From 526869bc0686211cae993555232efa8aac206be5 Mon Sep 17 00:00:00 2001 From: Pol Henarejos <55573252+polhenarejos@users.noreply.github.com> Date: Wed, 17 May 2023 09:42:57 +0200 Subject: [PATCH 01/68] Create FUNDING.yml --- .github/FUNDING.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..5e8c378 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms + +github: [polhenarejos] +custom: ["https://www.paypal.me/polhenarejos"] From 1c6f4cfd7f0eb20ab47e3ae52f6c2ad89e8b97b3 Mon Sep 17 00:00:00 2001 From: Pol Henarejos <55573252+polhenarejos@users.noreply.github.com> Date: Wed, 17 May 2023 09:44:59 +0200 Subject: [PATCH 02/68] Update FUNDING.yml --- .github/FUNDING.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index 5e8c378..b3c287f 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1,4 +1,4 @@ # These are supported funding model platforms -github: [polhenarejos] +github: polhenarejos custom: ["https://www.paypal.me/polhenarejos"] From ee442ac0847bc7e19e92ada8135124671a1d163d Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 24 Aug 2023 16:39:57 +0200 Subject: [PATCH 03/68] Get vpcd from repo instead of building it. Signed-off-by: Pol Henarejos --- tests/docker/bullseye/Dockerfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/docker/bullseye/Dockerfile b/tests/docker/bullseye/Dockerfile index 6633cd8..bf14010 100644 --- a/tests/docker/bullseye/Dockerfile +++ b/tests/docker/bullseye/Dockerfile @@ -20,11 +20,7 @@ RUN apt install -y libccid \ python3-pip \ swig \ cmake \ + vsmartcard-vpcd \ && rm -rf /var/lib/apt/lists/* RUN pip3 install pytest pycvc cryptography pyscard -RUN git clone https://github.com/polhenarejos/vsmartcard.git -WORKDIR /vsmartcard/virtualsmartcard -RUN autoreconf --verbose --install -RUN ./configure --sysconfdir=/etc -RUN make && make install WORKDIR / From 7506ccd263a058e96d371cf386a4f2388ab86a28 Mon Sep 17 00:00:00 2001 From: Pol Henarejos <55573252+polhenarejos@users.noreply.github.com> Date: Tue, 5 Sep 2023 19:45:51 +0200 Subject: [PATCH 04/68] Update usage.md --- doc/usage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/usage.md b/doc/usage.md index 6dd2eb9..49cb297 100644 --- a/doc/usage.md +++ b/doc/usage.md @@ -30,7 +30,7 @@ PIN=648219 ## Initialization The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder: ``` -$ python3 pico-hsm-tool.py initialize --so-pin 3537363231383830 --pin 648219 +$ python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 ``` The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked. The PIN accepts from 6 to 16 characters. @@ -51,7 +51,7 @@ $ pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 To unblock the PIN: ``` -$ pkcs11-tool --login --login-type so --so-pin=3537363231383830 --init-pin --new-pin=648219 +$ pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 ``` ## Keypair generation From f09654ccf49bf8976cbc2846c3022f32909bdbad Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 5 Sep 2023 18:15:05 +0200 Subject: [PATCH 05/68] Added --silent flag to initialization to avoid prompt display. Signed-off-by: Pol Henarejos --- tools/pico-hsm-tool.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/tools/pico-hsm-tool.py b/tools/pico-hsm-tool.py index 7e0353f..72d30e6 100644 --- a/tools/pico-hsm-tool.py +++ b/tools/pico-hsm-tool.py @@ -66,6 +66,7 @@ def parse_args(): parser_init = subparser.add_parser('initialize', help='Performs the first initialization of the Pico HSM.') parser.add_argument('--pin', help='PIN number') parser_init.add_argument('--so-pin', help='SO-PIN number') + parser_init.add_argument('--silent', help='Confirms initialization silently.', action='store_true') parser_attestate = subparser.add_parser('attestate', help='Generates an attestation report for a private key and verifies the private key was generated in the devices or outside.') parser_attestate.add_argument('-k', '--key', help='The private key index', metavar='KEY_ID') @@ -176,14 +177,15 @@ def pki(_, args): print('Error: no PKI is passed. Use --default to retrieve default PKI.') def initialize(picohsm, args): - print('********************************') - print('* PLEASE READ IT CAREFULLY *') - print('********************************') - print('') - print('This tool will erase and reset your device. It will delete all ' - 'private and secret keys.') - print('Are you sure?') - _ = input('[Press enter to confirm]') + if (not args.silent): + print('********************************') + print('* PLEASE READ IT CAREFULLY *') + print('********************************') + print('') + print('This tool will erase and reset your device. It will delete all ' + 'private and secret keys.') + print('Are you sure?') + _ = input('[Press enter to confirm]') if (args.pin): picohsm.login(args.pin) From f4a537f156483901eca001536415b4bf61f67a94 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 5 Sep 2023 18:43:49 +0200 Subject: [PATCH 06/68] Added NO_DELAY in emulation env. Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index 81a598f..910b2fb 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit 81a598f464d715278772ac300d9f8ca7cdb1c25d +Subproject commit 910b2fb75a2ce2c6660fe70334c24c9407910a1a From 3d7f714936456d7a9a5530dac15ab1ecbef8054f Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 5 Sep 2023 18:44:12 +0200 Subject: [PATCH 07/68] Fix initialization with so-pin. Signed-off-by: Pol Henarejos --- tools/pico-hsm-tool.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/tools/pico-hsm-tool.py b/tools/pico-hsm-tool.py index 72d30e6..012c15f 100644 --- a/tools/pico-hsm-tool.py +++ b/tools/pico-hsm-tool.py @@ -39,7 +39,7 @@ except ModuleNotFoundError: sys.exit(-1) try: - from picohsm import PicoHSM, PinType, DOPrefixes, KeyType, EncryptionMode, utils + from picohsm import PicoHSM, PinType, DOPrefixes, KeyType, EncryptionMode, utils, APDUResponse, SWCodes except ModuleNotFoundError: print('ERROR: picohsm module not found! Install picohsm package.\nTry with `pip install pypicohsm`') sys.exit(-1) @@ -188,13 +188,19 @@ def initialize(picohsm, args): _ = input('[Press enter to confirm]') if (args.pin): - picohsm.login(args.pin) - pin = args + try: + picohsm.login(args.pin) + except APDUResponse: + pass + pin = args.pin else: pin = '648219' if (args.so_pin): - picohsm.login(args.pin, who=PinType.SO_PIN) + try: + picohsm.login(args.so_pin, who=PinType.SO_PIN) + except APDUResponse: + pass so_pin = args.so_pin else: so_pin = '57621880' From 173ca7678da13647fde2e4d95c59d3793a436ca0 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 5 Sep 2023 19:46:32 +0200 Subject: [PATCH 08/68] Accept arbitrary SO-PIN length on reset retry. Signed-off-by: Pol Henarejos --- src/hsm/cmd_reset_retry.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/hsm/cmd_reset_retry.c b/src/hsm/cmd_reset_retry.c index 0522fda..2388d75 100644 --- a/src/hsm/cmd_reset_retry.c +++ b/src/hsm/cmd_reset_retry.c @@ -36,16 +36,15 @@ int cmd_reset_retry() { if (P1(apdu) == 0x0 || P1(apdu) == 0x2) { int newpin_len = 0; if (P1(apdu) == 0x0) { - if (apdu.nc <= 8) { + uint8_t so_pin_len = file_read_uint8(file_get_data(file_sopin)); + if (apdu.nc <= so_pin_len + 1) { return SW_WRONG_LENGTH(); } - uint16_t r = check_pin(file_sopin, apdu.data, 8); + uint16_t r = check_pin(file_sopin, apdu.data, so_pin_len); if (r != 0x9000) { return r; } - newpin_len = apdu.nc - 8; - has_session_sopin = true; - hash_multi(apdu.data, 8, session_sopin); + newpin_len = apdu.nc - so_pin_len; } else if (P1(apdu) == 0x2) { if (!has_session_sopin) { @@ -83,15 +82,14 @@ int cmd_reset_retry() { return SW_COMMAND_NOT_ALLOWED(); } if (P1(apdu) == 0x1) { - if (apdu.nc != 8) { + uint8_t so_pin_len = file_read_uint8(file_get_data(file_sopin)); + if (apdu.nc != so_pin_len) { return SW_WRONG_LENGTH(); } - uint16_t r = check_pin(file_sopin, apdu.data, 8); + uint16_t r = check_pin(file_sopin, apdu.data, so_pin_len); if (r != 0x9000) { return r; } - has_session_sopin = true; - hash_multi(apdu.data, 8, session_sopin); } else if (P1(apdu) == 0x3) { if (!has_session_sopin) { From 9f08d612ae04701fab8b820eb8691e575a89c8bd Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 5 Sep 2023 19:55:39 +0200 Subject: [PATCH 09/68] Add base58 to dockerfile. Signed-off-by: Pol Henarejos --- tests/docker/bullseye/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/docker/bullseye/Dockerfile b/tests/docker/bullseye/Dockerfile index bf14010..91f008a 100644 --- a/tests/docker/bullseye/Dockerfile +++ b/tests/docker/bullseye/Dockerfile @@ -22,5 +22,5 @@ RUN apt install -y libccid \ cmake \ vsmartcard-vpcd \ && rm -rf /var/lib/apt/lists/* -RUN pip3 install pytest pycvc cryptography pyscard +RUN pip3 install pytest pycvc cryptography pyscard base58 WORKDIR / From 433e509c9401dca8cf8d9badf605a6e4391f1dd0 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 5 Sep 2023 19:56:04 +0200 Subject: [PATCH 10/68] Add initialize with pkcs11-tool test script. Signed-off-by: Pol Henarejos --- tests/scripts/initialize.sh | 44 +++++++++++++++++++++++++++++++++++++ tests/start-up-and-test.sh | 9 +++++++- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100755 tests/scripts/initialize.sh diff --git a/tests/scripts/initialize.sh b/tests/scripts/initialize.sh new file mode 100755 index 0000000..ce2fb9d --- /dev/null +++ b/tests/scripts/initialize.sh @@ -0,0 +1,44 @@ +#!/bin/bash -eu + +python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent +test $? -eq 0 || exit $? + +# Change SO-PIN +pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 +test $? -eq 0 || exit $? + +pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 +test $? -eq 0 || exit $? + +# Change PIN +pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 +test $? -eq 0 || exit $? + +# Reset PIN +pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 +test $? -eq 0 || exit $? + +# Change PIN +pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 +test $? -eq 0 || exit $? + +pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 +test $? -eq 0 || exit $? + +# Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED) +e=$(pkcs11-tool --login --pin 123456 -I 2>&1) +test $? -eq 1 || exit $? +grep -q CKR_PIN_INCORRECT <<< $e || exit $? +e=$(pkcs11-tool --login --pin 123456 -I 2>&1) +test $? -eq 1 || exit $? +grep -q CKR_PIN_INCORRECT <<< $e || exit $? +e=$(pkcs11-tool --login --pin 123456 -I 2>&1) +test $? -eq 1 || exit $? +grep -q CKR_PIN_LOCKED <<< $e || exit $? + +# Reset PIN +pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 +test $? -eq 0 || exit $? + +pkcs11-tool --login --pin 648219 -I > /dev/null +test $? -eq 0 || exit $? diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index 9ba94b4..46b8c9a 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -8,4 +8,11 @@ sleep 2 rm -f memory.flash tar -xf tests/memory.tar.gz ./build_in_docker/pico_hsm > /dev/null & -pytest tests -W ignore::DeprecationWarning +#pytest tests -W ignore::DeprecationWarning + +chmod a+x tests/scripts/*.sh + +echo -n "Test initialization... " +./tests/scripts/initialize.sh +echo "\tok" + From 08e7d74a81365ff553c9e6da549f69cc9b0ecc00 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Sun, 24 Sep 2023 10:30:09 +0200 Subject: [PATCH 11/68] Fix sending binary when ne=0 Signed-off-by: Pol Henarejos --- src/hsm/cmd_read_binary.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/hsm/cmd_read_binary.c b/src/hsm/cmd_read_binary.c index eb66ff7..2fb7496 100644 --- a/src/hsm/cmd_read_binary.c +++ b/src/hsm/cmd_read_binary.c @@ -88,10 +88,10 @@ int cmd_read_binary() { return SW_WARNING_EOF(); } - uint16_t maxle = data_len - offset; - if (apdu.ne > maxle) { - apdu.ne = maxle; - } + //uint16_t maxle = data_len - offset; + //if (apdu.ne > maxle) { + // apdu.ne = maxle; + //} memcpy(res_APDU, file_get_data(ef) + offset, data_len - offset); res_APDU_size = data_len - offset; } From d906df280953e7e0925d6bf91ea7c4fb1632a23c Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Sun, 24 Sep 2023 10:30:59 +0200 Subject: [PATCH 12/68] Add initialization test script with pkcs11 Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- tests/docker/bullseye/Dockerfile | 11 ++++++++++- tests/scripts/initialize.sh | 4 ++-- tests/start-up-and-test.sh | 11 +++++------ 4 files changed, 18 insertions(+), 10 deletions(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index 910b2fb..30a2707 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit 910b2fb75a2ce2c6660fe70334c24c9407910a1a +Subproject commit 30a2707dd89ec6c677415171f7e46521689b5b76 diff --git a/tests/docker/bullseye/Dockerfile b/tests/docker/bullseye/Dockerfile index 91f008a..4444398 100644 --- a/tests/docker/bullseye/Dockerfile +++ b/tests/docker/bullseye/Dockerfile @@ -15,12 +15,21 @@ RUN apt install -y libccid \ gcc \ make \ build-essential \ - opensc \ python3 \ python3-pip \ swig \ + libssl-dev \ cmake \ vsmartcard-vpcd \ && rm -rf /var/lib/apt/lists/* RUN pip3 install pytest pycvc cryptography pyscard base58 WORKDIR / +RUN git clone https://github.com/OpenSC/OpenSC +WORKDIR /OpenSC +#RUN git checkout tags/0.23.0 +RUN ./bootstrap +RUN ./configure --enable-openssl +RUN make -j `nproc` +RUN make install +RUN ldconfig +WORKDIR / diff --git a/tests/scripts/initialize.sh b/tests/scripts/initialize.sh index ce2fb9d..8fceb2a 100755 --- a/tests/scripts/initialize.sh +++ b/tests/scripts/initialize.sh @@ -1,4 +1,4 @@ -#!/bin/bash -eu +#!/bin/bash python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent test $? -eq 0 || exit $? @@ -40,5 +40,5 @@ grep -q CKR_PIN_LOCKED <<< $e || exit $? pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 test $? -eq 0 || exit $? -pkcs11-tool --login --pin 648219 -I > /dev/null +pkcs11-tool --login --pin 648219 -I test $? -eq 0 || exit $? diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index 46b8c9a..93b9875 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -1,4 +1,4 @@ -#!/bin/bash -eu +#!/bin/bash rm -rf pypicohsm git clone https://github.com/polhenarejos/pypicohsm.git @@ -7,12 +7,11 @@ pip3 install -e pypicohsm sleep 2 rm -f memory.flash tar -xf tests/memory.tar.gz -./build_in_docker/pico_hsm > /dev/null & -#pytest tests -W ignore::DeprecationWarning +./build_in_docker/pico_hsm > /dev/null 2>&1 & +pytest tests -W ignore::DeprecationWarning chmod a+x tests/scripts/*.sh echo -n "Test initialization... " -./tests/scripts/initialize.sh -echo "\tok" - +./tests/scripts/initialize.sh > /dev/null 2>&1 +test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) From 37421d9aadca79a8530bd3b2819b4e78acb0f717 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 26 Sep 2023 20:09:43 +0200 Subject: [PATCH 13/68] Added pkcs11 keygen test script. Signed-off-by: Pol Henarejos --- tests/scripts/initialize.sh | 46 ++++++++++++++++++------------------- tests/scripts/keygen.sh | 23 +++++++++++++++++++ tests/scripts/pkcs11.sh | 9 ++++++++ tests/scripts/reset.sh | 4 ++++ tests/start-up-and-test.sh | 5 ++-- 5 files changed, 61 insertions(+), 26 deletions(-) create mode 100644 tests/scripts/keygen.sh create mode 100644 tests/scripts/pkcs11.sh create mode 100644 tests/scripts/reset.sh diff --git a/tests/scripts/initialize.sh b/tests/scripts/initialize.sh index 8fceb2a..9db8bae 100755 --- a/tests/scripts/initialize.sh +++ b/tests/scripts/initialize.sh @@ -1,44 +1,44 @@ #!