parallaxsecond
diff --git a/‎Cargo.lock
Lines changed: 4 additions & 4 deletions b/‎Cargo.lock
Lines changed: 4 additions & 4 deletions
diff --git a/‎Cargo.toml
Lines changed: 2 additions & 2 deletions b/‎Cargo.toml
Lines changed: 2 additions & 2 deletions
diff --git a/‎e2e_tests/tests/per_provider/normal_tests/key_attributes.rs
Lines changed: 5 additions & 2 deletions b/‎e2e_tests/tests/per_provider/normal_tests/key_attributes.rs
Lines changed: 5 additions & 2 deletions
diff --git a/‎src/providers/tpm_provider/asym_sign.rs
Lines changed: 24 additions & 67 deletions b/‎src/providers/tpm_provider/asym_sign.rs
Lines changed: 24 additions & 67 deletions
diff --git a/‎src/providers/tpm_provider/key_management.rs
Lines changed: 6 additions & 25 deletions b/‎src/providers/tpm_provider/key_management.rs
Lines changed: 6 additions & 25 deletions
@@ -18,7 +18,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = "0.14.0"
+parsec-interface = "0.14.1"
 rand = "0.7.2"
 base64 = "0.10.1"
 uuid = "0.7.4"
@@ -33,7 +33,7 @@ log = { version = "0.4.8", features = ["serde"] }
 pkcs11 = { version = "0.4.0", optional = true }
 picky-asn1-der = { version = "0.2.2", optional = true }
 picky-asn1 = { version = "0.2.1", optional = true }
-tss-esapi = { version = "4.0.0-alpha.1", optional = true }
+tss-esapi = { version = "4.0.2-alpha.1", optional = true }
 bincode = "1.1.4"
 structopt = "0.3.5"
 derivative = "2.1.1"
 
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 use e2e_tests::TestClient;
 use parsec_client::core::interface::operations::psa_algorithm::{
-    Algorithm, AsymmetricSignature, Cipher, Hash,
+    Algorithm, AsymmetricSignature, Hash,
 };
 use parsec_client::core::interface::operations::psa_key_attributes::{
     KeyAttributes, KeyPolicy, KeyType, UsageFlags,
@@ -100,7 +100,10 @@ fn wrong_permitted_algorithm() {
 
     let key_type = KeyType::RsaKeyPair;
     // Do not permit RSA PKCS 1v15 signing algorithm with SHA-256.
-    let permitted_algorithm = Algorithm::Cipher(Cipher::Ctr);
+    let permitted_algorithm =
+        Algorithm::AsymmetricSignature(AsymmetricSignature::RsaPkcs1v15Sign {
+            hash_alg: Hash::Sha512,
+        });
     let key_attributes = KeyAttributes {
         key_type,
         key_bits: 1024,
 
@@ -7,71 +7,51 @@ use log::error;
 use parsec_interface::operations::psa_algorithm::*;
 use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
-use tss_esapi::{constants::TPM2_ALG_SHA256, utils::AsymSchemeUnion, utils::Signature};
 
 impl TpmProvider {
     pub(super) fn psa_sign_hash_internal(
         &self,
         app_name: ApplicationName,
         op: psa_sign_hash::Operation,
     ) -> Result<psa_sign_hash::Result> {
-        let key_name = op.key_name;
-        let hash = op.hash;
-        let alg = op.alg;
-        let key_triple = KeyTriple::new(app_name, ProviderID::Tpm, key_name);
+        let key_triple = KeyTriple::new(app_name, ProviderID::Tpm, op.key_name.clone());
 
         let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
         let mut esapi_context = self
             .esapi_context
             .lock()
             .expect("ESAPI Context lock poisoned");
 
-        if alg
-            != (AsymmetricSignature::RsaPkcs1v15Sign {
-                hash_alg: Hash::Sha256,
-            })
-        {
-            error!(
-                "The TPM provider currently only supports signature algorithm to be RSA PKCS#1 v1.5 and the text hashed with SHA-256.");
-            return Err(ResponseStatus::PsaErrorNotSupported);
-        }
-
-        if hash.len() != 32 {
-            error!("The SHA-256 hash must be 32 bytes long.");
-            return Err(ResponseStatus::PsaErrorInvalidArgument);
-        }
-
         let (password_context, key_attributes) =
             key_management::get_password_context(&*store_handle, key_triple)?;
 
