add transport keys to setup scripts

2017-01-27 23:56:29 -05:00 · 2017-01-27 23:56:29 -05:00 · 6795711a54
commit 6795711a54
--- a/firmware/src/cert.c
+++ b/firmware/src/cert.c
@ -2,7 +2,7 @@
 #include <stdint.h>

 code uint8_t __attest[] = 
-"\x30\x82\x01\x9c\x30\x82\x01\x41\x02\x01\x01\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d"
+"\x30\x82\x01\x9a\x30\x82\x01\x41\x02\x01\x01\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d"
 "\x04\x03\x02\x30\x7d\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13"
 "\x30\x11\x06\x03\x55\x04\x08\x13\x0a\x53\x6f\x6d\x65\x20\x73\x74\x61\x74\x65\x31"
 "\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x53\x6f\x6d\x65\x20\x63\x69\x74\x79\x31"
@ -10,20 +10,23 @@ code uint8_t __attest[] =
 "\x6e\x79\x31\x18\x30\x16\x06\x03\x55\x04\x0b\x13\x0f\x53\x6f\x6d\x65\x20\x64\x65"
 "\x70\x61\x72\x74\x6d\x65\x6e\x74\x31\x14\x30\x12\x06\x03\x55\x04\x03\x13\x0b\x63"
 "\x6f\x6e\x6f\x72\x70\x70\x2e\x63\x6f\x6d\x30\x1e\x17\x0d\x31\x37\x30\x31\x32\x38"
-"\x30\x32\x34\x38\x34\x39\x5a\x17\x0d\x32\x33\x30\x31\x32\x37\x30\x32\x34\x38\x34"
-"\x39\x5a\x30\x36\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x11\x30"
+"\x30\x34\x35\x34\x30\x37\x5a\x17\x0d\x32\x33\x30\x31\x32\x37\x30\x34\x35\x34\x30"
+"\x37\x5a\x30\x36\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x11\x30"
 "\x0f\x06\x03\x55\x04\x0a\x13\x08\x55\x32\x46\x20\x5a\x65\x72\x6f\x31\x14\x30\x12"
 "\x06\x03\x55\x04\x03\x13\x0b\x75\x32\x66\x7a\x65\x72\x6f\x2e\x63\x6f\x6d\x30\x59"
 "\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01"
-"\x07\x03\x42\x00\x04\x02\x12\xb2\x98\x38\x90\x14\xfc\x94\x9c\x7d\x83\x42\x2a\x8a"
-"\xf4\x81\x45\x37\xb6\x65\xf3\xb0\xe1\x72\x79\xa3\x95\x5c\x8e\x4f\xfe\x7e\x97\xee"
-"\x4d\x77\x20\x7f\xd7\xf4\x58\x81\xab\x60\x48\x4d\xba\x30\x35\x87\xcc\xe8\x45\x11"
-"\x4d\x3a\x5c\x06\xba\xf9\x95\x35\x64\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03"
-"\x02\x03\x49\x00\x30\x46\x02\x21\x00\x96\xce\xbc\xcf\xd4\x8f\x62\x2d\xe5\x3c\x8c"
-"\x16\x94\x90\x1d\x59\xa8\xec\x80\xf5\x50\xfa\x1e\x60\x87\x48\xb8\x2c\xb2\x26\x2f"
-"\x8a\x02\x21\x00\x94\xac\x4e\xa7\xe6\xa7\xe2\xd8\x92\x16\x90\xc1\x91\x3b\x7b\x9c"
-"\xbd\x59\x14\x2b\xdd\x86\xd8\x43\x39\xbd\x0a\x74\x76\x6b\x8d\x72"
+"\x07\x03\x42\x00\x04\x9d\x83\xdc\x35\x8f\x69\x15\xc3\x58\x49\xca\x9d\x8c\xe4\xc5"
+"\x40\x3c\xba\x9e\xb2\x34\xb6\x10\x94\x52\xd3\x5c\xf9\x4e\x52\x59\x2b\x1b\xbe\x4c"
+"\x32\x2b\x1c\x57\x11\x20\xe1\xe6\xd3\x7f\xc4\x42\xef\x66\xf0\x64\x24\x9a\xcd\xe0"
+"\x13\x87\x59\xe3\x0b\xd3\xd2\x2b\x8a\x30\x0a\x06\x08\x2a\x86\x48\xce\x3d\x04\x03"
+"\x02\x03\x47\x00\x30\x44\x02\x20\x3d\xf1\xf4\x3f\x20\x82\x96\x13\xd6\x58\xb7\x71"
+"\x29\xb7\x2c\xef\x3f\x86\x6c\xff\x54\xa9\xe0\x86\x7d\x33\x4a\x69\x12\x67\x89\xee"
+"\x02\x20\x09\xa0\x51\x59\x0a\x44\x7c\x6b\xae\x56\x57\x62\x7d\x3c\x99\x37\xda\xb5"
+"\x85\x98\x09\xac\x10\x96\x8f\xce\xed\x06\x94\x9b\x96\xb0"
 ;
 const uint16_t __attest_size = sizeof(__attest)-1;

