Skip to content

Commit

Permalink
Protect keydev if available (only for RP2350).
Browse files Browse the repository at this point in the history
Signed-off-by: Pol Henarejos <[email protected]>
  • Loading branch information
polhenarejos committed Sep 12, 2024
1 parent 95cae29 commit c43006f
Show file tree
Hide file tree
Showing 5 changed files with 27 additions and 3 deletions.
1 change: 1 addition & 0 deletions src/fido/cbor.c
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#include "pico_keys.h"
#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
#include "pico/stdlib.h"
#endif
Expand Down
7 changes: 6 additions & 1 deletion src/fido/cbor_make_credential.c
Original file line number Diff line number Diff line change
Expand Up @@ -440,7 +440,12 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
if (enterpriseAttestation == 2 || (ka && ka->use_self_attestation == pfalse)) {
mbedtls_ecdsa_free(&ekey);
mbedtls_ecdsa_init(&ekey);
ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &ekey, file_get_data(ef_keydev), 32);
uint8_t key[32] = {0};
if (load_keydev(key) != 0) {
CBOR_ERROR(CTAP1_ERR_OTHER);
}
ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &ekey, key, 32);
mbedtls_platform_zeroize(key, sizeof(key));
md = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
self_attestation = false;
}
Expand Down
8 changes: 7 additions & 1 deletion src/fido/cmd_register.c
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,13 @@ int cmd_register() {
return SW_EXEC_ERROR();
}
mbedtls_ecdsa_init(&key);
ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, file_get_data(ef_keydev), 32);
uint8_t key_dev[32] = {0};
ret = load_keydev(key_dev);
if (ret != CCID_OK) {
return SW_EXEC_ERROR();
}
ret = mbedtls_ecp_read_key(MBEDTLS_ECP_DP_SECP256R1, &key, key_dev, 32);
mbedtls_platform_zeroize(key_dev, sizeof(key_dev));
if (ret != CCID_OK) {
mbedtls_ecdsa_free(&key);
return SW_EXEC_ERROR();
Expand Down
12 changes: 12 additions & 0 deletions src/fido/fido.c
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@
#include "management.h"
#include "hid/ctap_hid.h"
#include "version.h"
#include "crypto_utils.h"
#include "otp.h"

int fido_process_apdu();
int fido_unload();
Expand Down Expand Up @@ -178,12 +180,19 @@ int load_keydev(uint8_t *key) {
if (has_keydev_dec == false && !file_has_data(ef_keydev)) {
return CCID_ERR_MEMORY_FATAL;
}

if (has_keydev_dec == true) {
memcpy(key, keydev_dec, sizeof(keydev_dec));
}
else {
memcpy(key, file_get_data(ef_keydev), file_get_size(ef_keydev));
#ifdef PICO_RP2350
if (aes_decrypt(otp_key_1, NULL, 32 * 8, PICO_KEYS_AES_MODE_CBC, key, 32) != CCID_OK) {
return CCID_EXEC_ERROR;
}
#endif
}

//return mkek_decrypt(key, file_get_size(ef_keydev));
return CCID_OK;
}
Expand Down Expand Up @@ -292,6 +301,9 @@ int scan_files() {
if (ret != CCID_OK) {
return ret;
}
#ifdef PICO_RP2350
ret = aes_encrypt(otp_key_1, NULL, 32 * 8, PICO_KEYS_AES_MODE_CBC, kdata, 32);
#endif
ret = file_put_data(ef_keydev, kdata, (uint16_t)key_size);
mbedtls_platform_zeroize(kdata, sizeof(kdata));
mbedtls_ecdsa_free(&ecdsa);
Expand Down

0 comments on commit c43006f

Please sign in to comment.