Nitrokey · robin-nitrokey · Oct 17, 2024 · Jul 31, 2024 · Aug 2, 2024 · Aug 5, 2024
diff --git a/.cargo/config → .cargo/config.toml b/.cargo/config → .cargo/config.toml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [v0.3.8][] (2024-10-17)
+
+[v0.3.8]: https://github.com/Nitrokey/piv-authenticator/releases/tag/v0.3.8
+
+- Encrypt data on external flash ([#57](https://github.com/Nitrokey/piv-authenticator/pull/57))
+
 ## [v0.3.7][] (2024-04-21)
 
 - Bump rsa backend version ([#53][])

diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "piv-authenticator"
-version = "0.3.7"
+version = "0.3.8"
 authors = ["Nicolas Stalder <[email protected]>", "Nitrokey GmbH"]
 edition = "2021"
 license = "Apache-2.0 OR MIT"
@@ -33,10 +33,13 @@ heapless-bytes = "0.3.0"
 subtle = { version = "2", default-features = false }
 trussed-rsa-alloc = { version = "0.2.1", features = ["raw"], optional = true }
 trussed-chunked = "0.1.0"
-trussed-staging = { version = "0.3.0", features = ["chunked"], default-features = false, optional = true }
+trussed-hpke = "0.1.0"
+trussed-wrap-key-to-file = "0.1.0"
+trussed-staging = { version = "0.3.2", features = ["chunked", "hpke", "wrap-key-to-file"], default-features = false, optional = true }
+littlefs2 = "0.4.0"
+cfg-if = "1.0.0"
 
 [dev-dependencies]
-littlefs2 = "0.3.2"
 rand_core = { version = "0.6", features = ["getrandom"] }
 trussed = { version = "0.1.0", features = ["virt"] }
 env_logger = "0.9"
@@ -48,7 +51,7 @@ ron  = "0.8"
 des = "0.8"
 aes = "0.8.2"
 stoppable_thread = "0.2.1"
-expectrl = "0.6.0"
+expectrl = "0.7.0"
 iso7816 = { version = "0.1.2", features = ["std"] }
 
 # Examples
@@ -76,13 +79,17 @@ log-debug = []
 log-warn = []
 log-error = []
 
+dangerous-test-real-card = []
+
 [patch.crates-io]
 trussed = { git = "https://github.com/Nitrokey/trussed" , tag = "v0.1.0-nitrokey.18" }
-littlefs2 = { git = "https://github.com/trussed-dev/littlefs2.git", rev = "ebd27e49ca321089d01d8c9b169c4aeb58ceeeca" }
+littlefs2 = { git = "https://github.com/trussed-dev/littlefs2.git", rev = "498fee7f7b908cb14e6ac18dca8442e19c89c0a9" }
 trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", tag = "v0.3.0"}
 trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", tag = "v0.2.1" }
 trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "chunked-v0.1.0" }
-trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.0" }
+trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "v0.3.2" }
+trussed-hpke = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hpke-v0.1.0" }
+trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" }
 apdu-dispatch = { git = "https://github.com/Nitrokey/apdu-dispatch", tag = "v0.1.2-nitrokey.2" }
 trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.1" }
 usbd-ccid = { git = "https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitrokey.1" }

diff --git a/Makefile b/Makefile
@@ -1,7 +1,11 @@
 .NOTPARALLEL:
 
+-include variables.mk
+
 export RUST_LOG ?= info,cargo_tarpaulin=off
 TEST_FEATURES ?=vpicc,pivy-tests,opensc-tests,rsa
+export PIV_DANGEROUS_TEST_CARD_READER ?= Virtual PCD 00 00
+export PIV_DANGEROUS_TEST_CARD_PIV_SERIAL ?= 04 B2 BB FB 54 40 4A E3 9B B8 6A E3 CA 82 9C 24
 
 .PHONY: build-cortex-m4
 build-cortex-m4:
@@ -11,6 +15,10 @@ build-cortex-m4:
 test:
 	cargo test --features $(TEST_FEATURES)
 
+.PHONY: dangerous-test-real-card
+dangerous-test-real-card:
+	cargo test --features $(TEST_FEATURES),dangerous-test-real-card
+
 .PHONY: check
 check:
 	RUSTLFAGS='-Dwarnings' cargo check --all-features --all-targets

diff --git a/src/container.rs b/src/container.rs
@@ -2,6 +2,8 @@ use core::convert::TryFrom;
 
 use hex_literal::hex;
 
+use littlefs2::{path, path::Path};
+
 macro_rules! enum_subset {
     (
 
@@ -74,10 +76,21 @@ macro_rules! enum_subset {
                 }
             }
         }
+
+        impl $name {
+            #[allow(unused)]
+            pub(crate) fn all() -> &'static [Self] {
+                &[$(
+                    $(#[cfg($inner)])?
+                    Self::$var,
+                )*]
+            }
+        }
     }
 }
 
 pub(crate) use enum_subset;
+use trussed::types::Location;
 
