Merge remote-tracking branch 'origin/main'

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

.github/workflows/codeql.yml

@@ -35,7 +35,7 @@ jobs:
         language: [ 'cpp', 'python' ]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-        mode: [ 'pico', 'esp32', 'local' ]
+        mode: [ 'pico', 'local' ]
 
     steps:
     - name: Checkout repository

.github/workflows/nightly.yml

@@ -19,13 +19,20 @@ jobs:
         with:
           ref: ${{ matrix.refs }}
           submodules: 'recursive'
+      - name: Restore private key
+        run: |
+          echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > private.pem
+          chmod 600 private.pem
       - name : Build
         env:
           PICO_SDK_PATH: ../pico-sdk
+          SECURE_BOOT_PKEY: ../private.pem
         run: |
            ./workflows/autobuild.sh pico
-           ./build_pico_openpgp.sh
+           ./build_pico_openpgp.sh --no-eddsa
            ./workflows/autobuild.sh esp32
+      - name: Delete private key
+        run: rm private.pem
       - name: Update nightly release
         uses: pyTooling/Actions/releaser@main
         with:

.github/workflows/test.yml

@@ -14,10 +14,10 @@ name: "Emulation and test"
 on:
   workflow_dispatch:
   push:
-    branches: [ "main", "piv" ]
+    branches: [ "main", "piv", "eddsa" ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main", "piv" ]
+    branches: [ "main", "piv", "eddsa" ]
   schedule:
     - cron: '23 5 * * 4'
 

CMakeLists.txt

@@ -45,6 +45,13 @@ else()
     add_executable(pico_openpgp)
 endif()
 
+set(USB_ITF_CCID 1)
+set(USB_ITF_WCID 1)
+include(pico-keys-sdk/pico_keys_sdk_import.cmake)
+
+if(NOT ESP_PLATFORM)
+    set(SOURCES ${PICO_KEYS_SOURCES})
+endif()
 set(SOURCES ${SOURCES}
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/openpgp.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/files.c
@@ -67,12 +74,9 @@ set(SOURCES ${SOURCES}
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_keypair_gen.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/cmd_reset_retry.c
         ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/do.c
+        ${CMAKE_CURRENT_LIST_DIR}/src/openpgp/defs.c
 )
 
-set(USB_ITF_CCID 1)
-set(USB_ITF_WCID 1)
-include(pico-keys-sdk/pico_keys_sdk_import.cmake)
-
 SET_VERSION(ver_major ver_minor "${CMAKE_CURRENT_LIST_DIR}/src/openpgp/version.h" 1)
 
 if(ESP_PLATFORM)

README.md

@@ -3,6 +3,8 @@ This project aims at transforming your Raspberry Pico or ESP32 microcontroller i
 
 OpenPGP cards are used to manage PGP keys and do cryptographic operations, such as keypair generation, signing and asymmetric deciphering. Pico OpenPGP follows the [**OpenPGP 3.4.1** specifications](https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.pdf "**OpenPGP 3.4.1** specifications"), available at [GnuPG](http://gnupg.org "GnuPG").
 
+If you are looking for a OpenPGP + Fido, see: https://github.com/polhenarejos/pico-fido2
+
 ## Features
 Pico OpenPGP has implemented the following features:
 

VERSION

@@ -1 +1 @@
-Version=3.4
+Version=3.6

build_pico_openpgp.sh

@@ -1,23 +1,48 @@
 #!/bin/bash
 
 VERSION_MAJOR="3"
-VERSION_MINOR="4"
+VERSION_MINOR="6"
+NO_EDDSA=0
 SUFFIX="${VERSION_MAJOR}.${VERSION_MINOR}"
 #if ! [[ -z "${GITHUB_SHA}" ]]; then
 #    SUFFIX="${SUFFIX}.${GITHUB_SHA}"
 #fi
 
-rm -rf release/*
+if [[ $1 == "--no-eddsa" ]]; then
+    NO_EDDSA=1
+    echo "Skipping EDDSA build"
+fi
+
 mkdir -p build_release
 mkdir -p release
+mkdir -p release_eddsa
+rm -rf -- release/*
+if [[ $NO_EDDSA -eq 0 ]]; then
+    rm -rf -- release_eddsa/*
+fi
 cd build_release
+
 PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}"
+SECURE_BOOT_PKEY="${SECURE_BOOT_PKEY:-../../ec_private_key.pem}"
 board_dir=${PICO_SDK_PATH}/src/boards/include/boards
 for board in "$board_dir"/*
 do
-    board_name="$(basename -- $board .h)"
-    rm -rf *
-    PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name
+    board_name="$(basename -- "$board" .h)"
+    rm -rf -- ./*
+    PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=${SECURE_BOOT_PKEY}
     make -j`nproc`
     mv pico_openpgp.uf2 ../release/pico_openpgp_$board_name-$SUFFIX.uf2
 done
+
+# Build with EDDSA
+
+if [[ $NO_EDDSA -eq 0 ]]; then
+    for board in "$board_dir"/*
+    do
+        board_name="$(basename -- "$board" .h)"
+        rm -rf -- ./*
+        PICO_SDK_PATH="${PICO_SDK_PATH}" cmake .. -DPICO_BOARD=$board_name -DSECURE_BOOT_PKEY=${SECURE_BOOT_PKEY} -DENABLE_EDDSA=1
+        make -j`nproc`
+        mv pico_openpgp.uf2 ../release_eddsa/pico_openpgp_$board_name-$SUFFIX-eddsa1.uf2
+    done
+fi

