Add helpers to read public keys

baloo · baloo · commit 30e1d77706dc · 2023-11-25T13:57:34.000-08:00
Signed-off-by: Arthur Gautier &lt;baloo@superbaloo.net&gt;
diff --git a/cryptoki-rustcrypto/src/ecdsa.rs b/cryptoki-rustcrypto/src/ecdsa.rs
@@ -29,6 +29,46 @@ use thiserror::Error;
 
 use crate::SessionLike;
 
+pub fn read_key<S: SessionLike, C: SignAlgorithm>(
+    session: &S,
+    template: impl Into<Vec<Attribute>>,
+) -> Result<PublicKey<C>, Error>
+where
+    FieldBytesSize<C>: ModulusSize,
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+{
+    let mut template = template.into();
+    template.push(Attribute::Class(ObjectClass::PUBLIC_KEY));
+    template.push(Attribute::KeyType(KeyType::EC));
+    template.push(Attribute::EcParams(C::OID.to_der().unwrap()));
+
+    let keys = session.find_objects(&template)?;
+    if let Some(public_key) = keys.first() {
+        let attribute_pk = session.get_attributes(*public_key, &[AttributeType::EcPoint])?;
+
+        let mut ec_point = None;
+        for attribute in attribute_pk {
+            match attribute {
+                Attribute::EcPoint(p) if ec_point.is_none() => {
+                    ec_point = Some(p);
+                }
+                _ => {}
+            }
+        }
+
+        let ec_point = ec_point.ok_or(Error::MissingAttribute(AttributeType::EcPoint))?;
+
+        // documented as "DER-encoding of ANSI X9.62 ECPoint value Q"
+        // https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html#_Toc111203418
+        // https://www.rfc-editor.org/rfc/rfc5480#section-2.2
+        let ec_point = OctetStringRef::from_der(&ec_point).unwrap();
+
+        Ok(PublicKey::<C>::from_sec1_bytes(ec_point.as_bytes())?)
+    } else {
+        Err(Error::MissingKey)
+    }
+}
+
 #[derive(Error, Debug)]
 pub enum Error {
     #[error("Cryptoki error: {0}")]
@@ -39,6 +79,9 @@ pub enum Error {
 
     #[error("Elliptic curve error: {0}")]
     Ecdsa(#[from] ecdsa::elliptic_curve::Error),
+
+    #[error("Key not found")]
+    MissingKey,
 }
 
 pub trait SignAlgorithm: PrimeCurve + CurveArithmetic + AssociatedOid + DigestPrimitive {
@@ -53,7 +96,6 @@ impl SignAlgorithm for p256::NistP256 {
 
 pub struct Signer<C: SignAlgorithm, S: SessionLike> {
     session: S,
-    _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<C>,
 }
@@ -79,13 +121,7 @@ where
         let attribute_pk = session.get_attributes(private_key, &[AttributeType::Id])?;
 
         // Second we'll lookup a public key with the same label/ec params/ec point
-        let mut template = vec![
-            Attribute::Private(false),
-            Attribute::Label(label.to_vec()),
-            Attribute::Class(ObjectClass::PUBLIC_KEY),
-            Attribute::KeyType(KeyType::EC),
-            Attribute::EcParams(C::OID.to_der().unwrap()),
-        ];
+        let mut template = vec![Attribute::Private(false), Attribute::Label(label.to_vec())];
         let mut id = None;
         for attribute in attribute_pk {
             match attribute {
@@ -97,32 +133,14 @@ where
             }
         }
 
-        let public_key = session.find_objects(&template)?.remove(0);
-        let attribute_pk = session.get_attributes(public_key, &[AttributeType::EcPoint])?;
+        id.ok_or(Error::MissingAttribute(AttributeType::Id))?;
 
