Fix PIN POLICY

polhenarejos · polhenarejos · commit 1e22908de1b7 · 2024-03-26T20:58:38.000+01:00
Signed-off-by: Pol Henarejos &lt;pol.henarejos@cttc.es&gt;
diff --git a/src/openpgp/piv.c b/src/openpgp/piv.c
@@ -541,7 +541,15 @@ static int cmd_authenticate() {
     if ((meta_len = meta_find(key_ref, &meta)) <= 0) {
         return SW_REFERENCE_NOT_FOUND();
     }
-    if (meta[1] == PINPOLICY_ALWAYS && !has_pwpiv && (key_ref == EF_PIV_KEY_AUTHENTICATION || key_ref == EF_PIV_KEY_SIGNATURE || key_ref == EF_PIV_KEY_KEYMGM || IS_RETIRED(key_ref))) {
+    if (meta[1] == PINPOLICY_DEFAULT) {
+        if (key_ref == EF_PIV_KEY_SIGNATURE) {
+            meta[1] = PINPOLICY_ALWAYS;
+        }
+        else {
+            meta[1] = PINPOLICY_ONCE;
+        }
+    }
+    if ((meta[1] == PINPOLICY_ALWAYS || meta[1] == PINPOLICY_ONCE) && (!has_pwpiv && (key_ref == EF_PIV_KEY_AUTHENTICATION || key_ref == EF_PIV_KEY_SIGNATURE || key_ref == EF_PIV_KEY_KEYMGM || key_ref == EF_PIV_KEY_CARDAUTH || IS_RETIRED(key_ref)))) {
         return SW_SECURITY_STATUS_NOT_SATISFIED();
     }
     uint8_t chal_len = (algo == PIV_ALGO_3DES ? sizeof(challenge) / 2 : sizeof(challenge));
@@ -778,6 +786,9 @@ static int cmd_authenticate() {
             }
         }
     }
+    if (meta[1] == PINPOLICY_ALWAYS) {
+        has_pwpiv = false;
+    }
     return SW_OK();
 }
 
@@ -878,7 +889,11 @@ static int cmd_asym_keygen() {
     }
     else if (a80.data[0] == PIV_ALGO_X25519) {
     }
-    uint8_t meta[] = {a80.data[0], asn1_len(&aaa) ? aaa.data[0] : PINPOLICY_ALWAYS, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_GENERATED};
+    uint8_t def_pinpol = PINPOLICY_ONCE;
+    if (key_ref == EF_PIV_KEY_SIGNATURE) {
+        def_pinpol = PINPOLICY_ALWAYS;
+    }
+    uint8_t meta[] = {a80.data[0], asn1_len(&aaa) ? aaa.data[0] : def_pinpol, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_GENERATED};
     meta_add(key_ref, meta, sizeof(meta));
     low_flash_available();
     return SW_OK();
@@ -1205,7 +1220,11 @@ static int cmd_import_asym() {
     else {
         return SW_WRONG_DATA();
     }
-    uint8_t meta[] = { algo,  asn1_len(&aaa) ? aaa.data[0] : PINPOLICY_ALWAYS, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_IMPORTED };
+    uint8_t def_pinpol = PINPOLICY_ONCE;
+    if (key_ref == EF_PIV_KEY_SIGNATURE) {
+        def_pinpol = PINPOLICY_ALWAYS;
+    }
+    uint8_t meta[] = { algo,  asn1_len(&aaa) ? aaa.data[0] : def_pinpol, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_IMPORTED };
     meta_add(key_ref, meta, sizeof(meta));
     return SW_OK();
 }