/bin/bash -python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent +./tests/scripts/reset.sh > /dev/null 2>&1 test $? -eq 0 || exit $? # Change SO-PIN -pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 -test $? -eq 0 || exit $? +pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? -pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 -test $? -eq 0 || exit $? +pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? # Change PIN -pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 -test $? -eq 0 || exit $? +pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? # Reset PIN -pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 -test $? -eq 0 || exit $? +pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? # Change PIN -pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 -test $? -eq 0 || exit $? +pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? -pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 -test $? -eq 0 || exit $? +pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? # Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED) e=$(pkcs11-tool --login --pin 123456 -I 2>&1) -test $? -eq 1 || exit $? -grep -q CKR_PIN_INCORRECT <<< $e || exit $? +test $? -eq 1 && echo -n "." || exit $? +grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $? e=$(pkcs11-tool --login --pin 123456 -I 2>&1) -test $? -eq 1 || exit $? -grep -q CKR_PIN_INCORRECT <<< $e || exit $? +test $? -eq 1 && echo -n "." || exit $? +grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $? e=$(pkcs11-tool --login --pin 123456 -I 2>&1) -test $? -eq 1 || exit $? -grep -q CKR_PIN_LOCKED <<< $e || exit $? +test $? -eq 1 && echo -n "." || exit $? +grep -q CKR_PIN_LOCKED <<< $e && echo -n "." || exit $? # Reset PIN -pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 -test $? -eq 0 || exit $? +pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? -pkcs11-tool --login --pin 648219 -I -test $? -eq 0 || exit $? +pkcs11-tool --login --pin 648219 -I > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? diff --git a/tests/scripts/keygen.sh b/tests/scripts/keygen.sh new file mode 100644 index 0000000..2352f87 --- /dev/null +++ b/tests/scripts/keygen.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +./tests/scripts/reset.sh > /dev/null 2>&1 +test $? -eq 0 || exit $? + +gen_and_check() { + e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1) + test $? -eq 0 || exit $? + grep -q "$2" <<< $e || exit $? + pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 +} + +gen_and_check "rsa:1024" "RSA 1024 bits" && echo -n "." || exit $? +gen_and_check "rsa:2048" "RSA 2048 bits" && echo -n "." || exit $? +gen_and_check "ec:secp192r1" "EC_POINT 192 bits" && echo -n "." || exit $? +gen_and_check "ec:secp256r1" "EC_POINT 256 bits" && echo -n "." || exit $? +gen_and_check "ec:secp384r1" "EC_POINT 384 bits" && echo -n "." || exit $? +gen_and_check "ec:secp521r1" "EC_POINT 528 bits" && echo -n "." || exit $? +gen_and_check "ec:brainpoolP256r1" "EC_POINT 256 bits" && echo -n "." || exit $? +gen_and_check "ec:brainpoolP384r1" "EC_POINT 384 bits" && echo -n "." || exit $? +gen_and_check "ec:brainpoolP512r1" "EC_POINT 512 bits" && echo -n "." || exit $? +gen_and_check "ec:secp192k1" "EC_POINT 192 bits" && echo -n "." || exit $? +gen_and_check "ec:secp256k1" "EC_POINT 256 bits" && echo -n "." || exit $? diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh new file mode 100644 index 0000000..f14c4f0 --- /dev/null +++ b/tests/scripts/pkcs11.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +echo -n "Test initialization..." +#./tests/scripts/initialize.sh +test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) + +echo -n "Test keygen..." +./tests/scripts/keygen.sh +test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) diff --git a/tests/scripts/reset.sh b/tests/scripts/reset.sh new file mode 100644 index 0000000..f0f87e5 --- /dev/null +++ b/tests/scripts/reset.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent +test $? -eq 0 || exit $? diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index 93b9875..f10091a 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -12,6 +12,5 @@ pytest tests -W ignore::DeprecationWarning chmod a+x tests/scripts/*.sh -echo -n "Test initialization... " -./tests/scripts/initialize.sh > /dev/null 2>&1 -test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) +echo "======== PKCS11 Test suite ========" +./tests/scripts/pkcs11.sh From 1105a1263c0e335555e0bee2b617fcdb5c556fd4 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 2 Oct 2023 00:48:54 +0200 Subject: [PATCH 14/68] Add signature and verification tests for RSA and ECDSA. Signed-off-by: Pol Henarejos --- tests/docker/bullseye/Dockerfile | 5 +- tests/scripts/func.sh | 37 ++++++++ tests/scripts/initialize.sh | 4 +- tests/scripts/keygen.sh | 32 +++---- tests/scripts/pkcs11.sh | 6 +- tests/scripts/sign_and_verify.sh | 146 +++++++++++++++++++++++++++++++ tests/start-up-and-test.sh | 2 +- 7 files changed, 208 insertions(+), 24 deletions(-) create mode 100755 tests/scripts/func.sh mode change 100644 => 100755 tests/scripts/keygen.sh mode change 100644 => 100755 tests/scripts/pkcs11.sh create mode 100755 tests/scripts/sign_and_verify.sh diff --git a/tests/docker/bullseye/Dockerfile b/tests/docker/bullseye/Dockerfile index 4444398..94ade74 100644 --- a/tests/docker/bullseye/Dockerfile +++ b/tests/docker/bullseye/Dockerfile @@ -4,6 +4,8 @@ ARG DEBIAN_FRONTEND=noninteractive RUN apt update && apt upgrade -y RUN apt install -y apt-utils +RUN apt autoremove -y +RUN rm -rf /var/cache/apt/archives/* RUN apt install -y libccid \ libpcsclite-dev \ git \ @@ -26,10 +28,11 @@ RUN pip3 install pytest pycvc cryptography pyscard base58 WORKDIR / RUN git clone https://github.com/OpenSC/OpenSC WORKDIR /OpenSC -#RUN git checkout tags/0.23.0 +RUN git checkout tags/0.22.0 RUN ./bootstrap RUN ./configure --enable-openssl RUN make -j `nproc` RUN make install +RUN make clean RUN ldconfig WORKDIR / diff --git a/tests/scripts/func.sh b/tests/scripts/func.sh new file mode 100755 index 0000000..fc52119 --- /dev/null +++ b/tests/scripts/func.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +gen_and_check() { + e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1) + test $? -eq 0 || exit $? + glabel="" + case $1 in + *"192"*) + glabel="EC_POINT 192 bits" + ;; + *"256"*) + glabel="EC_POINT 256 bits" + ;; + *"384"*) + glabel="EC_POINT 384 bits" + ;; + *"512"*) + glabel="EC_POINT 512 bits" + ;; + *"521"*) + glabel="EC_POINT 528 bits" + ;; + *"rsa"*) + IFS=: read -r v1 bits <<< "$1" + glabel="RSA ${bits} bits" + ;; + esac + grep -q "${glabel}" <<< $e || exit $? +} +gen_and_delete() { + gen_and_check $1 + pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 +} +reset() { + python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1 + test $? -eq 0 || exit $? +} diff --git a/tests/scripts/initialize.sh b/tests/scripts/initialize.sh index 9db8bae..8f2ebc6 100755 --- a/tests/scripts/initialize.sh +++ b/tests/scripts/initialize.sh @@ -1,7 +1,7 @@ #!/bin/bash -./tests/scripts/reset.sh > /dev/null 2>&1 -test $? -eq 0 || exit $? +source ./tests/scripts/func.sh +reset # Change SO-PIN pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1 diff --git a/tests/scripts/keygen.sh b/tests/scripts/keygen.sh old mode 100644 new mode 100755 index 2352f87..a43cb97 --- a/tests/scripts/keygen.sh +++ b/tests/scripts/keygen.sh @@ -1,23 +1,17 @@ #!/bin/bash -./tests/scripts/reset.sh > /dev/null 2>&1 +source ./tests/scripts/func.sh +reset test $? -eq 0 || exit $? -gen_and_check() { - e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1) - test $? -eq 0 || exit $? - grep -q "$2" <<< $e || exit $? - pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 -} - -gen_and_check "rsa:1024" "RSA 1024 bits" && echo -n "." || exit $? -gen_and_check "rsa:2048" "RSA 2048 bits" && echo -n "." || exit $? -gen_and_check "ec:secp192r1" "EC_POINT 192 bits" && echo -n "." || exit $? -gen_and_check "ec:secp256r1" "EC_POINT 256 bits" && echo -n "." || exit $? -gen_and_check "ec:secp384r1" "EC_POINT 384 bits" && echo -n "." || exit $? -gen_and_check "ec:secp521r1" "EC_POINT 528 bits" && echo -n "." || exit $? -gen_and_check "ec:brainpoolP256r1" "EC_POINT 256 bits" && echo -n "." || exit $? -gen_and_check "ec:brainpoolP384r1" "EC_POINT 384 bits" && echo -n "." || exit $? -gen_and_check "ec:brainpoolP512r1" "EC_POINT 512 bits" && echo -n "." || exit $? -gen_and_check "ec:secp192k1" "EC_POINT 192 bits" && echo -n "." || exit $? -gen_and_check "ec:secp256k1" "EC_POINT 256 bits" && echo -n "." || exit $? +gen_and_delete "rsa:1024" && echo -n "." || exit $? +gen_and_delete "rsa:2048" && echo -n "." || exit $? +gen_and_delete "ec:secp192r1" && echo -n "." || exit $? +gen_and_delete "ec:secp256r1" && echo -n "." || exit $? +gen_and_delete "ec:secp384r1" && echo -n "." || exit $? +gen_and_delete "ec:secp521r1" && echo -n "." || exit $? +gen_and_delete "ec:brainpoolP256r1" && echo -n "." || exit $? +gen_and_delete "ec:brainpoolP384r1" && echo -n "." || exit $? +gen_and_delete "ec:brainpoolP512r1" && echo -n "." || exit $? +gen_and_delete "ec:secp192k1" && echo -n "." || exit $? +gen_and_delete "ec:secp256k1" && echo -n "." || exit $? diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh old mode 100644 new mode 100755 index f14c4f0..0c22f1c --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -1,9 +1,13 @@ #!/bin/bash echo -n "Test initialization..." -#./tests/scripts/initialize.sh +./tests/scripts/initialize.sh test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) echo -n "Test keygen..." ./tests/scripts/keygen.sh test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) + +echo -n "Test sign and verify..." +./tests/scripts/sign_and_verify.sh +test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) diff --git a/tests/scripts/sign_and_verify.sh b/tests/scripts/sign_and_verify.sh new file mode 100755 index 0000000..6853ba2 --- /dev/null +++ b/tests/scripts/sign_and_verify.sh @@ -0,0 +1,146 @@ +#!/bin/bash + +source ./tests/scripts/func.sh +reset +test $? -eq 0 || exit $? + +TEST_DATA="This is a test string. Be safe, be secure." +echo ${TEST_DATA} > data + +create_dgst() { + openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1 +} + +create_dgst sha1 +create_dgst sha224 +create_dgst sha256 +create_dgst sha384 +create_dgst sha512 + +keygen_and_export() { + gen_and_check $1 + test $? -eq 0 && echo -n "." || exit $? + pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? + IFS=: read -r mk bts <<< "$1" + openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? +} + +# $1 sign mechanism +# $2 sign input file +# $3 sign parameters +# $4 vrfy input file +# $5 vrfy parameters +sign_and_verify() { + pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1 + test $? -eq 0 || exit $? + e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1) + test $? -eq 0 || exit $? + grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $? +} + +sign_and_verify_rsa_pkcs() { + dgstl=$(awk '{print tolower($0)}' <<<$1) + dgstu=$(awk '{print toupper($0)}' <<<$1) + sign_and_verify "${dgstu}-RSA-PKCS" data "" data.${dgstl} "-pkeyopt digest:${dgstl}" + test $? -eq 0 && echo -n "." || exit $? +} + +sign_and_verify_rsa_pss() { + dgstl=$(awk '{print tolower($0)}' <<<$1) + dgstu=$(awk '{print toupper($0)}' <<<$1) + sign_and_verify "RSA-PKCS-PSS" data.${dgstl} "--mgf MGF1-${dgstu} --hash-algorithm ${dgstu}" data.${dgstl} "-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:${dgstl}" + test $? -eq 0 && echo -n "." || exit $? +} + +sign_and_verify_rsa_pss_dgst() { + dgstl=$(awk '{print tolower($0)}' <<<$1) + dgstu=$(awk '{print toupper($0)}' <<<$1) + sign_and_verify "${dgstu}-RSA-PKCS-PSS" data "" data.${dgstl} "-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:${dgstl}" + test $? -eq 0 && echo -n "." || exit $? +} + +sign_and_verify_ec() { + sign_and_verify ECDSA data.sha1 "--signature-format openssl" data.sha1 + sign_and_verify ECDSA data.sha224 "--signature-format openssl" data.sha224 + sign_and_verify ECDSA data.sha256 "--signature-format openssl" data.sha256 + sign_and_verify ECDSA data.sha384 "--signature-format openssl" data.sha384 + sign_and_verify ECDSA data.sha512 "--signature-format openssl" data.sha512 +} + +sign_and_verify_ec_dgst() { + sign_and_verify ECDSA-SHA1 data "--signature-format openssl" data.sha1 + sign_and_verify ECDSA-SHA224 data "--signature-format openssl" data.sha224 + sign_and_verify ECDSA-SHA256 data "--signature-format openssl" data.sha256 + sign_and_verify ECDSA-SHA384 data "--signature-format openssl" data.sha384 + sign_and_verify ECDSA-SHA512 data "--signature-format openssl" data.sha512 +} + +keygen_sign_and_verify_ec() { + keygen_and_export $1 + sign_and_verify_ec + sign_and_verify_ec_dgst + pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 +} + +echo -n '+' + +keygen_sign_and_verify_ec "ec:secp192r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:secp256r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:secp384r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:secp521r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:brainpoolP256r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:brainpoolP384r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:brainpoolP512r1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:secp192k1" && echo -n "+" || exit $? +keygen_sign_and_verify_ec "ec:secp256k1" && echo -n "+" || exit $? + +echo -n '+' + +keygen_and_export "rsa:2048" + +pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? +e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1) +test $? -eq 0 && echo -n "." || exit $? +grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $? + +echo -n "+" + +sign_and_verify_rsa_pkcs sha1 +sign_and_verify_rsa_pkcs sha224 +sign_and_verify_rsa_pkcs sha256 +sign_and_verify_rsa_pkcs sha384 +sign_and_verify_rsa_pkcs sha512 + +echo -n "+" + +cp data data_pad +dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? +pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? +TDATA=$(tr -d '\0' < <(openssl rsautl -verify -inkey 1.pub -in data.sig -pubin -raw)) +if [[ ${TEST_DATA} != "$TDATA" ]]; then + exit 1 +fi + +echo -n "+" + +#sign_and_verify_rsa_pss sha1 +sign_and_verify_rsa_pss sha224 +sign_and_verify_rsa_pss sha256 +sign_and_verify_rsa_pss sha384 +sign_and_verify_rsa_pss sha512 + +echo -n "+" + +sign_and_verify_rsa_pss_dgst sha1 +sign_and_verify_rsa_pss_dgst sha224 +sign_and_verify_rsa_pss_dgst sha256 +sign_and_verify_rsa_pss_dgst sha384 +sign_and_verify_rsa_pss_dgst sha512 + +rm -rf data* 1.