Update nethsm client

Cargo.toml

@@ -9,4 +9,7 @@ opt-level = 'z'     # Optimize for size
 lto = true          # Enable link-time optimization
 codegen-units = 1   # Reduce number of codegen units to increase optimizations
 panic = 'abort'     # Abort on panic
-strip = true        # Strip symbols from binary
+strip = true        # Strip symbols from binary
+
+[patch.crates-io]
+nethsm-sdk-rs = { git = "https://github.com/Nitrokey/nethsm-sdk-rs.git", branch = "update" }

pkcs11/src/backend/db/object.rs

@@ -170,9 +170,9 @@ struct KeyData {
 
 fn configure_rsa(key_data: &PublicKey) -> Result<KeyData, Error> {
     let key_data = key_data
-        .key
+        .public
         .as_ref()
-        .ok_or(Error::KeyField("key".to_string()))?;
+        .ok_or(Error::KeyField("public".to_string()))?;
 
     let modulus = key_data
         .modulus
@@ -211,9 +211,9 @@ fn configure_rsa(key_data: &PublicKey) -> Result<KeyData, Error> {
 
 fn configure_ec(key_data: &PublicKey) -> Result<KeyData, Error> {
     let ec_points = key_data
-        .key
+        .public
         .as_ref()
-        .ok_or(Error::KeyField("key".to_string()))?
+        .ok_or(Error::KeyField("public".to_string()))?
         .data
         .as_ref()
         .ok_or(Error::KeyField("data".to_string()))?;
@@ -418,11 +418,11 @@ pub fn from_key_data(
 }
 
 pub fn from_cert_data(
-    cert: String,
+    cert: Vec<u8>,
     key_id: &str,
     raw_id: Option<Vec<u8>>,
 ) -> Result<Object, Error> {
-    let cert = x509_cert::Certificate::from_pem(cert.as_bytes()).map_err(Error::Der)?;
+    let cert = x509_cert::Certificate::from_pem(cert).map_err(Error::Der)?;
 
     let mut cert_der = Vec::new();
     cert.encode_to_vec(&mut cert_der).map_err(Error::Der)?;

pkcs11/src/backend/key.rs

@@ -185,13 +185,7 @@ fn upload_certificate(
     let key_id = id.as_str();
 
     login_ctx.try_(
-        |api_config| {
-            default_api::keys_key_id_cert_put(
-                &api_config,
-                key_id,
-                default_api::KeysKeyIdCertPutBody::ApplicationXPemFile(body),
-            )
-        },
+        |api_config| default_api::keys_key_id_cert_put(&api_config, key_id, body.into_bytes()),
         login::UserMode::Administrator,
     )?;
 
@@ -319,9 +313,9 @@ pub fn create_key_from_template(
     }
 
     let private_key = PrivateKey {
-        mechanisms: mechanisms.clone(),
+        mechanisms,
         r#type,
-        key,
+        private: key,
         restrictions: None,
     };
 
@@ -333,8 +327,6 @@ pub fn create_key_from_template(
                     &api_config,
                     key_id,
                     default_api::KeysKeyIdPutBody::ApplicationJson(private_key),
-                    Some(mechanisms),
-                    None,
                 )
             },
             login::UserMode::Administrator,
@@ -349,8 +341,6 @@ pub fn create_key_from_template(
                 default_api::keys_post(
                     &api_config,
                     default_api::KeysPostBody::ApplicationJson(private_key),
-                    Some(mechanisms),
-                    None,
                 )
             },
             login::UserMode::Administrator,
@@ -524,13 +514,7 @@ pub fn fetch_certificate(
     }
 
     let cert_data = login_ctx.try_(
-        |api_config| {
-            default_api::keys_key_id_cert_get(
-                &api_config,
-                key_id,
-                default_api::KeysKeyIdCertGetAccept::ApplicationXPemFile,
-            )
-        },
+        |api_config| default_api::keys_key_id_cert_get(&api_config, key_id),
         super::login::UserMode::OperatorOrAdministrator,
     )?;
 
@@ -566,7 +550,7 @@ pub fn fetch_loop(
     kind: Option<ObjectKind>,
 ) {
     while let Some(key) = keys.lock().unwrap().pop() {
-        let key_id = key.key.clone();
+        let key_id = key.id.clone();
 
         if matches!(
             kind,

tools/create_web_key.sh

@@ -14,7 +14,7 @@ curl -k -i --fail-with-body -w '\n' -u admin:Administrator -X PUT \
         "RSA_Signature_PSS_SHA256", "RSA_Signature_PSS_SHA384",
         "RSA_Signature_PSS_SHA512" ],
     "type": "RSA",
-    "key": {
+    "private": {
         "publicExponent": "AQAB",
         "primeP": "AOedR8mKUVN2jLE60cbESw+o88d2f19oyAjNLUtnLgYnBIKva10JYDRHa/EXqiStx+cDTNvd5xBVPXFrt56sdpHgW1rL9BkcXX5Z75eNQwCEZOxrHp7uSkefr3we7KCTEvFMnA8tp4tnA5y7J+anlgz5oucmS91JS8O8l/UGGk0Sx52N7aRjEVI8Rbm8Mz91jPPuHevvYy0uqkEwI2nxVTlNadmCrJi3DJ/xVm/8bUTCixBcs9LurDfUI70llz9XqHX/AfOOBc8giIAS8PUDa6djKMbKtKR2OurAdHLFMvUWEMEpUwjS+CyFkv+LtXCnl2J0KqKGDW5DYZOMuYSo71s=",
         "primeQ": "ANAOJHTHgQNr+VWf35WoVYKR6r3fZDy5mtfDlj3i0YRdU7PReanwesNcDiHc1a5nkmVUOpmzG9VmI6vWX2+VEAbW4nukqKsljrla1VZ7RtYsmeoat5vSKwiL1P2fDqjX8xKM1Q94z4wMoXjfuuRbimoOa9uuGpTfKEJolXF0Z6YFUdQWnosOY3GIOQNvVNGYwtczTj2ykVbF3rFepVOhMgvUPKEN0foXAI1yXQECf3nrEHZmNS1IX6m0pqKOdc9xrRZn6Je1E9CLkp52pCkPxWJ0Swep1uk8Lc5MnSo1NmnahVBra8rozvSEEh4p8GVDRsDivzfJYTMEuJS+8pUShCs="

