fix(core/optiga): add correct key usage to OID_PIN_CMAC

8 months ago · 240f4f56cd
parent 3c413ecf02
commit 240f4f56cd
3 changed files with 4 additions and 0 deletions
--- a/core/embed/trezorhal/optiga/optiga.c
+++ b/core/embed/trezorhal/optiga/optiga.c
@ -293,6 +293,7 @@ static bool optiga_pin_init_metadata(void) {
  metadata.change = OPTIGA_META_ACCESS_ALWAYS;
  metadata.read = OPTIGA_META_ACCESS_NEVER;
  metadata.execute = ACCESS_PIN_STRETCH_COUNTER;
+  metadata.key_usage = OPTIGA_META_KEY_USE_ENC;
  if (!optiga_set_metadata(OID_PIN_CMAC, &metadata)) {
    return false;
  }
--- a/core/embed/trezorhal/optiga/optiga_commands.c
+++ b/core/embed/trezorhal/optiga/optiga_commands.c
@ -42,6 +42,8 @@ const optiga_metadata_item OPTIGA_META_ACCESS_ALWAYS = {
    (const uint8_t[]){OPTIGA_ACCESS_COND_ALW}, 1};
 const optiga_metadata_item OPTIGA_META_ACCESS_NEVER = {
    (const uint8_t[]){OPTIGA_ACCESS_COND_NEV}, 1};
+const optiga_metadata_item OPTIGA_META_KEY_USE_ENC = {
+    (const uint8_t[]){OPTIGA_KEY_USAGE_ENC}, 1};
 const optiga_metadata_item OPTIGA_META_KEY_USE_KEYAGREE = {
    (const uint8_t[]){OPTIGA_KEY_USAGE_KEYAGREE}, 1};
 static const optiga_metadata_item OPTIGA_META_VERSION_DEFAULT = {
--- a/core/embed/trezorhal/optiga_commands.h
+++ b/core/embed/trezorhal/optiga_commands.h
@ -137,6 +137,7 @@ typedef struct {
 extern const optiga_metadata_item OPTIGA_META_LCS_OPERATIONAL;
 extern const optiga_metadata_item OPTIGA_META_ACCESS_ALWAYS;
 extern const optiga_metadata_item OPTIGA_META_ACCESS_NEVER;
+extern const optiga_metadata_item OPTIGA_META_KEY_USE_ENC;
 extern const optiga_metadata_item OPTIGA_META_KEY_USE_KEYAGREE;

 optiga_result optiga_parse_metadata(const uint8_t *serialized,