clone/pico-openpgp
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-openpgp.git synced 2026-06-20 17:23:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: clone:f2fe6dd5c2928fbdf9a7f46b5a06151ea4cef071
Branches Tags
clone:main
clone:nightly-main clone:v4.6 clone:v4.4 clone:v4.2 clone:v4.0 clone:v4.0-eddsa1 clone:v3.6 clone:v3.4-eddsa1 clone:v3.4 clone:v3.2 clone:v3.0 clone:v2.2 clone:v2.0 clone:v1.12 clone:v1.10 clone:v1.8 clone:v1.6 clone:v1.4 clone:v1.2 clone:v1.0
..
compare: clone:41ae81067cb2ceb233144aa3d79cbce38d630967
Branches Tags
clone:main
clone:nightly-main clone:v4.6 clone:v4.4 clone:v4.2 clone:v4.0 clone:v4.0-eddsa1 clone:v3.6 clone:v3.4-eddsa1 clone:v3.4 clone:v3.2 clone:v3.0 clone:v2.2 clone:v2.0 clone:v1.12 clone:v1.10 clone:v1.8 clone:v1.6 clone:v1.4 clone:v1.2 clone:v1.0

6 Commits
f2fe6dd5c2 ... 41ae81067c

Author SHA1 Message Date
Pol Henarejos
41ae81067c Merge remote-tracking branch 'origin/main' 2025-07-09 09:39:05 +02:00
Pol Henarejos
9c878cc5b6 Fix PIV default keys indication. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2025-07-08 14:13:23 +02:00
Pol Henarejos
31ac28c7de Fix touch policy on mgmt key change. 
Fixes #38.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2025-07-08 13:51:24 +02:00
Pol Henarejos
33ce1c50aa Add autobuild for RP2350. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2025-07-05 00:52:30 +02:00
Pol Henarejos
edfcd087c1 Fix cross build. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2025-06-22 20:26:53 +02:00
Pol Henarejos
a713eb4e03 Fix ESP32 build. 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
 2025-06-22 20:22:38 +02:00
6 changed files with 91 additions and 77 deletions
Expand all files Collapse all files

7
.github/workflows/nightly.yml vendored
View File

@@ -19,13 +19,20 @@ jobs:
with: with:
ref: ${{ matrix.refs }} ref: ${{ matrix.refs }}
submodules: 'recursive' submodules: 'recursive'
- name: Restore private key
run: |
echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > private.pem
chmod 600 private.pem
- name : Build - name : Build
env: env:
PICO_SDK_PATH: ../pico-sdk PICO_SDK_PATH: ../pico-sdk
SECURE_BOOT_PKEY: ../private.pem
run: | run: |
./workflows/autobuild.sh pico ./workflows/autobuild.sh pico
./build_pico_openpgp.sh --no-eddsa ./build_pico_openpgp.sh --no-eddsa
./workflows/autobuild.sh esp32 ./workflows/autobuild.sh esp32
- name: Delete private key
run: rm private.pem
- name: Update nightly release - name: Update nightly release
uses: pyTooling/Actions/releaser@main uses: pyTooling/Actions/releaser@main
with: with:

11
CMakeLists.txt
View File

@@ -45,6 +45,13 @@ else()
add_executable(pico_openpgp) add_executable(pico_openpgp)
endif() endif()
set(USB_ITF_CCID 1)
set(USB_ITF_WCID 1)
include(pico-keys-sdk/pico_keys_sdk_import.cmake)
if(NOT ESP_PLATFORM)
set(SOURCES ${PICO_KEYS_SOURCES})
endif()
set(SOURCES ${SOURCES} set(SOURCES ${SOURCES}
${CMAKE_CURRENT_LIST_DIR}/src/openpgp/openpgp.c ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/openpgp.c
${CMAKE_CURRENT_LIST_DIR}/src/openpgp/files.c ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/files.c
@@ -70,10 +77,6 @@ set(SOURCES ${SOURCES}
${CMAKE_CURRENT_LIST_DIR}/src/openpgp/defs.c ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/defs.c
) )
set(USB_ITF_CCID 1)
set(USB_ITF_WCID 1)
include(pico-keys-sdk/pico_keys_sdk_import.cmake)
SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/openpgp/version.h" 1) SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/openpgp/version.h" 1)
if(ESP_PLATFORM) if(ESP_PLATFORM)

