Merge pull request #578 from RobertDrazkowskiGL/calib-psa-rawkey

[CryptoAuthLib provider] PsaRawKeyAgreement operation implementation

Author: ionut-arm

Cargo.lock

@@ -41,15 +41,16 @@ picky-asn1-x509 = { version = "0.4.0", optional = true }
 users = "0.11.0"
 libc = "0.2.86"
 anyhow = "1.0.38"
-rust-cryptoauthlib = { version = "0.4.2", optional = true }
+rust-cryptoauthlib = { version = "0.4.4", optional = true }
 spiffe = { version = "0.2.0", optional = true }
 prost = { version = "0.8.0", optional = true }
 rusqlite = { version = "0.25.3", features = ["bundled"] }
 num-traits = "0.2.14"
 
 [dev-dependencies]
 rand = { version = "0.8.3", features = ["small_rng"] }
-rust-cryptoauthlib = { version = "0.4.2", features=["software-backend"]}
+rust-cryptoauthlib = { version = "0.4.4", features=["software-backend"]}
+
 
 [build-dependencies]
 bindgen = { version = "0.57.0", optional = true }

Cargo.toml

@@ -23,11 +23,13 @@ const EXPECTED_OUTPUT_SECPR1: [u8; 32] = [
     0x2f, 0xef, 0x8e, 0x9e, 0xce, 0x7d, 0xce, 0x03, 0x81, 0x24, 0x64, 0xd0, 0x4b, 0x94, 0x42, 0xde,
 ];
 
+#[cfg(not(feature = "cryptoauthlib-provider"))]
 const OUR_KEY_DATA_BRAINPOOL_R1: [u8; 32] = [
     0x81, 0xdb, 0x1e, 0xe1, 0x00, 0x15, 0x0f, 0xf2, 0xea, 0x33, 0x8d, 0x70, 0x82, 0x71, 0xbe, 0x38,
     0x30, 0x0c, 0xb5, 0x42, 0x41, 0xd7, 0x99, 0x50, 0xf7, 0x7b, 0x06, 0x30, 0x39, 0x80, 0x4f, 0x1d,
 ];
 
+#[cfg(not(feature = "cryptoauthlib-provider"))]
 const PEER_PUBLIC_KEY_BRAINPOOL_R1: [u8; 65] = [
     0x04, 0x8d, 0x2d, 0x68, 0x8c, 0x6c, 0xf9, 0x3e, 0x11, 0x60, 0xad, 0x04, 0xcc, 0x44, 0x29, 0x11,
     0x7d, 0xc2, 0xc4, 0x18, 0x25, 0xe1, 0xe9, 0xfc, 0xa0, 0xad, 0xdd, 0x34, 0xe6, 0xf1, 0xb3, 0x9f,
@@ -36,6 +38,7 @@ const PEER_PUBLIC_KEY_BRAINPOOL_R1: [u8; 65] = [
     0x6a,
 ];
 
+#[cfg(not(feature = "cryptoauthlib-provider"))]
 const EXPECTED_OUTPUT_BRAINPOOL_R1: [u8; 32] = [
     0x89, 0xaf, 0xc3, 0x9d, 0x41, 0xd3, 0xb3, 0x27, 0x81, 0x4b, 0x80, 0x94, 0x0b, 0x04, 0x25, 0x90,
     0xf9, 0x65, 0x56, 0xec, 0x91, 0xe6, 0xae, 0x79, 0x39, 0xbc, 0xe3, 0x1f, 0x3a, 0x18, 0xbf, 0x2b,
@@ -49,7 +52,7 @@ fn key_agreement_not_supported() {
             client
                 .raw_key_agreement(
                     RawKeyAgreement::Ecdh,
-                    String::from("some key"),
+                    String::from("some key name"),
                     &PEER_PUBLIC_KEY_SECPR1
                 )
                 .unwrap_err(),
@@ -84,6 +87,14 @@ fn raw_key_agreement_secpr1() {
         return;
     }
 
+    // Section needed for crytpoauthlib if first slot is configured as ECC because it has has unusual access behavior
+    // and user need to be aware of that.
+    // Use this section only if first slot is configured as ECC.
+    #[cfg(feature = "cryptoauthlib-provider")]
+    {
+        let key_name_0 = auto_test_keyname!("0");
+        client.generate_ecc_pair_secp_r1_key(key_name_0).unwrap();
+    } // end of section
     client
         .import_ecc_pair_secp_r1_key(key_name.clone(), OUR_KEY_DATA_SECPR1.to_vec())
         .unwrap();
@@ -94,6 +105,7 @@ fn raw_key_agreement_secpr1() {
     assert_eq!(&EXPECTED_OUTPUT_SECPR1, shared_secret.as_slice());
 }
 
+#[cfg(not(feature = "cryptoauthlib-provider"))]
 #[test]
 fn raw_key_agreement_brainpoolpr1() {
     let key_name = auto_test_keyname!();
@@ -127,6 +139,14 @@ fn raw_key_agreement_two_generated_parties() {
         return;
     }
 
