diff --git a/src/backend.rs b/src/backend.rs
index c7ebfdb..894f567 100644
--- a/src/backend.rs
+++ b/src/backend.rs
@@ -328,7 +328,7 @@ impl ExtensionImpl for AuthBackend {
 let salt = get_app_salt(fs, rng, self.location)?;
 let key = expand_app_key(
 &salt,
- &self.get_app_key(client_id, trussed_fs, ctx, rng)?,
+ &self.get_app_key(client_id, global_fs, ctx, rng)?,
 &request.info,
 );
 let key_id = keystore.store_key(
diff --git a/tests/backend.rs b/tests/backend.rs
index 8194806..5b7f4f6 100644
--- a/tests/backend.rs
+++ b/tests/backend.rs
@@ -125,7 +125,7 @@ use trussed::{
 client::{ClientImplementation, FilesystemClient, HmacSha256},
 service::Service,
 syscall, try_syscall,
- types::{Bytes, Location, PathBuf},
+ types::{Bytes, Location, Message, PathBuf},
 virt::{self, Ram},
 };
 use trussed_auth::{AuthClient as _, PinId, MAX_HW_KEY_LEN};
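Review bot: Nothing at the `get_app_key` call in src/backend.rs records why the base key must be read through `global_fs`, and since `trussed_fs` compiled in the same argument position the type system evidently will not catch the same mix-up a second time. If, as the swap suggests, the store decides which base key feeds `expand_app_key`, then application keys handed out before this commit will presumably differ from those derived afterwards, and data MACed or wrapped under the old ones would stop verifying; that deserves a line in the commit message or changelog. I would add a comment above the call along the lines of `// Must be global_fs: a different store yields a different base key and therefore unrelated application keys (confirm against get_app_key)`. The enclosing match arm and function start and end outside the hunk, so how `get_app_key` actually uses the store is not visible here.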
@@ -662,3 +662,30 @@ fn delete_all_pins() {
 assert!(result.is_err());
 })
 }
+
+#[test]
+fn application_key() {
+ run(BACKENDS, |client| {
+ let info1 = Message::from_slice(b"test1").unwrap();
+ let info2 = Message::from_slice(b"test2").unwrap();
+ let app_key1 = syscall!(client.get_application_key(info1.clone())).key;
+ let app_key2 = syscall!(client.get_application_key(info2)).key;
+ let mac1 = syscall!(client.sign_hmacsha256(app_key1, b"Some data")).signature;
+ let mac2 = syscall!(client.sign_hmacsha256(app_key2, b"Some data")).signature;
+ // Different info leads to different keys
+ assert_ne!(mac1, mac2);
+
+ let app_key1_again = syscall!(client.get_application_key(info1.clone())).key;
+ let mac1_again = syscall!(client.sign_hmacsha256(app_key1_again, b"Some data")).signature;
+ // Same info leads to same key
+ assert_eq!(mac1, mac1_again);
+
+ syscall!(client.delete_all_pins());
+
+ // After deletion same info leads to different keys
+ let app_key1_after_delete = syscall!(client.get_application_key(info1)).key;
+ let mac1_after_delete =
+ syscall!(client.sign_hmacsha256(app_key1_after_delete, b"Some data")).signature;
+ assert_ne!(mac1, mac1_after_delete);
+ })
+}
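Review bot: `application_key` drives every call through one `client` in one session, so the "same info leads to same key" assertion would presumably still pass if the backend served the base key from a per-context cache (the `ctx` argument in the src/backend.rs hunk hints at one) without ever reading the intended store. Two properties that a consumer of `get_application_key` relies on are not pinned: that the key for a given `info` survives a fresh client or service instance over the same storage, and that a second client with a different id gets a different key for the same `info`. If the harness behind `run` cannot express those cases, record the gap at the top of the closure, for example `// Covers one client in one session only; persistence across restarts and per-client separation are untested`.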