kmwebnet/OpenSK
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #511 from ia0/attestation_store

Browse Source 
Abstract attestation support
This commit is contained in:
Julien Cretin
2022-07-14 13:27:48 +02:00
committed by GitHub
parent 4736cc63c4 07a28fe611
commit d2377740ab
11 changed files with 278 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
src/api/attestation_store.rs Normal file
View File

@@ -0,0 +1,100 @@
use alloc::vec::Vec;
use persistent_store::{StoreError, StoreUpdate};
use crate::env::Env;
/// Identifies an attestation.
#[derive(Clone, PartialEq, Eq)]
pub enum Id {
Batch,
Enterprise,
}
#[cfg_attr(feature = "std", derive(Debug, PartialEq, Eq))]
pub struct Attestation {
/// ECDSA private key (big-endian).
pub private_key: [u8; 32],
pub certificate: Vec<u8>,
}
/// Stores enterprise or batch attestations.
pub trait AttestationStore {
/// Returns an attestation given its id, if it exists.
///
/// This should always return the attestation. Checking whether it is ok to use the attestation
/// is done in the CTAP library.
fn get(&mut self, id: &Id) -> Result<Option<Attestation>, Error>;
/// Sets the attestation for a given id.
///
/// This function may not be supported.
fn set(&mut self, id: &Id, attestation: Option<&Attestation>) -> Result<(), Error>;
}
/// Attestation store errors.
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
#[non_exhaustive]
pub enum Error {
Storage,
Internal,
NoSupport,
}
/// Keys of the environment store reserved for the attestation store.
pub const STORAGE_KEYS: &[usize] = &[1, 2];
pub fn helper_get(env: &mut impl Env) -> Result<Option<Attestation>, Error> {
let private_key = env.store().find(PRIVATE_KEY_STORAGE_KEY)?;
let certificate = env.store().find(CERTIFICATE_STORAGE_KEY)?;
let (private_key, certificate) = match (private_key, certificate) {
(Some(x), Some(y)) => (x, y),
(None, None) => return Ok(None),
_ => return Err(Error::Internal),
};
if private_key.len() != 32 {
return Err(Error::Internal);
}
Ok(Some(Attestation {
private_key: *array_ref![private_key, 0, 32],
certificate,
}))
}
pub fn helper_set(env: &mut impl Env, attestation: Option<&Attestation>) -> Result<(), Error> {
let updates = match attestation {
None => [
StoreUpdate::Remove {
key: PRIVATE_KEY_STORAGE_KEY,
},
StoreUpdate::Remove {
key: CERTIFICATE_STORAGE_KEY,
},
],
Some(attestation) => [
StoreUpdate::Insert {
key: PRIVATE_KEY_STORAGE_KEY,
value: &attestation.private_key[..],
},
StoreUpdate::Insert {
key: CERTIFICATE_STORAGE_KEY,
value: &attestation.certificate[..],
},
],
};
Ok(env.store().transaction(&updates)?)
}
const PRIVATE_KEY_STORAGE_KEY: usize = STORAGE_KEYS[0];
const CERTIFICATE_STORAGE_KEY: usize = STORAGE_KEYS[1];
impl From<StoreError> for Error {
fn from(error: StoreError) -> Self {
match error {
StoreError::InvalidArgument
| StoreError::NoCapacity
| StoreError::NoLifetime
| StoreError::InvalidStorage => Error::Internal,
StoreError::StorageError => Error::Storage,
}
}
}

1
src/api/mod.rs
View File

@@ -17,6 +17,7 @@
//! The [environment](crate::env::Env) is split into components. Each component has an API described
//! by a trait. This module gathers the API of those components.
pub mod attestation_store;
pub mod connection;
pub mod customization;
pub mod firmware_protection;

13
src/ctap/apdu.rs
View File

@@ -16,6 +16,8 @@ use alloc::vec::Vec;
use byteorder::{BigEndian, ByteOrder};
use core::convert::TryFrom;
use crate::api::attestation_store;
const APDU_HEADER_LEN: usize = 4;
#[derive(Clone, Debug, PartialEq, Eq)]
@@ -44,6 +46,17 @@ impl From<ApduStatusCode> for u16 {
}
}
impl From<attestation_store::Error> for ApduStatusCode {
fn from(error: attestation_store::Error) -> Self {
use attestation_store::Error;
match error {
Error::Storage => ApduStatusCode::SW_MEMERR,
Error::Internal => ApduStatusCode::SW_INTERNAL_EXCEPTION,
Error::NoSupport => ApduStatusCode::SW_INTERNAL_EXCEPTION,
}
}
}
#[allow(dead_code)]
pub enum ApduInstructions {
Select = 0xA4,