+    // Section needed for crytpoauthlib if first slot is configured as ECC because it has has unusual access behavior
+    // and user need to be aware of that.
+    // Use this section only if first slot is configured as ECC.
+    #[cfg(feature = "cryptoauthlib-provider")]
+    {
+        let key_name_0 = auto_test_keyname!("0");
+        client.generate_ecc_pair_secp_r1_key(key_name_0).unwrap();
+    } // end of section
     client
         .generate_ecc_pair_secp_r1_key(key_name_1.clone())
         .unwrap();
@@ -143,5 +163,6 @@ fn raw_key_agreement_two_generated_parties() {
     let shared_secret_2_then_1 = client
         .raw_key_agreement(RawKeyAgreement::Ecdh, key_name_2, &public_key_1)
         .unwrap();
+
     assert_eq!(shared_secret_1_then_2, shared_secret_2_then_1);
 }

e2e_tests/tests/per_provider/normal_tests/key_agreement.rs

@@ -0,0 +1,53 @@
+// Copyright 2022 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use super::Provider;
+use crate::authenticators::ApplicationIdentity;
+use crate::key_info_managers::KeyIdentity;
+use parsec_interface::operations::psa_algorithm::RawKeyAgreement;
+use parsec_interface::operations::psa_raw_key_agreement;
+use parsec_interface::requests::{ResponseStatus, Result};
+use parsec_interface::secrecy::Secret;
+
+impl Provider {
+    pub(super) fn psa_raw_key_agreement_internal(
+        &self,
+        application_identity: &ApplicationIdentity,
+        op: psa_raw_key_agreement::Operation,
+    ) -> Result<psa_raw_key_agreement::Result> {
+        let key_identity = KeyIdentity::new(
+            application_identity.clone(),
+            self.provider_identity.clone(),
+            op.private_key_name.clone(),
+        );
+        let key_id = self.key_info_store.get_key_id::<u8>(&key_identity)?;
+        let key_attributes = self.key_info_store.get_key_attributes(&key_identity)?;
+        op.validate(key_attributes)?;
+
+        match op.alg {
+            RawKeyAgreement::Ecdh => {
+                let parameters = rust_cryptoauthlib::EcdhParams {
+                    out_target: rust_cryptoauthlib::EcdhTarget::Output,
+                    slot_id: Some(key_id),
+                    ..Default::default()
+                };
+                let mut key_data = op.peer_key.to_vec();
+                if key_data.len() == 65 {
+                    key_data = op.peer_key[1..].to_vec();
+                }
+                match self.device.ecdh(parameters, &key_data) {
+                    Ok(result) => {
+                        let shared_secret = result.pms.unwrap().to_vec();
+                        Ok(psa_raw_key_agreement::Result {
+                            shared_secret: Secret::new(shared_secret),
+                        })
+                    }
+                    Err(status) => {
+                        format_error!("Raw key agreement status: ", status);
+                        Err(ResponseStatus::PsaErrorGenericError)
+                    }
+                }
+            }
+            _ => Err(ResponseStatus::PsaErrorNotSupported),
+        }
+    }
+}

src/providers/cryptoauthlib/key_agreement.rs

@@ -327,7 +327,7 @@ fn get_calib_key_type(attributes: &Attributes) -> Result<rust_cryptoauthlib::Key
             if attributes.bits == 256 || attributes.bits == 0 {
                 Ok(rust_cryptoauthlib::KeyType::P256EccKey)
             } else {
-                Err(ResponseStatus::PsaErrorNotSupported)
+                Err(ResponseStatus::PsaErrorInvalidArgument)
             }
         }
         _ => Err(ResponseStatus::PsaErrorNotSupported),

src/providers/cryptoauthlib/key_management.rs

@@ -21,8 +21,8 @@ use uuid::Uuid;
 use parsec_interface::operations::{
     psa_aead_decrypt, psa_aead_encrypt, psa_cipher_decrypt, psa_cipher_encrypt, psa_destroy_key,
     psa_export_key, psa_export_public_key, psa_generate_key, psa_generate_random, psa_hash_compare,
-    psa_hash_compute, psa_import_key, psa_sign_hash, psa_sign_message, psa_verify_hash,
-    psa_verify_message,
+    psa_hash_compute, psa_import_key, psa_raw_key_agreement, psa_sign_hash, psa_sign_message,
+    psa_verify_hash, psa_verify_message,
 };
 
 mod access_keys;
@@ -31,6 +31,7 @@ mod asym_sign;
 mod cipher;
 mod generate_random;
 mod hash;
+mod key_agreement;
 mod key_management;
 mod key_slot;
 mod key_slot_storage;
@@ -229,6 +230,7 @@ impl Provider {
                     && self.supported_opcodes.insert(Opcode::PsaExportKey)
                     && self.supported_opcodes.insert(Opcode::PsaAeadEncrypt)
                     && self.supported_opcodes.insert(Opcode::PsaAeadDecrypt)
+                    && self.supported_opcodes.insert(Opcode::PsaRawKeyAgreement)
                 {
                     Some(())
                 } else {
@@ -486,6 +488,19 @@ impl Provide for Provider {
             self.psa_aead_decrypt_internal(application_identity, op)
         }
     }
+
+    fn psa_raw_key_agreement(
+        &self,
+        application_identity: &ApplicationIdentity,
+        op: psa_raw_key_agreement::Operation,
+    ) -> Result<psa_raw_key_agreement::Result> {
+        trace!("psa_raw_key_agreement ingress");
+        if !self.supported_opcodes.contains(&Opcode::PsaRawKeyAgreement) {
+            Err(ResponseStatus::PsaErrorNotSupported)
+        } else {
+            self.psa_raw_key_agreement_internal(application_identity, op)
+        }
+    }
 }
 
 /// CryptoAuthentication Library Provider builder