openpgp-card: allow additional status in factory reset

The opcard-rs implementation may return StatusBytes::ExecutionErrorNonVolatileMemoryUnchanged in some circumstances. Also see https://gitlab.com/openpgp-card/openpgp-card/-/issues/70 Fixes #70
2023-09-02 16:46:56 +02:00 · 2023-09-02 16:46:56 +02:00 · 4d5d9e7ee1
commit 4d5d9e7ee1
parent 82662e6d46
2 changed files with 25 additions and 16 deletions
--- a/openpgp-card/src/errors.rs
+++ b/openpgp-card/src/errors.rs
@ -73,6 +73,9 @@ pub enum StatusBytes {
    #[error("Password not checked, {0} allowed retries")]
    PasswordNotChecked(u8),

+    #[error("Execution error with non-volatile memory unchanged")]
+    ExecutionErrorNonVolatileMemoryUnchanged,
+
    #[error("Triggering by the card {0}")]
    TriggeringByCard(u8),

@ -145,6 +148,7 @@ impl From<(u8, u8)> for StatusBytes {

            (0x62, 0x85) => StatusBytes::TerminationState,
            (0x63, 0xC0..=0xCF) => StatusBytes::PasswordNotChecked(status.1 & 0xf),
+            (0x64, 0x00) => StatusBytes::ExecutionErrorNonVolatileMemoryUnchanged,
            (0x64, 0x02..=0x80) => StatusBytes::TriggeringByCard(status.1),
            (0x65, 0x01) => StatusBytes::MemoryFailure,
            (0x66, 0x00) => StatusBytes::SecurityRelatedIssues,
--- a/openpgp-card/src/lib.rs
+++ b/openpgp-card/src/lib.rs
@ -661,15 +661,18 @@ impl<'a> Transaction<'a> {
        log::info!("OpenPgpTransaction: factory_reset");

        // send 4 bad requests to verify pw1
-        // [apdu 00 20 00 81 08 40 40 40 40 40 40 40 40]
        for _ in 0..4 {
-            log::info!("  verify_pw1_81");
-            let verify = commands::verify_pw1_81([0x40; 8].to_vec());
-            let resp = self.send_command(verify, false)?;
-            if !(resp.status() == StatusBytes::SecurityStatusNotSatisfied
-                || resp.status() == StatusBytes::AuthenticationMethodBlocked
-                || matches!(resp.status(), StatusBytes::PasswordNotChecked(_)))
-            {
+            let resp = self.verify_pw1_sign(&[0x40; 8]);
+
+            if !(matches!(
+                resp,
+                Err(Error::CardStatus(StatusBytes::SecurityStatusNotSatisfied))
+                    | Err(Error::CardStatus(StatusBytes::AuthenticationMethodBlocked))
+                    | Err(Error::CardStatus(
+                        StatusBytes::ExecutionErrorNonVolatileMemoryUnchanged
+                    ))
+                    | Err(Error::CardStatus(StatusBytes::PasswordNotChecked(_)))
+            )) {
                return Err(Error::InternalError(
                    "Unexpected status for reset, at pw1.".into(),
                ));
@ -677,16 +680,18 @@ impl<'a> Transaction<'a> {
        }

        // send 4 bad requests to verify pw3
-        // [apdu 00 20 00 83 08 40 40 40 40 40 40 40 40]
        for _ in 0..4 {
-            log::info!("  verify_pw3");
-            let verify = commands::verify_pw3([0x40; 8].to_vec());
-            let resp = self.send_command(verify, false)?;
+            let resp = self.verify_pw3(&[0x40; 8]);

-            if !(resp.status() == StatusBytes::SecurityStatusNotSatisfied
-                || resp.status() == StatusBytes::AuthenticationMethodBlocked
-                || matches!(resp.status(), StatusBytes::PasswordNotChecked(_)))
-            {
+            if !(matches!(
+                resp,
+                Err(Error::CardStatus(StatusBytes::SecurityStatusNotSatisfied))
+                    | Err(Error::CardStatus(StatusBytes::AuthenticationMethodBlocked))
+                    | Err(Error::CardStatus(
+                        StatusBytes::ExecutionErrorNonVolatileMemoryUnchanged
+                    ))
+                    | Err(Error::CardStatus(StatusBytes::PasswordNotChecked(_)))
+            )) {
                return Err(Error::InternalError(
                    "Unexpected status for reset, at pw3.".into(),
                ));