diff --git a/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m b/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m
index 69d57bc0..8b069d35 100644
--- a/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m
+++ b/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m
@@ -525,10 +525,19 @@ - (void)getAssertionWithClientNoFilterDataHash:(NSData *)clientDataHash
 if (extensions) {
 [self executeGetSharedSecretWithCompletion:^(NSData * _Nullable sharedSecret, YKFCBORMap * _Nullable cosePlatformPublicKey, NSError * _Nullable error) {
 NSMutableDictionary *authenticatorInputs = [NSMutableDictionary new];
- if (extensions[@"prf"] && extensions[@"prf"][@"eval"]) {
- NSString *base64EncodedFirst = extensions[@"prf"][@"eval"][@"first"];
- NSString *base64EncodedSecond = extensions[@"prf"][@"eval"][@"second"];
+ if (extensions[@"prf"]) {
+ NSDictionary* prf = (NSDictionary*)extensions[@"prf"];
+ NSDictionary* secrets = (NSDictionary*)prf[@"eval"];
+ NSDictionary* evalByCred = (NSDictionary*)prf[@"evalByCredential"];
+ if (evalByCred) {
+ YKFFIDO2PublicKeyCredentialDescriptor *credentialDescriptor = allowList[0];
+ NSString *selectedCredentialId = [credentialDescriptor.credentialId ykf_websafeBase64EncodedString];
+ secrets = evalByCred[selectedCredentialId] ? evalByCred[selectedCredentialId] : secrets;
+ }
+
+ NSString *base64EncodedFirst = secrets[@"first"];
+ NSString *base64EncodedSecond = secrets[@"second"];
 NSData *first = [[[NSData alloc] ykf_initWithWebsafeBase64EncodedString:base64EncodedFirst dataLength:base64EncodedFirst.length] ykf_prfSaltData];
 NSData *second = [[[NSData alloc] ykf_initWithWebsafeBase64EncodedString:base64EncodedSecond dataLength:base64EncodedFirst.length] ykf_prfSaltData];