* +pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index f10091a..4271a25 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -8,7 +8,7 @@ sleep 2 rm -f memory.flash tar -xf tests/memory.tar.gz ./build_in_docker/pico_hsm > /dev/null 2>&1 & -pytest tests -W ignore::DeprecationWarning +#pytest tests -W ignore::DeprecationWarning chmod a+x tests/scripts/*.sh From 48301a5d713219fb7bca6f2a77be8c11cf8b36cc Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 2 Oct 2023 00:50:34 +0200 Subject: [PATCH 15/68] Fix chunking Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index 30a2707..42dcdd3 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit 30a2707dd89ec6c677415171f7e46521689b5b76 +Subproject commit 42dcdd337277362b874503f5a36560e78c26d1f7 From cb1bba4f13dbc11ebfc6cb87800a7d6a1dc2da8a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 2 Oct 2023 01:12:09 +0200 Subject: [PATCH 16/68] Enable pytest tests Signed-off-by: Pol Henarejos --- tests/start-up-and-test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index 4271a25..f10091a 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -8,7 +8,7 @@ sleep 2 rm -f memory.flash tar -xf tests/memory.tar.gz ./build_in_docker/pico_hsm > /dev/null 2>&1 & -#pytest tests -W ignore::DeprecationWarning +pytest tests -W ignore::DeprecationWarning chmod a+x tests/scripts/*.sh From c44d7db4e1de8fb7d21d36d5167c88e58a879c5a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 00:34:50 +0200 Subject: [PATCH 17/68] Refactor tests Signed-off-by: Pol Henarejos --- tests/scripts/func.sh | 19 ++++- tests/scripts/initialize.sh | 15 ++-- tests/scripts/keygen.sh | 18 ++--- tests/scripts/pkcs11.sh | 22 ++++-- tests/scripts/sign_and_verify.sh | 125 +++++++++++++------------------ 5 files changed, 102 insertions(+), 97 deletions(-) diff --git a/tests/scripts/func.sh b/tests/scripts/func.sh index fc52119..4a9b324 100755 --- a/tests/scripts/func.sh +++ b/tests/scripts/func.sh @@ -1,8 +1,11 @@ #!/bin/bash +OK="\033[32mok\033[0m" +FAIL="\033[31mfail\033[0m" + gen_and_check() { e=$(pkcs11-tool -l --pin 648219 --keypairgen --key-type $1 --id 1 --label "TestLabel" 2>&1) - test $? -eq 0 || exit $? + test $? -eq 0 && echo -n "." || exit $? glabel="" case $1 in *"192"*) @@ -25,13 +28,25 @@ gen_and_check() { glabel="RSA ${bits} bits" ;; esac - grep -q "${glabel}" <<< $e || exit $? + grep -q "${glabel}" <<< $e && echo -n "." || exit $? } gen_and_delete() { gen_and_check $1 + test $? -eq 0 && echo -n "." || exit $? pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? } reset() { python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent > /dev/null 2>&1 test $? -eq 0 || exit $? } + +keygen_and_export() { + gen_and_check $1 + test $? -eq 0 && echo -n "." || exit $? + pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? + IFS=: read -r mk bts <<< "$1" + openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? +} diff --git a/tests/scripts/initialize.sh b/tests/scripts/initialize.sh index 8f2ebc6..39426c8 100755 --- a/tests/scripts/initialize.sh +++ b/tests/scripts/initialize.sh @@ -4,17 +4,20 @@ source ./tests/scripts/func.sh reset # Change SO-PIN +echo -n " Test SO-PIN change..." pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345 > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? pkcs11-tool --login --login-type so --so-pin 0123456789012345 --change-pin --new-pin 3537363231383830 > /dev/null 2>&1 -test $? -eq 0 && echo -n "." || exit $? +test $? -eq 0 && echo -e ".\t${OK}" || exit $? # Change PIN +echo -n " Test PIN change..." pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1 -test $? -eq 0 && echo -n "." || exit $? +test $? -eq 0 && echo -e ".\t${OK}" || exit $? # Reset PIN +echo -n " Test PIN reset..." pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? @@ -23,9 +26,10 @@ pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456 > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? pkcs11-tool --login --pin 123456 --change-pin --new-pin 648219 > /dev/null 2>&1 -test $? -eq 0 && echo -n "." || exit $? +test $? -eq 0 && echo -e ".\t${OK}" || exit $? # Wrong PIN (1st and 2nd PIN_INCORRECT, 3rd PIN_LOCKED) +echo -n " Test wrong PIN attempts..." e=$(pkcs11-tool --login --pin 123456 -I 2>&1) test $? -eq 1 && echo -n "." || exit $? grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $? @@ -34,11 +38,12 @@ test $? -eq 1 && echo -n "." || exit $? grep -q CKR_PIN_INCORRECT <<< $e && echo -n "." || exit $? e=$(pkcs11-tool --login --pin 123456 -I 2>&1) test $? -eq 1 && echo -n "." || exit $? -grep -q CKR_PIN_LOCKED <<< $e && echo -n "." || exit $? +grep -q CKR_PIN_LOCKED <<< $e && echo -e "\t${OK}" || exit $? # Reset PIN +echo -n " Test restore PIN..." pkcs11-tool --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219 > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? pkcs11-tool --login --pin 648219 -I > /dev/null 2>&1 -test $? -eq 0 && echo -n "." || exit $? +test $? -eq 0 && echo -e "\t${OK}" || exit $? diff --git a/tests/scripts/keygen.sh b/tests/scripts/keygen.sh index a43cb97..0b59f71 100755 --- a/tests/scripts/keygen.sh +++ b/tests/scripts/keygen.sh @@ -4,14 +4,10 @@ source ./tests/scripts/func.sh reset test $? -eq 0 || exit $? -gen_and_delete "rsa:1024" && echo -n "." || exit $? -gen_and_delete "rsa:2048" && echo -n "." || exit $? -gen_and_delete "ec:secp192r1" && echo -n "." || exit $? -gen_and_delete "ec:secp256r1" && echo -n "." || exit $? -gen_and_delete "ec:secp384r1" && echo -n "." || exit $? -gen_and_delete "ec:secp521r1" && echo -n "." || exit $? -gen_and_delete "ec:brainpoolP256r1" && echo -n "." || exit $? -gen_and_delete "ec:brainpoolP384r1" && echo -n "." || exit $? -gen_and_delete "ec:brainpoolP512r1" && echo -n "." || exit $? -gen_and_delete "ec:secp192k1" && echo -n "." || exit $? -gen_and_delete "ec:secp256k1" && echo -n "." || exit $? +algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1") +for alg in ${algs[*]}; do + IFS=: read -r a s <<< "${alg}" + au=$(awk '{print toupper($0)}' <<<${a}) + echo -n " Test ${au} ${s}..." + gen_and_delete ${alg} && echo -e ".\t${OK}" || exit $? +done diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh index 0c22f1c..3e15984 100755 --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -1,13 +1,23 @@ #!/bin/bash -echo -n "Test initialization..." +source ./tests/scripts/func.sh +echo "==== Test initialization ====" ./tests/scripts/initialize.sh -test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} -echo -n "Test keygen..." +echo "==== Test keygen ====" ./tests/scripts/keygen.sh -test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} -echo -n "Test sign and verify..." +echo "==== Test sign and verify ====" ./tests/scripts/sign_and_verify.sh -test $? -eq 0 && echo -e '\tok' || (echo -e '\tfail' && exit 1) +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} diff --git a/tests/scripts/sign_and_verify.sh b/tests/scripts/sign_and_verify.sh index 6853ba2..a9c7581 100755 --- a/tests/scripts/sign_and_verify.sh +++ b/tests/scripts/sign_and_verify.sh @@ -9,24 +9,16 @@ echo ${TEST_DATA} > data create_dgst() { openssl dgst -$1 -binary -out data.$1 data > /dev/null 2>&1 -} - -create_dgst sha1 -create_dgst sha224 -create_dgst sha256 -create_dgst sha384 -create_dgst sha512 - -keygen_and_export() { - gen_and_check $1 - test $? -eq 0 && echo -n "." || exit $? - pkcs11-tool --read-object --pin 648219 --id 1 --type pubkey > 1.der 2>/dev/null - test $? -eq 0 && echo -n "." || exit $? - IFS=: read -r mk bts <<< "$1" - openssl ${mk} -inform DER -outform PEM -in 1.der -pubin > 1.pub 2>/dev/null test $? -eq 0 && echo -n "." || exit $? } +dgsts=("sha1" "sha224" "sha256" "sha384" "sha512") +for dgst in ${dgsts[*]}; do + echo -n " Create digest ${dgst}..." + create_dgst ${dgst} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? +done + # $1 sign mechanism # $2 sign input file # $3 sign parameters @@ -34,9 +26,9 @@ keygen_and_export() { # $5 vrfy parameters sign_and_verify() { pkcs11-tool --id 1 --sign --pin 648219 --mechanism $1 -i $2 -o data.sig $3 > /dev/null 2>&1 - test $? -eq 0 || exit $? + test $? -eq 0 && echo -n "." || exit $? e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in $4 -sigfile data.sig $5 2>&1) - test $? -eq 0 || exit $? + test $? -eq 0 && echo -n "." || exit $? grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $? } @@ -61,62 +53,52 @@ sign_and_verify_rsa_pss_dgst() { test $? -eq 0 && echo -n "." || exit $? } -sign_and_verify_ec() { - sign_and_verify ECDSA data.sha1 "--signature-format openssl" data.sha1 - sign_and_verify ECDSA data.sha224 "--signature-format openssl" data.sha224 - sign_and_verify ECDSA data.sha256 "--signature-format openssl" data.sha256 - sign_and_verify ECDSA data.sha384 "--signature-format openssl" data.sha384 - sign_and_verify ECDSA data.sha512 "--signature-format openssl" data.sha512 -} - -sign_and_verify_ec_dgst() { - sign_and_verify ECDSA-SHA1 data "--signature-format openssl" data.sha1 - sign_and_verify ECDSA-SHA224 data "--signature-format openssl" data.sha224 - sign_and_verify ECDSA-SHA256 data "--signature-format openssl" data.sha256 - sign_and_verify ECDSA-SHA384 data "--signature-format openssl" data.sha384 - sign_and_verify ECDSA-SHA512 data "--signature-format openssl" data.sha512 -} - keygen_sign_and_verify_ec() { + echo " Test ECDSA with $1" + echo -n " Keygen $1..." keygen_and_export $1 - sign_and_verify_ec - sign_and_verify_ec_dgst + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + for dgst in ${dgsts[*]}; do + dgstu=$(awk '{print toupper($0)}' <<<${dgst}) + echo -n " Test ECDSA with ${dgst} and $1..." + sign_and_verify ECDSA "data.${dgst}" "--signature-format openssl" data.${dgst} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + echo -n " Test ECDSA-${dgstu} with $1..." + sign_and_verify "ECDSA-${dgstu}" data "--signature-format openssl" data.${dgst} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + done + echo -n " Delete $1..." pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 + test $? -eq 0 && echo -e ".\t${OK}" || exit $? } -echo -n '+' - -keygen_sign_and_verify_ec "ec:secp192r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:secp256r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:secp384r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:secp521r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:brainpoolP256r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:brainpoolP384r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:brainpoolP512r1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:secp192k1" && echo -n "+" || exit $? -keygen_sign_and_verify_ec "ec:secp256k1" && echo -n "+" || exit $? - -echo -n '+' +algs=("ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1") +for alg in ${algs[*]}; do + keygen_sign_and_verify_ec ${alg} || exit $? +done +echo " Test RSA PKCS" +echo -n " Keygen rsa:2048..." keygen_and_export "rsa:2048" +test $? -eq 0 && echo -e ".\t${OK}" || exit $? +echo -n " Test RSA-PKCS..." pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-PKCS -i data -o data.sig > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? e=$(openssl pkeyutl -verify -pubin -inkey 1.pub -in data -sigfile data.sig 2>&1) test $? -eq 0 && echo -n "." || exit $? -grep -q "Signature Verified Successfully" <<< $e && echo -n "." || exit $? +grep -q "Signature Verified Successfully" <<< $e && echo -e ".\t${OK}" || exit $? -echo -n "+" - -sign_and_verify_rsa_pkcs sha1 -sign_and_verify_rsa_pkcs sha224 -sign_and_verify_rsa_pkcs sha256 -sign_and_verify_rsa_pkcs sha384 -sign_and_verify_rsa_pkcs sha512 - -echo -n "+" +for dgst in ${dgsts[*]}; do + dgstu=$(awk '{print toupper($0)}' <<<${dgst}) + echo -n " Test RSA-PKCS-${dgstu}..." + sign_and_verify_rsa_pkcs ${dgst} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? +done +echo -n " Test RSA-X-509..." cp data data_pad +test $? -eq 0 && echo -n "." || exit $? dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1 @@ -125,22 +107,19 @@ TDATA=$(tr -d '\0' < <(openssl rsautl -verify -inkey 1.pub -in data.sig -pubin - if [[ ${TEST_DATA} != "$TDATA" ]]; then exit 1 fi +test $? -eq 0 && echo -e ".\t${OK}" || exit $? -echo -n "+" - -#sign_and_verify_rsa_pss sha1 -sign_and_verify_rsa_pss sha224 -sign_and_verify_rsa_pss sha256 -sign_and_verify_rsa_pss sha384 -sign_and_verify_rsa_pss sha512 - -echo -n "+" - -sign_and_verify_rsa_pss_dgst sha1 -sign_and_verify_rsa_pss_dgst sha224 -sign_and_verify_rsa_pss_dgst sha256 -sign_and_verify_rsa_pss_dgst sha384 -sign_and_verify_rsa_pss_dgst sha512 +for dgst in ${dgsts[*]}; do + dgstu=$(awk '{print toupper($0)}' <<<${dgst}) + if [[ "${dgst}" != "sha1" ]]; then + echo -n " Test RSA-PKCS-PSS with ${dgst}..." + sign_and_verify_rsa_pss ${dgst} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + fi + echo -n " Test ${dgstu}-RSA-PKCS-PSS..." + sign_and_verify_rsa_pss_dgst ${dgst} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? +done rm -rf data* 1.* pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 From c3af303468ed30aa2ebb15d715e9cb3de4c9ed37 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 00:58:49 +0200 Subject: [PATCH 18/68] Split pytest and pkcs11 test suites. Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 2 ++ tests/run-test-pkcs11-in-docker.sh | 5 +++++ tests/start-up-and-test-pkcs11.sh | 15 +++++++++++++++ tests/start-up-and-test.sh | 5 ----- 4 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 tests/run-test-pkcs11-in-docker.sh create mode 100644 tests/start-up-and-test-pkcs11.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4c55029..230db48 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -35,3 +35,5 @@ jobs: run: ./tests/build-in-docker.sh - name: Start emulation and test run: ./tests/run-test-in-docker.sh + - name: Test PKCS11 + run: ./tests/run-test-pkcs11-in-docker.sh diff --git a/tests/run-test-pkcs11-in-docker.sh b/tests/run-test-pkcs11-in-docker.sh new file mode 100644 index 0000000..ca3486e --- /dev/null +++ b/tests/run-test-pkcs11-in-docker.sh @@ -0,0 +1,5 @@ +#!/bin/bash -eu + +source tests/docker_env.sh +run_in_docker ./tests/start-up-and-test.sh + diff --git a/tests/start-up-and-test-pkcs11.sh b/tests/start-up-and-test-pkcs11.sh new file mode 100644 index 0000000..8f0834e --- /dev/null +++ b/tests/start-up-and-test-pkcs11.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +rm -rf pypicohsm +git clone https://github.com/polhenarejos/pypicohsm.git +pip3 install -e pypicohsm +/usr/sbin/pcscd & +sleep 2 +rm -f memory.flash +tar -xf tests/memory.tar.gz +./build_in_docker/pico_hsm > /dev/null 2>&1 & + +chmod a+x tests/scripts/*.sh + +echo "======== PKCS11 Test suite ========" +./tests/scripts/pkcs11.sh diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index f10091a..4825b6b 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -9,8 +9,3 @@ rm -f memory.flash tar -xf tests/memory.tar.gz ./build_in_docker/pico_hsm > /dev/null 2>&1 & pytest tests -W ignore::DeprecationWarning - -chmod a+x tests/scripts/*.sh - -echo "======== PKCS11 Test suite ========" -./tests/scripts/pkcs11.sh From 8321996a14707fca4ffbe23da1272a6f820651a3 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 08:30:24 +0200 Subject: [PATCH 19/68] Fix +x flag. Signed-off-by: Pol Henarejos --- tests/docker_env.sh | 0 tests/run-test-pkcs11-in-docker.sh | 0 tests/start-up-and-test-pkcs11.sh | 0 3 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 tests/docker_env.sh mode change 100644 => 100755 tests/run-test-pkcs11-in-docker.sh mode change 100644 => 100755 tests/start-up-and-test-pkcs11.sh diff --git a/tests/docker_env.sh b/tests/docker_env.sh old mode 100644 new mode 100755 diff --git a/tests/run-test-pkcs11-in-docker.sh b/tests/run-test-pkcs11-in-docker.sh old mode 100644 new mode 100755 diff --git a/tests/start-up-and-test-pkcs11.sh b/tests/start-up-and-test-pkcs11.sh old mode 100644 new mode 100755 From 3514c7ad82d7927fa3ac69633fa3bb3ce220058a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 09:30:15 +0200 Subject: [PATCH 20/68] Fix pkcs11 runner test. Signed-off-by: Pol Henarejos --- tests/run-test-pkcs11-in-docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/run-test-pkcs11-in-docker.sh b/tests/run-test-pkcs11-in-docker.sh index ca3486e..d94654a 100755 --- a/tests/run-test-pkcs11-in-docker.sh +++ b/tests/run-test-pkcs11-in-docker.sh @@ -1,5 +1,5 @@ #!