Merge pull request #184 from Nitrokey/apdu-dispatch-020

Update apdu-dispatch and reject calls from contactless interface

CHANGELOG.md

@@ -7,6 +7,32 @@ SPDX-License-Identifier: CC0-1.0
 
 ## Unreleased
 
+### Bugfixes
+
+- Reject all requests over NFC ([#184][])
+- Fix missing state save that could lead to a corrupted state ([#170][])
+- Fix crash when signing more than 1024 bytes ([#174][])
+
+### Changes
+
+- Add variables.mk file ([#177][])
+- Tests: add support for gnupg over pcscd ([#180][])
+- Update CI setup ([#175][] and [#183][])
+- Update delog dependency ([#181][])
+- Fix `sha1collisiondetection ` dependency version ([#179][] and [#182][])
+
+[#184]: https://github.com/Nitrokey/opcard-rs/issues/184
+[#182]: https://github.com/Nitrokey/opcard-rs/issues/182
+[#179]: https://github.com/Nitrokey/opcard-rs/issues/179
+[#181]: https://github.com/Nitrokey/opcard-rs/issues/181
+[#183]: https://github.com/Nitrokey/opcard-rs/issues/183
+[#175]: https://github.com/Nitrokey/opcard-rs/issues/175
+[#180]: https://github.com/Nitrokey/opcard-rs/issues/180
+[#180]: https://github.com/Nitrokey/opcard-rs/issues/180
+[#177]: https://github.com/Nitrokey/opcard-rs/issues/177
+[#170]: https://github.com/Nitrokey/opcard-rs/issues/170
+[#174]: https://github.com/Nitrokey/opcard-rs/issues/174
+
 ## [v1.1.1][] (2023-07-04)
 
 ### Bugfixes

Cargo.toml

@@ -59,7 +59,7 @@ serde_cbor = "0.11"
 hex = { version = "0.4", features = ["serde"] }
 
 # usbip
-trussed-usbip = { git = "https://github.com/trussed-dev/pc-usbip-runner", default-features = false, features = ["ccid"], rev = "f3a680ca4c9a1411838ae0774f1713f79d4c2979" }
+trussed-usbip = { version = "0.0.1", default-features = false, features = ["ccid"] }
 
 [features]
 default = []
@@ -92,6 +92,9 @@ trussed = { git = "https://github.com/trussed-dev/trussed" , rev = "55ea391367fc
 trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", tag = "v0.2.2"}
 trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend", tag = "v0.1.0" }
 trussed-staging = { git = "https://github.com/Nitrokey/trussed-staging", tag = "v0.1.0" }
+apdu-dispatch = { git = "https://github.com/trussed-dev/apdu-dispatch", rev = "915fc237103fcecc29d0f0b73391f19abf6576de" }
+trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", rev = "43655c47e13687f96fab607e6f06b331538c6bfc" }
+usbd-ccid = { git = "https://github.com/trussed-dev/usbd-ccid", rev = "eeea54f85cfa69a43c676b63c030608830ea35ea" }
 
 [package.metadata.docs.rs]
 all-features = true

examples/usbip.rs

@@ -22,7 +22,7 @@ struct OpcardApp {
     opcard: opcard::Card<VirtClient>,
 }
 
-impl trussed_usbip::Apps<VirtClient, Dispatch> for OpcardApp {
+impl trussed_usbip::Apps<'_, VirtClient, Dispatch> for OpcardApp {
     type Data = ();
     fn new<B: ClientBuilder<VirtClient, Dispatch>>(builder: &B, _data: ()) -> Self {
         OpcardApp {

src/card.rs

@@ -91,18 +91,27 @@ impl<T: Client> iso7816::App for Card<T> {
 impl<T: Client, const C: usize, const R: usize> apdu_dispatch::App<C, R> for Card<T> {
     fn select(
         &mut self,
+        interface: apdu_dispatch::dispatch::Interface,
         command: &iso7816::Command<C>,
         reply: &mut heapless::Vec<u8, R>,
     ) -> Result<(), Status> {
+        use apdu_dispatch::dispatch::Interface;
+        if interface != Interface::Contact {
+            return Err(Status::ConditionsOfUseNotSatisfied);
+        }
         self.handle(command, reply)
     }
 
     fn call(
         &mut self,
-        _interface: apdu_dispatch::dispatch::Interface,
+        interface: apdu_dispatch::dispatch::Interface,
         command: &iso7816::Command<C>,
         reply: &mut heapless::Vec<u8, R>,
     ) -> Result<(), Status> {
+        use apdu_dispatch::dispatch::Interface;
+        if interface != Interface::Contact {
+            return Err(Status::ConditionsOfUseNotSatisfied);
+        }
         self.handle(command, reply)
     }
 

src/command/data.rs

@@ -1105,7 +1105,7 @@ fn put_status_bytes<const R: usize, T: crate::card::Client>(
         1 => true,
         _input => {
             warn!("Incorrect PW status byte {_input:x}");
-            return Err(Status::IncorrectDataParameter)?;
+            return Err(Status::IncorrectDataParameter);
         }
     };
 
@@ -1243,7 +1243,7 @@ fn put_arbitrary_user_enc_do<const R: usize, T: crate::card::Client>(
     ctx: LoadedContext<'_, R, T>,
     obj: ArbitraryDO,
 ) -> Result<(), Status> {
-    let Some(k) =ctx.state.volatile.other_verified_kek() else {
+    let Some(k) = ctx.state.volatile.other_verified_kek() else {
         return Err(Status::SecurityStatusNotSatisfied);
     };
     put_arbitrary_enc_do(ctx, obj, k)

src/command/private_key_template.rs

@@ -182,7 +182,7 @@ fn parse_rsa_template(data: &[u8]) -> Option<RsaImportFormat> {
     let mut acc = 0;
     for i in 0..3 {
         let Some(tag) = template.first() else {
-            warn!("Missing template data. Only got up to {:x}", i+0x90);
+            warn!("Missing template data. Only got up to {:x}", i + 0x90);
             return None;
         };
         if *tag != i + 0x91 {

tests/command-response.rs

@@ -133,7 +133,6 @@ fn serialize_len(len: usize) -> heapless::Vec<u8, 3> {
     } else if let Ok(len) = u16::try_from(len) {
         let arr = len.to_be_bytes();
         buf.extend_from_slice(&[0x82, arr[0], arr[1]]).ok();
-    } else {
     }
     buf
 }

tests/crypto-gpg.rs

@@ -30,7 +30,7 @@ fn attr_ec_ask() -> Vec<&'static str> {
     .collect()
 }
 
-#[cfg(any(feature = "rsa2048-gen"))]
+#[cfg(feature = "rsa2048-gen")]
 fn attr_rsa_ask() -> Vec<&'static str> {
     iter::repeat(
         [