Added asymmetric encrypt and decrypt to Mbed Crypto provider

Signed-off-by: Samuel Bailey <samuel.bailey@arm.com>

CONTRIBUTORS.md

@@ -12,3 +12,4 @@ This file aims to acknowledge the specific contributors referred to in the "Cont
 * Ionut Mihalcea (@ionut-arm)
 * Hugues de Valon (@hug-dev)
 * Jesper Brynolf (@Superhepper)
+* Samuel Bailey (@sbailey-arm)

Cargo.toml

@@ -18,7 +18,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = "0.17.0"
+parsec-interface = { path = "../parsec-interface-rs" }
 rand = { version = "0.7.2", features = ["small_rng"] }
 base64 = "0.10.1"
 uuid = "0.7.4"
@@ -40,7 +40,7 @@ derivative = "2.1.1"
 version = "3.0.0"
 hex = "0.4.2"
 picky = "5.0.0"
-psa-crypto = { version = "0.2.1" , default-features = false, features = ["with-mbed-crypto"], optional = true }
+psa-crypto = { version = "0.2.2" , default-features = false, features = ["with-mbed-crypto"], optional = true }
 zeroize = { version = "1.1.0", features = ["zeroize_derive"] }
 
 [dev-dependencies]

e2e_tests/Cargo.toml

@@ -18,10 +18,11 @@ picky-asn1-der = "0.2.2"
 picky-asn1 = "0.2.1"
 serde = { version = "1.0", features = ["derive"] }
 sha2 = "0.8.1"
-parsec-client = { git = "https://github.com/parallaxsecond/parsec-client-rust", features = ["testing"] }
+parsec-client = { path = "../../parsec-client-rust", features = ["testing"] }
 log = "0.4.8"
 rand = "0.7.3"
 
 [dev-dependencies]
 env_logger = "0.7.1"
 uuid = "0.7.4"
+rsa = "0.3.0"

e2e_tests/src/lib.rs

@@ -13,7 +13,7 @@ use parsec_client::auth::AuthenticationData;
 use parsec_client::core::basic_client::BasicClient;
 use parsec_client::core::interface::operations::list_providers::ProviderInfo;
 use parsec_client::core::interface::operations::psa_algorithm::{
-    Algorithm, AsymmetricSignature, Hash,
+    Algorithm, AsymmetricSignature, AsymmetricEncryption, Hash,
 };
 use parsec_client::core::interface::operations::psa_key_attributes::{
     Attributes, Lifetime, Policy, Type, UsageFlags,
@@ -157,6 +157,60 @@ impl TestClient {
         )
     }
 
+    pub fn generate_rsa_encryption_keys_rsapkcs1v15crypt(&mut self, key_name: String) -> Result<()> {
+        self.generate_key(
+            key_name,
+            Attributes {
+                lifetime: Lifetime::Persistent,
+                key_type: Type::RsaKeyPair,
+                bits: 1024,
+                policy: Policy {
+                    usage_flags: UsageFlags {
+                        sign_hash: false,
+                        verify_hash: false,
+                        sign_message: false,
+                        verify_message: false,
+                        export: true,
+                        encrypt: true,
+                        decrypt: true,
+                        cache: false,
+                        copy: false,
+                        derive: false,
+                    },
+                    permitted_algorithms: AsymmetricEncryption::RsaPkcs1v15Crypt.into(),
+                },
+            }
+        )
+    }
+
+    pub fn generate_rsa_encryption_keys_rsaoaep_sha256(&mut self, key_name: String) -> Result<()> {
+        self.generate_key(
+            key_name,
+            Attributes {
+                lifetime: Lifetime::Persistent,
+                key_type: Type::RsaKeyPair,
+                bits: 1024,
+                policy: Policy {
+                    usage_flags: UsageFlags {
+                        sign_hash: false,
+                        verify_hash: false,
+                        sign_message: false,
+                        verify_message: false,
+                        export: true,
+                        encrypt: true,
+                        decrypt: true,
+                        cache: false,
+                        copy: false,
+                        derive: false,
+                    },
+                    permitted_algorithms: AsymmetricEncryption::RsaOaep{
+                        hash_alg: Hash::Sha256,
+                    }.into(),
+                },
+            }
+        )
+    }
+
     /// Imports and creates a key with specific attributes.
     pub fn import_key(
         &mut self,
@@ -287,6 +341,64 @@ impl TestClient {
         )
     }
 
