Added PUK authentication.

Surprisingly, it works from the very beginning. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2024-09-20 11:20:08 +00:00 · 2022-06-12 17:43:50 +02:00 · 2022-06-12 17:43:50 +02:00 · 914020fd36
commit 914020fd36
parent 168a8cd5a6
2 changed files with 12 additions and 2 deletions
--- a/src/hsm/cvc.h
+++ b/src/hsm/cvc.h
@ -45,5 +45,6 @@ extern const uint8_t *cvc_get_chr(const uint8_t *data, size_t len, size_t *olen)
 extern const uint8_t *cvc_get_pub(const uint8_t *data, size_t len, size_t *olen);
 extern int cvc_verify(const uint8_t *cert, size_t cert_len, const uint8_t *ca, size_t ca_len);
 extern mbedtls_ecp_group_id cvc_inherite_ec_group(const uint8_t *ca, size_t ca_len);
+extern int puk_verify(const uint8_t *sig, size_t sig_len, const uint8_t *hash, size_t hash_len, const uint8_t *ca, size_t ca_len);

 #endif
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
@ -2316,9 +2316,18 @@ int cmd_pso() {
 int cmd_external_authenticate() {
    if (P1(apdu) != 0x0 || P2(apdu) != 0x0)
        return SW_INCORRECT_P1P2();
-    uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t));
-    
+    if (ef_puk_aut == NULL)
+        return SW_REFERENCE_NOT_FOUND();
+    if (apdu.nc == 0)
+        return SW_WRONG_LENGTH();
+    uint8_t *input = (uint8_t *)calloc(dev_name_len+challenge_len, sizeof(uint8_t)), hash[32];
+    memcpy(input, dev_name, dev_name_len);
+    memcpy(input+dev_name_len, challenge, challenge_len);
+    hash256(input, dev_name_len+challenge_len, hash);
+    int r = puk_verify(apdu.data, apdu.nc, hash, 32, file_get_data(ef_puk_aut), file_get_size(ef_puk_aut));
    free(input);
+    if (r != 0)
+        return SW_CONDITIONS_NOT_SATISFIED();
    return SW_OK();
 }