Nitrokey · robin-nitrokey · Jan 20, 2025 · Dec 20, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,34 +16,24 @@ version = "1.8.0"
 # components
 memory-regions = { path = "components/memory-regions" }
 
-# forked
-admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.18" }
-fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git", tag = "v0.1.1-nitrokey.24" }
-trussed = { git = "https://github.com/nitrokey/trussed.git", tag = "v0.1.0-nitrokey.24" }
-
-# unreleased upstream changes
-ctaphid-dispatch = { git = "https://github.com/Nitrokey/ctaphid-dispatch.git", tag = "v0.1.1-nitrokey.3" }
-usbd-ctaphid = { git = "https://github.com/trussed-dev/usbd-ctaphid.git", rev = "dcff9009c3cd1ef9e5b09f8f307aca998fc9a8c8" }
-usbd-ccid = { git = "https://github.com/Nitrokey/usbd-ccid", tag = "v0.2.0-nitrokey.1" }
+# unreleased libraries
 p256-cortex-m4  = { git = "https://github.com/ycrypto/p256-cortex-m4.git", rev = "cdb31e12594b4dc1f045b860a885fdc94d96aee2" }
-
-# unreleased crates
-secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", rev = "fae41aabe63fa674042b3d217d734955f1f2aac2" }
-webcrypt = { git = "https://github.com/nitrokey/nitrokey-websmartcard-rust", tag = "v0.8.0-rc10" }
-opcard = { git = "https://github.com/Nitrokey/opcard-rs", rev = "266176ece535e870f6c6c8f0a303ab329d5d26f3" }
-piv-authenticator = { git = "https://github.com/Nitrokey/piv-authenticator.git", rev = "84ebc022ebacbd1b1964f38f6173010a2fd514f8" }
-trussed-fs-info = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "fs-info-v0.1.0" }
-trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "chunked-v0.1.0" }
-trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "manage-v0.1.0" }
-trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" }
-trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "53eba84d2cd0bcacc3a7096d4b7a2490dcf6f069" }
-trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "c030b82ad3441f337af09afe3a69e8a6da5785ea" }
-trussed-hkdf = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hkdf-v0.2.0" }
-trussed-hpke = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hpke-v0.1.0" }
-trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", tag = "v0.2.1" }
-trussed-usbip = { git = "https://github.com/Nitrokey/pc-usbip-runner.git", tag = "v0.0.1-nitrokey.5" }
-trussed-se050-manage = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", tag = "se050-manage-v0.1.0" }
-trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "9e1570a957b24995e5234d43f24b8f126c5de2e4" }
+trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "6bba8fde36d05c0227769eb63345744e87d84b2b" }
+trussed-usbip = { git = "https://github.com/trussed-dev/pc-usbip-runner.git", rev = "4fe4e4e287dac1d92fcd4f97e8926497bfa9d7a9" }
+
+# applications
+admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.19" }
+fido-authenticator = { git = "https://github.com/Nitrokey/fido-authenticator.git",tag = "v0.1.1-nitrokey.25" }
+opcard = { git = "https://github.com/Nitrokey/opcard-rs", rev = "84fd887ac32b59f3451d1fbee21b04a56b07780b" }
+piv-authenticator = { git = "https://github.com/Nitrokey/piv-authenticator.git", rev = "95408fceeb8035fa055516d9848519a6e54305c5" }
+secrets-app = { git = "https://github.com/Nitrokey/trussed-secrets-app", rev = "01728a5a5cdd825835a1bea00807b8a8e080e2b8" }
+webcrypt = { git = "https://github.com/nitrokey/nitrokey-websmartcard-rust", tag = "v0.8.0-rc11" }
+
+# backends
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "fc53539536d7658c45a492585041742d8cdc45d0" }
+trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "743d9aaa3d8a17d7dbf492bd54dc18ab8fca3dc0" }
+trussed-se050-backend = { git = "https://github.com/Nitrokey/trussed-se050-backend.git", rev = "58b442331e997b0c50525276258d66d069478f15" }
+trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "1e1ca03a3a62ea9b802f4070ea4bce002eeb4bec" }
 