src/openpgp/CMakeLists.txt

@@ -1,6 +1,6 @@
 idf_component_register(
     SRCS ${SOURCES}
-    INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb
-    REQUIRES bootloader_support esp_partition esp_tinyusb zorxx__neopixel mbedtls efuse
+    INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb ../../pico-keys-sdk/tinycbor/src
+    REQUIRES mbedtls efuse
 )
 idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON)

src/openpgp/cmd_change_pin.c

@@ -29,6 +29,10 @@ int cmd_change_pin() {
     }
     uint8_t pin_len = file_get_data(pw)[0];
     uint16_t r = 0;
+    r = check_pin(pw, apdu.data, pin_len);
+    if (r != 0x9000) {
+        return r;
+    }
     if ((r = load_dek()) != PICOKEY_OK) {
         return SW_EXEC_ERROR();
     }
@@ -38,10 +42,6 @@ int cmd_change_pin() {
             dek[IV_SIZE + i] ^= otp_key_1[i];
         }
     }
-    r = check_pin(pw, apdu.data, pin_len);
-    if (r != 0x9000) {
-        return r;
-    }
     uint8_t dhash[33];
     dhash[0] = apdu.nc - pin_len;
     double_hash_pin(apdu.data + pin_len, apdu.nc - pin_len, dhash + 1);

src/openpgp/cmd_import_data.c

@@ -156,8 +156,8 @@ int cmd_import_data() {
             return SW_EXEC_ERROR();
         }
     }
-    else if (algo[0] == ALGO_ECDSA || algo[0] == ALGO_ECDH) {
-        mbedtls_ecdsa_context ecdsa;
+    else if (algo[0] == ALGO_ECDSA || algo[0] == ALGO_ECDH || algo[0] == ALGO_EDDSA) {
+        mbedtls_ecp_keypair ecdsa;
         if (p[1] == NULL || len[1] == 0) {
             return SW_WRONG_DATA();
         }
@@ -165,7 +165,7 @@ int cmd_import_data() {
         if (gid == MBEDTLS_ECP_DP_NONE) {
             return SW_FUNC_NOT_SUPPORTED();
         }
-        mbedtls_ecdsa_init(&ecdsa);
+        mbedtls_ecp_keypair_init(&ecdsa);
         if (gid == MBEDTLS_ECP_DP_CURVE25519) {
             mbedtls_ecp_group_load(&ecdsa.grp, gid);
             r = mbedtls_mpi_read_binary(&ecdsa.d, p[1], len[1]);
@@ -174,17 +174,25 @@ int cmd_import_data() {
             r = mbedtls_ecp_read_key(gid, &ecdsa, p[1], len[1]);
         }
         if (r != 0) {
-            mbedtls_ecdsa_free(&ecdsa);
+            mbedtls_ecp_keypair_free(&ecdsa);
             return SW_EXEC_ERROR();
         }
-        r = mbedtls_ecp_mul(&ecdsa.grp, &ecdsa.Q, &ecdsa.d, &ecdsa.grp.G, random_gen, NULL);
+#ifdef MBEDTLS_EDDSA_C
+        if (ecdsa.grp.id == MBEDTLS_ECP_DP_ED25519) {
+            r = mbedtls_ecp_point_edwards(&ecdsa.grp, &ecdsa.Q, &ecdsa.d, random_gen, NULL);
+        }
+        else
+#endif
+        {
+            r = mbedtls_ecp_mul(&ecdsa.grp, &ecdsa.Q, &ecdsa.d, &ecdsa.grp.G, random_gen, NULL);
+        }
         if (r != 0) {
-            mbedtls_ecdsa_free(&ecdsa);
+            mbedtls_ecp_keypair_free(&ecdsa);
             return SW_EXEC_ERROR();
         }
         r = store_keys(&ecdsa, ALGO_ECDSA, fid, true);
         make_ecdsa_response(&ecdsa);
-        mbedtls_ecdsa_free(&ecdsa);
+        mbedtls_ecp_keypair_free(&ecdsa);
         if (r != PICOKEY_OK) {
             return SW_EXEC_ERROR();
         }

src/openpgp/cmd_internal_aut.c

@@ -37,7 +37,7 @@ int cmd_internal_aut() {
     if (!ef) {
         return SW_REFERENCE_NOT_FOUND();
     }
-    if (wait_button_pressed(EF_UIF_AUT) == true) {
+    if (wait_button_pressed_fid(EF_UIF_AUT) == true) {
         return SW_SECURE_MESSAGE_EXEC_ERROR();
     }
     int r = PICOKEY_OK;
@@ -57,17 +57,17 @@ int cmd_internal_aut() {
         }
         res_APDU_size = olen;
     }
-    else if (algo[0] == ALGO_ECDH || algo[0] == ALGO_ECDSA) {
-        mbedtls_ecdsa_context ctx;
-        mbedtls_ecdsa_init(&ctx);
+    else if (algo[0] == ALGO_ECDH || algo[0] == ALGO_ECDSA || algo[0] == ALGO_EDDSA) {
+        mbedtls_ecp_keypair ctx;
+        mbedtls_ecp_keypair_init(&ctx);
         r = load_private_key_ecdsa(&ctx, ef, true);
         if (r != PICOKEY_OK) {
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             return SW_EXEC_ERROR();
         }
         size_t olen = 0;
         r = ecdsa_sign(&ctx, apdu.data, apdu.nc, res_APDU, &olen);
-        mbedtls_ecdsa_free(&ctx);
+        mbedtls_ecp_keypair_free(&ctx);
         if (r != 0) {
             return SW_EXEC_ERROR();
         }

