Split backend and extension

Cargo.toml

@@ -1,38 +1,22 @@
 # Copyright (C) Nitrokey GmbH
 # SPDX-License-Identifier: CC0-1.0
 
-[package]
-name = "trussed-auth"
-version = "0.3.0"
+[workspace]
+members = ["backend", "extension"]
+resolver = "2"
+
+[workspace.package]
 authors = ["Nitrokey GmbH <info@nitrokey.com>"]
 edition = "2021"
-repository = "https://github.com/trussed-dev/trussed-auth"
 license = "Apache-2.0 OR MIT"
-description = "Authentication extension and backend for Trussed"
+repository = "https://github.com/trussed-dev/trussed-auth"
 
-[dependencies]
-chacha20poly1305 = { version = "0.10.1", default-features = false, features = ["reduced-round"] }
-hkdf = "0.12.3"
-hmac = "0.12.1"
-rand_core = "0.6.4"
+[workspace.dependencies]
 serde = { version = "1", default-features = false }
-serde-byte-array = "0.1.2"
-sha2 = { version = "0.10.6", default-features = false }
-subtle = { version = "2.4.1", default-features = false }
-trussed = { version = "0.1.0", default-features = false, features = ["serde-extensions"] }
 trussed-core = { version = "0.1.0-rc.1", features = ["serde-extensions"] }
-littlefs2-core = "0.1.0"
-
-[dev-dependencies]
-quickcheck = { version = "1.0.3", default-features = false }
-rand_core = { version = "0.6.4", default-features = false, features = ["getrandom"] }
-serde_test = "1.0.176"
-trussed = { version = "0.1.0", default-features = false, features = ["clients-1", "crypto-client", "filesystem-client", "hmac-sha256", "serde-extensions", "virt"] }
-admin-app = { version = "0.1.0", features = ["migration-tests"] }
-serde_cbor = { version = "0.11.2", features = ["std"] }
-hex-literal = "0.4.1"
 
 [patch.crates-io]
+trussed-auth = { path = "extension" }
+
 trussed = { git = "https://github.com/trussed-dev/trussed.git", rev = "6bba8fde36d05c0227769eb63345744e87d84b2b" }
-trussed-manage = { git = "https://github.com/trussed-dev/trussed-staging.git", rev = "9355f700831c1a278c334f76382fbf98d82aedcd" }
-admin-app = { git = "https://github.com/Nitrokey/admin-app.git", branch = "ctaphid-app" }
+admin-app = { git = "https://github.com/Nitrokey/admin-app.git", tag = "v0.1.0-nitrokey.19" }

Makefile

@@ -3,18 +3,18 @@
 
 .PHONY: check
 check:
-	RUSTLFAGS='-Dwarnings' cargo check --all-features --all-targets
+	RUSTLFAGS='-Dwarnings' cargo check --all-features --all-targets --workspace
 
 .PHONY: lint
 lint:
-	cargo clippy --all-features --all-targets -- --deny warnings
-	cargo fmt -- --check
-	RUSTDOCFLAGS='-Dwarnings' cargo doc --no-deps
+	cargo clippy --all-features --all-targets --workspace -- --deny warnings
+	cargo fmt --all -- --check
+	RUSTDOCFLAGS='-Dwarnings' cargo doc --no-deps --workspace
 	reuse lint
 
 .PHONY: test
 test:
-	cargo test --all-features
+	cargo test --all-features --workspace
 
 .PHONY: ci
 ci: check lint test

README.md

@@ -5,10 +5,14 @@ SPDX-License-Identifier: CC0-1.0
 
 # trussed-auth
 
-`trussed-auth` is an extension and custom backend for [Trussed][] that provides
-basic PIN handling.
+`trussed-auth` is an extension for [Trussed][] that provides basic PIN
+handling.  `trussed-auth-backend` is a Trussed backend implementing that
+extension using the filesystem.  Other implementations are provided by these
+backends:
+- [`trussed-se050-backend`][]
 
 [Trussed]: https://github.com/trussed-dev/trussed
+[`trussed-se050-backend`]: https://github.com/Nitrokey/trussed-se050-backend
 
