Upgrade to version 2.0.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: polhenarejos
+custom: ["https://www.paypal.me/polhenarejos"]

.github/workflows/test.yml

@@ -14,10 +14,10 @@ name: "Emulation and test"
 on:
   workflow_dispatch:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "piv" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches: [ "main", "piv" ]
   schedule:
     - cron: '23 5 * * 4'
 

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "pico-hsm-sdk"]
+[submodule "pico-keys-sdk"]
-	path = pico-hsm-sdk
+	path = pico-keys-sdk
-	url = ../pico-hsm-sdk
+	url = https://github.com/polhenarejos/pico-keys-sdk

CMakeLists.txt

@@ -37,6 +37,7 @@ add_executable(pico_openpgp)
 set(SOURCES ${SOURCES}
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/openpgp.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/files.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/piv.c
         )
 
 set(INCLUDES ${INCLUDES}
@@ -44,7 +45,7 @@ set(INCLUDES ${INCLUDES}
         )
 
 set(USB_ITF_CCID 1)
-include(pico-hsm-sdk/pico_hsm_sdk_import.cmake)
+include(pico-keys-sdk/pico_keys_sdk_import.cmake)
 
 target_sources(pico_openpgp PUBLIC ${SOURCES})
 target_include_directories(pico_openpgp PUBLIC ${INCLUDES})
@@ -75,5 +76,5 @@ pico_add_extra_outputs(pico_openpgp)
 
 #target_compile_definitions(pico_openpgp PRIVATE MBEDTLS_ECDSA_DETERMINISTIC=1)
 
-target_link_libraries(pico_openpgp PRIVATE pico_hsm_sdk pico_stdlib tinyusb_device tinyusb_board pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc)
+target_link_libraries(pico_openpgp PRIVATE pico_keys_sdk pico_stdlib tinyusb_device tinyusb_board pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc)
 endif()

README.md

@@ -56,10 +56,17 @@ If the Pico is stolen the contents of private and secret keys cannot be read wit
 ## Download
 Please, go to the [Release page](https://github.com/polhenarejos/pico-openpgp/releases "Release page"))  and download the UF2 file for your board.
 
-Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you are planning to use it with OpenSC or similar, you should modify Info.plist of CCID driver to add these VID/PID or use the VID/PID patcher as follows: `./patch_vidpid.sh VID:PID input_openpgp_file.uf2 output_openpgp_file.uf2`
+Please, go to the Release page and download the UF2 file for your board.
+
+Note that UF2 files are shiped with a dummy VID/PID to avoid license issues (FEFF:FCFD). If you are planning to use it with OpenSC or similar, you should modify Info.plist of CCID driver to add these VID/PID or use the [Pico Patcher tool](https://www.picokeys.com/pico-patcher/).
+
+Alternatively you can use the legacy VID/PID patcher as follows:
+`./patch_vidpid.sh VID:PID input_hsm_file.uf2 output_hsm_file.uf2`
 
 You can use whatever VID/PID (i.e., 234b:0000 from FISJ), but remember that you are not authorized to distribute the binary with a VID/PID that you do not own.
 
+Note that the pure-browser option [Pico Patcher tool](https://www.picokeys.com/pico-patcher/) is the most recommended. 
+
 ## Build
 Before building, ensure you have installed the toolchain for the Pico and the Pico SDK is properly located in your drive.
 

VERSION

@@ -1 +1 @@
-Version=1.10
+Version=2.0

build_pico_openpgp.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-VERSION_MAJOR="1"
+VERSION_MAJOR="2"
-VERSION_MINOR="10"
+VERSION_MINOR="0"
 
 rm -rf release/*
 cd build_release
@@ -17,6 +17,7 @@ for board in adafruit_feather_rp2040 \
     eetree_gamekit_rp2040 \
     garatronic_pybstick26_rp2040 \
     melopero_shake_rp2040 \
+    nullbits_bit_c_pro \
     pico \
     pico_w \
     pimoroni_badger2040 \
@@ -31,6 +32,7 @@ for board in adafruit_feather_rp2040 \
     pimoroni_servo2040 \
     pimoroni_tiny2040 \
     pimoroni_tiny2040_2mb \
+    pololu_3pi_2040_robot \
     seeed_xiao_rp2040 \
     solderparty_rp2040_stamp \
     solderparty_rp2040_stamp_carrier \
@@ -40,6 +42,8 @@ for board in adafruit_feather_rp2040 \
     sparkfun_thingplus \
     vgaboard \
     waveshare_rp2040_lcd_0.96 \
+    waveshare_rp2040_lcd_1.28 \
+    waveshare_rp2040_one \
     waveshare_rp2040_plus_4mb \
     waveshare_rp2040_plus_16mb \
     waveshare_rp2040_zero \

patch_vidpid.sh

@@ -17,8 +17,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
-VERSION_MAJOR="3" #Version of Pico CCID Core
+VERSION_MAJOR="4" #Version of Pico CCID Core
-VERSION_MINOR="4"
+VERSION_MINOR="0"
 
 echo "----------------------------"
 echo "VID/PID patcher for Pico OpenPGP"

