fix(core/prodtest): Fix Optiga metadata version information handling.

[no changelog]

core/embed/prodtest/optiga_prodtest.c

@@ -509,8 +509,9 @@ void keyfido_write(char *data) {
   // Set change access condition for the FIDO key to Int(0xE0E8), so that we
   // can write the FIDO key using the trust anchor in OID 0xE0E8.
   memzero(&metadata, sizeof(metadata));
-  metadata.change.ptr = (const uint8_t *)"\x21\xe0\xe8";
-  metadata.change.len = 3;
+  metadata.change = (const optiga_metadata_item)OPTIGA_ACCESS_CONDITION(
+      OPTIGA_ACCESS_COND_INT, OID_TRUST_ANCHOR);
+  metadata.version = OPTIGA_META_VERSION_DEFAULT;
   if (!set_metadata(OID_KEY_FIDO, &metadata)) {
     return;
   }

core/embed/prodtest/optiga_prodtest.h

@@ -17,7 +17,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-#ifndef PRODTEST_OPTIGA_PRODTESTS_H
+#ifndef PRODTEST_OPTIGA_PRODTEST_H
 #define PRODTEST_OPTIGA_PRODTEST_H
 
 #include <stdbool.h>
@@ -30,7 +30,7 @@
 #define OID_KEY_DEV OPTIGA_OID_ECC_KEY + 0
 #define OID_KEY_FIDO OPTIGA_OID_ECC_KEY + 2
 #define OID_KEY_PAIRING OPTIGA_OID_PTFBIND_SECRET
-#define OID_TRUST_ANCHOR OPTIGA_OID_CA_CERT + 0
+#define OID_TRUST_ANCHOR (OPTIGA_OID_CA_CERT + 0)
 
 typedef enum {
   OPTIGA_LOCKED_TRUE,

core/embed/trezorhal/optiga/optiga_commands.c

@@ -47,8 +47,8 @@ const optiga_metadata_item OPTIGA_META_KEY_USE_ENC = {
     (const uint8_t[]){OPTIGA_KEY_USAGE_ENC}, 1};
 const optiga_metadata_item OPTIGA_META_KEY_USE_KEYAGREE = {
     (const uint8_t[]){OPTIGA_KEY_USAGE_KEYAGREE}, 1};
-static const optiga_metadata_item OPTIGA_META_VERSION_DEFAULT = {
-    (const uint8_t *)"\xC1\x02\x00\x00", 4};
+const optiga_metadata_item OPTIGA_META_VERSION_DEFAULT = {
+    (const uint8_t[]){0x00, 0x00}, 2};
 
 static optiga_result process_output(uint8_t **out_data, size_t *out_size) {
   // Check that there is no trailing output data in the response.
@@ -823,7 +823,8 @@ optiga_result optiga_set_trust_anchor(void) {
       0xb0, 0xa5, 0x21, 0x2c, 0x54, 0x3a, 0x6c, 0x04, 0x72,
   };
 
-  return optiga_set_data_object(0xe0e8, false, TA_CERT, sizeof(TA_CERT));
+  return optiga_set_data_object(OPTIGA_OID_CA_CERT, false, TA_CERT,
+                                sizeof(TA_CERT));
 }
 
 /*
@@ -849,7 +850,8 @@ optiga_result optiga_set_priv_key(uint16_t oid, const uint8_t priv_key[32]) {
     if (metadata.version.len != 2) {
       return OPTIGA_ERR_UNEXPECTED;
     }
-    payload_version = (metadata.version.ptr[0] << 8) + metadata.version.ptr[1];
+    payload_version =
+        ((metadata.version.ptr[0] & 0x7f) << 8) + metadata.version.ptr[1];
   }
   payload_version += 1;
 

core/embed/trezorhal/optiga_commands.h

@@ -141,6 +141,7 @@ extern const optiga_metadata_item OPTIGA_META_ACCESS_ALWAYS;
 extern const optiga_metadata_item OPTIGA_META_ACCESS_NEVER;
 extern const optiga_metadata_item OPTIGA_META_KEY_USE_ENC;
 extern const optiga_metadata_item OPTIGA_META_KEY_USE_KEYAGREE;
+extern const optiga_metadata_item OPTIGA_META_VERSION_DEFAULT;
 
 optiga_result optiga_parse_metadata(const uint8_t *serialized,
                                     size_t serialized_size,