5
build_pico_openpgp.sh
View File

@@ -23,12 +23,13 @@ fi
cd build_release cd build_release
PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}" PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}"
SECURE_BOOT_PKEY="${SECURE_BOOT_PKEY:-../../ec_private_key.pem}"
board_dir=${PICO_SDK_PATH}/src/boards/include/boards board_dir=${PICO_SDK_PATH}/src/boards/include/boards
for board in "$board_dir"/* for board in "$board_dir"/*
do do
board_name="$(basename -- "$board" .h)" board_name="$(basename -- "$board" .h)"
rm -rf -- ./* rm -rf -- ./*
PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=../../ec_private_key.pem PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=${SECURE_BOOT_PKEY}
make -j`nproc` make -j`nproc`
mv pico_openpgp.uf2 ../release/pico_openpgp_$board_name-$SUFFIX.uf2 mv pico_openpgp.uf2 ../release/pico_openpgp_$board_name-$SUFFIX.uf2
done done
@@ -40,7 +41,7 @@ if [[ $NO_EDDSA -eq 0 ]]; then
do do
board_name="$(basename -- "$board" .h)" board_name="$(basename -- "$board" .h)"
rm -rf -- ./* rm -rf -- ./*
PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=../../ec_private_key.pem -DENABLE_EDDSA=1 PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=${SECURE_BOOT_PKEY} -DENABLE_EDDSA=1
make -j`nproc` make -j`nproc`
mv pico_openpgp.uf2 ../release_eddsa/pico_openpgp_$board_name-$SUFFIX-eddsa1.uf2 mv pico_openpgp.uf2 ../release_eddsa/pico_openpgp_$board_name-$SUFFIX-eddsa1.uf2
done done

2
pico-keys-sdk

Submodule pico-keys-sdk updated: 580b0acffa...113e720fca

2
src/openpgp/CMakeLists.txt
View File

@@ -1,6 +1,6 @@
idf_component_register( idf_component_register(
SRCS ${SOURCES} SRCS ${SOURCES}
INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb ../../pico-keys-sdk/tinycbor/src INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb ../../pico-keys-sdk/tinycbor/src
REQUIRES bootloader_support esp_partition esp_tinyusb zorxx__neopixel mbedtls efuse REQUIRES mbedtls efuse
) )
idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON) idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON)