41
src/ctap/ctap1.rs
View File

@@ -17,7 +17,7 @@ use super::apdu::{Apdu, ApduStatusCode};
use super::credential_id::{decrypt_credential_id, encrypt_to_credential_id};
use super::crypto_wrapper::PrivateKey;
use super::CtapState;
use crate::ctap::storage;
use crate::api::attestation_store::{self, Attestation, AttestationStore};
use crate::env::Env;
use alloc::vec::Vec;
use arrayref::array_ref;
@@ -258,11 +258,12 @@ impl Ctap1Command {
return Err(Ctap1StatusCode::SW_INTERNAL_EXCEPTION);
}
let certificate = storage::attestation_certificate(env)
.map_err(|_| Ctap1StatusCode::SW_MEMERR)?
.ok_or(Ctap1StatusCode::SW_INTERNAL_EXCEPTION)?;
let private_key = storage::attestation_private_key(env)
.map_err(|_| Ctap1StatusCode::SW_INTERNAL_EXCEPTION)?
let Attestation {
private_key,
certificate,
} = env
.attestation_store()
.get(&attestation_store::Id::Batch)?
.ok_or(Ctap1StatusCode::SW_INTERNAL_EXCEPTION)?;
let mut response = Vec::with_capacity(105 + key_handle.len() + certificate.len());
@@ -346,10 +347,10 @@ impl Ctap1Command {
mod test {
use super::super::credential_id::CBOR_CREDENTIAL_ID_SIZE;
use super::super::data_formats::SignatureAlgorithm;
use super::super::key_material;
use super::*;
use crate::api::customization::Customization;
use crate::clock::TEST_CLOCK_FREQUENCY_HZ;
use crate::ctap::storage;
use crate::env::test::TestEnv;
use crypto::Hash256;
@@ -423,21 +424,13 @@ mod test {
// Certificate and private key are missing
assert_eq!(response, Err(Ctap1StatusCode::SW_INTERNAL_EXCEPTION));
let fake_key = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
assert!(storage::set_attestation_private_key(&mut env, &fake_key).is_ok());
ctap_state.u2f_up_state.consume_up(CtapInstant::new(0));
ctap_state.u2f_up_state.grant_up(CtapInstant::new(0));
let response = Ctap1Command::process_command(
&mut env,
&message,
&mut ctap_state,
CtapInstant::new(0_u64),
);
// Certificate is still missing
assert_eq!(response, Err(Ctap1StatusCode::SW_INTERNAL_EXCEPTION));
let fake_cert = [0x99u8; 100]; // Arbitrary length
assert!(storage::set_attestation_certificate(&mut env, &fake_cert[..]).is_ok());
let attestation = Attestation {
private_key: [0x41; 32],
certificate: vec![0x99; 100],
};
env.attestation_store()
.set(&attestation_store::Id::Batch, Some(&attestation))
.unwrap();
ctap_state.u2f_up_state.consume_up(CtapInstant::new(0));
ctap_state.u2f_up_state.grant_up(CtapInstant::new(0));
let response =
@@ -455,8 +448,8 @@ mod test {
.is_some());
const CERT_START: usize = 67 + CBOR_CREDENTIAL_ID_SIZE;
assert_eq!(
&response[CERT_START..CERT_START + fake_cert.len()],
&fake_cert[..]
&response[CERT_START..][..attestation.certificate.len()],
&attestation.certificate
);
}