-        key_attributes.can_sign_hash()?;
-        key_attributes.permits_alg(alg.into())?;
-        key_attributes.compatible_with_alg(alg.into())?;
-
-        match alg {
-            AsymmetricSignature::RsaPkcs1v15Sign {
-                hash_alg: Hash::Sha256,
-            } => (),
+        match op.alg {
+            AsymmetricSignature::RsaPkcs1v15Sign { .. } => (),
+            AsymmetricSignature::Ecdsa { .. } => (),
             _ => {
                 error!(
-                    "The TPM provider currently only supports \"RSA PKCS#1 v1.5 signature with hashing\" algorithm with SHA-256 as hashing algorithm for the PsaSignHash operation.");
+                    "Requested algorithm is not supported by the TPM provider: {:?}",
+                    op.alg
+                );
                 return Err(ResponseStatus::PsaErrorNotSupported);
             }
         }
 
+        op.validate(key_attributes)?;
+
         let signature = esapi_context
             .sign(
                 password_context.context,
                 &password_context.auth_value,
-                &hash,
+                &op.hash,
             )
             .or_else(|e| {
                 error!("Error signing: {}.", e);
                 Err(utils::to_response_status(e))
             })?;
 
         Ok(psa_sign_hash::Result {
-            signature: signature.signature,
+            signature: utils::signature_data_to_bytes(signature.signature, key_attributes)?,
         })
     }
 
@@ -80,59 +60,36 @@ impl TpmProvider {
         app_name: ApplicationName,
         op: psa_verify_hash::Operation,
     ) -> Result<psa_verify_hash::Result> {
-        let key_name = op.key_name;
-        let hash = op.hash;
-        let alg = op.alg;
-        let signature = op.signature;
-        let key_triple = KeyTriple::new(app_name, ProviderID::Tpm, key_name);
+        let key_triple = KeyTriple::new(app_name, ProviderID::Tpm, op.key_name.clone());
 
         let store_handle = self.key_info_store.read().expect("Key store lock poisoned");
         let mut esapi_context = self
             .esapi_context
             .lock()
             .expect("ESAPI Context lock poisoned");
 
-        if alg
-            != (AsymmetricSignature::RsaPkcs1v15Sign {
-                hash_alg: Hash::Sha256,
-            })
-        {
-            error!(
-                "The TPM provider currently only supports signature algorithm to be RSA PKCS#1 v1.5 and the text hashed with SHA-256.");
-            return Err(ResponseStatus::PsaErrorNotSupported);
-        }
-
-        if hash.len() != 32 {
-            error!("The SHA-256 hash must be 32 bytes long.");
-            return Err(ResponseStatus::PsaErrorInvalidArgument);
-        }
-
-        let signature = Signature {
-            scheme: AsymSchemeUnion::RSASSA(TPM2_ALG_SHA256),
-            signature,
-        };
-
         let (password_context, key_attributes) =
             key_management::get_password_context(&*store_handle, key_triple)?;
 
-        key_attributes.can_verify_hash()?;
-        key_attributes.permits_alg(alg.into())?;
-        key_attributes.compatible_with_alg(alg.into())?;
-
-        match alg {
-            AsymmetricSignature::RsaPkcs1v15Sign {
-                hash_alg: Hash::Sha256,
-            } => (),
+        match op.alg {
+            AsymmetricSignature::RsaPkcs1v15Sign { .. } => (),
+            AsymmetricSignature::Ecdsa { .. } => (),
             _ => {
                 error!(
-                    "The TPM provider currently only supports \"RSA PKCS#1 v1.5 signature with hashing\" algorithm with SHA-256 as hashing algorithm for the PsaVerifyHash operation.");
+                    "Requested algorithm is not supported by the TPM provider: {:?}",
+                    op.alg
+                );
                 return Err(ResponseStatus::PsaErrorNotSupported);
             }
         }
 
