Add test for wrapped keys

trussed-dev · daringer · Mar 3, 2023 · Feb 16, 2023 · Feb 17, 2023 · Feb 17, 2023
commit 019965468d0820be3876aeafc93e0d1c8db2d593
diff --git a/src/backend.rs b/src/backend.rs
@@ -25,7 +25,8 @@ use crate::{
 };
 use data::{Key, PinData, Salt, SALT_LEN};
 
-const MAX_HW_KEY_LEN: usize = 64;
+/// max accepted length for the hardware initial key material
+pub const MAX_HW_KEY_LEN: usize = 64;
 
 #[derive(Clone)]
 enum HardwareKey {
@@ -81,11 +82,7 @@ impl AuthBackend {
         trussed_filestore
             .read(&path, self.location)
             .or_else(|_| {
-                if trussed_filestore
-                    .metadata(&path, self.location)
-                    .or(Err(Error::ReadFailed))?
-                    .is_some()
-                {
+                if trussed_filestore.exists(&path, self.location) {
                     return Err(Error::ReadFailed);
                 }
 

diff --git a/src/lib.rs b/src/lib.rs
@@ -69,7 +69,7 @@ use trussed::{
     types::{Bytes, PathBuf},
 };
 
-pub use backend::{AuthBackend, AuthContext};
+pub use backend::{AuthBackend, AuthContext, MAX_HW_KEY_LEN};
 pub use extension::{
     reply, request, AuthClient, AuthExtension, AuthReply, AuthRequest, AuthResult,
 };

diff --git a/tests/backend.rs b/tests/backend.rs
@@ -205,6 +205,50 @@ fn basic() {
     })
 }
 
+#[test]
+fn basic_wrapped() {
+    run(BACKENDS, |client| {
+        let pin1 = Bytes::from_slice(b"12345678").unwrap();
+        let pin2 = Bytes::from_slice(b"123456").unwrap();
+
+        let reply = syscall!(client.has_pin(Pin::User));
+        assert!(!reply.has_pin);
+
+        syscall!(client.set_pin(Pin::User, pin1.clone(), None, true));
+
+        let reply = syscall!(client.has_pin(Pin::User));
+        assert!(reply.has_pin);
+        let reply = syscall!(client.has_pin(Pin::Admin));
+        assert!(!reply.has_pin);
+
+        let reply = syscall!(client.pin_retries(Pin::User));
+        assert_eq!(reply.retries, None);
+
+        let reply = syscall!(client.check_pin(Pin::User, pin1.clone()));
+        assert!(reply.success);
+
+        let reply = syscall!(client.pin_retries(Pin::User));
+        assert_eq!(reply.retries, None);
+
+        let reply = syscall!(client.check_pin(Pin::User, pin2));
+        assert!(!reply.success);
+
+        let result = try_syscall!(client.check_pin(Pin::Admin, pin1.clone()));
+        assert!(result.is_err());
+
+        let reply = syscall!(client.pin_retries(Pin::User));
+        assert_eq!(reply.retries, None);
+
+        syscall!(client.delete_pin(Pin::User));
+
+        let result = try_syscall!(client.check_pin(Pin::User, pin1));
+        assert!(result.is_err());
+
+        let result = try_syscall!(client.pin_retries(Pin::User));
+        assert!(result.is_err());
+    })
+}
+
 #[test]
 fn blocked_pin() {
     run(BACKENDS, |client| {