src/openpgp/files.c

@@ -39,6 +39,7 @@ extern int parse_algoinfo(const file_t *f, int mode);
 extern int parse_app_data(const file_t *f, int mode);
 extern int parse_discrete_do(const file_t *f, int mode);
 extern int parse_pw_status(const file_t *f, int mode);
+extern int piv_parse_discovery(const file_t *f);
 
 uint8_t historical_bytes[] = {
     10, 0,
@@ -83,66 +84,403 @@ uint8_t exlen_info[] = {
 };
 
 file_t file_entries[] = {
-    /*  0 */ { .fid = 0x3f00, .parent = 0xff, .name = NULL, .type = FILE_TYPE_DF, .data = NULL, .ef_structure = 0, .acl = ACL_NONE }, // MF
+    /*  0 */ { .fid = 0x3f00, .parent = 0xff, .name = NULL, .type = FILE_TYPE_DF, .data = NULL,
-    /*  1 */ { .fid = EF_FULL_AID, .parent = 0, .name = openpgp_aid_full, .type = FILE_TYPE_WORKING_EF, .data = (uint8_t *)openpgp_aid_full, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = 0, .acl = ACL_NONE },                                                                                  // MF
-    /*  2 */ { .fid = EF_CH_NAME, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /*  1 */ { .fid = EF_FULL_AID, .parent = 0, .name = openpgp_aid_full,
-    /*  3 */ { .fid = EF_LOGIN_DATA, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF, .data = (uint8_t *) openpgp_aid_full,
-    /*  4 */ { .fid = EF_LANG_PREF, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /*  5 */ { .fid = EF_SEX, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /*  2 */ { .fid = EF_CH_NAME, .parent = 0, .name = NULL,
-    /*  6 */ { .fid = EF_URI_URL, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
-    /*  7 */ { .fid = EF_HIST_BYTES, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = historical_bytes, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /*  8 */ { .fid = EF_CH_DATA, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_ch_data, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /*  3 */ { .fid = EF_LOGIN_DATA, .parent = 0, .name = NULL,
-    /*  9 */ { .fid = EF_SEC_TPL, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_sec_tpl, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
-    /* 10 */ { .fid = EF_CH_CERT, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_ch_cert, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 11 */ { .fid = EF_EXLEN_INFO, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = exlen_info, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /*  4 */ { .fid = EF_LANG_PREF, .parent = 0, .name = NULL,
-    /* 12 */ { .fid = EF_GFM, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = feature_mngmnt, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
-    /* 13 */ { .fid = EF_SIG_COUNT, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 14 */ { .fid = EF_EXT_CAP, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = extended_capabilities, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /*  5 */ { .fid = EF_SEX, .parent = 0, .name = NULL,
-    /* 15 */ { .fid = EF_ALGO_SIG, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_algoinfo, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
-    /* 16 */ { .fid = EF_ALGO_DEC, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_algoinfo, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 17 */ { .fid = EF_ALGO_AUT, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_algoinfo, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /*  6 */ { .fid = EF_URI_URL, .parent = 0, .name = NULL,
-    /* 18 */ { .fid = EF_PW_STATUS, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_pw_status, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
-    /* 19 */ { .fid = EF_FP, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_fp, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 20 */ { .fid = EF_FP_SIG, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /*  7 */ { .fid = EF_HIST_BYTES, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF,
-    /* 21 */ { .fid = EF_FP_DEC, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .data = historical_bytes, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 22 */ { .fid = EF_FP_AUT, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /*  8 */ { .fid = EF_CH_DATA, .parent = 0, .name = NULL,
-    /* 23 */ { .fid = EF_CA_FP, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_cafp, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_ch_data,
-    /* 24 */ { .fid = EF_FP_CA1, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 25 */ { .fid = EF_FP_CA2, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /*  9 */ { .fid = EF_SEC_TPL, .parent = 0, .name = NULL,
-    /* 26 */ { .fid = EF_FP_CA3, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_sec_tpl,
-    /* 27 */ { .fid = EF_TS_ALL, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_ts, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 28 */ { .fid = EF_TS_SIG, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 10 */ { .fid = EF_CH_CERT, .parent = 0, .name = NULL,
-    /* 29 */ { .fid = EF_TS_DEC, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_ch_cert,
-    /* 30 */ { .fid = EF_TS_AUT, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 31 */ { .fid = EF_RESET_CODE, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 11 */ { .fid = EF_EXLEN_INFO, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF,
-    /* 32 */ { .fid = EF_UIF_SIG, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .data = exlen_info, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 33 */ { .fid = EF_UIF_DEC, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 12 */ { .fid = EF_GFM, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF,
-    /* 34 */ { .fid = EF_UIF_AUT, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .data = feature_mngmnt, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 35 */ { .fid = EF_KEY_INFO, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_keyinfo, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 13 */ { .fid = EF_SIG_COUNT, .parent = 0, .name = NULL,
-    /* 36 */ { .fid = EF_ALGO_INFO, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_algoinfo, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
