From 313aad21daa326c701e914511e64105b3c1be9f0 Mon Sep 17 00:00:00 2001
From: Steffen Vogel
Date: Mon, 9 Dec 2024 16:56:07 +0100
Subject: [PATCH] fix: Pass extended header list as unconstructed TLV

Signed-off-by: Steffen Vogel
---
 key.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/key.go b/key.go
index 8d37f8d..e3a4860 100644
--- a/key.go
+++ b/key.go
@@ -150,7 +150,17 @@ func (c *Card) ImportKey(key KeyRef, skImport crypto.PrivateKey) (crypto.Private
 return nil, ErrUnsupportedKeyType
 }
 
- if err := c.putDataTLV(tlv.New(tagExtendedHeaderList, key.crt(), cpkt, cpk)); err != nil {
+ // We are encoding the extended header list as a byte sequence here
+ // as its tag (0x4d) is a non-constructed BER-TLV tag.
+ // Note: this may be a mistake in the specification.
+ hdrData, err := tlv.EncodeBER(
+ key.crt(), cpkt, cpk,
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ if err := c.putDataTLV(tlv.New(tagExtendedHeaderList, hdrData)); err != nil {
 return nil, fmt.Errorf("failed to import key: %w", err)
 }
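Review bot: The new `tlv.EncodeBER` error path returns `err` bare, while the `putDataTLV` failure just below wraps it as `"failed to import key: %w"`, so a caller of ImportKey gets an encoder error with no hint which step failed. I would wrap it the same way, e.g. `return nil, fmt.Errorf("failed to encode extended header list: %w", err)`. Separately, `hdrData` looks like a second flat copy of the private-key material carried in `cpk` (inferred from the names; the construction of `cpk` is outside the hunk), so it is worth considering zeroing it once `putDataTLV` returns, provided `tlv.New` does not retain the slice. The body of ImportKey starts and ends outside this hunk.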