Merge pull request #633 from mohamedasaker-arm/feature/119-Implement-…

…configurable-exclusion-of-deprecated-primitives

Feature/119 implement configurable exclusion of deprecated primitives

Cargo.toml

@@ -15,7 +15,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = "0.26.0"
+parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs.git", rev = "b2a4b6656f693b61f7fdac593de5fbbb1853d58e" }
 rand = { version = "0.8.3", features = ["small_rng"], optional = true }
 base64 = "0.13.0"
 uuid = "0.8.2"

config.toml

@@ -36,6 +36,11 @@
 # for buffers larger than this threshold will be rejected. Defaults to 1MB.
 #buffer_size_limit = 1048576
 
+# Decide whether deprecated algorithms and key types are allowed when generating keys or not.
+# Note: While importing a deprecated key, only a warning log is generated.
+# The default behaviour is to reject the deprecated primitives. Hence, the default value is false.
+#allow_deprecated = false
+
 # (Required) Configuration for the service IPC listener component.
 [listener]
 # (Required) Type of IPC that the service will support.

e2e_tests/Cargo.toml

@@ -11,7 +11,7 @@ publish = false
 
 [dependencies]
 serde = { version = "1.0.123", features = ["derive"] }
-parsec-client = { git = "https://github.com/parallaxsecond/parsec-client-rust", rev = "bf01a58fe20a65f6151fc32c7c6c9d09ae7b741f", features = ["testing", "spiffe-auth"] }
+parsec-client = { git = "https://github.com/parallaxsecond/parsec-client-rust", rev = "fd083591923c4aeab2bb3eb9c5d0be3c3b48bd37", features = ["testing", "spiffe-auth"] }
 log = "0.4.14"
 # Compatible version with crate rsa
 rand = "0.7.3"

e2e_tests/provider_cfg/cryptoauthlib/config.toml

@@ -6,6 +6,8 @@ log_error_details = true
 # The container runs the Parsec service as root, so make sure we disable root
 # checks.
 allow_root = true
+# Allow deprecated for testing
+allow_deprecated = true
 
 [listener]
 listener_type = "DomainSocket"

e2e_tests/provider_cfg/mbed-crypto/config.toml

@@ -6,6 +6,8 @@ log_error_details = true
 # The container runs the Parsec service as root, so make sure we disable root
 # checks.
 allow_root = true
+# Allow deprecated for testing
+allow_deprecated = true
 
 [listener]
 listener_type = "DomainSocket"

e2e_tests/provider_cfg/pkcs11/config.toml

@@ -6,6 +6,8 @@ log_error_details = true
 # The container runs the Parsec service as root, so make sure we disable root
 # checks.
 allow_root = true
+# Allow deprecated for testing
+allow_deprecated = true
 
 [listener]
 listener_type = "DomainSocket"

e2e_tests/provider_cfg/tpm/config.toml

@@ -6,6 +6,8 @@ log_error_details = true
 # The container runs the Parsec service as root, so make sure we disable root
 # checks.
 allow_root = true
+# Allow deprecated for testing
+allow_deprecated = true
 
 [listener]
 listener_type = "DomainSocket"

e2e_tests/provider_cfg/trusted-service/config.toml

@@ -6,6 +6,8 @@ log_error_details = true
 # The container runs the Parsec service as root, so make sure we disable root
 # checks.
 allow_root = true
+# Allow deprecated for testing
+allow_deprecated = true
 
 [listener]
 listener_type = "DomainSocket"

