From c7fe63989deb9258c4a41fb0ebf4900c716fb5ad Mon Sep 17 00:00:00 2001
From: Jens Utbult
Date: Wed, 13 Nov 2024 10:00:58 +0100
Subject: [PATCH] Eval by credential.
---
 .../Shared/Sessions/FIDO2/YKFFIDO2Session.m | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m b/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m
index 69d57bc0..8b069d35 100644
--- a/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m
+++ b/YubiKit/YubiKit/Connections/Shared/Sessions/FIDO2/YKFFIDO2Session.m
@@ -525,10 +525,19 @@ - (void)getAssertionWithClientNoFilterDataHash:(NSData *)clientDataHash
 if (extensions) {
 [self executeGetSharedSecretWithCompletion:^(NSData * _Nullable sharedSecret, YKFCBORMap * _Nullable cosePlatformPublicKey, NSError * _Nullable error) {
 NSMutableDictionary *authenticatorInputs = [NSMutableDictionary new];
- if (extensions[@"prf"] && extensions[@"prf"][@"eval"]) {
- NSString *base64EncodedFirst = extensions[@"prf"][@"eval"][@"first"];
- NSString *base64EncodedSecond = extensions[@"prf"][@"eval"][@"second"];
+ if (extensions[@"prf"]) {
+ NSDictionary* prf = (NSDictionary*)extensions[@"prf"];
+ NSDictionary* secrets = (NSDictionary*)prf[@"eval"];
+ NSDictionary* evalByCred = (NSDictionary*)prf[@"evalByCredential"];
+ if (evalByCred) {
+ YKFFIDO2PublicKeyCredentialDescriptor *credentialDescriptor = allowList[0];
+ NSString *selectedCredentialId = [credentialDescriptor.credentialId ykf_websafeBase64EncodedString];
+ secrets = evalByCred[selectedCredentialId] ? evalByCred[selectedCredentialId] : secrets;
+ }
+
+ NSString *base64EncodedFirst = secrets[@"first"];
+ NSString *base64EncodedSecond = secrets[@"second"];
 NSData *first = [[[NSData alloc] ykf_initWithWebsafeBase64EncodedString:base64EncodedFirst dataLength:base64EncodedFirst.length] ykf_prfSaltData];
 NSData *second = [[[NSData alloc] ykf_initWithWebsafeBase64EncodedString:base64EncodedSecond dataLength:base64EncodedFirst.length] ykf_prfSaltData];