Add support for psa_generate_random operation for MbedCrypto provider

Signed-off-by: Joe Ellis <joe.ellis@arm.com>

Author: Joe Ellis

e2e_tests/src/lib.rs

@@ -134,6 +134,16 @@ impl TestClient {
         Ok(())
     }
 
+    /// Generates `nbytes` worth of random bytes.
+    pub fn generate_bytes(&mut self, nbytes: usize) -> Result<Vec<u8>> {
+        let random_bytes = self
+            .basic_client
+            .psa_generate_random(nbytes)
+            .map_err(convert_error)?;
+
+        Ok(random_bytes)
+    }
+
     /// Generate a 1024 bits RSA key pair.
     /// The key can only be used for signing/verifying with the RSA PKCS 1v15 signing algorithm with SHA-256 and exporting its public part.
     pub fn generate_rsa_sign_key(&mut self, key_name: String) -> Result<()> {

e2e_tests/tests/all_providers/mod.rs

@@ -57,6 +57,7 @@ fn list_opcodes() {
     let _ = crypto_providers_mbed_crypto.insert(Opcode::PsaAeadEncrypt);
     let _ = crypto_providers_mbed_crypto.insert(Opcode::PsaAeadDecrypt);
     let _ = crypto_providers_mbed_crypto.insert(Opcode::PsaExportKey);
+    let _ = crypto_providers_mbed_crypto.insert(Opcode::PsaGenerateRandom);
 
     let _ = core_provider_opcodes.insert(Opcode::Ping);
     let _ = core_provider_opcodes.insert(Opcode::ListProviders);

e2e_tests/tests/per_provider/normal_tests/generate_random.rs

@@ -0,0 +1,46 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use e2e_tests::TestClient;
+use parsec_client::core::interface::requests::Opcode;
+
+#[test]
+fn simple_generate_random() {
+    let mut client = TestClient::new();
+
+    if !client.is_operation_supported(Opcode::PsaGenerateRandom) {
+        return;
+    }
+
+    // Less than one in ~35 billion chance of collision. Should be good enough for our testing.
+    const NBYTES: usize = 35;
+    let random_bytes_a = client.generate_bytes(NBYTES).unwrap();
+    let random_bytes_b = client.generate_bytes(NBYTES).unwrap();
+
+    assert_eq!(random_bytes_a.len(), NBYTES);
+    assert_eq!(random_bytes_b.len(), NBYTES);
+
+    for (a, b) in random_bytes_a.iter().zip(random_bytes_b.iter()) {
+        if *a != *b {
+            return;
+        }
+    }
+
+    panic!(
+        "Two vectors of {} randomly generated bytes were equal!",
+        NBYTES
+    );
+}
+
+#[test]
+fn generate_zero_bytes() {
+    let mut client = TestClient::new();
+
+    if !client.is_operation_supported(Opcode::PsaGenerateRandom) {
+        return;
+    }
+
+    const NBYTES: usize = 0;
+    let random_bytes = client.generate_bytes(NBYTES).unwrap();
+
+    assert_eq!(random_bytes, vec![]);
+}

e2e_tests/tests/per_provider/normal_tests/mod.rs

@@ -8,6 +8,7 @@ mod basic;
 mod create_destroy_key;
 mod export_key;
 mod export_public_key;
+mod generate_random;
 mod hash;
 mod import_key;
 mod key_agreement;

src/back/backend_handler.rs

@@ -223,9 +223,6 @@ impl BackEndHandler {
                 trace!("psa_aead_decrypt_egress");
                 self.result_to_response(NativeResult::PsaHashCompare(result), header)
             }
-            NativeOperation::PsaGenerateRandom(_) => {
-                panic!("Unsupported in this PR");
-            }
             NativeOperation::PsaRawKeyAgreement(op_raw_key_agreement) => {
                 let app_name =
                     unwrap_or_else_return!(app_name.ok_or(ResponseStatus::NotAuthenticated));
@@ -235,6 +232,12 @@ impl BackEndHandler {
                 trace!("psa_raw_key_agreement_egress");
                 self.result_to_response(NativeResult::PsaRawKeyAgreement(result), header)
             }
+            NativeOperation::PsaGenerateRandom(op_generate_random) => {
+                let result =
+                    unwrap_or_else_return!(self.provider.psa_generate_random(op_generate_random));
+                trace!("psa_generate_random_egress");
+                self.result_to_response(NativeResult::PsaGenerateRandom(result), header)
+            }
         }
     }
 }

