Update cryptoki and cryptoki-sys crates

 * Update the cryptoki and cryptoki-sys crates.
 * Remove the psa-crypto-conversions feature from the cryptoki
   dependency in the Cargo.toml file. The psa-crypto crate is
   already being brought up in the Cargo.toml file and this would
   have lead to a crate conflict when upgrading.
 * Remove parsec's dependency on cryptoki's psa-crypto by creating
   helping functions to perform type conversions.
 * Minor changes to the code to update according to the updates
   version of cryptoki.

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>

Cargo.toml

@@ -26,7 +26,7 @@ toml = "0.5.8"
 serde = { version = "1.0.123", features = ["derive"] }
 env_logger = "0.8.3"
 log = { version = "0.4.14", features = ["serde"] }
-cryptoki = { version = "0.3.1", optional = true, features = ["psa-crypto-conversions"] }
+cryptoki = { version = "0.5.0", optional = true, default-features = false }
 picky-asn1-der = { version = "0.4.0", optional = true }
 picky-asn1 = { version = "0.7.2", optional = true }
 tss-esapi = { version = "7.2.0", optional = true }

e2e_tests/Cargo.toml

@@ -30,7 +30,7 @@ picky-asn1 = "0.3.1"
 sha2 = "0.9.3"
 serial_test = "0.5.1"
 regex = "1.6.0"
-cryptoki = "0.3.1"
+cryptoki = { version = "0.5.0", default-features = false }
 snailquote = "0.3.1"
 
 [features]

e2e_tests/tests/all_providers/config/mod.rs

@@ -1,5 +1,6 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
+use cryptoki::types::AuthPin;
 use e2e_tests::auto_test_keyname;
 use e2e_tests::TestClient;
 use log::{error, info};
@@ -456,27 +457,29 @@ fn activate_cred_no_auth() {
 #[cfg(feature = "pkcs11-provider")]
 fn init_pkcs11_token(lib: &str, so_pin: &str, pin: &str) -> String {
     use cryptoki::context::{CInitializeArgs, Pkcs11};
-    use cryptoki::session::SessionFlags;
     use cryptoki::session::UserType;
     use std::path::Path;
 
     let pkcs11 = Pkcs11::new(Path::new(lib)).unwrap();
     // // initialize the library
     pkcs11.initialize(CInitializeArgs::OsThreads).unwrap();
     let slot = pkcs11.get_slots_with_token().unwrap().pop().unwrap();
-    pkcs11.init_token(slot, so_pin, "Test Token").unwrap();
-    // set flags
-    let mut flags = SessionFlags::new();
-    let _ = flags.set_rw_session(true).set_serial_session(true);
+    pkcs11
+        .init_token(slot, &AuthPin::new(so_pin.to_string()), "Test Token")
+        .unwrap();
     // open a session
-    let session = pkcs11.open_session_no_callback(slot, flags).unwrap();
+    let session = pkcs11.open_rw_session(slot).unwrap();
     // log in the session
-    session.login(UserType::So, Some(so_pin)).unwrap();
-    session.init_pin(pin).unwrap();
+    session
+        .login(UserType::So, Some(&AuthPin::new(so_pin.to_string())))
+        .unwrap();
+    session.init_pin(&AuthPin::new(pin.to_string())).unwrap();
     // get the token serial number
     let token = pkcs11.get_token_info(slot).unwrap();
     pkcs11.finalize();
-    std::str::from_utf8(&token.serialNumber).unwrap().to_owned()
+    std::str::from_utf8(token.serial_number().as_bytes())
+        .unwrap()
+        .to_owned()
 }
 
 #[cfg(feature = "pkcs11-provider")]

src/providers/pkcs11/asym_encryption.rs

@@ -1,18 +1,16 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
-use super::utils::to_response_status;
+use super::utils::{algorithm_to_mechanism, to_response_status};
 use super::KeyPairType;
 use super::Provider;
 use crate::authenticators::ApplicationIdentity;
 use crate::key_info_managers::KeyIdentity;
 use cryptoki::error::Error;
 use cryptoki::error::RvError;
-use cryptoki::mechanism::Mechanism;
 use log::{info, trace};
 use parsec_interface::operations::psa_algorithm::{Algorithm, AsymmetricEncryption};
 use parsec_interface::operations::{psa_asymmetric_decrypt, psa_asymmetric_encrypt};
 use parsec_interface::requests::{ResponseStatus, Result};
-use std::convert::TryFrom;
 
 impl Provider {
     pub(super) fn psa_asymmetric_encrypt_internal(
@@ -30,7 +28,7 @@ impl Provider {
 
         op.validate(key_attributes)?;
 
-        let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
+        let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;
 
         let session = self.new_session()?;
 
@@ -60,8 +58,7 @@ impl Provider {
         let key_attributes = self.key_info_store.get_key_attributes(&key_identity)?;
 
         op.validate(key_attributes)?;
-
-        let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
+        let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;
 
         let session = self.new_session()?;
 

src/providers/pkcs11/asym_sign.rs

@@ -1,17 +1,15 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
-use super::utils::to_response_status;
+use super::utils::{algorithm_to_mechanism, to_response_status};
 use super::Provider;
 use super::{utils, KeyPairType};
 use crate::authenticators::ApplicationIdentity;
 use crate::key_info_managers::KeyIdentity;
-use cryptoki::mechanism::Mechanism;
 use log::{info, trace};
 use parsec_interface::operations::psa_algorithm::Algorithm;
 use parsec_interface::operations::psa_key_attributes::Type;
 use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
 use parsec_interface::requests::{ResponseStatus, Result};
-use std::convert::TryFrom;
 
 impl Provider {
     pub(super) fn psa_sign_hash_internal(
@@ -30,7 +28,7 @@ impl Provider {
 
         op.validate(key_attributes)?;
 
