Add various tests checking contracts

Also adds checks in the providers to prevent generating a public asymmetric key. Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
parallaxsecond · May 26, 2021 · 96c6f08 · 96c6f08
1 parent f8f3d6b
commit 96c6f08
Show file tree

Hide file tree

Showing 12 changed files with 470 additions and 29 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -15,7 +15,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs.git", rev = "a7f3c7e246a64b9474ca3a0a1365b6deee74e7a4"}
+parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs.git", rev = "6b951390791b398b76eb02c942e24d7c91acc980"}
 rand = { version = "0.8.3", features = ["small_rng"], optional = true }
 base64 = "0.13.0"
 uuid = "0.8.2"
@@ -26,7 +26,7 @@ toml = "0.5.8"
 serde = { version = "1.0.123", features = ["derive"] }
 env_logger = "0.8.3"
 log = { version = "0.4.14", features = ["serde"] }
-cryptoki = { git = "https://github.com/parallaxsecond/rust-cryptoki", rev = "0345c8caa40fd9a64012f053721aa3de52ad3e3e", optional = true, features = ["psa-crypto-conversions"] }
+cryptoki = { git = "https://github.com/parallaxsecond/rust-cryptoki", rev = "da990ddf7475d0f561033018750e4099020bd475", optional = true, features = ["psa-crypto-conversions"] }
 picky-asn1-der = { version = "0.2.4", optional = true }
 picky-asn1 = { version = "0.3.1", optional = true }
 tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi", rev = "56c487a101dc85e17560416d71f0fc2eb81739a6", optional = true }
@@ -35,7 +35,7 @@ structopt = "0.3.21"
 derivative = "2.2.0"
 version = "3.0.0"
 hex = { version = "0.4.2", optional = true }
-psa-crypto = { git = "https://github.com/parallaxsecond/rust-psa-crypto.git", rev = "15ba7cd048923ae7193b268df51c004e8ceff48e", default-features = false, features = ["operations"], optional = true }
+psa-crypto = { git = "https://github.com/parallaxsecond/rust-psa-crypto.git", rev = "8605006d34944fa880edd3d4d347f460c5585747", default-features = false, features = ["operations"], optional = true }
 zeroize = { version = "1.2.0", features = ["zeroize_derive"] }
 picky-asn1-x509 = { version = "0.4.0", optional = true }
 users = "0.11.0"

diff --git a/e2e_tests/tests/all_providers/normal.rs b/e2e_tests/tests/all_providers/normal.rs
@@ -27,6 +27,32 @@ fn list_providers() {
  assert!(uuids.contains(&Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()));
 }
 
+#[test]
+fn list_providers_order_respected() {
+ let mut client = TestClient::new();
+ let providers = client.list_providers().expect("list providers failed");
+ assert_eq!(
+ providers[0].uuid,
+ Uuid::parse_str("1c1139dc-ad7c-47dc-ad6b-db6fdb466552").unwrap()
+ );
+ assert_eq!(
+ providers[1].uuid,
+ Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap()
+ );
+ assert_eq!(
+ providers[2].uuid,
+ Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap()
+ );
+ assert_eq!(
+ providers[3].uuid,
+ Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()
+ );
+ assert_eq!(
+ providers[4].uuid,
+ Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap()
+ );
+}
+
 #[test]
 fn list_authenticators() {
  let mut client = TestClient::new();
@@ -246,3 +272,31 @@ fn list_and_delete_clients() {
 
  assert!(keys.is_empty());
 }
+
+#[test]
+fn get_and_use_provider_id() {
+ let mut client = TestClient::new();
+ let providers: Vec<ProviderId> = client
+ .list_providers()
+ .expect("list providers failed")
+ .into_iter()
+ .map(|v| v.id)
+ .filter(|v| *v != ProviderId::Core)
+ .collect();
+
+ for provider in providers {
+ client.set_provider(provider);
+ // Checking that the Provider ID returned by ListProviders can be used.
+ // We check that this operation does not fail with ProviderDoesNotExist.
+ let error = client
+ .destroy_key("this_key_does_not_exist".to_string())
+ .unwrap_err();
+ if error == ResponseStatus::ProviderDoesNotExist {
+ panic!(
+ "Was expecting {} but got {}",
+ ResponseStatus::ProviderDoesNotExist,
+ error
+ );
+ }
+ }
+}
diff --git a/e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs b/e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs
@@ -3,6 +3,10 @@
 #![allow(unused, dead_code)]
 