e2e_tests/tests/all_providers/config/mod.rs

@@ -7,7 +7,7 @@ use parsec_client::core::interface::operations::list_providers::Uuid;
 use parsec_client::core::interface::operations::psa_algorithm::Hash;
 use parsec_client::core::interface::operations::psa_algorithm::{Algorithm, AsymmetricSignature};
 use parsec_client::core::interface::operations::psa_key_attributes::{
- Attributes, Lifetime, Policy, Type, UsageFlags,
+ Attributes, EccFamily, Lifetime, Policy, Type, UsageFlags,
 };
 use parsec_client::core::interface::requests::ResponseStatus;
 use regex::Regex;
@@ -530,3 +530,164 @@ fn pkcs11_pin_str_fmt_with_hex_word() {
  "hex:1100220033",
  );
 }
+
+#[test]
+fn reject_deprecated() {
+ set_config("reject_deprecated.toml");
+ reload_service();
+
+ let mut client = TestClient::new();
+ let mut usage_flags: UsageFlags = Default::default();
+ let _ = usage_flags
+ .set_sign_hash()
+ .set_verify_hash()
+ .set_sign_message()
+ .set_verify_message()
+ .set_export();
+ assert_eq!(
+ client.generate_key(
+ "reject_deprecated_key".to_owned(),
+ Attributes {
+ lifetime: Lifetime::Volatile,
+ key_type: Type::RsaKeyPair,
+ bits: 1024,
+ policy: Policy {
+ usage_flags,
+ permitted_algorithms: Algorithm::AsymmetricSignature(
+ AsymmetricSignature::RsaPkcs1v15Sign {
+ hash_alg: Hash::Md5.into(),
+ },
+ ),
+ },
+ },
+ ),
+ Err(ResponseStatus::DeprecatedPrimitive)
+ );
+ assert_eq!(
+ client.generate_key(
+ "reject_non_deprecated_key".to_owned(),
+ Attributes {
+ lifetime: Lifetime::Volatile,
+ key_type: Type::RsaKeyPair,
+ bits: 1024,
+ policy: Policy {
+ usage_flags,
+ permitted_algorithms: Algorithm::AsymmetricSignature(
+ AsymmetricSignature::RsaPkcs1v15Sign {
+ hash_alg: Hash::Sha256.into(),
+ },
+ ),
+ },
+ },
+ ),
+ Ok(())
+ );
+
+ // Even if the key is deprecated only a warning on the service logs should appear while importing it.
+ assert_eq!(
+ client.import_key(
+ "reject_deprecated_key_import".to_owned(),
+ Attributes {
+ lifetime: Lifetime::Volatile,
+ key_type: Type::EccKeyPair {
+ curve_family: EccFamily::SecpR1,
+ },
+ bits: 256,
+ policy: Policy {
+ usage_flags,
+ permitted_algorithms: Algorithm::AsymmetricSignature(
+ AsymmetricSignature::RsaPkcs1v15Sign {
+ hash_alg: Hash::Md5.into(),
+ },
+ ),
+ },
+ },
+ vec![
+ 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD,
+ 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF,
+ 0xDE, 0xAD, 0xBE, 0xEF
+ ],
+ ),
+ Ok(())
+ );
+}
+
+#[test]
+fn allow_deprecated() {
+ set_config("allow_deprecated.toml");
+ reload_service();
+
+ let mut client = TestClient::new();
+ let mut usage_flags: UsageFlags = Default::default();
+ let _ = usage_flags
+ .set_sign_hash()
+ .set_verify_hash()
+ .set_sign_message()
+ .set_verify_message()
+ .set_export();
+ assert_eq!(
+ client.generate_key(
+ "allow_deprecated_key".to_owned(),
+ Attributes {
+ lifetime: Lifetime::Volatile,
+ key_type: Type::RsaKeyPair,
+ bits: 1024,
+ policy: Policy {
+ usage_flags,
+ permitted_algorithms: Algorithm::AsymmetricSignature(
+ AsymmetricSignature::RsaPkcs1v15Sign {
+ hash_alg: Hash::Md5.into(),
+ },
+ ),
+ },
+ },
+ ),
+ Ok(())
+ );
+ assert_eq!(
+ client.generate_key(
+ "allow_non_deprecated_key".to_owned(),
+ Attributes {
+ lifetime: Lifetime::Volatile,
+ key_type: Type::RsaKeyPair,
+ bits: 1024,
+ policy: Policy {
+ usage_flags,
+ permitted_algorithms: Algorithm::AsymmetricSignature(
+ AsymmetricSignature::RsaPkcs1v15Sign {
+ hash_alg: Hash::Sha256.into(),
+ },
+ ),
+ },
+ },
+ ),
+ Ok(())
+ );
+
+ assert_eq!(
+ client.import_key(
+ "allow_deprecated_key_import".to_owned(),
+ Attributes {
+ lifetime: Lifetime::Volatile,
+ key_type: Type::EccKeyPair {
+ curve_family: EccFamily::SecpR1,
+ },
+ bits: 256,
+ policy: Policy {
+ usage_flags,
+ permitted_algorithms: Algorithm::AsymmetricSignature(
+ AsymmetricSignature::RsaPkcs1v15Sign {
+ hash_alg: Hash::Md5.into(),
+ },
+ ),
+ },
+ },
+ vec![
+ 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD,
+ 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF,
+ 0xDE, 0xAD, 0xBE, 0xEF
+ ],
+ ),
+ Ok(())
+ );
+}

e2e_tests/tests/all_providers/config/tomls/allow_deprecated.toml

@@ -0,0 +1,22 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+allow_deprecated = true
+
+[listener]
+listener_type = "DomainSocket"
+timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "sqlite-manager"
+manager_type = "SQLite"
+database_path = "./kim-mappings/sqlite/sqlite-key-info-manager.sqlite3"
+
+[[provider]]
+provider_type = "MbedCrypto"
+key_info_manager = "sqlite-manager"

e2e_tests/tests/all_providers/config/tomls/pkcs11_software.toml

@@ -6,6 +6,7 @@ log_error_details = true
 # The container runs the Parsec service as root, so make sure we disable root
 # checks.
 allow_root = true
+allow_deprecated = true
 
