Add support for missing HW key

CHANGELOG.md

@@ -11,10 +11,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased][]
 
+## [0.1.1][] - 2023-03-06
+
+- Add support for "missing" hw key ([#16][])
+
+[#16]: https://github.com/trussed-dev/trussed-auth/pull/16
+[0.1.1]: https://github.com/trussed-dev/trussed-auth/releases/tag/v0.1.1
+
 ## [0.1.0][] - 2023-03-03
 
 Initial release with PIN handling and key derivation from PINs.
 
-[Unreleased]: https://github.com/trussed-dev/trussed-auth/compare/0.1.0...HEAD
-[0.1.0]: https://github.com/trussed-dev/trussed-auth/releases/tag/0.1.0
+[Unreleased]: https://github.com/trussed-dev/trussed-auth/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/trussed-dev/trussed-auth/releases/tag/v0.1.0
 

Cargo.toml

@@ -3,7 +3,7 @@
 
 [package]
 name = "trussed-auth"
-version = "0.1.0"
+version = "0.1.1"
 authors = ["Nitrokey GmbH <info@nitrokey.com>"]
 edition = "2021"
 repository = "https://github.com/trussed-dev/trussed-auth"

src/backend.rs

@@ -32,6 +32,8 @@ pub const MAX_HW_KEY_LEN: usize = 64;
 #[derive(Clone)]
 enum HardwareKey {
     None,
+    /// Means that the hardware key was not obtainable and that operations depending on it should fail
+    Missing,
     Raw(Bytes<MAX_HW_KEY_LEN>),
     Extracted(Hkdf<Sha256>),
 }
@@ -40,6 +42,7 @@ impl fmt::Debug for HardwareKey {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
             Self::None => f.debug_tuple("None").finish(),
+            Self::Missing => f.debug_tuple("Missing").finish(),
             Self::Raw(_) => f.debug_tuple("Raw").field(&"[redacted]").finish(),
             Self::Extracted(_) => f.debug_tuple("Raw").field(&"[redacted]").finish(),
         }
@@ -89,6 +92,18 @@ impl AuthBackend {
         }
     }
 
+    /// Creates a new `AuthBackend` with a missing hw key
+    ///
+    /// Contrary to [`new`](Self::new) which uses a default `&[]` key, this will make operations depending on the hardware key to fail:
+    /// - [`set_pin`](crate::AuthClient::set_pin) with `derive_key = true`
+    /// - All operations on a pin that was created with `derive_key = true`
+    pub fn with_missing_hw_key(location: Location) -> Self {
+        Self {
+            location,
+            hw_key: HardwareKey::Missing,
+        }
+    }
+
     fn get_global_salt<R: CryptoRng + RngCore>(
         &self,
         trussed_filestore: &mut impl Filestore,
@@ -146,6 +161,7 @@ impl AuthBackend {
     ) -> Result<Key, Error> {
         Ok(match &self.hw_key {
             HardwareKey::Extracted(okm) => Self::expand(okm, &client_id),
+            HardwareKey::Missing => return Err(Error::MissingHwKey),
             HardwareKey::Raw(hw_k) => {
                 let kdf = self.extract(trussed_filestore, Some(hw_k.clone()), rng)?;
                 Self::expand(kdf, &client_id)
@@ -292,6 +308,7 @@ impl ExtensionImpl<AuthExtension> for AuthBackend {
 #[derive(Clone, Copy, Debug)]
 pub(crate) enum Error {
     NotFound,
+    MissingHwKey,
     ReadFailed,
     WriteFailed,
     DeserializationFailed,
@@ -303,6 +320,7 @@ impl From<Error> for trussed::error::Error {
     fn from(error: Error) -> Self {
         match error {
             Error::NotFound => Self::NoSuchKey,
+            Error::MissingHwKey => Self::GeneralError,
             Error::ReadFailed => Self::FilesystemReadFailure,
             Error::WriteFailed => Self::FilesystemWriteFailure,
             Error::DeserializationFailed => Self::ImplementationError,

tests/backend.rs

@@ -64,6 +64,11 @@ mod dispatch {
                 auth: AuthBackend::with_hw_key(Location::Internal, hw_key),
             }
         }
+        pub fn with_missing_hw_key() -> Self {
+            Self {
+                auth: AuthBackend::with_missing_hw_key(Location::Internal),
+            }
+        }
     }
 
     impl ExtensionDispatch for Dispatch {
@@ -175,6 +180,17 @@ fn run_with_hw_key<F: FnOnce(&mut Client)>(
     })
 }
 
+fn run_with_missing_hw_key<F: FnOnce(&mut Client)>(backends: &'static [BackendId<Backend>], f: F) {
+    virt::with_platform(Ram::default(), |platform| {
+        platform.run_client_with_backends(
+            "test",
+            Dispatch::with_missing_hw_key(),
+            backends,
+            |mut client| f(&mut client),
+        )
+    })
+}
+
 fn random_pin() -> trussed_auth::Pin {
     let mut pin = Bytes::new();
     pin.resize_to_capacity();
@@ -318,6 +334,55 @@ fn hw_key_wrapped() {
     )
 }
 
+#[test]
+fn missing_hw_key() {
+    run_with_missing_hw_key(BACKENDS, |client| {
+        let pin1 = Bytes::from_slice(b"12345678").unwrap();
+        let pin2 = Bytes::from_slice(b"123456").unwrap();
+
+        let reply = syscall!(client.has_pin(Pin::User));
+        assert!(!reply.has_pin);
+
+        assert!(try_syscall!(client.set_pin(Pin::User, pin1.clone(), None, true)).is_err());
+
+        let reply = syscall!(client.has_pin(Pin::User));
+        assert!(!reply.has_pin);
+
+        syscall!(client.set_pin(Pin::User, pin1.clone(), None, false));
+
+        let reply = syscall!(client.has_pin(Pin::User));
+        assert!(reply.has_pin);
+        let reply = syscall!(client.has_pin(Pin::Admin));
+        assert!(!reply.has_pin);
+
+        let reply = syscall!(client.pin_retries(Pin::User));
+        assert_eq!(reply.retries, None);
+
+        let reply = syscall!(client.check_pin(Pin::User, pin1.clone()));
+        assert!(reply.success);
+
+        let reply = syscall!(client.pin_retries(Pin::User));
+        assert_eq!(reply.retries, None);
+
+        let reply = syscall!(client.check_pin(Pin::User, pin2));
+        assert!(!reply.success);
+
+        let result = try_syscall!(client.check_pin(Pin::Admin, pin1.clone()));
+        assert!(result.is_err());
+
+        let reply = syscall!(client.pin_retries(Pin::User));
+        assert_eq!(reply.retries, None);
+
+        syscall!(client.delete_pin(Pin::User));
+
+        let result = try_syscall!(client.check_pin(Pin::User, pin1));
+        assert!(result.is_err());
+
+        let result = try_syscall!(client.pin_retries(Pin::User));
+        assert!(result.is_err());
+    })
+}
+
 #[test]
 fn pin_key() {
     run_with_hw_key(