Nitrokey · sosthene-nitrokey · Apr 4, 2023 · Mar 2, 2023 · Mar 2, 2023 · Mar 3, 2023
diff --git a/Cargo.toml b/Cargo.toml
@@ -30,6 +30,7 @@ trussed = "0.1.0"
 trussed-rsa-alloc = { git = "https://github.com/Nitrokey/trussed-rsa-backend", rev = "311d2366f99cc300b03d61e7f6a0a07abd3e8700", optional = true }
 serde_repr = "0.1"
 hex-literal = "0.3.4"
+trussed-auth = "0.1.0"
 
 # optional dependencies
 apdu-dispatch = { version = "0.1", optional = true }
@@ -53,12 +54,16 @@ serde_cbor = "0.11"
 hex = { version = "0.4", features = ["serde"] }
 
 [features]
+default = []
 std = []
-virtual = ["std", "vpicc"]
+virtual = ["std", "vpicc", "virt"]
+virt = ["std", "trussed/virt"]
+
 rsa = ["trussed-rsa-alloc"]
 rsa2048 = ["rsa"]
 rsa4096 = ["rsa2048"]
 rsa4096-gen = ["rsa4096"]
+
 dangerous-test-real-card = []
 
 # used for delog
@@ -71,9 +76,10 @@ log-error = []
 
 [patch.crates-io]
 interchange = { git = "https://github.com/trussed-dev/interchange", rev = "fe5633466640e1e9a8c06d9b5dd1d0af08c272af" }
-p256-cortex-m4 = { git = "https://github.com/Nitrokey/p256-cortex-m4", tag = "v0.1.0-alpha.6-nitrokey-1" }
 littlefs2 = { git = "https://github.com/Nitrokey/littlefs2", tag = "v0.3.2-nitrokey-2" }
+p256-cortex-m4 = { git = "https://github.com/Nitrokey/p256-cortex-m4", tag = "v0.1.0-alpha.6-nitrokey-1" }
 trussed = { git = "https://github.com/Nitrokey/trussed" , tag = "v0.1.0-nitrokey.8" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", tag= "v0.1.0"}
 
 [package.metadata.docs.rs]
 all-features = true

diff --git a/examples/virtual.rs b/examples/virtual.rs
@@ -25,15 +25,10 @@
 
 // TODO: add CLI
 
-#[cfg(not(feature = "rsa"))]
-use trussed::virt::with_ram_client;
-#[cfg(feature = "rsa")]
-use trussed_rsa_alloc::virt::with_ram_client;
-
 fn main() {
     env_logger::init();
 
-    with_ram_client("opcard", |client| {
+    opcard::virt::with_ram_client("opcard", |client| {
         let card = opcard::Card::new(client, opcard::Options::default());
         let mut virtual_card = opcard::VirtualCard::new(card);
         let vpicc = vpicc::connect().expect("failed to connect to vpicc");

diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -25,7 +25,7 @@ log = { version = "0.4", optional = true }
 
 [dependencies.opcard]
 path = ".."
-features = ["virtual"]
+features = ["virt"]
 
 [[bin]]
 name = "fuzz_target_1"

diff --git a/fuzz/fuzz_targets/fuzz_target_1.rs b/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -13,7 +13,7 @@ fuzz_target!(|input: Input| {
     #[cfg(feature = "log")]
     env_logger::builder().is_test(true).try_init().ok();
 
-    trussed::virt::with_ram_client("opcard", move |client| {
+    opcard::virt::with_ram_client("opcard", move |client| {
         let Input {
             commands,
             manufacturer,

diff --git a/src/backend.rs b/src/backend.rs
@@ -10,27 +10,25 @@
 use core::fmt::Debug;
 
 use trussed::try_syscall;
-use trussed::types::Location;
+use trussed_auth::AuthClient;
 
-use crate::command::Password;
 use crate::error::Error;
-use crate::state;
 
 /// Backend that provides data storage and cryptography operations.
 /// Mostly a wrapper around a trussed client
 #[derive(Clone)]
-pub struct Backend<T: trussed::Client> {
+pub struct Backend<T: trussed::Client + AuthClient> {
     client: T,
 }
 
-impl<T: trussed::Client> Debug for Backend<T> {
+impl<T: trussed::Client + AuthClient> Debug for Backend<T> {
     fn fmt(&self, fmt: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
         let Self { client: _client } = self;
         fmt.debug_struct("Backend").finish()
     }
 }
 
