Support new ENDORSEMENT syscalls and clean-up syscall ids and parsing

Author: nroggeman-ledger

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.26.0] 2026-02-13
+
+### Added
+- Support API_LEVEL_26
+- Support new ENDORSEMENT syscalls
+
 ## [0.25.13] 2025-12-09
 
 ### Fix

sdk/bolos_syscalls.h

@@ -21,6 +21,8 @@
 
 #define cx_ecdsa_init_public_key sys_cx_ecfp_init_public_key
 
+#define ENDORSEMENT_HASH_LENGTH CX_SHA256_SIZE
+
 /**********************
  *      TYPEDEFS
  **********************/
@@ -43,7 +45,9 @@ static char CODE_HASH[] = "12345678abcdef0000fedcba8765432";
  *   GLOBAL FUNCTIONS
  **********************/
 
-// Pre API_LEVEL_23 syscalls
+///////////////////////////////////////
+// API_LEVEL_22
+///////////////////////////////////////
 
 unsigned int sys_os_endorsement_get_code_hash(uint8_t *buffer)
 {
@@ -161,7 +165,9 @@ unsigned long sys_os_endorsement_key1_sign_without_code_hash(uint8_t *data,
   return signature[1] + 2;
 }
 
-// API_LEVEL_23 and above
+///////////////////////////////////////
+// API_LEVEL_23 to API_LEVEL_25
+///////////////////////////////////////
 
 bolos_err_t sys_ENDORSEMENT_get_public_key(ENDORSEMENT_slot_t slot,
                                            uint8_t *out_public_key,
@@ -272,3 +278,46 @@ bolos_err_t sys_ENDORSEMENT_get_public_key_certificate(ENDORSEMENT_slot_t slot,
 
   return 0;
 }
+
+///////////////////////////////////////
+// API_LEVEL_26 and above
+///////////////////////////////////////
+
+bolos_err_t sys_ENDORSEMENT_GET_PUB_KEY(ENDORSEMENT_slot_t slot,
+                                        uint8_t *out_public_key,
+                                        size_t *out_public_key_length)
+{
+  uint8_t key_len;
+  bolos_err_t ret =
+      sys_ENDORSEMENT_get_public_key(slot, out_public_key, &key_len);
+  *out_public_key_length = key_len;
+  return ret;
+}
+
+bolos_err_t sys_ENDORSEMENT_KEY1_SIGN_DATA(uint8_t *data, size_t data_length,
+                                           uint8_t *out_signature,
+                                           size_t *out_signature_length)
+{
+  return sys_ENDORSEMENT_key1_sign_data(data, data_length, out_signature,
+                                        out_signature_length);
+}
+
+bolos_err_t sys_ENDORSEMENT_GET_CODE_HASH(uint8_t *out_hash, size_t hash_length)
+{
+  if (!out_hash || (hash_length < ENDORSEMENT_HASH_LENGTH)) {
+    return 1;
+  }
+
+  return sys_ENDORSEMENT_get_code_hash(out_hash);
+}
+
+bolos_err_t sys_ENDORSEMENT_GET_PUB_KEY_SIG(ENDORSEMENT_slot_t slot,
+                                            uint8_t *out_buffer,
+                                            size_t *out_length)
+{
+  uint8_t len;
+  bolos_err_t ret =
+      sys_ENDORSEMENT_get_public_key_certificate(slot, out_buffer, &len);
+  *out_length = len;
+  return ret;
+}

src/bolos/endorsement.c

@@ -33,7 +33,9 @@ typedef enum {
  * GLOBAL PROTOTYPES
  **********************/
 
-/// Legacy syscalls (before API_LEVEL_23)
+///////////////////////////////////////
+// API_LEVEL_22
+///////////////////////////////////////
 
 unsigned long sys_os_endorsement_get_public_key(uint8_t index, uint8_t *buffer);
 
@@ -57,7 +59,9 @@ sys_os_endorsement_get_public_key_certificate(unsigned char index,
 unsigned int sys_os_endorsement_get_public_key_certificate_new(
     unsigned char index, unsigned char *buffer, unsigned char *length);
 
-/// Refactored syscalls (API_LEVEL_23 and above)
+///////////////////////////////////////
+// API_LEVEL_23 to API_LEVEL_25
+///////////////////////////////////////
 
 bolos_err_t sys_ENDORSEMENT_get_public_key(ENDORSEMENT_slot_t slot,
                                            uint8_t *out_public_key,
@@ -68,7 +72,7 @@ bolos_err_t sys_ENDORSEMENT_key1_sign_data(uint8_t *data, uint32_t data_length,
                                            uint32_t *out_signature_length);
 
 bolos_err_t
-sys_ENDORSEMENT_key1_sign_without_code_hash(uint8_t *data, size_t dataLength,
+sys_ENDORSEMENT_key1_sign_without_code_hash(uint8_t *data, uint32_t dataLength,
                                             uint8_t *signature,
                                             uint32_t *out_signature_length);
 
