pico-hsm

mirror of https://github.com/polhenarejos/pico-hsm.git synced 2024-09-20 11:20:08 +00:00

Author	SHA1	Message	Date
Pol Henarejos	ab2e71cc40	By default, all CVC are self-generated (chr=car). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:16:53 +02:00
Pol Henarejos	f79fe9f7d0	Fix when no DKEK is present. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-14 01:16:33 +02:00
Pol Henarejos	6956587106	Add newline at the end of file. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 23:31:09 +02:00
Pol Henarejos	349df56b09	Missing header. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 15:00:05 +02:00
Pol Henarejos	e6f082d512	Splitting cmd_xxx() functions in separate files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 14:59:27 +02:00
Pol Henarejos	87feed1222	Renaming KEK files. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 13:47:43 +02:00
Pol Henarejos	55c8a66613	Fix wrap/unwrap keys with specific allowed algorithms. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 02:58:36 +02:00
Pol Henarejos	2e88422c86	Fix deleting KEK when a key is present in the key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:50:22 +02:00
Pol Henarejos	da841b82d4	Fix deleting KEK. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:48:05 +02:00
Pol Henarejos	9256a72c3e	Added XKEK derivation to save the KEK from XKEK key domain. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:55 +02:00
Pol Henarejos	69120cc961	Added cvc_get_ext() to find CVC extensions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:43:35 +02:00
Pol Henarejos	06aaf58f0b	Added extension optional parameter to be included in the CVC body. This field should be a concatenation of tag 73, which should include an OID and a context. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-13 00:07:24 +02:00
Pol Henarejos	12e5a586d2	Adding support for XKEK CVC extension. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 22:18:21 +02:00
Pol Henarejos	0e76ed7077	Adding OID for CVC extensions. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 21:12:56 +02:00
Pol Henarejos	be911a7aa7	Clearing hash, just in case. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:55:07 +02:00
Pol Henarejos	0556a528f3	Fix DKEK key domain creation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:51:59 +02:00
Pol Henarejos	de789cef66	Fix Key Domain deletion. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:46:08 +02:00
Pol Henarejos	7208d01547	Adding XKEK Key Domain creation. It validates the membership and creates a XKEK Key Domain. XKEK Key Domains can only be created based on memberships for THAT device. A device can only create XKEK Key Domains with memberships issued for itself. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 19:36:10 +02:00
Pol Henarejos	46cb0a455d	Fix DKEK are only created when requested and not by default. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 14:01:19 +02:00
Pol Henarejos	300e19b612	Moving to mbedtls_platform_zeroize() for better zeroization. Also added more zeroization when a private/secret key is loaded in memory. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:52:37 +02:00
Pol Henarejos	2666573050	Fix dkek status report when device is initialized without dkek. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 01:00:27 +02:00
Pol Henarejos	5506b46c9d	Fix finding MKEK file. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:57:08 +02:00
Pol Henarejos	7b27cb7a1c	MKEK is also stored with SO encryption. A copy of MKEK is also stored but encrypted with SO-PIN. Thus, we always ensure that we have an operative copy of MKEK, either with PIN and/or SO-PIN. If user resets PIN, the MKEK is loaded with SO-PIN and stored with the derived key from new PIN. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:41:04 +02:00
Pol Henarejos	84a70a1de0	Adding MKEK_SO file descriptor. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:39:25 +02:00
Pol Henarejos	1756ec49ad	When user resets retry counter and sends the SO-PIN (P1=0x0) it becomes authenticated in this session. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:29:34 +02:00
Pol Henarejos	7b286b04b1	Introducing MKEK (Master Key Encryption Key). MKEK is used to encrypt all keys in the device, regardless of Key Domains or DKEK. From now on, all keys are encrypted using an AES 256-bit secret key. MKEK is also encrypted and stored based on a derived key from PIN. When user introduces the PIN, the MKEK can be unlocked to load the stored private/secret keys. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-12 00:20:02 +02:00
Pol Henarejos	a731e88c78	Adding MKEK ef id. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-11 22:59:54 +02:00
Pol Henarejos	ffd31f2ea7	Memset kcv to 0 always when called. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:58:01 +02:00
Pol Henarejos	356eeea505	Added support for ECDH_XKEK. Note that it is unfinished. ECDH_XKEK is utilized for deriving and setting the KEK, based on the calc DH secret. It should not return anything, just SW_OK (this is not what is happening right now). Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:51:41 +02:00
Pol Henarejos	34d9469157	When creating XKEK domain, it returns key domain UID. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:29:08 +02:00
Pol Henarejos	36b1bf9875	Added ECDH algorithms for XKEK and AUT. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-10 23:28:44 +02:00
Pol Henarejos	7badd19a07	Upgrading PICO SDK to v1.4 and adding new boards. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 01:28:39 +02:00
Pol Henarejos	f122a9ab28	Upgrade to version 2.6. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 00:42:58 +02:00
Pol Henarejos	14dbad4dd7	Do not return PIN unitialized if PKA is enabled. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 00:27:53 +02:00
Pol Henarejos	cdce9ab50b	Adding pka_enabled() to check whether the device is configured with PKA. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 00:26:56 +02:00
Pol Henarejos	30d3270e1d	Adding clarification on setting PKA and PIN with SCS3. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-09 00:26:35 +02:00
Pol Henarejos	157923decc	Clafiricate docs about PKA and PIN Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-06 01:44:24 +02:00
Pol Henarejos	7bbcbc57eb	Removing unnecessary debug. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-06 01:36:03 +02:00
Pol Henarejos	9074463f4e	Added clarification on PKA and PIN DKEK is protected in the device with a derived key from the PIN number. Unfortunately, SCS3 does not support the combination of PKA and PIN but OpenSC does. This is explained here. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-06 01:27:51 +02:00
Pol Henarejos	3ebf4fdff5	User authentication is unlinked from session_pin Due to PUK Authentication, user authentication is not linked to having a valid session_pin anymore. In case of enabled PUK Auth, session_pin is used only for unlocking DKEK, but not for granting auth privileges, as they only are granted when PUK Auth succeeds. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-08-06 01:13:09 +02:00
Pol Henarejos	77e5fa2d2b	Added static files for device key and certiticate. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-15 15:57:54 +02:00
Pol Henarejos	6bd2e65459	Add function for building PrKD asn1 Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-15 15:38:11 +02:00
Pol Henarejos	3363e9ad0c	Updating ccid. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 19:12:31 +02:00
Pol Henarejos	d1f0f45525	Added support for native PKCS1.5 and OEP decryption. It is not tested, as it is not supported by pkcs11 modules. For instance, OpenSSL implements OEP in local side, calling a RAW decryption on the device. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 17:00:23 +02:00
Pol Henarejos	efc1b4a4ae	Fix meta deletion. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 16:45:06 +02:00
Pol Henarejos	a45303d9e6	Added support for specific purposes. Added support for SHA512 operations. Keys can only be used for the specific purpose provided during the keypair generation. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 16:12:04 +02:00
Pol Henarejos	871ff69f56	Fix critical bug. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-14 11:46:44 +02:00
Pol Henarejos	d4b4289c0b	Update extra_command.md Added explanation for Key usage counter.	2022-06-14 11:27:49 +02:00
Pol Henarejos	32af000435	Upgrading to version 2.4. Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>	2022-06-13 19:39:35 +02:00
Pol Henarejos	64178192ad	Update README.md Added PKA description.	2022-06-13 15:03:46 +02:00

1 2 3 4 5 ...

484 Commits