-
+code uint8_t WMASK[] = "\x3a\xf2\x0d\x94\xcb\xa5\x5c\x30\x20\x36\x36\xfc\x11\x59\x12\x02\x6a\xca\xcb\x3d"
+"\x06\x38\x1e\xd4\xc8\xc7\xc4\xab\xe5\x43\xb9\x90\x5e\xc5\x9d\xe4";
+code uint8_t RMASK[] = "\x54\x6d\xd4\xed\xe8\x20\x10\x13\xe2\x9f\xa8\x94\xde\x82\xd0\xe3\xa8\xc2\x49\x9c"
+"\x41\x4b\x3b\x94\x18\xca\x10\x0c\x20\x5d\x20\x3e";
--- a/firmware/src/u2f.c
+++ b/firmware/src/u2f.c
@ -41,8 +41,6 @@
 #include "bsp.h"
 #include "u2f.h"

-code uint8_t WMASK[] = "\xd7\x53\x3f\x4a\xb4\x0c\xee\x39\xc2\x52\xf8\x83\x86\x59\xde\xe0\x82\xfb\xae\x50\x55\x01\x27\x6b\x74\x1f\xb6\xa1\x93\xb6\xf5\x92\xe4\x11\x17\x3f";
-code uint8_t RMASK[] = "ueragfeaiswuftwiauekygfikslezgdhf";

 // void u2f_response_writeback(uint8_t * buf, uint8_t len);
 static int16_t u2f_register(struct u2f_register_request * req);
--- a/tools/gencert/cbytes.py
+++ b/tools/gencert/cbytes.py
@ -6,13 +6,18 @@ from __future__ import print_function
    Output a c file with the DER certificate.
    Read der file as input
 """
-import sys,fileinput
+import sys,fileinput,binascii

-if len(sys.argv) != 2:
-    print('usage: %s <certificate.der>' % sys.argv[0])
+if len(sys.argv) not in [2,3]:
+    print('usage: %s <certificate.der|hex-input> [-s]' % sys.argv[0])
+    print('    -s: just output c string (for general use)')
    sys.exit(1)

-buf = bytearray(open(sys.argv[1], 'rb').read())
+buf = None
+try:
+    buf = bytearray(open(sys.argv[1], 'rb').read())
+except:
+    buf = bytearray(binascii.unhexlify(sys.argv[1]))

 c_str = ''
 size = len(buf)
@ -22,8 +27,14 @@ a = ''.join(map(lambda c:'\\x%02x'%c, buf))
 for i in range(0,len(a), 80):
    c_str += ("\""+a[i:i+80]+"\"\n")

+if '-s' in sys.argv:
+    print(c_str)
+    sys.exit(0)
+
 print('// generated')
 print('#include <stdint.h>')
 print()
 print('code uint8_t __attest[] = \n%s;' % c_str)
 print('const uint16_t __attest_size = sizeof(__attest)-1;')
+
+
--- a/tools/setup_device.sh
+++ b/tools/setup_device.sh
@ -67,10 +67,21 @@ done


 echo "generate attestation certificate..."
-gencert.sh "$1" "$(cat pubkey.hex)" attest.der > ../firmware/src/cert.c
-
+gencert.sh "$1" "$(cat pubkey.hex|head -n 1)" attest.der > ../firmware/src/cert.c
 [[ "$?" -ne "0" ]] && exit 1

