Improve key metadata handling

ionut-arm · ionut-arm · commit c35ce86be8c6 · 2020-09-04T11:08:15.000+01:00
This commit improves the handling of key metadata in the PKCS11
provider, allowing the provider to cache metadata in memory instead of
always requesting it from the key info manager.

Signed-off-by: Ionut Mihalcea &lt;ionut.mihalcea@arm.com&gt;
diff --git a/src/key_info_managers/mod.rs b/src/key_info_managers/mod.rs
@@ -77,6 +77,16 @@ impl KeyTriple {
     pub fn belongs_to_provider(&self, provider_id: ProviderID) -> bool {
         self.provider_id == provider_id
     }
+
+    /// Get the key name
+    pub fn key_name(&self) -> &str {
+        &self.key_name
+    }
+
+    /// Get the app name
+    pub fn app_name(&self) -> &ApplicationName {
+        &self.app_name
+    }
 }
 
 /// Converts the error string returned by the ManageKeyInfo methods to
diff --git a/src/providers/mbed_crypto_provider/mod.rs b/src/providers/mbed_crypto_provider/mod.rs
@@ -105,7 +105,7 @@ impl MbedCryptoProvider {
             match store_handle.get_all(ProviderID::MbedCrypto) {
                 Ok(key_triples) => {
                     for key_triple in key_triples.iter().cloned() {
-                        let key_id = match key_management::get_key_id(key_triple, &*store_handle) {
+                        let key_id = match key_management::get_key_id(&key_triple, &*store_handle) {
                             Ok(key_id) => key_id,
                             Err(response_status) => {
                                 error!("Error getting the Key ID for triple:\n{}\n(error: {}), continuing...", key_triple, response_status);
diff --git a/src/providers/pkcs11_provider/asym_encryption.rs b/src/providers/pkcs11_provider/asym_encryption.rs
@@ -1,7 +1,7 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 use super::Pkcs11Provider;
-use super::{key_management::get_key_info, utils, KeyPairType, ReadWriteSession, Session};
+use super::{utils, KeyPairType, ReadWriteSession, Session};
 use crate::authenticators::ApplicationName;
 use crate::key_info_managers::KeyTriple;
 use log::{info, trace};
@@ -18,8 +18,7 @@ impl Pkcs11Provider {
         op: psa_asymmetric_encrypt::Operation,
     ) -> Result<psa_asymmetric_encrypt::Result> {
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
-        let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
-        let (key_id, key_attributes) = get_key_info(&key_triple, &*store_handle)?;
+        let (key_id, key_attributes) = self.get_key_info(&key_triple)?;
 
         op.validate(key_attributes)?;
 
@@ -69,8 +68,7 @@ impl Pkcs11Provider {
         op: psa_asymmetric_decrypt::Operation,
     ) -> Result<psa_asymmetric_decrypt::Result> {
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
-        let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
-        let (key_id, key_attributes) = get_key_info(&key_triple, &*store_handle)?;
+        let (key_id, key_attributes) = self.get_key_info(&key_triple)?;
 
         op.validate(key_attributes)?;
 
diff --git a/src/providers/pkcs11_provider/asym_sign.rs b/src/providers/pkcs11_provider/asym_sign.rs
@@ -1,7 +1,7 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 use super::Pkcs11Provider;
-use super::{key_management::get_key_info, utils, KeyPairType, ReadWriteSession, Session};
+use super::{utils, KeyPairType, ReadWriteSession, Session};
 use crate::authenticators::ApplicationName;
 use crate::key_info_managers::KeyTriple;
 use log::{info, trace};
@@ -18,8 +18,7 @@ impl Pkcs11Provider {
         op: psa_sign_hash::Operation,
     ) -> Result<psa_sign_hash::Result> {
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
-        let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
-        let (key_id, key_attributes) = get_key_info(&key_triple, &*store_handle)?;
+        let (key_id, key_attributes) = self.get_key_info(&key_triple)?;
 
         op.validate(key_attributes)?;
 
@@ -66,8 +65,7 @@ impl Pkcs11Provider {
         op: psa_verify_hash::Operation,
     ) -> Result<psa_verify_hash::Result> {
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
-        let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
-        let (key_id, key_attributes) = get_key_info(&key_triple, &*store_handle)?;
+        let (key_id, key_attributes) = self.get_key_info(&key_triple)?;
 
         op.validate(key_attributes)?;
 
diff --git a/src/providers/pkcs11_provider/key_management.rs b/src/providers/pkcs11_provider/key_management.rs
@@ -1,11 +1,10 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
-use super::{utils, KeyInfo, KeyPairType, LocalIdStore, Pkcs11Provider, ReadWriteSession, Session};
+use super::{utils, KeyPairType, Pkcs11Provider, ReadWriteSession, Session};
 use crate::authenticators::ApplicationName;
 use crate::key_info_managers::KeyTriple;
-use crate::key_info_managers::{self, ManageKeyInfo};
-use log::{error, info, trace, warn};
-use parsec_interface::operations::psa_key_attributes::*;
+use log::{error, info, trace};
+use parsec_interface::operations::psa_key_attributes::Type;
 use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
@@ -16,80 +15,6 @@ use picky_asn1_x509::RSAPublicKey;
 use pkcs11::types::{CKR_OK, CK_ATTRIBUTE, CK_OBJECT_HANDLE, CK_SESSION_HANDLE};
 use std::mem;
 