src/openpgp/cmd_keypair_gen.c

@@ -76,23 +76,23 @@ int cmd_keypair_gen() {
                 return SW_EXEC_ERROR();
             }
         }
-        else if (algo[0] == ALGO_ECDH || algo[0] == ALGO_ECDSA) {
+        else if (algo[0] == ALGO_ECDH || algo[0] == ALGO_ECDSA || algo[0] == ALGO_EDDSA) {
             printf("KEYPAIR ECDSA\r\n");
             mbedtls_ecp_group_id gid = get_ec_group_id_from_attr(algo + 1, algo_len - 1);
             if (gid == MBEDTLS_ECP_DP_NONE) {
                 return SW_FUNC_NOT_SUPPORTED();
             }
-            mbedtls_ecdsa_context ecdsa;
-            mbedtls_ecdsa_init(&ecdsa);
+            mbedtls_ecp_keypair ecdsa;
+            mbedtls_ecp_keypair_init(&ecdsa);
             uint8_t index = 0;
             r = mbedtls_ecdsa_genkey(&ecdsa, gid, random_gen, &index);
             if (r != 0) {
-                mbedtls_ecdsa_free(&ecdsa);
+                mbedtls_ecp_keypair_free(&ecdsa);
                 return SW_EXEC_ERROR();
             }
             r = store_keys(&ecdsa, algo[0], fid, true);
             make_ecdsa_response(&ecdsa);
-            mbedtls_ecdsa_free(&ecdsa);
+            mbedtls_ecp_keypair_free(&ecdsa);
             if (r != PICOKEY_OK) {
                 return SW_EXEC_ERROR();
             }
@@ -127,7 +127,7 @@ int cmd_keypair_gen() {
     }
     else if (P1(apdu) == 0x81) { //read
         file_t *ef = search_by_fid(fid + 3, NULL, SPECIFY_EF);
-        if (!ef || !ef->data) {
+        if (!file_has_data(ef)) {
             return SW_REFERENCE_NOT_FOUND();
         }
         res_APDU_size = file_get_size(ef);

src/openpgp/cmd_pso.c

@@ -66,7 +66,7 @@ int cmd_pso() {
     if (!ef) {
         return SW_REFERENCE_NOT_FOUND();
     }
-    if (wait_button_pressed(pk_fid == EF_PK_SIG ? EF_UIF_SIG : EF_UIF_DEC) == true) {
+    if (wait_button_pressed_fid(pk_fid == EF_PK_SIG ? EF_UIF_SIG : EF_UIF_DEC) == true) {
         return SW_SECURE_MESSAGE_EXEC_ERROR();
     }
     int r = PICOKEY_OK;
@@ -137,18 +137,18 @@ int cmd_pso() {
             res_APDU_size = olen;
         }
     }
-    else if (algo[0] == ALGO_ECDH || algo[0] == ALGO_ECDSA) {
+    else if (algo[0] == ALGO_ECDH || algo[0] == ALGO_ECDSA || algo[0] == ALGO_EDDSA) {
         if (P1(apdu) == 0x9E && P2(apdu) == 0x9A) {
-            mbedtls_ecdsa_context ctx;
-            mbedtls_ecdsa_init(&ctx);
+            mbedtls_ecp_keypair ctx;
+            mbedtls_ecp_keypair_init(&ctx);
             r = load_private_key_ecdsa(&ctx, ef, true);
             if (r != PICOKEY_OK) {
-                mbedtls_ecdsa_free(&ctx);
+                mbedtls_ecp_keypair_free(&ctx);
                 return SW_EXEC_ERROR();
             }
             size_t olen = 0;
             r = ecdsa_sign(&ctx, apdu.data, apdu.nc, res_APDU, &olen);
-            mbedtls_ecdsa_free(&ctx);
+            mbedtls_ecp_keypair_free(&ctx);
             if (r != 0) {
                 return SW_EXEC_ERROR();
             }

src/openpgp/cmd_reset_retry.c

@@ -16,6 +16,7 @@
  */
 
 #include "openpgp.h"
+#include "otp.h"
 
 int cmd_reset_retry() {
     if (P2(apdu) != 0x81) {
@@ -44,6 +45,8 @@ int cmd_reset_retry() {
             newpin_len = apdu.nc - pin_len;
             has_rc = true;
             hash_multi(apdu.data, pin_len, session_rc);
+            has_pw1 = has_pw3 = false;
+            isUserAuthenticated = false;
         }
         else if (P1(apdu) == 0x2) {
             if (!has_pw3) {
@@ -59,6 +62,11 @@ int cmd_reset_retry() {
         if (!tf) {
             return SW_REFERENCE_NOT_FOUND();
         }
+        if (otp_key_1) {
+            for (int i = 0; i < 32; i++) {
+                dek[IV_SIZE + i] ^= otp_key_1[i];
+            }
+        }
         uint8_t def[IV_SIZE + 32 + 32 + 32 + 32];
         memcpy(def, file_get_data(tf), file_get_size(tf));
         hash_multi(apdu.data + (apdu.nc - newpin_len), newpin_len, session_pw1);
@@ -74,6 +82,9 @@ int cmd_reset_retry() {
             return SW_MEMORY_FAILURE();
         }
         low_flash_available();
+        if ((r = load_dek()) != PICOKEY_OK) {
+            return SW_EXEC_ERROR();
+        }
         return SW_OK();
     }
     return SW_INCORRECT_P1P2();

