From 54fb02995f51395b6d03d038512cfbe326830c11 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Thu, 11 Sep 2025 11:31:45 +0200
Subject: [PATCH] Add 4 pseudorandom bytes to allow indexing used by some RP entities. Fixes #185
Signed-off-by: Pol Henarejos
---
 src/fido/credential.c | 8 ++++++--
 src/fido/credential.h | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/fido/credential.c b/src/fido/credential.c
index 3ba18f6..5fca7d0 100644
--- a/src/fido/credential.c
+++ b/src/fido/credential.c
@@ -429,16 +429,20 @@ int credential_derive_resident(const uint8_t *cred_id, size_t cred_id_len, uint8
 memset(outk, 0, CRED_RESIDENT_LEN);
 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
 uint8_t *cred_idr = outk + CRED_RESIDENT_HEADER_LEN;
+ mbedtls_md_hmac(md_info, cred_idr, 32, pico_serial.id, sizeof(pico_serial.id), outk);
+ memcpy(outk + 4, CRED_PROTO_RESIDENT, CRED_PROTO_RESIDENT_LEN);
+ outk[4 + CRED_PROTO_RESIDENT_LEN] = 0x00;
+ outk[4 + CRED_PROTO_RESIDENT_LEN + 1] = 0x00;
+ mbedtls_md_hmac(md_info, cred_idr, 32, (uint8_t *) "SLIP-0022", 9, cred_idr);
 mbedtls_md_hmac(md_info, cred_idr, 32, (uint8_t *) cred_id, CRED_PROTO_LEN, cred_idr);
 mbedtls_md_hmac(md_info, cred_idr, 32, (uint8_t *) "resident", 8, cred_idr);
 mbedtls_md_hmac(md_info, cred_idr, 32, cred_id, cred_id_len, cred_idr);
- memcpy(outk, CRED_PROTO_RESIDENT, CRED_PROTO_RESIDENT_LEN);
 return 0;
 }
 bool credential_is_resident(const uint8_t *cred_id, size_t cred_id_len) {
- return memcmp(cred_id, CRED_PROTO_RESIDENT, CRED_PROTO_RESIDENT_LEN) == 0;
+ return memcmp(cred_id + 4, CRED_PROTO_RESIDENT, CRED_PROTO_RESIDENT_LEN) == 0;
 }
 int credential_load_resident(const file_t *ef, const uint8_t *rp_id_hash, Credential *cred) {
diff --git a/src/fido/credential.h b/src/fido/credential.h
index 3b3bbab..8e140e4 100644
--- a/src/fido/credential.h
+++ b/src/fido/credential.h
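Review bot: `credential_is_resident` now compares bytes 4 to 7 of `cred_id` but still ignores `cred_id_len`, so a credential ID shorter than eight bytes is read past its end; the comparison should be guarded, e.g. `return cred_id_len >= 4 + CRED_PROTO_RESIDENT_LEN && memcmp(cred_id + 4, CRED_PROTO_RESIDENT, CRED_PROTO_RESIDENT_LEN) == 0;`. In `credential_derive_resident` the added `mbedtls_md_hmac(..., pico_serial.id, ..., outk)` call runs directly after the `memset`, so its 32-byte key at `cred_idr` is all zeros and its only input is the device serial: the four leading bytes come out identical for every resident credential on a device, and if this ID is what relying parties receive, it gives them a stable value to correlate one authenticator across sites. Unless a device-constant prefix is intended, computing the prefix from the finished `cred_idr` after the last HMAC step into a scratch buffer and copying four bytes would make it per-credential. That call also writes a full 32-byte digest to `outk`, and the return values of all `mbedtls_md_hmac` calls are dropped, so a failed step would still return 0 with a partly derived ID. The start of `credential_derive_resident` lies outside the hunk, so the size of the buffer behind `outk` cannot be confirmed from here.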
@@ -70,7 +70,7 @@ typedef struct Credential {
 #define CRED_PROTO_RESIDENT CRED_PROTO_23_S
 #define CRED_PROTO_RESIDENT_LEN 4
-#define CRED_RESIDENT_HEADER_LEN (CRED_PROTO_RESIDENT_LEN + 4)
+#define CRED_RESIDENT_HEADER_LEN (CRED_PROTO_RESIDENT_LEN + 6)
 #define CRED_RESIDENT_LEN (CRED_RESIDENT_HEADER_LEN + 32)
 typedef enum
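Review bot: The `+ 6` in `CRED_RESIDENT_HEADER_LEN` is undocumented, while credential.c separately hard-codes `4` for the prefix offset and writes the two zero bytes by index, so the layout of the resident ID is spread over three places. A named constant such as `#define CRED_RESIDENT_PREFIX_LEN 4` (a proposed name) together with a comment like `/* resident ID: 4-byte prefix | 4-byte proto magic | 2 zero bytes | 32-byte HMAC */` would keep the header and the code in step. `CRED_RESIDENT_LEN` grows from 40 to 42 with this change, so any buffer or stored identifier sized with the old value should be rechecked; those call sites are not visible in this patch.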