-    /* 37 */ { .fid = EF_APP_DATA, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_app_data, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 38 */ { .fid = EF_DISCRETE_DO, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *)parse_discrete_do, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 14 */ { .fid = EF_EXT_CAP, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF,
-    /* 39 */ { .fid = EF_PW1, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+               .data = extended_capabilities, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 40 */ { .fid = EF_RC, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 15 */ { .fid = EF_ALGO_SIG, .parent = 0, .name = NULL,
-    /* 41 */ { .fid = EF_PW3, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_algoinfo,
-    /* 42 */ { .fid = EF_ALGO_PRIV1, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 43 */ { .fid = EF_ALGO_PRIV2, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 16 */ { .fid = EF_ALGO_DEC, .parent = 0, .name = NULL,
-    /* 44 */ { .fid = EF_ALGO_PRIV3, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_algoinfo,
-    /* 45 */ { .fid = EF_PK_SIG, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 46 */ { .fid = EF_PK_DEC, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 17 */ { .fid = EF_ALGO_AUT, .parent = 0, .name = NULL,
-    /* 47 */ { .fid = EF_PK_AUT, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_algoinfo,
-    /* 48 */ { .fid = EF_PB_SIG, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 49 */ { .fid = EF_PB_DEC, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 18 */ { .fid = EF_PW_STATUS, .parent = 0, .name = NULL,
-    /* 50 */ { .fid = EF_PB_AUT, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_pw_status,
-    /* 51 */ { .fid = EF_PW_PRIV, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
-    /* 52 */ { .fid = EF_DEK, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    /* 19 */ { .fid = EF_FP, .parent = 0, .name = NULL,
-    /* 53 */ { .fid = EF_KDF, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_fp,
-    /* 54 */ { .fid = EF_CH_1, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
-    /* 55 */ { .fid = EF_CH_2, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    /* 20 */ { .fid = EF_FP_SIG, .parent = 0, .name = NULL,
-    /* 56 */ { .fid = EF_CH_3, .parent = 0, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 21 */ { .fid = EF_FP_DEC, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 22 */ { .fid = EF_FP_AUT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 23 */ { .fid = EF_CA_FP, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_cafp,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 24 */ { .fid = EF_FP_CA1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 25 */ { .fid = EF_FP_CA2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 26 */ { .fid = EF_FP_CA3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 27 */ { .fid = EF_TS_ALL, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_ts,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 28 */ { .fid = EF_TS_SIG, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 29 */ { .fid = EF_TS_DEC, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 30 */ { .fid = EF_TS_AUT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 31 */ { .fid = EF_RESET_CODE, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 32 */ { .fid = EF_UIF_SIG, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 33 */ { .fid = EF_UIF_DEC, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 34 */ { .fid = EF_UIF_AUT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 35 */ { .fid = EF_KEY_INFO, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_keyinfo,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 36 */ { .fid = EF_ALGO_INFO, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_algoinfo,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 37 */ { .fid = EF_APP_DATA, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_app_data,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 38 */ { .fid = EF_DISCRETE_DO, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_discrete_do,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 39 */ { .fid = EF_PW1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 40 */ { .fid = EF_RC, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 41 */ { .fid = EF_PW3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 42 */ { .fid = EF_ALGO_PRIV1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 43 */ { .fid = EF_ALGO_PRIV2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 44 */ { .fid = EF_ALGO_PRIV3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 45 */ { .fid = EF_PK_SIG, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 46 */ { .fid = EF_PK_DEC, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 47 */ { .fid = EF_PK_AUT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 48 */ { .fid = EF_PB_SIG, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 49 */ { .fid = EF_PB_DEC, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 50 */ { .fid = EF_PB_AUT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 51 */ { .fid = EF_PW_PRIV, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 52 */ { .fid = EF_DEK, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    /* 53 */ { .fid = EF_KDF, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 54 */ { .fid = EF_CH_1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    /* 55 */ { .fid = EF_CH_2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    /* 56 */ { .fid = EF_CH_3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    // ** PIV ** //
