From ed2925cfb6c81c47a124f4467cd09945e7e99908 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 6 Nov 2023 14:25:42 +0100 Subject: [PATCH] Use new Pico Keys SDK. Signed-off-by: Pol Henarejos --- CMakeLists.txt | 4 ++-- src/hsm/cmd_derive_asym.c | 2 +- src/hsm/cmd_initialize.c | 6 +++--- src/hsm/cmd_key_gen.c | 8 ++++---- src/hsm/cmd_key_unwrap.c | 22 +++++++++++----------- src/hsm/cmd_key_wrap.c | 14 +++++++------- src/hsm/cmd_keypair_gen.c | 8 ++++---- src/hsm/cvc.c | 38 +++++++++++++++++++------------------- src/hsm/kek.c | 32 ++++++++++++++++---------------- src/hsm/sc_hsm.c | 16 ++++++++-------- src/hsm/sc_hsm.h | 2 +- 11 files changed, 76 insertions(+), 76 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5f97c09..8cc8556 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -77,7 +77,7 @@ set(SOURCES ${SOURCES} ) set(USB_ITF_CCID 1) -include(pico-hsm-sdk/pico_hsm_sdk_import.cmake) +include(pico-keys-sdk/pico_keys_sdk_import.cmake) set(INCLUDES ${INCLUDES} ${CMAKE_CURRENT_LIST_DIR}/src/hsm @@ -109,5 +109,5 @@ endif (APPLE) else() pico_add_extra_outputs(pico_hsm) -target_link_libraries(pico_hsm PRIVATE pico_hsm_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board) +target_link_libraries(pico_hsm PRIVATE pico_keys_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board) endif() diff --git a/src/hsm/cmd_derive_asym.c b/src/hsm/cmd_derive_asym.c index 700a5f1..ff59009 100644 --- a/src/hsm/cmd_derive_asym.c +++ b/src/hsm/cmd_derive_asym.c @@ -88,7 +88,7 @@ int cmd_derive_asym() { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); } - r = store_keys(&ctx, HSM_KEY_EC, dest_id); + r = store_keys(&ctx, PICO_KEYS_KEY_EC, dest_id); if (r != CCID_OK) { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); diff --git a/src/hsm/cmd_initialize.c b/src/hsm/cmd_initialize.c index 06b1082..8dd45c1 100644 --- a/src/hsm/cmd_initialize.c +++ b/src/hsm/cmd_initialize.c @@ -187,13 +187,13 @@ int cmd_initialize() { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } - ret = store_keys(&ecdsa, HSM_KEY_EC, key_id); + ret = store_keys(&ecdsa, PICO_KEYS_KEY_EC, key_id); if (ret != CCID_OK) { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } size_t cvc_len = 0; - if ((cvc_len = asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { + if ((cvc_len = asn1_cvc_aut(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } @@ -205,7 +205,7 @@ int cmd_initialize() { return SW_EXEC_ERROR(); } - if ((cvc_len = asn1_cvc_cert(&ecdsa, HSM_KEY_EC, res_APDU, 4096, NULL, 0, true)) == 0) { + if ((cvc_len = asn1_cvc_cert(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0, true)) == 0) { mbedtls_ecdsa_free(&ecdsa); return SW_EXEC_ERROR(); } diff --git a/src/hsm/cmd_key_gen.c b/src/hsm/cmd_key_gen.c index 78846be..9389cb7 100644 --- a/src/hsm/cmd_key_gen.c +++ b/src/hsm/cmd_key_gen.c @@ -44,16 +44,16 @@ int cmd_key_gen() { memcpy(aes_key, random_bytes_get(key_size), key_size); int aes_type = 0x0; if (key_size == 16) { - aes_type = HSM_KEY_AES_128; + aes_type = PICO_KEYS_KEY_AES_128; } else if (key_size == 24) { - aes_type = HSM_KEY_AES_192; + aes_type = PICO_KEYS_KEY_AES_192; } else if (key_size == 32) { - aes_type = HSM_KEY_AES_256; + aes_type = PICO_KEYS_KEY_AES_256; } else if (key_size == 64) { - aes_type = HSM_KEY_AES_512; + aes_type = PICO_KEYS_KEY_AES_512; } r = store_keys(aes_key, aes_type, key_id); if (r != CCID_OK) { diff --git a/src/hsm/cmd_key_unwrap.c b/src/hsm/cmd_key_unwrap.c index bfbae74..83b765b 100644 --- a/src/hsm/cmd_key_unwrap.c +++ b/src/hsm/cmd_key_unwrap.c @@ -35,7 +35,7 @@ int cmd_key_unwrap() { if (key_type == 0x0) { return SW_DATA_INVALID(); } - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { mbedtls_rsa_context ctx; mbedtls_rsa_init(&ctx); do { @@ -45,8 +45,8 @@ int cmd_key_unwrap() { mbedtls_rsa_free(&ctx); return SW_EXEC_ERROR(); } - r = store_keys(&ctx, HSM_KEY_RSA, key_id); - if ((res_APDU_size = asn1_cvc_aut(&ctx, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { + r = store_keys(&ctx, PICO_KEYS_KEY_RSA, key_id); + if ((res_APDU_size = asn1_cvc_aut(&ctx, PICO_KEYS_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { mbedtls_rsa_free(&ctx); return SW_EXEC_ERROR(); } @@ -57,7 +57,7 @@ int cmd_key_unwrap() { } prkd_len = asn1_build_prkd_ecc(NULL, 0, NULL, 0, key_size * 8, prkd_buf, sizeof(prkd_buf)); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { mbedtls_ecdsa_context ctx; mbedtls_ecdsa_init(&ctx); do { @@ -67,8 +67,8 @@ int cmd_key_unwrap() { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); } - r = store_keys(&ctx, HSM_KEY_EC, key_id); - if ((res_APDU_size = asn1_cvc_aut(&ctx, HSM_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { + r = store_keys(&ctx, PICO_KEYS_KEY_EC, key_id); + if ((res_APDU_size = asn1_cvc_aut(&ctx, PICO_KEYS_KEY_EC, res_APDU, 4096, NULL, 0)) == 0) { mbedtls_ecdsa_free(&ctx); return SW_EXEC_ERROR(); } @@ -79,7 +79,7 @@ int cmd_key_unwrap() { } prkd_len = asn1_build_prkd_ecc(NULL, 0, NULL, 0, key_size, prkd_buf, sizeof(prkd_buf)); } - else if (key_type & HSM_KEY_AES) { + else if (key_type & PICO_KEYS_KEY_AES) { uint8_t aes_key[64]; int key_size = 0, aes_type = 0; do { @@ -95,16 +95,16 @@ int cmd_key_unwrap() { return SW_EXEC_ERROR(); } if (key_size == 64) { - aes_type = HSM_KEY_AES_512; + aes_type = PICO_KEYS_KEY_AES_512; } else if (key_size == 32) { - aes_type = HSM_KEY_AES_256; + aes_type = PICO_KEYS_KEY_AES_256; } else if (key_size == 24) { - aes_type = HSM_KEY_AES_192; + aes_type = PICO_KEYS_KEY_AES_192; } else if (key_size == 16) { - aes_type = HSM_KEY_AES_128; + aes_type = PICO_KEYS_KEY_AES_128; } else { return SW_EXEC_ERROR(); diff --git a/src/hsm/cmd_key_wrap.c b/src/hsm/cmd_key_wrap.c index d9cbf8f..938f543 100644 --- a/src/hsm/cmd_key_wrap.c +++ b/src/hsm/cmd_key_wrap.c @@ -67,7 +67,7 @@ int cmd_key_wrap() { } return SW_EXEC_ERROR(); } - r = dkek_encode_key(kdom, &ctx, HSM_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len); + r = dkek_encode_key(kdom, &ctx, PICO_KEYS_KEY_RSA, res_APDU, &wrap_len, meta_tag, tag_len); mbedtls_rsa_free(&ctx); } else if (*dprkd == P15_KEYTYPE_ECC) { @@ -81,7 +81,7 @@ int cmd_key_wrap() { } return SW_EXEC_ERROR(); } - r = dkek_encode_key(kdom, &ctx, HSM_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len); + r = dkek_encode_key(kdom, &ctx, PICO_KEYS_KEY_EC, res_APDU, &wrap_len, meta_tag, tag_len); mbedtls_ecdsa_free(&ctx); } else if (*dprkd == P15_KEYTYPE_AES) { @@ -90,22 +90,22 @@ int cmd_key_wrap() { return SW_SECURE_MESSAGE_EXEC_ERROR(); } - int key_size = file_get_size(ef), aes_type = HSM_KEY_AES; + int key_size = file_get_size(ef), aes_type = PICO_KEYS_KEY_AES; memcpy(kdata, file_get_data(ef), key_size); if (mkek_decrypt(kdata, key_size) != 0) { return SW_EXEC_ERROR(); } if (key_size == 64) { - aes_type = HSM_KEY_AES_512; + aes_type = PICO_KEYS_KEY_AES_512; } else if (key_size == 32) { - aes_type = HSM_KEY_AES_256; + aes_type = PICO_KEYS_KEY_AES_256; } else if (key_size == 24) { - aes_type = HSM_KEY_AES_192; + aes_type = PICO_KEYS_KEY_AES_192; } else if (key_size == 16) { - aes_type = HSM_KEY_AES_128; + aes_type = PICO_KEYS_KEY_AES_128; } r = dkek_encode_key(kdom, kdata, aes_type, res_APDU, &wrap_len, meta_tag, tag_len); mbedtls_platform_zeroize(kdata, sizeof(kdata)); diff --git a/src/hsm/cmd_keypair_gen.c b/src/hsm/cmd_keypair_gen.c index 638b950..25a4dd0 100644 --- a/src/hsm/cmd_keypair_gen.c +++ b/src/hsm/cmd_keypair_gen.c @@ -69,10 +69,10 @@ int cmd_keypair_gen() { return SW_EXEC_ERROR(); } if ((res_APDU_size = - asn1_cvc_aut(&rsa, HSM_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { + asn1_cvc_aut(&rsa, PICO_KEYS_KEY_RSA, res_APDU, 4096, NULL, 0)) == 0) { return SW_EXEC_ERROR(); } - ret = store_keys(&rsa, HSM_KEY_RSA, key_id); + ret = store_keys(&rsa, PICO_KEYS_KEY_RSA, key_id); if (ret != CCID_OK) { mbedtls_rsa_free(&rsa); return SW_EXEC_ERROR(); @@ -133,7 +133,7 @@ int cmd_keypair_gen() { } } if ((res_APDU_size = - asn1_cvc_aut(&ecdsa, HSM_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) { + asn1_cvc_aut(&ecdsa, PICO_KEYS_KEY_EC, res_APDU, 4096, ext, ext_len)) == 0) { if (ext) { free(ext); } @@ -143,7 +143,7 @@ int cmd_keypair_gen() { if (ext) { free(ext); } - ret = store_keys(&ecdsa, HSM_KEY_EC, key_id); + ret = store_keys(&ecdsa, PICO_KEYS_KEY_EC, key_id); mbedtls_ecdsa_free(&ecdsa); if (ret != CCID_OK) { return SW_EXEC_ERROR(); diff --git a/src/hsm/cvc.c b/src/hsm/cvc.c index 9e1a932..93434a5 100644 --- a/src/hsm/cvc.c +++ b/src/hsm/cvc.c @@ -165,10 +165,10 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, size_t ext_len, bool full) { size_t pubkey_size = 0; - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { pubkey_size = asn1_cvc_public_key_rsa(rsa_ecdsa, NULL, 0); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { pubkey_size = asn1_cvc_public_key_ecdsa(rsa_ecdsa, NULL, 0); } size_t cpi_size = 4, ext_size = 0, role_size = 0, valid_size = 0; @@ -221,10 +221,10 @@ size_t asn1_cvc_cert_body(void *rsa_ecdsa, //car *p++ = 0x42; p += format_tlv_len(lencar, p); memcpy(p, car, lencar); p += lencar; //pubkey - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { p += asn1_cvc_public_key_rsa(rsa_ecdsa, p, pubkey_size); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { p += asn1_cvc_public_key_ecdsa(rsa_ecdsa, p, pubkey_size); } //chr @@ -265,10 +265,10 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, size_t ext_len, bool full) { size_t key_size = 0; - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { key_size = mbedtls_mpi_size(&((mbedtls_rsa_context *) rsa_ecdsa)->N); } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { key_size = 2 * (int)((mbedtls_ecp_curve_info_from_grp_id(((mbedtls_ecdsa_context *) rsa_ecdsa)->grp.id)->bit_size + 7) / 8); } size_t body_size = asn1_cvc_cert_body(rsa_ecdsa, key_type, NULL, 0, ext, ext_len, full), sig_size = asn1_len_tag(0x5f37, key_size); @@ -288,13 +288,13 @@ size_t asn1_cvc_cert(void *rsa_ecdsa, hash256(body, body_size, hsh); memcpy(p, "\x5F\x37", 2); p += 2; p += format_tlv_len(key_size, p); - if (key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_RSA) { if (mbedtls_rsa_rsassa_pkcs1_v15_sign(rsa_ecdsa, random_gen, NULL, MBEDTLS_MD_SHA256, 32, hsh, p) != 0) { memset(p, 0, key_size); } p += key_size; } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { mbedtls_mpi r, s; int ret = 0; mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) rsa_ecdsa; @@ -440,17 +440,17 @@ size_t asn1_build_prkd_generic(const uint8_t *label, size_t seq_len = 0; const uint8_t *seq = NULL; uint8_t first_tag = 0x0; - if (key_type & HSM_KEY_EC) { + if (key_type & PICO_KEYS_KEY_EC) { seq = (const uint8_t *)"\x07\x20\x80"; seq_len = 3; first_tag = 0xA0; } - else if (key_type & HSM_KEY_RSA) { + else if (key_type & PICO_KEYS_KEY_RSA) { seq = (const uint8_t *)"\x02\x74"; seq_len = 2; first_tag = 0x30; } - else if (key_type & HSM_KEY_AES) { + else if (key_type & PICO_KEYS_KEY_AES) { seq = (const uint8_t *)"\x07\xC0\x10"; seq_len = 3; first_tag = 0xA8; @@ -459,10 +459,10 @@ size_t asn1_build_prkd_generic(const uint8_t *label, size_t seq2_size = asn1_len_tag(0x30, asn1_len_tag(0x4, keyid_len) + asn1_len_tag(0x3, seq_len)); size_t seq3_size = 0, seq4_size = 0; - if (key_type & HSM_KEY_EC || key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) { seq4_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0)) + asn1_len_tag(0x2, 2))); } - else if (key_type & HSM_KEY_AES) { + else if (key_type & PICO_KEYS_KEY_AES) { seq3_size = asn1_len_tag(0xA0, asn1_len_tag(0x30, asn1_len_tag(0x2, 2))); seq4_size = asn1_len_tag(0xA1, asn1_len_tag(0x30, asn1_len_tag(0x30, asn1_len_tag(0x4, 0)))); } @@ -494,7 +494,7 @@ size_t asn1_build_prkd_generic(const uint8_t *label, memcpy(p, seq, seq_len); p += seq_len; //Seq 3 - if (key_type & HSM_KEY_AES) { + if (key_type & PICO_KEYS_KEY_AES) { *p++ = 0xA0; p += format_tlv_len(asn1_len_tag(0x30, asn1_len_tag(0x2, 2)), p); *p++ = 0x30; @@ -508,7 +508,7 @@ size_t asn1_build_prkd_generic(const uint8_t *label, //Seq 4 *p++ = 