/bin/bash -eu source tests/docker_env.sh -run_in_docker ./tests/start-up-and-test.sh +run_in_docker ./tests/start-up-and-test-pkcs11.sh From 2e633abb2c0c320215ca358ba8464f132a52d6b1 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 13:09:16 +0200 Subject: [PATCH 21/68] Use dynamic dd size. Signed-off-by: Pol Henarejos --- tests/scripts/sign_and_verify.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/scripts/sign_and_verify.sh b/tests/scripts/sign_and_verify.sh index a9c7581..02f856e 100755 --- a/tests/scripts/sign_and_verify.sh +++ b/tests/scripts/sign_and_verify.sh @@ -99,7 +99,8 @@ done echo -n " Test RSA-X-509..." cp data data_pad test $? -eq 0 && echo -n "." || exit $? -dd if=/dev/zero bs=1 count=227 >> data_pad > /dev/null 2>&1 +tlen=${#TEST_DATA} +dd if=/dev/zero bs=1 count=$((256-$tlen)) >> data_pad > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? pkcs11-tool --id 1 --sign --pin 648219 --mechanism RSA-X-509 -i data_pad -o data.sig > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? From c4357649782f1fc4f0d65800368f1f3451a68119 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 13:10:10 +0200 Subject: [PATCH 22/68] Add PKCS11 asymmetric ciphering tests. Signed-off-by: Pol Henarejos --- tests/scripts/asym_cipher.sh | 39 ++++++++++++++++++++++++++++++++++++ tests/scripts/pkcs11.sh | 7 +++++++ 2 files changed, 46 insertions(+) create mode 100755 tests/scripts/asym_cipher.sh diff --git a/tests/scripts/asym_cipher.sh b/tests/scripts/asym_cipher.sh new file mode 100755 index 0000000..35fef76 --- /dev/null +++ b/tests/scripts/asym_cipher.sh @@ -0,0 +1,39 @@ +#!/bin/bash + +source ./tests/scripts/func.sh +reset +test $? -eq 0 || exit $? + +rsa_encrypt_decrypt() { + openssl pkeyutl -encrypt -pubin -inkey 1.pub $2 -in $1 -out data.crypt + test $? -eq 0 && echo -n "." || exit $? + e=$(pkcs11-tool --id 1 --pin 648219 --decrypt $3 -i data.crypt 2>/dev/null) + test $? -eq 0 && echo -n "." || exit $? + grep -q "${TEST_STRING}" <<< $e || exit $? +} + +TEST_STRING="This is a test string. Be safe, be secure." + +echo ${TEST_STRING} > data + +echo -n " Keygen RSA 2048..." +keygen_and_export rsa:2048 +test $? -eq 0 && echo -e ".\t${OK}" || exit $? + +echo -n " Test RSA-PKCS ciphering..." +rsa_encrypt_decrypt data "-pkeyopt rsa_padding_mode:pkcs1" "--mechanism RSA-PKCS" +test $? -eq 0 && echo -e ".\t${OK}" || exit $? + +echo -n " Test RSA-X-509 ciphering..." +cp data data_pad +tlen=${#TEST_STRING} +dd if=/dev/zero bs=1 count=$((256-$tlen-1)) >> data_pad 2> /dev/null +test $? -eq 0 && echo -n "." || exit $? +rsa_encrypt_decrypt data_pad "-pkeyopt rsa_padding_mode:none" "--mechanism RSA-X-509" +test $? -eq 0 && echo -e ".\t${OK}" || exit $? + +echo -n " Test RSA-PKCS-OAEP ciphering..." +rsa_encrypt_decrypt data "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256" "--mechanism RSA-PKCS-OAEP" +openssl pkeyutl -encrypt -pubin -inkey 1.pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in data -out data.crypt +test $? -eq 0 && echo -e ".\t${OK}" || exit $? + diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh index 3e15984..c2292b8 100755 --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -21,3 +21,10 @@ test $? -eq 0 || { echo -e "\t${FAIL}" exit 1 } + +echo "==== Test asymmetric ciphering ====" +./tests/scripts/asym_cipher.sh +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} From 205356b848e456d2f77a3f6e7a5ee3cad5d858ad Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 14:21:55 +0200 Subject: [PATCH 23/68] Let's try different jobs Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 230db48..43497d8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,9 +23,7 @@ on: jobs: build: - runs-on: ubuntu-latest - steps: - name: Checkout repository and submodules uses: actions/checkout@v3 @@ -33,7 +31,15 @@ jobs: submodules: recursive - name: Build in container run: ./tests/build-in-docker.sh - - name: Start emulation and test + test: + runs-on: ubuntu-latest + needs: build + steps: + - name: Test PCSC (pytest) run: ./tests/run-test-in-docker.sh + test_pkcs11: + runs-on: ubuntu-latest + needs: build + steps: - name: Test PKCS11 run: ./tests/run-test-pkcs11-in-docker.sh From d118b787a2985d130ab37727d699df62c082c88d Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 14:44:52 +0200 Subject: [PATCH 24/68] Try using reusable workflows Signed-off-by: Pol Henarejos --- .github/workflows/build.yml | 16 ++++++++++++++++ .github/workflows/test.yml | 15 +++++++-------- 2 files changed, 23 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..e6a0e8b --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,16 @@ + +name: Reusable build workflow + +on: + workflow_call: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout repository and submodules + uses: actions/checkout@v3 + with: + submodules: recursive + - name: Build in container + run: ./tests/build-in-docker.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 43497d8..c3f5285 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,24 +22,23 @@ on: workflow_dispatch: jobs: - build: + test: runs-on: ubuntu-latest + uses: ./.github/workflows/build.yml steps: - name: Checkout repository and submodules uses: actions/checkout@v3 with: submodules: recursive - - name: Build in container - run: ./tests/build-in-docker.sh - test: - runs-on: ubuntu-latest - needs: build - steps: - name: Test PCSC (pytest) run: ./tests/run-test-in-docker.sh test_pkcs11: runs-on: ubuntu-latest - needs: build + uses: ./.github/workflows/build.yml steps: + - name: Checkout repository and submodules + uses: actions/checkout@v3 + with: + submodules: recursive - name: Test PKCS11 run: ./tests/run-test-pkcs11-in-docker.sh From 4493afa84db44734eee4ddf8a4c25c5c29323c64 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 14:46:37 +0200 Subject: [PATCH 25/68] Fix workflow Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c3f5285..a40c61f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,23 +22,17 @@ on: workflow_dispatch: jobs: + build: + uses: ./.github/workflows/build.yml test: runs-on: ubuntu-latest - uses: ./.github/workflows/build.yml + needs: build steps: - - name: Checkout repository and submodules - uses: actions/checkout@v3 - with: - submodules: recursive - name: Test PCSC (pytest) run: ./tests/run-test-in-docker.sh test_pkcs11: runs-on: ubuntu-latest - uses: ./.github/workflows/build.yml + needs: build steps: - - name: Checkout repository and submodules - uses: actions/checkout@v3 - with: - submodules: recursive - name: Test PKCS11 run: ./tests/run-test-pkcs11-in-docker.sh From ba036f4c0f33110ca5e5cc98fb46b707d59f680c Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 16:35:51 +0200 Subject: [PATCH 26/68] Add EC derive tests. Signed-off-by: Pol Henarejos --- tests/scripts/asym_cipher.sh | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/tests/scripts/asym_cipher.sh b/tests/scripts/asym_cipher.sh index 35fef76..ea7baed 100755 --- a/tests/scripts/asym_cipher.sh +++ b/tests/scripts/asym_cipher.sh @@ -7,9 +7,12 @@ test $? -eq 0 || exit $? rsa_encrypt_decrypt() { openssl pkeyutl -encrypt -pubin -inkey 1.pub $2 -in $1 -out data.crypt test $? -eq 0 && echo -n "." || exit $? - e=$(pkcs11-tool --id 1 --pin 648219 --decrypt $3 -i data.crypt 2>/dev/null) + TDATA=$(tr -d '\0' < <(pkcs11-tool --id 1 --pin 648219 --decrypt $3 -i data.crypt 2>/dev/null)) + test $? -eq 0 && echo -n "." || exit $? + if [[ ${TEST_STRING} != "$TDATA" ]]; then + exit 1 + fi test $? -eq 0 && echo -n "." || exit $? - grep -q "${TEST_STRING}" <<< $e || exit $? } TEST_STRING="This is a test string. Be safe, be secure." @@ -37,3 +40,24 @@ rsa_encrypt_decrypt data "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sh openssl pkeyutl -encrypt -pubin -inkey 1.pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in data -out data.crypt test $? -eq 0 && echo -e ".\t${OK}" || exit $? +rm -rf data* 1.* +pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 + +algs=("secp192r1" "secp256r1" "secp384r1" "secp521r1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1" "secp192k1" "secp256k1") +for alg in ${algs[*]}; do + echo -n " Test EC derive with ${alg}..." + keygen_and_export ec:${alg} + test $? -eq 0 && echo -n "." || exit $? + openssl ecparam -genkey -name ${alg} > bob.pem 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? + openssl ec -in bob.pem -pubout -outform DER > bob.der 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? + pkcs11-tool --pin 648219 --id 1 --derive -i bob.der -o mine-bob.der > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + openssl pkeyutl -derive -out bob-mine.der -inkey bob.pem -peerkey 1.pub 2>/dev/null + test $? -eq 0 && echo -n "." || exit $? + cmp bob-mine.der mine-bob.der + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + rm -rf data* 1.* + pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 +done From 345ae2be69d726faf3c865d64ba75a2b98a39f16 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 16:36:00 +0200 Subject: [PATCH 27/68] Not used Signed-off-by: Pol Henarejos --- .github/workflows/build.yml | 16 ---------------- tests/scripts/reset.sh | 4 ---- 2 files changed, 20 deletions(-) delete mode 100644 .github/workflows/build.yml delete mode 100644 tests/scripts/reset.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index e6a0e8b..0000000 --- a/.github/workflows/build.yml +++ /dev/null @@ -1,16 +0,0 @@ - -name: Reusable build workflow - -on: - workflow_call: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout repository and submodules - uses: actions/checkout@v3 - with: - submodules: recursive - - name: Build in container - run: ./tests/build-in-docker.sh diff --git a/tests/scripts/reset.sh b/tests/scripts/reset.sh deleted file mode 100644 index f0f87e5..0000000 --- a/tests/scripts/reset.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 --silent -test $? -eq 0 || exit $? From c97680772d9f06fd894d303bf9de4a4166b2769f Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 16:36:37 +0200 Subject: [PATCH 28/68] Use artifacts Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 46 +++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a40c61f..46a2962 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -23,16 +23,60 @@ on: jobs: build: - uses: ./.github/workflows/build.yml + runs-on: ubuntu-latest + steps: + - name: Checkout repository and submodules + uses: actions/checkout@v3 + with: + submodules: recursive + - name: Build in container + run: ./tests/build-in-docker.sh + - name: Export image + run: | + mkdir -p artifacts + docker save pico-hsm-test:bullseye -o artifacts/docker-image.tar + - name: Temporarily save image + uses: actions/upload-artifact@v2 + with: + name: docker-artifact + path: artifacts + retention-days: 1 + test: runs-on: ubuntu-latest needs: build steps: + - name: Checkout repository and submodules + uses: actions/checkout@v3 + with: + submodules: recursive + - name: Retrieve saved image + uses: actions/download-artifact@v2 + with: + name: docker-artifact + path: artifacts + - name: Load image + run: | + cd artifacts + docker load -q -i docker-image.tar - name: Test PCSC (pytest) run: ./tests/run-test-in-docker.sh test_pkcs11: runs-on: ubuntu-latest needs: build steps: + - name: Checkout repository and submodules + uses: actions/checkout@v3 + with: + submodules: recursive + - name: Retrieve saved image + uses: actions/download-artifact@v2 + with: + name: docker-artifact + path: artifacts + - name: Load image + run: | + cd artifacts + docker load -q -i docker-image.tar - name: Test PKCS11 run: ./tests/run-test-pkcs11-in-docker.sh From 2f177eb8dfd73fa90d6a0b03501f313643a26854 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 16:46:51 +0200 Subject: [PATCH 29/68] Build image only during build Signed-off-by: Pol Henarejos --- tests/build-in-docker.sh | 1 + tests/docker_env.sh | 18 ++++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/tests/build-in-docker.sh b/tests/build-in-docker.sh index d0b636e..57a0618 100755 --- a/tests/build-in-docker.sh +++ b/tests/build-in-docker.sh @@ -1,6 +1,7 @@ #!/bin/bash -eu source tests/docker_env.sh +build_image #run_in_docker rm -rf CMakeFiles run_in_docker mkdir -p build_in_docker run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 .. diff --git a/tests/docker_env.sh b/tests/docker_env.sh index 41b1d75..c801fb8 100755 --- a/tests/docker_env.sh +++ b/tests/docker_env.sh @@ -72,14 +72,16 @@ else NUM_PROC="$(nproc)" fi -# Build the Docker image -echo "Getting docker image up to date (this may take a few minutes)..." -${DOCKER} image build \ - -t ${DOCKER_IMAGE_TAG} \ - --cache-from=${DOCKER_IMAGE_TAG} \ - --network host \ - --build-arg MAKEFLAGS_PARALLEL="-j ${NUM_PROC}" \ - tests/docker/${MBEDTLS_DOCKER_GUEST} +build_image() { + # Build the Docker image + echo "Getting docker image up to date (this may take a few minutes)..." + ${DOCKER} image build \ + -t ${DOCKER_IMAGE_TAG} \ + --cache-from=${DOCKER_IMAGE_TAG} \ + --network host \ + --build-arg MAKEFLAGS_PARALLEL="-j ${NUM_PROC}" \ + tests/docker/${MBEDTLS_DOCKER_GUEST} +} run_in_docker() { From 11a34729414ad37d3990e43ca7ccd2f737c0ceaa Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 17:45:49 +0200 Subject: [PATCH 30/68] Refactor test workflow Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 26 +++++--------------------- tests/docker/bullseye/Dockerfile | 4 +++- tests/run-test-in-docker.sh | 11 ++++++++++- tests/start-up-and-test-pkcs11.sh | 9 +-------- tests/start-up-and-test.sh | 10 ++-------- tests/startup.sh | 20 ++++++++++++++++++++ 6 files changed, 41 insertions(+), 39 deletions(-) create mode 100644 tests/startup.