src/openpgp/cmd_terminate_df.c

@@ -32,6 +32,6 @@ int cmd_terminate_df() {
         return SW_WRONG_LENGTH();
     }
     initialize_flash(true);
-    scan_files();
+    scan_files_openpgp();
     return SW_OK();
 }

src/openpgp/cmd_version.c

@@ -18,7 +18,7 @@
 #include "openpgp.h"
 #include "version.h"
 
-int cmd_version() {
+int cmd_version_openpgp() {
     res_APDU[res_APDU_size++] = PIPGP_VERSION_MAJOR;
     res_APDU[res_APDU_size++] = PIPGP_VERSION_MINOR;
     res_APDU[res_APDU_size++] = 0x0;

src/openpgp/defs.c

@@ -0,0 +1,20 @@
+/*
+ * This file is part of the Pico OpenPGP distribution (https://github.com/polhenarejos/pico-openpgp).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "openpgp.h"
+
+uint8_t PICO_PRODUCT = 3;

src/openpgp/do.c

@@ -28,12 +28,7 @@ int parse_do(uint16_t *fids, int mode) {
                 data_len = ((int (*)(const file_t *, int))(ef->data))((const file_t *) ef, mode);
             }
             else {
-                if (ef->data) {
-                    data_len = file_get_size(ef);
-                }
-                else {
-                    data_len = 0;
-                }
+                data_len = file_get_size(ef);
                 if (mode == 1) {
                     if (fids[0] > 1 && res_APDU_size > 0) {
                         if (fids[i + 1] < 0x0100) {
@@ -45,7 +40,7 @@ int parse_do(uint16_t *fids, int mode) {
                         }
                         res_APDU_size += format_tlv_len(data_len, res_APDU + res_APDU_size);
                     }
-                    if (ef->data) {
+                    if (file_has_data(ef)) {
                         memcpy(res_APDU + res_APDU_size, file_get_data(ef), data_len);
                     }
                     res_APDU_size += data_len;
@@ -174,20 +169,6 @@ int parse_pw_status(const file_t *f, int mode) {
     return res_APDU_size - init_len;
 }
 
-#define ALGO_RSA_1K     0
-#define ALGO_RSA_2k     1
-#define ALGO_RSA_3K     2
-#define ALGO_RSA_4K     3
-#define ALGO_X448       4
-#define ALGO_P256K1     5
-#define ALGO_P256R1     6
-#define ALGO_P384R1     7
-#define ALGO_P521R1     8
-#define ALGO_BP256R1    9
-#define ALGO_BP384R1    10
-#define ALGO_BP512R1    11
-#define ALGO_CV22519    12
-
 const uint8_t algorithm_attr_x448[] = {
     4,
     ALGO_ECDH,
@@ -275,6 +256,20 @@ const uint8_t algorithm_attr_cv25519[] = {
     0x2b, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01
 };
 
+#ifdef MBEDTLS_EDDSA_C
+const uint8_t algorithm_attr_ed25519[] = {
+    10,
+    ALGO_EDDSA,
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0xda, 0x47, 0x0f, 0x01
+};
+
+const uint8_t algorithm_attr_ed448[] = {
+    4,
+    ALGO_EDDSA,
+    0x2b, 0x65, 0x71
+};
+#endif
+
 int parse_algo(const uint8_t *algo, uint16_t tag) {
     res_APDU[res_APDU_size++] = tag & 0xff;
     memcpy(res_APDU + res_APDU_size, algo, algo[0] + 1);
@@ -300,6 +295,10 @@ int parse_algoinfo(const file_t *f, int mode) {
         datalen += parse_algo(algorithm_attr_bp256r1, EF_ALGO_SIG);
         datalen += parse_algo(algorithm_attr_bp384r1, EF_ALGO_SIG);
         datalen += parse_algo(algorithm_attr_bp512r1, EF_ALGO_SIG);
+#ifdef MBEDTLS_EDDSA_C
+        datalen += parse_algo(algorithm_attr_ed25519, EF_ALGO_SIG);
+        datalen += parse_algo(algorithm_attr_ed448, EF_ALGO_SIG);
+#endif
 
         datalen += parse_algo(algorithm_attr_rsa1k, EF_ALGO_DEC);
         datalen += parse_algo(algorithm_attr_rsa2k, EF_ALGO_DEC);
@@ -326,6 +325,10 @@ int parse_algoinfo(const file_t *f, int mode) {
         datalen += parse_algo(algorithm_attr_bp256r1, EF_ALGO_AUT);
         datalen += parse_algo(algorithm_attr_bp384r1, EF_ALGO_AUT);
         datalen += parse_algo(algorithm_attr_bp512r1, EF_ALGO_AUT);
+#ifdef MBEDTLS_EDDSA_C
+        datalen += parse_algo(algorithm_attr_ed25519, EF_ALGO_AUT);
+        datalen += parse_algo(algorithm_attr_ed448, EF_ALGO_AUT);
+#endif
         uint16_t lpdif = res_APDU + res_APDU_size - lp - 2;
         *lp++ = lpdif >> 8;
         *lp++ = lpdif & 0xff;

