-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update TS submodule and add asym encryption #406
Closed
Closed
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -94,15 +94,18 @@ RUN cd nanopb-0.4.4-linux-x86 \ | |
RUN rm -rf nanopb-0.4.4-linux-x86 nanopb-0.4.4-linux-x86.tar.gz | ||
|
||
# Install mock Trusted Services | ||
RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch main \ | ||
# Setup git config for patching dependencies | ||
RUN git config --global user.email "some@email.com" | ||
RUN git config --global user.name "Parsec Team" | ||
Comment on lines
+98
to
+99
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Was it failing before without this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, they've added some step in their build process to apply git patches to some dependencies, I think, and this is needed :( |
||
RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch integration \ | ||
&& cd trusted-services \ | ||
&& git reset --hard 2fc7e10c7c21e4dafbf63dc9d00dfc2a7a7fddad | ||
&& git reset --hard c1cf9120e4ab0b359a27176b079769b9a7e6bb87 | ||
# Install correct python dependencies | ||
RUN pip3 install -r trusted-services/requirements.txt | ||
RUN cd trusted-services/deployments/libts/linux-pc/ \ | ||
&& cmake . \ | ||
&& make \ | ||
&& cp libts.so nanopb_install/lib/libprotobuf-nanopb.a mbedcrypto_install/lib/libmbedcrypto.a /usr/local/lib/ | ||
&& cp libts.so nanopb_install/lib/libprotobuf-nanopb.a mbedtls_install/lib/libmbedcrypto.a /usr/local/lib/ | ||
RUN rm -rf trusted-services | ||
|
||
# Create a new token in a new slot. The slot number assigned will be random | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
// Copyright 2021 Contributors to the Parsec project. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
use super::Provider; | ||
use crate::authenticators::ApplicationName; | ||
use crate::key_info_managers::KeyTriple; | ||
use log::error; | ||
use parsec_interface::operations::{psa_asymmetric_decrypt, psa_asymmetric_encrypt}; | ||
use parsec_interface::requests::{ProviderId, Result}; | ||
|
||
impl Provider { | ||
pub(super) fn psa_asymmetric_encrypt_internal( | ||
&self, | ||
app_name: ApplicationName, | ||
op: psa_asymmetric_encrypt::Operation, | ||
) -> Result<psa_asymmetric_encrypt::Result> { | ||
let key_name = op.key_name.clone(); | ||
|
||
let key_triple = KeyTriple::new(app_name, ProviderId::TrustedService, key_name); | ||
let key_id = self.key_info_store.get_key_id(&key_triple)?; | ||
let salt_buff = match &op.salt { | ||
Some(salt) => salt.to_vec(), | ||
None => Vec::new(), | ||
}; | ||
|
||
match self | ||
.context | ||
.asym_encrypt(key_id, op.alg, op.plaintext.to_vec(), salt_buff) | ||
{ | ||
Ok(ciphertext) => Ok(psa_asymmetric_encrypt::Result { | ||
ciphertext: ciphertext.into(), | ||
}), | ||
Err(error) => { | ||
error!("Encrypt failed with status: {}", error); | ||
Err(error) | ||
} | ||
} | ||
} | ||
|
||
pub(super) fn psa_asymmetric_decrypt_internal( | ||
&self, | ||
app_name: ApplicationName, | ||
op: psa_asymmetric_decrypt::Operation, | ||
) -> Result<psa_asymmetric_decrypt::Result> { | ||
let key_triple = KeyTriple::new(app_name, ProviderId::TrustedService, op.key_name.clone()); | ||
let key_id = self.key_info_store.get_key_id(&key_triple)?; | ||
let salt_buff = match &op.salt { | ||
Some(salt) => salt.to_vec(), | ||
None => Vec::new(), | ||
}; | ||
|
||
match self | ||
.context | ||
.asym_decrypt(key_id, op.alg, op.ciphertext.to_vec(), salt_buff) | ||
{ | ||
Ok(plaintext) => Ok(psa_asymmetric_decrypt::Result { | ||
plaintext: plaintext.into(), | ||
}), | ||
Err(error) => { | ||
error!("Decrypt failed with status: {}", error); | ||
Err(error) | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
// Copyright 2021 Contributors to the Parsec project. | ||
// SPDX-License-Identifier: Apache-2.0 | ||
use super::ts_protobuf::{ | ||
AsymmetricDecryptIn, AsymmetricDecryptOut, AsymmetricEncryptIn, AsymmetricEncryptOut, | ||
}; | ||
use super::Context; | ||
use parsec_interface::operations::psa_algorithm::AsymmetricEncryption; | ||
use parsec_interface::requests::ResponseStatus; | ||
use std::convert::TryInto; | ||
use zeroize::Zeroize; | ||
|
||
impl Context { | ||
pub fn asym_encrypt( | ||
&self, | ||
key_id: u32, | ||
alg: AsymmetricEncryption, | ||
mut plaintext: Vec<u8>, | ||
mut salt: Vec<u8>, | ||
) -> Result<Vec<u8>, ResponseStatus> { | ||
let alg = alg.try_into().map_err(|e| { | ||
plaintext.zeroize(); | ||
salt.zeroize(); | ||
e | ||
})?; | ||
let req = AsymmetricEncryptIn { | ||
id: key_id, | ||
alg, | ||
plaintext, | ||
salt, | ||
}; | ||
let AsymmetricEncryptOut { ciphertext } = self.send_request(&req)?; | ||
|
||
Ok(ciphertext) | ||
} | ||
|
||
pub fn asym_decrypt( | ||
&self, | ||
key_id: u32, | ||
alg: AsymmetricEncryption, | ||
mut ciphertext: Vec<u8>, | ||
mut salt: Vec<u8>, | ||
) -> Result<Vec<u8>, ResponseStatus> { | ||
let alg = alg.try_into().map_err(|e| { | ||
ciphertext.zeroize(); | ||
salt.zeroize(); | ||
e | ||
})?; | ||
let req = AsymmetricDecryptIn { | ||
id: key_id, | ||
alg, | ||
ciphertext, | ||
salt, | ||
}; | ||
let AsymmetricDecryptOut { plaintext } = self.send_request(&req)?; | ||
|
||
Ok(plaintext) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where do we actually need
psa-crypto
for this provider?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All over the place - we use the conversions implemented in
psa-crypto
to native types to fill in the protobuf objects. For example, the protobuf contract forKeyPolicy
contains au32
alg
field to which we can just convert using the PSA crate, because it expects the same values as PSA Crypto would (just in a protobuf wrapper)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, make sense!