Allow software operations in PKCS11 provider

This commit adds functionality to the PKCS11 provider to allow it to
handle public key operations in software, using a PSA Crypto-compatible
library. The functionality is enabled via a config flag.

Signed-off-by: Ionut Mihalcea <ionut.mihalcea@arm.com>

Author: ionut-arm

Cargo.toml

@@ -66,7 +66,7 @@ features = ["docs"]
 default = []
 no-parsec-user-and-clients-group = []
 mbed-crypto-provider = ["psa-crypto"]
-pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"]
+pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "psa-crypto"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"]
 all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider"]
 docs = ["pkcs11-provider", "tpm-provider", "tss-esapi/docs", "mbed-crypto-provider"]

ci.sh

@@ -137,7 +137,7 @@ pgrep -f target/debug/parsec >/dev/null
 if [ "$PROVIDER_NAME" = "all" ]; then
     echo "Execute all-providers tests"
     RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml all_providers
-    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml config
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml config -- --test-threads=1
 else
     # Per provider tests
     echo "Execute normal tests"

config.toml

@@ -80,6 +80,9 @@ key_info_manager = "on-disk-manager"
 # (Optional) User pin for authentication with the specific slot. If not set, no authentication will
 # be used.
 #user_pin = "123456"
+# (Optional) Control whether missing public key operation (such as verifying signatures or asymmetric
+# encryption) are fully performed in software. 
+#software_public_operations = false
 
 # Example of a TPM provider configuration
 #[[provider]]

e2e_tests/provider_cfg/pkcs11/Dockerfile

@@ -2,7 +2,12 @@ FROM ubuntu:18.04
 
 RUN apt-get update && \
 	apt-get install -y wget automake autoconf libtool pkg-config && \
-    apt-get install -y curl libssl-dev libgcc1
+    apt-get install -y curl libssl-dev libgcc1 && \
+	apt-get install -y git make gcc python3 python curl wget libgcc1 cmake && \
+	# These libraries are needed for bindgen as it uses libclang.so
+	apt-get install -y clang libclang-dev && \
+	# Needed for Open SSL
+	apt-get install -y pkg-config libssl-dev
 
 WORKDIR /tmp
 RUN wget https://github.com/opendnssec/SoftHSMv2/archive/2.5.0.tar.gz

e2e_tests/provider_cfg/pkcs11/config.toml

@@ -22,5 +22,6 @@ provider_type = "Pkcs11"
 key_info_manager = "on-disk-manager"
 library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
 user_pin = "123456"
+software_public_operations = false
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number

e2e_tests/tests/config/mod.rs

@@ -74,3 +74,56 @@ fn list_providers() {
         ]
     );
 }
+
+#[cfg(feature = "pkcs11-provider")]
+#[test]
+fn pkcs11_verify_software() {
+    use sha2::{Digest, Sha256};
+    set_config("pkcs11_software.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = String::from("pkcs11_verify_software");
+
+    let mut hasher = Sha256::new();
+    hasher.update(b"Bob wrote this message.");
+    let hash = hasher.finalize().to_vec();
+
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    let signature = client
+        .sign_with_rsa_sha256(key_name.clone(), hash.clone())
+        .unwrap();
+    client
+        .verify_with_rsa_sha256(key_name, hash, signature)
+        .unwrap();
+}
+
+#[cfg(feature = "pkcs11-provider")]
+#[test]
+fn pkcs11_encrypt_software() {
+    set_config("pkcs11_software.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = String::from("pkcs11_verify_software");
+    let plaintext_msg = [
+        0x69, 0x3E, 0xDB, 0x1B, 0x22, 0x79, 0x03, 0xF4, 0xC0, 0xBF, 0xD6, 0x91, 0x76, 0x37, 0x84,
+        0xA2, 0x94, 0x8E, 0x92, 0x50, 0x35, 0xC2, 0x8C, 0x5C, 0x3C, 0xCA, 0xFE, 0x18, 0xE8, 0x81,
+        0x37, 0x78,
+    ];
+    client
+        .generate_rsa_encryption_keys_rsaoaep_sha1(key_name.clone())
+        .unwrap();
+    let ciphertext = client
+        .asymmetric_encrypt_message_with_rsaoaep_sha1(
+            key_name.clone(),
+            plaintext_msg.to_vec(),
+            vec![],
+        )
+        .unwrap();
+    let plaintext = client
+        .asymmetric_decrypt_message_with_rsaoaep_sha1(key_name, ciphertext, vec![])
+        .unwrap();
+    assert_eq!(&plaintext_msg[..], &plaintext[..]);
+}