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 46a2962..d6d7515 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -45,6 +45,9 @@ jobs: test: runs-on: ubuntu-latest needs: build + strategy: + matrix: + suite: ["pkcs11", "pytest"] steps: - name: Checkout repository and submodules uses: actions/checkout@v3 @@ -59,24 +62,5 @@ jobs: run: | cd artifacts docker load -q -i docker-image.tar - - name: Test PCSC (pytest) - run: ./tests/run-test-in-docker.sh - test_pkcs11: - runs-on: ubuntu-latest - needs: build - steps: - - name: Checkout repository and submodules - uses: actions/checkout@v3 - with: - submodules: recursive - - name: Retrieve saved image - uses: actions/download-artifact@v2 - with: - name: docker-artifact - path: artifacts - - name: Load image - run: | - cd artifacts - docker load -q -i docker-image.tar - - name: Test PKCS11 - run: ./tests/run-test-pkcs11-in-docker.sh + - name: Test ${{ matrix.suite }} + run: ./tests/run-test-in-docker.sh ${{ matrix.suite }} diff --git a/tests/docker/bullseye/Dockerfile b/tests/docker/bullseye/Dockerfile index 94ade74..14b7c48 100644 --- a/tests/docker/bullseye/Dockerfile +++ b/tests/docker/bullseye/Dockerfile @@ -28,11 +28,13 @@ RUN pip3 install pytest pycvc cryptography pyscard base58 WORKDIR / RUN git clone https://github.com/OpenSC/OpenSC WORKDIR /OpenSC -RUN git checkout tags/0.22.0 +RUN git checkout tags/0.23.0 RUN ./bootstrap RUN ./configure --enable-openssl RUN make -j `nproc` RUN make install RUN make clean RUN ldconfig +RUN git clone https://github.com/polhenarejos/pypicohsm.git +RUN pip3 install -e pypicohsm WORKDIR / diff --git a/tests/run-test-in-docker.sh b/tests/run-test-in-docker.sh index ca3486e..3589acc 100755 --- a/tests/run-test-in-docker.sh +++ b/tests/run-test-in-docker.sh @@ -1,5 +1,14 @@ #!/bin/bash -eu source tests/docker_env.sh -run_in_docker ./tests/start-up-and-test.sh + +if [[ "$#" -gt 1 ]]; then + if [[ $1 == "pkcs11" ]]; then + run_in_docker ./tests/start-up-and-test-pkcs11.sh + elif [[ $1 == "pytest" ]]; then + run_in_docker ./tests/start-up-and-test.sh + fi +else + run_in_docker ./tests/start-up-and-test.sh +fi diff --git a/tests/start-up-and-test-pkcs11.sh b/tests/start-up-and-test-pkcs11.sh index 8f0834e..25363be 100755 --- a/tests/start-up-and-test-pkcs11.sh +++ b/tests/start-up-and-test-pkcs11.sh @@ -1,13 +1,6 @@ #!/bin/bash -rm -rf pypicohsm -git clone https://github.com/polhenarejos/pypicohsm.git -pip3 install -e pypicohsm -/usr/sbin/pcscd & -sleep 2 -rm -f memory.flash -tar -xf tests/memory.tar.gz -./build_in_docker/pico_hsm > /dev/null 2>&1 & +source ./tests/startup.sh chmod a+x tests/scripts/*.sh diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index 4825b6b..de0a302 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -1,11 +1,5 @@ #!/bin/bash -rm -rf pypicohsm -git clone https://github.com/polhenarejos/pypicohsm.git -pip3 install -e pypicohsm -/usr/sbin/pcscd & -sleep 2 -rm -f memory.flash -tar -xf tests/memory.tar.gz -./build_in_docker/pico_hsm > /dev/null 2>&1 & +source ./tests/startup.sh + pytest tests -W ignore::DeprecationWarning diff --git a/tests/startup.sh b/tests/startup.sh new file mode 100644 index 0000000..8cc289f --- /dev/null +++ b/tests/startup.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +OK="\033[32mok\033[0m" +FAIL="\033[31mfail\033[0m" + +echo -n "Start PCSC... " +/usr/sbin/pcscd & +test $? -eq 0 && echo -e "${OK}" || { + echo -e "${FAIL}" + exit 1 +} +sleep 2 +rm -f memory.flash +tar -xf tests/memory.tar.gz +echo -n "Start Pico HSM... " +./build_in_docker/pico_hsm > /dev/null 2>&1 & +test $? -eq 0 && echo -e "${OK}" || { + echo -e "${FAIL}" + exit 1 +} From 42a9434c5099e7f7f4202223b58f4d280d33255a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 17:46:01 +0200 Subject: [PATCH 31/68] Not used Signed-off-by: Pol Henarejos --- tests/run-test-pkcs11-in-docker.sh | 5 ----- 1 file changed, 5 deletions(-) delete mode 100755 tests/run-test-pkcs11-in-docker.sh diff --git a/tests/run-test-pkcs11-in-docker.sh b/tests/run-test-pkcs11-in-docker.sh deleted file mode 100755 index d94654a..0000000 --- a/tests/run-test-pkcs11-in-docker.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -eu - -source tests/docker_env.sh -run_in_docker ./tests/start-up-and-test-pkcs11.sh - From 78cbe59e64ad8cc0bf918d9e474c38e371d01235 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 17:58:32 +0200 Subject: [PATCH 32/68] Fix startup Signed-off-by: Pol Henarejos --- tests/run-test-in-docker.sh | 9 ++------- tests/startup.sh | 3 ++- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/tests/run-test-in-docker.sh b/tests/run-test-in-docker.sh index 3589acc..de7018a 100755 --- a/tests/run-test-in-docker.sh +++ b/tests/run-test-in-docker.sh @@ -2,13 +2,8 @@ source tests/docker_env.sh -if [[ "$#" -gt 1 ]]; then - if [[ $1 == "pkcs11" ]]; then - run_in_docker ./tests/start-up-and-test-pkcs11.sh - elif [[ $1 == "pytest" ]]; then - run_in_docker ./tests/start-up-and-test.sh - fi +if [[ $1 == "pkcs11" ]]; then + run_in_docker ./tests/start-up-and-test-pkcs11.sh else run_in_docker ./tests/start-up-and-test.sh fi - diff --git a/tests/startup.sh b/tests/startup.sh index 8cc289f..a6d924f 100644 --- a/tests/startup.sh +++ b/tests/startup.sh @@ -13,8 +13,9 @@ sleep 2 rm -f memory.flash tar -xf tests/memory.tar.gz echo -n "Start Pico HSM... " -./build_in_docker/pico_hsm > /dev/null 2>&1 & +./build_in_docker/pico_hsm & test $? -eq 0 && echo -e "${OK}" || { echo -e "${FAIL}" exit 1 } +sleep 2 From a7770a7e571c9cb7e17a1455be4deb356aead64d Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 18:25:10 +0200 Subject: [PATCH 33/68] Check Pico HSM PCSC connectivity. Signed-off-by: Pol Henarejos --- tests/startup.sh | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/tests/startup.sh b/tests/startup.sh index a6d924f..91b1a0e 100644 --- a/tests/startup.sh +++ b/tests/startup.sh @@ -1,9 +1,14 @@ #!/bin/bash -OK="\033[32mok\033[0m" -FAIL="\033[31mfail\033[0m" +OK="\t\033[32mok\033[0m" +FAIL="\t\033[31mfail\033[0m" -echo -n "Start PCSC... " +fail() { + echo -e "${FAIL}" + exit 1 +} + +echo -n "Start PCSC..." /usr/sbin/pcscd & test $? -eq 0 && echo -e "${OK}" || { echo -e "${FAIL}" @@ -12,10 +17,11 @@ test $? -eq 0 && echo -e "${OK}" || { sleep 2 rm -f memory.flash tar -xf tests/memory.tar.gz -echo -n "Start Pico HSM... " -./build_in_docker/pico_hsm & -test $? -eq 0 && echo -e "${OK}" || { - echo -e "${FAIL}" - exit 1 -} +echo -n "Start Pico HSM..." +/pico_hsm > /dev/null 2>&1 & +test $? -eq 0 && echo -n "." || fail sleep 2 +ATR="3b:fe:18:00:00:81:31:fe:45:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:fa" +e=$(opensc-tool -an 2>&1) +grep -q "${ATR}" <<< $e && echo -n "." || fail +test $? -eq 0 && echo -e "${OK}" || fail From b74c4070d14332a496691f9346590fc5016afedc Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 18:26:16 +0200 Subject: [PATCH 34/68] When build, it copies generated binaries to image, which will be used later by other jobs. Signed-off-by: Pol Henarejos --- tests/build-in-docker.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/build-in-docker.sh b/tests/build-in-docker.sh index 57a0618..6a990d6 100755 --- a/tests/build-in-docker.sh +++ b/tests/build-in-docker.sh @@ -6,3 +6,9 @@ build_image run_in_docker mkdir -p build_in_docker run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 .. run_in_docker -w "$PWD/build_in_docker" make -j ${NUM_PROC} +docker create --name temp_container pico-hsm-test:bullseye +docker cp $PWD/build_in_docker/pico_hsm temp_container:/pico_hsm +docker commit temp_container pico-hsm-test:bullseye +docker stop temp_container +docker rm temp_container +docker rmi $(docker images -f "dangling=true" -q) From 9db3e78d32823aac4976fab161f0ecf45be96a54 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 18:41:01 +0200 Subject: [PATCH 35/68] Not necessary rmi Signed-off-by: Pol Henarejos --- tests/build-in-docker.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/build-in-docker.sh b/tests/build-in-docker.sh index 6a990d6..63e5dea 100755 --- a/tests/build-in-docker.sh +++ b/tests/build-in-docker.sh @@ -11,4 +11,3 @@ docker cp $PWD/build_in_docker/pico_hsm temp_container:/pico_hsm docker commit temp_container pico-hsm-test:bullseye docker stop temp_container docker rm temp_container -docker rmi $(docker images -f "dangling=true" -q) From fa821c43c80229f07b80ae931baa6aa26138bd09 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 19:00:23 +0200 Subject: [PATCH 36/68] Prune images autom. Signed-off-by: Pol Henarejos --- tests/build-in-docker.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/build-in-docker.sh b/tests/build-in-docker.sh index 63e5dea..b3d9a96 100755 --- a/tests/build-in-docker.sh +++ b/tests/build-in-docker.sh @@ -11,3 +11,4 @@ docker cp $PWD/build_in_docker/pico_hsm temp_container:/pico_hsm docker commit temp_container pico-hsm-test:bullseye docker stop temp_container docker rm temp_container +docker image prune -f From 448d61dd2d5dee7cf71011132278e713fc57a3a6 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 19:00:36 +0200 Subject: [PATCH 37/68] Use artifact@v3 Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d6d7515..950f525 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -54,7 +54,7 @@ jobs: with: submodules: recursive - name: Retrieve saved image - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v3 with: name: docker-artifact path: artifacts From 011a594fe448e5b0ffd4eb24e1d0ac66170cd371 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 19:18:04 +0200 Subject: [PATCH 38/68] Also use artifacts@v3 on upload. Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 950f525..27f3b1d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -36,7 +36,7 @@ jobs: mkdir -p artifacts docker save pico-hsm-test:bullseye -o artifacts/docker-image.tar - name: Temporarily save image - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: docker-artifact path: artifacts From 3057aba041e7391e87059e794532ba9b9c617d3e Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 21:15:23 +0200 Subject: [PATCH 39/68] Fix redundant line. Signed-off-by: Pol Henarejos --- tests/scripts/asym_cipher.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/scripts/asym_cipher.sh b/tests/scripts/asym_cipher.sh index ea7baed..c75bf20 100755 --- a/tests/scripts/asym_cipher.sh +++ b/tests/scripts/asym_cipher.sh @@ -37,7 +37,6 @@ test $? -eq 0 && echo -e ".\t${OK}" || exit $? echo -n " Test RSA-PKCS-OAEP ciphering..." rsa_encrypt_decrypt data "-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256" "--mechanism RSA-PKCS-OAEP" -openssl pkeyutl -encrypt -pubin -inkey 1.pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in data -out data.crypt test $? -eq 0 && echo -e ".\t${OK}" || exit $? rm -rf data* 1.* From 2ecfff0ebbc6eecd268f7e719f9cffe6c2639476 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 21:15:51 +0200 Subject: [PATCH 40/68] Add store binary data tests. Signed-off-by: Pol Henarejos --- tests/scripts/pkcs11.sh | 7 +++++++ tests/scripts/store_binary.sh | 28 ++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100755 tests/scripts/store_binary.sh diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh index c2292b8..bf625a2 100755 --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -28,3 +28,10 @@ test $? -eq 0 || { echo -e "\t${FAIL}" exit 1 } + +echo "==== Test binary storage ====" +./tests/scripts/store_binary.sh +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} diff --git a/tests/scripts/store_binary.sh b/tests/scripts/store_binary.sh new file mode 100755 index 0000000..2a116f1 --- /dev/null +++ b/tests/scripts/store_binary.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +source ./tests/scripts/func.sh +reset +test $? -eq 0 || exit $? + +TEST_DATA="Pico HSM is awesome!" + +echo 'Pico HSM is awesome!' > data + +echo -n " Test public binary storage..." +pkcs11-tool --pin 648219 --write-object test --type data --id 1 --label 'test1' > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? +e=$(pkcs11-tool --read-object --type data --label 'test1' 2>&1) +test $? -eq 0 && echo -n "." || exit $? +grep -q "${TEST_DATA}" <<< $e && echo -e ".\t${OK}" || exit $? +pkcs11-tool --pin 648219 --delete-object --type data --label 'test1' > /dev/null 2>&1 + +echo -n " Test private binary storage..." +pkcs11-tool --pin 648219 --write-object test --type data --id 1 --label 'test1' --private > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? +e=$(pkcs11-tool --read-object --type data --label 'test1' --pin 648219 2>&1) +test $? -eq 0 && echo -n "." || exit $? +grep -q "${TEST_DATA}" <<< $e && echo -n "." || exit $? +e=$(pkcs11-tool --read-object --type data --label 'test1' 2>&1) +test $? -eq 1 && echo -n "." || exit $? +grep -q "error: object not found" <<< $e && echo -e ".\t${OK}" || exit $? +pkcs11-tool --pin 648219 --delete-object --type data --label 'test1' > /dev/null 2>&1 From e27c8d4ff6303010a58a1f9e3eccce9ae288c74a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 21:55:31 +0200 Subject: [PATCH 41/68] Added flag for compile for CI or production. Signed-off-by: Pol Henarejos --- CMakeLists.txt | 7 +++++++ src/hsm/sc_hsm.c | 4 ++++ 2 files changed, 11 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index a3f9046..5f97c09 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -32,6 +32,13 @@ else() pico_sdk_init() endif() +if (NOT DEFINED __FOR_CI) + set(__FOR_CI 0) +endif() +if (__FOR_CI) + add_definitions(-D__FOR_CI) +endif() + add_executable(pico_hsm) set(SOURCES ${SOURCES} diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index 41b2dcd..42cfe27 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -289,7 +289,11 @@ bool wait_button_pressed() { } int parse_token_info(const file_t *f, int mode) { +#ifdef __FOR_CI + char *label = "SmartCard-HSM"; +#else char *label = "Pico-HSM"; +#endif char *manu = "Pol Henarejos"; if (mode == 1) { uint8_t *p = res_APDU; From d5af9160c1039e65e7a6191cfc5e02fb9f5dacd5 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 21:55:55 +0200 Subject: [PATCH 42/68] Build in docker with for CI flag. Signed-off-by: Pol Henarejos --- tests/build-in-docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/build-in-docker.sh b/tests/build-in-docker.sh index b3d9a96..8a42b51 100755 --- a/tests/build-in-docker.sh +++ b/tests/build-in-docker.sh @@ -4,7 +4,7 @@ source tests/docker_env.sh build_image #run_in_docker rm -rf CMakeFiles run_in_docker mkdir -p build_in_docker -run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 .. +run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 -D__FOR_CI=1 .. run_in_docker -w "$PWD/build_in_docker" make -j ${NUM_PROC} docker create --name temp_container pico-hsm-test:bullseye docker cp $PWD/build_in_docker/pico_hsm temp_container:/pico_hsm From 43c46e9112fe7a9b8bdcc01fc620c7996f8ad10f Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 21:56:18 +0200 Subject: [PATCH 43/68] Add sc-hsm-embedd pkcs11 driver and test. Signed-off-by: Pol Henarejos --- tests/docker/bullseye/Dockerfile | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/docker/bullseye/Dockerfile b/tests/docker/bullseye/Dockerfile index 14b7c48..032ba5c 100644 --- a/tests/docker/bullseye/Dockerfile +++ b/tests/docker/bullseye/Dockerfile @@ -35,6 +35,15 @@ RUN make -j `nproc` RUN make install RUN make clean RUN ldconfig +WORKDIR / RUN git clone https://github.com/polhenarejos/pypicohsm.git RUN pip3 install -e pypicohsm +RUN git clone https://github.com/CardContact/sc-hsm-embedded +WORKDIR /sc-hsm-embedded +RUN autoreconf -fi +RUN ./configure +RUN make -j `nproc` +RUN make install +RUN cp ./src/tests/sc-hsm-pkcs11-test /usr/local/bin/sc-hsm-pkcs11-test +RUN make clean WORKDIR / From c3b57b229fcc6375c90c2f7464643c48426fc1a1 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 21:56:41 +0200 Subject: [PATCH 44/68] Add sc-hsm-pkcs11-test to test matrix. Signed-off-by: Pol Henarejos --- .github/workflows/test.yml | 2 +- tests/run-test-in-docker.sh | 2 ++ tests/scripts/sc_hsm_test.sh | 24 ++++++++++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100755 tests/scripts/sc_hsm_test.