Update dependencies for trussed-core and ctaphid-app

Cargo.toml

@@ -9,28 +9,32 @@ description = "Secrets App - a Trussed app to manage OTP and Password Safe featu
 
 [dependencies]
 apdu-app = { version = "0.1",  optional = true }
-ctaphid-dispatch = { version = "0.1", optional = true }
+ctaphid-app = { version = "0.1.0-rc.1", optional = true }
 cbor-smol = "0.5"
 delog = "0.1.6"
-flexiber = { version = "0.1.0", features = ["derive", "heapless"] }
+flexiber = { version = "0.1.1", features = ["derive", "heapless"] }
 heapless = "0.7"
 heapless-bytes = "0.3"
 hex-literal = "0.3"
 iso7816 = "0.1.3"
 littlefs2-core = "0.1"
 serde = { version = "1", default-features = false }
-trussed = { version = "0.1", features = ["clients-3"] }
+trussed-core = { version = "0.1.0-rc.1", features = ["chacha8-poly1305", "crypto-client", "hmac-sha1", "hmac-sha256", "filesystem-client", "sha256", "ui-client"] }
 encrypted_container = { path = "components/encrypted_container" }
 block-padding = "0.3.3"
 bitflags = "2.3.1"
 
 # extension
 trussed-auth = "0.3.0"
 
+[dev-dependencies]
+trussed = { version = "0.1", default-features = false, features = ["clients-3"] }
+
 [features]
 default = ["apdu-dispatch"]
 devel = ["apdu-dispatch", "log-all", "delog/std-log", "devel-counters"]
 apdu-dispatch = ["dep:apdu-app"]
+ctaphid-dispatch = ["dep:ctaphid-app"]
 
 # Count accesses to the read-only and read-write persistence storage
 devel-counters = []
@@ -52,7 +56,5 @@ log-warn = []
 log-error = []
 
 [patch.crates-io]
-ctaphid-dispatch = { git = "https://github.com/Nitrokey/ctaphid-dispatch", tag = "v0.1.1-nitrokey.2" }
-flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" }
-trussed = { git = "https://github.com/trussed-dev/trussed", rev = "046478b7a4f6e2315acf9112d98308379c2e3eee" }
-trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "c030b82ad3441f337af09afe3a69e8a6da5785ea" }
+trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "6bba8fde36d05c0227769eb63345744e87d84b2b" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "fc53539536d7658c45a492585041742d8cdc45d0" }

components/encrypted_container/Cargo.toml

@@ -11,7 +11,7 @@ description = "Universal AEAD Encrypted Container, using CBOR and Chacha8Poly130
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-trussed = { version = "0.1" }
+trussed-core = { version = "0.1.0-rc.1", features = ["chacha8-poly1305", "crypto-client"] }
 heapless = "0.7"
 heapless-bytes = "0.3"
 serde = { version = "1", default-features = false }

components/encrypted_container/src/container.rs

@@ -6,8 +6,9 @@ use cbor_smol::{cbor_deserialize, cbor_serialize};
 use heapless_bytes::Bytes;
 use serde::de::DeserializeOwned;
 use serde::Serialize;
-use trussed::{
+use trussed_core::{
     try_syscall,
+    mechanisms::Chacha8Poly1305,
     types::{KeyId, Message},
 };
 
@@ -110,7 +111,7 @@ impl EncryptedDataContainer {
         encryption_key: KeyId,
     ) -> Result<O>
     where
-        T: trussed::Client + trussed::client::Chacha8Poly1305,
+        T: Chacha8Poly1305,
         O: DeserializeOwned,
     {
         let deserialized_container: EncryptedDataContainer =
@@ -127,7 +128,7 @@ impl EncryptedDataContainer {
         encryption_key: KeyId,
     ) -> Result<EncryptedDataContainer>
     where
-        T: trussed::Client + trussed::client::Chacha8Poly1305,
+        T: Chacha8Poly1305,
         O: Serialize,
     {
         let message = Message::try_from(|buf| {
@@ -148,7 +149,7 @@ impl EncryptedDataContainer {
         encryption_key: KeyId,
     ) -> Result<EncryptedDataContainer>
     where
-        T: trussed::Client + trussed::client::Chacha8Poly1305,
+        T: Chacha8Poly1305,
     {
         #[cfg(dangerous_disable_encryption)]
         {
@@ -187,7 +188,7 @@ impl EncryptedDataContainer {
         encryption_key: KeyId,
     ) -> Result<O>
     where
-        T: trussed::Client + trussed::client::Chacha8Poly1305,
+        T: Chacha8Poly1305,
         O: DeserializeOwned,
     {
         let message = self
@@ -204,7 +205,7 @@ impl EncryptedDataContainer {
         encryption_key: KeyId,
     ) -> Result<Message>
     where
-        T: trussed::Client + trussed::client::Chacha8Poly1305,
+        T: Chacha8Poly1305,
     {
         if self.data.is_empty() {
             return Err(Error::EmptyContainerData);

components/encrypted_container/src/error.rs

@@ -18,25 +18,25 @@ pub enum Error {
 
 pub type Result<T = ()> = core::result::Result<T, Error>;
 