 [profile.release]
 codegen-units = 1

diff --git a/components/apps/Cargo.toml b/components/apps/Cargo.toml
@@ -7,15 +7,16 @@ edition = "2021"
 delog = "0.1"
 apdu-dispatch = "0.3"
 bitflags = "2"
-ctaphid-dispatch = "0.1"
+ctaphid-dispatch = "0.2"
 embedded-hal = "0.2.7"
 heapless = "0.7"
 heapless-bytes = "0.3"
 se05x = { version = "0.1.1", optional = true}
 serde = { version = "1.0.180", default-features = false }
-trussed = { version = "0.1", features = ["serde-extensions"] }
+trussed = { version = "0.1", default-features = false, features = ["crypto-client", "filesystem-client", "management-client", "serde-extensions", "ui-client"] }
+trussed-core = "0.1.0-rc.1"
 trussed-usbip = { version = "0.0.1", default-features = false, features = ["ctaphid"], optional = true }
-usbd-ctaphid = { version = "0.1", optional = true }
+usbd-ctaphid = { version = "0.2", optional = true }
 utils = { path = "../utils" }
 if_chain = "1.0.2"
 littlefs2-core = "0.1"
@@ -27,13 +28,13 @@ trussed-se050-backend = { version = "0.3.6", optional = true }
 trussed-staging = { version = "0.3.2", features = ["wrap-key-to-file", "chunked", "hkdf", "manage", "fs-info"] }
 
 # Extensions
-trussed-chunked = "0.1.0"
-trussed-hkdf = "0.2.0"
-trussed-manage = "0.1.0"
-trussed-se050-manage = { version = "0.1.0", optional = true }
-trussed-wrap-key-to-file = "0.1.0"
-trussed-fs-info = "0.1.0"
-trussed-hpke = "0.1.0"
+trussed-chunked = "0.2.0"
+trussed-hkdf = "0.3.0"
+trussed-manage = "0.2.0"
+trussed-se050-manage = { version = "0.2.0", optional = true }
+trussed-wrap-key-to-file = "0.2.0"
+trussed-fs-info = "0.2.0"
+trussed-hpke = "0.2.0"
 
 # apps
 admin-app = "0.1.0"
@@ -66,11 +67,11 @@ nkpk = ["fido-authenticator", "factory-reset", "trussed/clients-2"]
 nkpk-provisioner = ["nkpk", "provisioner-app", "trussed/clients-3"]
 
 # apps
-secrets-app = ["dep:secrets-app", "backend-auth"]
+secrets-app = ["dep:secrets-app", "backend-auth", "trussed/chacha8-poly1305", "trussed/hmac-sha1", "trussed/hmac-sha256", "trussed/sha256"]
 webcrypt = ["dep:webcrypt", "backend-auth", "backend-rsa"]
-fido-authenticator = ["dep:fido-authenticator", "usbd-ctaphid"]
-opcard = ["dep:opcard", "backend-rsa", "backend-auth"]
-piv-authenticator = ["dep:piv-authenticator", "backend-rsa", "backend-auth"]
+fido-authenticator = ["dep:fido-authenticator", "usbd-ctaphid", "trussed/aes256-cbc", "trussed/certificate-client", "trussed/chacha8-poly1305", "trussed/ed255", "trussed/hmac-sha256", "trussed/p256", "trussed/sha256"]
+opcard = ["dep:opcard", "backend-rsa", "backend-auth", "trussed/aes256-cbc", "trussed/chacha8-poly1305", "trussed/ed255", "trussed/p256", "trussed/shared-secret", "trussed/x255"]
+piv-authenticator = ["dep:piv-authenticator", "backend-rsa", "backend-auth", "trussed/aes256-cbc", "trussed/chacha8-poly1305", "trussed/ed255", "trussed/p256", "trussed/shared-secret", "trussed/tdes", "trussed/x255"]
 se050 = ["dep:se05x", "trussed-se050-backend", "trussed-se050-manage", "admin-app/se050"]
 
