Merge pull request parallaxsecond#227 from ionut-arm/pkcs11-upgrade

Update attribute handling in PKCS11 provider

Author: ionut-arm

Cargo.lock

@@ -42,7 +42,7 @@ hex = "0.4.2"
 picky = "5.0.0"
 psa-crypto = { version = "0.5.0" , default-features = false, features = ["operations"], optional = true }
 zeroize = { version = "1.1.0", features = ["zeroize_derive"] }
-picky-asn1-x509 = { version = "0.1.0", optional = true }
+picky-asn1-x509 = { version = "0.3.0", optional = true }
 users = "0.10.0"
 libc = "0.2.72"
 

Cargo.toml

@@ -68,8 +68,10 @@ while [ "$#" -gt 0 ]; do
             cp $(pwd)/e2e_tests/provider_cfg/$1/config.toml $CONFIG_PATH
             if [ "$PROVIDER_NAME" = "all" ]; then
                 FEATURES="--features=all-providers,no-parsec-user-and-clients-group"
+                TEST_FEATURES="--features=all-providers"
             else
                 FEATURES="--features=$1-provider,no-parsec-user-and-clients-group"
+                TEST_FEATURES="--features=$1-provider"
             fi
         ;;
         *)
@@ -134,15 +136,15 @@ pgrep -f target/debug/parsec >/dev/null
 
 if [ "$PROVIDER_NAME" = "all" ]; then
     echo "Execute all-providers tests"
-    RUST_BACKTRACE=1 cargo test --manifest-path ./e2e_tests/Cargo.toml all_providers
-    RUST_BACKTRACE=1 cargo test --manifest-path ./e2e_tests/Cargo.toml config
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml all_providers
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml config
 else
     # Per provider tests
     echo "Execute normal tests"
-    RUST_BACKTRACE=1 cargo test --manifest-path ./e2e_tests/Cargo.toml normal_tests
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml normal_tests
 
     echo "Execute persistent test, before the reload"
-    RUST_BACKTRACE=1 cargo test --manifest-path ./e2e_tests/Cargo.toml persistent_before
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml persistent_before
 
     # Create a fake mapping file for the root application, the provider and a
     # key name of "Test Key". It contains a valid KeyInfo structure.
@@ -170,7 +172,7 @@ else
     sleep 5
 
     echo "Execute persistent test, after the reload"
-    RUST_BACKTRACE=1 cargo test --manifest-path ./e2e_tests/Cargo.toml persistent_after
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml persistent_after
 
     if [ -z "$NO_STRESS_TEST" ]; then
         echo "Shutdown Parsec"
@@ -186,6 +188,6 @@ else
         sleep 5
 
         echo "Execute stress tests"
-        RUST_BACKTRACE=1 cargo test --manifest-path ./e2e_tests/Cargo.toml stress_test
+        RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml stress_test
 	fi
 fi

ci.sh

@@ -28,3 +28,9 @@ uuid = "0.7.4"
 rsa = "0.3.0"
 picky-asn1-x509 = "0.1.0"
 base64 = "0.12.3"
+
+[features]
+mbed-crypto-provider = []
+tpm-provider = []
+pkcs11-provider = []
+all-providers = ["pkcs11-provider","tpm-provider","mbed-crypto-provider"]

e2e_tests/Cargo.toml

@@ -253,6 +253,36 @@ impl TestClient {
         )
     }
 
+    #[allow(deprecated)]
+    pub fn generate_rsa_encryption_keys_rsaoaep_sha1(&mut self, key_name: String) -> Result<()> {
+        self.generate_key(
+            key_name,
+            Attributes {
+                lifetime: Lifetime::Persistent,
+                key_type: Type::RsaKeyPair,
+                bits: 1024,
+                policy: Policy {
+                    usage_flags: UsageFlags {
+                        sign_hash: false,
+                        verify_hash: false,
+                        sign_message: false,
+                        verify_message: false,
+                        export: true,
+                        encrypt: true,
+                        decrypt: true,
+                        cache: false,
+                        copy: false,
+                        derive: false,
+                    },
+                    permitted_algorithms: AsymmetricEncryption::RsaOaep {
+                        hash_alg: Hash::Sha1,
+                    }
+                    .into(),
+                },
+            },
+        )
+    }
+
     pub fn generate_ecc_key_pair_secpk1_deterministic_ecdsa_sha256(
         &mut self,
         key_name: String,
@@ -611,6 +641,40 @@ impl TestClient {
         )
     }
 