-        let mut ec_point = None;
-        for attribute in attribute_pk {
-            match attribute {
-                Attribute::EcPoint(p) if ec_point.is_none() => {
-                    ec_point = Some(p);
-                }
-                _ => {}
-            }
-        }
-
-        let ec_point = ec_point.ok_or(Error::MissingAttribute(AttributeType::EcPoint))?;
-
-        // documented as "DER-encoding of ANSI X9.62 ECPoint value Q"
-        // https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/os/pkcs11-spec-v3.1-os.html#_Toc111203418
-        // https://www.rfc-editor.org/rfc/rfc5480#section-2.2
-        let ec_point = OctetStringRef::from_der(&ec_point).unwrap();
-        let public = PublicKey::<C>::from_sec1_bytes(ec_point.as_bytes())?;
+        let public = read_key(&session, template)?;
         let verifying_key = public.into();
 
         Ok(Self {
             session,
             private_key,
-            _public_key: public_key,
             verifying_key,
         })
     }
diff --git a/cryptoki-rustcrypto/src/rsa/mod.rs b/cryptoki-rustcrypto/src/rsa/mod.rs
@@ -1,20 +1,67 @@
 // Copyright 2023 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 
-use cryptoki::mechanism::{
-    rsa::{PkcsMgfType, PkcsPssParams},
-    Mechanism, MechanismType,
+use cryptoki::{
+    mechanism::{
+        rsa::{PkcsMgfType, PkcsPssParams},
+        Mechanism, MechanismType,
+    },
+    object::{Attribute, AttributeType, KeyType, ObjectClass},
 };
-use cryptoki::object::AttributeType;
 use der::oid::AssociatedOid;
+use rsa::{BigUint, RsaPublicKey};
 use signature::digest::Digest;
 use std::convert::TryInto;
 use thiserror::Error;
 
-pub mod pkcs1v15;
+use crate::SessionLike;
 
+pub mod pkcs1v15;
 pub mod pss;
 
+pub fn read_key<S: SessionLike>(
+    session: &S,
+    template: impl Into<Vec<Attribute>>,
+) -> Result<RsaPublicKey, Error> {
+    let mut template: Vec<Attribute> = template.into();
+    template.push(Attribute::Class(ObjectClass::PUBLIC_KEY));
+    template.push(Attribute::KeyType(KeyType::RSA));
+
+    let keys = session.find_objects(&template)?;
+    if let Some(key) = keys.first() {
+        let attribute_pk = session.get_attributes(
+            *key,
+            &[AttributeType::Modulus, AttributeType::PublicExponent],
+        )?;
+
+        let mut modulus = None;
+        let mut public_exponent = None;
+
+        for attribute in attribute_pk {
+            match attribute {
+                Attribute::Modulus(m) if modulus.is_none() => {
+                    modulus = Some(m.clone());
+                }
+                Attribute::PublicExponent(e) if public_exponent.is_none() => {
+                    public_exponent = Some(e.clone());
+                }
+                _ => {}
+            }
+        }
+
+        let modulus = modulus
+            .ok_or(Error::MissingAttribute(AttributeType::Modulus))
+            .map(|v| BigUint::from_bytes_be(v.as_slice()))?;
+        let public_exponent = public_exponent
+            .ok_or(Error::MissingAttribute(AttributeType::PublicExponent))
+            .map(|v| BigUint::from_bytes_be(v.as_slice()))?;
+
+        Ok(RsaPublicKey::new(modulus, public_exponent)?)
+    } else {
+        Err(Error::MissingKey)
+    }
+}
+
 #[derive(Debug, Error)]
 pub enum Error {
     #[error("Cryptoki error: {0}")]
@@ -25,6 +72,9 @@ pub enum Error {
 
     #[error("RSA error: {0}")]
     Rsa(#[from] rsa::Error),
+
+    #[error("Key not found")]
+    MissingKey,
 }
 
 pub trait DigestSigning: Digest + AssociatedOid {
diff --git a/cryptoki-rustcrypto/src/rsa/pkcs1v15.rs b/cryptoki-rustcrypto/src/rsa/pkcs1v15.rs
@@ -6,17 +6,15 @@ use der::AnyRef;
 use rsa::{
     pkcs1,
     pkcs1v15::{Signature, VerifyingKey},
-    BigUint, RsaPublicKey,
 };
 use spki::{AlgorithmIdentifierRef, AssociatedAlgorithmIdentifier, SignatureAlgorithmIdentifier};
 use std::convert::TryFrom;
 