104
src/ctap/mod.rs
View File

@@ -64,6 +64,7 @@ use self::status_code::Ctap2StatusCode;
use self::timed_permission::TimedPermission;
#[cfg(feature = "with_ctap1")]
use self::timed_permission::U2fUserPresenceState;
use crate::api::attestation_store::{self, Attestation, AttestationStore};
use crate::api::connection::{HidConnection, SendOrRecvStatus};
use crate::api::customization::Customization;
use crate::api::firmware_protection::FirmwareProtection;
@@ -920,21 +921,31 @@ impl CtapState {
let mut signature_data = auth_data.clone();
signature_data.extend(client_data_hash);
let (signature, x5c) = if env.customization().use_batch_attestation() || ep_att {
let attestation_private_key = storage::attestation_private_key(env)?
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
let attestation_key =
crypto::ecdsa::SecKey::from_bytes(&attestation_private_key).unwrap();
let attestation_certificate = storage::attestation_certificate(env)?
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
(
attestation_key
.sign_rfc6979::<Sha256>(&signature_data)
.to_asn1_der(),
Some(vec![attestation_certificate]),
)
let attestation_id = if ep_att {
Some(attestation_store::Id::Enterprise)
} else if env.customization().use_batch_attestation() {
Some(attestation_store::Id::Batch)
} else {
(private_key.sign_and_encode(env, &signature_data)?, None)
None
};
let (signature, x5c) = match attestation_id {
Some(id) => {
let Attestation {
private_key,
certificate,
} = env
.attestation_store()
.get(&id)?
.ok_or(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)?;
let attestation_key = crypto::ecdsa::SecKey::from_bytes(&private_key).unwrap();
(
attestation_key
.sign_rfc6979::<Sha256>(&signature_data)
.to_asn1_der(),
Some(vec![certificate]),
)
}
None => (private_key.sign_and_encode(env, &signature_data)?, None),
};
let attestation_statement = PackedAttestationStatement {
alg: SignatureAlgorithm::ES256 as i64,
@@ -1341,41 +1352,26 @@ impl CtapState {
if params.attestation_material.is_some() || params.lockdown {
check_user_presence(env, channel)?;
}
// This command is for U2F support and we use the batch attestation there.
let attestation_id = attestation_store::Id::Batch;
// Sanity checks
let current_priv_key = storage::attestation_private_key(env)?;
let current_cert = storage::attestation_certificate(env)?;
let current_attestation = env.attestation_store().get(&attestation_id)?;
let response = match params.attestation_material {
// Only reading values.
None => AuthenticatorVendorConfigureResponse {
cert_programmed: current_cert.is_some(),
pkey_programmed: current_priv_key.is_some(),
cert_programmed: current_attestation.is_some(),
pkey_programmed: current_attestation.is_some(),
},
// Device is already fully programmed. We don't leak information.
Some(_) if current_cert.is_some() && current_priv_key.is_some() => {
AuthenticatorVendorConfigureResponse {
cert_programmed: true,
pkey_programmed: true,
}
}
// Device is partially or not programmed. We complete the process.
Some(data) => {
if let Some(current_cert) = &current_cert {
if current_cert != &data.certificate {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
}
if let Some(current_priv_key) = &current_priv_key {
if current_priv_key != &data.private_key {
return Err(Ctap2StatusCode::CTAP1_ERR_INVALID_PARAMETER);
}
}
if current_cert.is_none() {
storage::set_attestation_certificate(env, &data.certificate)?;
}
if current_priv_key.is_none() {
storage::set_attestation_private_key(env, &data.private_key)?;
// We don't overwrite the attestation if it's already set. We don't return any error
// to not leak information.
if current_attestation.is_none() {
let attestation = Attestation {
private_key: data.private_key,
certificate: data.certificate,
};
env.attestation_store()
.set(&attestation_id, Some(&attestation))?;
}
AuthenticatorVendorConfigureResponse {
cert_programmed: true,
@@ -3148,12 +3144,11 @@ mod test {
))
);
assert_eq!(
storage::attestation_certificate(&mut env).unwrap().unwrap(),
dummy_cert
);
assert_eq!(
storage::attestation_private_key(&mut env).unwrap().unwrap(),
dummy_key
env.attestation_store().get(&attestation_store::Id::Batch),
Ok(Some(Attestation {
private_key: dummy_key,
certificate: dummy_cert.to_vec(),
}))
);
// Try to inject other dummy values and check that initial values are retained.
@@ -3179,12 +3174,11 @@ mod test {
))
);
assert_eq!(
storage::attestation_certificate(&mut env).unwrap().unwrap(),
dummy_cert
);
assert_eq!(
storage::attestation_private_key(&mut env).unwrap().unwrap(),
dummy_key
env.attestation_store().get(&attestation_store::Id::Batch),
Ok(Some(Attestation {
private_key: dummy_key,
certificate: dummy_cert.to_vec(),
}))
);
// Now try to lock the device