 # backends

diff --git a/components/apps/src/lib.rs b/components/apps/src/lib.rs
@@ -8,7 +8,7 @@ const WEBCRYPT_APP_CREDENTIALS_COUNT_LIMIT: u16 = 50;
 use apdu_dispatch::{response::SIZE as ApduResponseSize, App as ApduApp};
 use bitflags::bitflags;
 use core::marker::PhantomData;
-use ctaphid_dispatch::app::App as CtaphidApp;
+use ctaphid_dispatch::{app::App as CtaphidApp, MESSAGE_SIZE as CTAPHID_MESSAGE_SIZE};
 #[cfg(feature = "se050")]
 use embedded_hal::blocking::delay::DelayUs;
 use heapless::Vec;
@@ -32,7 +32,7 @@ use trussed::{
     interrupt::InterruptFlag,
     platform::Syscall,
     store::filestore::ClientFilestore,
-    types::{Location, Path},
+    types::{Location, Mechanism, Path},
     ClientImplementation, Platform, Service,
 };
 
@@ -409,6 +409,44 @@ pub struct Apps<R: Runner> {
     webcrypt: Option<PeekingBypass<'static, FidoApp<R>, WebcryptApp<R>>>,
 }
 
+const fn contains(data: &[Mechanism], item: Mechanism) -> bool {
+    let mut i = 0;
+    while i < data.len() {
+        if data[i].const_eq(item) {
+            return true;
+        }
+        i += 1;
+    }
+    false
+}
+
+/// This function ensures that every mechanism that is enabled in trussed-core is implemented by
+/// at least one backend (trussed or a custom backend).  It panics if it finds an enabled but
+/// unimplemented mechanism.
+const fn validate_mechanisms() {
+    let enabled = Mechanism::ENABLED;
+    let mut i = 0;
+    while i < enabled.len() {
+        let mechanism = enabled[i];
+        i += 1;
+
+        if contains(trussed::types::IMPLEMENTED_MECHANISMS, mechanism) {
+            continue;
+        }
+        #[cfg(feature = "backend-rsa")]
+        if contains(trussed_rsa_alloc::MECHANISMS, mechanism) {
+            continue;
+        }
+        #[cfg(feature = "se050")]
+        if contains(trussed_se050_backend::MECHANISMS, mechanism) {
+            continue;
+        }
+
+        // This mechanism is not implemented by Trussed or any of the backends.
+        mechanism.panic();
+    }
+}
+
 impl<R: Runner> Apps<R> {
     pub fn new<P: Platform>(
         runner: &R,
@@ -421,6 +459,10 @@ impl<R: Runner> Apps<R> {
         ) -> Client<R>,
         data: Data<R>,
     ) -> Self {
+        const {
+            validate_mechanisms();
+        }
+
         let _ = (runner, &mut make_client);
         let Data {
             admin,
@@ -680,9 +722,10 @@ impl<R: Runner> Apps<R> {
 
     pub fn ctaphid_dispatch<F, T>(&mut self, f: F) -> T
     where
-        F: FnOnce(&mut [&mut dyn CtaphidApp<'static>]) -> T,
+        F: FnOnce(&mut [&mut dyn CtaphidApp<'static, CTAPHID_MESSAGE_SIZE>]) -> T,
     {
-        let mut apps: Vec<&mut dyn CtaphidApp<'static>, 4> = Default::default();
+        let mut apps: Vec<&mut dyn CtaphidApp<'static, CTAPHID_MESSAGE_SIZE>, 4> =
+            Default::default();
 
         // App 1: webcrypt or fido
         #[cfg(feature = "webcrypt")]
@@ -741,7 +784,7 @@ where
 
     fn with_ctaphid_apps<T>(
         &mut self,
-        f: impl FnOnce(&mut [&mut dyn CtaphidApp<'static>]) -> T,
+        f: impl FnOnce(&mut [&mut dyn CtaphidApp<'static, CTAPHID_MESSAGE_SIZE>]) -> T,
     ) -> T {
         self.ctaphid_dispatch(f)
     }

diff --git a/components/boards/Cargo.toml b/components/boards/Cargo.toml
@@ -9,7 +9,7 @@ apps = { path = "../apps" }
 cortex-m = "0.7"
 cortex-m-rtic = "1.0"
 cortex-m-rt = "0.6.15"
-ctaphid-dispatch = "0.1"
+ctaphid-dispatch = "0.2"
 delog = "0.1"
 embedded-hal = "0.2.3"
 embedded-time = "0.12"
@@ -23,10 +23,10 @@ rand = { version =  "0.8.5", default-features = false }
 rand_chacha = { version = "0.3.1", default-features = false }
 ref-swap = "0.1.0"
 spi-memory = "0.2.0"
-trussed = "0.1"
+trussed = { version = "0.1", default-features = false }
 usb-device = "0.2"
-usbd-ccid = "0.2"
-usbd-ctaphid = "0.1"
+usbd-ccid = "0.3"
+usbd-ctaphid = "0.2"
 utils = { path = "../utils" }
 
