ifd-jcecard 0.2.0

PC/SC IFD Handler for jcecard virtual OpenPGP and PIV smart card
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

//! Security State for OpenPGP card
//!
//! Tracks which PINs have been verified in the current session.

/// Security conditions for OpenPGP card operations
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SecurityCondition {
    /// PW1 verified for signing (mode 81)
    PW1_81,
    /// PW1 verified for decryption/authentication (mode 82)
    PW1_82,
    /// PW3 (admin PIN) verified
    PW3,
}

/// Tracks security state for the current session
pub struct SecurityState {
    /// PW1 verified for signing
    pw1_81_verified: bool,
    /// PW1 verified for decrypt/auth
    pw1_82_verified: bool,
    /// PW3 verified
    pw3_verified: bool,
    /// Whether PW1 verification persists across commands
    pw1_valid_multiple: bool,
}

impl SecurityState {
    /// Create a new security state
    pub fn new() -> Self {
        Self {
            pw1_81_verified: false,
            pw1_82_verified: false,
            pw3_verified: false,
            pw1_valid_multiple: true,
        }
    }

    /// Set a security condition as verified
    pub fn set_verified(&mut self, condition: SecurityCondition) {
        match condition {
            SecurityCondition::PW1_81 => self.pw1_81_verified = true,
            SecurityCondition::PW1_82 => self.pw1_82_verified = true,
            SecurityCondition::PW3 => self.pw3_verified = true,
        }
    }

    /// Check if a security condition is satisfied
    pub fn is_verified(&self, condition: SecurityCondition) -> bool {
        match condition {
            SecurityCondition::PW1_81 => self.pw1_81_verified,
            SecurityCondition::PW1_82 => self.pw1_82_verified,
            SecurityCondition::PW3 => self.pw3_verified,
        }
    }

    /// Clear a specific security condition
    pub fn clear(&mut self, condition: SecurityCondition) {
        match condition {
            SecurityCondition::PW1_81 => self.pw1_81_verified = false,
            SecurityCondition::PW1_82 => self.pw1_82_verified = false,
            SecurityCondition::PW3 => self.pw3_verified = false,
        }
    }

    /// Clear all security conditions (on card reset or power cycle)
    pub fn clear_all(&mut self) {
        self.pw1_81_verified = false;
        self.pw1_82_verified = false;
        self.pw3_verified = false;
    }

    /// Called after a signing operation
    /// If PW1 is not set to "valid for multiple commands", clear PW1_81
    pub fn after_sign(&mut self) {
        if !self.pw1_valid_multiple {
            self.pw1_81_verified = false;
        }
    }

    /// Set whether PW1 verification persists across commands
    pub fn set_pw1_valid_multiple(&mut self, valid: bool) {
        self.pw1_valid_multiple = valid;
    }

    /// Get whether PW1 verification persists across commands
    pub fn pw1_valid_multiple(&self) -> bool {
        self.pw1_valid_multiple
    }
}

impl Default for SecurityState {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_initial_state() {
        let state = SecurityState::new();
        assert!(!state.is_verified(SecurityCondition::PW1_81));
        assert!(!state.is_verified(SecurityCondition::PW1_82));
        assert!(!state.is_verified(SecurityCondition::PW3));
    }

    #[test]
    fn test_set_verified() {
        let mut state = SecurityState::new();
        state.set_verified(SecurityCondition::PW1_81);
        assert!(state.is_verified(SecurityCondition::PW1_81));
        assert!(!state.is_verified(SecurityCondition::PW1_82));
    }

    #[test]
    fn test_clear_all() {
        let mut state = SecurityState::new();
        state.set_verified(SecurityCondition::PW1_81);
        state.set_verified(SecurityCondition::PW3);
        state.clear_all();
        assert!(!state.is_verified(SecurityCondition::PW1_81));
        assert!(!state.is_verified(SecurityCondition::PW3));
    }

    #[test]
    fn test_after_sign_single() {
        let mut state = SecurityState::new();
        state.set_pw1_valid_multiple(false);
        state.set_verified(SecurityCondition::PW1_81);
        state.after_sign();
        assert!(!state.is_verified(SecurityCondition::PW1_81));
    }

    #[test]
    fn test_after_sign_multiple() {
        let mut state = SecurityState::new();
        state.set_pw1_valid_multiple(true);
        state.set_verified(SecurityCondition::PW1_81);
        state.after_sign();
        assert!(state.is_verified(SecurityCondition::PW1_81));
    }
}