0xA1; size_t inseq4_len = asn1_len_tag(0x30, asn1_len_tag(0x4, 0)); - if (key_type & HSM_KEY_EC || key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) { inseq4_len += asn1_len_tag(0x2, 2); } p += format_tlv_len(asn1_len_tag(0x30, inseq4_len), p); @@ -518,7 +518,7 @@ size_t asn1_build_prkd_generic(const uint8_t *label, p += format_tlv_len(asn1_len_tag(0x4, 0), p); *p++ = 0x4; p += format_tlv_len(0, p); - if (key_type & HSM_KEY_EC || key_type & HSM_KEY_RSA) { + if (key_type & PICO_KEYS_KEY_EC || key_type & PICO_KEYS_KEY_RSA) { *p++ = 0x2; p += format_tlv_len(2, p); *p++ = (keysize >> 8) & 0xff; @@ -539,7 +539,7 @@ size_t asn1_build_prkd_ecc(const uint8_t *label, keyid, keyid_len, keysize, - HSM_KEY_EC, + PICO_KEYS_KEY_EC, buf, buf_len); } @@ -556,7 +556,7 @@ size_t asn1_build_prkd_rsa(const uint8_t *label, keyid, keyid_len, keysize, - HSM_KEY_RSA, + PICO_KEYS_KEY_RSA, buf, buf_len); } @@ -573,7 +573,7 @@ size_t asn1_build_prkd_aes(const uint8_t *label, keyid, keyid_len, keysize, - HSM_KEY_AES, + PICO_KEYS_KEY_AES, buf, buf_len); } diff --git a/src/hsm/kek.c b/src/hsm/kek.c index 54cb5c3..2144c1e 100644 --- a/src/hsm/kek.c +++ b/src/hsm/kek.c @@ -287,7 +287,7 @@ int dkek_encode_key(uint8_t id, size_t *out_len, const uint8_t *allowed, size_t allowed_len) { - if (!(key_type & HSM_KEY_RSA) && !(key_type & HSM_KEY_EC) && !(key_type & HSM_KEY_AES)) { + if (!(key_type & PICO_KEYS_KEY_RSA) && !(key_type & PICO_KEYS_KEY_EC) && !(key_type & PICO_KEYS_KEY_AES)) { return CCID_WRONG_DATA; } @@ -317,17 +317,17 @@ int dkek_encode_key(uint8_t id, return r; } - if (key_type & HSM_KEY_AES) { - if (key_type & HSM_KEY_AES_128) { + if (key_type & PICO_KEYS_KEY_AES) { + if (key_type & PICO_KEYS_KEY_AES_128) { kb_len = 16; } - else if (key_type & HSM_KEY_AES_192) { + else if (key_type & PICO_KEYS_KEY_AES_192) { kb_len = 24; } - else if (key_type & HSM_KEY_AES_256) { + else if (key_type & PICO_KEYS_KEY_AES_256) { kb_len = 32; } - else if (key_type & HSM_KEY_AES_512) { + else if (key_type & PICO_KEYS_KEY_AES_512) { kb_len = 64; } @@ -345,7 +345,7 @@ int dkek_encode_key(uint8_t id, algo = (uint8_t *) "\x00\x08\x60\x86\x48\x01\x65\x03\x04\x01"; //2.16.840.1.101.3.4.1 (2+8) algo_len = 10; } - else if (key_type & HSM_KEY_RSA) { + else if (key_type & PICO_KEYS_KEY_RSA) { if (*out_len < 8 + 1 + 12 + 6 + (8 + 2 * 4 + 2 * 4096 / 8 + 3 + 13) + 16) { //13 bytes pading return CCID_WRONG_LENGTH; } @@ -366,7 +366,7 @@ int dkek_encode_key(uint8_t id, algo = (uint8_t *) "\x00\x0A\x04\x00\x7F\x00\x07\x02\x02\x02\x01\x02"; algo_len = 12; } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { if (*out_len < 8 + 1 + 12 + 6 + (8 + 2 * 8 + 9 * 66 + 2 + 4) + 16) { //4 bytes pading return CCID_WRONG_LENGTH; } @@ -418,13 +418,13 @@ int dkek_encode_key(uint8_t id, memcpy(out + *out_len, kcv, 8); *out_len += 8; - if (key_type & HSM_KEY_AES) { + if (key_type & PICO_KEYS_KEY_AES) { out[*out_len] = 15; } - else if (key_type & HSM_KEY_RSA) { + else if (key_type & PICO_KEYS_KEY_RSA) { out[*out_len] = 