 # soc-lpc55

diff --git a/components/boards/src/init.rs b/components/boards/src/init.rs
@@ -6,7 +6,7 @@ use apdu_dispatch::{
 use apps::AUTH_LOCATION;
 use apps::{AdminData, Data, Dispatch, FidoData, InitStatus};
 
-use ctaphid_dispatch::{dispatch::Dispatch as CtaphidDispatch, types::Channel as CtapChannel};
+use ctaphid_dispatch::{Channel as CtapChannel, Dispatch as CtaphidDispatch};
 #[cfg(not(feature = "no-delog"))]
 use delog::delog;
 use interchange::Channel;

diff --git a/components/boards/src/runtime.rs b/components/boards/src/runtime.rs
@@ -1,5 +1,5 @@
 use apdu_dispatch::dispatch::{ApduDispatch, Interface};
-use ctaphid_dispatch::dispatch::Dispatch as CtaphidDispatch;
+use ctaphid_dispatch::Dispatch as CtaphidDispatch;
 use embedded_time::duration::Milliseconds;
 use nfc_device::{traits::nfc::Device as NfcDevice, Iso14443};
 

diff --git a/components/lfs-backup/Cargo.toml b/components/lfs-backup/Cargo.toml
@@ -15,7 +15,8 @@ heapless = "0.7.16"
 serde = { version = "1.0", default-features = false }
 postcard = "1.0"
 
-trussed = "0.1"
+trussed = { version = "0.1", default-features = false }
+trussed-core = "0.1.0-rc.1"
 
 [dev-dependencies]
 rand = "0.8.5"

diff --git a/components/lfs-backup/src/lfs_backup.rs b/components/lfs-backup/src/lfs_backup.rs
@@ -11,9 +11,10 @@ use serde::{Deserialize, Serialize};
 use heapless::Vec;
 use heapless_bytes::Bytes;
 
-use trussed::config::{MAX_MESSAGE_LENGTH, USER_ATTRIBUTE_NUMBER};
+use trussed::config::USER_ATTRIBUTE_NUMBER;
+use trussed_core::config::MAX_MESSAGE_LENGTH;
 
-use trussed::types::{Message, UserAttribute};
+use trussed_core::types::{Message, UserAttribute};
 
 pub const MAX_FS_DEPTH: usize = 8;
 

diff --git a/components/lfs-backup/src/tests.rs b/components/lfs-backup/src/tests.rs
@@ -6,8 +6,8 @@ use heapless_bytes::Bytes;
 
 use crate::lfs_backup::{BackupBackend, FSBackupError, PathCursor, Result, MAX_FS_DEPTH};
 
-use trussed::config::USER_ATTRIBUTE_NUMBER;
-use trussed::types::UserAttribute;
+use trussed_core::config::USER_ATTRIBUTE_NUMBER;
+use trussed_core::types::UserAttribute;
 
 use std::{
     fs::{remove_file, File},

diff --git a/components/provisioner-app/Cargo.toml b/components/provisioner-app/Cargo.toml
@@ -8,14 +8,14 @@ edition = "2018"
 
 [dependencies]
 apdu-app = "0.1"
-ctaphid-dispatch = "0.1"
+ctaphid-app = "0.1.0-rc.1"
 delog = "0.1"
 heapless = "0.7"
 heapless-bytes = "0.3"
 iso7816 = "0.1"
 littlefs2 = "0.5.0"
 salty = { version = "0.3", features = ["cose"] }
-trussed = "0.1"
+trussed = { version = "0.1", default-features = false, features = ["crypto-client"] }
 p256-cortex-m4 = "0.1.0-alpha.6"
 