+    #[allow(deprecated)]
+    pub fn asymmetric_encrypt_message_with_rsaoaep_sha1(
+        &mut self,
+        key_name: String,
+        plaintext: Vec<u8>,
+        salt: Vec<u8>,
+    ) -> Result<Vec<u8>> {
+        self.asymmetric_encrypt_message(
+            key_name,
+            AsymmetricEncryption::RsaOaep {
+                hash_alg: Hash::Sha1,
+            },
+            &plaintext,
+            Some(&salt),
+        )
+    }
+
+    #[allow(deprecated)]
+    pub fn asymmetric_decrypt_message_with_rsaoaep_sha1(
+        &mut self,
+        key_name: String,
+        ciphertext: Vec<u8>,
+        salt: Vec<u8>,
+    ) -> Result<Vec<u8>> {
+        self.asymmetric_decrypt_message(
+            key_name,
+            AsymmetricEncryption::RsaOaep {
+                hash_alg: Hash::Sha1,
+            },
+            &ciphertext,
+            Some(&salt),
+        )
+    }
+
     pub fn asymmetric_encrypt_message(
         &mut self,
         key_name: String,

e2e_tests/src/lib.rs

@@ -45,10 +45,10 @@ fn list_opcodes() {
     let _ = crypto_providers_hsm.insert(Opcode::PsaVerifyHash);
     let _ = crypto_providers_hsm.insert(Opcode::PsaImportKey);
     let _ = crypto_providers_hsm.insert(Opcode::PsaExportPublicKey);
+    let _ = crypto_providers_hsm.insert(Opcode::PsaAsymmetricDecrypt);
+    let _ = crypto_providers_hsm.insert(Opcode::PsaAsymmetricEncrypt);
 
-    let mut crypto_providers_tpm = crypto_providers_hsm.clone();
-    let _ = crypto_providers_tpm.insert(Opcode::PsaAsymmetricDecrypt);
-    let _ = crypto_providers_tpm.insert(Opcode::PsaAsymmetricEncrypt);
+    let crypto_providers_tpm = crypto_providers_hsm.clone();
 
     let mut crypto_providers_mbed_crypto = crypto_providers_tpm.clone();
     let _ = crypto_providers_mbed_crypto.insert(Opcode::PsaHashCompute);

e2e_tests/tests/all_providers/mod.rs

@@ -1,7 +1,9 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
+#![allow(unused, dead_code)]
+
 use e2e_tests::TestClient;
-use parsec_client::core::interface::requests::{Opcode, ProviderID, ResponseStatus};
+use parsec_client::core::interface::requests::{Opcode, ResponseStatus};
 use rand::rngs::OsRng;
 use rsa::{PaddingScheme, PublicKey, RSAPublicKey};
 
@@ -52,6 +54,10 @@ fn simple_asym_encrypt_rsa_pkcs() {
         .unwrap();
 }
 
+// Test is ignored for PKCS11 because the library we use for testing does not support
+// other hash algorithms to be used with OAEP apart from SHA1.
+// See: https://github.com/opendnssec/SoftHSMv2/issues/474
+#[cfg(not(feature = "pkcs11-provider"))]
 #[test]
 fn simple_asym_encrypt_rsa_oaep() {
     let key_name = String::from("simple_asym_encrypt_rsa_oaep");
@@ -73,10 +79,41 @@ fn simple_asym_encrypt_rsa_oaep() {
         .unwrap();
 }
 
