From 7d7e283295eb8aa6c43d75b71653afe317e01a14 Mon Sep 17 00:00:00 2001
From: Anton Antonov <Anton.Antonov@arm.com>
Date: Fri, 22 Oct 2021 11:18:46 +0100
Subject: [PATCH] Use ec_params for can-do-crypto checks instead of hard-coded
 values

Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
---
 src/providers/pkcs11/capability_discovery.rs | 33 ++++++--------------
 1 file changed, 10 insertions(+), 23 deletions(-)

diff --git a/src/providers/pkcs11/capability_discovery.rs b/src/providers/pkcs11/capability_discovery.rs
index 9586c8fa..f0f6e152 100644
--- a/src/providers/pkcs11/capability_discovery.rs
+++ b/src/providers/pkcs11/capability_discovery.rs
@@ -1,5 +1,5 @@
 #![allow(unused, trivial_numeric_casts)]
-use super::Provider;
+use super::{utils, Provider};
 use crate::authenticators::ApplicationName;
 use crate::providers::pkcs11::to_response_status;
 use cryptoki::types::mechanism::Mechanism;
@@ -25,22 +25,15 @@ impl Provider {
         op: can_do_crypto::Operation,
     ) -> Result<can_do_crypto::Result> {
         let attributes = op.attributes;
-        let check_type = op.check_type;
-        let supported_ecc_family_sizes = [192, 224, 256, 384, 512];
         match attributes.key_type {
-            Type::EccKeyPair {
-                curve_family: EccFamily::SecpR1,
-            }
-            | Type::EccPublicKey {
-                curve_family: EccFamily::SecpR1,
-            } => {
-                if !(supported_ecc_family_sizes.contains(&attributes.bits)) {
+            Type::EccKeyPair { curve_family } | Type::EccPublicKey { curve_family } => {
+                let _ = utils::ec_params(curve_family, attributes.bits).map_err(|_| {
                     info!(
-                        "Unsupported size {} for SecpR1 curve family",
-                        attributes.bits
+                        "Unsupported EC curve family {} or key size {}",
+                        curve_family, attributes.bits
                     );
-                    return Err(PsaErrorNotSupported);
-                }
+                    PsaErrorNotSupported
+                })?;
             }
             Type::RsaKeyPair | Type::RsaPublicKey => (),
             _ => {
@@ -48,7 +41,7 @@ impl Provider {
                 return Err(PsaErrorNotSupported);
             }
         }
-        match check_type {
+        match op.check_type {
             CheckType::Generate => return self.generate_check(attributes),
             CheckType::Import => return self.import_check(attributes),
             CheckType::Use => return self.use_check(attributes),
@@ -119,10 +112,7 @@ impl Provider {
 
     fn generate_check(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
         match attributes.key_type {
-            Type::RsaKeyPair => (),
-            Type::EccKeyPair {
-                curve_family: EccFamily::SecpR1,
-            } => (),
+            Type::RsaKeyPair | Type::EccKeyPair { .. } => (),
             _ => {
                 info!("Unsupported key type {:?}", attributes.key_type);
                 return Err(PsaErrorNotSupported);
@@ -136,10 +126,7 @@ impl Provider {
 
     fn import_check(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
         match attributes.key_type {
-            Type::RsaPublicKey => (),
-            Type::EccPublicKey {
-                curve_family: EccFamily::SecpR1,
-            } => (),
+            Type::RsaPublicKey | Type::EccPublicKey { .. } => (),
             _ => {
                 info!("Unsupported key type {:?}", attributes.key_type);
                 return Err(PsaErrorNotSupported);