From 46e66c8cd39eee18a91b316db24d6d77b184cf89 Mon Sep 17 00:00:00 2001
From: Robin Krahl <robin@nitrokey.com>
Date: Fri, 20 Dec 2024 12:18:22 +0100
Subject: [PATCH] Use trussed-core

---
 Cargo.toml       | 19 +++++++++++--------
 src/container.rs |  2 +-
 src/lib.rs       | 27 +++++++++++++++------------
 src/piv_types.rs |  2 +-
 src/state.rs     | 16 ++++++++--------
 5 files changed, 36 insertions(+), 30 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index f94dc1e..6629cc3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -13,19 +13,22 @@ required-features = ["vpicc"]
 
 [dependencies]
 apdu-app = { version = "0.1", optional = true }
+cbor-smol = "0.5"
 delog = { version = "0.1.5", optional = true }
 flexiber = { version = "0.1", features = ["derive", "heapless"] }
 heapless = "0.7"
 hex-literal = "0.3"
 iso7816 = "0.1.3"
 serde = { version = "1", default-features = false, features = ["derive"] }
-trussed = { version = "0.1", features = ["serde-extensions"] }
+trussed = { version = "0.1", default-features = false, features = ["aes256-cbc", "chacha8-poly1305", "crypto-client", "ed255", "filesystem-client", "p256", "shared-secret", "serde-extensions", "tdes", "x255"], optional = true }
 trussed-auth = { version = "0.3" }
 untrusted = "0.9"
 vpicc = { version = "0.1.0", optional = true }
 log = "0.4"
 heapless-bytes = "0.3.0"
 subtle = { version = "2", default-features = false }
+# TODO: only enable rsa features when needed
+trussed-core = { version = "0.1.0-rc.1", features = ["aes256-cbc", "chacha8-poly1305", "crypto-client", "ed255", "filesystem-client", "p256", "rsa2048", "rsa4096", "shared-secret", "tdes", "x255"] }
 trussed-rsa-alloc = { version = "0.2.1", features = ["raw"], optional = true }
 trussed-chunked = "0.1.0"
 trussed-hpke = "0.1.0"
@@ -76,13 +79,13 @@ log-error = []
 dangerous-test-real-card = []
 
 [patch.crates-io]
-trussed = { git = "https://github.com/trussed-dev/trussed", rev = "046478b7a4f6e2315acf9112d98308379c2e3eee" }
-trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth.git", rev = "c030b82ad3441f337af09afe3a69e8a6da5785ea" }
-trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", tag = "v0.2.1" }
-trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "chunked-v0.1.0" }
-trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "53eba84d2cd0bcacc3a7096d4b7a2490dcf6f069" }
-trussed-hpke = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "hpke-v0.1.0" }
-trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", tag = "wrap-key-to-file-v0.1.0" }
+trussed = { git = "https://github.com/trussed-dev/trussed", rev = "6bba8fde36d05c0227769eb63345744e87d84b2b" }
+trussed-auth = { git = "https://github.com/trussed-dev/trussed-auth", rev = "fc53539536d7658c45a492585041742d8cdc45d0" }
+trussed-rsa-alloc = { git = "https://github.com/trussed-dev/trussed-rsa-backend.git", rev = "743d9aaa3d8a17d7dbf492bd54dc18ab8fca3dc0" }
+trussed-chunked = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "9355f700831c1a278c334f76382fbf98d82aedcd" }
+trussed-staging = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "9355f700831c1a278c334f76382fbf98d82aedcd" }
+trussed-wrap-key-to-file = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "9355f700831c1a278c334f76382fbf98d82aedcd" }
+trussed-hpke = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "9355f700831c1a278c334f76382fbf98d82aedcd" }
 
 [profile.dev.package.rsa]
 opt-level = 2
diff --git a/src/container.rs b/src/container.rs
index 3e0c6c8..2df0781 100644
--- a/src/container.rs
+++ b/src/container.rs
@@ -90,7 +90,7 @@ macro_rules! enum_subset {
 }
 
 pub(crate) use enum_subset;
-use trussed::types::Location;
+use trussed_core::types::Location;
 
 /// Security condition for the use of a given key.
 pub enum SecurityCondition {
diff --git a/src/lib.rs b/src/lib.rs
index bd1a47c..dc12ea6 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -36,9 +36,10 @@ use core::convert::TryInto;
 use flexiber::EncodableHeapless;
 use heapless_bytes::Bytes;
 use iso7816::{Data, Status};
-use trussed::types::{KeySerialization, Location, PathBuf, StorageAttributes};
-use trussed::{client, syscall, try_syscall};
 use trussed_auth::AuthClient;
+use trussed_core::mechanisms::{Ed255, Tdes};
+use trussed_core::types::{KeySerialization, Location, Mechanism, PathBuf, StorageAttributes};
+use trussed_core::{syscall, try_syscall, CryptoClient, FilesystemClient};
 
 use constants::*;
 