-impl From<Error> for trussed::error::Error {
+impl From<Error> for trussed_core::Error {
     fn from(e: Error) -> Self {
         match e {
             Error::DeserializationToContainerError => {
-                trussed::error::Error::InvalidSerializationFormat
+                trussed_core::Error::InvalidSerializationFormat
             }
             Error::DeserializationToObjectError => {
-                trussed::error::Error::InvalidSerializationFormat
+                trussed_core::Error::InvalidSerializationFormat
             }
-            Error::ObjectSerializationError => trussed::error::Error::InvalidSerializationFormat,
-            Error::ContainerSerializationError => trussed::error::Error::InvalidSerializationFormat,
-            Error::SerializationBufferTooSmall => trussed::error::Error::InternalError,
-            Error::FailedEncryption => trussed::error::Error::InternalError,
+            Error::ObjectSerializationError => trussed_core::Error::InvalidSerializationFormat,
+            Error::ContainerSerializationError => trussed_core::Error::InvalidSerializationFormat,
+            Error::SerializationBufferTooSmall => trussed_core::Error::InternalError,
+            Error::FailedEncryption => trussed_core::Error::InternalError,
             Error::FailedContainerSerialization => {
-                trussed::error::Error::InvalidSerializationFormat
+                trussed_core::Error::InvalidSerializationFormat
             }
-            Error::EmptyContainerData => trussed::error::Error::WrongMessageLength,
-            Error::FailedDecryption => trussed::error::Error::InvalidSerializationFormat,
-            Error::EmptyDecryptedData => trussed::error::Error::WrongMessageLength,
+            Error::EmptyContainerData => trussed_core::Error::WrongMessageLength,
+            Error::FailedDecryption => trussed_core::Error::InvalidSerializationFormat,
+            Error::EmptyDecryptedData => trussed_core::Error::WrongMessageLength,
         }
     }
 }

fuzz/Cargo.toml

@@ -54,15 +54,8 @@ doc = false
 
 
 [patch.crates-io]
-flexiber = { git = "https://github.com/Nitrokey/flexiber", tag = "0.1.1.nitrokey" }
 apdu-dispatch = { git = "https://github.com/trussed-dev/apdu-dispatch.git", rev = "915fc237103fcecc29d0f0b73391f19abf6576de" }
-
-# forked
-trussed = { git = "https://github.com/trussed-dev/trussed", rev = "046478b7a4f6e2315acf9112d98308379c2e3eee" }
-
-# unreleased upstream changes
 ctaphid-dispatch = { git = "https://github.com/Nitrokey/ctaphid-dispatch", tag = "v0.1.1-nitrokey.2" }
-serde-indexed = { git = "https://github.com/nitrokey/serde-indexed.git", tag = "v0.1.0-nitrokey.2" }
+trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "6bba8fde36d05c0227769eb63345744e87d84b2b" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "fc53539536d7658c45a492585041742d8cdc45d0" }
 
-# unreleased crates
-trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "c030b82ad3441f337af09afe3a69e8a6da5785ea" }

src/authenticator.rs

@@ -11,10 +11,14 @@ use core::time::Duration;
 use flexiber::EncodableHeapless;
 use heapless_bytes::Bytes;
 use iso7816::{Data, Status};
-use littlefs2_core::path;
-use trussed::types::Location;
-use trussed::types::{KeyId, Message};
-use trussed::{self, client, syscall, try_syscall};
+use littlefs2_core::{path, PathBuf};
+use trussed_core::types::Location;
+use trussed_core::types::{KeyId, Message};
+use trussed_core::{
+    mechanisms::{Chacha8Poly1305, HmacSha1, HmacSha256, Sha256},
+    CryptoClient, FilesystemClient, UiClient,
+};
+use trussed_core::{syscall, try_syscall};
 
 use crate::calculate::hmac_challenge;
 use crate::command::CredentialData::HmacData;
@@ -31,6 +35,31 @@ use crate::{
 #[cfg(feature = "brute-force-delay")]
 use crate::REQUIRED_DELAY_ON_FAILED_VERIFICATION;
 
+/// The requirements for the Trussed client.
+pub trait Client:
+    CryptoClient
+    + FilesystemClient
+    + UiClient
+    + HmacSha1
+    + HmacSha256
+    + Sha256
+    + Chacha8Poly1305
+    + trussed_auth::AuthClient
+{
+}
+
+impl<T> Client for T where
+    T: CryptoClient
+        + FilesystemClient
+        + UiClient
+        + HmacSha1
+        + HmacSha256
+        + Sha256
+        + Chacha8Poly1305
+        + trussed_auth::AuthClient
+{
+}
+
 /// The options for the authenticator app.
 #[derive(Clone, Copy, Debug)]
 #[non_exhaustive]
@@ -205,17 +234,9 @@ impl AnswerToSelect {
     }
 }
 