 /// Security condition for the use of a given key.
 pub enum SecurityCondition {
@@ -87,8 +100,23 @@ pub enum SecurityCondition {
     Always,
 }
 
-#[derive(Clone, Copy, Debug, Eq, PartialEq)]
-pub struct RetiredIndex(u8);
+/// Security condition for the use of a given key.
+pub enum KeySecurityCondition {
+    Pin(&'static Path),
+    /// Pin must be checked **just before**
+    PinAlways(&'static Path),
+    Always,
+}
+
+impl From<KeySecurityCondition> for SecurityCondition {
+    fn from(value: KeySecurityCondition) -> Self {
+        match value {
+            KeySecurityCondition::Pin(_) => SecurityCondition::Pin,
+            KeySecurityCondition::PinAlways(_) => SecurityCondition::PinAlways,
+            KeySecurityCondition::Always => SecurityCondition::Always,
+        }
+    }
+}
 
 crate::enum_u8! {
     #[derive(Debug)]
@@ -131,26 +159,70 @@ crate::enum_u8! {
 }
 
 impl KeyReference {
+    #[deprecated]
     pub fn use_security_condition(self) -> SecurityCondition {
         match self {
             Self::SecureMessaging
             | Self::CardAuthentication
-            | Self::PivCardApplicationAdministration
-            | Self::KeyManagement => SecurityCondition::Always,
+            | Self::PivCardApplicationAdministration => SecurityCondition::Always,
             Self::DigitalSignature => SecurityCondition::PinAlways,
             _ => SecurityCondition::Pin,
         }
     }
+
+    pub fn name(self) -> &'static Path {
+        match self {
+            Self::GlobalPin => path!("GlobalPin"),
+            Self::SecureMessaging => path!("SecureMessaging"),
+            Self::ApplicationPin => path!("ApplicationPin"),
+            Self::PinUnblockingKey => path!("PinUnblockingKey"),
+            Self::PrimaryFinger => path!("PrimaryFinger"),
+            Self::SecondaryFinger => path!("SecondaryFinger"),
+            Self::PairingCode => path!("PairingCode"),
+
+            Self::PivAuthentication => path!("PivAuthentication"),
+            Self::PivCardApplicationAdministration => path!("PivCardApplicationAdministration"),
+            Self::DigitalSignature => path!("DigitalSignature"),
+            Self::KeyManagement => path!("KeyManagement"),
+            Self::CardAuthentication => path!("CardAuthentication"),
+
+            Self::Retired01 => path!("Retired01"),
+            Self::Retired02 => path!("Retired02"),
+            Self::Retired03 => path!("Retired03"),
+            Self::Retired04 => path!("Retired04"),
+            Self::Retired05 => path!("Retired05"),
+            Self::Retired06 => path!("Retired06"),
+            Self::Retired07 => path!("Retired07"),
+            Self::Retired08 => path!("Retired08"),
+            Self::Retired09 => path!("Retired09"),
+            Self::Retired10 => path!("Retired10"),
+            Self::Retired11 => path!("Retired11"),
+            Self::Retired12 => path!("Retired12"),
+            Self::Retired13 => path!("Retired13"),
+            Self::Retired14 => path!("Retired14"),
+            Self::Retired15 => path!("Retired15"),
+            Self::Retired16 => path!("Retired16"),
+            Self::Retired17 => path!("Retired17"),
+            Self::Retired18 => path!("Retired18"),
+            Self::Retired19 => path!("Retired19"),
+            Self::Retired20 => path!("Retired20"),
+        }
+    }
 }
 
-macro_rules! impl_use_security_condition {
-    ($($name:ident),*) => {
+macro_rules! impl_sub_enum_methods {
+    ($($name:ident,)*) => {
         $(
             impl $name {
                 pub fn use_security_condition(self) -> SecurityCondition {
                     let tmp: KeyReference = self.into();
+                    #[allow(deprecated)]
                     tmp.use_security_condition()
                 }
+                pub fn name(self) -> &'static Path {
+                    let tmp: KeyReference = self.into();
+                    tmp.name()
+                }
             }
         )*
     };
@@ -191,7 +263,20 @@ enum_subset! {
         Retired18,
         Retired19,
         Retired20,
+    }
+}
+
+impl AsymmetricKeyReference {
+    /// Get the location to store a new key (important for keys that are encrypted and should be generated in volatile stoarge)
+    pub fn storage(self, storage: Location) -> Location {
+        match self {
+            Self::CardAuthentication => storage,
+            _ => Location::Volatile,
+        }
+    }
 
+    pub fn is_encrypted(self) -> bool {
+        !matches!(self, Self::CardAuthentication)
     }
 }
 
@@ -251,12 +336,12 @@ enum_subset! {
     }
 }
 
-impl_use_security_condition!(
+impl_sub_enum_methods!(
     AttestKeyReference,
     AsymmetricKeyReference,
     ChangeReferenceKeyReference,
     VerifyKeyReference,
-    AuthenticateKeyReference
+    AuthenticateKeyReference,
 );
 
 macro_rules! impl_try_from {

diff --git a/src/derp.rs b/src/derp.rs