@@ -802,7 +803,7 @@ impl<'a, T: Client> LoadedAuthenticator<'a, T> {
         .shared_secret;
 
         let serialized_secret = syscall!(self.trussed.serialize_key(
-            trussed::types::Mechanism::SharedSecret,
+            Mechanism::SharedSecret,
             shared_secret,
             KeySerialization::Raw
         ))
@@ -888,7 +889,7 @@ impl<'a, T: Client> LoadedAuthenticator<'a, T> {
                 let serialized_key = syscall!(self.trussed.serialize_key(
                     parsed_mechanism.key_mechanism(),
                     public_key,
-                    trussed::types::KeySerialization::Raw
+                    KeySerialization::Raw
                 ))
                 .serialized_key;
                 reply.expand(&[0x7F, 0x49])?;
@@ -907,7 +908,7 @@ impl<'a, T: Client> LoadedAuthenticator<'a, T> {
                 let tmp = syscall!(self.trussed.serialize_key(
                     parsed_mechanism.key_mechanism(),
                     public_key,
-                    trussed::types::KeySerialization::RsaParts
+                    KeySerialization::RsaParts
                 ))
                 .serialized_key;
                 let serialized = RsaPublicParts::deserialize(&tmp).map_err(|_err| {
@@ -1060,7 +1061,7 @@ impl<'a, T: Client> LoadedAuthenticator<'a, T> {
                 let q = tlv::get_do(&[0x02], data).ok_or(Status::IncorrectDataParameter)?;
                 let e = tlv::get_do(&[0x03], data).ok_or(Status::IncorrectDataParameter)?;
                 let id = syscall!(self.trussed.unsafe_inject_key(
-                    trussed::types::Mechanism::Rsa2048Raw,
+                    Mechanism::Rsa2048Raw,
                     &RsaImportFormat { e, p, q }.serialize().map_err(|_err| {
                         error!("Failed rsa import serialization: {_err:?}");
                         Status::UnspecifiedNonpersistentExecutionError
@@ -1085,21 +1086,23 @@ impl<'a, T: Client> LoadedAuthenticator<'a, T> {
 
 /// Super trait with all trussed extensions required by opcard
 pub trait Client:
-    trussed::Client
+    CryptoClient
+    + FilesystemClient
     + AuthClient
     + ChunkedClient
-    + trussed::client::Ed255
-    + client::Tdes
+    + Ed255
+    + Tdes
     + WrapKeyToFileClient
     + HpkeClient
 {
 }
 impl<
-        C: trussed::Client
+        C: CryptoClient
+            + FilesystemClient
             + AuthClient
             + ChunkedClient
-            + trussed::client::Ed255
-            + client::Tdes
+            + Ed255
+            + Tdes
             + WrapKeyToFileClient
             + HpkeClient,
     > Client for C
diff --git a/src/piv_types.rs b/src/piv_types.rs
index 40a6bb9..c869125 100644
--- a/src/piv_types.rs
+++ b/src/piv_types.rs
@@ -3,7 +3,7 @@ use core::convert::{TryFrom, TryInto};
 use flexiber::Encodable;
 use hex_literal::hex;
 use serde::{Deserialize, Serialize};
-use trussed::types::{Mechanism, SignatureSerialization};
+use trussed_core::types::{Mechanism, SignatureSerialization};
 
 #[macro_export]
 macro_rules! enum_u8 {
diff --git a/src/state.rs b/src/state.rs
index fa5ce39..99b2047 100644
--- a/src/state.rs
+++ b/src/state.rs
@@ -5,15 +5,14 @@ use flexiber::EncodableHeapless;
 use heapless::Vec;
 use heapless_bytes::Bytes;
 use iso7816::Status;
-use littlefs2_core::path;
-use trussed::Client;
-use trussed::{
+use littlefs2_core::{path, Path, PathBuf};
+use trussed_chunked::utils;
+use trussed_core::{
     api::reply::Metadata,
     config::MAX_MESSAGE_LENGTH,
     syscall, try_syscall,
-    types::{KeyId, KeySerialization, Location, Mechanism, Path, PathBuf, StorageAttributes},
+    types::{KeyId, KeySerialization, Location, Mechanism, Message, StorageAttributes},
 };
-use trussed_chunked::utils;
 
 use crate::piv_types::CardHolderUniqueIdentifier;
 use crate::reply::Reply;
@@ -292,7 +291,7 @@ pub struct UseValidKey {
 }
 
 impl UseValidKey {
-    pub fn clear(mut self, client: &mut impl Client) {
+    pub fn clear(mut self, client: &mut impl crate::Client) {
         if self.need_clear {
             syscall!(client.clear(self.key));
         }
@@ -906,7 +905,7 @@ impl Persistent {
             return Self::initialize(client, options);
         };
 
-        let mut parsed: Self = trussed::cbor_deserialize(&bytes).map_err(|_err| {
+        let mut parsed: Self = cbor_smol::cbor_deserialize(&bytes).map_err(|_err| {
             error!("{_err:?}");
             Status::UnspecifiedPersistentExecutionError
         })?;
@@ -915,7 +914,8 @@ impl Persistent {
     }
 
     pub fn save(&mut self, client: &mut impl crate::Client) {
-        let data: trussed::types::Message = trussed::cbor_serialize_bytes(&self).unwrap();
+        let mut data = Message::new();
+        cbor_smol::cbor_serialize_to(&self, &mut data).unwrap();
 
         syscall!(client.write_file(self.storage, PathBuf::from(Self::FILENAME), data, None,));
     }