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 27f3b1d..9b81817 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -47,7 +47,7 @@ jobs: needs: build strategy: matrix: - suite: ["pkcs11", "pytest"] + suite: ["pkcs11", "pytest", "sc-hsm-pkcs11"] steps: - name: Checkout repository and submodules uses: actions/checkout@v3 diff --git a/tests/run-test-in-docker.sh b/tests/run-test-in-docker.sh index de7018a..367ecf1 100755 --- a/tests/run-test-in-docker.sh +++ b/tests/run-test-in-docker.sh @@ -4,6 +4,8 @@ source tests/docker_env.sh if [[ $1 == "pkcs11" ]]; then run_in_docker ./tests/start-up-and-test-pkcs11.sh +elif [[ $1 == "sc-hsm-pkcs11" ]]; then + run_in_docker ./tests/scripts/sc_hsm_test.sh else run_in_docker ./tests/start-up-and-test.sh fi diff --git a/tests/scripts/sc_hsm_test.sh b/tests/scripts/sc_hsm_test.sh new file mode 100755 index 0000000..0885439 --- /dev/null +++ b/tests/scripts/sc_hsm_test.sh @@ -0,0 +1,24 @@ +#!/bin/bash + +source ./tests/startup.sh + +echo "==== Test SC HSM ====" +echo -n " Running sc-hsm-pkcs11-test..." +pkcs11-tool -l --pin 648219 --keypairgen --key-type ec:secp256r1 --id 1 --label "TestLabel" > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || { + echo -e "\t${FAIL}" + exit 1 +} +e=$(/usr/local/bin/sc-hsm-pkcs11-test --module /usr/local/lib/libsc-hsm-pkcs11.so --pin 648219 --invasive 2>&1) +test $? -eq 0 && echo -n "." || { + echo -e "\t${FAIL}" + exit 1 +} +grep -q "338 tests performed" <<< $e && echo -n "." || { + echo -e "\t${FAIL}" + exit 1 +} +grep -q "0 tests failed" <<< $e && echo -e ".\t${OK}" || { + echo -e "\t${FAIL}" + exit 1 +} \ No newline at end of file From dbe0ef19de847e0638373f09d628f5fe3c285e80 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 9 Oct 2023 22:17:22 +0200 Subject: [PATCH 45/68] Fix store binary test script. Signed-off-by: Pol Henarejos --- tests/scripts/store_binary.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/store_binary.sh b/tests/scripts/store_binary.sh index 2a116f1..3b03cff 100755 --- a/tests/scripts/store_binary.sh +++ b/tests/scripts/store_binary.sh @@ -6,7 +6,7 @@ test $? -eq 0 || exit $? TEST_DATA="Pico HSM is awesome!" -echo 'Pico HSM is awesome!' > data +echo ${TEST_DATA} > test echo -n " Test public binary storage..." pkcs11-tool --pin 648219 --write-object test --type data --id 1 --label 'test1' > /dev/null 2>&1 From 185d19504ff918f1f04bec2eba34e7d719e01a8a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 12:12:53 +0200 Subject: [PATCH 46/68] Add plaintext debug. Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index 42dcdd3..dbfb89f 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit 42dcdd337277362b874503f5a36560e78c26d1f7 +Subproject commit dbfb89f9595b6d398eb4d83ce42b14b657d45f9d From 654cb1e4e0510b7b8b80d73cc4c41ffd74f843e2 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 12:13:21 +0200 Subject: [PATCH 47/68] Added AES pkcs11 tests. Signed-off-by: Pol Henarejos --- tests/scripts/aes.sh | 38 ++++++++++++++++++++++++++++++++++++++ tests/scripts/pkcs11.sh | 7 +++++++ 2 files changed, 45 insertions(+) create mode 100755 tests/scripts/aes.sh diff --git a/tests/scripts/aes.sh b/tests/scripts/aes.sh new file mode 100755 index 0000000..ae1a22b --- /dev/null +++ b/tests/scripts/aes.sh @@ -0,0 +1,38 @@ +#!/bin/bash + +source ./tests/scripts/func.sh +reset +test $? -eq 0 || exit $? + +TEST_DATA="This is a text." + +echo "${TEST_DATA}" > test + +sc_tool() { + pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so -l --pin 648219 $@ +} + +aeses=("16" "24" "32") + +for aes in ${aeses[*]}; do + echo " Test AES (AES:${aes})" + echo -n " Keygen... " + sc_tool --keygen --key-type "AES:${aes}" --id 1 --label "AES:${aes}" > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + e=$(sc_tool --list-object --type secrkey 2>&1) + test $? -eq 0 && echo -n "." || exit $? + grep -q "AES length ${aes}" <<< $e && echo -n "." || exit $? + grep -q "AES:${aes}" <<< $e && echo -e ".\t${OK}" || exit $? + + echo -n " Encryption..." + sc_tool --encrypt --id 1 --input-file test --mechanism aes-cbc > crypted.aes 2>/dev/null + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + + echo -n " Decryption..." + e=$(sc_tool --decrypt --id 1 --input-file crypted.aes --mechanism aes-cbc 2>/dev/null) + test $? -eq 0 && echo -n "." || exit $? + grep -q "${TEST_DATA}" <<< $e && echo -e ".\t${OK}" || exit $? + + sc_tool --delete --type secrkey --id 1 > /dev/null 2>&1 +done +rm -rf test crypted.aes diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh index bf625a2..e0f6fda 100755 --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -35,3 +35,10 @@ test $? -eq 0 || { echo -e "\t${FAIL}" exit 1 } + +echo "==== Test AES ====" +./tests/scripts/aes.sh +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} From 2853b38b088cb6db3360d34a87e2247f25adaf6e Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 13:00:24 +0200 Subject: [PATCH 48/68] Add PKCS11 tool test Signed-off-by: Pol Henarejos --- tests/scripts/pkcs11.sh | 7 +++++++ tests/scripts/pkcs11_test.sh | 11 +++++++++++ 2 files changed, 18 insertions(+) create mode 100755 tests/scripts/pkcs11_test.sh diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh index e0f6fda..46ed776 100755 --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -42,3 +42,10 @@ test $? -eq 0 || { echo -e "\t${FAIL}" exit 1 } + +echo "==== Test PKCS11-tool ====" +./tests/scripts/pkcs11_test.sh +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} \ No newline at end of file diff --git a/tests/scripts/pkcs11_test.sh b/tests/scripts/pkcs11_test.sh new file mode 100755 index 0000000..0550dc7 --- /dev/null +++ b/tests/scripts/pkcs11_test.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +source ./tests/scripts/func.sh +reset +test $? -eq 0 || exit $? + +echo -n " Test PKCS11 tool..." +gen_and_check rsa:2048 +test $? -eq 0 && echo -n "." || exit $? +pkcs11-tool --test -l --pin 648219 > /dev/null 2>&1 +test $? -eq 0 && echo -e ".\t${OK}" || exit $? From aaed6bd7b6be58c08f5d6d50c7d6e7799260e899 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 21:02:18 +0200 Subject: [PATCH 49/68] New format for applet selection. Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index dbfb89f..eef2f19 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit dbfb89f9595b6d398eb4d83ce42b14b657d45f9d +Subproject commit eef2f190f21b16b3dc982e8806edee0172a76edf From 11bb00e18690a7684e2c0e08eb34f9488bf08f3b Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 21:03:09 +0200 Subject: [PATCH 50/68] Default key domain is 0. It allows to wrap keys not associated to any key domain. Signed-off-by: Pol Henarejos --- src/hsm/cmd_key_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hsm/cmd_key_domain.c b/src/hsm/cmd_key_domain.c index d548452..ea31f41 100644 --- a/src/hsm/cmd_key_domain.c +++ b/src/hsm/cmd_key_domain.c @@ -27,7 +27,7 @@ uint8_t get_key_domain(file_t *fkey) { if (meta_tag) { return *meta_tag; } - return 0xff; + return 0x0; } int cmd_key_domain() { From eddb1baf7b817ed1e67e6e91986f4d6e21fc68bb Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 21:03:17 +0200 Subject: [PATCH 51/68] Use new applet selection format. Signed-off-by: Pol Henarejos --- src/hsm/sc_hsm.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index 42cfe27..a7bfcf2 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -80,20 +80,16 @@ extern int cmd_bip_slip(); extern const uint8_t *ccid_atr; -app_t *sc_hsm_select_aid(app_t *a, const uint8_t *aid, uint8_t aid_len) { - if (!memcmp(aid, sc_hsm_aid + 1, MIN(aid_len, sc_hsm_aid[0]))) { - a->aid = sc_hsm_aid; - a->process_apdu = sc_hsm_process_apdu; - a->unload = sc_hsm_unload; - init_sc_hsm(); - return a; - } - return NULL; +int sc_hsm_select_aid(app_t *a) { + a->process_apdu = sc_hsm_process_apdu; + a->unload = sc_hsm_unload; + init_sc_hsm(); + return CCID_OK; } void __attribute__((constructor)) sc_hsm_ctor() { ccid_atr = atr_sc_hsm; - register_app(sc_hsm_select_aid); + register_app(sc_hsm_select_aid, sc_hsm_aid); } void scan_files() { From 4be258f4c7ef51a8614b821711d455e4faa4fe70 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 21:04:53 +0200 Subject: [PATCH 52/68] Fix applet loading. Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index eef2f19..1b5a749 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit eef2f190f21b16b3dc982e8806edee0172a76edf +Subproject commit 1b5a7496e174ed32265cb71fc5af334f7dcde869 From 1950b03d3560529ea994f075e6f789c422760ce7 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 21:11:41 +0200 Subject: [PATCH 53/68] Add more pkcs11-tool tests. Signed-off-by: Pol Henarejos --- tests/scripts/pkcs11_test.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/scripts/pkcs11_test.sh b/tests/scripts/pkcs11_test.sh index 0550dc7..6cbd193 100755 --- a/tests/scripts/pkcs11_test.sh +++ b/tests/scripts/pkcs11_test.sh @@ -7,5 +7,11 @@ test $? -eq 0 || exit $? echo -n " Test PKCS11 tool..." gen_and_check rsa:2048 test $? -eq 0 && echo -n "." || exit $? -pkcs11-tool --test -l --pin 648219 > /dev/null 2>&1 -test $? -eq 0 && echo -e ".\t${OK}" || exit $? +e=$(pkcs11-tool --test -l --pin 648219 2>&1) +test $? -eq 0 && echo -n "." || exit $? +grep -q "No errors" <<< $e && echo -n "." || exit $? +pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 +test $? -eq 0 && echo -n "." || exit $? +e=$(pkcs11-tool --test-ec -l --pin 648219 --id 1 --key-type ec:secp256r1 2>&1) +test $? -eq 0 && echo -n "." || exit $? +grep -q "==> OK" <<< $e && echo -e ".\t${OK}" || exit $? From 1bf0d6337bfc0e8925d5f4dbe3dc841f027e5482 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 11 Oct 2023 21:12:06 +0200 Subject: [PATCH 54/68] Added backup and restore tests (pkcs11 wrap/unwrap). Signed-off-by: Pol Henarejos --- tests/scripts/backup.sh | 59 +++++++++++++++++++++++++++++++++++++++++ tests/scripts/pkcs11.sh | 9 ++++++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100755 tests/scripts/backup.sh diff --git a/tests/scripts/backup.sh b/tests/scripts/backup.sh new file mode 100755 index 0000000..396f443 --- /dev/null +++ b/tests/scripts/backup.sh @@ -0,0 +1,59 @@ +#!/bin/bash + +source ./tests/scripts/func.sh +reset +test $? -eq 0 || exit $? + +sc_backup() { + for i in $(seq 1 $1); do + sc-hsm-tool --create-dkek-share dkek.${i}.pbe --password testpw > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + done + sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares $1 > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + pkcs11-tool -l --pin 648219 -I > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + for i in $(seq 1 $1); do + e=$(sc-hsm-tool --pin 648219 --import-dkek-share dkek.${i}.pbe --password testpw 2>&1) + test $? -eq 0 && echo -n "." || exit $? + grep -q "DKEK share imported" <<< $e && echo -n "." || exit $? + grep -q "DKEK shares : $1" <<< $e && echo -n "." || exit $? + if [[ $i -lt $1 ]]; then + grep -q "DKEK import pending, $(( $1 - $i ))" <<< $e && echo -n "." || exit $? + fi + done +} +echo -n " Test single DKEK..." +sc_backup 1 +test $? -eq 0 && echo -e ".\t${OK}" || exit $? + +: ' +echo -n " Test multiple DKEK..." +sc_backup 3 +test $? -eq 0 && echo -e ".\t${OK}" || exit $? + +rm -rf dkek.*.pbe +' + +echo " Test backup and restore" +algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1") +for alg in ${algs[*]}; do + echo -n " Keygen ${alg}..." + gen_and_check ${alg} + test $? -eq 0 && echo -e ".\t${OK}" || exit $? + echo -n " Wrap key..." + sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219 > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + e=$(pkcs15-tool -D 2>&1) + grep -q "Key ref : 10" <<< $e && exit $? || echo -e ".\t${OK}" + echo -n " Unwrap key..." + sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + e=$(pkcs15-tool -D 2>&1) + grep -q "Key ref : 10" <<< $e && echo -e ".\t${OK}" || exit $? + echo -n " Cleaning..." + pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? + pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 + test $? -eq 0 && echo -e ".\t${OK}" || exit $? +done diff --git a/tests/scripts/pkcs11.sh b/tests/scripts/pkcs11.sh index 46ed776..c688fdc 100755 --- a/tests/scripts/pkcs11.sh +++ b/tests/scripts/pkcs11.sh @@ -48,4 +48,11 @@ echo "==== Test PKCS11-tool ====" test $? -eq 0 || { echo -e "\t${FAIL}" exit 1 -} \ No newline at end of file +} + +echo "==== Test backup and restore ====" +./tests/scripts/backup.sh +test $? -eq 0 || { + echo -e "\t${FAIL}" + exit 1 +} From 5d21e39aa646ed3c071578964ffc45fbe0694bc2 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 12 Oct 2023 17:40:20 +0200 Subject: [PATCH 55/68] Fix deleting key domain. It only checks if contains keys and no other files. Signed-off-by: Pol Henarejos --- src/hsm/cmd_key_domain.