-/// Gets a key identifier and key attributes from the Key Info Manager.
-pub fn get_key_info(
-    key_triple: &KeyTriple,
-    store_handle: &dyn ManageKeyInfo,
-) -> Result<([u8; 4], Attributes)> {
-    match store_handle.get(key_triple) {
-        Ok(Some(key_info)) => {
-            if key_info.id.len() == 4 {
-                let mut dst = [0; 4];
-                dst.copy_from_slice(&key_info.id);
-                Ok((dst, key_info.attributes))
-            } else {
-                error!("Stored Key ID is not valid.");
-                Err(ResponseStatus::KeyInfoManagerError)
-            }
-        }
-        Ok(None) => Err(ResponseStatus::PsaErrorDoesNotExist),
-        Err(string) => Err(key_info_managers::to_response_status(string)),
-    }
-}
-
-pub fn create_key_id(
-    key_triple: KeyTriple,
-    key_attributes: Attributes,
-    store_handle: &mut dyn ManageKeyInfo,
-    local_ids_handle: &mut LocalIdStore,
-) -> Result<[u8; 4]> {
-    let mut key_id = rand::random::<[u8; 4]>();
-    while local_ids_handle.contains(&key_id) {
-        key_id = rand::random::<[u8; 4]>();
-    }
-    let key_info = KeyInfo {
-        id: key_id.to_vec(),
-        attributes: key_attributes,
-    };
-    match store_handle.insert(key_triple.clone(), key_info) {
-        Ok(insert_option) => {
-            if insert_option.is_some() {
-                if crate::utils::GlobalConfig::log_error_details() {
-                    warn!("Overwriting Key triple mapping ({})", key_triple);
-                } else {
-                    warn!("Overwriting Key triple mapping");
-                }
-            }
-            let _ = local_ids_handle.insert(key_id);
-
-            Ok(key_id)
-        }
-        Err(string) => Err(key_info_managers::to_response_status(string)),
-    }
-}
-
-pub fn remove_key_id(
-    key_triple: &KeyTriple,
-    key_id: [u8; 4],
-    store_handle: &mut dyn ManageKeyInfo,
-    local_ids_handle: &mut LocalIdStore,
-) -> Result<()> {
-    match store_handle.remove(key_triple) {
-        Ok(_) => {
-            let _ = local_ids_handle.remove(&key_id);
-            Ok(())
-        }
-        Err(string) => Err(key_info_managers::to_response_status(string)),
-    }
-}
-
-pub fn key_info_exists(key_triple: &KeyTriple, store_handle: &dyn ManageKeyInfo) -> Result<bool> {
-    match store_handle.exists(key_triple) {
-        Ok(val) => Ok(val),
-        Err(string) => Err(key_info_managers::to_response_status(string)),
-    }
-}
-
 impl Pkcs11Provider {
     /// Find the PKCS 11 object handle corresponding to the key ID and the key type (public,
     /// private or any key type) given as parameters for the current session.
@@ -151,20 +76,10 @@ impl Pkcs11Provider {
         let key_attributes = op.attributes;
 
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, key_name);
-        let mut store_handle = self
-            .key_info_store
-            .write()
-            .expect("Key store lock poisoned");
-        let mut local_ids_handle = self.local_ids.write().expect("Local ID lock poisoned");
-        if key_info_exists(&key_triple, &*store_handle)? {
+        if self.key_info_exists(&key_triple)? {
             return Err(ResponseStatus::PsaErrorAlreadyExists);
         }
-        let key_id = create_key_id(
-            key_triple.clone(),
-            key_attributes,
-            &mut *store_handle,
-            &mut local_ids_handle,
-        )?;
+        let key_id = self.create_key_id(key_triple.clone(), key_attributes)?;
 
         let (mech, mut pub_template, mut priv_template, mut allowed_mechanism) =
             utils::parsec_to_pkcs11_params(key_attributes, &key_id)?;
@@ -178,12 +93,7 @@ impl Pkcs11Provider {
 
         let session = Session::new(self, ReadWriteSession::ReadWrite).or_else(|err| {
             format_error!("Error creating a new session", err);
-            remove_key_id(
-                &key_triple,
-                key_id,
-                &mut *store_handle,
-                &mut local_ids_handle,
-            )?;
+            let _ = self.remove_key_id(&key_triple)?;
             Err(err)
         })?;
 