e2e_tests/tests/config/tomls/pkcs11_software.toml

@@ -0,0 +1,27 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+
+[[provider]]
+provider_type = "Pkcs11"
+key_info_manager = "on-disk-manager"
+library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
+user_pin = "123456"
+software_public_operations = true
+# The slot_number mandatory field is going to replace the following line with a valid number
+# slot_number

e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs

@@ -85,10 +85,6 @@ fn simple_asym_encrypt_rsa_oaep_pkcs11() {
     let key_name = String::from("simple_asym_encrypt_rsa_oaep_pkcs11");
     let mut client = TestClient::new();
 
-    if !client.is_operation_supported(Opcode::PsaAsymmetricEncrypt) {
-        return;
-    }
-
     client
         .generate_rsa_encryption_keys_rsaoaep_sha1(key_name.clone())
         .unwrap();

src/providers/mod.rs

@@ -47,6 +47,8 @@ pub enum ProviderConfig {
         slot_number: usize,
         /// User Pin
         user_pin: Option<String>,
+        /// Control whether public key operations are performed in software
+        software_public_operations: Option<bool>,
     },
     /// TPM provider configuration
     Tpm {

src/providers/pkcs11_provider/asym_encryption.rs

@@ -7,7 +7,7 @@ use crate::key_info_managers::KeyTriple;
 use log::{info, trace};
 use parsec_interface::operations::psa_algorithm::Algorithm;
 use parsec_interface::operations::{psa_asymmetric_decrypt, psa_asymmetric_encrypt};
-use parsec_interface::requests::{ProviderID, Result};
+use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
 use std::convert::TryFrom;
 use utils::CkMechanism;
 
@@ -108,4 +108,45 @@ impl Pkcs11Provider {
             }
         }
     }
+
+    pub(super) fn software_psa_asymmetric_encrypt_internal(
+        &self,
+        app_name: ApplicationName,
+        op: psa_asymmetric_encrypt::Operation,
+    ) -> Result<psa_asymmetric_encrypt::Result> {
+        let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
+        let (_, key_attributes) = self.get_key_info(&key_triple)?;
+
+        op.validate(key_attributes)?;
+
+        let alg = op.alg;
+        let salt_buff = op.salt.as_ref().map(|salt| salt.as_slice());
+        let buffer_size = key_attributes.asymmetric_encrypt_output_size(alg)?;
+        let mut ciphertext = vec![0u8; buffer_size];
+        let pub_key_id = self.move_pub_key_to_psa_crypto(&key_triple)?;
+
+        info!("Encrypting plaintext with PSA Crypto");
+        let res = match psa_crypto::operations::asym_encryption::encrypt(
+            pub_key_id,
+            alg,
+            &op.plaintext,
+            salt_buff,
+            &mut ciphertext,
+        ) {
+            Ok(output_size) => {
+                ciphertext.resize(output_size, 0);
+                Ok(psa_asymmetric_encrypt::Result {
+                    ciphertext: ciphertext.into(),
+                })
+            }
+            Err(error) => {
+                let error = ResponseStatus::from(error);
+                format_error!("Asymmetric encryption failed", error);
+                Err(error)
+            }
+        };
+
+        let _ = self.remove_psa_crypto_pub_key(pub_key_id);
+        res
+    }
 }