+    pub fn asymmetric_encrypt_message_with_rsapkcs1v15(
+        &mut self,
+        key_name: String,
+        plaintext: Vec<u8>,
+    ) -> Result<Vec<u8>> {
+        self.asymmetric_encrypt_message(
+            key_name,
+            AsymmetricEncryption::RsaPkcs1v15Crypt,
+            &plaintext,
+            None,
+        )
+    }
+
+    pub fn asymmetric_decrypt_message_with_rsapkcs1v15(
+        &mut self,
+        key_name: String,
+        ciphertext: Vec<u8>,
+    ) -> Result<Vec<u8>> {
+        self.asymmetric_decrypt_message(
+            key_name,
+            AsymmetricEncryption::RsaPkcs1v15Crypt,
+            &ciphertext,
+            None,
+        )
+    }
+
+    pub fn asymmetric_encrypt_message(
+        &mut self,
+        key_name: String,
+        encryption_alg: AsymmetricEncryption,
+        plaintext: &[u8],
+        salt: Option<&[u8]>) -> Result<Vec<u8>> {
+        self.basic_client
+            .psa_asymmetric_encrypt(
+                key_name,
+                encryption_alg,
+                &plaintext,
+                salt,
+            )
+            .map_err(convert_error)
+    }
+
+    pub fn asymmetric_decrypt_message(
+        &mut self,
+        key_name: String,
+        encryption_alg: AsymmetricEncryption,
+        ciphertext: &[u8],
+        salt: Option<&[u8]>) -> Result<Vec<u8>> {
+        self.basic_client
+            .psa_asymmetric_decrypt(
+                key_name,
+                encryption_alg,
+                &ciphertext,
+                salt,
+            )
+            .map_err(convert_error)
+    }
+
     /// Lists the provider available for the Parsec service.
     pub fn list_providers(&mut self) -> Result<Vec<ProviderInfo>> {
         self.basic_client.list_providers().map_err(convert_error)

