From 5facbf61cdc922071c66c9ffe189867169c950c4 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Mon, 25 Aug 2025 01:34:34 +0200
Subject: [PATCH] NK compatibility improvements.

Signed-off-by: Pol Henarejos
---
 pico-keys-sdk | 2 +-
 src/fido/cbor_make_credential.c | 6 +--
 src/fido/oath.c | 75 ++++++++++++++++++++++++++++++++-
 3 files changed, 77 insertions(+), 6 deletions(-)

diff --git a/pico-keys-sdk b/pico-keys-sdk
index 113e720..5984d1f 160000
--- a/pico-keys-sdk
+++ b/pico-keys-sdk
@@ -1 +1 @@
-Subproject commit 113e720fcaaa6b9ca74d114bee1923bb2619ba3b
+Subproject commit 5984d1f72de82e44c18ed0bbbc953e1559a58af6
diff --git a/src/fido/cbor_make_credential.c b/src/fido/cbor_make_credential.c
index 6625532..bd9539d 100644
--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -519,12 +519,12 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, aut_data, aut_data_len));
 CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x03));
- CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, self_attestation == false || is_nitrokey ? 3 : 2));
+ CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &mapEncoder2, self_attestation == false || is_nk ? 3 : 2));
 CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "alg"));
- CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, self_attestation || is_nitrokey ? -alg : -FIDO2_ALG_ES256));
+ CBOR_CHECK(cbor_encode_negative_int(&mapEncoder2, self_attestation || is_nk ? -alg : -FIDO2_ALG_ES256));
 CBOR_CHECK(cbor_encode_text_stringz(&mapEncoder2, "sig"));
 CBOR_CHECK(cbor_encode_byte_string(&mapEncoder2, sig, olen));
- if (self_attestation == false || is_nitrokey) {
+ if (self_attestation == false || is_nk) {
 CborEncoder arrEncoder;
 file_t *ef_cert = NULL;
 if (enterpriseAttestation == 2) {
diff --git a/src/fido/oath.c b/src/fido/oath.c
index f0a0adf..40e72a2 100644
--- a/src/fido/oath.c
+++ b/src/fido/oath.c
@@ -44,6 +44,10 @@
 #define TAG_PASSWORD 0x80
 #define TAG_NEW_PASSWORD 0x81
 #define TAG_PIN_COUNTER 0x82
+#define TAG_PWS_LOGIN 0x83
+#define TAG_PWS_PASSWORD 0x84
+#define TAG_PWS_METADATA 0x85
+#define TAG_SERIAL_NUMBER 0x8F
 #define ALG_HMAC_SHA1 0x01
 #define ALG_HMAC_SHA256 0x02
@@ -56,6 +60,7 @@
 #define PROP_INC 0x01
 #define PROP_TOUCH 0x02
+#define PROP_PIN 0x03
 int oath_process_apdu();
 int oath_unload();
@@ -99,6 +104,12 @@ int oath_select(app_t *a, uint8_t force) {
 res_APDU[res_APDU_size++] = TAG_ALGO;
 res_APDU[res_APDU_size++] = 1;
 res_APDU[res_APDU_size++] = ALG_HMAC_SHA1;
+ if (is_nk) {
+ res_APDU[res_APDU_size++] = TAG_SERIAL_NUMBER;
+ res_APDU[res_APDU_size++] = 8;
+ memcpy(res_APDU + res_APDU_size, pico_serial_str, 8);
+ res_APDU_size += 8;
+ }
 apdu.ne = res_APDU_size;
 return PICOKEY_OK;
 }
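Review bot: `PROP_PIN` is defined as 0x03, which is exactly `PROP_INC | PROP_TOUCH` (0x01 | 0x02), yet the cmd_list hunk in this same commit reads the property byte as a bit mask (`pws.data[0] & PROP_TOUCH`); a credential stored with PROP_PIN would therefore also test positive for touch and for the incrementing flag, and a mask test for PROP_PIN would match any credential carrying both older flags. If 0x03 is the wire value the NK protocol mandates, the readers must compare with equality rather than mask, otherwise a free bit such as 0x04 would keep the flags independent; either way a comment stating whether the PROP_* values are bit flags or an enumeration is needed, e.g. `/* PROP_* are bit flags; PROP_PIN deliberately combines INC|TOUCH — see NK spec */` or its opposite. The new define is not used in any hunk shown, so its intended semantics cannot be confirmed from the diff.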
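Review bot: The SELECT response copies a fixed 8 bytes out of `pico_serial_str` without checking that it actually holds 8 bytes, and it does so before any password or PIN validation, so the device serial becomes a stable identifier readable by any host that can select the applet. If that disclosure is what NK compatibility requires, say so in a comment above `if (is_nk) {`; the repeated literal 8 should become a named constant, and if `pico_serial_str` is a NUL-terminated string the copy should be guarded, e.g. `if (is_nk && strlen(pico_serial_str) >= 8) {`, so a shorter serial cannot be over-read. oath_select's body begins before the hunk, so whether `res_APDU` has room for the extra 10 bytes cannot be checked here.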
@@ -270,16 +281,27 @@ int cmd_list() {
 if (validated == false) {
 return SW_SECURITY_STATUS_NOT_SATISFIED();
 }
+ bool ext = (apdu.nc == 1 && apdu.data[0] == 0x01);
 for (int i = 0; i < MAX_OATH_CRED; i++) {
 file_t *ef = search_dynamic_file((uint16_t)(EF_OATH_CRED + i));
 if (file_has_data(ef)) {
- asn1_ctx_t ctxi, key = { 0 }, name = { 0 };
+ asn1_ctx_t ctxi, key = { 0 }, name = { 0 }, pws = { 0 };
 asn1_ctx_init(file_get_data(ef), file_get_size(ef), &ctxi);
 if (asn1_find_tag(&ctxi, TAG_NAME, &name) == true && asn1_find_tag(&ctxi, TAG_KEY, &key) == true) {
 res_APDU[res_APDU_size++] = TAG_NAME_LIST;
- res_APDU[res_APDU_size++] = (uint8_t)(name.len + 1);
+ res_APDU[res_APDU_size++] = (uint8_t)(name.len + 1 + (ext ? 1 : 0));
 res_APDU[res_APDU_size++] = key.data[0];
 memcpy(res_APDU + res_APDU_size, name.data, name.len); res_APDU_size += name.len;
+ if (ext) {
+ uint8_t props = 0x0;
+ if (asn1_find_tag(&ctxi, TAG_PWS_LOGIN, &pws) == true || asn1_find_tag(&ctxi, TAG_PWS_PASSWORD, &pws) == true || asn1_find_tag(&ctxi, TAG_PWS_METADATA, &pws) == true) {
+ props |= 0x4;
+ }
+ if (asn1_find_tag(&ctxi, TAG_PROPERTY, &pws) == true && (pws.data[0] & PROP_TOUCH)) {
+ props |= 0x1;
+ }
+ res_APDU[res_APDU_size++] = props;
+ }
 }
 }
 }
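Review bot: `pws.data[0]` in the `TAG_PROPERTY` test is read without checking `pws.len`, so a stored credential whose property TLV has zero length makes the list command read one byte past that TLV; the pre-existing `key.data[0]` line has the same weakness, but the new line should not repeat it: `if (asn1_find_tag(&ctxi, TAG_PROPERTY, &pws) == true && pws.len > 0 && (pws.data[0] & PROP_TOUCH)) {`. The flag bits `0x4` and `0x1` written into `props` are protocol values and deserve named constants or at least a comment, e.g. `/* NK extended list flags: 0x1 touch required, 0x4 PWS data present */`. The extra byte per credential grows the response, and since nothing in this hunk bounds writes into `res_APDU`, whether MAX_OATH_CRED extended entries still fit cannot be confirmed here.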
@@ -626,6 +648,53 @@ int cmd_rename() {
 return SW_OK();
 }
+int cmd_get_credential() {
+ asn1_ctx_t ctxi, name = { 0 };
+ if (apdu.nc < 3) {
+ return SW_INCORRECT_PARAMS();
+ }
+ if (apdu.data[0] != TAG_NAME) {
+ return SW_WRONG_DATA();
+ }
+ asn1_ctx_init(apdu.data, (uint16_t)apdu.nc, &ctxi);
+ if (asn1_find_tag(&ctxi, TAG_NAME, &name) == false) {
+ return SW_WRONG_DATA();
+ }
+ file_t *ef = find_oath_cred(name.data, name.len);
+ if (file_has_data(ef) == false) {
+ return SW_DATA_INVALID();
+ }
+ asn1_ctx_t login = { 0 }, pw = { 0 }, meta = { 0 }, prop = { 0 };
+ asn1_ctx_init(file_get_data(ef), file_get_size(ef), &ctxi);
+ if (asn1_find_tag(&ctxi, TAG_NAME, &name) == true) {
+ res_APDU[res_APDU_size++] = TAG_NAME;
+ res_APDU[res_APDU_size++] = (uint8_t)(name.len);
+ memcpy(res_APDU + res_APDU_size, name.data, name.len); res_APDU_size += name.len;
+ }
+ if (asn1_find_tag(&ctxi, TAG_PWS_LOGIN, &login) == true) {
+ res_APDU[res_APDU_size++] = TAG_PWS_LOGIN;
+ res_APDU[res_APDU_size++] = (uint8_t)(login.len);
+ memcpy(res_APDU + res_APDU_size, login.data, login.len); res_APDU_size += login.len;
+ }
+ if (asn1_find_tag(&ctxi, TAG_PWS_PASSWORD, &pw) == true) {
+ res_APDU[res_APDU_size++] = TAG_PWS_PASSWORD;
+ res_APDU[res_APDU_size++] = (uint8_t)(pw.len);
+ memcpy(res_APDU + res_APDU_size, pw.data, pw.len); res_APDU_size += pw.len;
+ }
+ if (asn1_find_tag(&ctxi, TAG_PWS_METADATA, &meta) == true) {
+ res_APDU[res_APDU_size++] = TAG_PWS_METADATA;
+ res_APDU[res_APDU_size++] = (uint8_t)(meta.len);
+ memcpy(res_APDU + res_APDU_size, meta.data, meta.len); res_APDU_size += meta.len;
+ }
+ if (asn1_find_tag(&ctxi, TAG_PROPERTY, &prop) == true) {
+ res_APDU[res_APDU_size++] = TAG_PROPERTY;
+ res_APDU[res_APDU_size++] = (uint8_t)(prop.len);
+ memcpy(res_APDU + res_APDU_size, prop.data, prop.len); res_APDU_size += prop.len;
+ }
+ apdu.ne = res_APDU_size;
+ return SW_OK();
+}
+
 #define INS_PUT 0x01
 #define INS_DELETE 0x02
 #define INS_SET_CODE 0x03
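Review bot: cmd_get_credential returns the stored `TAG_PWS_PASSWORD` and `TAG_PWS_LOGIN` values without the `if (validated == false) { return SW_SECURITY_STATUS_NOT_SATISFIED(); }` check that cmd_list performs on its first lines, so unless the dispatcher outside this hunk enforces validation for every INS, the password-safe fields of any named credential are readable without the OATH password; the guard belongs before `apdu.nc` is inspected. The `TAG_PROPERTY` byte is echoed into the response but never consulted, so neither `PROP_TOUCH` nor the `PROP_PIN` value this commit introduces gates the disclosure — confirm that is intended and state it in a comment on the function. Each length byte is `(uint8_t)(x.len)` while the memcpy copies the full `x.len`, so a value longer than 255 bytes yields a TLV whose length byte disagrees with its payload, and nothing checks that the total fits `res_APDU`. The five copy blocks are one four-line pattern repeated and can be a static helper that also enforces the one-byte length; the sketch below shows that together with the validation guard.
```c
/* Append one TLV (tag, one-byte length, value) to the response.
 * Returns false when the value does not fit a one-byte length. */
static bool put_tlv(uint8_t tag, const asn1_ctx_t *c) {
    if (c->len > 0xFF) {
        return false;
    }
    res_APDU[res_APDU_size++] = tag;
    res_APDU[res_APDU_size++] = (uint8_t)c->len;
    memcpy(res_APDU + res_APDU_size, c->data, c->len);
    res_APDU_size += c->len;
    return true;
}

int cmd_get_credential() {
    if (validated == false) {
        return SW_SECURITY_STATUS_NOT_SATISFIED();
    }
    // … unchanged: request parsing, find_oath_cred, credential load …
    if (asn1_find_tag(&ctxi, TAG_NAME, &name) == true && put_tlv(TAG_NAME, &name) == false) {
        return SW_DATA_INVALID();
    }
    // … same put_tlv pattern for TAG_PWS_LOGIN, TAG_PWS_PASSWORD, TAG_PWS_METADATA, TAG_PROPERTY …
```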
@@ -640,6 +709,7 @@ int cmd_rename() {
 #define INS_VERIFY_PIN 0xb2
 #define INS_CHANGE_PIN 0xb3
 #define INS_SET_PIN 0xb4
+#define INS_GET_CREDENTIAL 0xb5
 static const cmd_t cmds[] = {
 { INS_PUT, cmd_put },
@@ -656,6 +726,7 @@ static const cmd_t cmds[] = {
 { INS_CHANGE_PIN, cmd_change_otp_pin },
 { INS_VERIFY_PIN, cmd_verify_otp_pin },
 { INS_VERIFY_CODE, cmd_verify_hotp },
+ { INS_GET_CREDENTIAL, cmd_get_credential },
 { 0x00, 0x0 }
 };