@@ -78,6 +82,25 @@ bolos_err_t sys_ENDORSEMENT_get_public_key_certificate(ENDORSEMENT_slot_t slot,
                                                        uint8_t *out_buffer,
                                                        uint8_t *out_length);
 
+///////////////////////////////////////
+// API_LEVEL_26 and above
+///////////////////////////////////////
+
+bolos_err_t sys_ENDORSEMENT_GET_PUB_KEY(ENDORSEMENT_slot_t slot,
+                                        uint8_t *out_public_key,
+                                        size_t *out_public_key_length);
+
+bolos_err_t sys_ENDORSEMENT_KEY1_SIGN_DATA(uint8_t *data, size_t data_length,
+                                           uint8_t *out_signature,
+                                           size_t *out_signature_length);
+
+bolos_err_t sys_ENDORSEMENT_GET_CODE_HASH(uint8_t *out_hash,
+                                          size_t hash_length);
+
+bolos_err_t sys_ENDORSEMENT_GET_PUB_KEY_SIG(ENDORSEMENT_slot_t slot,
+                                            uint8_t *out_buffer,
+                                            size_t *out_length);
+
 /**********************
  *      MACROS
  **********************/

src/bolos/endorsement.h

@@ -32,14 +32,6 @@ static bolos_err_t get_version(uint8_t *buffer_out, size_t *buffer_out_length);
 static bolos_err_t get_seed_cookie(uint8_t *buffer_out,
                                    size_t *buffer_out_length);
 #endif // HAVE_SEED_COOKIE
-#if defined(DEBUG_OS_STACK_CONSUMPTION)
-static bolos_err_t get_stack_consumption(uint8_t mode, uint8_t *buffer_out,
-                                         size_t *buffer_out_length);
-#endif // DEBUG_OS_STACK_CONSUMPTION
-#if defined(HAVE_LEDGER_PKI)
-static bolos_err_t pki_load_certificate(uint8_t *buffer, size_t buffer_len,
-                                        uint8_t key_usage);
-#endif // HAVE_LEDGER_PKI
 
 /* Exported variables --------------------------------------------------------*/
 
@@ -115,42 +107,6 @@ static bolos_err_t get_seed_cookie(uint8_t *buffer_out,
 }
 #endif // HAVE_SEED_COOKIE
 
-#if defined(DEBUG_OS_STACK_CONSUMPTION)
-static bolos_err_t get_stack_consumption(uint8_t mode, uint8_t *buffer_out,
-                                         size_t *buffer_out_length)
-{
-  bolos_err_t err = 0x6985;
-  int status = os_stack_operations(mode);
-
-  *buffer_out_length = 0;
-  if (status != -1) {
-    U4BE_ENCODE(buffer_out, 0x00, status);
-    *buffer_out_length += 4;
-    err = SWO_SUCCESS;
-  }
-
-  return err;
-}
-#endif // DEBUG_OS_STACK_CONSUMPTION
-
-#if defined(HAVE_LEDGER_PKI)
-static bolos_err_t pki_load_certificate(uint8_t *buffer, size_t buffer_len,
-                                        uint8_t key_usage)
-{
-  bolos_err_t err = 0x6985;
-  cx_ecfp_384_public_key_t public_key;
-
-  err = os_pki_load_certificate(key_usage, buffer, buffer_len, NULL, NULL,
-                                &public_key);
-  if (err == 0) {
-    err = SWO_SUCCESS;
-  }
-  explicit_bzero(&public_key, sizeof(cx_ecfp_384_public_key_t));
-
-  return err;
-}
-#endif // HAVE_LEDGER_PKI
-
 /* Exported functions --------------------------------------------------------*/
 bolos_err_t os_io_handle_default_apdu(uint8_t *buffer_in,
                                       size_t buffer_in_length,
@@ -216,15 +172,6 @@ bolos_err_t os_io_handle_default_apdu(uint8_t *buffer_in,
       }
       break;
 
-#if defined(HAVE_LEDGER_PKI)
-    case DEFAULT_APDU_INS_LOAD_CERTIFICATE:
-      *buffer_out_length = 0;
-      err =
-          pki_load_certificate(&buffer_in[APDU_OFF_LC + 1],
-                               buffer_in[APDU_OFF_LC], buffer_in[APDU_OFF_P1]);
-      break;
-#endif // HAVE_LEDGER_PKI
-
     default:
       err = 0x6e01;
       goto end;