Move calls from C library to psa-crypto

Parsec no longer calls mbedtls directly, it goes through the psa-crypto Rust interface to the library

Signed-off-by: Samuel Bailey <samuel.bailey@arm.com>

Author: sbailey-arm

Cargo.lock

@@ -18,7 +18,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = "0.15.0"
+parsec-interface = { path = "../parsec-interface-rs" }
 rand = "0.7.2"
 base64 = "0.10.1"
 uuid = "0.7.4"
@@ -40,6 +40,7 @@ derivative = "2.1.1"
 version = "3.0.0"
 hex = "0.4.2"
 picky = "5.0.0"
+psa-crypto = { path = "../rust-psa-crypto/psa-crypto", default-features = false, features = ["with-mbed-crypto"] }
 
 [dev-dependencies]
 ring = "0.16.12"

Cargo.toml

@@ -253,15 +253,6 @@ fn main() -> Result<()> {
         setup_mbed_crypto(&mbed_config, &mbed_version)?;
         generate_mbed_bindings(&mbed_config, &mbed_version)?;
 
-        // Request rustc to link the Mbed Crypto static library
-        println!(
-            "cargo:rustc-link-search=native={}/mbed-crypto-{}/library/",
-            mbed_config
-                .mbed_path
-                .unwrap_or_else(|| env::var("OUT_DIR").unwrap()),
-            mbed_version,
-        );
-        println!("cargo:rustc-link-lib=static=mbedcrypto");
     }
 
     Ok(())

build.rs

@@ -56,6 +56,7 @@ fn asym_verify_fail() -> Result<()> {
     let status = client
         .verify_with_rsa_sha256(key_name, HASH.to_vec(), signature)
         .expect_err("Verification should fail.");
+    dbg!("Status: {}", status);
     if !(status == ResponseStatus::PsaErrorInvalidSignature
         || status == ResponseStatus::PsaErrorCorruptionDetected)
     {

e2e_tests/tests/per_provider/normal_tests/asym_sign_verify.rs

@@ -1,12 +1,6 @@
 // Copyright 2019 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 use e2e_tests::TestClient;
-use parsec_client::core::interface::operations::psa_algorithm::{
-    Algorithm, AsymmetricSignature, Hash,
-};
-use parsec_client::core::interface::operations::psa_key_attributes::{
-    Attributes, Lifetime, Policy, Type, UsageFlags,
-};
 use parsec_client::core::interface::requests::ResponseStatus;
 use parsec_client::core::interface::requests::Result;
 use picky_asn1::wrapper::IntegerAsn1;
@@ -93,12 +87,14 @@ fn create_destroy_twice() -> Result<()> {
 fn generate_public_rsa_check_modulus() -> Result<()> {
     // As stated in the operation page, the public exponent of RSA key pair should be 65537
     // (0x010001).
+    println!("test");
     let mut client = TestClient::new();
-    let key_name = String::from("generate_public_rsa_check_modulus");
+    let key_name = String::from("generate_public_rsa_check_modulus1");
     client.generate_rsa_sign_key(key_name.clone())?;
     let public_key = client.export_public_key(key_name)?;
 
     let public_key: RsaPublicKey = picky_asn1_der::from_bytes(&public_key).unwrap();
+    println!("{:?}", &public_key.public_exponent.as_unsigned_bytes_be()[..]);
     assert_eq!(
         public_key.public_exponent.as_unsigned_bytes_be(),
         [0x01, 0x00, 0x01]
@@ -110,35 +106,13 @@ fn generate_public_rsa_check_modulus() -> Result<()> {
 fn failed_created_key_should_be_removed() -> Result<()> {
     let mut client = TestClient::new();
     let key_name = String::from("failed_created_key_should_be_removed");
+    const GARBAGE_IMPORT_DATA: [u8; 1] = [
+        48,
+    ];
 
-    let attributes = Attributes {
-        lifetime: Lifetime::Persistent,
-        key_type: Type::Arc4,
-        bits: 1024,
-        policy: Policy {
-            usage_flags: UsageFlags {
-                sign_hash: false,
-                verify_hash: true,
-                sign_message: false,
-                verify_message: true,
-                export: false,
-                encrypt: false,
-                decrypt: false,
-                cache: false,
-                copy: false,
-                derive: false,
-            },
-            permitted_algorithms: Algorithm::AsymmetricSignature(
-                AsymmetricSignature::RsaPkcs1v15Sign {
-                    hash_alg: Hash::Sha256.into(),
-                },
-            ),
-        },
-    };
-
-    // Unsupported parameter, should fail
+    // The data being imported is garbage, should fail
     let _ = client
-        .generate_key(key_name.clone(), attributes)
+        .import_rsa_public_key(key_name.clone(), GARBAGE_IMPORT_DATA.to_vec())
         .unwrap_err();
     // The key should not exist anymore in the KIM
     client.generate_rsa_sign_key(key_name)?;

