From bbbf28cb42cc48a57642bd6bd95d128f9df1a54a Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Wed, 18 Mar 2026 14:26:43 +0100
Subject: [PATCH] Fix ACL for static files.
Signed-off-by: Pol Henarejos
---
 pico-keys-sdk | 2 +-
 src/hsm/files.c | 306 +++++++++++++++++++++++++++++++++++-------------
 2 files changed, 225 insertions(+), 83 deletions(-)
diff --git a/pico-keys-sdk b/pico-keys-sdk
index 39c3339..0df1914 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 39c3339b38b4adce642ba9a0013e4f3eba0919ee
+Subproject commit 0df1914cdee0e31969a0127b0fcf20ab884384e6
diff --git a/src/hsm/files.c b/src/hsm/files.c
index 012a652..545cfb4 100644
--- a/src/hsm/files.c
+++ b/src/hsm/files.c
@@ -22,88 +22,230 @@ extern int parse_token_info(const file_t *f, int mode);
 extern int parse_ef_dir(const file_t *f, int mode);
 file_t file_entries[] = {
- /* 0 */ { .fid = 0x3f00, .parent = 0xff, .name = NULL, .type = FILE_TYPE_DF, .data = NULL,
- .ef_structure = 0, .acl = { 0 } }, // MF
- /* 1 */ { .fid = 0x2f00, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_ef_dir,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.DIR
- /* 2 */ { .fid = 0x2f01, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.ATR
- /* 3 */ { .fid = EF_TERMCA, .parent = 0, .name = NULL,
- .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.GDO
- /* 4 */ { .fid = 0x2f03, .parent = 5, .name = NULL,
- .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC, .data = (uint8_t *) parse_token_info,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.TokenInfo
- /* 5 */ { .fid = 0x5015, .parent = 0, .name = NULL, .type = FILE_TYPE_DF, .data = NULL,
- .ef_structure = 0, .acl = { 0 } }, //DF.PKCS15
- /* 6 */ { .fid = 0x5031, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.ODF
- /* 7 */ { .fid = 0x5032, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.TokenInfo
- /* 8 */ { .fid = 0x5033, .parent = 0, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.UnusedSpace
- /* 9 */ { .fid = EF_PIN1, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //PIN (PIN1)
- /* 10 */ { .fid = EF_PIN1_MAX_RETRIES, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //max retries PIN (PIN1)
- /* 11 */ { .fid = EF_PIN1_RETRIES, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //retries PIN (PIN1)
- /* 12 */ { .fid = EF_SOPIN, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //PIN (SOPIN)
- /* 13 */ { .fid = EF_SOPIN_MAX_RETRIES, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //max retries PIN (SOPIN)
- /* 14 */ { .fid = EF_SOPIN_RETRIES, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //retries PIN (SOPIN)
- /* 15 */ { .fid = EF_DEVOPS, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //Device options
- /* 16 */ { .fid = EF_PRKDFS, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.PrKDFs
- /* 17 */ { .fid = EF_PUKDFS, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.PuKDFs
- /* 18 */ { .fid = EF_CDFS, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.CDFs
- /* 19 */ { .fid = EF_AODFS, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.AODFs
- /* 20 */ { .fid = EF_DODFS, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.DODFs
- /* 21 */ { .fid = EF_SKDFS, .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } }, //EF.SKDFs
- /* 22 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //Key domain options
- /* 23 */ { .fid = EF_META, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //EF.CDFs
- /* 24 */ { .fid = EF_PUKAUT, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //Public Key Authentication
- /* 25 */ { .fid = EF_KEY_DEV, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //Device Key
- /* 26 */ { .fid = EF_PRKD_DEV, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //PrKD Device
- /* 27 */ { .fid = EF_EE_DEV, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //End Entity Certificate Device
- /* 28 */ { .fid = EF_MKEK, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //MKEK
- /* 29 */ { .fid = EF_MKEK_SO, .parent = 5, .name = NULL,
- .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT, .data = NULL,
- .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0xff } }, //MKEK with SO-PIN
- ///* 30 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
- /* 31 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF,
- .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = { 0 } },
- /* 32 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_NOT_KNOWN, .data = NULL,
- .ef_structure = 0, .acl = { 0 } } //end
+ /* 0 */ { .fid = 0x3f00, // MF
+ .parent = 0xff,
+ .name = NULL,
+ .type = FILE_TYPE_DF,
+ .data = NULL,
+ .ef_structure = 0,
+ .acl = ACL_ALL },
+ /* 1 */ { .fid = 0x2f00, //EF.DIR
+ .parent = 0,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,
+ .data = (uint8_t *) parse_ef_dir,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 2 */ { .fid = 0x2f01, // EF.ATR
+ .parent = 0,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 3 */ { .fid = EF_TERMCA, // EF.GDO
+ .parent = 0,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 4 */ { .fid = 0x2f03, // EF.TokenInfo
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF | FILE_DATA_FUNC,
+ .data = (uint8_t *) parse_token_info,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 5 */ { .fid = 0x5015, // DF.PKCS15
+ .parent = 0,
+ .name = NULL,
+ .type = FILE_TYPE_DF,
+ .data = NULL,
+ .ef_structure = 0,
+ .acl = ACL_ALL },
+ /* 6 */ { .fid = 0x5031, // EF.ODF
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 7 */ { .fid = 0x5032, // EF.TokenInfo
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 8 */ { .fid = 0x5033, // EF.UnusedSpace
+ .parent = 0,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 9 */ { .fid = EF_PIN1, // PIN (PIN1)
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 10 */ { .fid = EF_PIN1_MAX_RETRIES, // max retries PIN (PIN1)
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 11 */ { .fid = EF_PIN1_RETRIES, // retries PIN (PIN1)
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 12 */ { .fid = EF_SOPIN, // PIN (SOPIN)
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 13 */ { .fid = EF_SOPIN_MAX_RETRIES, // max retries PIN (SOPIN)
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 14 */ { .fid = EF_SOPIN_RETRIES, // retries PIN (SOPIN)
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 15 */ { .fid = EF_DEVOPS, // Device options
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 16 */ { .fid = EF_PRKDFS, // EF.PrKDFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 17 */ { .fid = EF_PUKDFS, // EF.PuKDFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 18 */ { .fid = EF_CDFS, // EF.CDFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 19 */ { .fid = EF_AODFS, // EF.AODFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 20 */ { .fid = EF_DODFS, // EF.DODFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 21 */ { .fid = EF_SKDFS, // EF.SKDFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 22 */ { .fid = EF_KEY_DOMAIN, // Key domain options
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 23 */ { .fid = EF_META, // EF.CDFs
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 24 */ { .fid = EF_PUKAUT, // Public Key Authentication
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 25 */ { .fid = EF_KEY_DEV, // Device Key
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 26 */ { .fid = EF_PRKD_DEV, // PrKD Device
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 27 */ { .fid = EF_EE_DEV, // End Entity Certificate Device
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 28 */ { .fid = EF_MKEK, // MKEK
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 29 */ { .fid = EF_MKEK_SO, // MKEK with SO-PIN
+ .parent = 5,
+ .name = NULL,
+ .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH | FILE_PERSISTENT,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_NONE },
+ /* 30 */ { .fid = 0x0000,
+ .parent = 5,
+ .name = sc_hsm_aid,
+ .type = FILE_TYPE_WORKING_EF,
+ .data = NULL,
+ .ef_structure = FILE_EF_TRANSPARENT,
+ .acl = ACL_ALL },
+ /* 31 */ { .fid = 0x0000, // end
+ .parent = 0xff,
+ .name = NULL,
+ .type = FILE_TYPE_NOT_KNOWN,
+ .data = NULL,
+ .ef_structure = 0,
+ .acl = { 0 } }
 };
 const file_t *MF = &file_entries[0];
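Review bot: The end-of-table sentinel (entry 31) keeps the raw `.acl = { 0 } }` initializer while every other entry now names its policy with `ACL_ALL` or `ACL_NONE`. Either use a macro there too or add a comment such as `/* sentinel: ACL never consulted */`, so no bare literal is left for a reader to interpret. Neither macro is defined in this hunk (presumably both arrive with the pico-keys-sdk bump), so the whole access policy rests on definitions a reviewer of this file cannot see. It is worth confirming that `ACL_NONE` denies every operation slot, since the old `{ 0xff }` would have initialised only the first element if `acl` is an array. Also check that `ACL_ALL` on the flash-backed `FILE_PERSISTENT` entry 3 (`EF_TERMCA`) grants no more than that file is meant to allow. The carried-over comment on entry 23 (`EF_META`) still reads `// EF.CDFs`, duplicating entry 18, and should describe the metadata file instead.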