src/openpgp/do.h

@@ -26,3 +26,7 @@ extern const uint8_t algorithm_attr_cv25519[];
 extern const uint8_t algorithm_attr_x448[];
 extern const uint8_t algorithm_attr_rsa2k[];
 extern const uint8_t algorithm_attr_rsa4096[];
+#ifdef MBEDTLS_EDDSA_C
+extern const uint8_t algorithm_attr_ed25519[];
+extern const uint8_t algorithm_attr_ed448[];
+#endif

src/openpgp/openpgp.c

@@ -30,8 +30,9 @@
 #include "ccid/ccid.h"
 #include "otp.h"
 #include "do.h"
-
-uint8_t PICO_PRODUCT = 3;
+#ifdef MBEDTLS_EDDSA_C
+#include "mbedtls/eddsa.h"
+#endif
 
 bool has_pw1 = false;
 bool has_pw2 = false;
@@ -64,7 +65,7 @@ int openpgp_process_apdu();
 
 extern uint32_t board_button_read(void);
 
-bool wait_button_pressed(uint16_t fid) {
+bool wait_button_pressed_fid(uint16_t fid) {
     uint32_t val = EV_PRESS_BUTTON;
 #ifndef ENABLE_EMULATION
     file_t *ef = search_by_fid(fid, NULL, SPECIFY_ANY);
@@ -96,7 +97,7 @@ void select_file(file_t *pe) {
     }
 }
 
-void scan_files() {
+void scan_files_openpgp() {
     scan_flash();
     file_t *ef;
     if ((ef = search_by_fid(EF_FULL_AID, NULL, SPECIFY_ANY))) {
@@ -285,7 +286,7 @@ void init_openpgp() {
     algo_aut = EF_ALGO_PRIV3;
     pk_dec = EF_PK_DEC;
     pk_aut = EF_PK_AUT;
-    scan_files();
+    scan_files_openpgp();
     //cmd_select();
 }
 
@@ -488,8 +489,8 @@ int store_keys(void *key_ctx, int type, uint16_t key_id, bool use_kek) {
         mbedtls_mpi_write_binary(&rsa->P, kdata, key_size / 2);
         mbedtls_mpi_write_binary(&rsa->Q, kdata + key_size / 2, key_size / 2);
     }
-    else if (type == ALGO_ECDSA || type == ALGO_ECDH) {
-        mbedtls_ecdsa_context *ecdsa = (mbedtls_ecdsa_context *) key_ctx;
+    else if (type == ALGO_ECDSA || type == ALGO_ECDH || type == ALGO_EDDSA) {
+        mbedtls_ecp_keypair *ecdsa = (mbedtls_ecp_keypair *) key_ctx;
         size_t olen = 0;
         kdata[0] = ecdsa->grp.id & 0xff;
         mbedtls_ecp_write_key_ext(ecdsa, &olen, kdata + 1, sizeof(kdata) - 1);
@@ -558,7 +559,7 @@ int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey, bool use_dek) {
     return PICOKEY_OK;
 }
 
-int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey, bool use_dek) {
+int load_private_key_ecdsa(mbedtls_ecp_keypair *ctx, file_t *fkey, bool use_dek) {
     int key_size = file_get_size(fkey);
     uint8_t kdata[67]; //Worst case, 521 bit + 1byte
     memcpy(kdata, file_get_data(fkey), key_size);
@@ -568,11 +569,19 @@ int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey, bool use_de
     mbedtls_ecp_group_id gid = kdata[0];
     int r = mbedtls_ecp_read_key(gid, ctx, kdata + 1, key_size - 1);
     if (r != 0) {
-        mbedtls_ecdsa_free(ctx);
+        mbedtls_ecp_keypair_free(ctx);
         return PICOKEY_EXEC_ERROR;
     }
     mbedtls_platform_zeroize(kdata, sizeof(kdata));
-    r = mbedtls_ecp_mul(&ctx->grp, &ctx->Q, &ctx->d, &ctx->grp.G, random_gen, NULL);
+#ifdef MBEDTLS_EDDSA_C
+    if (ctx->grp.id == MBEDTLS_ECP_DP_ED25519 || ctx->grp.id == MBEDTLS_ECP_DP_ED448) {
+        r = mbedtls_ecp_point_edwards(&ctx->grp, &ctx->Q, &ctx->d, random_gen, NULL);
+    }
+    else
+#endif
+    {
+        r = mbedtls_ecp_mul(&ctx->grp, &ctx->Q, &ctx->d, &ctx->grp.G, random_gen, NULL);
+    }
     if (r != 0) {
         mbedtls_ecdsa_free(ctx);
         return PICOKEY_EXEC_ERROR;
@@ -617,6 +626,14 @@ mbedtls_ecp_group_id get_ec_group_id_from_attr(const uint8_t *algo, size_t algo_
     else if (memcmp(algorithm_attr_x448 + 2, algo, algo_len) == 0) {
         return MBEDTLS_ECP_DP_CURVE448;
     }
+#ifdef MBEDTLS_EDDSA_C
+    else if (memcmp(algorithm_attr_ed25519 + 2, algo, algo_len) == 0) {
+        return MBEDTLS_ECP_DP_ED25519;
+    }
+    else if (memcmp(algorithm_attr_ed448 + 2, algo, algo_len) == 0) {
+        return MBEDTLS_ECP_DP_ED448;
+    }
+#endif
     return MBEDTLS_ECP_DP_NONE;
 }
 