13
src/ctap/status_code.rs
View File

@@ -12,8 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use crate::api::key_store;
use crate::api::user_presence::UserPresenceError;
use crate::api::{attestation_store, key_store};
// CTAP specification (version 20190130) section 6.3
// For now, only the CTAP2 codes are here, the CTAP1 are not included.
@@ -100,3 +100,14 @@ impl From<key_store::Error> for Ctap2StatusCode {
Self::CTAP2_ERR_VENDOR_INTERNAL_ERROR
}
}
impl From<attestation_store::Error> for Ctap2StatusCode {
fn from(error: attestation_store::Error) -> Self {
use attestation_store::Error;
match error {
Error::Storage => Self::CTAP2_ERR_VENDOR_HARDWARE_FAILURE,
Error::Internal => Self::CTAP2_ERR_VENDOR_INTERNAL_ERROR,
Error::NoSupport => Self::CTAP2_ERR_VENDOR_INTERNAL_ERROR,
}
}
}

103
src/ctap/storage.rs
View File

@@ -14,6 +14,7 @@
mod key;
use crate::api::attestation_store::{self, AttestationStore};
use crate::api::customization::Customization;
use crate::api::key_store::KeyStore;
use crate::ctap::client_pin::PIN_AUTH_LENGTH;
@@ -437,58 +438,6 @@ pub fn commit_large_blob_array(
)?)
}
/// Returns the attestation private key if defined.
pub fn attestation_private_key(
env: &mut impl Env,
) -> Result<Option<[u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH]>, Ctap2StatusCode> {
match env.store().find(key::ATTESTATION_PRIVATE_KEY)? {
None => Ok(None),
Some(key) if key.len() == key_material::ATTESTATION_PRIVATE_KEY_LENGTH => {
Ok(Some(*array_ref![
key,
0,
key_material::ATTESTATION_PRIVATE_KEY_LENGTH
]))
}
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
}
}
/// Sets the attestation private key.
///
/// If it is already defined, it is overwritten.
pub fn set_attestation_private_key(
env: &mut impl Env,
attestation_private_key: &[u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH],
) -> Result<(), Ctap2StatusCode> {
match env.store().find(key::ATTESTATION_PRIVATE_KEY)? {
None => Ok(env
.store()
.insert(key::ATTESTATION_PRIVATE_KEY, attestation_private_key)?),
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
}
}
/// Returns the attestation certificate if defined.
pub fn attestation_certificate(env: &mut impl Env) -> Result<Option<Vec<u8>>, Ctap2StatusCode> {
Ok(env.store().find(key::ATTESTATION_CERTIFICATE)?)
}
/// Sets the attestation certificate.
///
/// If it is already defined, it is overwritten.
pub fn set_attestation_certificate(
env: &mut impl Env,
attestation_certificate: &[u8],
) -> Result<(), Ctap2StatusCode> {
match env.store().find(key::ATTESTATION_CERTIFICATE)? {
None => Ok(env
.store()
.insert(key::ATTESTATION_CERTIFICATE, attestation_certificate)?),
Some(_) => Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR),
}
}
/// Returns the AAGUID.
pub fn aaguid(env: &mut impl Env) -> Result<[u8; key_material::AAGUID_LENGTH], Ctap2StatusCode> {
let aaguid = env
@@ -546,7 +495,11 @@ pub fn enterprise_attestation(env: &mut impl Env) -> Result<bool, Ctap2StatusCod
/// Marks enterprise attestation as enabled.
pub fn enable_enterprise_attestation(env: &mut impl Env) -> Result<(), Ctap2StatusCode> {
if attestation_private_key(env)?.is_none() || attestation_certificate(env)?.is_none() {
if env
.attestation_store()
.get(&attestation_store::Id::Enterprise)?
.is_none()
{
return Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR);
}
if !enterprise_attestation(env)? {
@@ -696,6 +649,7 @@ fn serialize_min_pin_length_rp_ids(rp_ids: Vec<String>) -> Result<Vec<u8>, Ctap2
#[cfg(test)]
mod test {
use super::*;
use crate::api::attestation_store::{self, Attestation, AttestationStore};
use crate::ctap::crypto_wrapper::PrivateKey;