-impl<T: trussed::Client> Backend<T> {
+impl<T: trussed::Client + AuthClient> Backend<T> {
     /// Create new backend from a trussed client
     pub fn new(client: T) -> Self {
         Self { client }
@@ -41,19 +39,6 @@ impl<T: trussed::Client> Backend<T> {
         &mut self.client
     }
 
-    /// Checks whether the given value matches the pin of the given type.
-    pub fn verify_pin(
-        &mut self,
-        storage: Location,
-        pin: Password,
-        value: &[u8],
-        state: &mut state::Persistent,
-    ) -> bool {
-        state
-            .verify_pin(&mut self.client, storage, value, pin)
-            .is_ok()
-    }
-
     /// Ask for confirmation of presence from the user with a default timeout of 15 seconds
     pub fn confirm_user_present(&mut self) -> Result<bool, Error> {
         try_syscall!(self.client_mut().confirm_user_present(15_000))

diff --git a/src/card.rs b/src/card.rs
@@ -4,6 +4,7 @@
 use hex_literal::hex;
 use iso7816::Status;
 use trussed::types::Location;
+use trussed_auth::AuthClient;
 
 pub(crate) mod reply;
 
@@ -24,13 +25,13 @@ pub const PGP_SMARTCARD_VERSION: [u8; 2] = [3, 4];
 /// This is the main entry point for this crate.  It takes care of the command handling and state
 /// management.
 #[derive(Clone, Debug)]
-pub struct Card<T: trussed::Client> {
+pub struct Card<T: trussed::Client + AuthClient> {
     backend: Backend<T>,
     options: Options,
     state: State,
 }
 
-impl<T: trussed::Client> Card<T> {
+impl<T: trussed::Client + AuthClient> Card<T> {
     /// Creates a new OpenPGP card with the given backend and options.
     pub fn new(client: T, options: Options) -> Self {
         let state = State::default();
@@ -66,20 +67,29 @@ impl<T: trussed::Client> Card<T> {
 
     /// Resets the state of the card.
     pub fn reset(&mut self) {
+        self.state.volatile.clear(self.backend.client_mut());
         let state = State::default();
         self.state = state;
     }
 }
 
-impl<T: trussed::Client> iso7816::App for Card<T> {
+impl<T: trussed::Client + AuthClient> Drop for Card<T> {
+    fn drop(&mut self) {
+        self.reset()
+    }
+}
+
+impl<T: trussed::Client + AuthClient> iso7816::App for Card<T> {
     fn aid(&self) -> iso7816::Aid {
         // TODO: check truncation length
         iso7816::Aid::new_truncatable(&self.options.aid(), RID.len())
     }
 }
 
 #[cfg(feature = "apdu-dispatch")]
-impl<T: trussed::Client, const C: usize, const R: usize> apdu_dispatch::App<C, R> for Card<T> {
+impl<T: trussed::Client + AuthClient, const C: usize, const R: usize> apdu_dispatch::App<C, R>
+    for Card<T>
+{
     fn select(
         &mut self,
         command: &iso7816::Command<C>,
@@ -162,15 +172,15 @@ impl Default for Options {
 }
 
 #[derive(Debug)]
-pub struct Context<'a, const R: usize, T: trussed::Client> {
+pub struct Context<'a, const R: usize, T: trussed::Client + AuthClient> {
     pub backend: &'a mut Backend<T>,
     pub options: &'a Options,
     pub state: &'a mut State,
     pub data: &'a [u8],
     pub reply: Reply<'a, R>,
 }
 
-impl<'a, const R: usize, T: trussed::Client> Context<'a, R, T> {
+impl<'a, const R: usize, T: trussed::Client + AuthClient> Context<'a, R, T> {
     pub fn load_state(&mut self) -> Result<LoadedContext<'_, R, T>, Status> {
         Ok(LoadedContext {
             state: self
@@ -201,15 +211,15 @@ impl<'a, const R: usize, T: trussed::Client> Context<'a, R, T> {
 
 #[derive(Debug)]
 /// Context with the persistent state loaded from flash
-pub struct LoadedContext<'a, const R: usize, T: trussed::Client> {
+pub struct LoadedContext<'a, const R: usize, T: trussed::Client + AuthClient> {
     pub backend: &'a mut Backend<T>,
     pub options: &'a Options,
     pub state: LoadedState<'a>,
     pub data: &'a [u8],
     pub reply: Reply<'a, R>,
 }
 
-impl<'a, const R: usize, T: trussed::Client> LoadedContext<'a, R, T> {
+impl<'a, const R: usize, T: trussed::Client + AuthClient> LoadedContext<'a, R, T> {
     /// Lend the context
     ///
     /// The resulting `LoadedContext` has a shorter lifetime than the original one, meaning that it