@@ -635,7 +652,7 @@ void make_rsa_response(mbedtls_rsa_context *rsa) {
     put_uint16_t_be(res_APDU_size - 5, res_APDU + 3);
 }
 
-void make_ecdsa_response(mbedtls_ecdsa_context *ecdsa) {
+void make_ecdsa_response(mbedtls_ecp_keypair *ecdsa) {
     uint8_t pt[MBEDTLS_ECP_MAX_PT_LEN];
     size_t plen = 0;
     mbedtls_ecp_point_write_binary(&ecdsa->grp,
@@ -728,23 +745,33 @@ int rsa_sign(mbedtls_rsa_context *ctx,
     return r;
 }
 
-int ecdsa_sign(mbedtls_ecdsa_context *ctx,
+int ecdsa_sign(mbedtls_ecp_keypair *ctx,
                const uint8_t *data,
                size_t data_len,
                uint8_t *out,
                size_t *out_len) {
-    mbedtls_mpi ri, si;
-    mbedtls_mpi_init(&ri);
-    mbedtls_mpi_init(&si);
-    int r = mbedtls_ecdsa_sign(&ctx->grp, &ri, &si, &ctx->d, data, data_len, random_gen, NULL);
-    if (r == 0) {
-        size_t plen = (ctx->grp.nbits + 7) / 8;
-        mbedtls_mpi_write_binary(&ri, out, plen);
-        mbedtls_mpi_write_binary(&si, out + plen, plen);
-        *out_len = 2 * plen;
+
+    int r = 0;
+#ifdef MBEDTLS_EDDSA_C
+    if (ctx->grp.id == MBEDTLS_ECP_DP_ED25519 || ctx->grp.id == MBEDTLS_ECP_DP_ED448) {
+           r = mbedtls_eddsa_write_signature(ctx, data, data_len, out, 114, out_len, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL);
+    }
+    else
+#endif
+    {
+        mbedtls_mpi ri, si;
+        mbedtls_mpi_init(&ri);
+        mbedtls_mpi_init(&si);
+        r = mbedtls_ecdsa_sign(&ctx->grp, &ri, &si, &ctx->d, data, data_len, random_gen, NULL);
+        if (r == 0) {
+            size_t plen = (ctx->grp.nbits + 7) / 8;
+            mbedtls_mpi_write_binary(&ri, out, plen);
+            mbedtls_mpi_write_binary(&si, out + plen, plen);
+            *out_len = 2 * plen;
+        }
+        mbedtls_mpi_free(&ri);
+        mbedtls_mpi_free(&si);
     }
-    mbedtls_mpi_free(&ri);
-    mbedtls_mpi_free(&si);
     return r;
 }
 
@@ -754,7 +781,7 @@ extern int cmd_get_next_data();
 extern int cmd_put_data();
 extern int cmd_verify();
 extern int cmd_select_data();
-extern int cmd_version();
+extern int cmd_version_openpgp();
 extern int cmd_import_data();
 extern int cmd_change_pin();
 extern int cmd_mse();
@@ -799,7 +826,7 @@ static const cmd_t cmds[] = {
     { INS_INTERNAL_AUT, cmd_internal_aut },
     { INS_MSE, cmd_mse },
     { INS_IMPORT_DATA, cmd_import_data },
-    { INS_VERSION, cmd_version },
+    { INS_VERSION, cmd_version_openpgp },
     { INS_SELECT_DATA, cmd_select_data },
     { INS_GET_NEXT_DATA, cmd_get_next_data },
     { 0x00, 0x0 }

src/openpgp/openpgp.h

@@ -59,6 +59,7 @@ extern int pin_reset_retries(const file_t *pin, bool force);
 #define ALGO_RSA        0x01
 #define ALGO_ECDH       0x12
 #define ALGO_ECDSA      0x13
+#define ALGO_EDDSA      0x16
 #define ALGO_AES        0x70
 #define ALGO_AES_128    0x71
 #define ALGO_AES_192    0x72
@@ -71,8 +72,8 @@ extern int check_pin(const file_t *pin, const uint8_t *data, size_t len);
 extern mbedtls_ecp_group_id get_ec_group_id_from_attr(const uint8_t *algo, size_t algo_len);
 extern int reset_sig_count();
 extern uint16_t algo_dec, algo_aut, pk_dec, pk_aut;
-extern bool wait_button_pressed(uint16_t fid);
-extern void scan_files();
+extern bool wait_button_pressed_fid(uint16_t fid);
+extern void scan_files_openpgp();
 extern int load_aes_key(uint8_t *aes_key, file_t *fkey);
 extern int inc_sig_count();
 extern int dek_encrypt(uint8_t *data, size_t len);