-// Test is ignored as TPMs do not support labels that don't end in a 0 byte
+#[cfg(feature = "pkcs11-provider")]
+#[test]
+fn simple_asym_encrypt_rsa_oaep_pkcs11() {
+    let key_name = String::from("simple_asym_encrypt_rsa_oaep_pkcs11");
+    let mut client = TestClient::new();
+
+    if !client.is_operation_supported(Opcode::PsaAsymmetricEncrypt) {
+        return;
+    }
+
+    client
+        .generate_rsa_encryption_keys_rsaoaep_sha1(key_name.clone())
+        .unwrap();
+    let ciphertext = client
+        .asymmetric_encrypt_message_with_rsaoaep_sha1(
+            key_name.clone(),
+            PLAINTEXT_MESSAGE.to_vec(),
+            vec![],
+        )
+        .unwrap();
+
+    let plaintext = client
+        .asymmetric_decrypt_message_with_rsaoaep_sha1(key_name, ciphertext, vec![])
+        .unwrap();
+
+    assert_eq!(&PLAINTEXT_MESSAGE[..], &plaintext[..]);
+}
+
+// Test is ignored for TPMs as they do not support labels that don't end in a 0 byte
 // A resolution for this has not been reached yet, so keeping as is
 // See: https://github.com/parallaxsecond/parsec/issues/217
-#[ignore]
+// Test is ignored for PKCS11 because the library we use for testing does not support
+// other hash algorithms to be used with OAEP apart from SHA1.
+// See: https://github.com/opendnssec/SoftHSMv2/issues/474
+#[cfg(not(any(feature = "pkcs11-provider", feature = "tpm-provider")))]
 #[test]
 fn simple_asym_decrypt_oaep_with_salt() {
     let key_name = String::from("simple_asym_decrypt_oaep_with_salt");
@@ -232,10 +269,13 @@ fn asym_encrypt_verify_decrypt_with_rsa_crate() {
     assert_eq!(&PLAINTEXT_MESSAGE[..], &plaintext[..]);
 }
 
-// Test is ignored as TPMs do not support labels that don't end in a 0 byte
+// Test is ignored for TPMs as they do not support labels that don't end in a 0 byte
 // A resolution for this has not been reached yet, so keeping as is
 // See: https://github.com/parallaxsecond/parsec/issues/217
-#[ignore]
+// Test is ignored for PKCS11 because the library we use for testing does not support
+// other hash algorithms to be used with OAEP apart from SHA1.
+// See: https://github.com/opendnssec/SoftHSMv2/issues/474
+#[cfg(not(any(feature = "pkcs11-provider", feature = "tpm-provider")))]
 #[test]
 fn asym_encrypt_verify_decrypt_with_rsa_crate_oaep() {
     let key_name = String::from("asym_encrypt_verify_decrypt_with_rsa_crate_oaep");
@@ -269,16 +309,16 @@ fn asym_encrypt_verify_decrypt_with_rsa_crate_oaep() {
 }
 
 /// Uses key pair generated online to decrypt a message that has been pre-encrypted
+// PKCS 11 does not support important key pairs
+// TPM does not support importing "general use keys"
+#[cfg(not(any(feature = "pkcs11-provider", feature = "tpm-provider")))]
 #[test]
 fn asym_verify_decrypt_with_internet() {
     let key_name = String::from("asym_derify_decrypt_with_pick");
     let mut client = TestClient::new();
 
     // Check if decrypt is supported
-    // TPM does not support importing "general use keys"
-    if !client.is_operation_supported(Opcode::PsaAsymmetricDecrypt)
-        || client.provider().unwrap() == ProviderID::Tpm
-    {
+    if !client.is_operation_supported(Opcode::PsaAsymmetricDecrypt) {
         return;
     }
 

e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs

@@ -5,6 +5,7 @@ use parsec_client::core::interface::operations::psa_algorithm::*;
 use parsec_client::core::interface::operations::psa_key_attributes::*;
 use parsec_client::core::interface::requests::ResponseStatus;
 use parsec_client::core::interface::requests::Result;
+use rsa::{PaddingScheme, PublicKey, RSAPublicKey};
 use sha2::{Digest, Sha256};
 
 const HASH: [u8; 32] = [
@@ -312,3 +313,27 @@ fn fail_verify_hash2() -> Result<()> {
     assert_eq!(status, ResponseStatus::PsaErrorInvalidSignature);
     Ok(())
 }
+
+#[test]
+fn asym_verify_with_rsa_crate() {
+    let key_name = String::from("asym_verify_with_rsa_crate");
+    let mut client = TestClient::new();
+
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+    let pub_key = client.export_public_key(key_name.clone()).unwrap();
+
+    let rsa_pub_key = RSAPublicKey::from_pkcs1(&pub_key).unwrap();
+
+    let mut hasher = Sha256::new();
+    hasher.update(b"Bob wrote this message.");
+    let hash = hasher.finalize().to_vec();
+    let signature = client.sign_with_rsa_sha256(key_name, hash.clone()).unwrap();
+
+    rsa_pub_key
+        .verify(
+            PaddingScheme::new_pkcs1v15_sign(Some(rsa::Hash::SHA2_256)),
+            &hash,
+            &signature,
+        )
+        .unwrap();
+}