From 138af5c113d50464015ace7374f9b60246297d48 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Wed, 24 Aug 2022 17:47:28 +0200
Subject: [PATCH] Adding --pin parameter for initialization. If provided, it unlocks MKEK before initialization. If not, it will generate a new MKEK and device certificate.
Signed-off-by: Pol Henarejos
---
 tools/pico-hsm-tool.py | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
 mode change 100644 => 100755 tools/pico-hsm-tool.py
diff --git a/tools/pico-hsm-tool.py b/tools/pico-hsm-tool.py
old mode 100644
new mode 100755
index dee49cc..bc7a649
--- a/tools/pico-hsm-tool.py
+++ b/tools/pico-hsm-tool.py
@@ -59,10 +59,12 @@ def send_apdu(card, command, p1, p2, data):
 def parse_args():
 parser = argparse.ArgumentParser()
 subparser = parser.add_subparsers(title="commands", dest="command")
- _ = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
+ parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.')
+ parser_init.add_argument('--pin', help='PIN number')
 parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.')
- parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID', required=True)
+ parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID')
+ parser_attestate.add_argument('--key-file', help='The request certificate of key', metavar='FILENAME')
 parser_pki = subparser.add_parser('pki', help='Performs PKI operations.')
 subparser_pki = parser_pki.add_subparsers(title='commands', dest='subcommand')
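Review bot: Taking the PIN as a plain `--pin VALUE` on the `parser_init.add_argument('--pin', help='PIN number')` line leaves the secret in shell history and visible to other local users through the process list for the whole run; declaring it as `parser_init.add_argument('--pin', nargs='?', const='', help=...)` and calling `getpass.getpass('PIN: ')` when the value is empty avoids both. The help text should also say what the PIN does, e.g. `'Current user PIN; if given it is verified to unlock the MKEK before re-initialization, otherwise the default PIN is used'`, since a user reading `--help` cannot otherwise know there is a default-PIN fallback. Dropping `required=True` from `-k/--key` while adding `--key-file` leaves attestate invocable with neither or both; `group = parser_attestate.add_mutually_exclusive_group(required=True)` with the two `add_argument` calls moved onto `group` enforces exactly one. No hunk in this patch reads `args.key_file`, so whether attestate handles it at all is not visible here.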
@@ -107,7 +109,7 @@ def pki(card, args):
 if (args.default is True):
 get_pki_certs(certs_dir=args.certs_dir, force=args.force)
-def initialize(card):
+def initialize(card, args):
 print('********************************')
 print('* PLEASE READ IT CAREFULLY *')
 print('********************************')
@@ -117,9 +119,17 @@ def initialize(card):
 print('Are you sure?')
 _ = input('[Press enter to confirm]')
- reset_data = [0x80, 0x02, 0x00, 0x01, 0x81, 0x06, 0x36, 0x34, 0x38,
- 0x32, 0x31,
- 0x39, 0x82, 0x08, 0x35, 0x37, 0x36, 0x32, 0x31, 0x38,
+ if (args.pin):
+ pin = args.pin.encode()
+ try:
+ response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+ except APDUResponse:
+ pass
+ else:
+ pin = b'648219'
+
+ pin_data = [0x81, len(pin)] + list(pin)
+ reset_data = [0x80, 0x02, 0x00, 0x01] + pin_data + [0x82, 0x08, 0x35, 0x37, 0x36, 0x32, 0x31, 0x38,
 0x38, 0x30, 0x91, 0x01, 0x03]
 response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
@@ -137,7 +147,6 @@ def initialize(card):
 j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
 response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f, 0x02])
- pin = b'648219'
 response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
 apdu_data = [0x54, 0x02, 0x00, 0x00] + \
@@ -160,7 +169,6 @@ def attestate(card, args):
 sys.exit(1)
 devcert = ASN1().decode(response).find(0x7f21, pos=0).data(return_tag=True)
- dica = ASN1().decode(response).find(0x7f21, pos=1).data(return_tag=True)
 try:
 cert = send_apdu(card, 0xB1, 0xCE, kid, [0x54, 0x02, 0x00, 0x00])
@@ -206,9 +214,9 @@ def attestate(card, args):
 print(f'Key {kid} is NOT generated by device {chr.decode()}')
 def main(args):
- print('Pico HSM burning certificates tool v1.1')
+ print('Pico HSM Tool v1.2')
 print('Author: Pol Henarejos')
- print('Report bugs to https://github.com/polhenarejos/pico-hsm/')
+ print('Report bugs to https://github.com/polhenarejos/pico-hsm/issues')
 print('')
 print('')
 cardtype = AnyCardType()
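Review bot: `except APDUResponse: pass` in the new `if (args.pin):` branch of the `@@ -117,9 +119,17 @@` hunk swallows a failed VERIFY, so a mistyped `--pin` silently falls through to the INITIALIZE APDU carrying that same wrong PIN, and on smart-card-style firmware each failed VERIFY presumably also burns a retry (an inference, not visible here). The failure should be reported and the run aborted, consistent with the `sys.exit(1)` attestate already uses, and the `response` assigned there is never read. `len(pin)` is written unchecked into the single-byte TLV length in `pin_data`, so a value over 255 produces an invalid APDU rather than a readable error; a range check before building `pin_data` would catch that, and the device's own PIN-length limits are not validated either. When `--pin` is absent the device ends up with the hard-coded `b'648219'`, which is worth printing so the operator knows to change it afterwards. The enclosing function initialize starts and continues outside the hunk.
```python
    if (args.pin):
        pin = args.pin.encode()
        try:
            send_apdu(card, 0x20, 0x00, 0x81, list(pin))
        except APDUResponse as e:
            print(f'PIN verification failed: {e}')
            sys.exit(1)
    else:
        pin = b'648219'
        print('No --pin given: the device will be initialized with the default PIN; change it afterwards')
    if len(pin) > 0xff:
        # one-byte TLV length below cannot encode a longer PIN
        print('PIN too long')
        sys.exit(1)
    # … unchanged: pin_data / reset_data construction and INITIALIZE APDU …
```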
@@ -225,7 +233,7 @@ def main(args):
 # Following commands may raise APDU exception on error
 if (args.command == 'initialize'):
- initialize(card)
+ initialize(card, args)
 elif (args.command == 'attestate'):
 attestate(card, args)
 elif (args.command == 'pki'):