From fc6c852e093514e4e69b4c8d6256758ff967192d Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Thu, 18 Aug 2022 20:09:23 +0200
Subject: [PATCH] When used this tool, the device is always reset to default
 state.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 burn-cvcerts.py | 105 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 68 insertions(+), 37 deletions(-)

diff --git a/burn-cvcerts.py b/burn-cvcerts.py
index 98ced76..fe835be 100644
--- a/burn-cvcerts.py
+++ b/burn-cvcerts.py
@@ -16,48 +16,79 @@ class APDUResponse(Exception):
         self.sw2 = sw2
         super().__init__(f'SW:{sw1:02X}{sw2:02X}')
         
-def send_apdu(command, p1, p2, data):
+def send_apdu(card, command, p1, p2, data):
     lc = [0x00] + list(len(data).to_bytes(2,'big'))
     le = [0x00, 0x00]
-    apdu = [0x00] + [command, p1, p2] + lc + data + le
-    response, sw1, sw2 = cardservice.connection.transmit(apdu)
+    if (isinstance(command, list) and len(command) > 1):
+        apdu = command
+    else:
+        apdu = [0x00, command]
+        
+    apdu = apdu + [p1, p2] + lc + data + le
+    response, sw1, sw2 = card.connection.transmit(apdu)
     if (sw1 != 0x90):
         raise APDUResponse(sw1,sw2)
     return response
 
-cardtype = AnyCardType()
-
-try:
-    # request card insertion
-    cardrequest = CardRequest(timeout=10, cardType=cardtype)
-    cardservice = cardrequest.waitforcard()
-
-    # connect to the card and perform a few transmits
-    cardservice.connection.connect()
-
-    response = send_apdu(0xB1, 0xCE, 0x00, [0x54,0x02,0x00,0x00])
-
-    cert = bytearray(response)
-    Y = CVC().decode(cert).pubkey().find(0x86).data()
-    print(f'Public Point: {hexlify(Y).decode()}')
+def main():
+    print('Pico HSM burning certificates tool v1.0')
+    print('Author: Pol Henarejos')
+    print('Report bugs to https://github.com/polhenarejos/pico-hsm/')
+    print('')
+    print('')
+    print('********************************')
+    print('*   PLEASE READ IT CAREFULLY   *')
+    print('********************************')
+    print('')
+    print('This tool will erase and reset your device. It will delete all private and secret keys.')
+    print('Are you sure?')
+    _ = input('[Press enter to confirm]')
+    cardtype = AnyCardType()
+    try:
+        # request card insertion
+        cardrequest = CardRequest(timeout=10, cardType=cardtype)
+        card = cardrequest.waitforcard()
     
-    user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
-    pbk = base64.urlsafe_b64encode(Y)
-    data = urllib.parse.urlencode({'pubkey':pbk}).encode()
-    req = urllib.request.Request("https://www.henarejos.me/pico-hsm/cvc/", method='POST', data=data, headers={'User-Agent':user_agent,} ) #The assembled request
-    response = urllib.request.urlopen(req)
-    resp = response.read().decode('utf-8')
-    j = json.loads(resp)
-    dataef = base64.urlsafe_b64decode(j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
-    
-    response = send_apdu(0xa4, 0x00, 0x00, [0x2f,0x02])
-    pin = getpass('PIN: ')
-    response = send_apdu(0x20, 0x00, 0x81, list(pin.encode()))
-
-    apdu_data = [0x54, 0x02, 0x00, 0x00] + list(ASN1.make_tag(0x53, dataef))
-    response = send_apdu(0xd7, 0x00, 0x00, apdu_data)
-    
-    print('Certificate uploaded successfully!')
+        # connect to the card and perform a few transmits
+        card.connection.connect()
         
-except CardRequestTimeoutException:
-    print('time-out: no card inserted during last 10s')
+        reset_data = [0x80, 0x02, 0x00, 0x01, 0x81, 0x06, 0x36, 0x34, 0x38, 0x32, 0x31, 0x39, 0x82, 0x08, 0x35, 0x37, 0x36, 0x32, 0x31, 0x38, 0x38, 0x30, 0x91, 0x01, 0x03]
+        response = send_apdu(card, [0x80, 0x50], 0x00, 0x00, reset_data)
+    
+        response = send_apdu(card, 0xB1, 0xCE, 0x00, [0x54,0x02,0x00,0x00])
+    
+        cert = bytearray(response)
+        Y = CVC().decode(cert).pubkey().find(0x86).data()
+        print(f'Public Point: {hexlify(Y).decode()}')
+        
+        user_agent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7'
+        pbk = base64.urlsafe_b64encode(Y)
+        data = urllib.parse.urlencode({'pubkey':pbk}).encode()
+        req = urllib.request.Request("https://www.henarejos.me/pico-hsm/cvc/", method='POST', data=data, headers={'User-Agent':user_agent,} ) #The assembled request
+        response = urllib.request.urlopen(req)
+        resp = response.read().decode('utf-8')
+        j = json.loads(resp)
+        print('Device name: '+j['devname'])
+        dataef = base64.urlsafe_b64decode(j['cvcert']) + base64.urlsafe_b64decode(j['dvcert'])
+        
+        response = send_apdu(card, 0xa4, 0x00, 0x00, [0x2f,0x02])
+        pin = b'648219'
+        response = send_apdu(card, 0x20, 0x00, 0x81, list(pin))
+    
+        apdu_data = [0x54, 0x02, 0x00, 0x00] + list(ASN1.make_tag(0x53, dataef))
+        response = send_apdu(card, 0xd7, 0x00, 0x00, apdu_data)
+        
+        print('Certificate uploaded successfully!')
+        print('')
+        print('Note that the device is initialized with a default PIN and configuration.')
+        print('Now you can initialize the device as usual with you chosen PIN and configuration options.')
+            
+    except CardRequestTimeoutException:
+        print('time-out: no card inserted during last 10s')
+
+def run():
+    main()
+
+if __name__ == "__main__":
+    run()
+    
\ No newline at end of file