+        op.validate(key_attributes)?;
+
+        let signature = utils::parsec_to_tpm_signature(op.signature, key_attributes, op.alg)?;
+
         let _ = esapi_context
-            .verify_signature(password_context.context, &hash, signature)
-            .or_else(|e| Err(utils::to_response_status(e)))?;
+            .verify_signature(password_context.context, &op.hash, signature)
+            .map_err(utils::to_response_status)?;
 
         Ok(psa_verify_hash::Result {})
     }
 
@@ -13,7 +13,6 @@ use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
-use picky_asn1::wrapper::IntegerAsn1;
 
 // Public exponent value for all RSA keys.
 const PUBLIC_EXPONENT: [u8; 3] = [0x01, 0x00, 0x01];
@@ -69,17 +68,9 @@ impl TpmProvider {
         app_name: ApplicationName,
         op: psa_generate_key::Operation,
     ) -> Result<psa_generate_key::Result> {
-        if op.attributes.key_type != KeyType::RsaKeyPair {
-            error!("The TPM provider currently only supports creating RSA key pairs.");
-            return Err(ResponseStatus::PsaErrorNotSupported);
-        }
-
         let key_name = op.key_name;
         let attributes = op.attributes;
         let key_triple = KeyTriple::new(app_name, ProviderID::Tpm, key_name);
-        // This should never panic on 32 bits or more machines.
-        let key_size = std::convert::TryFrom::try_from(op.attributes.key_bits)
-            .expect("Conversion to usize failed.");
 
         let mut store_handle = self
             .key_info_store
@@ -91,7 +82,7 @@ impl TpmProvider {
             .expect("ESAPI Context lock poisoned");
 
         let (key_context, auth_value) = esapi_context
-            .create_rsa_signing_key(key_size, AUTH_VAL_LEN)
+            .create_signing_key(utils::parsec_to_tpm_params(attributes)?, AUTH_VAL_LEN)
             .or_else(|e| {
                 error!("Error creating a RSA signing key: {}.", e);
                 Err(utils::to_response_status(e))
@@ -199,7 +190,7 @@ impl TpmProvider {
             .lock()
             .expect("ESAPI Context lock poisoned");
 
-        let (password_context, _key_attributes) = get_password_context(&*store_handle, key_triple)?;
+        let (password_context, key_attributes) = get_password_context(&*store_handle, key_triple)?;
 
         let pub_key_data = esapi_context
             .read_public_key(password_context.context)
@@ -208,18 +199,9 @@ impl TpmProvider {
                 Err(utils::to_response_status(e))
             })?;
 
-        let key = RsaPublicKey {
-            // To produce a valid ASN.1 RSAPublicKey structure, 0x00 is put in front of the positive
-            // modulus if highest significant bit is one, to differentiate it from a negative number.
-            modulus: IntegerAsn1::from_unsigned_bytes_be(pub_key_data),
-            public_exponent: IntegerAsn1::from_signed_bytes_be(PUBLIC_EXPONENT.to_vec()),
-        };
-        let key_data = picky_asn1_der::to_vec(&key).or_else(|err| {
-            error!("Could not serialise key elements: {}.", err);
-            Err(ResponseStatus::PsaErrorCommunicationFailure)
-        })?;
-
-        Ok(psa_export_public_key::Result { data: key_data })
+        Ok(psa_export_public_key::Result {
+            data: utils::pub_key_to_bytes(pub_key_data, key_attributes)?,
+        })
     }
 
     pub(super) fn psa_destroy_key_internal(
@@ -234,10 +216,9 @@ impl TpmProvider {
             .write()
             .expect("Key store lock poisoned");
 
-        let error_closure = |e| Err(key_info_managers::to_response_status(e));
         if store_handle
             .remove(&key_triple)
-            .or_else(error_closure)?
+            .map_err(key_info_managers::to_response_status)?
             .is_none()
         {
             error!(