Using dynamic dkek number and current shares, for each key domain.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-01-17 09:28:05 +00:00 · 2022-05-24 09:18:35 +02:00 · 2022-05-24 09:18:35 +02:00 · c80b723112
commit c80b723112
parent a062b92dad
3 changed files with 29 additions and 12 deletions
--- a/src/hsm/files.c
+++ b/src/hsm/files.c
@ -44,6 +44,7 @@ file_t file_entries[] = {
    /* 19 */ { .fid = EF_AODFS  , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.AODFs
    /* 20 */ { .fid = EF_DODFS  , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.DODFs
    /* 21 */ { .fid = EF_SKDFS  , .parent = 5, .name = NULL, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} }, //EF.SKDFs
+    /* 15 */ { .fid = EF_KEY_DOMAIN, .parent = 5, .name = NULL, .type = FILE_TYPE_INTERNAL_EF | FILE_DATA_FLASH, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0xff} }, //Key domain options
    ///* 22 */ { .fid = 0x0000, .parent = 0, .name = openpgpcard_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
    /* 23 */ { .fid = 0x0000, .parent = 5, .name = sc_hsm_aid, .type = FILE_TYPE_WORKING_EF, .data = NULL, .ef_structure = FILE_EF_TRANSPARENT, .acl = {0} },
    /* 24 */ { .fid = 0x0000, .parent = 0xff, .name = NULL, .type = FILE_TYPE_UNKNOWN, .data = NULL, .ef_structure = 0, .acl = {0} } //end
--- a/src/hsm/files.h
+++ b/src/hsm/files.h
@ -21,14 +21,15 @@

 #include "file.h"

-#define EF_DEVOPS   0x100E
-#define EF_DKEK     0x1090
-#define EF_PRKDFS   0x6040
-#define EF_PUKDFS   0x6041
-#define EF_CDFS     0x6042
-#define EF_AODFS    0x6043
-#define EF_DODFS    0x6044
-#define EF_SKDFS    0x6045
+#define EF_DEVOPS       0x100E
+#define EF_DKEK         0x1090
+#define EF_KEY_DOMAIN   0x10A0
+#define EF_PRKDFS       0x6040
+#define EF_PUKDFS       0x6041
+#define EF_CDFS         0x6042
+#define EF_AODFS        0x6043
+#define EF_DODFS        0x6044
+#define EF_SKDFS        0x6045

 extern file_t *file_pin1;
 extern file_t *file_retries_pin1;
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
@ -47,7 +47,6 @@ char atr_sc_hsm[] = {

 uint8_t session_pin[32], session_sopin[32];
 bool has_session_pin = false, has_session_sopin = false;
-static uint8_t dkeks = 0, current_dkeks = 0;

 static int sc_hsm_process_apdu();

@ -681,8 +680,7 @@ static int cmd_initialize() {
    if (apdu.cmd_apdu_data_len > 0) {
        initialize_flash(true);
        scan_all();
-        dkeks = current_dkeks = 0;
-        uint8_t tag = 0x0, *tag_data = NULL, *p = NULL, kds = 1;
+        uint8_t tag = 0x0, *tag_data = NULL, *p = NULL, kds = 1, dkeks = 0;
        size_t tag_len = 0;    
        while (walk_tlv(apdu.cmd_apdu_data, apdu.cmd_apdu_data_len, &p, &tag, &tag_len, &tag_data)) {
            if (tag == 0x80) { //options
@ -737,6 +735,19 @@ static int cmd_initialize() {
                low_flash_available();
            }
        }
+        if (kds < 1)
+            return SW_WRONG_DATA();
+        uint8_t t[MAX_KEY_DOMAINS*2];
+        memset(t, 0, 2*kds);
+        file_t *tf = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+        if (!tf)
+            return SW_EXEC_ERROR();
+        if (dkeks > 0)
+            t[0] = dkeks;
+        else
+            memset(t, 1, 2*kds);
+        if (flash_write_data_to_file(tf, t, 2*kds) != CCID_OK)
+            return SW_EXEC_ERROR();
        if (dkeks == 0) {
            //At least, the first DKEK shall exist
            file_t *tf = search_dynamic_file(EF_DKEK);
@ -749,11 +760,11 @@ static int cmd_initialize() {
            }
            for (int kd = 0; kd < kds; kd++) {
                int r = save_dkek_key(kd, random_bytes_get(32));
-                printf("r %d\r\n",r);
                if (r != CCID_OK)
                    return SW_EXEC_ERROR();
            }
        }
+        low_flash_available();
    }
    else { //free memory bytes request
        int heap_left = heapLeft();
@ -778,6 +789,10 @@ static int cmd_key_domain() {
    if (p1 == 0x0) { //dkek import
        if (p2 > MAX_KEY_DOMAINS)
            return SW_WRONG_P1P2();
+        file_t *tf = search_by_fid(EF_KEY_DOMAIN, NULL, SPECIFY_EF);
+        if (!tf)
+            return SW_EXEC_ERROR();
+        uint8_t *kdata = file_get_data(tf), dkeks = *(kdata+2*p2), current_dkeks = *(kdata+2*p2+1);
        if (apdu.cmd_apdu_data_len > 0) {
            file_t *tf = file_new(EF_DKEK+p2);
            if (!tf)