e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs

@@ -0,0 +1,115 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use e2e_tests::TestClient;
+use parsec_client::core::interface::requests::ResponseStatus;
+use rsa::{RSAPublicKey, PaddingScheme, PublicKey};
+use rand::rngs::OsRng;
+
+
+const PLAINTEXT_MESSAGE: [u8; 32] = [
+    0x69, 0x3E, 0xDB, 0x1B, 0x22, 0x79, 0x03, 0xF4, 0xC0, 0xBF, 0xD6, 0x91, 0x76, 0x37, 0x84, 0xA2,
+    0x94, 0x8E, 0x92, 0x50, 0x35, 0xC2, 0x8C, 0x5C, 0x3C, 0xCA, 0xFE, 0x18, 0xE8, 0x81, 0x37, 0x78,
+];
+
+#[test]
+fn simple_asym_encrypt_rsa_pkcs() {
+    let key_name = String::from("asym_encrypt_and_decrypt_rsa_pkcs");
+    let mut client = TestClient::new();
+    client.generate_rsa_encryption_keys_rsapkcs1v15crypt(key_name.clone()).unwrap();
+    let _ciphertext = client.asymmetric_encrypt_message_with_rsapkcs1v15(
+        key_name.clone(),
+        PLAINTEXT_MESSAGE.to_vec(),
+    ).unwrap();
+}
+
+#[test]
+fn asym_encrypt_no_key() {
+    let key_name = String::from("asym_encrypt_no_key");
+    let mut client = TestClient::new();
+    let status = client.
+        asymmetric_encrypt_message_with_rsapkcs1v15(
+            key_name,
+            PLAINTEXT_MESSAGE.to_vec(),
+        )
+        .expect_err("Key should not exist.");
+    assert_eq!(status, ResponseStatus::PsaErrorDoesNotExist);
+}
+
+#[test]
+fn asym_decrypt_no_key() {
+    let key_name = String::from("asym_decrypt_no_key");
+    let mut client = TestClient::new();
+    let status = client.
+        asymmetric_decrypt_message_with_rsapkcs1v15(
+            key_name,
+            PLAINTEXT_MESSAGE.to_vec(),
+        )
+        .expect_err("Key should not exist.");
+    assert_eq!(status, ResponseStatus::PsaErrorDoesNotExist);
+}
+
+#[test]
+fn asym_encrypt_wrong_algorithm() {
+    let key_name = String::from("asym_encrypt_wrong_algorithm");
+    let mut client = TestClient::new();
+    let _key_id = client.generate_rsa_encryption_keys_rsaoaep_sha256(key_name.clone()).unwrap();
+    let status = client.asymmetric_encrypt_message_with_rsapkcs1v15(
+        key_name.clone(),
+        PLAINTEXT_MESSAGE.to_vec(),
+    ).unwrap_err();
+    assert_eq!(status, ResponseStatus::PsaErrorNotPermitted);
+}
+
+#[test]
+fn asym_encrypt_and_decrypt_rsa_pkcs() {
+    let key_name = String::from("asym_encrypt_and_decrypt_rsa_pkcs");
+    let mut client = TestClient::new();
+    client.generate_rsa_encryption_keys_rsapkcs1v15crypt(key_name.clone()).unwrap();
+    let ciphertext = client.asymmetric_encrypt_message_with_rsapkcs1v15(
+        key_name.clone(),
+        PLAINTEXT_MESSAGE.to_vec(),
+    ).unwrap();
+    let plaintext = client.asymmetric_decrypt_message_with_rsapkcs1v15(
+        key_name,
+        ciphertext,
+    ).unwrap();
+    assert_eq!(PLAINTEXT_MESSAGE.to_vec(), plaintext);
+}
+
+#[test]
+fn asym_encrypt_decrypt_rsa_pkcs_different_keys() {
+    let key_name_1 = String::from("asym_encrypt_and_decrypt_rsa_pkcs_different_keys_1");
+    let key_name_2 = String::from("asym_encrypt_and_decrypt_rsa_pkcs_different_keys_2");
+    let mut client = TestClient::new();
+    client.generate_rsa_encryption_keys_rsapkcs1v15crypt(key_name_1.clone()).unwrap();
+    client.generate_rsa_encryption_keys_rsapkcs1v15crypt(key_name_2.clone()).unwrap();
+    let ciphertext = client.asymmetric_encrypt_message_with_rsapkcs1v15(
+        key_name_1.clone(),
+        PLAINTEXT_MESSAGE.to_vec(),
+    ).unwrap();
+    let _res = client.asymmetric_decrypt_message_with_rsapkcs1v15(
+        key_name_2.clone(),
+        ciphertext,
+    ).unwrap_err();
+}
+
+#[test]
+fn asym_encrypt_verify_decrypt_with_rsa_crate() {
+    let key_name = String::from("asym_encrypt_verify_decrypt_with_rsa_crate");
+    let mut client = TestClient::new();
+
+    client.generate_rsa_encryption_keys_rsapkcs1v15crypt(key_name.clone()).unwrap();
+    let pub_key = client.export_public_key(key_name.clone()).unwrap();
+
+    let rsa_pub_key = RSAPublicKey::from_pkcs1(&pub_key).unwrap();
+    let ciphertext = rsa_pub_key.encrypt(&mut OsRng, PaddingScheme::new_pkcs1v15_encrypt(), &PLAINTEXT_MESSAGE).unwrap();
+
+    let plaintext = client.asymmetric_decrypt_message_with_rsapkcs1v15(
+        key_name.clone(),
+        ciphertext,
+    ).unwrap();
+
+    assert_eq!(&PLAINTEXT_MESSAGE[..], &plaintext[..]);
+
+}
+

e2e_tests/tests/per_provider/normal_tests/mod.rs

@@ -8,3 +8,4 @@ mod export_public_key;
 mod import_key;
 mod key_attributes;
 mod ping;
+mod asym_encryption;

src/back/backend_handler.rs

@@ -159,6 +159,24 @@ impl BackEndHandler {
                 trace!("psa_verify_hash egress");
                 self.result_to_response(NativeResult::PsaVerifyHash(result), header)
             }
+            NativeOperation::PsaAsymmetricEncrypt(op_asymmetric_encrypt) => {
+                let app_name =
+                    unwrap_or_else_return!(app_name.ok_or(ResponseStatus::NotAuthenticated));
+                let result = unwrap_or_else_return!(self
+                    .provider
+                    .psa_asymmetric_encrypt(app_name, op_asymmetric_encrypt));
+                trace!("psa_asymmetric_encrypt_egress");
+                self.result_to_response(NativeResult::PsaAsymmetricEncrypt(result), header)
+            }
+            NativeOperation::PsaAsymmetricDecrypt(op_asymmetric_decrypt) => {
+                let app_name =
+                    unwrap_or_else_return!(app_name.ok_or(ResponseStatus::NotAuthenticated));
+                let result = unwrap_or_else_return!(self
+                    .provider
+                    .psa_asymmetric_decrypt(app_name, op_asymmetric_decrypt));
+                trace!("psa_asymmetric_encrypt_egress");
+                self.result_to_response(NativeResult::PsaAsymmetricDecrypt(result), header)
+            }
         }
     }
 }