+    /* 57 */ { .fid = EF_PIV_ADMIN_DATA, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 58 */ { .fid = EF_PIV_ATTESTATION, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 59 */ { .fid = EF_PIV_MSCMAP, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 60 */ { .fid = EF_PIV_MSROOTS1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 61 */ { .fid = EF_PIV_MSROOTS2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 62 */ { .fid = EF_PIV_MSROOTS3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 63 */ { .fid = EF_PIV_MSROOTS4, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 64 */ { .fid = EF_PIV_MSROOTS5, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 65 */ { .fid = EF_PIV_KEY_AUTHENTICATION, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 66 */ { .fid = EF_PIV_KEY_CARDMGM, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 67 */ { .fid = EF_PIV_KEY_SIGNATURE, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 68 */ { .fid = EF_PIV_KEY_KEYMGM, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 69 */ { .fid = EF_PIV_KEY_CARDAUTH, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 70 */ { .fid = EF_PIV_KEY_RETIRED1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 71 */ { .fid = EF_PIV_KEY_RETIRED2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 72 */ { .fid = EF_PIV_KEY_RETIRED3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 73 */ { .fid = EF_PIV_KEY_RETIRED4, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 74 */ { .fid = EF_PIV_KEY_RETIRED5, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 75 */ { .fid = EF_PIV_KEY_RETIRED6, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 76 */ { .fid = EF_PIV_KEY_RETIRED7, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 77 */ { .fid = EF_PIV_KEY_RETIRED8, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 78 */ { .fid = EF_PIV_KEY_RETIRED9, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 79 */ { .fid = EF_PIV_KEY_RETIRED10, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 80 */ { .fid = EF_PIV_KEY_RETIRED11, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 81 */ { .fid = EF_PIV_KEY_RETIRED12, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 82 */ { .fid = EF_PIV_KEY_RETIRED12, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 83 */ { .fid = EF_PIV_KEY_RETIRED13, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 84 */ { .fid = EF_PIV_KEY_RETIRED14, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 85 */ { .fid = EF_PIV_KEY_RETIRED15, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 86 */ { .fid = EF_PIV_KEY_RETIRED16, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 87 */ { .fid = EF_PIV_KEY_RETIRED17, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 88 */ { .fid = EF_PIV_KEY_RETIRED18, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 89 */ { .fid = EF_PIV_KEY_RETIRED19, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 90 */ { .fid = EF_PIV_KEY_RETIRED20, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 91 */ { .fid = EF_PIV_KEY_ATTESTATION, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 92 */ { .fid = EF_PIV_CAPABILITY, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 93 */ { .fid = EF_PIV_CHUID, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 94 */ { .fid = EF_PIV_AUTHENTICATION, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 95 */ { .fid = EF_PIV_FINGERPRINTS, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 96 */ { .fid = EF_PIV_SECURITY, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 97 */ { .fid = EF_PIV_FACIAL, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 98 */ { .fid = EF_PIV_PRINTED, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 99 */ { .fid = EF_PIV_SIGNATURE, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 100 */ { .fid = EF_PIV_KEY_MANAGEMENT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 101 */ { .fid = EF_PIV_CARD_AUTH, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 102 */ { .fid = EF_PIV_DISCOVERY, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) piv_parse_discovery,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 103 */ { .fid = EF_PIV_KEY_HISTORY, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 104 */ { .fid = EF_PIV_IRIS, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 105 */ { .fid = EF_PIV_BITGT, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 106 */ { .fid = EF_PIV_SM_SIGNER, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 107 */ { .fid = EF_PIV_PC_REF_DATA, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 108 */ { .fid = EF_PIV_RETIRED1, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 109 */ { .fid = EF_PIV_RETIRED2, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 110 */ { .fid = EF_PIV_RETIRED3, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 111 */ { .fid = EF_PIV_RETIRED4, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 112 */ { .fid = EF_PIV_RETIRED5, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 113 */ { .fid = EF_PIV_RETIRED6, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 114 */ { .fid = EF_PIV_RETIRED7, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 115 */ { .fid = EF_PIV_RETIRED8, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 116 */ { .fid = EF_PIV_RETIRED9, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 117 */ { .fid = EF_PIV_RETIRED10, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 118 */ { .fid = EF_PIV_RETIRED11, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 119 */ { .fid = EF_PIV_RETIRED12, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 120 */ { .fid = EF_PIV_RETIRED13, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 121 */ { .fid = EF_PIV_RETIRED14, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 122 */ { .fid = EF_PIV_RETIRED15, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 123 */ { .fid = EF_PIV_RETIRED16, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 124 */ { .fid = EF_PIV_RETIRED17, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 125 */ { .fid = EF_PIV_RETIRED18, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 126 */ { .fid = EF_PIV_RETIRED19, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 127 */ { .fid = EF_PIV_RETIRED20, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
+    /* 128 */ { .fid = EF_PIV_PIN, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 129 */ { .fid = EF_PIV_PUK, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_WP },
+    /* 130 */ { .fid = EF_META, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_NONE },
+    /* 131 */ { .fid = EF_PW_RETRIES, .parent = 0, .name = NULL,
+               .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
+               .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_R_WP },
 
