clone/pico-fido
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-fido synced 2026-06-11 04:48:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use device key encryption v2.

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2026-03-27 17:36:28 +01:00
parent f658ef6eab
commit b88e52971f
3 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pico-keys-sdk

Submodule pico-keys-sdk updated: 94ab2ccef7...9ca3647695

4
src/fido/cbor_client_pin.c
View File

@@ -267,8 +267,8 @@ static int __attribute__((unused)) pinUvAuthTokenUsageTimerObserver(void) {
static int check_keydev_encrypted(const uint8_t pin_token[32]) { static int check_keydev_encrypted(const uint8_t pin_token[32]) {
if (file_get_data(ef_keydev) && *file_get_data(ef_keydev) == 0x01) { if (file_get_data(ef_keydev) && *file_get_data(ef_keydev) == 0x01) {
uint8_t tmp_keydev[61]; uint8_t tmp_keydev[61];
tmp_keydev[0] = 0x02; // Change format to encrypted tmp_keydev[0] = 0x03; // Change format to encrypted
encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, tmp_keydev + 1); encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, 2, tmp_keydev + 1);
file_put_data(ef_keydev, tmp_keydev, sizeof(tmp_keydev)); file_put_data(ef_keydev, tmp_keydev, sizeof(tmp_keydev));
mbedtls_platform_zeroize(tmp_keydev, sizeof(tmp_keydev)); mbedtls_platform_zeroize(tmp_keydev, sizeof(tmp_keydev));
low_flash_available(); low_flash_available();

19
src/fido/fido.c
View File

@@ -231,14 +231,25 @@ int load_keydev(uint8_t key[32]) {
} }
else if (fid_size == 33 || fid_size == 61) { else if (fid_size == 33 || fid_size == 61) {
uint8_t format = *file_get_data(ef_keydev); uint8_t format = *file_get_data(ef_keydev);
if (format == 0x01 || format == 0x02) { // Format indicator if (format == 0x01 || format == 0x02 || format == 0x03) { // Format indicator
if (format == 0x02) { if (format == 0x02 || format == 0x03) {
uint8_t tmp_key[61]; uint8_t tmp_key[61], version = format == 0x03 ? 2 : 1;
memcpy(tmp_key, file_get_data(ef_keydev), sizeof(tmp_key)); memcpy(tmp_key, file_get_data(ef_keydev), sizeof(tmp_key));
int ret = decrypt_with_aad(session_pin, tmp_key + 1, 60, key); int ret = decrypt_with_aad(session_pin, tmp_key + 1, 60, version, key);
if (ret != PICOKEY_OK) { if (ret != PICOKEY_OK) {
return PICOKEY_EXEC_ERROR; return PICOKEY_EXEC_ERROR;
} }
if (format == 0x02) {
tmp_key[0] = 0x03;
ret = encrypt_with_aad(session_pin, key, 32, 2, tmp_key + 1);
if (ret != PICOKEY_OK) {
mbedtls_platform_zeroize(tmp_key, sizeof(tmp_key));
return PICOKEY_EXEC_ERROR;
}
file_put_data(ef_keydev, tmp_key, sizeof(tmp_key));
low_flash_available();
}
mbedtls_platform_zeroize(tmp_key, sizeof(tmp_key));
} }
else { else {
memcpy(key, file_get_data(ef_keydev) + 1, 32); memcpy(key, file_get_data(ef_keydev) + 1, 32);