src/openpgp/piv.c

@@ -218,7 +218,7 @@ static void scan_files_piv() {
             uint8_t *key = (uint8_t *)"\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08";
             file_t *ef = search_by_fid(EF_PIV_KEY_CARDMGM, NULL, SPECIFY_ANY);
             file_put_data(ef, key, 24);
-            uint8_t meta[] = { PIV_ALGO_AES192, PINPOLICY_ALWAYS, TOUCHPOLICY_ALWAYS, ORIGIN_GENERATED };
+            uint8_t meta[] = { PIV_ALGO_AES192, PINPOLICY_ALWAYS, TOUCHPOLICY_ALWAYS };
             meta_add(EF_PIV_KEY_CARDMGM, meta, sizeof(meta));
             has_pwpiv = false;
             memset(session_pwpiv, 0, sizeof(session_pwpiv));
@@ -458,74 +458,76 @@ static int cmd_get_metadata() {
         res_APDU[res_APDU_size++] = 2;
         res_APDU[res_APDU_size++] = meta[1];
         res_APDU[res_APDU_size++] = meta[2];
-        res_APDU[res_APDU_size++] = 0x3;
-        res_APDU[res_APDU_size++] = 1;
-        res_APDU[res_APDU_size++] = meta[3];
-        if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096 || meta[0] == PIV_ALGO_ECCP256 || meta[0] == PIV_ALGO_ECCP384) {
-            res_APDU[res_APDU_size++] = 0x4;
-            res_APDU[res_APDU_size++] = 0; // Filled later
-            uint8_t *pk = &res_APDU[res_APDU_size];
-            if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096) {
-                mbedtls_rsa_context ctx;
-                mbedtls_rsa_init(&ctx);
-                int r = load_private_key_rsa(&ctx, ef_key, false);
-                if (r != PICOKEY_OK) {
-                    mbedtls_rsa_free(&ctx);
-                    return SW_EXEC_ERROR();
-                }
-                res_APDU[res_APDU_size++] = 0x81;
-                res_APDU[res_APDU_size++] = 0x82;
-                put_uint16_t_be(mbedtls_mpi_size(&ctx.N), res_APDU + res_APDU_size); res_APDU_size += 2;
-                mbedtls_mpi_write_binary(&ctx.N, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.N));
-                res_APDU_size += mbedtls_mpi_size(&ctx.N);
-                res_APDU[res_APDU_size++] = 0x82;
-                res_APDU[res_APDU_size++] = mbedtls_mpi_size(&ctx.E) & 0xff;
-                mbedtls_mpi_write_binary(&ctx.E, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.E));
-                res_APDU_size += mbedtls_mpi_size(&ctx.E);
-                mbedtls_rsa_free(&ctx);
-            }
-            else {
-                mbedtls_ecdsa_context ctx;
-                mbedtls_ecdsa_init(&ctx);
-                int r = load_private_key_ecdsa(&ctx, ef_key, false);
-                if (r != PICOKEY_OK) {
-                    mbedtls_ecdsa_free(&ctx);
-                    return SW_EXEC_ERROR();
-                }
-                uint8_t pt[MBEDTLS_ECP_MAX_PT_LEN];
-                size_t plen = 0;
-                mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &plen, pt, sizeof(pt));
-                mbedtls_ecdsa_free(&ctx);
-                res_APDU[res_APDU_size++] = 0x86;
-                if (plen >= 128) {
+        if (key_ref != EF_PIV_KEY_CARDMGM) {
+            res_APDU[res_APDU_size++] = 0x3;
+            res_APDU[res_APDU_size++] = 1;
+            res_APDU[res_APDU_size++] = meta[3];
+            if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096 || meta[0] == PIV_ALGO_ECCP256 || meta[0] == PIV_ALGO_ECCP384) {
+                res_APDU[res_APDU_size++] = 0x4;
+                res_APDU[res_APDU_size++] = 0; // Filled later
+                uint8_t *pk = &res_APDU[res_APDU_size];
+                if (meta[0] == PIV_ALGO_RSA1024 || meta[0] == PIV_ALGO_RSA2048 || meta[0] == PIV_ALGO_RSA3072 || meta[0] == PIV_ALGO_RSA4096) {
+                    mbedtls_rsa_context ctx;
+                    mbedtls_rsa_init(&ctx);
+                    int r = load_private_key_rsa(&ctx, ef_key, false);
+                    if (r != PICOKEY_OK) {
+                        mbedtls_rsa_free(&ctx);
+                        return SW_EXEC_ERROR();
+                    }
                     res_APDU[res_APDU_size++] = 0x81;
+                    res_APDU[res_APDU_size++] = 0x82;
+                    put_uint16_t_be(mbedtls_mpi_size(&ctx.N), res_APDU + res_APDU_size); res_APDU_size += 2;
+                    mbedtls_mpi_write_binary(&ctx.N, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.N));
+                    res_APDU_size += mbedtls_mpi_size(&ctx.N);
+                    res_APDU[res_APDU_size++] = 0x82;
+                    res_APDU[res_APDU_size++] = mbedtls_mpi_size(&ctx.E) & 0xff;
+                    mbedtls_mpi_write_binary(&ctx.E, res_APDU + res_APDU_size, mbedtls_mpi_size(&ctx.E));
+                    res_APDU_size += mbedtls_mpi_size(&ctx.E);