-    /* 57 */ { .fid = 0x0000, .parent = 0, .name = openpgp_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 132 */ { .fid = 0x0000, .parent = 0, .name = openpgp_aid, .type = FILE_TYPE_WORKING_EF,
-    /* 58 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = ACL_NONE } //end
+               .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = ACL_RO },
+    /* 133 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_NOT_KNOWN, .data = NULL,
+               .ef_structure = 0, .acl = ACL_NONE }                                                                                       //end
 };
 
 const file_t *MF = &file_entries[0];

src/openpgp/files.h

@@ -28,6 +28,7 @@
 #define EF_ALGO_PRIV2   0x10c2
 #define EF_ALGO_PRIV3   0x10c3
 #define EF_PW_PRIV      0x10c4
+#define EF_PW_RETRIES   0x10c5
 #define EF_PK_SIG       0x10d1
 #define EF_PK_DEC       0x10d2
 #define EF_PK_AUT       0x10d3
@@ -81,4 +82,83 @@
 #define EF_EXLEN_INFO   0x7f66 //C
 #define EF_GFM          0x7f74 //C
 
+// PIV
+
+#define EF_PIV_PIN  0x1184
+#define EF_PIV_PUK  0x1185
+
+#define EF_PIV_ADMIN_DATA  0xff00
+#define EF_PIV_ATTESTATION 0xff01
+#define	EF_PIV_MSCMAP      0xff10
+#define	EF_PIV_MSROOTS1    0xff11
+#define EF_PIV_MSROOTS2    0xff12
+#define EF_PIV_MSROOTS3    0xff13
+#define EF_PIV_MSROOTS4    0xff14
+#define EF_PIV_MSROOTS5    0xff15
+
+#define EF_PIV_KEY_AUTHENTICATION   0x009a
+#define EF_PIV_KEY_CARDMGM          0x009b
+#define EF_PIV_KEY_SIGNATURE        0x009c
+#define EF_PIV_KEY_KEYMGM           0x009d
+#define EF_PIV_KEY_CARDAUTH         0x009e
+#define EF_PIV_KEY_RETIRED1         0x0082
+#define EF_PIV_KEY_RETIRED2         0x0083
+#define EF_PIV_KEY_RETIRED3         0x0084
+#define EF_PIV_KEY_RETIRED4         0x0085
+#define EF_PIV_KEY_RETIRED5         0x0086
+#define EF_PIV_KEY_RETIRED6         0x0087
+#define EF_PIV_KEY_RETIRED7         0x0088
+#define EF_PIV_KEY_RETIRED8         0x0089
+#define EF_PIV_KEY_RETIRED9         0x008a
+#define EF_PIV_KEY_RETIRED10        0x008b
+#define EF_PIV_KEY_RETIRED11        0x008c
+#define EF_PIV_KEY_RETIRED12        0x008d
+#define EF_PIV_KEY_RETIRED13        0x008e
+#define EF_PIV_KEY_RETIRED14        0x008f
+#define EF_PIV_KEY_RETIRED15        0x0090
+#define EF_PIV_KEY_RETIRED16        0x0091
+#define EF_PIV_KEY_RETIRED17        0x0092
+#define EF_PIV_KEY_RETIRED18        0x0096 // It's 0x93 but assigned to EF_SIG_COUNT
+#define EF_PIV_KEY_RETIRED19        0x0094
+#define EF_PIV_KEY_RETIRED20        0x0095
+#define EF_PIV_KEY_ATTESTATION      0x00fb // It's 0xf9 but assigned to EF_KDF
+
+#define EF_PIV_CAPABILITY       0xc107
+#define EF_PIV_CHUID            0xc102
+#define EF_PIV_AUTHENTICATION   0xc105 /* cert for 9a key */
+#define EF_PIV_FINGERPRINTS     0xc103
+#define EF_PIV_SECURITY         0xc106
+#define EF_PIV_FACIAL           0xc108
+#define EF_PIV_PRINTED          0xc109
+#define EF_PIV_SIGNATURE        0xc10a /* cert for 9c key */
+#define EF_PIV_KEY_MANAGEMENT   0xc10b /* cert for 9d key */
+#define EF_PIV_CARD_AUTH        0xc101 /* cert for 9e key */
+#define EF_PIV_DISCOVERY        0x007e
+#define EF_PIV_KEY_HISTORY      0xc10c
+#define EF_PIV_IRIS             0xc121
+#define EF_PIV_BITGT            0x7f61
+#define EF_PIV_SM_SIGNER        0xc122
+#define EF_PIV_PC_REF_DATA      0xc123
+
+#define EF_PIV_RETIRED1  0xc10d
+#define EF_PIV_RETIRED2  0xc10e
+#define EF_PIV_RETIRED3  0xc10f
+#define EF_PIV_RETIRED4  0xc110
+#define EF_PIV_RETIRED5  0xc111
+#define EF_PIV_RETIRED6  0xc112
+#define EF_PIV_RETIRED7  0xc113
+#define EF_PIV_RETIRED8  0xc114
+#define EF_PIV_RETIRED9  0xc115
+#define EF_PIV_RETIRED10 0xc116
+#define EF_PIV_RETIRED11 0xc117
+#define EF_PIV_RETIRED12 0xc118
+#define EF_PIV_RETIRED13 0xc119
+#define EF_PIV_RETIRED14 0xc11a
+#define EF_PIV_RETIRED15 0xc11b
+#define EF_PIV_RETIRED16 0xc11c
+#define EF_PIV_RETIRED17 0xc11d
+#define EF_PIV_RETIRED18 0xc11e
+#define EF_PIV_RETIRED19 0xc11f
+#define EF_PIV_RETIRED20 0xc120
+
 #endif

src/openpgp/openpgp.h

@@ -23,11 +23,37 @@
 #include <pico/stdlib.h>
 #endif
 
-#include "hsm.h"
+#include "pico_keys.h"
 #include "apdu.h"
+#include "mbedtls/rsa.h"
+#include "mbedtls/ecdsa.h"
 
 extern bool has_pw1;
 extern bool has_pw3;
 
