Merge pull request #399 from RobertDrazkowskiGL/calib-psa-import-key
PSA_IMPORT_KEY introduction.
hug-dev authored May 4, 2021
2 parents 38a0266 + 937e171 commit 1c51f26
Showing 13 changed files with 435 additions and 66 deletions.
6 changes: 6 additions & 0 deletions e2e_tests/provider_cfg/cryptoauthlib/config_508a.toml
@@ -1,3 +1,9 @@
#########################################################################
# The example config file for atecc508a cryptochip.
# There must be an I2C bus with a cryptochip soldered, otherwise provider
# instantiation fails.
# Not to be used by github CI.
#########################################################################
[core_settings]
# The CI already timestamps the logs
log_timestamp = false
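--- a/e2e_tests/provider_cfg/cryptoauthlib/config_608a.toml
+++ b/e2e_tests/provider_cfg/cryptoauthlib/config_608a.toml
@@ -0,0 +1,39 @@
+#########################################################################
+# The example config file for atecc608a cryptochip.
+# There must be an I2C bus with a cryptochip soldered, otherwise provider
+# instantiation fails.
+# Not to be used by github CI.
+#########################################################################
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "CryptoAuthLib"
+key_info_manager = "on-disk-manager"
+device_type = "atecc608a"
+iface_type = "i2c"
+wake_delay = 1600
+rx_retries = 20
+# i2c parameters for i2c-pseudo proxy
+slave_address = 0xc0
+bus = 1
+baud = 400000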
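Review bot: The comments `# The CI already timestamps the logs` and `# The container runs the Parsec service as root` look copied from the CI configs, yet the header says this file is not to be used by the GitHub CI, so they do not explain why `log_timestamp = false` and `allow_root = true` are set for a hardware bench. With `allow_root = true`, `auth_type = "Direct"` and the socket at `/tmp/parsec.sock`, any local process that can reach the socket can presumably declare whatever application identity it likes, so the header should mark these as test-only settings, e.g. `# Test-only settings: direct authentication and a root service; do not reuse on a shared or production machine.` The `# i2c parameters for i2c-pseudo proxy` comment also sits oddly next to the header's requirement of a soldered chip on a real I2C bus; it would help to say which setup `slave_address`, `bus` and `baud` were chosen for.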
38 changes: 38 additions & 0 deletions e2e_tests/src/lib.rs
@@ -596,6 +596,44 @@ impl TestClient {
self.import_key(key_name, attributes, data)
}

/// Import a 256 bit ECC public key.
/// The key can only be used for verifying with the Ecdsa signing algorithm with SHA-256.
pub fn import_ecc_public_secp_r1_ecdsa_sha256_key(
&mut self,
key_name: String,
data: Vec<u8>,
) -> Result<()> {
self.import_key(
key_name,
Attributes {
lifetime: Lifetime::Persistent,
key_type: Type::EccPublicKey {
curve_family: EccFamily::SecpR1,
},
bits: 256,
policy: Policy {
usage_flags: UsageFlags {
sign_hash: false,
verify_hash: true,
sign_message: false,
verify_message: true,
export: false,
encrypt: false,
decrypt: false,
cache: false,
copy: false,
derive: false,
},
permitted_algorithms: AsymmetricSignature::Ecdsa {
hash_alg: Hash::Sha256.into(),
}
.into(),
},
},
data,
)
}

/// Exports a key
pub fn export_key(&mut self, key_name: String) -> Result<Vec<u8>> {
self.basic_client
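Review bot: The doc comment on `import_ecc_public_secp_r1_ecdsa_sha256_key` does not say what encoding `data` must have. The PSA key format for a Weierstrass-curve public key is the uncompressed point, so if that is what the providers expect the comment could add `/// The key data must be the uncompressed point 0x04 || X || Y (65 bytes for this curve).` The name spells the curve family `secp_r1`, whereas the existing helper called in create_destroy_key.rs is `generate_ecc_key_pair_secpr1_ecdsa_sha256`; one spelling across the TestClient helpers would make them easier to find. The enclosing `impl TestClient` starts and ends outside the hunk.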
25 changes: 13 additions & 12 deletions e2e_tests/tests/per_provider/normal_tests/asym_sign_verify.rs
@@ -3,7 +3,7 @@
use e2e_tests::TestClient;
use parsec_client::core::interface::operations::psa_algorithm::*;
use parsec_client::core::interface::operations::psa_key_attributes::*;
use parsec_client::core::interface::requests::{ Opcode, ResponseStatus, Result};
use parsec_client::core::interface::requests::{Opcode, ResponseStatus, Result};
#[cfg(any(feature = "mbed-crypto-provider", feature = "tpm-provider"))]
use ring::signature::{self, UnparsedPublicKey};
use rsa::{PaddingScheme, PublicKey, RSAPublicKey};
@@ -95,7 +95,6 @@ fn only_verify_from_internet() -> Result<()> {
if !client.is_operation_supported(Opcode::PsaVerifyHash) {
return Ok(());
}

// "Les carottes sont cuites." hashed with SHA256
let digest = vec![
0x02, 0x2b, 0x26, 0xb1, 0xc3, 0x18, 0xdb, 0x73, 0x36, 0xef, 0x6f, 0x50, 0x9c, 0x35, 0xdd,
@@ -141,16 +140,17 @@ fn only_verify_from_internet() -> Result<()> {
fn simple_sign_hash() -> Result<()> {
let key_name = String::from("simple_sign_hash");
let mut client = TestClient::new();
let mut hasher = Sha256::new();
hasher.update(b"Bob wrote this message.");
let hash = hasher.finalize().to_vec();
if !client.is_operation_supported(Opcode::PsaGenerateKey) {
return Ok(());
}
if !client.is_operation_supported(Opcode::PsaSignHash) {
return Ok(());
}

let mut hasher = Sha256::new();
hasher.update(b"Bob wrote this message.");
let hash = hasher.finalize().to_vec();

client.generate_rsa_sign_key(key_name.clone())?;

let _ = client.sign_with_rsa_sha256(key_name, hash)?;
@@ -162,17 +162,17 @@ fn simple_sign_hash() -> Result<()> {
fn sign_hash_not_permitted() -> Result<()> {
let key_name = String::from("sign_hash_not_permitted");
let mut client = TestClient::new();
let mut hasher = Sha256::new();
hasher.update(b"Bob wrote this message.");
let hash = hasher.finalize().to_vec();

if !client.is_operation_supported(Opcode::PsaGenerateKey) {
return Ok(());
}
if !client.is_operation_supported(Opcode::PsaSignHash) {
return Ok(());
}

let mut hasher = Sha256::new();
hasher.update(b"Bob wrote this message.");
let hash = hasher.finalize().to_vec();

let attributes = Attributes {
lifetime: Lifetime::Persistent,
key_type: Type::RsaKeyPair,
@@ -211,16 +211,16 @@ fn sign_hash_not_permitted() -> Result<()> {
fn sign_hash_bad_format() -> Result<()> {
let key_name = String::from("sign_hash_bad_format");
let mut client = TestClient::new();
let hash1 = vec![0xEE; 31];
let hash2 = vec![0xBB; 33];

if !client.is_operation_supported(Opcode::PsaGenerateKey) {
return Ok(());
}
if !client.is_operation_supported(Opcode::PsaSignHash) {
return Ok(());
}

let hash1 = vec![0xEE; 31];
let hash2 = vec![0xBB; 33];

client.generate_rsa_sign_key(key_name.clone())?;

let status1 = client
@@ -433,6 +433,7 @@ fn asym_verify_with_rsa_crate() {
fn verify_with_ring() {
let key_name = String::from("verify_with_ring");
let mut client = TestClient::new();

let message = b"Bob wrote this message.";

client.generate_long_rsa_sign_key(key_name.clone()).unwrap();
3 changes: 1 addition & 2 deletions e2e_tests/tests/per_provider/normal_tests/auth.rs
@@ -1,8 +1,7 @@
// Copyright 2019 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
use e2e_tests::TestClient;
use parsec_client::core::interface::requests::{Opcode, ResponseStatus};
use parsec_client::core::interface::requests::Result;
use parsec_client::core::interface::requests::{Opcode, Result, ResponseStatus};

#[test]
fn two_auths_same_key_name() -> Result<()> {
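Review bot: The merged import `use parsec_client::core::interface::requests::{Opcode, Result, ResponseStatus};` lists `Result` before `ResponseStatus`, while asym_sign_verify.rs in this same commit uses `{Opcode, ResponseStatus, Result}`, which is the order rustfmt is expected to produce. Writing it as `use parsec_client::core::interface::requests::{Opcode, ResponseStatus, Result};` keeps the two files consistent and avoids a formatting-check failure if the project runs one.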
24 changes: 18 additions & 6 deletions e2e_tests/tests/per_provider/normal_tests/create_destroy_key.rs
@@ -18,7 +18,9 @@ fn create_and_destroy() {
#[cfg(not(feature = "cryptoauthlib-provider"))]
client.generate_rsa_sign_key(key_name.clone()).unwrap();
#[cfg(feature = "cryptoauthlib-provider")]
client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone()).unwrap();
client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())
.unwrap();
client.destroy_key(key_name).unwrap();
}

@@ -41,7 +43,9 @@ fn create_twice() {
}
#[cfg(feature = "cryptoauthlib-provider")]
{
client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone()).unwrap();
client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())
.unwrap();
let status = client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name)
.expect_err("A key with the same name can not be created twice.");
@@ -75,7 +79,9 @@ fn create_destroy_and_operation() {
#[cfg(not(feature = "cryptoauthlib-provider"))]
client.generate_rsa_sign_key(key_name.clone()).unwrap();
#[cfg(feature = "cryptoauthlib-provider")]
client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone()).unwrap();
client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())
.unwrap();

client.destroy_key(key_name.clone()).unwrap();

@@ -102,8 +108,12 @@ fn create_destroy_twice() {
}
#[cfg(feature = "cryptoauthlib-provider")]
{
client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone()).unwrap();
client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name_2.clone()).unwrap();
client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())
.unwrap();
client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name_2.clone())
.unwrap();
}

client.destroy_key(key_name).unwrap();
@@ -125,7 +135,9 @@ fn generate_public_rsa_check_modulus() {
#[cfg(not(feature = "cryptoauthlib-provider"))]
client.generate_rsa_sign_key(key_name.clone()).unwrap();
#[cfg(feature = "cryptoauthlib-provider")]
client.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone()).unwrap();
client
.generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())
.unwrap();

let public_key = client.export_public_key(key_name).unwrap();

@@ -3,9 +3,9 @@
use e2e_tests::TestClient;
use parsec_client::core::interface::operations::psa_algorithm::*;
use parsec_client::core::interface::operations::psa_key_attributes::*;
use parsec_client::core::interface::requests::Opcode;
use parsec_client::core::interface::requests::ResponseStatus;
use parsec_client::core::interface::requests::Result;
use parsec_client::core::interface::requests::Opcode;
use picky_asn1_x509::RSAPublicKey;

#[test]