diff --git a/src/hsm/cmd_key_domain.c b/src/hsm/cmd_key_domain.c index 06b329c..aeecb31 100644 --- a/src/hsm/cmd_key_domain.c +++ b/src/hsm/cmd_key_domain.c @@ -68,10 +68,16 @@ int cmd_key_domain() { } import_dkek_share(p2, apdu.data); if (++current_dkeks >= dkeks) { - if (save_dkek_key(p2, NULL) != CCID_OK) { - /* On fail, it will return to previous dkek state. */ - import_dkek_share(p2, apdu.data); - return SW_FILE_NOT_FOUND(); + int r = save_dkek_key(p2, NULL); + if (r != CCID_OK) { + if (r == CCID_NO_LOGIN) { + pending_save_dkek = p2; + } + else { + /* On fail, it will return to previous dkek state. */ + import_dkek_share(p2, apdu.data); + return SW_FILE_NOT_FOUND(); + } } } uint8_t t[MAX_KEY_DOMAINS * 2]; diff --git a/src/hsm/kek.c b/src/hsm/kek.c index 8b797ed..54cb5c3 100644 --- a/src/hsm/kek.c +++ b/src/hsm/kek.c @@ -36,6 +36,7 @@ extern bool has_session_pin, has_session_sopin; extern uint8_t session_pin[32], session_sopin[32]; uint8_t mkek_mask[MKEK_KEY_SIZE]; bool has_mkek_mask = false; +uint8_t pending_save_dkek = 0xff; #define POLY 0xedb88320 diff --git a/src/hsm/kek.h b/src/hsm/kek.h index e6b5ade..5c85c2f 100644 --- a/src/hsm/kek.h +++ b/src/hsm/kek.h @@ -74,4 +74,6 @@ extern mse_t mse; extern int mse_decrypt_ct(uint8_t *, size_t); +extern uint8_t pending_save_dkek; + #endif diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index a7bfcf2..2fd0fd6 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -407,6 +407,10 @@ int check_pin(const file_t *pin, const uint8_t *data, size_t len) { hash_multi(data, len, session_sopin); has_session_sopin = true; } + if (pending_save_dkek != 0xff) { + save_dkek_key(pending_save_dkek, NULL); + pending_save_dkek = 0xff; + } return SW_OK(); }