-#endif
+extern int store_keys(void *key_ctx, int type, uint16_t key_id, bool use_kek);
+extern void make_rsa_response(mbedtls_rsa_context *rsa);
+extern void make_ecdsa_response(mbedtls_ecdsa_context *ecdsa);
+extern int ecdsa_sign(mbedtls_ecdsa_context *ctx,
+                      const uint8_t *data,
+                      size_t data_len,
+                      uint8_t *out,
+                      size_t *out_len);
+extern int rsa_sign(mbedtls_rsa_context *ctx,
+                    const uint8_t *data,
+                    size_t data_len,
+                    uint8_t *out,
+                    size_t *out_len);
+extern int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey, bool use_dek);
+extern int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey, bool use_dek);
+extern int pin_reset_retries(const file_t *pin, bool force);
 
+#define ALGO_RSA        0x01
+#define ALGO_ECDH       0x12
+#define ALGO_ECDSA      0x13
+#define ALGO_AES        0x70
+#define ALGO_AES_128    0x71
+#define ALGO_AES_192    0x72
+#define ALGO_AES_256    0x74
+
+#endif

src/openpgp/version.h

@@ -24,9 +24,14 @@
 #define OPGP_VERSION_MINOR (OPGP_VERSION & 0xff)
 
 
-#define PIPGP_VERSION 0x010A
+#define PIPGP_VERSION 0x0200
 
 #define PIPGP_VERSION_MAJOR ((PIPGP_VERSION >> 8) & 0xff)
 #define PIPGP_VERSION_MINOR (PIPGP_VERSION & 0xff)
 
+#define PIV_VERSION 0x0507
+
+#define PIV_VERSION_MAJOR ((PIV_VERSION >> 8) & 0xff)
+#define PIV_VERSION_MINOR (PIV_VERSION & 0xff)
+
 #endif

tests/card_test_personalize_admin_less_1.py

@@ -92,7 +92,7 @@ class Test_Card_Personalize_Adminless_FIRST(object):
 
     def test_pw1_status(self, card):
         s = get_data_object(card, 0xc4)
-        assert match(b'\x00...\x03[\x00\x03]\x03', s, DOTALL)
+        assert match(b'\x01...\x03[\x00\x03]\x03', s, DOTALL)
 
     def test_app_data(self, card):
         app_data = get_data_object(card, 0x6e)

tests/docker/jammy/Dockerfile

@@ -20,12 +20,22 @@ RUN apt install -y libccid \
     python3-pip \
     swig \
     cmake \
+    vsmartcard-vpcd \
     libgcrypt-dev \
+    libssl-dev \
+    check \
+    gengetopt \
     && rm -rf /var/lib/apt/lists/*
 RUN pip3 install pytest pycvc cryptography pyscard
-RUN git clone https://github.com/frankmorgner/vsmartcard.git
+RUN git clone https://github.com/Yubico/yubico-piv-tool
-WORKDIR /vsmartcard/virtualsmartcard
+WORKDIR /yubico-piv-tool
-RUN autoreconf --verbose --install
+RUN git checkout tags/yubico-piv-tool-2.5.1
-RUN ./configure --sysconfdir=/etc
+ADD tests/docker/jammy/yubico-piv-tool.patch /yubico-piv-tool/yubico-piv-tool.patch
-RUN make && make install
+RUN git apply yubico-piv-tool.patch
+RUN mkdir build
+WORKDIR /yubico-piv-tool/build
+RUN cmake .. -DENABLE_HARDWARE_TESTS=1
+RUN make -j`nproc`
+RUN make install
 WORKDIR /
+RUN ldconfig

tests/docker/jammy/yubico-piv-tool.patch

@@ -0,0 +1,68 @@
+diff --git a/lib/tests/api.c b/lib/tests/api.c
+index fb7c1a8..b569ec3 100644
+--- a/lib/tests/api.c
++++ b/lib/tests/api.c
+@@ -515,7 +515,7 @@ START_TEST(test_pin_policy_always) {
+     unsigned char rand[128] = {0};
+ 
+     size_t sig_len = sizeof(signature);
+-    size_t padlen = 256;
++    size_t padlen = 512;
+     unsigned int enc_len;
+     unsigned int data_len;
+ 
+@@ -1009,8 +1009,8 @@ END_TEST
+ START_TEST(test_pin_cache) {
+   ykpiv_rc res;
+   ykpiv_state *local_state;
+-  unsigned char data[256] = {0};
+-  unsigned char data_in[256] = {0};
++  unsigned char data[512] = {0};
++  unsigned char data_in[512] = {0};
+   int len = sizeof(data);
+   size_t len2 = sizeof(data);
+ 
+@@ -1028,17 +1028,17 @@ START_TEST(test_pin_cache) {
+   ck_assert_int_eq(res, YKPIV_OK);
+ 
+   // Verify decryption does not work without auth
+-  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA2048, 0x9a);
++  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA4096, 0x9a);
+   ck_assert_int_eq(res, YKPIV_AUTHENTICATION_ERROR);
+ 
+   // Verify decryption does work when authed
+   res = ykpiv_verify_select(g_state, "123456", 6, NULL, true);
+   ck_assert_int_eq(res, YKPIV_OK);
+-  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA2048, 0x9a);
++  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA4096, 0x9a);
+   ck_assert_int_eq(res, YKPIV_OK);
+ 
+   // Verify PIN policy allows continuing to decrypt without re-verifying
+-  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA2048, 0x9a);
++  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA4096, 0x9a);
+   ck_assert_int_eq(res, YKPIV_OK);
+ 
+   // Create a new ykpiv state, connect, and close it.
+@@ -1059,7 +1059,7 @@ START_TEST(test_pin_cache) {
+   //
+   // Note that you can verify that this fails by rebuilding with
+   // DISABLE_PIN_CACHE set to 1.
+-  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA2048, 0x9a);
++  res = ykpiv_decipher_data(g_state, data_in, (size_t)len, data, &len2, YKPIV_ALGO_RSA4096, 0x9a);
+   ck_assert_int_eq(res, YKPIV_OK);
+ }
+ END_TEST
+diff --git a/tools/confirm.sh b/tools/confirm.sh
+index 81c10ac..4ab15c5 100755
+--- a/tools/confirm.sh
++++ b/tools/confirm.sh
+@@ -20,7 +20,8 @@ echo "WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WA
+ echo "******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* ******* *******" >&0
+ echo >&0
+ echo -n "Are you SURE you wish to proceed?  If so, type 'CONFIRM': " >&0
+-
++echo "0"
++exit 0
+ read CONFIRM
+ if [[ "x$CONFIRM" != "xCONFIRM" ]]; then
+     echo "1"

