IOS-8949 Ability to enable encryption for specific commands (#398)

tureck1y · web-flow · commit f429d3b3d6e3 · 2025-01-28T20:19:08.000Z
diff --git a/Example/TangemSdkExample/AppModel.swift b/Example/TangemSdkExample/AppModel.swift
@@ -58,13 +58,18 @@ class AppModel: ObservableObject {
         config.handleErrors = self.handleErrors
         config.filter.allowedCardTypes = FirmwareVersion.FirmwareType.allCases
         config.accessCodeRequestPolicy = accessCodeRequestPolicy
+
+        var loggers: [TangemSdkLogger] = [ConsoleLogger()]
+
         if displayLogs {
-            config.logConfig = .custom(logLevel: Log.Level.allCases,
-                                       loggers: [ConsoleLogger(), logger])
-        } else {
-            config.logConfig = .verbose
+            loggers.append(logger)
         }
 
+        config.logConfig = .custom(
+            logLevel: Log.Level.allCases,
+            loggers: [ConsoleLogger(), logger]
+        )
+
         config.defaultDerivationPaths = [
             .secp256k1: [try! DerivationPath(rawPath: "m/0'/1")],
             .secp256r1: [try! DerivationPath(rawPath: "m/0'/1")],
diff --git a/TangemSdk/TangemSdk/Common/APDU/CommandApdu.swift b/TangemSdk/TangemSdk/Common/APDU/CommandApdu.swift
@@ -66,9 +66,12 @@ public struct CommandApdu: Equatable {
         guard let encryptionKey = encryptionKey, p1 == EncryptionMode.none.byteValue else { //skip if already encrypted or empty encryptionKey
             return self
         }
+        
         let crc = data.crc16()
         let tlvDataToEncrypt = data.count.bytes2 + crc + data
         let encryptedPayload = try tlvDataToEncrypt.encrypt(with: encryptionKey)
+        Log.apdu("C-APDU encrypted")
+
         return CommandApdu(cla: self.cla, ins: self.ins, p1: encryptionMode.byteValue, p2: self.p2, le: self.le, tlv: Data(encryptedPayload))
     }
     
diff --git a/TangemSdk/TangemSdk/Common/Core/CardSession.swift b/TangemSdk/TangemSdk/Common/Core/CardSession.swift
@@ -281,6 +281,7 @@ public class CardSession {
     ///   - completion: Completion handler. Invoked by nfc-reader
     public final func send(apdu: CommandApdu, completion: @escaping CompletionResult<ResponseApdu>) {
         Log.session("Send")
+
         guard sendSubscription.isEmpty else {
             Log.error(TangemSdkError.busy)
             completion(.failure(.busy))
@@ -361,8 +362,10 @@ public class CardSession {
     private func prepareSession<T: CardSessionRunnable>(for runnable: T, completion: @escaping CompletionResult<Void>) {
         Log.session("Prepare card session")
         preflightReadMode = runnable.preflightReadMode
+        environment.encryptionMode = runnable.encryptionMode
 
-        Log.session("Current policy is \(environment.config.accessCodeRequestPolicy)")
+        Log.session("Access code policy is \(environment.config.accessCodeRequestPolicy)")
+        Log.session("Encryption mode is \(environment.encryptionMode)")
 
         guard runnable.shouldAskForAccessCode else {
             Log.session("Skip an access codes request")
@@ -477,6 +480,8 @@ public class CardSession {
                     let secret = try encryptionHelper.generateSecret(keyB: response.sessionKeyB)
                     let sessionKey = (secret + protocolKey).getSha256()
                     self.environment.encryptionKey = sessionKey
+
+                    Log.session("The encryption established")
                     return ()
                 }
                 .mapError{$0.toTangemSdkError()}
diff --git a/TangemSdk/TangemSdk/Common/Core/CardSessionRunnable.swift b/TangemSdk/TangemSdk/Common/Core/CardSessionRunnable.swift
@@ -15,7 +15,10 @@ public protocol CardSessionRunnable {
     
     /// Allow SDK to fetch access code from the local encrypted repository when running the command
     var shouldAskForAccessCode: Bool { get }
-    
+
+    /// An enforced encryption mode. Managed by a card if none. None by default.
+    var encryptionMode: EncryptionMode { get }
+
     /// Simple interface for responses received after sending commands to Tangem cards.
     associatedtype Response
     
@@ -36,7 +39,9 @@ extension CardSessionRunnable {
     public var preflightReadMode: PreflightReadMode { .fullCardRead }
     
     public var shouldAskForAccessCode: Bool { true }
-    
+
+    public var encryptionMode: EncryptionMode { .none }
+
     public func prepare(_ session: CardSession, completion: @escaping CompletionResult<Void>) {
         completion(.success(()))
     }
diff --git a/TangemSdk/TangemSdk/Operations/Wallet/CreateWalletTask.swift b/TangemSdk/TangemSdk/Operations/Wallet/CreateWalletTask.swift
@@ -18,6 +18,10 @@ import Foundation
  * RemainingSignature is set to MaxSignatures.
  */
 public class CreateWalletTask: CardSessionRunnable {
+    public var encryptionMode: EncryptionMode {
+        privateKey == nil ? .none : .strong
+    }
+
     private let curve: EllipticCurve
     private let privateKey: ExtendedPrivateKey?
     private var derivationTask: DeriveWalletPublicKeysTask? = nil

Original file line number	Diff line number	Diff line change
`@@ -66,9 +66,12 @@ public struct CommandApdu: Equatable {`
`66`	`66`	`guard let encryptionKey = encryptionKey, p1 == EncryptionMode.none.byteValue else { //skip if already encrypted or empty encryptionKey`
`67`	`67`	`return self`
`68`	`68`	`}`
	`69`	`+`
`69`	`70`	`let crc = data.crc16()`
`70`	`71`	`let tlvDataToEncrypt = data.count.bytes2 + crc + data`
`71`	`72`	`let encryptedPayload = try tlvDataToEncrypt.encrypt(with: encryptionKey)`
	`73`	`+ Log.apdu("C-APDU encrypted")`
	`74`	`+`
`72`	`75`	`return CommandApdu(cla: self.cla, ins: self.ins, p1: encryptionMode.byteValue, p2: self.p2, le: self.le, tlv: Data(encryptedPayload))`
`73`	`76`	`}`
`74`	`77`