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/hsm/cmd_key_domain.c b/src/hsm/cmd_key_domain.c index ea31f41..06b329c 100644 --- a/src/hsm/cmd_key_domain.c +++ b/src/hsm/cmd_key_domain.c @@ -23,6 +23,9 @@ uint8_t get_key_domain(file_t *fkey) { size_t tag_len = 0; + if (!file_has_data(fkey)) { + return 0xff; + } const uint8_t *meta_tag = get_meta_tag(fkey, 0x92, &tag_len); if (meta_tag) { return *meta_tag; @@ -94,8 +97,9 @@ int cmd_key_domain() { return SW_WRONG_LENGTH(); } if (p1 == 0x3) { //if key domain is not empty, command is denied - for (int i = 0; i < dynamic_files; i++) { - if (get_key_domain(&dynamic_file[i]) == p2) { + for (int i = 1; i < 256; i++) { + file_t *fkey = search_dynamic_file(KEY_PREFIX << 8 | i); + if (get_key_domain(fkey) == p2) { return SW_FILE_EXISTS(); } } From 2693ab4926ed761a3f1d8e1df750a007c1b6d9fa Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 12 Oct 2023 17:40:56 +0200 Subject: [PATCH 56/68] Fix applet selection. Signed-off-by: Pol Henarejos --- pico-hsm-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-hsm-sdk b/pico-hsm-sdk index 1b5a749..4b099c9 160000 --- a/pico-hsm-sdk +++ b/pico-hsm-sdk @@ -1 +1 @@ -Subproject commit 1b5a7496e174ed32265cb71fc5af334f7dcde869 +Subproject commit 4b099c9d1e90c8c1ee83061a1f32b1489985fbad From 6b1eeb4004156f41fafd4a6bc87e61ec193dff8b Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 12 Oct 2023 17:42:31 +0200 Subject: [PATCH 57/68] Fix DKEK import when no logged. DKEK shall accept import even if it is not logged in. However, to store the DKEK, the PIN is used for MKEK, which is not available if it is nog logged in. I added a queueing system to store a pending DKEK after login. Therefore, to import a DKEK, the user must import it AND call VERIFY command if it is not already logged in. Signed-off-by: Pol Henarejos --- src/hsm/cmd_key_domain.c | 14 ++++++++++---- src/hsm/kek.c | 1 + src/hsm/kek.h | 2 ++ src/hsm/sc_hsm.c | 4 ++++ 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/src/hsm/cmd_key_domain.c b/src/hsm/cmd_key_domain.c index 06b329c..aeecb31 100644 --- a/src/hsm/cmd_key_domain.c +++ b/src/hsm/cmd_key_domain.c @@ -68,10 +68,16 @@ int cmd_key_domain() { } import_dkek_share(p2, apdu.data); if (++current_dkeks >= dkeks) { - if (save_dkek_key(p2, NULL) != CCID_OK) { - /* On fail, it will return to previous dkek state. */ - import_dkek_share(p2, apdu.data); - return SW_FILE_NOT_FOUND(); + int r = save_dkek_key(p2, NULL); + if (r != CCID_OK) { + if (r == CCID_NO_LOGIN) { + pending_save_dkek = p2; + } + else { + /* On fail, it will return to previous dkek state. */ + import_dkek_share(p2, apdu.data); + return SW_FILE_NOT_FOUND(); + } } } uint8_t t[MAX_KEY_DOMAINS * 2]; diff --git a/src/hsm/kek.c b/src/hsm/kek.c index 8b797ed..54cb5c3 100644 --- a/src/hsm/kek.c +++ b/src/hsm/kek.c @@ -36,6 +36,7 @@ extern bool has_session_pin, has_session_sopin; extern uint8_t session_pin[32], session_sopin[32]; uint8_t mkek_mask[MKEK_KEY_SIZE]; bool has_mkek_mask = false; +uint8_t pending_save_dkek = 0xff; #define POLY 0xedb88320 diff --git a/src/hsm/kek.h b/src/hsm/kek.h index e6b5ade..5c85c2f 100644 --- a/src/hsm/kek.h +++ b/src/hsm/kek.h @@ -74,4 +74,6 @@ extern mse_t mse; extern int mse_decrypt_ct(uint8_t *, size_t); +extern uint8_t pending_save_dkek; + #endif diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index a7bfcf2..2fd0fd6 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -407,6 +407,10 @@ int check_pin(const file_t *pin, const uint8_t *data, size_t len) { hash_multi(data, len, session_sopin); has_session_sopin = true; } + if (pending_save_dkek != 0xff) { + save_dkek_key(pending_save_dkek, NULL); + pending_save_dkek = 0xff; + } return SW_OK(); } From 76522829ef0716c91b1f9eaac9c0920ce6c36fa8 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 12 Oct 2023 17:42:49 +0200 Subject: [PATCH 58/68] User must log in after DKEK import. Signed-off-by: Pol Henarejos --- tests/scripts/backup.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/scripts/backup.sh b/tests/scripts/backup.sh index 396f443..09d1d70 100755 --- a/tests/scripts/backup.sh +++ b/tests/scripts/backup.sh @@ -14,7 +14,7 @@ sc_backup() { pkcs11-tool -l --pin 648219 -I > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? for i in $(seq 1 $1); do - e=$(sc-hsm-tool --pin 648219 --import-dkek-share dkek.${i}.pbe --password testpw 2>&1) + e=$(sc-hsm-tool --import-dkek-share dkek.${i}.pbe --password testpw 2>&1) test $? -eq 0 && echo -n "." || exit $? grep -q "DKEK share imported" <<< $e && echo -n "." || exit $? grep -q "DKEK shares : $1" <<< $e && echo -n "." || exit $? @@ -22,18 +22,19 @@ sc_backup() { grep -q "DKEK import pending, $(( $1 - $i ))" <<< $e && echo -n "." || exit $? fi done + # Store DKEK, since it is not logged in + pkcs11-tool -l --pin 648219 -I > /dev/null 2>&1 + test $? -eq 0 && echo -n "." || exit $? } echo -n " Test single DKEK..." sc_backup 1 test $? -eq 0 && echo -e ".\t${OK}" || exit $? -: ' echo -n " Test multiple DKEK..." sc_backup 3 test $? -eq 0 && echo -e ".\t${OK}" || exit $? rm -rf dkek.*.pbe -' echo " Test backup and restore" algs=("rsa:1024" "rsa:2048" "ec:secp192r1" "ec:secp256r1" "ec:secp384r1" "ec:secp521r1" "ec:brainpoolP256r1" "ec:brainpoolP384r1" "ec:brainpoolP512r1" "ec:secp192k1" "ec:secp256k1") From 9dbf4b3172725615bc6b8087ad7548f2fbac687f Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 12 Oct 2023 19:03:37 +0200 Subject: [PATCH 59/68] Removing pkcs11-tool test for EC. Signed-off-by: Pol Henarejos --- tests/scripts/pkcs11_test.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/scripts/pkcs11_test.sh b/tests/scripts/pkcs11_test.sh index 6cbd193..1f8b197 100755 --- a/tests/scripts/pkcs11_test.sh +++ b/tests/scripts/pkcs11_test.sh @@ -11,7 +11,7 @@ e=$(pkcs11-tool --test -l --pin 648219 2>&1) test $? -eq 0 && echo -n "." || exit $? grep -q "No errors" <<< $e && echo -n "." || exit $? pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 -test $? -eq 0 && echo -n "." || exit $? -e=$(pkcs11-tool --test-ec -l --pin 648219 --id 1 --key-type ec:secp256r1 2>&1) -test $? -eq 0 && echo -n "." || exit $? -grep -q "==> OK" <<< $e && echo -e ".\t${OK}" || exit $? +test $? -eq 0 && echo -e ".\t${OK}" || exit $? +#e=$(pkcs11-tool --test-ec -l --pin 648219 --id 1 --key-type ec:secp256r1 2>&1) +#test $? -eq 0 && echo -n "." || exit $? +#grep -q "==> OK" <<< $e && echo -e ".\t${OK}" || exit $? From 652a0f0d21a461ade4188b235b72372adf92460b Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 12 Oct 2023 21:04:02 +0200 Subject: [PATCH 60/68] Fix managing spaces. Signed-off-by: Pol Henarejos --- tests/scripts/backup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/backup.sh b/tests/scripts/backup.sh index 09d1d70..84a3d29 100755 --- a/tests/scripts/backup.sh +++ b/tests/scripts/backup.sh @@ -17,7 +17,7 @@ sc_backup() { e=$(sc-hsm-tool --import-dkek-share dkek.${i}.pbe --password testpw 2>&1) test $? -eq 0 && echo -n "." || exit $? grep -q "DKEK share imported" <<< $e && echo -n "." || exit $? - grep -q "DKEK shares : $1" <<< $e && echo -n "." || exit $? + grep -q "DKEK shares[[:blank:]]*: $1" <<< $e && echo -n "." || exit $? if [[ $i -lt $1 ]]; then grep -q "DKEK import pending, $(( $1 - $i ))" <<< $e && echo -n "." || exit $? fi @@ -46,12 +46,12 @@ for alg in ${algs[*]}; do sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219 > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? e=$(pkcs15-tool -D 2>&1) - grep -q "Key ref : 10" <<< $e && exit $? || echo -e ".\t${OK}" + grep -q "Key ref[[:blank:]]*: 10" <<< $e && exit $? || echo -e ".\t${OK}" echo -n " Unwrap key..." sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? e=$(pkcs15-tool -D 2>&1) - grep -q "Key ref : 10" <<< $e && echo -e ".\t${OK}" || exit $? + grep -q "Key ref[[:blank:]]*: 10" <<< $e && echo -e ".\t${OK}" || exit $? echo -n " Cleaning..." pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1 > /dev/null 2>&1 test $? -eq 0 && echo -n "." || exit $? From b6831a46508ae5e0a10494bc5f9a76f4d6627a23 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 14:20:19 +0100 Subject: [PATCH 61/68] Rename pico-hsm-sdk submodule to new name. Signed-off-by: Pol Henarejos --- .gitmodules | 2 +- pico-hsm-sdk => pico-keys-sdk | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename pico-hsm-sdk => pico-keys-sdk (100%) diff --git a/.gitmodules b/.gitmodules index 6e06e69..5609c7f 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "pico-hsm-sdk"] - path = pico-hsm-sdk + path = pico-keys-sdk url = ../pico-hsm-sdk diff --git a/pico-hsm-sdk b/pico-keys-sdk similarity index 100% rename from pico-hsm-sdk rename to pico-keys-sdk From cc19f8f061327ad41d8431c14297b3ab14cbbed9 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 14:20:39 +0100 Subject: [PATCH 62/68] Use new pico-keys-sdk submodule. Signed-off-by: Pol Henarejos --- .gitmodules | 4 ++-- pico-keys-sdk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitmodules b/.gitmodules index 5609c7f..852c02c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ -[submodule "pico-hsm-sdk"] +[submodule "pico-keys-sdk"] path = pico-keys-sdk - url = ../pico-hsm-sdk + url = https://github.com/polhenarejos/pico-keys-sdk diff --git a/pico-keys-sdk b/pico-keys-sdk index 4b099c9..09276f7 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 4b099c9d1e90c8c1ee83061a1f32b1489985fbad +Subproject commit 09276f7117beb7a2f52e65cc601b9153e7b59ca1 From ed2925cfb6c81c47a124f4467cd09945e7e99908 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 14:25:42 +0100 Subject: [PATCH 63/68] Use new Pico Keys SDK. Signed-off-by: Pol Henarejos --- CMakeLists.txt | 4 ++-- src/hsm/cmd_derive_asym.c | 2 +- src/hsm/cmd_initialize.c | 6 +++--- src/hsm/cmd_key_gen.c | 8 ++++---- src/hsm/cmd_key_unwrap.c | 22 +++++++++++----------- src/hsm/cmd_key_wrap.c | 14 +++++++------- src/hsm/cmd_keypair_gen.c | 8 ++++---- src/hsm/cvc.c | 38 +++++++++++++++++++------------------- src/hsm/kek.c | 32 ++++++++++++++++---------------- src/hsm/sc_hsm.c | 16 ++++++++-------- src/hsm/sc_hsm.h | 2 +- 11 files changed, 76 insertions(+), 76 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5f97c09..8cc8556 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -77,7 +77,7 @@ set(SOURCES ${SOURCES} ) set(USB_ITF_CCID 1) -include(pico-hsm-sdk/pico_hsm_sdk_import.cmake) +include(pico-keys-sdk/pico_keys_sdk_import.cmake) set(INCLUDES ${INCLUDES} ${CMAKE_CURRENT_LIST_DIR}/src/hsm @@ -109,5 +109,5 @@ endif (APPLE) else() pico_add_extra_outputs(pico_hsm) -target_link_libraries(pico_hsm PRIVATE pico_hsm_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board) +target_link_libraries(pico_hsm PRIVATE pico_keys_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board) endif() diff --git a/src/hsm/cmd_derive_asym.c b/src/hsm/cmd_derive_asym.c index 700a5f1..ff59009 100644 --- a/src/hsm/cmd_derive_asym.c +++ b/src/hsm/cmd_derive_asym.c @@ -88,7 +88,7 @@ int cmd_derive_asym() { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); } - r = store_keys(&ctx, HSM_KEY_EC, dest_id); + r = store_keys(&ctx, PICO_KEYS_KEY_EC, dest_id); if (r != CCID_OK) { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); diff --git a/src/hsm/cmd_initialize.c b/src/hsm/cmd_initialize.c index 06b1082..8dd45c1 100644 --- a/src/hsm/cmd_initialize.c +++ b/src/hsm/cmd_initialize.c @@ -187,13 +187,13 @@ int cmd_initialize() { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } - ret = store_keys(&ecdsa, HSM_KEY_EC, key_id); + ret = store_keys(&ecdsa, PICO_KEYS_KEY_EC, key_id); if (ret != CCID_OK) { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } size_t cvc_len = 0; - if ((cvc_len = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { + if ((cvc_len = asn1_cvc_aut(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } @@ -205,7 +205,7 @@ int cmd_initialize() { return SW_EXEC_ERROR(); } - if ((cvc_len = asn1_cvc_cert(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0, true)) == 0) { + if ((cvc_len = asn1_cvc_cert(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0, true)) == 0) { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } diff --git a/src/hsm/cmd_key_gen.c b/src/hsm/cmd_key_gen.c index 78846be..9389cb7 100644 --- a/src/hsm/cmd_key_gen.c +++ b/src/hsm/cmd_key_gen.c @@ -44,16 +44,16 @@ int cmd_key_gen() { memcpy(aes_key, random_bytes_get(key_size), key_size); int aes_type = 0x0; if (key_size == 16) { - aes_type = HSM_KEY_AES_128; + aes_type = PICO_KEYS_KEY_AES_128; } else if (key_size == 24) { - aes_type = HSM_KEY_AES_192; + aes_type = PICO_KEYS_KEY_AES_192; } else if (key_size == 32) { - aes_type = HSM_KEY_AES_256; + aes_type = PICO_KEYS_KEY_AES_256; } else if (key_size == 64) { - aes_type = HSM_KEY_AES_512; + aes_type = PICO_KEYS_KEY_AES_512; } r = store_keys(aes_key, aes_type, key_id); if (r != CCID_OK) { diff --git a/src/hsm/cmd_key_unwrap.c b/src/hsm/cmd_key_unwrap.c index bfbae74..83b765b 100644 --- a/src/hsm/cmd_key_unwrap.c +++ b/src/hsm/cmd_key_unwrap.c @@ -35,7 +35,7 @@ int cmd_key_unwrap() { if (key_type == 0x0) { return SW_DATA_INVALID(); } - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { mbedtls_rsa_context ctx; mbedtls_rsa_init(&ctx); do { @@ -45,8 +45,8 @@ int cmd_key_unwrap() { mbedtls_rsa_free(&ctx); return SW_EXEC_ERROR(); } - r = store_keys(&ctx, HSM_KEY_RSA, key_id); - if ((res_APDU_size = asn1_cvc_aut(&ctx, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { + r = store_keys(&ctx, PICO_KEYS_KEY_RSA, key_id); + if ((res_APDU_size = asn1_cvc_aut(&ctx, PICO_KEYS_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { mbedtls_rsa_free(&ctx); return SW_EXEC_ERROR(); } @@ -57,7 +57,7 @@ int cmd_key_unwrap() { } prkd_len = asn1_build_prkd_ecc(NULL, 0, NULL, 0, key_size * 8, prkd_buf, sizeof(prkd_buf)); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { mbedtls_ecdsa_context ctx; mbedtls_ecdsa_init(&ctx); do { @@ -67,8 +67,8 @@ int cmd_key_unwrap() { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); } - r = store_keys(&ctx, HSM_KEY_EC, key_id); - if ((res_APDU_size = asn1_cvc_aut(&ctx, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { + r = store_keys(&ctx, PICO_KEYS_KEY_EC, key_id); + if ((res_APDU_size = asn1_cvc_aut(&ctx, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); } @@ -79,7 +79,7 @@ int cmd_key_unwrap() { } prkd_len = asn1_build_prkd_ecc(NULL, 0, NULL, 0, key_size, prkd_buf, sizeof(prkd_buf)); } - else if (key_type & HSM_KEY_AES) { + else if (key_type & PICO_KEYS_KEY_AES) { uint8_t aes_key[64]; int key_size = 0, aes_type = 0; do { @@ -95,16 +95,16 @@ int cmd_key_unwrap() { return SW_EXEC_ERROR(); } if (key_size == 64) { - aes_type = HSM_KEY_AES_512; + aes_type = PICO_KEYS_KEY_AES_512; } else if (key_size == 32) { - aes_type = HSM_KEY_AES_256; + aes_type = PICO_KEYS_KEY_AES_256; } else if (key_size == 24) { - aes_type = HSM_KEY_AES_192; + aes_type = PICO_KEYS_KEY_AES_192; } else if (key_size == 16) { - aes_type = HSM_KEY_AES_128; + aes_type = PICO_KEYS_KEY_AES_128; } else { return SW_EXEC_ERROR(); diff --git a/src/hsm/cmd_key_wrap.c b/src/hsm/cmd_key_wrap.c index d9cbf8f..938f543 100644 --- a/src/hsm/cmd_key_wrap.c +++ b/src/hsm/cmd_key_wrap.c @@ -67,7 +67,7 @@ int cmd_key_wrap() { } return SW_EXEC_ERROR(); } - r = dkek_encode_key(kdom, &ctx, HSM_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len); + r = dkek_encode_key(kdom, &ctx, PICO_KEYS_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len); mbedtls_rsa_free(&ctx); } else if (*dprkd == P15_KEYTYPE_ECC) { @@ -81,7 +81,7 @@ int cmd_key_wrap() { } return SW_EXEC_ERROR(); } - r = dkek_encode_key(kdom, &ctx, HSM_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len); + r = dkek_encode_key(kdom, &ctx, PICO_KEYS_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len); mbedtls_ecdsa_free(&ctx); } else if (*dprkd == P15_KEYTYPE_AES) { @@ -90,22 +90,22 @@ int cmd_key_wrap() { return SW_SECURE_MESSAGE_EXEC_ERROR(); } - int key_size = file_get_size(ef), aes_type = HSM_KEY_AES; + int key_size = file_get_size(ef), aes_type = PICO_KEYS_KEY_AES; memcpy(kdata, file_get_data(ef), key_size); if (mkek_decrypt(kdata, key_size) != 0) { return SW_EXEC_ERROR(); } if (key_size == 64) { - aes_type = HSM_KEY_AES_512; + aes_type = PICO_KEYS_KEY_AES_512; } else if (key_size == 32) { - aes_type = HSM_KEY_AES_256; + aes_type = PICO_KEYS_KEY_AES_256; } else if (key_size == 24) { - aes_type = HSM_KEY_AES_192; + aes_type = PICO_KEYS_KEY_AES_192; } else if (key_size == 16) { - aes_type = HSM_KEY_AES_128; + aes_type = PICO_KEYS_KEY_AES_128; } r = dkek_encode_key(kdom, kdata, aes_type, res_APDU, &wrap_len, meta_tag, tag_len); mbedtls_platform_zeroize(kdata, sizeof(kdata)); diff --git a/src/hsm/cmd_keypair_gen.c b/src/hsm/cmd_keypair_gen.c index 638b950..25a4dd0 100644 --- a/src/hsm/cmd_keypair_gen.c +++ b/src/hsm/cmd_keypair_gen.c @@ -69,10 +69,10 @@ int cmd_keypair_gen() { return SW_EXEC_ERROR(); } if ((res_APDU_size = - asn1_cvc_aut(&rsa, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { + asn1_cvc_aut(&rsa, PICO_KEYS_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { return SW_EXEC_ERROR(); } - ret = store_keys(&rsa, HSM_KEY_RSA, key_id); + ret = store_keys(&rsa, PICO_KEYS_KEY_RSA, key_id); if (ret != CCID_OK) { mbedtls_rsa_free(&rsa); return SW_EXEC_ERROR(); @@ -133,7 +133,7 @@ int cmd_keypair_gen() { } } if ((res_APDU_size = - asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) { + asn1_cvc_aut(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) { if (ext) { free(ext); } @@ -143,7 +143,7 @@ int cmd_keypair_gen() { if (ext) { free(ext); } - ret = store_keys(&ecdsa, HSM_KEY_EC, key_id); + ret = store_keys(&ecdsa, PICO_KEYS_KEY_EC, key_id); mbedtls_ecdsa_free(&ecdsa); if (ret != CCID_OK) { return SW_EXEC_ERROR(); diff --git a/src/hsm/cvc.c b/src/hsm/cvc.c index 9e1a932..93434a5 100644 --- a/src/hsm/cvc.c +++ b/src/hsm/cvc.c @@ -165,10 +165,10 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, size_t ext_len, bool full) { size_t pubkey_size = 0; - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { pubkey_size = asn1_cvc_public_key_ecdsa(rsa_ecdsa, NULL, 0); } size_t cpi_size = 4, ext_size = 0, role_size = 0, valid_size = 0; @@ -221,10 +221,10 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, //car *p++ = 0x42; p += format_tlv_len(lencar, p); memcpy(p, car, lencar); p += lencar; //pubkey - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { p += asn1_cvc_public_key_rsa(rsa_ecdsa, p, pubkey_size); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { p += asn1_cvc_public_key_ecdsa(rsa_ecdsa, p, pubkey_size); } //chr @@ -265,10 +265,10 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, size_t ext_len, bool full) { size_t key_size = 0; - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { key_size = mbedtls_mpi_size(&((mbedtls_rsa_context *) rsa_ecdsa)->N); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { key_size = 2 * (int)((mbedtls_ecp_curve_info_from_grp_id(((mbedtls_ecdsa_context *) rsa_ecdsa)->grp.id)->bit_size + 7) / 8); } size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len, full), sig_size = asn1_len_tag(0x5f37, key_size); @@ -288,13 +288,13 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, hash256(body, body_size, hsh); memcpy(p, "\x5F\x37", 2); p += 2; p += format_tlv_len(key_size, p); - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { if (mbedtls_rsa_rsassa_pkcs1_v15_sign(rsa_ecdsa, random_gen, NULL, MBEDTLS_MD_SHA256, 32, hsh, p) != 0) { memset(p, 0, key_size); } p += key_size; } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { mbedtls_mpi r, s; int ret = 0; mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) rsa_ecdsa; @@ -440,17 +440,17 @@ size_t asn1_build_prkd_generic(const uint8_t *label, size_t seq_len = 0; const uint8_t *seq = NULL; uint8_t first_tag = 0x0; - if (key_type & HSM_KEY_EC) { + if (key_type & PICO_KEYS_KEY_EC) { seq = (const uint8_t *)"\x07\x20\x80"; seq_len = 3; first_tag = 0xA0; } - else if (key_type & HSM_KEY_RSA) { + else if (key_type & PICO_KEYS_KEY_RSA) { seq = (const uint8_t *)"\x02\x74"; seq_len = 2; first_tag = 0x30; } - else if (key_type & HSM_KEY_AES) { + else if (key_type & PICO_KEYS_KEY_AES) { seq = (const uint8_t *)"\x07\xC0\x10"; seq_len = 3; first_tag = 0xA8; @@ -459,10 +459,10 @@ size_t asn1_build_prkd_generic(const uint8_t *label, size_t seq2_size = asn1_len_tag(0x30, asn1_len_tag(0x4, keyid_len) + asn1_len_tag(0x3, seq_len)); size_t seq3_size = 0, seq4_size = 0; - if (key_type & HSM_KEY_EC || key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) { seq4_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0)) + asn1_len_tag(0x2, 2))); } - else if (key_type & HSM_KEY_AES) { + else if (key_type & PICO_KEYS_KEY_AES) { seq3_size = asn1_len_tag(0xA0, asn1_len_tag(0x30, asn1_len_tag(0x2, 2))); seq4_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0)))); } @@ -494,7 +494,7 @@ size_t asn1_build_prkd_generic(const uint8_t *label, memcpy(p, seq, seq_len); p += seq_len; //Seq 3 - if (key_type & HSM_KEY_AES) { + if (key_type & PICO_KEYS_KEY_AES) { *p++ = 0xA0; p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x2, 2)), p); *p++ = 0x30; @@ -508,7 +508,7 @@ size_t asn1_build_prkd_generic(const uint8_t *label, //Seq 4 *p++ = 0xA1; size_t inseq4_len = asn1_len_tag(0x30, asn1_len_tag(0x4, 0)); - if (key_type & HSM_KEY_EC || key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) { inseq4_len += asn1_len_tag(0x2, 2); } p += format_tlv_len(asn1_len_tag(0x30, inseq4_len), p); @@ -518,7 +518,7 @@ size_t asn1_build_prkd_generic(const uint8_t *label, p += format_tlv_len(asn1_len_tag(0x4, 0), p); *p++ = 0x4; p += format_tlv_len(0, p); - if (key_type & HSM_KEY_EC || key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) { *p++ = 0x2; p += format_tlv_len(2, p); *p++ = (keysize >> 8) & 0xff; @@ -539,7 +539,7 @@ size_t asn1_build_prkd_ecc(const uint8_t *label, keyid, keyid_len, keysize, - HSM_KEY_EC, + PICO_KEYS_KEY_EC, buf, buf_len); } @@ -556,7 +556,7 @@ size_t asn1_build_prkd_rsa(const uint8_t *label, keyid, keyid_len, keysize, - HSM_KEY_RSA, + PICO_KEYS_KEY_RSA, buf, buf_len); } @@ -573,7 +573,7 @@ size_t asn1_build_prkd_aes(const uint8_t *label, keyid, keyid_len, keysize, - HSM_KEY_AES, + PICO_KEYS_KEY_AES, buf, buf_len); } diff --git a/src/hsm/kek.c b/src/hsm/kek.c index 54cb5c3..2144c1e 100644 --- a/src/hsm/kek.c +++ b/src/hsm/kek.c @@ -287,7 +287,7 @@ int dkek_encode_key(uint8_t id, size_t *out_len, const uint8_t *allowed, size_t allowed_len) { - if (!(key_type & HSM_KEY_RSA) && !(key_type & HSM_KEY_EC) && !(key_type & HSM_KEY_AES)) { + if (!(key_type & PICO_KEYS_KEY_RSA) && !(key_type & PICO_KEYS_KEY_EC) && !(key_type & PICO_KEYS_KEY_AES)) { return CCID_WRONG_DATA; } @@ -317,17 +317,17 @@ int dkek_encode_key(uint8_t id, return r; } - if (key_type & HSM_KEY_AES) { - if (key_type & HSM_KEY_AES_128) { + if (key_type & PICO_KEYS_KEY_AES) { + if (key_type & PICO_KEYS_KEY_AES_128) { kb_len = 16; } - else if (key_type & HSM_KEY_AES_192) { + else if (key_type & PICO_KEYS_KEY_AES_192) { kb_len = 24; } - else if (key_type & HSM_KEY_AES_256) { + else if (key_type & PICO_KEYS_KEY_AES_256) { kb_len = 32; } - else if (key_type & HSM_KEY_AES_512) { + else if (key_type & PICO_KEYS_KEY_AES_512) { kb_len = 64; } @@ -345,7 +345,7 @@ int dkek_encode_key(uint8_t id, algo = (uint8_t *) "\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01"; //2.16.840.1.101.3.4.1 (2+8) algo_len = 10; } - else if (key_type & HSM_KEY_RSA) { + else if (key_type & PICO_KEYS_KEY_RSA) { if (*out_len < 8 + 1 + 12 + 6 + (8 + 2 * 4 + 2 * 4096 / 8 + 3 + 13) + 16) { //13 bytes pading return CCID_WRONG_LENGTH; } @@ -366,7 +366,7 @@ int dkek_encode_key(uint8_t id, algo = (uint8_t *) "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02"; algo_len = 12; } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { if (*out_len < 8 + 1 + 12 + 6 + (8 + 2 * 8 + 9 * 66 + 2 + 4) + 16) { //4 bytes pading return CCID_WRONG_LENGTH; } @@ -418,13 +418,13 @@ int dkek_encode_key(uint8_t id, memcpy(out + *out_len, kcv, 8); *out_len += 8; - if (key_type & HSM_KEY_AES) { + if (key_type & PICO_KEYS_KEY_AES) { out[*out_len] = 15; } - else if (key_type & HSM_KEY_RSA) { + else if (key_type & PICO_KEYS_KEY_RSA) { out[*out_len] = 5; } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { out[*out_len] = 12; } *out_len += 1; @@ -458,7 +458,7 @@ int dkek_encode_key(uint8_t id, if (kb_len < kb_len_pad) { kb[kb_len] = 0x80; } - r = aes_encrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, kb_len_pad); + r = aes_encrypt(kenc, NULL, 256, PICO_KEYS_AES_MODE_CBC, kb, kb_len_pad); if (r != CCID_OK) { return r; } @@ -482,13 +482,13 @@ int dkek_encode_key(uint8_t id, int dkek_type_key(const uint8_t *in) { if (in[8] == 5 || in[8] == 6) { - return HSM_KEY_RSA; + return PICO_KEYS_KEY_RSA; } else if (in[8] == 12) { - return HSM_KEY_EC; + return PICO_KEYS_KEY_EC; } else if (in[8] == 15) { - return HSM_KEY_AES; + return PICO_KEYS_KEY_AES; } return 0x0; } @@ -585,7 +585,7 @@ int dkek_decode_key(uint8_t id, uint8_t kb[8 + 2 * 4 + 2 * 4096 / 8 + 3 + 13]; //worst case: RSA-4096 (plus, 13 bytes padding) memset(kb, 0, sizeof(kb)); memcpy(kb, in + ofs, in_len - 16 - ofs); - r = aes_decrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, in_len - 16 - ofs); + r = aes_decrypt(kenc, NULL, 256, PICO_KEYS_AES_MODE_CBC, kb, in_len - 16 - ofs); if (r != CCID_OK) { return r; } diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index 2fd0fd6..2380839 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -24,7 +24,7 @@ #include "eac.h" #include "cvc.h" #include "asn1.h" -#include "hsm.h" +#include "pico_keys.h" #include "usb.h" #include "random.h" @@ -496,30 +496,30 @@ uint32_t decrement_key_counter(file_t *fkey) { int store_keys(void *key_ctx, int type, uint8_t key_id) { int r, key_size = 0; uint8_t kdata[4096 / 8]; // worst case - if (type & HSM_KEY_RSA) { + if (type & PICO_KEYS_KEY_RSA) { mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx; key_size = mbedtls_mpi_size(&rsa->P) + mbedtls_mpi_size(&rsa->Q); mbedtls_mpi_write_binary(&rsa->P, kdata, key_size / 2); mbedtls_mpi_write_binary(&rsa->Q, kdata + key_size / 2, key_size / 2); } - else if (type & HSM_KEY_EC) { + else if (type & PICO_KEYS_KEY_EC) { mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) key_ctx; key_size = mbedtls_mpi_size(&ecdsa->d); kdata[0] = ecdsa->grp.id & 0xff; mbedtls_ecp_write_key(ecdsa, kdata + 1, key_size); key_size++; } - else if (type & HSM_KEY_AES) { - if (type == HSM_KEY_AES_128) { + else if (type & PICO_KEYS_KEY_AES) { + if (type == PICO_KEYS_KEY_AES_128) { key_size = 16; } - else if (type == HSM_KEY_AES_192) { + else if (type == PICO_KEYS_KEY_AES_192) { key_size = 24; } - else if (type == HSM_KEY_AES_256) { + else if (type == PICO_KEYS_KEY_AES_256) { key_size = 32; } - else if (type == HSM_KEY_AES_512) { + else if (type == PICO_KEYS_KEY_AES_512) { key_size = 64; } memcpy(kdata, key_ctx, key_size); diff --git a/src/hsm/sc_hsm.h b/src/hsm/sc_hsm.h index e80de37..9a7b194 100644 --- a/src/hsm/sc_hsm.h +++ b/src/hsm/sc_hsm.h @@ -27,7 +27,7 @@ #endif #include "file.h" #include "apdu.h" -#include "hsm.h" +#include "pico_keys.h" extern const uint8_t sc_hsm_aid[]; From 88ff27f354c222696daa7284c4d6c8adcc81db94 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 17:01:27 +0100 Subject: [PATCH 64/68] Fix mbedTLS 3.5 build. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- src/hsm/cmd_cipher_sym.c | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 09276f7..6069911 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 09276f7117beb7a2f52e65cc601b9153e7b59ca1 +Subproject commit 6069911be0bf91844a174a1d69e2539e81145fe6 diff --git a/src/hsm/cmd_cipher_sym.c b/src/hsm/cmd_cipher_sym.c index adddcb7..68a1f36 100644 --- a/src/hsm/cmd_cipher_sym.c +++ b/src/hsm/cmd_cipher_sym.c @@ -412,20 +412,21 @@ int cmd_cipher_sym() { res_APDU_size = keylen ? keylen : (apdu.ne > 0 && apdu.ne < 65536 ? apdu.ne : 32); } else if (memcmp(oid, OID_PKCS5_PBES2, oid_len) == 0) { + size_t olen = 0; mbedtls_asn1_buf params = - { .p = aad, .len = aad_len, .tag = (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) }; - int r = mbedtls_pkcs5_pbes2(¶ms, + {.p = aad, .len = aad_len, .tag = (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)}; + int r = mbedtls_pkcs5_pbes2_ext(¶ms, algo == ALGO_EXT_CIPHER_ENCRYPT ? MBEDTLS_PKCS5_ENCRYPT : MBEDTLS_PKCS5_DECRYPT, kdata, key_size, enc, enc_len, - res_APDU); + res_APDU, 4096, &olen); mbedtls_platform_zeroize(kdata, sizeof(kdata)); if (r != 0) { return SW_WRONG_DATA(); } - res_APDU_size = enc_len; + res_APDU_size = olen; } else if (memcmp(oid, OID_KDF_X963, oid_len) == 0) { mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1; From a3bf2e9e141df3f0a75e122aa7af4e2c0fce8f16 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 17:10:19 +0100 Subject: [PATCH 65/68] If no key is found, generate a new one. Signed-off-by: Pol Henarejos --- tools/secure_key/macos.py | 4 +++- tools/secure_key/windows.py | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/secure_key/macos.py b/tools/secure_key/macos.py index ded5eda..a20e3d8 100644 --- a/tools/secure_key/macos.py +++ b/tools/secure_key/macos.py @@ -51,7 +51,9 @@ def get_secure_key(): try: backend = get_backend(False) key = backend.get_password(DOMAIN, USERNAME)[0] - except keyring.errors.KeyringError: + if (key is None): + raise TypeError + except (keyring.errors.KeyringError, TypeError): try: key = generate_secure_key(False)[0] # It should be True, but secure enclave causes python segfault except keyring.errors.PasswordSetError: diff --git a/tools/secure_key/windows.py b/tools/secure_key/windows.py index 3f26a79..79bec21 100644 --- a/tools/secure_key/windows.py +++ b/tools/secure_key/windows.py @@ -39,6 +39,8 @@ def get_secure_key(): key = None try: key = keyring.get_password(DOMAIN, USERNAME) - except keyring.errors.KeyringError: + if (key is None): + raise TypeError + except (keyring.errors.KeyringError, TypeError): key = generate_secure_key() return get_d(key.encode()) From 3ccff7881fdce7a1ee0477a4e2062dbd5bee7e98 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 17:25:04 +0100 Subject: [PATCH 66/68] Upgrade to Pico Keys SDK 5. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 6069911..f0687c1 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 6069911be0bf91844a174a1d69e2539e81145fe6 +Subproject commit f0687c1ef392c2bcb293ea554f1dd8b784484922 From 1b0d23cf24bf97d3a40fde3dcc2d6263720ec0ce Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 17:26:24 +0100 Subject: [PATCH 67/68] Add two new boards. Signed-off-by: Pol Henarejos --- build_pico_hsm.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build_pico_hsm.sh b/build_pico_hsm.sh index 4c716e9..0fc80e5 100755 --- a/build_pico_hsm.sh +++ b/build_pico_hsm.sh @@ -17,6 +17,7 @@ for board in adafruit_feather_rp2040 \ eetree_gamekit_rp2040 \ garatronic_pybstick26_rp2040 \ melopero_shake_rp2040 \ + nullbits_bit_c_pro \ pico \ pico_w \ pimoroni_badger2040 \ @@ -31,6 +32,7 @@ for board in adafruit_feather_rp2040 \ pimoroni_servo2040 \ pimoroni_tiny2040 \ pimoroni_tiny2040_2mb \ + pololu_3pi_2040_robot \ seeed_xiao_rp2040 \ solderparty_rp2040_stamp \ solderparty_rp2040_stamp_carrier \ From 98e9b72b42a128d5cc2bd74dedb742a59662ccc0 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 17:26:43 +0100 Subject: [PATCH 68/68] Upgrade version to 3.6. Signed-off-by: Pol Henarejos --- build_pico_hsm.sh | 2 +- src/hsm/version.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build_pico_hsm.sh b/build_pico_hsm.sh index 0fc80e5..aa6a112 100755 --- a/build_pico_hsm.sh +++ b/build_pico_hsm.sh @@ -1,7 +1,7 @@ #!/bin/bash VERSION_MAJOR="3" -VERSION_MINOR="2" +VERSION_MINOR="6" rm -rf release/* cd build_release diff --git a/src/hsm/version.h b/src/hsm/version.h index 8161144..43be6a3 100644 --- a/src/hsm/version.h +++ b/src/hsm/version.h @@ -18,7 +18,7 @@ #ifndef __VERSION_H_ #define __VERSION_H_ -#define HSM_VERSION 0x0304 +#define HSM_VERSION 0x0306 #define HSM_VERSION_MAJOR ((HSM_VERSION >> 8) & 0xff) #define HSM_VERSION_MINOR (HSM_VERSION & 0xff)