e2e_tests/tests/per_provider/normal_tests/create_destroy_key.rs

@@ -1,14 +1,17 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
-use super::constants::PSA_SUCCESS;
-use super::utils::{self, KeyHandle};
-use super::{key_management, psa_crypto_binding, MbedProvider};
+use super::utils;
+use super::{key_management, MbedProvider};
 use crate::authenticators::ApplicationName;
 use crate::key_info_managers::KeyTriple;
 use log::{error, info};
 use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
-use parsec_interface::requests::{ProviderID, Result};
+use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
+use psa_crypto::operations::key_management as new_key_management;
+use psa_crypto::operations::asym_signature;
+use psa_crypto::types::key;
 
+#[allow(unused)]
 impl MbedProvider {
     pub(super) fn psa_sign_hash_internal(
         &self,
@@ -28,50 +31,29 @@ impl MbedProvider {
             .key_handle_mutex
             .lock()
             .expect("Grabbing key handle mutex failed");
-
-        let mut key_handle;
-        let mut key_attrs;
-        // Safety:
-        //   * at this point the provider has been instantiated so Mbed Crypto has been initialized
-        //   * self.key_handle_mutex prevents concurrent accesses
-        //   * self.key_slot_semaphore prevents overflowing key slots
-        unsafe {
-            key_handle = KeyHandle::open(key_id)?;
-            key_attrs = key_handle.attributes()?;
-        }
-
-        let buffer_size = utils::psa_asymmetric_sign_output_size(key_attrs.as_ref())?;
+        let id = key::Id::from_persistent_key_id(key_id);
+        let key_attributes = new_key_management::get_key_attributes(id)?;
+        let buffer_size = utils::psa_asymmetric_sign_output_size(&key_attributes)?;
         let mut signature = vec![0u8; buffer_size];
         let mut signature_size = 0;
 
-        let sign_status;
-        // Safety: same conditions than above.
-        unsafe {
-            sign_status = psa_crypto_binding::psa_asymmetric_sign(
-                key_handle.raw(),
-                utils::convert_algorithm(&alg.into())?,
-                hash.as_ptr(),
-                hash.len() as u64,
-                signature.as_mut_ptr(),
-                buffer_size as u64,
-                &mut signature_size,
-            );
-            key_attrs.reset();
-            key_handle.close()?;
-        };
 
-        if sign_status == PSA_SUCCESS {
-            let mut res = psa_sign_hash::Result {
-                signature: Vec::new(),
-            };
-            res.signature.resize(signature_size as usize, 0);
-            res.signature
-                .copy_from_slice(&signature[0..signature_size as usize]);
-
-            Ok(res)
-        } else {
-            error!("Sign status: {}", sign_status);
-            Err(utils::convert_status(sign_status))
+        match asym_signature::sign_hash(id, alg, &hash, &mut signature)
+            {
+            Ok(size) => {
+                let mut res = psa_sign_hash::Result {
+                    signature: Vec::new(),
+                };
+                res.signature.resize(size, 0);
+                res.signature
+                    .copy_from_slice(&signature[0..size]);
+                Ok(res)
+            }
+            Err(error) => {
+                let error = ResponseStatus::from(error);
+                error!("Sign status: {}", error);
+                Err(error)
+            }
         }
     }
 
@@ -95,32 +77,14 @@ impl MbedProvider {
             .lock()
             .expect("Grabbing key handle mutex failed");
 
-        let mut key_handle;
-        let mut key_attrs;
-        let verify_status;
-        // Safety:
-        //   * at this point the provider has been instantiated so Mbed Crypto has been initialized
-        //   * self.key_handle_mutex prevents concurrent accesses
-        //   * self.key_slot_semaphore prevents overflowing key slots
-        unsafe {
-            key_handle = KeyHandle::open(key_id)?;
-            key_attrs = key_handle.attributes()?;
-            verify_status = psa_crypto_binding::psa_asymmetric_verify(
-                key_handle.raw(),
-                utils::convert_algorithm(&alg.into())?,
-                hash.as_ptr(),
-                hash.len() as u64,
-                signature.as_ptr(),
-                signature.len() as u64,
-            );
-            key_attrs.reset();
-            key_handle.close()?;
-        }
-
-        if verify_status == PSA_SUCCESS {
-            Ok(psa_verify_hash::Result {})
-        } else {
-            Err(utils::convert_status(verify_status))
+        let id = key::Id::from_persistent_key_id(key_id);
+        match asym_signature::verify_hash(id, alg, &hash, &signature) {
+            Ok(()) => Ok(psa_verify_hash::Result {}),
+            Err(error) => {
+                let error = ResponseStatus::from(error);
+                error!("Verify status: {}", error);
+                Err(error)
+            }
         }
     }
 }