 

diff --git a/components/provisioner-app/src/apdu.rs b/components/provisioner-app/src/apdu.rs
@@ -2,7 +2,7 @@ use crate::{Error, Provisioner};
 use apdu_app::{App, CommandView, Data, Interface, Result, Status};
 use core::convert::{TryFrom, TryInto};
 use iso7816::{Aid, Instruction};
-use trussed::{client, store::Store, types::LfsStorage, Client};
+use trussed::{client, store::Store, types::LfsStorage};
 
 const SOLO_PROVISIONER_AID: &[u8] = &[0xA0, 0x00, 0x00, 0x08, 0x47, 0x01, 0x00, 0x00, 0x01];
 
@@ -34,7 +34,7 @@ impl<S, FS, T> iso7816::App for Provisioner<S, FS, T>
 where
     S: Store,
     FS: 'static + LfsStorage,
-    T: Client + client::X255 + client::HmacSha256,
+    T: client::CryptoClient,
 {
     fn aid(&self) -> Aid {
         Aid::new(SOLO_PROVISIONER_AID)
@@ -45,7 +45,7 @@ impl<S, FS, T, const R: usize> App<R> for Provisioner<S, FS, T>
 where
     S: Store,
     FS: 'static + LfsStorage,
-    T: Client + client::X255 + client::HmacSha256,
+    T: client::CryptoClient,
 {
     fn select(
         &mut self,

diff --git a/components/provisioner-app/src/ctaphid.rs b/components/provisioner-app/src/ctaphid.rs
@@ -1,19 +1,16 @@
 use crate::{Instruction, Provisioner};
 use core::convert::TryFrom;
-use ctaphid_dispatch::{
-    app::App,
-    command::{Command, VendorCommand},
-    types::{Error, Message},
-};
-use trussed::{client, store::Store, types::LfsStorage, Client};
+use ctaphid_app::{App, Command, Error, VendorCommand};
+use heapless_bytes::Bytes;
+use trussed::{client, store::Store, types::LfsStorage};
 
 const COMMAND_PROVISIONER: VendorCommand = VendorCommand::H71;
 
-impl<S, FS, T> App<'static> for Provisioner<S, FS, T>
+impl<S, FS, T, const N: usize> App<'_, N> for Provisioner<S, FS, T>
 where
     S: Store,
     FS: 'static + LfsStorage,
-    T: Client + client::X255 + client::HmacSha256,
+    T: client::CryptoClient,
 {
     fn commands(&self) -> &'static [Command] {
         &[Command::Vendor(COMMAND_PROVISIONER)]
@@ -22,8 +19,8 @@ where
     fn call(
         &mut self,
         command: Command,
-        request: &Message,
-        response: &mut Message,
+        request: &[u8],
+        response: &mut Bytes<N>,
     ) -> Result<(), Error> {
         if command != Command::Vendor(COMMAND_PROVISIONER) {
             return Err(Error::InvalidCommand);

diff --git a/components/provisioner-app/src/lib.rs b/components/provisioner-app/src/lib.rs
@@ -29,7 +29,6 @@ use trussed::{
     store::{self, Store},
     syscall,
     types::LfsStorage,
-    Client,
 };
 
 const TESTER_FILENAME_ID: [u8; 2] = [0xe1, 0x01];
@@ -114,7 +113,7 @@ pub struct Provisioner<S, FS, T>
 where
     S: Store,
     FS: 'static + LfsStorage,
-    T: Client + client::X255 + client::HmacSha256,
+    T: client::CryptoClient,
 {
     trussed: T,
 
@@ -134,7 +133,7 @@ impl<S, FS, T> Provisioner<S, FS, T>
 where
     S: Store,
     FS: 'static + LfsStorage,
-    T: Client + client::X255 + client::HmacSha256,
+    T: client::CryptoClient,
 {
     pub fn new(
         trussed: T,

diff --git a/runners/embedded/Cargo.toml b/runners/embedded/Cargo.toml
@@ -23,10 +23,10 @@ utils = { path = "../../components/utils", features = ["storage"] }
 
 ### protocols and dispatchers
 apdu-dispatch = "0.3"
-ctaphid-dispatch = "0.1"
+ctaphid-dispatch = "0.2"
 
 ### trussed core
-trussed = "0.1"
+trussed = { version = "0.1", default-features = false }
 interchange = "0.3"
 
 ### usb machinery