Increment the sign counter on signature

Nitrokey · Oct 17, 2022 · 26199cc · 26199cc
1 parent 2e55b4e
commit 26199cc
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 12 deletions.
diff --git a/src/command/pso.rs b/src/command/pso.rs
@@ -43,6 +43,13 @@ pub fn sign<const R: usize, T: trussed::Client>(
     if !ctx.state.internal.pw1_valid_multiple() {
         ctx.state.runtime.sign_verified = false;
     }
+    ctx.state
+        .internal
+        .increment_sign_count(ctx.backend.client_mut())
+        .map_err(|_err| {
+            error!("Failed to increment sign count");
+            Status::UnspecifiedPersistentExecutionError
+        })?;
 
     match ctx.state.internal.sign_alg() {
         SignatureAlgorithm::Ed255 => sign_ec(ctx, key_id, Mechanism::Ed255),

diff --git a/src/state.rs b/src/state.rs
@@ -648,6 +648,15 @@ impl Internal {
         self.sign_count
     }
 
+    pub fn increment_sign_count(&mut self, client: &mut impl trussed::Client) -> Result<(), Error> {
+        self.sign_count += 1;
+        // Sign count is returned on 3 bytes
+        if self.sign_count & 0xffffff == 0 {
+            self.sign_count = 0xffffff;
+        }
+        self.save(client)
+    }
+
     pub fn key_id(&self, ty: KeyType) -> Option<KeyId> {
         match ty {
             KeyType::Sign => self.signing_key,

diff --git a/tests/crypto-gpg-import.rs b/tests/crypto-gpg-import.rs
@@ -268,7 +268,7 @@ fn gpg_255() {
             ],
             &[
                 vec![r"\[GNUPG:\] CARDCTRL \d D2760001240103040000000000000000"],
-                virt::gpg_status(virt::KeyType::Cv25519NoAut),
+                virt::gpg_status(virt::KeyType::Cv25519NoAut, 1),
                 vec![
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
@@ -277,7 +277,7 @@ fn gpg_255() {
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                 ],
                 virt::gpg_inquire_pin(),
-                virt::gpg_status(virt::KeyType::RsaNone),
+                virt::gpg_status(virt::KeyType::RsaNone, 0),
                 vec![r"\[GNUPG:\] GET_LINE cardedit.prompt"],
             ]
             .into_iter()
@@ -546,7 +546,7 @@ fn gpg_p256() {
             ],
             &[
                 vec![r"\[GNUPG:\] CARDCTRL \d D2760001240103040000000000000000"],
-                virt::gpg_status(virt::KeyType::P256NoAut),
+                virt::gpg_status(virt::KeyType::P256NoAut, 1),
                 vec![
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
@@ -555,7 +555,7 @@ fn gpg_p256() {
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                 ],
                 virt::gpg_inquire_pin(),
-                virt::gpg_status(virt::KeyType::RsaNone),
+                virt::gpg_status(virt::KeyType::RsaNone, 0),
                 vec![r"\[GNUPG:\] GET_LINE cardedit.prompt"],
             ]
             .into_iter()

diff --git a/tests/crypto-gpg.rs b/tests/crypto-gpg.rs
@@ -93,7 +93,7 @@ fn gpg_255() {
             ],
             &[
                 vec![r"\[GNUPG:\] CARDCTRL \d D2760001240103040000000000000000"],
-                virt::gpg_status(virt::KeyType::RsaNone,),
+                virt::gpg_status(virt::KeyType::RsaNone,0),
                 vec![
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
@@ -249,7 +249,7 @@ fn gpg_255() {
             ],
             &[
                 vec![r"\[GNUPG:\] CARDCTRL \d D2760001240103040000000000000000"],
-                virt::gpg_status(virt::KeyType::Cv25519),
+                virt::gpg_status(virt::KeyType::Cv25519, 5),
                 vec![
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
@@ -258,7 +258,7 @@ fn gpg_255() {
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                 ],
                 virt::gpg_inquire_pin(),
-                virt::gpg_status(virt::KeyType::RsaNone),
+                virt::gpg_status(virt::KeyType::RsaNone, 0),
                 vec![r"\[GNUPG:\] GET_LINE cardedit.prompt"],
             ]
             .into_iter()
@@ -328,7 +328,7 @@ fn gpg_p256() {
             ],
             &[
                 vec![r"\[GNUPG:\] CARDCTRL \d D2760001240103040000000000000000"],
-                virt::gpg_status(virt::KeyType::RsaNone,),
+                virt::gpg_status(virt::KeyType::RsaNone,0),
                 vec![
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
@@ -486,7 +486,7 @@ fn gpg_p256() {
             ],
             &[
                 vec![r"\[GNUPG:\] CARDCTRL \d D2760001240103040000000000000000"],
-                virt::gpg_status(virt::KeyType::P256),
+                virt::gpg_status(virt::KeyType::P256, 5),
                 vec![
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
@@ -495,7 +495,7 @@ fn gpg_p256() {
                     r"\[GNUPG:\] GET_LINE cardedit.prompt",
                 ],
                 virt::gpg_inquire_pin(),
-                virt::gpg_status(virt::KeyType::RsaNone),
+                virt::gpg_status(virt::KeyType::RsaNone, 0),
                 vec![r"\[GNUPG:\] GET_LINE cardedit.prompt"],
             ]
             .into_iter()

diff --git a/tests/virt/mod.rs b/tests/virt/mod.rs
@@ -74,7 +74,7 @@ pub enum KeyType {
 }
 
 #[allow(unused)]
-pub fn gpg_status(key: KeyType) -> Vec<&'static str> {
+pub fn gpg_status(key: KeyType, sign_count: usize) -> Vec<&'static str> {
     let (first, sec, third, fpr, grp) = match key {
         KeyType::Cv25519 => (
             r"keyattr:1:22:Ed25519:",
@@ -112,6 +112,20 @@ pub fn gpg_status(key: KeyType) -> Vec<&'static str> {
             "grp:[0]{40}:[0]{40}:[0]{40}:",
         ),
     };
+    // FIXME: This seems bad, but still less noisy than using `String` and adding `.to_string()` everywhere
+    let signcount = match sign_count {
+        0 => r"sigcount:0:::",
+        1 => r"sigcount:1:::",
+        2 => r"sigcount:2:::",
+        3 => r"sigcount:3:::",
+        4 => r"sigcount:4:::",
+        5 => r"sigcount:5:::",
+        6 => r"sigcount:6:::",
+        7 => r"sigcount:7:::",
+        8 => r"sigcount:8:::",
+        9 => r"sigcount:9:::",
+        _ => todo!(),
+    };
 
     let fprtimes = r"fprtime:\d*:\d*:\d*:";
 
@@ -131,7 +145,7 @@ pub fn gpg_status(key: KeyType) -> Vec<&'static str> {
         third,
         r"maxpinlen:127:127:127:",
         r"pinretry:3:3:3:",
-        r"sigcount:0:::",
+        signcount,
         r"kdf:off:",
         r"cafpr::::",
         fpr,