 use e2e_tests::TestClient;
+use parsec_client::core::interface::operations::psa_algorithm::{Algorithm, AsymmetricEncryption};
+use parsec_client::core::interface::operations::psa_key_attributes::{
+ Attributes, Lifetime, Policy, Type, UsageFlags,
+};
 use parsec_client::core::interface::requests::{Opcode, ResponseStatus};
 use rand::rngs::OsRng;
 use rsa::{PaddingScheme, PublicKey, RSAPublicKey};
@@ -357,3 +361,80 @@ fn asym_verify_decrypt_with_internet() {
  .unwrap();
  assert_eq!(ORIGINAL_MESSAGE.as_bytes(), plaintext_bytes.as_slice());
 }
+
+#[test]
+fn asym_encrypt_not_permitted() {
+ let key_name = String::from("asym_encrypt_not_permitted");
+ let mut client = TestClient::new();
+
+ if !client.is_operation_supported(Opcode::PsaAsymmetricEncrypt) {
+ return;
+ }
+
+ let attributes = Attributes {
+ lifetime: Lifetime::Persistent,
+ key_type: Type::RsaKeyPair,
+ bits: 1024,
+ policy: Policy {
+ usage_flags: UsageFlags {
+ sign_hash: false,
+ verify_hash: false,
+ sign_message: false,
+ verify_message: false,
+ export: false,
+ encrypt: false,
+ decrypt: true,
+ cache: false,
+ copy: false,
+ derive: false,
+ },
+ permitted_algorithms: AsymmetricEncryption::RsaPkcs1v15Crypt.into(),
+ },
+ };
+
+ client.generate_key(key_name.clone(), attributes).unwrap();
+
+ let error = client
+ .asymmetric_encrypt_message_with_rsapkcs1v15(key_name.clone(), PLAINTEXT_MESSAGE.to_vec())
+ .unwrap_err();
+ assert_eq!(error, ResponseStatus::PsaErrorNotPermitted);
+}
+
+#[test]
+fn asym_decrypt_not_permitted() {
+ let key_name = String::from("asym_decrypt_not_permitted");
+ let mut client = TestClient::new();
+
+ if !client.is_operation_supported(Opcode::PsaAsymmetricDecrypt) {
+ return;
+ }
+
+ let attributes = Attributes {
+ lifetime: Lifetime::Persistent,
+ key_type: Type::RsaKeyPair,
+ bits: 1024,
+ policy: Policy {
+ usage_flags: UsageFlags {
+ sign_hash: false,
+ verify_hash: false,
+ sign_message: false,
+ verify_message: false,
+ export: false,
+ encrypt: true,
+ decrypt: false,
+ cache: false,
+ copy: false,
+ derive: false,
+ },
+ permitted_algorithms: AsymmetricEncryption::RsaPkcs1v15Crypt.into(),
+ },
+ };
+
+ client.generate_key(key_name.clone(), attributes).unwrap();
+
+ let encrypt_bytes = base64::decode(ENCRYPTED_MESSAGE).unwrap();
+ let error = client
+ .asymmetric_decrypt_message_with_rsapkcs1v15(key_name, encrypt_bytes)
+ .unwrap_err();
+ assert_eq!(error, ResponseStatus::PsaErrorNotPermitted);
+}
diff --git a/e2e_tests/tests/per_provider/normal_tests/asym_sign_verify.rs b/e2e_tests/tests/per_provider/normal_tests/asym_sign_verify.rs
@@ -344,7 +344,11 @@ fn sign_hash_bad_format_rsa_sha256() -> Result<()> {
  Ok(())
 }
 
-#[cfg(feature = "cryptoauthlib-provider")]
+#[cfg(not(any(
+ feature = "mbed-crypto-provider",
+ feature = "pkcs11-provider",
+ feature = "trusted-service-provider"
+)))]
 #[test]
 fn sign_hash_bad_format_ecdsa_sha256() -> Result<()> {
  let key_name = String::from("sign_hash_bad_format_ecdsa_sha256");
@@ -843,6 +847,110 @@ fn sign_verify_message_ecc() {
  .unwrap();
 }
 
+#[test]
+fn sign_message_not_permitted() {
+ let key_name = String::from("sign_message_not_permitted");
+ let mut client = TestClient::new();
+
+ if !client.is_operation_supported(Opcode::PsaSignMessage) {
+ return;
+ }
+
+ let msg = b"Bob wrote this message.";
+
+ client
+ .generate_key(
+ key_name.clone(),
+ Attributes {
+ lifetime: Lifetime::Persistent,
+ key_type: Type::EccKeyPair {
+ curve_family: EccFamily::SecpR1,
+ },
+ bits: 256,
+ policy: Policy {
+ usage_flags: UsageFlags {
+ sign_hash: false,
+ verify_hash: false,
+ sign_message: false,
+ verify_message: false,
+ export: false,
+ encrypt: false,
+ decrypt: false,
+ cache: false,
+ copy: false,
+ derive: false,
+ },
+ permitted_algorithms: AsymmetricSignature::Ecdsa {
+ hash_alg: Hash::Sha256.into(),
+ }
+ .into(),
+ },
+ },
+ )
+ .unwrap();
+
+ let error = client
+ .sign_msg_with_ecdsa_sha256(key_name.clone(), msg.to_vec())
+ .unwrap_err();
+
+ assert_eq!(error, ResponseStatus::PsaErrorNotPermitted);
+}
+
+#[test]
+fn verify_message_not_permitted() {
+ let key_name = String::from("verify_message_not_permitted");
+ let mut client = TestClient::new();
+
+ if !client.is_operation_supported(Opcode::PsaVerifyMessage)
+ || !client.is_operation_supported(Opcode::PsaSignMessage)
+ {
+ return;
+ }
+
+ let msg = b"Bob wrote this message.";
+
+ client
+ .generate_key(
+ key_name.clone(),
+ Attributes {
+ lifetime: Lifetime::Persistent,
+ key_type: Type::EccKeyPair {
+ curve_family: EccFamily::SecpR1,
+ },
+ bits: 256,
+ policy: Policy {
+ usage_flags: UsageFlags {
+ sign_hash: false,
+ verify_hash: false,
+ sign_message: true,
+ verify_message: false,
+ export: false,
+ encrypt: false,
+ decrypt: false,
+ cache: false,
+ copy: false,
+ derive: false,
+ },
+ permitted_algorithms: AsymmetricSignature::Ecdsa {
+ hash_alg: Hash::Sha256.into(),
+ }
+ .into(),
+ },
+ },
+ )
+ .unwrap();
+
+ let signature = client
+ .sign_msg_with_ecdsa_sha256(key_name.clone(), msg.to_vec())
+ .unwrap();
+
+ let error = client
+ .verify_msg_with_ecdsa_sha256(key_name.clone(), msg.to_vec(), signature)
+ .unwrap_err();
+
+ assert_eq!(error, ResponseStatus::PsaErrorNotPermitted);
+}
+
 #[cfg(feature = "tpm-provider")]
 #[test]
 fn wildcard_hash_not_supported() {