tests/docker_env.sh

@@ -49,7 +49,7 @@
 : ${MBEDTLS_DOCKER_GUEST:=jammy}
 
 
-DOCKER_IMAGE_TAG="pico-hsm-test:${MBEDTLS_DOCKER_GUEST}"
+DOCKER_IMAGE_TAG="pico-openpgp-test:${MBEDTLS_DOCKER_GUEST}"
 
 # Make sure docker is available
 if ! which docker > /dev/null; then
@@ -79,7 +79,7 @@ ${DOCKER} image build \
     --cache-from=${DOCKER_IMAGE_TAG} \
     --network host \
     --build-arg MAKEFLAGS_PARALLEL="-j ${NUM_PROC}" \
-    tests/docker/${MBEDTLS_DOCKER_GUEST}
+    -f tests/docker/${MBEDTLS_DOCKER_GUEST}/Dockerfile .
 
 run_in_docker()
 {

tests/scripts/attestation.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+
+echo -n "  Fetch attestation certificate... "
+piv read-cert -sf9 -o sf9.pem
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+algs=("RSA1024" "RSA2048" "ECCP256" "ECCP384")
+slots=("9a" "9c" "9d" "9e" "82" "83" "84" "85" "86" "87" "88" "89" "8a" "8b" "8c" "8d" "8e" "8f" "90" "91" "92" "93" "94" "95")
+for alg in ${algs[*]}; do
+    for slot in ${slots[*]}; do
+        echo "  Test attestation with ${alg} in slot ${slot}"
+        echo -n "    Keygen... "
+        gen_and_check $alg $slot && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    Fetch attesting certificate... "
+        piv attest -s$slot -o attestation.pem
+        test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    OpenSSL verify attestation... "
+        e=$(openssl verify -CAfile sf9.pem attestation.pem 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q ": OK" <<< $e && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    Key deletion... "
+        delete_key $alg $slot && echo -e ".\t${OK}" || exit $?
+
+    done
+done
+
+rm -rf cert.pem
+rm -rf sf9.pem

tests/scripts/cli-test.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+chmod a+x tests/scripts/*.sh
+
+echo "======== CLI Test suite ========"
+./tests/scripts/yubico-piv-tool.sh

tests/scripts/func.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+OK="\033[32mok\033[0m"
+FAIL="\033[31mfail\033[0m"
+
+READER="u"
+
+piv() {
+    yubico-piv-tool -r${READER} -a$@
+}
+
+gen_and_check() {
+    e=$(piv generate -s$2 -A$1 -opublic.pem 2>&1)
+    test $? -eq 0 && echo -n "." || exit $?
+    grep -q "Successfully generated a new private key" <<< $e && echo -n "." || exit $?
+    e=$(piv status 2>&1)
+    e=${e//$'\t'/}
+    e=${e//$'\n'/}
+    test $? -eq 0 && echo -n "." || exit $?
+    grep -q "Slot $2:Algorithm:$1" <<< $e && echo -n "." || exit $?
+}
+delete_key() {
+    piv delete-key -s$2 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    piv delete-cert -s$2 > /dev/null 2>&1
+    test $? -eq 0 && echo -n "." || exit $?
+    e=$(piv status 2>&1)
+    test $? -eq 0 && echo -n "." || exit $?
+    q=$(grep -q "Slot $2: Algorithm: $1" <<< $e)
+    test $? -eq 1 && echo -n "." || exit $?
+    rm -rf public.pem
+}
+gen_and_delete() {
+    gen_and_check $1 $2
+    test $? -eq 0 && echo -n "." || exit $?
+    delete_key $1 $2
+    test $? -eq 0 && echo -n "." || exit $?
+}

tests/scripts/keygen.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+
+algs=("RSA1024" "RSA2048" "ECCP256" "ECCP384")
+slots=("9a" "9c" "9d" "9e" "82" "83" "84" "85" "86" "87" "88" "89" "8a" "8b" "8c" "8d" "8e" "8f" "90" "91" "92" "93" "94" "95")
+for alg in ${algs[*]}; do
+    for slot in ${slots[*]}; do
+        echo -n "  Test ${alg} in slot ${slot}... "
+        gen_and_delete ${alg} $slot && echo -e ".\t${OK}" || exit $?
+    done
+done