141
src/openpgp/piv.c
View File

@@ -218,7 +218,7 @@ static void scan_files_piv() {
uint8_t *key = (uint8_t *)"\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"; uint8_t *key = (uint8_t *)"\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08";
file_t *ef = search_by_fid(EF_PIV_KEY_CARDMGM, NULL, SPECIFY_ANY); file_t *ef = search_by_fid(EF_PIV_KEY_CARDMGM, NULL, SPECIFY_ANY);
file_put_data(ef, key, 24); file_put_data(ef, key, 24);
uint8_t meta[] = { PIV_ALGO_AES192, PINPOLICY_ALWAYS, TOUCHPOLICY_ALWAYS, ORIGIN_GENERATED }; uint8_t meta[] = { PIV_ALGO_AES192, PINPOLICY_ALWAYS, TOUCHPOLICY_ALWAYS };
meta_add(EF_PIV_KEY_CARDMGM, meta, sizeof(meta)); meta_add(EF_PIV_KEY_CARDMGM, meta, sizeof(meta));
has_pwpiv = false; has_pwpiv = false;
memset(session_pwpiv, 0, sizeof(session_pwpiv)); memset(session_pwpiv, 0, sizeof(session_pwpiv));
@@ -458,74 +458,76 @@ static int cmd_get_metadata() {
res_APDU[res_APDU_size++] = 2; res_APDU[res_APDU_size++] = 2;
res_APDU[res_APDU_size++] = meta[1]; res_APDU[res_APDU_size++] = meta[1];
res_APDU[res_APDU_size++] = meta[2]; res_APDU[res_APDU_size++] = meta[2];
res_APDU[res_APDU_size++] = 0x3; if (key_ref != EF_PIV_KEY_CARDMGM) {
res_APDU[res_APDU_size++] = 1; res_APDU[res_APDU_size++] = 0x3;
res_APDU[res_APDU_size++] = meta[3]; res_APDU[res_APDU_size++] = 1;
if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096 || meta[0] == PIV_ALGO_ECCP256 || meta[0] == PIV_ALGO_ECCP384) { res_APDU[res_APDU_size++] = meta[3];
res_APDU[res_APDU_size++] = 0x4; if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096 || meta[0] == PIV_ALGO_ECCP256 || meta[0] == PIV_ALGO_ECCP384) {
res_APDU[res_APDU_size++] = 0; // Filled later res_APDU[res_APDU_size++] = 0x4;
uint8_t *pk = &res_APDU[res_APDU_size]; res_APDU[res_APDU_size++] = 0; // Filled later
if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096) { uint8_t *pk = &res_APDU[res_APDU_size];
mbedtls_rsa_context ctx; if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096) {
mbedtls_rsa_init(&ctx); mbedtls_rsa_context ctx;
int r = load_private_key_rsa(&ctx, ef_key, false); mbedtls_rsa_init(&ctx);
if (r != PICOKEY_OK) { int r = load_private_key_rsa(&ctx, ef_key, false);
mbedtls_rsa_free(&ctx); if (r != PICOKEY_OK) {
return SW_EXEC_ERROR(); mbedtls_rsa_free(&ctx);
} return SW_EXEC_ERROR();
res_APDU[res_APDU_size++] = 0x81; }
res_APDU[res_APDU_size++] = 0x82;
put_uint16_t_be(mbedtls_mpi_size(&ctx.N), res_APDU + res_APDU_size); res_APDU_size += 2;
mbedtls_mpi_write_binary(&ctx.N, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.N));
res_APDU_size += mbedtls_mpi_size(&ctx.N);
res_APDU[res_APDU_size++] = 0x82;
res_APDU[res_APDU_size++] = mbedtls_mpi_size(&ctx.E) & 0xff;
mbedtls_mpi_write_binary(&ctx.E, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.E));
res_APDU_size += mbedtls_mpi_size(&ctx.E);
mbedtls_rsa_free(&ctx);
}
else {
mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_init(&ctx);
int r = load_private_key_ecdsa(&ctx, ef_key, false);
if (r != PICOKEY_OK) {
mbedtls_ecdsa_free(&ctx);
return SW_EXEC_ERROR();
}
uint8_t pt[MBEDTLS_ECP_MAX_PT_LEN];
size_t plen = 0;
mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &plen, pt, sizeof(pt));
mbedtls_ecdsa_free(&ctx);
res_APDU[res_APDU_size++] = 0x86;
if (plen >= 128) {
res_APDU[res_APDU_size++] = 0x81; res_APDU[res_APDU_size++] = 0x81;
res_APDU[res_APDU_size++] = 0x82;
put_uint16_t_be(mbedtls_mpi_size(&ctx.N), res_APDU + res_APDU_size); res_APDU_size += 2;
mbedtls_mpi_write_binary(&ctx.N, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.N));
res_APDU_size += mbedtls_mpi_size(&ctx.N);
res_APDU[res_APDU_size++] = 0x82;
