Adding --pin parameter for initialization.

If provided, it unlocks MKEK before initialization.
If not, it will generate a new MKEK and device certificate.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

tools/pico-hsm-tool.py

@@ -59,10 +59,12 @@ def send_apdu(card, command, p1, p2, data):
 def parse_args():
     parser = argparse.ArgumentParser()
     subparser = parser.add_subparsers(title="commands", dest="command")
-    _ = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
+    parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
+    parser_init.add_argument('--pin', help='PIN number')
 
     parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.')
-    parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID', required=True)
+    parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID')
+    parser_attestate.add_argument('--key-file', help='The request certificate of key', metavar='FILENAME')
 
     parser_pki = subparser.add_parser('pki', help='Performs PKI operations.')
     subparser_pki = parser_pki.add_subparsers(title='commands', dest='subcommand')
@@ -107,7 +109,7 @@ def pki(card, args):
         if (args.default is True):
             get_pki_certs(certs_dir=args.certs_dir, force=args.force)
 
-def initialize(card):
+def initialize(card, args):
     print('********************************')
     print('*   PLEASE READ IT CAREFULLY   *')
     print('********************************')
@@ -117,9 +119,17 @@ def initialize(card):
     print('Are you sure?')
     _ = input('[Press enter to confirm]')
 
-    reset_data = [0x80, 0x02, 0x00, 0x01, 0x81, 0x06, 0x36, 0x34, 0x38,
-                0x32, 0x31,
-                0x39, 0x82, 0x08, 0x35, 0x37, 0x36, 0x32, 0x31, 0x38,
+    if (args.pin):
+        pin = args.pin.encode()
+        try:
+            response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+        except APDUResponse:
+            pass
+    else:
+            pin = b'648219'
+
+    pin_data = [0x81, len(pin)] + list(pin)
+    reset_data = [0x80, 0x02, 0x00, 0x01] + pin_data + [0x82, 0x08, 0x35, 0x37, 0x36, 0x32, 0x31, 0x38,
                 0x38, 0x30, 0x91, 0x01, 0x03]
     response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
 
@@ -137,7 +147,6 @@ def initialize(card):
         j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
 
     response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f, 0x02])
-    pin = b'648219'
     response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
 
     apdu_data = [0x54, 0x02, 0x00, 0x00] + \
@@ -160,7 +169,6 @@ def attestate(card, args):
         sys.exit(1)
 
     devcert = ASN1().decode(response).find(0x7f21, pos=0).data(return_tag=True)
-    dica = ASN1().decode(response).find(0x7f21, pos=1).data(return_tag=True)
 
     try:
         cert = send_apdu(card, 0xB1, 0xCE, kid, [0x54, 0x02, 0x00, 0x00])
@@ -206,9 +214,9 @@ def attestate(card, args):
         print(f'Key {kid} is NOT generated by device {chr.decode()}')
 
 def main(args):
-    print('Pico HSM burning certificates tool v1.1')
+    print('Pico HSM Tool v1.2')
     print('Author: Pol Henarejos')
-    print('Report bugs to https://github.com/polhenarejos/pico-hsm/')
+    print('Report bugs to https://github.com/polhenarejos/pico-hsm/issues')
     print('')
     print('')
     cardtype = AnyCardType()
@@ -225,7 +233,7 @@ def main(args):
 
     # Following commands may raise APDU exception on error
     if (args.command == 'initialize'):
-        initialize(card)
+        initialize(card, args)
     elif (args.command == 'attestate'):
         attestate(card, args)
     elif (args.command == 'pki'):