tests/scripts/signatures.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+
+algs=("RSA1024" "RSA2048" "ECCP256" "ECCP384")
+slots=("9a" "9c" "9d" "9e" "82" "83" "84" "85" "86" "87" "88" "89" "8a" "8b" "8c" "8d" "8e" "8f" "90" "91" "92" "93" "94" "95")
+for alg in ${algs[*]}; do
+    for slot in ${slots[*]}; do
+        echo "  Test signature with ${alg} in slot ${slot}"
+        echo -n "    Keygen... "
+        gen_and_check $alg $slot && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    Test request certificate... "
+        e=$(piv verify -arequest -P123456 -s$slot -S'/CN=bar/OU=test/O=example.com/' -ipublic.pem -ocert.pem 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q "Successfully verified PIN" <<< $e && echo -n "." || exit $?
+        grep -q "Successfully generated a certificate request" <<< $e && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    OpenSSL verify request... "
+        e=$(openssl req -verify -in cert.pem 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q " OK" <<< $e && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    Test self-signed certificate... "
+        e=$(piv verify -aselfsign -P123456 -s$slot -S'/CN=bar/OU=test/O=example.com/' -ipublic.pem -ocert.pem 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q "Successfully verified PIN" <<< $e && echo -n "." || exit $?
+        grep -q "Successfully generated a new self signed certificate" <<< $e && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    Test signature... "
+        e=$(piv verify-pin -atest-signature -s$slot -P123456 -icert.pem 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q "Successful" <<< $e && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    OpenSSL verify cert... "
+        e=$(openssl verify -CAfile cert.pem cert.pem 2>&1)
+        test $? -eq 0 && echo -n "." || exit $?
+        grep -q ": OK" <<< $e && echo -e ".\t${OK}" || exit $?
+
+        echo -n "    Key deletion... "
+        delete_key $alg $slot && echo -e ".\t${OK}" || exit $?
+
+    done
+done
+
+rm -rf cert.pem

tests/scripts/version.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+
+# Get version
+echo -n "  Test version... "
+e=$(piv version 2>&1)
+test $? -eq 0 && echo -n "." || exit $?
+grep -q "Application version" <<< $e && echo -n "." || exit $?
+grep -q " found" <<< $e && echo -e ".\t${OK}" || exit $?

tests/scripts/yubico-piv-test.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+reset
+test $? -eq 0 || exit $?
+
+echo -n "  Test PKCS11 tool..."
+gen_and_check rsa:2048
+test $? -eq 0 && echo -n "." || exit $?
+e=$(pkcs11-tool --test -l --pin 648219 2>&1)
+test $? -eq 0 && echo -n "." || exit $?
+grep -q "No errors" <<< $e && echo -n "." || exit $?
+pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1
+test $? -eq 0 && echo -e ".\t${OK}" || exit $?
+#e=$(pkcs11-tool --test-ec -l --pin 648219 --id 1 --key-type ec:secp256r1 2>&1)
+#test $? -eq 0 && echo -n "." || exit $?
+#grep -q "==> OK" <<< $e && echo -e ".\t${OK}" || exit $?

tests/scripts/yubico-piv-tool.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+source ./tests/scripts/func.sh
+echo "==== Test version ===="
+./tests/scripts/version.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test asymmetric keygen ===="
+./tests/scripts/keygen.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test self-signed certificates ===="
+./tests/scripts/signatures.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}
+
+echo "==== Test attestation ===="
+./tests/scripts/attestation.sh
+test $? -eq 0 || {
+    echo -e "\t${FAIL}"
+    exit 1
+}

tests/start-up-and-test.sh

@@ -1,7 +1,30 @@
-#!/bin/bash -eu
+#!/bin/bash
 
+OK="\t\033[32mok\033[0m"
+FAIL="\t\033[31mfail\033[0m"
+
+fail() {
+    echo -e "${FAIL}"
+    exit 1
+}
+
+echo -n "Start PCSC..."
 /usr/sbin/pcscd &
-sleep 2
+test $? -eq 0 && echo -e "${OK}" || {
-rm -rf memory.flash
+    echo -e "${FAIL}"
-./build_in_docker/pico_openpgp > /dev/null &
+    exit 1
+}
+sleep 1
+rm -f memory.flash
+echo -n "Start Pico OpenPGP..."
+./build_in_docker/pico_openpgp > /dev/null 2>&1 &
+test $? -eq 0 && echo -n "." || fail
+sleep 1
+ATR="3b:da:18:ff:81:b1:fe:75:1f:03:00:31:f5:73:c0:01:60:00:90:00:1c"
+e=$(opensc-tool -an 2>&1)
+grep -q "${ATR}" <<< $e && echo -n "." || fail
+test $? -eq 0 && echo -e "${OK}" || fail
+
 pytest tests -W ignore::DeprecationWarning
+
+./tests/scripts/cli-test.sh