src/providers/mbed_crypto_provider/generate_random.rs

@@ -0,0 +1,30 @@
+use super::MbedCryptoProvider;
+use parsec_interface::operations::psa_generate_random;
+use parsec_interface::requests::{ResponseStatus, Result};
+use psa_crypto::operations::other::generate_random;
+
+impl MbedCryptoProvider {
+    pub(super) fn psa_generate_random_internal(
+        &self,
+        op: psa_generate_random::Operation,
+    ) -> Result<psa_generate_random::Result> {
+        let buffer_size = op.size;
+        if buffer_size > crate::utils::GlobalConfig::buffer_size_limit() {
+            let error = ResponseStatus::ResponseTooLarge;
+            format_error!("Generate random status", error);
+            return Err(error);
+        }
+
+        let mut buffer = vec![0u8; buffer_size];
+        match generate_random(&mut buffer) {
+            Ok(_) => Ok(psa_generate_random::Result {
+                random_bytes: buffer.into(),
+            }),
+            Err(error) => {
+                let error = ResponseStatus::from(error);
+                format_error!("Generate random status", error);
+                Err(error)
+            }
+        }
+    }
+}

src/providers/mbed_crypto_provider/mod.rs

@@ -11,8 +11,9 @@ use log::{error, trace};
 use parsec_interface::operations::list_providers::ProviderInfo;
 use parsec_interface::operations::{
     psa_aead_decrypt, psa_aead_encrypt, psa_asymmetric_decrypt, psa_asymmetric_encrypt,
-    psa_destroy_key, psa_export_key, psa_export_public_key, psa_generate_key, psa_hash_compare,
-    psa_hash_compute, psa_import_key, psa_raw_key_agreement, psa_sign_hash, psa_verify_hash,
+    psa_destroy_key, psa_export_key, psa_export_public_key, psa_generate_key, psa_generate_random,
+    psa_hash_compare, psa_hash_compute, psa_import_key, psa_raw_key_agreement, psa_sign_hash,
+    psa_verify_hash,
 };
 use parsec_interface::requests::{Opcode, ProviderID, ResponseStatus, Result};
 use psa_crypto::types::{key, status};
@@ -27,12 +28,12 @@ use uuid::Uuid;
 mod aead;
 mod asym_encryption;
 mod asym_sign;
+mod generate_random;
 mod hash;
 mod key_agreement;
-#[allow(dead_code)]
 mod key_management;
 
-const SUPPORTED_OPCODES: [Opcode; 14] = [
+const SUPPORTED_OPCODES: [Opcode; 15] = [
     Opcode::PsaGenerateKey,
     Opcode::PsaDestroyKey,
     Opcode::PsaSignHash,
@@ -47,6 +48,7 @@ const SUPPORTED_OPCODES: [Opcode; 14] = [
     Opcode::PsaHashCompare,
     Opcode::PsaHashCompute,
     Opcode::PsaRawKeyAgreement,
+    Opcode::PsaGenerateRandom,
 ];
 
 /// Mbed Crypto provider structure
@@ -284,6 +286,14 @@ impl Provide for MbedCryptoProvider {
         trace!("psa_raw_key_agreement");
         self.psa_raw_key_agreement(app_name, op)
     }
+
+    fn psa_generate_random(
+        &self,
+        op: psa_generate_random::Operation,
+    ) -> Result<psa_generate_random::Result> {
+        trace!("psa_generate_random ingress");
+        self.psa_generate_random_internal(op)
+    }
 }
 
 /// Mbed Crypto provider builder

src/providers/mod.rs

@@ -91,8 +91,8 @@ use crate::authenticators::ApplicationName;
 use parsec_interface::operations::{
     list_authenticators, list_opcodes, list_providers, ping, psa_aead_decrypt, psa_aead_encrypt,
     psa_asymmetric_decrypt, psa_asymmetric_encrypt, psa_destroy_key, psa_export_key,
-    psa_export_public_key, psa_generate_key, psa_hash_compare, psa_hash_compute, psa_import_key,
-    psa_raw_key_agreement, psa_sign_hash, psa_verify_hash,
+    psa_export_public_key, psa_generate_key, psa_generate_random, psa_hash_compare,
+    psa_hash_compute, psa_import_key, psa_raw_key_agreement, psa_sign_hash, psa_verify_hash,
 };
 use parsec_interface::requests::{ResponseStatus, Result};
 
@@ -279,4 +279,13 @@ pub trait Provide {
         trace!("psa_raw_key_agreement ingress");
         Err(ResponseStatus::PsaErrorNotSupported)
     }
+
+    /// Execute a GenerateRandom operation.
+    fn psa_generate_random(
+        &self,
+        _op: psa_generate_random::Operation,
+    ) -> Result<psa_generate_random::Result> {
+        trace!("psa_generate_random ingress");
+        Err(ResponseStatus::PsaErrorNotSupported)
+    }
 }