use crate::ctap::data_formats::{PublicKeyCredentialSource, PublicKeyCredentialType};
use crate::env::test::TestEnv;
@@ -1033,25 +987,26 @@ mod test {
init(&mut env).unwrap();
// Make sure the attestation are absent. There is no batch attestation in tests.
assert!(attestation_private_key(&mut env).unwrap().is_none());
assert!(attestation_certificate(&mut env).unwrap().is_none());
assert_eq!(
env.attestation_store().get(&attestation_store::Id::Batch),
Ok(None)
);
// Make sure the persistent keys are initialized to dummy values.
let dummy_key = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
let dummy_cert = [0xddu8; 20];
set_attestation_private_key(&mut env, &dummy_key).unwrap();
set_attestation_certificate(&mut env, &dummy_cert).unwrap();
let dummy_attestation = Attestation {
private_key: [0x41; key_material::ATTESTATION_PRIVATE_KEY_LENGTH],
certificate: vec![0xdd; 20],
};
env.attestation_store()
.set(&attestation_store::Id::Batch, Some(&dummy_attestation))
.unwrap();
assert_eq!(&aaguid(&mut env).unwrap(), key_material::AAGUID);
// The persistent keys stay initialized and preserve their value after a reset.
reset(&mut env).unwrap();
assert_eq!(
&attestation_private_key(&mut env).unwrap().unwrap(),
&dummy_key
);
assert_eq!(
attestation_certificate(&mut env).unwrap().unwrap(),
&dummy_cert
env.attestation_store().get(&attestation_store::Id::Batch),
Ok(Some(dummy_attestation))
);
assert_eq!(&aaguid(&mut env).unwrap(), key_material::AAGUID);
}
@@ -1187,17 +1142,13 @@ mod test {
fn test_enterprise_attestation() {
let mut env = TestEnv::new();
assert!(!enterprise_attestation(&mut env).unwrap());
assert_eq!(
enable_enterprise_attestation(&mut env),
Err(Ctap2StatusCode::CTAP2_ERR_VENDOR_INTERNAL_ERROR)
);
assert!(!enterprise_attestation(&mut env).unwrap());
let dummy_key = [0x41u8; key_material::ATTESTATION_PRIVATE_KEY_LENGTH];
let dummy_cert = [0xddu8; 20];
set_attestation_private_key(&mut env, &dummy_key).unwrap();
set_attestation_certificate(&mut env, &dummy_cert).unwrap();
let dummy_attestation = Attestation {
private_key: [0x41; key_material::ATTESTATION_PRIVATE_KEY_LENGTH],
certificate: vec![0xdd; 20],
};
env.attestation_store()
.set(&attestation_store::Id::Enterprise, Some(&dummy_attestation))
.unwrap();
assert!(!enterprise_attestation(&mut env).unwrap());
assert_eq!(enable_enterprise_attestation(&mut env), Ok(()));

7
src/ctap/storage/key.rs
View File

@@ -61,11 +61,8 @@ make_partition! {
// WARNING: Keys should not be deleted but prefixed with `_` to avoid accidentally reusing them.
/// The attestation private key.
ATTESTATION_PRIVATE_KEY = 1;
/// The attestation certificate.
ATTESTATION_CERTIFICATE = 2;
/// Reserved for the attestation store implementation of the environment.
_RESERVED_ATTESTATION_STORE = 1..3;
/// The aaguid.
AAGUID = 3;

3
src/env/mod.rs vendored
View File

@@ -12,6 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use crate::api::attestation_store::AttestationStore;
use crate::api::connection::HidConnection;
use crate::api::customization::Customization;
use crate::api::firmware_protection::FirmwareProtection;
@@ -36,11 +37,13 @@ pub trait Env {
type Write: core::fmt::Write;
type Customization: Customization;
type HidConnection: HidConnection;
type AttestationStore: AttestationStore;
fn rng(&mut self) -> &mut Self::Rng;
fn user_presence(&mut self) -> &mut Self::UserPresence;
fn store(&mut self) -> &mut Store<Self::Storage>;
fn key_store(&mut self) -> &mut Self::KeyStore;
fn attestation_store(&mut self) -> &mut Self::AttestationStore;
/// Returns the upgrade storage instance.
///