5; } - else if (key_type & HSM_KEY_EC) { + else if (key_type & PICO_KEYS_KEY_EC) { out[*out_len] = 12; } *out_len += 1; @@ -458,7 +458,7 @@ int dkek_encode_key(uint8_t id, if (kb_len < kb_len_pad) { kb[kb_len] = 0x80; } - r = aes_encrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, kb_len_pad); + r = aes_encrypt(kenc, NULL, 256, PICO_KEYS_AES_MODE_CBC, kb, kb_len_pad); if (r != CCID_OK) { return r; } @@ -482,13 +482,13 @@ int dkek_encode_key(uint8_t id, int dkek_type_key(const uint8_t *in) { if (in[8] == 5 || in[8] == 6) { - return HSM_KEY_RSA; + return PICO_KEYS_KEY_RSA; } else if (in[8] == 12) { - return HSM_KEY_EC; + return PICO_KEYS_KEY_EC; } else if (in[8] == 15) { - return HSM_KEY_AES; + return PICO_KEYS_KEY_AES; } return 0x0; } @@ -585,7 +585,7 @@ int dkek_decode_key(uint8_t id, uint8_t kb[8 + 2 * 4 + 2 * 4096 / 8 + 3 + 13]; //worst case: RSA-4096 (plus, 13 bytes padding) memset(kb, 0, sizeof(kb)); memcpy(kb, in + ofs, in_len - 16 - ofs); - r = aes_decrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, in_len - 16 - ofs); + r = aes_decrypt(kenc, NULL, 256, PICO_KEYS_AES_MODE_CBC, kb, in_len - 16 - ofs); if (r != CCID_OK) { return r; } diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index 2fd0fd6..2380839 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -24,7 +24,7 @@ #include "eac.h" #include "cvc.h" #include "asn1.h" -#include "hsm.h" +#include "pico_keys.h" #include "usb.h" #include "random.h" @@ -496,30 +496,30 @@ uint32_t decrement_key_counter(file_t *fkey) { int store_keys(void *key_ctx, int type, uint8_t key_id) { int r, key_size = 0; uint8_t kdata[4096 / 8]; // worst case - if (type & HSM_KEY_RSA) { + if (type & PICO_KEYS_KEY_RSA) { mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx; key_size = mbedtls_mpi_size(&rsa->P) + mbedtls_mpi_size(&rsa->Q); mbedtls_mpi_write_binary(&rsa->P, kdata, key_size / 2); mbedtls_mpi_write_binary(&rsa->Q, kdata + key_size / 2, key_size / 2); } - else if (type & HSM_KEY_EC) { + else if (type & PICO_KEYS_KEY_EC) { mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) key_ctx; key_size = mbedtls_mpi_size(&ecdsa->d); kdata[0] = ecdsa->grp.id & 0xff; mbedtls_ecp_write_key(ecdsa, kdata + 1, key_size); key_size++; } - else if (type & HSM_KEY_AES) { - if (type == HSM_KEY_AES_128) { + else if (type & PICO_KEYS_KEY_AES) { + if (type == PICO_KEYS_KEY_AES_128) { key_size = 16; } - else if (type == HSM_KEY_AES_192) { + else if (type == PICO_KEYS_KEY_AES_192) { key_size = 24; } - else if (type == HSM_KEY_AES_256) { + else if (type == PICO_KEYS_KEY_AES_256) { key_size = 32; } - else if (type == HSM_KEY_AES_512) { + else if (type == PICO_KEYS_KEY_AES_512) { key_size = 64; } memcpy(kdata, key_ctx, key_size); diff --git a/src/hsm/sc_hsm.h b/src/hsm/sc_hsm.h index e80de37..9a7b194 100644 --- a/src/hsm/sc_hsm.h +++ b/src/hsm/sc_hsm.h @@ -27,7 +27,7 @@ #endif #include "file.h" #include "apdu.h" -#include "hsm.h" +#include "pico_keys.h" extern const uint8_t sc_hsm_aid[];