Update cryptoki and cryptoki-sys crates
 * Update the cryptoki and cryptoki-sys crates.
 * Remove the psa-crypto-conversions feature from the cryptoki
   dependency in the Cargo.toml file. The psa-crypto crate is
   already being brought in by the Cargo.toml file and this would
   have led to a crate conflict when upgrading.
 * Remove parsec's dependency on cryptoki's psa-crypto by creating
   helper functions to perform type conversions.
 * Minor changes to the code to match the updated
   version of cryptoki.

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
tgonzalezorlandoarm committed Sep 21, 2023
1 parent 34b45f3 commit 2cd0749
Showing 11 changed files with 141 additions and 62 deletions.
30 changes: 23 additions & 7 deletions Cargo.lock


2 changes: 1 addition & 1 deletion Cargo.toml
@@ -26,7 +26,7 @@ toml = "0.5.8"
serde = { version = "1.0.123", features = ["derive"] }
env_logger = "0.8.3"
log = { version = "0.4.14", features = ["serde"] }
cryptoki = { version = "0.3.1", optional = true, features = ["psa-crypto-conversions"] }
cryptoki = { version = "0.5.0", optional = true, default-features = false }
picky-asn1-der = { version = "0.4.0", optional = true }
picky-asn1 = { version = "0.7.2", optional = true }
tss-esapi = { version = "7.2.0", optional = true }
2 changes: 1 addition & 1 deletion e2e_tests/Cargo.toml
@@ -30,7 +30,7 @@ picky-asn1 = "0.3.1"
sha2 = "0.9.3"
serial_test = "0.5.1"
regex = "1.6.0"
cryptoki = "0.3.1"
cryptoki = { version = "0.5.0", default-features = false }
snailquote = "0.3.1"

[features]
21 changes: 12 additions & 9 deletions e2e_tests/tests/all_providers/config/mod.rs
@@ -1,5 +1,6 @@
// Copyright 2020 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
use cryptoki::types::AuthPin;
use e2e_tests::auto_test_keyname;
use e2e_tests::TestClient;
use log::{error, info};
@@ -456,27 +457,29 @@ fn activate_cred_no_auth() {
#[cfg(feature = "pkcs11-provider")]
fn init_pkcs11_token(lib: &str, so_pin: &str, pin: &str) -> String {
use cryptoki::context::{CInitializeArgs, Pkcs11};
use cryptoki::session::SessionFlags;
use cryptoki::session::UserType;
use std::path::Path;

let pkcs11 = Pkcs11::new(Path::new(lib)).unwrap();
// // initialize the library
pkcs11.initialize(CInitializeArgs::OsThreads).unwrap();
let slot = pkcs11.get_slots_with_token().unwrap().pop().unwrap();
pkcs11.init_token(slot, so_pin, "Test Token").unwrap();
// set flags
let mut flags = SessionFlags::new();
let _ = flags.set_rw_session(true).set_serial_session(true);
pkcs11
.init_token(slot, &AuthPin::new(so_pin.to_string()), "Test Token")
.unwrap();
// open a session
let session = pkcs11.open_session_no_callback(slot, flags).unwrap();
let session = pkcs11.open_rw_session(slot).unwrap();
// log in the session
session.login(UserType::So, Some(so_pin)).unwrap();
session.init_pin(pin).unwrap();
session
.login(UserType::So, Some(&AuthPin::new(so_pin.to_string())))
.unwrap();
session.init_pin(&AuthPin::new(pin.to_string())).unwrap();
// get the token serial number
let token = pkcs11.get_token_info(slot).unwrap();
pkcs11.finalize();
std::str::from_utf8(&token.serialNumber).unwrap().to_owned()
std::str::from_utf8(token.serial_number().as_bytes())
.unwrap()
.to_owned()
}

#[cfg(feature = "pkcs11-provider")]
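Review bot: The new `use cryptoki::types::AuthPin;` is added at module scope in the first hunk, but the only use shown is inside `init_pkcs11_token`, which is compiled only under `#[cfg(feature = "pkcs11-provider")]`; a build without that feature would likely report an unused import. The function already keeps its other cryptoki imports local, so `use cryptoki::types::AuthPin;` belongs next to `use cryptoki::session::UserType;` inside the function body. Assuming `AuthPin` is a secret-wrapping string type, each `AuthPin::new(so_pin.to_string())` protects only the copy it owns while the `&str` arguments remain ordinary strings, which is acceptable in a test fixture but is worth a comment such as `// test-only: PINs arrive as plain &str; do not reuse this pattern in provider code`. The rest of the file lies outside the hunks, so other uses of `AuthPin` cannot be ruled out from here.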
30 changes: 23 additions & 7 deletions fuzz/Cargo.lock


9 changes: 3 additions & 6 deletions src/providers/pkcs11/asym_encryption.rs
@@ -1,18 +1,16 @@
// Copyright 2020 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
use super::utils::to_response_status;
use super::utils::{algorithm_to_mechanism, to_response_status};
use super::KeyPairType;
use super::Provider;
use crate::authenticators::ApplicationIdentity;
use crate::key_info_managers::KeyIdentity;
use cryptoki::error::Error;
use cryptoki::error::RvError;
use cryptoki::mechanism::Mechanism;
use log::{info, trace};
use parsec_interface::operations::psa_algorithm::{Algorithm, AsymmetricEncryption};
use parsec_interface::operations::{psa_asymmetric_decrypt, psa_asymmetric_encrypt};
use parsec_interface::requests::{ResponseStatus, Result};
use std::convert::TryFrom;

impl Provider {
pub(super) fn psa_asymmetric_encrypt_internal(
@@ -30,7 +28,7 @@ impl Provider {

op.validate(key_attributes)?;

let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;

let session = self.new_session()?;

@@ -60,8 +58,7 @@ impl Provider {
let key_attributes = self.key_info_store.get_key_attributes(&key_identity)?;

op.validate(key_attributes)?;

let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;

let session = self.new_session()?;

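Review bot: Both call sites in this file now obtain the PKCS#11 mechanism from the local helper `algorithm_to_mechanism` instead of cryptoki's `Mechanism::try_from`, so the PSA-algorithm-to-mechanism mapping (including any padding and hash parameters it selects) becomes code this project has to maintain, and the helper's definition is not part of the visible sections. It should come with unit tests that pin the mechanism produced for each supported algorithm and confirm that an unsupported algorithm returns an error rather than some fallback mechanism. The same substitution appears in asym_sign.rs, capability_discovery.rs and key_management.rs, so one test module next to the helper would cover all of them. A minor style point: the second hunk drops the blank line after `op.validate(key_attributes)?;` while the first hunk keeps it. Both functions start and end outside the hunks.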
9 changes: 3 additions & 6 deletions src/providers/pkcs11/asym_sign.rs
@@ -1,17 +1,15 @@
// Copyright 2020 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
use super::utils::to_response_status;
use super::utils::{algorithm_to_mechanism, to_response_status};
use super::Provider;
use super::{utils, KeyPairType};
use crate::authenticators::ApplicationIdentity;
use crate::key_info_managers::KeyIdentity;
use cryptoki::mechanism::Mechanism;
use log::{info, trace};
use parsec_interface::operations::psa_algorithm::Algorithm;
use parsec_interface::operations::psa_key_attributes::Type;
use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
use parsec_interface::requests::{ResponseStatus, Result};
use std::convert::TryFrom;

impl Provider {
pub(super) fn psa_sign_hash_internal(
@@ -30,7 +28,7 @@ impl Provider {

op.validate(key_attributes)?;

let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;

let session = self.new_session()?;

@@ -68,8 +66,7 @@ impl Provider {
let key_attributes = self.key_info_store.get_key_attributes(&key_identity)?;

op.validate(key_attributes)?;

let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;

let session = self.new_session()?;

14 changes: 7 additions & 7 deletions src/providers/pkcs11/capability_discovery.rs
@@ -2,19 +2,19 @@
// SPDX-License-Identifier: Apache-2.0

#![allow(trivial_numeric_casts)]
use super::utils::algorithm_to_mechanism;
use super::{utils, Provider};
use crate::authenticators::ApplicationIdentity;
use crate::providers::crypto_capability::CanDoCrypto;
use crate::providers::pkcs11::to_response_status;
use cryptoki::mechanism::{Mechanism, MechanismInfo, MechanismType};
use cryptoki::mechanism::{MechanismInfo, MechanismType};
use cryptoki::types::Ulong;
use log::{info, trace};
use parsec_interface::operations::can_do_crypto;
use parsec_interface::operations::psa_algorithm::*;
use parsec_interface::operations::psa_key_attributes::{Attributes, Type};
use parsec_interface::requests::ResponseStatus::PsaErrorNotSupported;
use parsec_interface::requests::Result;
use std::convert::TryFrom;

impl CanDoCrypto for Provider {
fn can_do_crypto_internal(
@@ -65,7 +65,7 @@ impl CanDoCrypto for Provider {
.backend
.get_mechanism_list(self.slot_number)
.map_err(to_response_status)?;
let mechanism = Mechanism::try_from(attributes.policy.permitted_algorithms)
let mechanism = algorithm_to_mechanism(attributes.policy.permitted_algorithms)
.map_err(to_response_status)?;
if !(supported_mechanisms.contains(&mechanism.mechanism_type())) {
info!("Mechanism {:?} is not supported", mechanism);
@@ -77,8 +77,8 @@ impl CanDoCrypto for Provider {
.get_mechanism_info(self.slot_number, mechanism.mechanism_type())
.map_err(to_response_status)?;
if std::any::type_name::<Ulong>() == std::any::type_name::<u64>() {
if !((attributes.bits as u64) >= (*mechanism_info.min_key_size()).into()
&& (attributes.bits as u64) <= (*mechanism_info.max_key_size()).into())
if !((attributes.bits as u64) >= (mechanism_info.min_key_size() as u64)
&& (attributes.bits as u64) <= (mechanism_info.max_key_size()) as u64)
{
info!(
"Incorrect key size {} for mechanism {:?}",
@@ -87,8 +87,8 @@ impl CanDoCrypto for Provider {
return Err(PsaErrorNotSupported);
}
} else {
if !((attributes.bits as u64) >= (*mechanism_info.min_key_size() as u64)
&& (attributes.bits as u64) <= (*mechanism_info.max_key_size() as u64))
if !((attributes.bits as u64) >= (mechanism_info.min_key_size() as u64)
&& (attributes.bits as u64) <= (mechanism_info.max_key_size() as u64))
{
info!(
"Incorrect key size {} for mechanism {:?}",
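Review bot: After this change the two arms of `if std::any::type_name::<Ulong>() == std::any::type_name::<u64>()` perform the same comparison, since both now cast `mechanism_info.min_key_size()` and `mechanism_info.max_key_size()` with `as u64`; the only difference is where the parenthesis closes in `(mechanism_info.max_key_size()) as u64`. The branch can be collapsed into a single range check, `let bits = attributes.bits as u64;` followed by `if bits < mechanism_info.min_key_size() as u64 || bits > mechanism_info.max_key_size() as u64 {`, and the `Ulong` import dropped if nothing else in the file uses it. A single path is easier to audit for a check that gates which key sizes are accepted. The enclosing function starts and ends outside the hunks, so the remaining lines of the `else` arm are not visible here.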
6 changes: 3 additions & 3 deletions src/providers/pkcs11/key_management.rs
@@ -1,6 +1,6 @@
// Copyright 2020 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
use super::utils::to_response_status;
use super::utils::{algorithm_to_mechanism, to_response_status};
use super::{utils, KeyPairType, Provider};
use crate::authenticators::ApplicationIdentity;
use crate::key_info_managers::KeyIdentity;
@@ -17,7 +17,7 @@ use parsec_interface::requests::{ResponseStatus, Result};
use parsec_interface::secrecy::ExposeSecret;
use picky_asn1::wrapper::{IntegerAsn1, OctetStringAsn1};
use picky_asn1_x509::RsaPublicKey;
use std::convert::{TryFrom, TryInto};
use std::convert::TryInto;

impl Provider {
/// Find the PKCS 11 object handle corresponding to the key ID and the key type (public,
@@ -117,7 +117,7 @@ impl Provider {
let mut pub_template = vec![
Attribute::Id(key_id.to_be_bytes().to_vec()),
Attribute::Token(true.into()),
Attribute::AllowedMechanisms(vec![Mechanism::try_from(
Attribute::AllowedMechanisms(vec![algorithm_to_mechanism(
key_attributes.policy.permitted_algorithms,
)
.map_err(to_response_status)?