res_APDU[res_APDU_size++] = mbedtls_mpi_size(&ctx.E) & 0xff;
mbedtls_mpi_write_binary(&ctx.E, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.E));
res_APDU_size += mbedtls_mpi_size(&ctx.E);
mbedtls_rsa_free(&ctx);
}
else {
mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_init(&ctx);
int r = load_private_key_ecdsa(&ctx, ef_key, false);
if (r != PICOKEY_OK) {
mbedtls_ecdsa_free(&ctx);
return SW_EXEC_ERROR();
}
uint8_t pt[MBEDTLS_ECP_MAX_PT_LEN];
size_t plen = 0;
mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &plen, pt, sizeof(pt));
mbedtls_ecdsa_free(&ctx);
res_APDU[res_APDU_size++] = 0x86;
if (plen >= 128) {
res_APDU[res_APDU_size++] = 0x81;
}
res_APDU[res_APDU_size++] = plen;
memcpy(res_APDU + res_APDU_size, pt, plen);
res_APDU_size += plen;
}
uint16_t pk_len = res_APDU_size - (pk - res_APDU);
if (pk_len > 255) {
memmove(pk + 2, pk, pk_len);
pk[-1] = 0x82;
pk[0] = pk_len >> 8;
pk[1] = pk_len & 0xff;
res_APDU_size += 2;
}
else if (pk_len > 127) {
memmove(pk + 1, pk, pk_len);
pk[-1] = 0x81;
pk[0] = pk_len;
res_APDU_size += 1;
}
else {
pk[-1] = pk_len;
} }
res_APDU[res_APDU_size++] = plen;
memcpy(res_APDU + res_APDU_size, pt, plen);
res_APDU_size += plen;
}
uint16_t pk_len = res_APDU_size - (pk - res_APDU);
if (pk_len > 255) {
memmove(pk + 2, pk, pk_len);
pk[-1] = 0x82;
pk[0] = pk_len >> 8;
pk[1] = pk_len & 0xff;
res_APDU_size += 2;
}
else if (pk_len > 127) {
memmove(pk + 1, pk, pk_len);
pk[-1] = 0x81;
pk[0] = pk_len;
res_APDU_size += 1;
}
else {
pk[-1] = pk_len;
} }
} }
} }
if (key_ref == EF_PIV_PIN || key_ref == EF_PIV_PUK || key_ref == EF_PIV_KEY_CARDMGM) { if (key_ref == EF_PIV_PIN || key_ref == EF_PIV_PUK || key_ref == EF_PIV_KEY_CARDMGM) {
uint8_t dhash[32]; uint8_t dhash[32];
int32_t eq = false; int32_t eq = 0;
if (key_ref == EF_PIV_PIN) { if (key_ref == EF_PIV_PIN) {
double_hash_pin((const uint8_t *)"\x31\x32\x33\x34\x35\x36\xFF\xFF", 8, dhash); double_hash_pin((const uint8_t *)"\x31\x32\x33\x34\x35\x36\xFF\xFF", 8, dhash);
eq = memcmp(dhash, file_get_data(ef_key) + 1, file_get_size(ef_key) - 1); eq = memcmp(dhash, file_get_data(ef_key) + 1, file_get_size(ef_key) - 1);
@@ -539,7 +541,7 @@ static int cmd_get_metadata() {
} }
res_APDU[res_APDU_size++] = 0x5; res_APDU[res_APDU_size++] = 0x5;
res_APDU[res_APDU_size++] = 1; res_APDU[res_APDU_size++] = 1;
res_APDU[res_APDU_size++] = eq; res_APDU[res_APDU_size++] = eq == 0;
if (key_ref == EF_PIV_PIN || key_ref == EF_PIV_PUK) { if (key_ref == EF_PIV_PIN || key_ref == EF_PIV_PUK) {
file_t *pw_status; file_t *pw_status;
if (!(pw_status = search_by_fid(EF_PW_PRIV, NULL, SPECIFY_EF))) { if (!(pw_status = search_by_fid(EF_PW_PRIV, NULL, SPECIFY_EF))) {
@@ -983,12 +985,13 @@ static int cmd_set_mgmkey() {
} }
uint8_t touch = P2(apdu); uint8_t touch = P2(apdu);
if (touch != 0xFF && touch != 0xFE) { if (touch != 0xFF && touch != 0xFE) {
if (touch == 0xFF) { return SW_INCORRECT_P1P2();
touch = TOUCHPOLICY_NEVER; }
} if (touch == 0xFF) {
else if (touch == 0xFE) { touch = TOUCHPOLICY_NEVER;
touch = TOUCHPOLICY_ALWAYS; }
} else if (touch == 0xFE) {
touch = TOUCHPOLICY_ALWAYS;
} }
uint8_t algo = apdu.data[0], key_ref = apdu.data[1], pinlen = apdu.data[2]; uint8_t algo = apdu.data[0], key_ref = apdu.data[1], pinlen = apdu.data[2];
if ((key_ref != EF_PIV_KEY_CARDMGM) || (!(algo == PIV_ALGO_AES128 && pinlen == 16) && !(algo == PIV_ALGO_AES192 && pinlen == 24) && !(algo == PIV_ALGO_AES256 && pinlen == 32) && !(algo == PIV_ALGO_3DES && pinlen == 24))) { if ((key_ref != EF_PIV_KEY_CARDMGM) || (!(algo == PIV_ALGO_AES128 && pinlen == 16) && !(algo == PIV_ALGO_AES192 && pinlen == 24) && !(algo == PIV_ALGO_AES256 && pinlen == 32) && !(algo == PIV_ALGO_3DES && pinlen == 24))) {