-impl<T> Authenticator<T>
-where
-    T: client::Client
-        + client::HmacSha1
-        + client::HmacSha256
-        + client::Sha256
-        + client::Chacha8Poly1305
-        + trussed_auth::AuthClient,
-{
-    fn credential_directory() -> trussed::types::PathBuf {
-        trussed::types::PathBuf::from(path!("cred"))
+impl<T: Client> Authenticator<T> {
+    fn credential_directory() -> PathBuf {
+        PathBuf::from(path!("cred"))
     }
 
     /// Create new Authenticator instance
@@ -401,9 +422,7 @@ where
         for loc in [Location::External, Location::Internal, Location::Volatile] {
             info_now!(":: reset - delete all keys and files in {:?}", loc);
             let _r1 = try_syscall!(self.trussed.delete_all(loc));
-            let _r2 = try_syscall!(self
-                .trussed
-                .remove_dir_all(loc, trussed::types::PathBuf::new()));
+            let _r2 = try_syscall!(self.trussed.remove_dir_all(loc, PathBuf::new()));
             debug_now!(":: reset - results {:?} {:?}", _r1, _r2);
         }
 
@@ -672,7 +691,7 @@ where
         }
     }
 
-    fn filename_for_label(&mut self, label: &[u8]) -> trussed::types::PathBuf {
+    fn filename_for_label(&mut self, label: &[u8]) -> PathBuf {
         let label_hash = syscall!(self.trussed.hash_sha256(label)).hash;
 
         // todo: maybe use a counter instead (put it in our persistent state).
@@ -683,7 +702,7 @@ where
             hex_filename[2 * i + 1] = LOOKUP[(value & 0xF) as usize];
         }
 
-        let filename = trussed::types::PathBuf::try_from(hex_filename.as_ref()).unwrap();
+        let filename = PathBuf::try_from(hex_filename.as_ref()).unwrap();
         let mut path = Self::credential_directory();
         path.push(&filename);
         info_now!("filename: {}", path.as_str_ref_with_trailing_nul());
@@ -1124,7 +1143,7 @@ where
         Ok(())
     }
 
-    fn _debug_trussed_backend_error(_e: trussed::Error, _l: u32) -> Status {
+    fn _debug_trussed_backend_error(_e: trussed_core::Error, _l: u32) -> Status {
         info_now!("Trussed backend error: {:?} (line {:?})", _e, _l);
         Status::UnspecifiedNonpersistentExecutionError
     }
@@ -1229,7 +1248,7 @@ where
         use crate::UP_TIMEOUT_MILLISECONDS;
         let result = syscall!(self.trussed.confirm_user_present(UP_TIMEOUT_MILLISECONDS)).result;
         result.map_err(|err| match err {
-            trussed::types::consent::Error::TimedOut => Status::SecurityStatusNotSatisfied,
+            trussed_core::types::consent::Error::TimedOut => Status::SecurityStatusNotSatisfied,
             _ => Status::UnspecifiedPersistentExecutionError,
         })
     }
@@ -1358,15 +1377,7 @@ impl<T> iso7816::App for Authenticator<T> {
 }
 
 #[cfg(feature = "apdu-dispatch")]
-impl<T, const R: usize> apdu_app::App<R> for Authenticator<T>
-where
-    T: client::Client
-        + client::HmacSha1
-        + client::HmacSha256
-        + client::Sha256
-        + client::Chacha8Poly1305
-        + trussed_auth::AuthClient,
-{
+impl<T: Client, const R: usize> apdu_app::App<R> for Authenticator<T> {
     fn select(
         &mut self,
         _interface: iso7816::Interface,

src/calculate.rs

@@ -8,15 +8,17 @@ use iso7816::Status;
 
 use crate::oath;
 use crate::Result;
-use trussed::types::Signature;
-use trussed::{
-    client, try_syscall,
+use trussed_core::types::Signature;
+use trussed_core::{
+    mechanisms::{HmacSha1, HmacSha256},
+    try_syscall,
     types::{KeyId, Location},
+    CryptoClient,
 };
 
 fn with_key<T, F, O>(trussed: &mut T, key: &[u8], f: F) -> Result<O>
 where
-    T: client::Client,
+    T: CryptoClient,
     F: FnOnce(&mut T, KeyId) -> O,
 {
     let injected = try_syscall!(trussed.unsafe_inject_shared_key(key, Location::Volatile,))
@@ -40,7 +42,7 @@ pub fn calculate<T>(
     key: &[u8],
 ) -> Result<[u8; 4]>
 where
-    T: client::Client + client::HmacSha1 + client::HmacSha256 + client::Sha256,
+    T: HmacSha1 + HmacSha256,
 {
     with_key(trussed, key, |trussed, key| {
         use oath::Algorithm::*;
@@ -71,7 +73,7 @@ pub fn hmac_challenge<T>(
     key: &[u8],
 ) -> Result<Signature>
 where
-    T: client::Client + client::HmacSha1,
+    T: HmacSha1,
 {
     with_key(trussed, key, |trussed, key| {
         use oath::Algorithm::*;

src/credential.rs

@@ -11,7 +11,7 @@ use crate::command::{
 use crate::oath::{Algorithm, Kind};
 use iso7816::Status;
 use serde::{Deserialize, Serialize};
-use trussed::types::ShortData;
+use trussed_core::types::ShortData;
 
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
 pub struct CredentialFlat {