Satochip applet v0.11-0.1: support (mandatory) secure channel

Major protocol revision with Secure Channel support based on ECDH. In addition, some code cleanup: - optimisation: support native SHA512 (since v0.10-0.4) - optimisation: support ALG_EC_SVDP_DH_PLAIN_XY (since v0.10-0.4) - cleanup: removed SHA512 java implementation for older cards (since v0.10-0.4) - cleanup: removed ALG_EC_SVDP_DH_PLAIN for older cards (since v0.10-0.4) - remove deprecated instruction (sign_short_message) - improved error message in case of wrong PIN Merge branch 'add-secure-channel'
Toporin · Jun 16, 2020 · e099c75 · e099c75
2 parents be97481 + d8f3dd5
commit e099c75
Show file tree

Hide file tree

Showing 8 changed files with 585 additions and 2,429 deletions.
diff --git a/src/org/satochip/applet/CardEdge.java b/src/org/satochip/applet/CardEdge.java
diff --git a/src/org/satochip/applet/EccComputation.java b/src/org/satochip/applet/EccComputation.java
diff --git a/src/org/satochip/applet/HmacSha160.java b/src/org/satochip/applet/HmacSha160.java
@@ -31,8 +31,6 @@ public class HmacSha160 {
 	public static final short BLOCKSIZE=64; // 64 bytes 
 	public static final short HASHSIZE=20;
 	public static final short MAXMSGSIZE=192; 
-	private static final short SW_UNSUPPORTED_KEYSIZE = (short) 0x9c0E;
-	private static final short SW_UNSUPPORTED_MSGSIZE = (short) 0x9c0F;
 	private static byte[] data;
 
 
@@ -47,10 +45,10 @@ public static short computeHmacSha160(
 			byte[] mac, short mac_offset){
 
 		if (key_length>BLOCKSIZE || key_length<0){
-			ISOException.throwIt(SW_UNSUPPORTED_KEYSIZE); // don't accept keys bigger than block size 
+			ISOException.throwIt(CardEdge.SW_HMAC_UNSUPPORTED_KEYSIZE); // don't accept keys bigger than block size 
 		}
 		if (message_length>MAXMSGSIZE || message_length<0){
-			ISOException.throwIt(SW_UNSUPPORTED_MSGSIZE); 
+			ISOException.throwIt(CardEdge.SW_HMAC_UNSUPPORTED_MSGSIZE); 
 		}
 
 		// compute inner hash

diff --git a/src/org/satochip/applet/HmacSha512.java b/src/org/satochip/applet/HmacSha512.java
@@ -23,30 +23,36 @@
 import javacard.framework.ISOException;
 import javacard.framework.JCSystem;
 import javacard.framework.Util;
+import javacard.security.CryptoException;
+import javacard.security.MessageDigest;
 
 // very limited Hmac-SHA512 implementation
 public class HmacSha512 {
 
 	public static final short BLOCKSIZE=128; // 128 bytes 
 	public static final short HASHSIZE=64;
-	private static final short SW_UNSUPPORTED_KEYSIZE = (short) 0x9c0E;
-	private static final short SW_UNSUPPORTED_MSGSIZE = (short) 0x9c0F;
 	private static byte[] data;
 
+	private static MessageDigest sha512;  
 
 	public static void init(byte[] tmp){
 		data= tmp;
+		try {
+			sha512 = MessageDigest.getInstance(MessageDigest.ALG_SHA_512, false); 
+		} catch (CryptoException e) {
+			ISOException.throwIt(CardEdge.SW_UNSUPPORTED_FEATURE); // unsupported feature => use a more recent card!
+		}
 	}
 
 	public static short computeHmacSha512(byte[] key, short key_offset, short key_length, 
 			byte[] message, short message_offset, short message_length,
 			byte[] mac, short mac_offset){
 
 		if (key_length>BLOCKSIZE || key_length<0){
-			ISOException.throwIt(SW_UNSUPPORTED_KEYSIZE); // don't accept keys bigger than block size 
+			ISOException.throwIt(CardEdge.SW_HMAC_UNSUPPORTED_KEYSIZE); // don't accept keys bigger than block size 
 		}
 		if (message_length>HASHSIZE || message_length<0){
-			ISOException.throwIt(SW_UNSUPPORTED_MSGSIZE); // don't accept messsage bigger than block size (should be sufficient for BIP32)
+			ISOException.throwIt(CardEdge.SW_HMAC_UNSUPPORTED_MSGSIZE); // don't accept message bigger than block size (should be sufficient for BIP32)
 		}
 
 		// compute inner hash
@@ -55,19 +61,17 @@ public static short computeHmacSha512(byte[] key, short key_offset, short key_le
 		}
 		Util.arrayFillNonAtomic(data, key_length, (short)(BLOCKSIZE-key_length), (byte)0x36);		
 		Util.arrayCopyNonAtomic(message, message_offset, data, BLOCKSIZE, message_length);
-		//Sha512.reset();
-		//Sha512.doFinal(data, (short)0, (short)(BLOCKSIZE+message_length), data, BLOCKSIZE); // copy hash result to data buffer!
-		Sha512.resetUpdateDoFinal(data, (short)0, (short)(BLOCKSIZE+message_length), data, BLOCKSIZE); // copy hash result to data buffer!
+		sha512.reset();
+		sha512.doFinal(data, (short)0, (short)(BLOCKSIZE+message_length), data, BLOCKSIZE); // copy hash result to data buffer!
 
 		// compute outer hash
 		for (short i=0; i<key_length; i++){
 			data[i]= (byte) (key[(short)(key_offset+i)] ^ (0x5c));
 		}
 		Util.arrayFillNonAtomic(data, key_length, (short)(BLOCKSIZE-key_length), (byte)0x5c);
 		// previous hash already copied to correct offset in data
-		//Sha512.reset();
-		//Sha512.doFinal(data, (short)0, (short)(BLOCKSIZE+HASHSIZE), mac, mac_offset);
-		Sha512.resetUpdateDoFinal(data, (short)0, (short)(BLOCKSIZE+HASHSIZE), mac, mac_offset);
+		sha512.reset();
+		sha512.doFinal(data, (short)0, (short)(BLOCKSIZE+HASHSIZE), mac, mac_offset);
 
 		return HASHSIZE;
 	}