BUTTON 0x0100
|
|
#define HSM_OPT_KEY_COUNTER_ALL 0x0200
|
|
#define HSM_OPT_SECURE_LOCK 0x0400
|
|
|
|
#define PRKD_PREFIX 0xC4 /* Hi byte in file identifier for PKCS#15 PRKD objects */
|
|
#define CD_PREFIX 0xC8 /* Hi byte in file identifier for PKCS#15 CD objects */
|
|
#define DCOD_PREFIX 0xC9 /* Hi byte in file identifier for PKCS#15 DCOD objects */
|
|
#define CA_CERTIFICATE_PREFIX 0xCA /* Hi byte in file identifier for CA certificates */
|
|
#define KEY_PREFIX 0xCC /* Hi byte in file identifier for key objects */
|
|
#define PROT_DATA_PREFIX 0xCD /* Hi byte in file identifier for PIN protected data objects */
|
|
#define EE_CERTIFICATE_PREFIX 0xCE /* Hi byte in file identifier for EE certificates */
|
|
#define DATA_PREFIX 0xCF /* Hi byte in file identifier for readable data objects */
|
|
|
|
#define P15_KEYTYPE_RSA 0x30
|
|
#define P15_KEYTYPE_ECC 0xA0
|
|
#define P15_KEYTYPE_AES 0xA8
|
|
|
|
#define MAX_PUK 8
|
|
|
|
extern int pin_reset_retries(const file_t *pin, bool);
|
|
extern int pin_wrong_retry(const file_t *pin);
|
|
|
|
extern void hash(const uint8_t *input, uint16_t len, uint8_t output[32]);
|
|
extern uint16_t get_device_options();
|
|
extern bool has_session_pin, has_session_sopin;
|
|
extern uint8_t session_pin[32], session_sopin[32];
|
|
extern uint16_t check_pin(const file_t *pin, const uint8_t *data, uint16_t len);
|
|
extern bool pka_enabled();
|
|
extern const uint8_t *dev_name;
|
|
extern uint16_t dev_name_len;
|
|
extern uint8_t puk_status[MAX_PUK];
|
|
extern int puk_store_select_chr(const uint8_t *chr);
|
|
extern int delete_file(file_t *ef);
|
|
extern const uint8_t *get_meta_tag(file_t *ef, uint16_t meta_tag, uint16_t *tag_len);
|
|
extern bool key_has_purpose(file_t *ef, uint8_t purpose);
|
|
extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey);
|
|
extern int load_private_key_ec(mbedtls_ecp_keypair *ctx, file_t *fkey);
|
|
extern int load_private_key_ecdh(mbedtls_ecp_keypair *ctx, file_t *fkey);
|
|
extern bool wait_button_pressed();
|
|
extern int store_keys(void *key_ctx, int type, uint8_t key_id);
|
|
extern int find_and_store_meta_key(uint8_t key_id);
|
|
extern uint32_t get_key_counter(file_t *fkey);
|
|
extern uint32_t decrement_key_counter(file_t *fkey);
|
|
|
|
#endif
|