25
src/env/test/mod.rs vendored
View File

@@ -13,11 +13,12 @@
// limitations under the License.
use self::upgrade_storage::BufferUpgradeStorage;
use crate::api::attestation_store::AttestationStore;
use crate::api::connection::{HidConnection, SendOrRecvResult, SendOrRecvStatus};
use crate::api::customization::DEFAULT_CUSTOMIZATION;
use crate::api::firmware_protection::FirmwareProtection;
use crate::api::key_store;
use crate::api::user_presence::{UserPresence, UserPresenceResult};
use crate::api::{attestation_store, key_store};
use crate::clock::ClockInt;
use crate::env::Env;
use customization::TestCustomization;
@@ -150,11 +151,29 @@ impl FirmwareProtection for TestEnv {
impl key_store::Helper for TestEnv {}
impl AttestationStore for TestEnv {
fn get(
&mut self,
_id: &attestation_store::Id,
) -> Result<Option<attestation_store::Attestation>, attestation_store::Error> {
attestation_store::helper_get(self)
}
fn set(
&mut self,
_id: &attestation_store::Id,
attestation: Option<&attestation_store::Attestation>,
) -> Result<(), attestation_store::Error> {
attestation_store::helper_set(self, attestation)
}
}
impl Env for TestEnv {
type Rng = TestRng256;
type UserPresence = TestUserPresence;
type Storage = BufferStorage;
type KeyStore = Self;
type AttestationStore = Self;
type UpgradeStorage = BufferUpgradeStorage;
type FirmwareProtection = Self;
type Write = TestWrite;
@@ -177,6 +196,10 @@ impl Env for TestEnv {
self
}
fn attestation_store(&mut self) -> &mut Self {
self
}
fn upgrade_storage(&mut self) -> Option<&mut Self::UpgradeStorage> {
self.upgrade_storage.as_mut()
}

31
src/env/tock/mod.rs vendored
View File

@@ -13,11 +13,12 @@
// limitations under the License.
pub use self::storage::{TockStorage, TockUpgradeStorage};
use crate::api::attestation_store::AttestationStore;
use crate::api::connection::{HidConnection, SendOrRecvError, SendOrRecvResult, SendOrRecvStatus};
use crate::api::customization::{CustomizationImpl, DEFAULT_CUSTOMIZATION};
use crate::api::firmware_protection::FirmwareProtection;
use crate::api::key_store;
use crate::api::user_presence::{UserPresence, UserPresenceError, UserPresenceResult};
use crate::api::{attestation_store, key_store};
use crate::clock::{ClockInt, KEEPALIVE_DELAY_MS};
use crate::env::Env;
use core::cell::Cell;
@@ -196,11 +197,35 @@ impl FirmwareProtection for TockEnv {
impl key_store::Helper for TockEnv {}
impl AttestationStore for TockEnv {
fn get(
&mut self,
id: &attestation_store::Id,
) -> Result<Option<attestation_store::Attestation>, attestation_store::Error> {
if !matches!(id, attestation_store::Id::Batch) {
return Err(attestation_store::Error::NoSupport);
}
attestation_store::helper_get(self)
}
fn set(
&mut self,
id: &attestation_store::Id,
attestation: Option<&attestation_store::Attestation>,
) -> Result<(), attestation_store::Error> {
if !matches!(id, attestation_store::Id::Batch) {
return Err(attestation_store::Error::NoSupport);
}
attestation_store::helper_set(self, attestation)
}
}
impl Env for TockEnv {
type Rng = TockRng256;
type UserPresence = Self;
type Storage = TockStorage;
type KeyStore = Self;
type AttestationStore = Self;
type UpgradeStorage = TockUpgradeStorage;
type FirmwareProtection = Self;
type Write = Console;
@@ -223,6 +248,10 @@ impl Env for TockEnv {
self
}
fn attestation_store(&mut self) -> &mut Self {
self
}
fn upgrade_storage(&mut self) -> Option<&mut Self::UpgradeStorage> {
self.upgrade_storage.as_mut()
}