 ## License
 

backend/CHANGELOG.md

@@ -0,0 +1,23 @@
+<!--
+Copyright (C) Nitrokey GmbH
+SPDX-License-Identifier: CC0-1.0
+-->
+
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Unreleased
+
+Extracted from `trussed-auth` v0.3.0.
+
+### Breaking Changes
+
+- Use serde(rename) to save space on on the size of stored credentials ([#38][])
+- Remove the `dat` intermediary directory in file storage ([#39][])
+- Use `trussed-core` and remove default features for `trussed`
+
+[#38]: https://github.com/trussed-dev/trussed-auth/pull/38
+[#39]: https://github.com/trussed-dev/trussed-auth/pull/39

backend/Cargo.toml

@@ -0,0 +1,35 @@
+# Copyright (C) Nitrokey GmbH
+# SPDX-License-Identifier: CC0-1.0
+
+[package]
+name = "trussed-auth-backend"
+version = "0.1.0"
+description = "Authentication backend for Trussed"
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
+
+[dependencies]
+serde.workspace = true
+trussed-core.workspace = true
+
+chacha20poly1305 = { version = "0.10.1", default-features = false, features = ["reduced-round"] }
+hkdf = "0.12.3"
+hmac = "0.12.1"
+littlefs2-core = "0.1"
+rand_core = "0.6.4"
+serde-byte-array = "0.1.2"
+sha2 = { version = "0.10.6", default-features = false }
+subtle = { version = "2.4.1", default-features = false }
+trussed = { version = "0.1.0", default-features = false, features = ["serde-extensions"] }
+trussed-auth = { version = "0.3.0" }
+
+[dev-dependencies]
+admin-app = { version = "0.1.0", features = ["migration-tests"] }
+hex-literal = "0.4.1"
+quickcheck = { version = "1.0.3", default-features = false }
+rand_core = { version = "0.6.4", default-features = false, features = ["getrandom"] }
+serde_cbor = { version = "0.11.2", features = ["std"] }
+serde_test = "1.0.176"
+trussed = { version = "0.1.0", default-features = false, features = ["clients-1", "crypto-client", "filesystem-client", "hmac-sha256", "serde-extensions", "virt"] }

src/backend/data.rs → backend/src/data.rs

@@ -18,7 +18,7 @@ use trussed::{
 };
 
 use super::Error;
-use crate::{Pin, PinId, MAX_PIN_LENGTH};
+use trussed_auth::{Pin, PinId, MAX_PIN_LENGTH};
 
 const APP_SALT_PATH: &Path = path!("application_salt");
 

src/backend.rs → backend/src/lib.rs

@@ -1,8 +1,28 @@
 // Copyright (C) Nitrokey GmbH
 // SPDX-License-Identifier: Apache-2.0 or MIT
 
+#![no_std]
+#![warn(
+    missing_debug_implementations,
+    missing_docs,
+    non_ascii_idents,
+    trivial_casts,
+    unused,
+    unused_qualifications,
+    clippy::expect_used,
+    clippy::unwrap_used
+)]
+#![deny(unsafe_code)]
+
+//! A Trussed backend implementing the [`AuthExtension`][].
+//!
+//! [`AuthBackend`][] is an implementation of the [`AuthExtension`][] that stores PINs in the
+//! filesystem.
+
 mod data;
 
+pub mod migrate;
+
 use core::fmt;
 
 use hkdf::Hkdf;
@@ -20,15 +40,11 @@ use trussed::{
     types::{CoreContext, Location},
     Bytes,
 };
+use trussed_auth::{reply, AuthExtension, AuthReply, AuthRequest};
 
-use crate::{
-    backend::data::{expand_app_key, get_app_salt},
-    extension::{reply, AuthExtension, AuthReply, AuthRequest},
-    BACKEND_DIR,
-};
-use data::{Key, PinData, Salt, KEY_LEN, SALT_LEN};
+use data::{delete_app_salt, expand_app_key, get_app_salt, Key, PinData, Salt, KEY_LEN, SALT_LEN};
 
-use self::data::delete_app_salt;
+const BACKEND_DIR: &Path = path!("backend-auth");
 
 /// max accepted length for the hardware initial key material
 pub const MAX_HW_KEY_LEN: usize = 64;
@@ -116,7 +132,7 @@ impl AuthBackend {
     /// Creates a new `AuthBackend` with a missing hw key
     ///
     /// Contrary to [`new`](Self::new) which uses a default `&[]` key, this will make operations depending on the hardware key to fail:
-    /// - [`set_pin`](crate::AuthClient::set_pin) with `derive_key = true`
+    /// - [`set_pin`](trussed_auth::AuthClient::set_pin) with `derive_key = true`
     /// - All operations on a pin that was created with `derive_key = true`
     pub fn with_missing_hw_key(location: Location, layout: FilesystemLayout) -> Self {
         Self {
@@ -412,7 +428,7 @@ impl ExtensionImpl<AuthExtension> for AuthBackend {
 }
 