@@ -204,12 +114,7 @@ impl Pkcs11Provider {
             Ok(_key) => Ok(psa_generate_key::Result {}),
             Err(e) => {
                 format_error!("Generate Key Pair operation failed", e);
-                remove_key_id(
-                    &key_triple,
-                    key_id,
-                    &mut *store_handle,
-                    &mut local_ids_handle,
-                )?;
+                let _ = self.remove_key_id(&key_triple)?;
                 Err(utils::to_response_status(e))
             }
         }
@@ -228,43 +133,23 @@ impl Pkcs11Provider {
         let key_name = op.key_name;
         let key_attributes = op.attributes;
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, key_name);
-        let mut store_handle = self
-            .key_info_store
-            .write()
-            .expect("Key store lock poisoned");
-        let mut local_ids_handle = self.local_ids.write().expect("Local ID lock poisoned");
-        if key_info_exists(&key_triple, &*store_handle)? {
+        if self.key_info_exists(&key_triple)? {
             return Err(ResponseStatus::PsaErrorAlreadyExists);
         }
-        let key_id = create_key_id(
-            key_triple.clone(),
-            key_attributes,
-            &mut *store_handle,
-            &mut local_ids_handle,
-        )?;
+        let key_id = self.create_key_id(key_triple.clone(), key_attributes)?;
 
         let mut template: Vec<CK_ATTRIBUTE> = Vec::new();
 
         let public_key: RSAPublicKey = picky_asn1_der::from_bytes(op.data.expose_secret())
             .or_else(|e| {
                 format_error!("Failed to parse RsaPublicKey data", e);
-                remove_key_id(
-                    &key_triple,
-                    key_id,
-                    &mut *store_handle,
-                    &mut local_ids_handle,
-                )?;
+                let _ = self.remove_key_id(&key_triple)?;
                 Err(ResponseStatus::PsaErrorInvalidArgument)
             })?;
 
         if public_key.modulus.is_negative() || public_key.public_exponent.is_negative() {
             error!("Only positive modulus and public exponent are supported.");
-            remove_key_id(
-                &key_triple,
-                key_id,
-                &mut *store_handle,
-                &mut local_ids_handle,
-            )?;
+            let _ = self.remove_key_id(&key_triple)?;
             return Err(ResponseStatus::PsaErrorInvalidArgument);
         }
 
@@ -281,6 +166,8 @@ impl Pkcs11Provider {
             } else {
                 error!("`bits` field of key attributes must be either 0 or equal to the size of the key in `data`.");
             }
+
+            let _ = self.remove_key_id(&key_triple)?;
             return Err(ResponseStatus::PsaErrorInvalidArgument);
         }
 
@@ -320,12 +207,7 @@ impl Pkcs11Provider {
 
         let session = Session::new(self, ReadWriteSession::ReadWrite).or_else(|err| {
             format_error!("Error creating a new session", err);
-            remove_key_id(
-                &key_triple,
-                key_id,
-                &mut *store_handle,
-                &mut local_ids_handle,
-            )?;
+            let _ = self.remove_key_id(&key_triple)?;
             Err(err)
         })?;
 
@@ -344,12 +226,7 @@ impl Pkcs11Provider {
             Ok(_key) => Ok(psa_import_key::Result {}),
             Err(e) => {
                 format_error!("Import operation failed", e);
-                remove_key_id(
-                    &key_triple,
-                    key_id,
-                    &mut *store_handle,
-                    &mut local_ids_handle,
-                )?;
+                let _ = self.remove_key_id(&key_triple)?;
                 Err(utils::to_response_status(e))
             }
         }
@@ -362,8 +239,7 @@ impl Pkcs11Provider {
     ) -> Result<psa_export_public_key::Result> {
         let key_name = op.key_name;
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, key_name);
-        let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
-        let (key_id, _key_attributes) = get_key_info(&key_triple, &*store_handle)?;
+        let (key_id, _key_attributes) = self.get_key_info(&key_triple)?;
 
         let session = Session::new(self, ReadWriteSession::ReadOnly)?;
         if crate::utils::GlobalConfig::log_error_details() {
@@ -458,12 +334,7 @@ impl Pkcs11Provider {
     ) -> Result<psa_destroy_key::Result> {
         let key_name = op.key_name;
         let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, key_name);
-        let mut store_handle = self
-            .key_info_store
-            .write()
-            .expect("Key store lock poisoned");
-        let mut local_ids_handle = self.local_ids.write().expect("Local ID lock poisoned");
-        let (key_id, _) = get_key_info(&key_triple, &*store_handle)?;
+        let (key_id, _) = self.get_key_info(&key_triple)?;
 
         let session = Session::new(self, ReadWriteSession::ReadWrite)?;
         if crate::utils::GlobalConfig::log_error_details() {
@@ -510,12 +381,7 @@ impl Pkcs11Provider {
             }
         };
 
-        remove_key_id(
-            &key_triple,
-            key_id,
-            &mut *store_handle,
-            &mut local_ids_handle,
-        )?;
+        let _ = self.remove_key_id(&key_triple)?;
 
         Ok(psa_destroy_key::Result {})
     }
diff --git a/src/providers/pkcs11_provider/key_metadata.rs b/src/providers/pkcs11_provider/key_metadata.rs
diff --git a/src/providers/pkcs11_provider/mod.rs b/src/providers/pkcs11_provider/mod.rs