+wkey=$(cbytes.py "$(cat pubkey.hex|head -n 2|tail -n1)" -s)
+[[ "$?" -ne "0" ]] && exit 1
+
+rkey=$(cbytes.py "$(cat pubkey.hex|tail -n 1)" -s)
+[[ "$?" -ne "0" ]] && exit 1
+
+
+echo "" >> ../firmware/src/cert.c
+echo "code uint8_t WMASK[] = $wkey;" >> ../firmware/src/cert.c
+echo "code uint8_t RMASK[] = $rkey;" >> ../firmware/src/cert.c
+
+
 if [[ -n $SN_build ]] ; then
    echo "setting SN to $SN_build"
    sed -i "/#define SER_STRING.*/c\#define SER_STRING \"$SN_build\""  ../firmware/src/descriptors.c
--- a/tools/u2f_zero_client/client.py
+++ b/tools/u2f_zero_client/client.py
@ -155,56 +155,56 @@ def do_configure(h,output):
    config = "\x01\x23\x6d\x10\x00\x00\x50\x00\xd7\x2c\xa5\x71\xee\xc0\x85\x00\xc0\x00\x55\x00\x83\x71\x81\x01\x83\x71\xC1\x01\x83\x71\x83\x71\x83\x71\xC1\x71\x01\x01\x83\x71\x83\x71\xC1\x71\x83\x71\x83\x71\x83\x71\x83\xa0\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x55\x55\xff\xff\x00\x00\x00\x00\x00\x00\x13\x00\x3C\x00\x13\x00\x3C\x00\x13\x00\x3C\x00\x13\x00\x3C\x00\x3c\x00\x3C\x00\x13\x00\x3C\x00\x13\x00\x3C\x00\x13\x00\x33\x00"


-    if 1:
-        h.write([0,commands.U2F_CONFIG_IS_BUILD])
-        data = h.read(64,1000)
-        if data[1] == 1:
-            print( 'Device is configured.')
-        else:
-            die('Device not configured')
+    h.write([0,commands.U2F_CONFIG_IS_BUILD])
+    data = h.read(64,1000)
+    if data[1] == 1:
+        print( 'Device is configured.')
+    else:
+        die('Device not configured')

-        time.sleep(0.250)
+    time.sleep(0.250)

-        h.write([0,commands.U2F_CONFIG_GET_SERIAL_NUM])
-        while True:
-            data = read_n_tries(h,5,64,1000)
-            l = data[1]
-            print( 'read %i bytes' % l)
-            if data[0] == commands.U2F_CONFIG_GET_SERIAL_NUM:
-                break
-        print( data)
-        config = array.array('B',data[2:2+l]).tostring() + config[l:]
-        print( 'conf: ', binascii.hexlify(config))
-        time.sleep(0.250)
-
-
-        crc = get_crc(config)
-        print( 'crc is ', [hex(x) for x in crc])
-        h.write([0,commands.U2F_CONFIG_LOCK] + crc)
+    h.write([0,commands.U2F_CONFIG_GET_SERIAL_NUM])
+    while True:
        data = read_n_tries(h,5,64,1000)
-
-        if data[1] == 1:
-            print( 'locked eeprom with crc ',crc)
-        else:
-            die('not locked')
-
-        time.sleep(0.250)
-
-        h.write([0,commands.U2F_CONFIG_GENKEY])
-        data = read_n_tries(h,5,64,1000)
-        data = array.array('B',data).tostring()
-        data = binascii.hexlify(data)
-        print( 'generated key:')
-        print( data)
-        open(output,'w+').write(data)
+        l = data[1]
+        print( 'read %i bytes' % l)
+        if data[0] == commands.U2F_CONFIG_GET_SERIAL_NUM:
+            break
+    print( data)
+    config = array.array('B',data[2:2+l]).tostring() + config[l:]
+    print( 'conf: ', binascii.hexlify(config))
+    time.sleep(0.250)


-    trans_key = [random.randint(0,255)&0xff for x in range(0,32)]
-    h.write([0,commands.U2F_CONFIG_LOAD_TRANS_KEY]+trans_key)
+    crc = get_crc(config)
+    print( 'crc is ', [hex(x) for x in crc])
+    h.write([0,commands.U2F_CONFIG_LOCK] + crc)
+    data = read_n_tries(h,5,64,1000)
+
+    if data[1] == 1:
+        print( 'locked eeprom with crc ',crc)
+    else:
+        die('not locked')
+
+    time.sleep(0.250)
+
+    h.write([0,commands.U2F_CONFIG_GENKEY])
+    data = read_n_tries(h,5,64,1000)
+    data = array.array('B',data).tostring()
+    data = binascii.hexlify(data)
+
+    wkey = [random.randint(0,255)&0xff for x in range(0,32)]
+    rkey = [random.randint(0,255)&0xff for x in range(0,32)]
+    h.write([0,commands.U2F_CONFIG_LOAD_TRANS_KEY]+wkey)
+
+    wkey = get_write_mask(''.join([chr(x) for x in wkey]))
+    rkey = get_write_mask(''.join([chr(x) for x in rkey]))[:64]
+
+    print('writing keys to ', output)
+    print(data)
+    open(output,'w+').write(data +'\n' + wkey + '\n' + rkey)

-    mask = get_write_mask(''.join([chr(x) for x in trans_key]))
-    print('write mask: ', mask)
-    open(output+'_mask','w+').write(mask)
    print( 'Done')