+                    mbedtls_rsa_free(&ctx);
+                }
+                else {
+                    mbedtls_ecdsa_context ctx;
+                    mbedtls_ecdsa_init(&ctx);
+                    int r = load_private_key_ecdsa(&ctx, ef_key, false);
+                    if (r != PICOKEY_OK) {
+                        mbedtls_ecdsa_free(&ctx);
+                        return SW_EXEC_ERROR();
+                    }
+                    uint8_t pt[MBEDTLS_ECP_MAX_PT_LEN];
+                    size_t plen = 0;
+                    mbedtls_ecp_point_write_binary(&ctx.grp, &ctx.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &plen, pt, sizeof(pt));
+                    mbedtls_ecdsa_free(&ctx);
+                    res_APDU[res_APDU_size++] = 0x86;
+                    if (plen >= 128) {
+                        res_APDU[res_APDU_size++] = 0x81;
+                    }
+                    res_APDU[res_APDU_size++] = plen;
+                    memcpy(res_APDU + res_APDU_size, pt, plen);
+                    res_APDU_size += plen;
+                }
+                uint16_t pk_len = res_APDU_size - (pk - res_APDU);
+                if (pk_len > 255) {
+                    memmove(pk + 2, pk, pk_len);
+                    pk[-1] = 0x82;
+                    pk[0] = pk_len >> 8;
+                    pk[1] = pk_len & 0xff;
+                    res_APDU_size += 2;
+                }
+                else if (pk_len > 127) {
+                    memmove(pk + 1, pk, pk_len);
+                    pk[-1] = 0x81;
+                    pk[0] = pk_len;
+                    res_APDU_size += 1;
+                }
+                else {
+                    pk[-1] = pk_len;
                 }
-                res_APDU[res_APDU_size++] = plen;
-                memcpy(res_APDU + res_APDU_size, pt, plen);
-                res_APDU_size += plen;
-            }
-            uint16_t pk_len = res_APDU_size - (pk - res_APDU);
-            if (pk_len > 255) {
-                memmove(pk + 2, pk, pk_len);
-                pk[-1] = 0x82;
-                pk[0] = pk_len >> 8;
-                pk[1] = pk_len & 0xff;
-                res_APDU_size += 2;
-            }
-            else if (pk_len > 127) {
-                memmove(pk + 1, pk, pk_len);
-                pk[-1] = 0x81;
-                pk[0] = pk_len;
-                res_APDU_size += 1;
-            }
-            else {
-                pk[-1] = pk_len;
             }
         }
     }
     if (key_ref == EF_PIV_PIN || key_ref == EF_PIV_PUK || key_ref == EF_PIV_KEY_CARDMGM) {
         uint8_t dhash[32];
-        int32_t eq = false;
+        int32_t eq = 0;
         if (key_ref == EF_PIV_PIN) {
             double_hash_pin((const uint8_t *)"\x31\x32\x33\x34\x35\x36\xFF\xFF", 8, dhash);
             eq = memcmp(dhash, file_get_data(ef_key) + 1, file_get_size(ef_key) - 1);
@@ -539,7 +541,7 @@ static int cmd_get_metadata() {
         }
         res_APDU[res_APDU_size++] = 0x5;
         res_APDU[res_APDU_size++] = 1;
-        res_APDU[res_APDU_size++] = eq;
+        res_APDU[res_APDU_size++] = eq == 0;
         if (key_ref == EF_PIV_PIN || key_ref == EF_PIV_PUK) {
             file_t *pw_status;
             if (!(pw_status = search_by_fid(EF_PW_PRIV, NULL, SPECIFY_EF))) {
@@ -983,12 +985,13 @@ static int cmd_set_mgmkey() {
     }
     uint8_t touch = P2(apdu);
     if (touch != 0xFF && touch != 0xFE) {
-        if (touch == 0xFF) {
-            touch = TOUCHPOLICY_NEVER;
-        }
-        else if (touch == 0xFE) {
-            touch = TOUCHPOLICY_ALWAYS;
-        }
+        return SW_INCORRECT_P1P2();
+    }
+    if (touch == 0xFF) {
+        touch = TOUCHPOLICY_NEVER;
+    }
+    else if (touch == 0xFE) {
+        touch = TOUCHPOLICY_ALWAYS;
     }
     uint8_t algo = apdu.data[0], key_ref = apdu.data[1], pinlen = apdu.data[2];
     if ((key_ref != EF_PIV_KEY_CARDMGM) || (!(algo == PIV_ALGO_AES128 && pinlen == 16) && !(algo == PIV_ALGO_AES192 && pinlen == 24) && !(algo == PIV_ALGO_AES256 && pinlen == 32) && !(algo == PIV_ALGO_3DES && pinlen == 24))) {

src/openpgp/version.h

@@ -29,7 +29,7 @@
 #define PIV_VERSION_MINOR (PIV_VERSION & 0xff)
 
 
-#define PIPGP_VERSION 0x0304
+#define PIPGP_VERSION 0x0306
 
 #define PIPGP_VERSION_MAJOR ((PIPGP_VERSION >> 8) & 0xff)
 #define PIPGP_VERSION_MINOR (PIPGP_VERSION & 0xff)

tests/build-in-docker.sh

@@ -3,5 +3,5 @@
 source tests/docker_env.sh
 #run_in_docker rm -rf CMakeFiles
 run_in_docker mkdir -p build_in_docker
-run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 ..
+run_in_docker -w "$PWD/build_in_docker" cmake -DENABLE_EMULATION=1 -DENABLE_EDDSA=1 ..
 run_in_docker -w "$PWD/build_in_docker" make -j ${NUM_PROC}