-        let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
+        let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;
 
         let session = self.new_session()?;
 
@@ -68,8 +66,7 @@ impl Provider {
         let key_attributes = self.key_info_store.get_key_attributes(&key_identity)?;
 
         op.validate(key_attributes)?;
-
-        let mech = Mechanism::try_from(Algorithm::from(op.alg)).map_err(to_response_status)?;
+        let mech = algorithm_to_mechanism(Algorithm::from(op.alg)).map_err(to_response_status)?;
 
         let session = self.new_session()?;
 

src/providers/pkcs11/capability_discovery.rs

@@ -2,19 +2,19 @@
 // SPDX-License-Identifier: Apache-2.0
 
 #![allow(trivial_numeric_casts)]
+use super::utils::algorithm_to_mechanism;
 use super::{utils, Provider};
 use crate::authenticators::ApplicationIdentity;
 use crate::providers::crypto_capability::CanDoCrypto;
 use crate::providers::pkcs11::to_response_status;
-use cryptoki::mechanism::{Mechanism, MechanismInfo, MechanismType};
+use cryptoki::mechanism::{MechanismInfo, MechanismType};
 use cryptoki::types::Ulong;
 use log::{info, trace};
 use parsec_interface::operations::can_do_crypto;
 use parsec_interface::operations::psa_algorithm::*;
 use parsec_interface::operations::psa_key_attributes::{Attributes, Type};
 use parsec_interface::requests::ResponseStatus::PsaErrorNotSupported;
 use parsec_interface::requests::Result;
-use std::convert::TryFrom;
 
 impl CanDoCrypto for Provider {
     fn can_do_crypto_internal(
@@ -65,7 +65,7 @@ impl CanDoCrypto for Provider {
             .backend
             .get_mechanism_list(self.slot_number)
             .map_err(to_response_status)?;
-        let mechanism = Mechanism::try_from(attributes.policy.permitted_algorithms)
+        let mechanism = algorithm_to_mechanism(attributes.policy.permitted_algorithms)
             .map_err(to_response_status)?;
         if !(supported_mechanisms.contains(&mechanism.mechanism_type())) {
             info!("Mechanism {:?} is not supported", mechanism);
@@ -77,8 +77,8 @@ impl CanDoCrypto for Provider {
             .get_mechanism_info(self.slot_number, mechanism.mechanism_type())
             .map_err(to_response_status)?;
         if std::any::type_name::<Ulong>() == std::any::type_name::<u64>() {
-            if !((attributes.bits as u64) >= (*mechanism_info.min_key_size()).into()
-                && (attributes.bits as u64) <= (*mechanism_info.max_key_size()).into())
+            if !((attributes.bits as u64) >= (mechanism_info.min_key_size() as u64)
+                && (attributes.bits as u64) <= (mechanism_info.max_key_size()) as u64)
             {
                 info!(
                     "Incorrect key size {} for mechanism {:?}",
@@ -87,8 +87,8 @@ impl CanDoCrypto for Provider {
                 return Err(PsaErrorNotSupported);
             }
         } else {
-            if !((attributes.bits as u64) >= (*mechanism_info.min_key_size() as u64)
-                && (attributes.bits as u64) <= (*mechanism_info.max_key_size() as u64))
+            if !((attributes.bits as u64) >= (mechanism_info.min_key_size() as u64)
+                && (attributes.bits as u64) <= (mechanism_info.max_key_size() as u64))
             {
                 info!(
                     "Incorrect key size {} for mechanism {:?}",

src/providers/pkcs11/key_management.rs

@@ -1,6 +1,6 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
-use super::utils::to_response_status;
+use super::utils::{algorithm_to_mechanism, to_response_status};
 use super::{utils, KeyPairType, Provider};
 use crate::authenticators::ApplicationIdentity;
 use crate::key_info_managers::KeyIdentity;
@@ -17,7 +17,7 @@ use parsec_interface::requests::{ResponseStatus, Result};
 use parsec_interface::secrecy::ExposeSecret;
 use picky_asn1::wrapper::{IntegerAsn1, OctetStringAsn1};
 use picky_asn1_x509::RsaPublicKey;
-use std::convert::{TryFrom, TryInto};
+use std::convert::TryInto;
 
 impl Provider {
     /// Find the PKCS 11 object handle corresponding to the key ID and the key type (public,
@@ -117,7 +117,7 @@ impl Provider {
         let mut pub_template = vec![
             Attribute::Id(key_id.to_be_bytes().to_vec()),
             Attribute::Token(true.into()),
-            Attribute::AllowedMechanisms(vec![Mechanism::try_from(
+            Attribute::AllowedMechanisms(vec![algorithm_to_mechanism(
                 key_attributes.policy.permitted_algorithms,
             )
             .map_err(to_response_status)?