From b88e52971f5dfd119e1d539daadf1308662cfc67 Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Fri, 27 Mar 2026 17:36:28 +0100
Subject: [PATCH] Use device key encryption v2.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 pico-keys-sdk              |  2 +-
 src/fido/cbor_client_pin.c |  4 ++--
 src/fido/fido.c            | 19 +++++++++++++++----
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/pico-keys-sdk b/pico-keys-sdk
index 94ab2cc..9ca3647 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 94ab2ccef750848fe0f58bcfb90f74570818d48e
+Subproject commit 9ca3647695792cca77ae1bfa40d87f78fc9d23d6
diff --git a/src/fido/cbor_client_pin.c b/src/fido/cbor_client_pin.c
index a58ceee..b11b10e 100644
--- a/src/fido/cbor_client_pin.c
+++ b/src/fido/cbor_client_pin.c
@@ -267,8 +267,8 @@ static int __attribute__((unused)) pinUvAuthTokenUsageTimerObserver(void) {
 static int check_keydev_encrypted(const uint8_t pin_token[32]) {
     if (file_get_data(ef_keydev) && *file_get_data(ef_keydev) == 0x01) {
         uint8_t tmp_keydev[61];
-        tmp_keydev[0] = 0x02; // Change format to encrypted
-        encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, tmp_keydev + 1);
+        tmp_keydev[0] = 0x03; // Change format to encrypted
+        encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, 2, tmp_keydev + 1);
         file_put_data(ef_keydev, tmp_keydev, sizeof(tmp_keydev));
         mbedtls_platform_zeroize(tmp_keydev, sizeof(tmp_keydev));
         low_flash_available();
diff --git a/src/fido/fido.c b/src/fido/fido.c
index 014eeca..678f889 100644
--- a/src/fido/fido.c
+++ b/src/fido/fido.c
@@ -231,14 +231,25 @@ int load_keydev(uint8_t key[32]) {
         }
         else if (fid_size == 33 || fid_size == 61) {
             uint8_t format = *file_get_data(ef_keydev);
-            if (format == 0x01 || format == 0x02) { // Format indicator
-                if (format == 0x02) {
-                    uint8_t tmp_key[61];
+            if (format == 0x01 || format == 0x02 || format == 0x03) { // Format indicator
+                if (format == 0x02 || format == 0x03) {
+                    uint8_t tmp_key[61], version = format == 0x03 ? 2 : 1;
                     memcpy(tmp_key, file_get_data(ef_keydev), sizeof(tmp_key));
-                    int ret = decrypt_with_aad(session_pin, tmp_key + 1, 60, key);
+                    int ret = decrypt_with_aad(session_pin, tmp_key + 1, 60, version, key);
                     if (ret != PICOKEY_OK) {
                         return PICOKEY_EXEC_ERROR;
                     }
+                    if (format == 0x02) {
+                        tmp_key[0] = 0x03;
+                        ret = encrypt_with_aad(session_pin, key, 32, 2, tmp_key + 1);
+                        if (ret != PICOKEY_OK) {
+                            mbedtls_platform_zeroize(tmp_key, sizeof(tmp_key));
+                            return PICOKEY_EXEC_ERROR;
+                        }
+                        file_put_data(ef_keydev, tmp_key, sizeof(tmp_key));
+                        low_flash_available();
+                    }
+                    mbedtls_platform_zeroize(tmp_key, sizeof(tmp_key));
                 }
                 else {
                     memcpy(key, file_get_data(ef_keydev) + 1, 32);