tools/tests/decrypt_aes.sh

@@ -27,7 +27,7 @@ curl -k -i --fail-with-body -w '\n' -u admin:Administrator -X PUT \
       "AES_Decryption_CBC"
       ],
     "type": "Generic",
-    "key": {
+    "private": {
       "data": "'$B64'"
     }
 }'
@@ -46,4 +46,4 @@ pkcs11-tool --module ./target/debug/libnethsm_pkcs11.so  -v --decrypt \
   --iv $IV --output-file _data.decrypt
 
 diff _input _data.decrypt
-
+

tools/tests/delete_key_certificate.sh

@@ -13,13 +13,13 @@ curl -k -u admin:Administrator -v -X DELETE \
   https://localhost:8443/api/v1/keys/$KEYID
 
 curl -k -i -w '\n' -u admin:Administrator -X PUT \
-  "https://localhost:8443/api/v1/keys/${KEYID}?mechanisms=RSA_Decryption_RAW,RSA_Decryption_PKCS1,RSA_Decryption_OAEP_MD5,RSA_Decryption_OAEP_SHA1,RSA_Decryption_OAEP_SHA224,RSA_Decryption_OAEP_SHA256,RSA_Decryption_OAEP_SHA384,RSA_Decryption_OAEP_SHA512,RSA_Signature_PKCS1,RSA_Signature_PSS_MD5,RSA_Signature_PSS_SHA1,RSA_Signature_PSS_SHA224,RSA_Signature_PSS_SHA256,RSA_Signature_PSS_SHA384,RSA_Signature_PSS_SHA512" \
-  -H 'Content-Type: application/x-pem-file' \
-  --data-binary '@_privatekey.pem'
+  "https://localhost:8443/api/v1/keys/${KEYID}" \
+  -F "arguments={\"mechanisms\": [\"RSA_Decryption_RAW\",\"RSA_Decryption_PKCS1\",\"RSA_Decryption_OAEP_MD5\",\"RSA_Decryption_OAEP_SHA1\",\"RSA_Decryption_OAEP_SHA224\",\"RSA_Decryption_OAEP_SHA256\",\"RSA_Decryption_OAEP_SHA384\",\"RSA_Decryption_OAEP_SHA512\",\"RSA_Signature_PKCS1\",\"RSA_Signature_PSS_MD5\",\"RSA_Signature_PSS_SHA1\",\"RSA_Signature_PSS_SHA224\",\"RSA_Signature_PSS_SHA256\",\"RSA_Signature_PSS_SHA384\",\"RSA_Signature_PSS_SHA512\"]}" \
+  -F "key_file=@_privatekey.pem"
 
 curl -k -i -w '\n' -u admin:Administrator -X PUT \
   https://localhost:8443/api/v1/keys/${KEYID}/cert \
-  -H 'Content-Type: application/x-pem-file' \
+  -H 'Content-Type: application/octet-stream' \
   --data-binary '@_certificate.pem'
 # delete the key
 pkcs11-tool --module ./target/debug/libnethsm_pkcs11.so -v  \
@@ -28,10 +28,10 @@ pkcs11-tool --module ./target/debug/libnethsm_pkcs11.so -v  \
 ## check that the key is gone
 RESPONSE=$(curl -s -k -u operator:opPassphrase -v -X GET \
   https://localhost:8443/api/v1/keys/$KEYID/cert \
-  -H 'Accept: application/x-pem-file' -o /dev/null -w "%{http_code}")
+  -H 'Accept: application/octet-stream' -o /dev/null -w "%{http_code}")
 
-if [ $RESPONSE -eq 406 ]; then
-  echo "Got 406 error, cert was deleted"
+if [ $RESPONSE -eq 404 ]; then
+  echo "Got 404 error, cert was deleted"
 else
   echo "No 404 error, response code was $RESPONSE"
   exit 1

tools/tests/encrypt_aes.sh

@@ -27,7 +27,7 @@ curl -k -i --fail-with-body -w '\n' -u admin:Administrator -X PUT \
       "AES_Decryption_CBC"
       ],
     "type": "Generic",
-    "key": {
+    "private": {
       "data": "'$B64'"
     }
 }'
@@ -47,4 +47,4 @@ pkcs11-tool --module ./target/debug/libnethsm_pkcs11.so  -v --encrypt \
 openssl aes-256-cbc -nopad -d -in _data.crypt -out _data.decrypt -K $(cat _aes.key | xxd -c 256 -p) -iv $IV
 
 diff _input _data.decrypt
-
+