 #[derive(Clone, Copy, Debug)]
-pub(crate) enum Error {
+enum Error {
     NotFound,
     MissingHwKey,
     ReadFailed,

src/migrate.rs → backend/src/migrate.rs

@@ -35,7 +35,7 @@ fn migrate_single(fs: &dyn DynFilesystem, path: &Path) -> Result<(), Error> {
 ///
 /// ```rust
 ///# use littlefs2_core::{DynFilesystem, Error, path};
-///# use trussed_auth::migrate::migrate_remove_dat;
+///# use trussed_auth_backend::migrate::migrate_remove_dat;
 ///# fn test(fs: &dyn DynFilesystem) -> Result<(), Error> {
 /// migrate_remove_dat(fs, &[path!("secrets"), path!("opcard")])?;
 ///#     Ok(())

tests/backend.rs → backend/tests/backend.rs

@@ -11,7 +11,8 @@ mod dispatch {
         service::ServiceResources,
         types::{Bytes, Context, Location},
     };
-    use trussed_auth::{AuthBackend, AuthContext, AuthExtension, MAX_HW_KEY_LEN};
+    use trussed_auth::AuthExtension;
+    use trussed_auth_backend::{AuthBackend, AuthContext, MAX_HW_KEY_LEN};
 
     pub const BACKENDS: &[BackendId<Backend>] =
         &[BackendId::Custom(Backend::Auth), BackendId::Core];
@@ -55,7 +56,10 @@ mod dispatch {
     impl Dispatch {
         pub fn new() -> Self {
             Self {
-                auth: AuthBackend::new(Location::Internal, trussed_auth::FilesystemLayout::V0),
+                auth: AuthBackend::new(
+                    Location::Internal,
+                    trussed_auth_backend::FilesystemLayout::V0,
+                ),
             }
         }
 
@@ -64,15 +68,15 @@ mod dispatch {
                 auth: AuthBackend::with_hw_key(
                     Location::Internal,
                     hw_key,
-                    trussed_auth::FilesystemLayout::V0,
+                    trussed_auth_backend::FilesystemLayout::V0,
                 ),
             }
         }
         pub fn with_missing_hw_key() -> Self {
             Self {
                 auth: AuthBackend::with_missing_hw_key(
                     Location::Internal,
-                    trussed_auth::FilesystemLayout::V0,
+                    trussed_auth_backend::FilesystemLayout::V0,
                 ),
             }
         }
@@ -136,7 +140,8 @@ use trussed::{
     types::{Bytes, Location, Message, PathBuf},
     virt::{self, Ram},
 };
-use trussed_auth::{AuthClient as _, PinId, MAX_HW_KEY_LEN};
+use trussed_auth::{AuthClient as _, PinId};
+use trussed_auth_backend::MAX_HW_KEY_LEN;
 
 use dispatch::{Backend, Dispatch, BACKENDS};
 

CHANGELOG.md → extension/CHANGELOG.md

@@ -11,14 +11,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased][]
 
-- Use serde(rename) to save space on on the size of stored credentials ([#38][])
-- Remove the `dat` intermediary directory in file storage ([#39][])
-- Use `trussed-core` and remove default features for `trussed`
+[Unreleased]: https://github.com/trussed-dev/trussed-auth/compare/v0.3.0...HEAD
 
-[#38]: https://github.com/trussed-dev/trussed-auth/pull/38
-[#39]: https://github.com/trussed-dev/trussed-auth/pull/39
+### Breaking Changes
 
-[Unreleased]: https://github.com/trussed-dev/trussed-auth/compare/v0.3.0...HEAD
+- Extract `AuthBackend` into `trussed-auth-backend` crate
+- Use `trussed-core` and remove default features for `trussed`
 
 ## [0.3.0][] - 2024-03-22
 

extension/Cargo.toml

@@ -0,0 +1,18 @@
+# Copyright (C) Nitrokey GmbH
+# SPDX-License-Identifier: CC0-1.0
+
+[package]
+name = "trussed-auth"
+version = "0.3.0"
+description = "Authentication extension for Trussed"
+authors.workspace = true
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
+
+[dependencies]
+serde.workspace = true
+trussed-core.workspace = true
+
+[dev-dependencies]
+heapless-bytes = "0.3"