Add a syscall to get PKI info

include/os_pki.h

@@ -183,4 +183,23 @@ SYSCALL bool os_pki_verify(uint8_t *descriptor_hash PLENGTH(descriptor_hash_len)
                            size_t                   descriptor_hash_len,
                            uint8_t *signature       PLENGTH(signature_len),
                            size_t                   signature_len);
+
+/**
+ * @brief Get information from the last validated certificate.
+ *
+ * @param[out] key_usage        Certificate role (expected key usage)
+ * @param[out] trusted_name     Buffer for the trusted name.
+ *                              The size of the buffer must be less than
+ *                              #CERTIFICATE_TRUSTED_NAME_MAXLEN
+ * @param[out] trusted_name_len Trusted name length
+ * @param[out] public_key       Certificate public key
+ * @return Error code
+ * @retval 0x0000 Success
+ * @retval 0x4119 trusted_name buffer is too small to contain the trusted name
+ * @retval 0x3202 Failed to initialize public key
+ */
+SYSCALL bolos_err_t os_pki_get_info(uint8_t                  *key_usage,
+                                    uint8_t                  *trusted_name,
+                                    size_t                   *trusted_name_len,
+                                    cx_ecfp_384_public_key_t *public_key);
 #endif  // HAVE_LEDGER_PKI

include/syscalls.h

@@ -195,6 +195,7 @@
 #if defined(HAVE_LEDGER_PKI)
 #define SYSCALL_os_pki_load_certificate_ID 0x060000aa
 #define SYSCALL_os_pki_verify_ID           0x040000ab
+#define SYSCALL_os_pki_get_info_ID         0x040000ac
 #endif  // HAVE_LEDGER_PKI
 
 #ifdef HAVE_CUSTOM_CA_DETAILS_IN_SETTINGS

src/os_io_seproxyhal.c

@@ -1174,28 +1174,16 @@ unsigned int os_io_seproxyhal_pki_load_certificate(uint8_t *buffer,
                                                    size_t   buffer_len,
                                                    uint8_t  key_usage)
 {
-    uint32_t                 error;
+    uint32_t                 sw;
     cx_ecfp_384_public_key_t public_key;
-    uint8_t                  trusted_name[CERTIFICATE_TRUSTED_NAME_MAXLEN] = {0};
-    size_t                   trusted_name_len = CERTIFICATE_TRUSTED_NAME_MAXLEN;
-    uint8_t                  offset           = 0;
-
-    if ((error = os_pki_load_certificate(
-             key_usage, buffer, buffer_len, trusted_name, &trusted_name_len, &public_key))) {
-        U2BE_ENCODE(G_io_apdu_buffer, 0, error);
-        offset = 2;
-    }
-    else {
-        G_io_apdu_buffer[0] = trusted_name_len;
-        offset++;
-        memcpy(G_io_apdu_buffer + offset, trusted_name, trusted_name_len);
-        offset += trusted_name_len;
-        memcpy(G_io_apdu_buffer + offset, public_key.W, public_key.W_len);
-        offset += public_key.W_len;
-        U2BE_ENCODE(G_io_apdu_buffer + offset, 0, SWO_SUCCESS);
-        offset += 2;
+
+    sw = os_pki_load_certificate(key_usage, buffer, buffer_len, NULL, NULL, &public_key);
+    if (0 == sw) {
+        sw = SWO_SUCCESS;
     }
-    return offset;
+    explicit_bzero(&public_key, sizeof(cx_ecfp_384_public_key_t));
+    U2BE_ENCODE(G_io_apdu_buffer, 0, sw);
+    return 2;
 }
 #endif  // HAVE_LEDGER_PKI
 

src/syscalls.c

@@ -1392,6 +1392,19 @@ bool os_pki_verify(uint8_t *descriptor_hash,
     parameters[3] = (unsigned int) signature_len;
     return (bool) SVC_Call(SYSCALL_os_pki_verify_ID, parameters);
 }
+
+bolos_err_t os_pki_get_info(uint8_t                  *key_usage,
+                            uint8_t                  *trusted_name,
+                            size_t                   *trusted_name_len,
+                            cx_ecfp_384_public_key_t *public_key)
+{
+    unsigned int parameters[4];
+    parameters[0] = (unsigned int) key_usage;
+    parameters[1] = (unsigned int) trusted_name;
+    parameters[2] = (unsigned int) trusted_name_len;
+    parameters[3] = (unsigned int) public_key;
+    return (bolos_err_t) SVC_Call(SYSCALL_os_pki_get_info_ID, parameters);
+}
 #endif  // HAVE_LEDGER_PKI
 
 unsigned int os_endorsement_get_code_hash(unsigned char *buffer)