 [listener]
 listener_type = "DomainSocket"

e2e_tests/tests/all_providers/config/tomls/reject_deprecated.toml

@@ -0,0 +1,22 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+allow_deprecated = false
+
+[listener]
+listener_type = "DomainSocket"
+timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "sqlite-manager"
+manager_type = "SQLite"
+database_path = "./kim-mappings/sqlite/sqlite-key-info-manager.sqlite3"
+
+[[provider]]
+provider_type = "MbedCrypto"
+key_info_manager = "sqlite-manager"

src/lib.rs

@@ -47,6 +47,32 @@ macro_rules! format_error {
  };
 }
 
+#[allow(unused)]
+macro_rules! deprecation_check {
+ ($operation:ident, $warning:expr, $return_flag:expr) => {
+ if let Err(ResponseStatus::DeprecatedPrimitive) = $operation.check_deprecated() {
+ log::warn!("{}", $warning);
+ if $return_flag && !crate::utils::GlobalConfig::allow_deprecated() {
+ return Err(ResponseStatus::DeprecatedPrimitive);
+ }
+ }
+ };
+}
+
+#[allow(unused)]
+macro_rules! warn_on_deprecated {
+ ($operation:ident, $warning:expr) => {
+ deprecation_check!($operation, $warning, false);
+ };
+}
+
+#[allow(unused)]
+macro_rules! return_on_deprecated {
+ ($operation:ident, $warning:expr) => {
+ deprecation_check!($operation, $warning, true);
+ };
+}
+
 pub mod authenticators;
 pub mod back;
 pub mod front;

src/providers/cryptoauthlib/key_management.rs

@@ -5,6 +5,7 @@ use super::Provider;
 use crate::authenticators::ApplicationIdentity;
 use log::{error, warn};
 use parsec_interface::operations::psa_key_attributes::{Attributes, EccFamily, Type};
+use parsec_interface::operations::utils_deprecated_primitives::CheckDeprecated;
 use parsec_interface::operations::{
  psa_destroy_key, psa_export_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
@@ -18,6 +19,8 @@ impl Provider {
  application_identity: &ApplicationIdentity,
  op: psa_generate_key::Operation,
  ) -> Result<psa_generate_key::Result> {
+ return_on_deprecated!(op, "The key requested to generate is deprecated");
+
  let key_name = op.key_name;
  let key_identity = self
  .key_info_store
@@ -111,6 +114,8 @@ impl Provider {
  application_identity: &ApplicationIdentity,
  op: psa_import_key::Operation,
  ) -> Result<psa_import_key::Result> {
+ warn_on_deprecated!(op, "The key requested to import is deprecated");
+
  let key_name = op.key_name;
  let key_identity = self
  .key_info_store

src/providers/mbed_crypto/key_management.rs

@@ -5,6 +5,7 @@ use crate::authenticators::ApplicationIdentity;
 use crate::key_info_managers::KeyIdentity;
 use log::error;
 use parsec_interface::operations::psa_key_attributes::{Attributes, Type};
+use parsec_interface::operations::utils_deprecated_primitives::CheckDeprecated;
 use parsec_interface::operations::{
  psa_destroy_key, psa_export_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
@@ -38,6 +39,8 @@ impl Provider {
  application_identity: &ApplicationIdentity,
  op: psa_generate_key::Operation,
  ) -> Result<psa_generate_key::Result> {
+ return_on_deprecated!(op, "The key requested to generate is deprecated");
+
  let key_name = op.key_name;
  let key_attributes = Provider::check_key_size(op.attributes, false)?;
  let key_identity = KeyIdentity::new(
@@ -83,6 +86,8 @@ impl Provider {
  application_identity: &ApplicationIdentity,
  op: psa_import_key::Operation,
  ) -> Result<psa_import_key::Result> {
+ warn_on_deprecated!(op, "The key requested to import is deprecated");
+
  let key_name = op.key_name;
  let key_attributes = Provider::check_key_size(op.attributes, true)?;
  let key_data = op.data;