-use super::{DigestSigning, Error};
+use super::{read_key, DigestSigning, Error};
 use crate::SessionLike;
 
 pub struct Signer<D: DigestSigning, S: SessionLike> {
     session: S,
-    _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<D>,
 }
@@ -40,12 +38,7 @@ impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
         )?;
 
         // Second we'll lookup a public key with the same label/modulus/public exponent
-        let mut template = vec![
-            Attribute::Private(false),
-            Attribute::Label(label.to_vec()),
-            Attribute::Class(ObjectClass::PUBLIC_KEY),
-            Attribute::KeyType(KeyType::RSA),
-        ];
+        let mut template = vec![Attribute::Private(false), Attribute::Label(label.to_vec())];
         let mut modulus = None;
         let mut public_exponent = None;
         for attribute in attribute_pk {
@@ -62,21 +55,13 @@ impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
             }
         }
 
-        let modulus = modulus
-            .ok_or(Error::MissingAttribute(AttributeType::Modulus))
-            .map(|v| BigUint::from_bytes_be(v.as_slice()))?;
-        let public_exponent = public_exponent
-            .ok_or(Error::MissingAttribute(AttributeType::PublicExponent))
-            .map(|v| BigUint::from_bytes_be(v.as_slice()))?;
-
-        let public_key = session.find_objects(&template)?.remove(0);
+        let public_key = read_key(&session, template)?;
 
-        let verifying_key = VerifyingKey::new(RsaPublicKey::new(modulus, public_exponent)?);
+        let verifying_key = VerifyingKey::new(public_key);
 
         Ok(Self {
             session,
             private_key,
-            _public_key: public_key,
             verifying_key,
         })
     }
diff --git a/cryptoki-rustcrypto/src/rsa/pss.rs b/cryptoki-rustcrypto/src/rsa/pss.rs
@@ -7,7 +7,6 @@ use rsa::{
     pkcs1::{self, RsaPssParams},
     pkcs8::{self},
     pss::{Signature, VerifyingKey},
-    BigUint, RsaPublicKey,
 };
 use signature::digest::Digest;
 use spki::{
@@ -16,12 +15,11 @@ use spki::{
 };
 use std::convert::TryFrom;
 
-use super::{DigestSigning, Error};
+use super::{read_key, DigestSigning, Error};
 use crate::SessionLike;
 
 pub struct Signer<D: DigestSigning, S: SessionLike> {
     session: S,
-    _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<D>,
     salt_len: usize,
@@ -46,12 +44,7 @@ impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
         )?;
 
         // Second we'll lookup a public key with the same label/modulus/public exponent
-        let mut template = vec![
-            Attribute::Private(false),
-            Attribute::Label(label.to_vec()),
-            Attribute::Class(ObjectClass::PUBLIC_KEY),
-            Attribute::KeyType(KeyType::RSA),
-        ];
+        let mut template = vec![Attribute::Private(false), Attribute::Label(label.to_vec())];
         let mut modulus = None;
         let mut public_exponent = None;
         for attribute in attribute_pk {
@@ -68,22 +61,14 @@ impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
             }
         }
 
-        let modulus = modulus
-            .ok_or(Error::MissingAttribute(AttributeType::Modulus))
-            .map(|v| BigUint::from_bytes_be(v.as_slice()))?;
-        let public_exponent = public_exponent
-            .ok_or(Error::MissingAttribute(AttributeType::PublicExponent))
-            .map(|v| BigUint::from_bytes_be(v.as_slice()))?;
-
-        let public_key = session.find_objects(&template)?.remove(0);
+        let public_key = read_key(&session, template)?;
 
-        let verifying_key = VerifyingKey::new(RsaPublicKey::new(modulus, public_exponent)?);
+        let verifying_key = VerifyingKey::new(public_key);
         let salt_len = <D as Digest>::output_size();
 
         Ok(Self {
             session,
             private_key,
-            _public_key: public_key,
             verifying_key,
             salt_len,
         })
