Use device key encryption v2.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-04-27 00:57:41 +02:00 · 2026-03-27 17:36:28 +01:00
parent f658ef6eab
commit b88e52971f
3 changed files with 18 additions and 7 deletions
--- a/2
+++ b/2
--- a/src/fido/cbor_client_pin.c
+++ b/src/fido/cbor_client_pin.c
@@ -267,8 +267,8 @@ static int __attribute__((unused)) pinUvAuthTokenUsageTimerObserver(void) {
 static int check_keydev_encrypted(const uint8_t pin_token[32]) {
    if (file_get_data(ef_keydev) && *file_get_data(ef_keydev) == 0x01) {
        uint8_t tmp_keydev[61];
-        tmp_keydev[0] = 0x02; // Change format to encrypted
-        encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, tmp_keydev + 1);
+        tmp_keydev[0] = 0x03; // Change format to encrypted
+        encrypt_with_aad(pin_token, file_get_data(ef_keydev) + 1, 32, 2, tmp_keydev + 1);
        file_put_data(ef_keydev, tmp_keydev, sizeof(tmp_keydev));
        mbedtls_platform_zeroize(tmp_keydev, sizeof(tmp_keydev));
        low_flash_available();
--- a/src/fido/fido.c
+++ b/src/fido/fido.c
@@ -231,14 +231,25 @@ int load_keydev(uint8_t key[32]) {
        }
        else if (fid_size == 33 || fid_size == 61) {
            uint8_t format = *file_get_data(ef_keydev);
-            if (format == 0x01 || format == 0x02) { // Format indicator
-                if (format == 0x02) {
-                    uint8_t tmp_key[61];
+            if (format == 0x01 || format == 0x02 || format == 0x03) { // Format indicator
+                if (format == 0x02 || format == 0x03) {
+                    uint8_t tmp_key[61], version = format == 0x03 ? 2 : 1;
                    memcpy(tmp_key, file_get_data(ef_keydev), sizeof(tmp_key));
-                    int ret = decrypt_with_aad(session_pin, tmp_key + 1, 60, key);
+                    int ret = decrypt_with_aad(session_pin, tmp_key + 1, 60, version, key);
                    if (ret != PICOKEY_OK) {
                        return PICOKEY_EXEC_ERROR;
                    }
+                    if (format == 0x02) {
+                        tmp_key[0] = 0x03;
+                        ret = encrypt_with_aad(session_pin, key, 32, 2, tmp_key + 1);
+                        if (ret != PICOKEY_OK) {
+                            mbedtls_platform_zeroize(tmp_key, sizeof(tmp_key));
+                            return PICOKEY_EXEC_ERROR;
+                        }
+                        file_put_data(ef_keydev, tmp_key, sizeof(tmp_key));
+                        low_flash_available();
+                    }
+                    mbedtls_platform_zeroize(tmp_key, sizeof(tmp_key));
                }
                else {
                    memcpy(key, file_get_data(ef_keydev) + 1, 32);