Original file line number	Diff line number	Diff line change
`@@ -541,7 +541,15 @@ static int cmd_authenticate() {`
`541`	`541`	`if ((meta_len = meta_find(key_ref, &meta)) <= 0) {`
`542`	`542`	`return SW_REFERENCE_NOT_FOUND();`
`543`	`543`	`}`
`544`		`- if (meta[1] == PINPOLICY_ALWAYS && !has_pwpiv && (key_ref == EF_PIV_KEY_AUTHENTICATION \|\| key_ref == EF_PIV_KEY_SIGNATURE \|\| key_ref == EF_PIV_KEY_KEYMGM \|\| IS_RETIRED(key_ref))) {`
	`544`	`+ if (meta[1] == PINPOLICY_DEFAULT) {`
	`545`	`+ if (key_ref == EF_PIV_KEY_SIGNATURE) {`
	`546`	`+ meta[1] = PINPOLICY_ALWAYS;`
	`547`	`+ }`
	`548`	`+ else {`
	`549`	`+ meta[1] = PINPOLICY_ONCE;`
	`550`	`+ }`
	`551`	`+ }`
	`552`	`+ if ((meta[1] == PINPOLICY_ALWAYS \|\| meta[1] == PINPOLICY_ONCE) && (!has_pwpiv && (key_ref == EF_PIV_KEY_AUTHENTICATION \|\| key_ref == EF_PIV_KEY_SIGNATURE \|\| key_ref == EF_PIV_KEY_KEYMGM \|\| key_ref == EF_PIV_KEY_CARDAUTH \|\| IS_RETIRED(key_ref)))) {`
`545`	`553`	`return SW_SECURITY_STATUS_NOT_SATISFIED();`
`546`	`554`	`}`
`547`	`555`	`uint8_t chal_len = (algo == PIV_ALGO_3DES ? sizeof(challenge) / 2 : sizeof(challenge));`
`@@ -778,6 +786,9 @@ static int cmd_authenticate() {`
`778`	`786`	`}`
`779`	`787`	`}`
`780`	`788`	`}`
	`789`	`+ if (meta[1] == PINPOLICY_ALWAYS) {`
	`790`	`+ has_pwpiv = false;`
	`791`	`+ }`
`781`	`792`	`return SW_OK();`
`782`	`793`	`}`
`783`	`794`
`@@ -878,7 +889,11 @@ static int cmd_asym_keygen() {`
`878`	`889`	`}`
`879`	`890`	`else if (a80.data[0] == PIV_ALGO_X25519) {`
`880`	`891`	`}`
`881`		`- uint8_t meta[] = {a80.data[0], asn1_len(&aaa) ? aaa.data[0] : PINPOLICY_ALWAYS, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_GENERATED};`
	`892`	`+ uint8_t def_pinpol = PINPOLICY_ONCE;`
	`893`	`+ if (key_ref == EF_PIV_KEY_SIGNATURE) {`
	`894`	`+ def_pinpol = PINPOLICY_ALWAYS;`
	`895`	`+ }`
	`896`	`+ uint8_t meta[] = {a80.data[0], asn1_len(&aaa) ? aaa.data[0] : def_pinpol, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_GENERATED};`
`882`	`897`	`meta_add(key_ref, meta, sizeof(meta));`
`883`	`898`	`low_flash_available();`
`884`	`899`	`return SW_OK();`
`@@ -1205,7 +1220,11 @@ static int cmd_import_asym() {`
`1205`	`1220`	`else {`
`1206`	`1221`	`return SW_WRONG_DATA();`
`1207`	`1222`	`}`
`1208`		`- uint8_t meta[] = { algo, asn1_len(&aaa) ? aaa.data[0] : PINPOLICY_ALWAYS, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_IMPORTED };`
	`1223`	`+ uint8_t def_pinpol = PINPOLICY_ONCE;`
	`1224`	`+ if (key_ref == EF_PIV_KEY_SIGNATURE) {`
	`1225`	`+ def_pinpol = PINPOLICY_ALWAYS;`
	`1226`	`+ }`
	`1227`	`+ uint8_t meta[] = { algo, asn1_len(&aaa) ? aaa.data[0] : def_pinpol, asn1_len(&aab) ? aab.data[0] : TOUCHPOLICY_ALWAYS, ORIGIN_IMPORTED };`
`1209`	`1228`	`meta_add(key_ref, meta, sizeof(meta));`
`1210`	`1229`	`return SW_OK();`
`1211`	`1230`	`}`