Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for more elliptic curves #163

Closed
wants to merge 16 commits into from
Closed

Add support for more elliptic curves #163

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
23c79a9
Remove default syscalls from default features
robin-nitrokey Dec 15, 2023
80c4713
Merge pull request #31 from Nitrokey/default-syscalls
robin-nitrokey Dec 15, 2023
419dd5c
Merge branch 'trussed-dev:main' into main
robin-nitrokey Dec 15, 2023
bd48d6b
Run cargo fmt
sosthene-nitrokey Feb 1, 2024
085814a
Fix clippy warnings
sosthene-nitrokey Feb 1, 2024
578071b
Fix badly formatted dependency
sosthene-nitrokey Feb 1, 2024
2583e09
Merge pull request #32 from Nitrokey/fmt
sosthene-nitrokey Feb 2, 2024
cb7bd32
Merge pull request #37 from trussed-dev/main
robin-nitrokey Mar 4, 2024
2e7dd7c
Merge branch 'trussed-main'
sosthene-nitrokey Apr 4, 2024
c12172b
Fix warning
sosthene-nitrokey Jun 7, 2024
720006d
Merge pull request #42 from Nitrokey/fix-clippy-warnings
sosthene-nitrokey Jun 7, 2024
40e3128
Merge pull request #41 from trussed-dev/main
sosthene-nitrokey Jun 7, 2024
723029a
Add support for p384 and p521 nist curves
sosthene-nitrokey Apr 19, 2024
9d3a7ec
Fix clippy warnings
sosthene-nitrokey Jul 8, 2024
0ccdd46
Add p384 and p521 tests to CI
sosthene-nitrokey Jul 8, 2024
540ad72
Add brainpool mechanisms
sosthene-nitrokey Jul 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ jobs:
if: matrix.target == 'x86_64-unknown-linux-gnu'

- name: Run tests
run: cargo test --features serde-extensions,virt
run: cargo test --features serde-extensions,virt,p384,p521
if: matrix.target == 'x86_64-unknown-linux-gnu'

- name: Check formatting
Expand Down
7 changes: 6 additions & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@ littlefs2 = "0.4.0"
p256-cortex-m4 = { version = "0.1.0-alpha.6", features = ["prehash", "sec1-signatures"] }
salty = { version = "0.3.0", features = ["cose"] }
serde-indexed = "0.1.0"
p384 = { version = "0.13.0", optional = true, default-features = false, features = ["sha384", "ecdh", "ecdsa"] }
p521 = { version = "0.13.3", optional = true, default-features = false, features = ["sha512", "ecdh", "ecdsa"] }
ecdsa = { version = "0.16.9", optional = true, default-features = false }
Comment on lines +60 to +62
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: move to the RustCrypto section


[dev-dependencies]
# Testing
Expand All @@ -69,7 +72,7 @@ trussed-derive = { path = "derive" }
# rand_core = { version = "0.5", features = ["getrandom"] }

[features]
default = ["default-mechanisms", "default-syscalls", "clients-5"]
default = ["default-mechanisms", "clients-5"]
serde-extensions = []
std = []
verbose-tests = ["littlefs2/ll-assertions"]
Expand Down Expand Up @@ -110,6 +113,8 @@ hmac-sha1 = []
hmac-sha256 = []
hmac-sha512 = []
p256 = []
p384 = ["dep:p384"]
p521 = ["dep:p521", "dep:ecdsa"]
sha256 = []
tdes = ["des"]
totp = ["sha-1"]
Expand Down
9 changes: 6 additions & 3 deletions src/client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,11 +84,14 @@ use crate::interrupt::InterruptFlag;
use crate::pipe::{TrussedRequester, TRUSSED_INTERCHANGE};
use crate::service::Service;
use crate::types::{
consent, reboot, Bytes, CertId, CounterId, KeyId, KeySerialization, Location, Mechanism,
MediumData, Message, PathBuf, Platform, SerializedKey, ShortData, Signature,
SignatureSerialization, StorageAttributes, UserAttribute,
consent, reboot, Bytes, CertId, KeyId, KeySerialization, Location, Mechanism, MediumData,
Message, PathBuf, Platform, SerializedKey, ShortData, Signature, SignatureSerialization,
StorageAttributes, UserAttribute,
};

#[cfg(feature = "counter-client")]
use crate::types::CounterId;

pub use crate::platform::Syscall;

pub mod mechanisms;
Expand Down
179 changes: 179 additions & 0 deletions src/client/mechanisms.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -402,6 +402,185 @@ pub trait P256: CryptoClient {
}
}

#[cfg(feature = "p384")]
impl<S: Syscall, E> P384 for ClientImplementation<S, E> {}

#[cfg(feature = "p384")]
pub trait P384: CryptoClient {
fn generate_p384_private_key(
&mut self,
persistence: Location,
) -> ClientResult<'_, reply::GenerateKey, Self> {
self.generate_key(
Mechanism::P384,
StorageAttributes::new().set_persistence(persistence),
)
}

fn derive_p384_public_key(
&mut self,
private_key: KeyId,
persistence: Location,
) -> ClientResult<'_, reply::DeriveKey, Self> {
self.derive_key(
Mechanism::P384,
private_key,
None,
StorageAttributes::new().set_persistence(persistence),
)
}

fn deserialize_p384_key<'c>(
&'c mut self,
serialized_key: &[u8],
format: KeySerialization,
attributes: StorageAttributes,
) -> ClientResult<'c, reply::DeserializeKey, Self> {
self.deserialize_key(Mechanism::P384, serialized_key, format, attributes)
}

fn serialize_p384_key(
&mut self,
key: KeyId,
format: KeySerialization,
) -> ClientResult<'_, reply::SerializeKey, Self> {
self.serialize_key(Mechanism::P384, key, format)
}

// generally, don't offer multiple versions of a mechanism, if possible.
// try using the simplest when given the choice.
// hashing is something users can do themselves hopefully :)
//
// on the other hand: if users need sha256, then if the service runs in secure trustzone
// domain, we'll maybe need two copies of the sha2 code
fn sign_p384<'c>(
&'c mut self,
key: KeyId,
message: &[u8],
format: SignatureSerialization,
) -> ClientResult<'c, reply::Sign, Self> {
self.sign(Mechanism::P384, key, message, format)
}

fn verify_p384<'c>(
&'c mut self,
key: KeyId,
message: &[u8],
signature: &[u8],
) -> ClientResult<'c, reply::Verify, Self> {
self.verify(
Mechanism::P384,
key,
message,
signature,
SignatureSerialization::Raw,
)
}

fn agree_p384(
&mut self,
private_key: KeyId,
public_key: KeyId,
persistence: Location,
) -> ClientResult<'_, reply::Agree, Self> {
self.agree(
Mechanism::P384,
private_key,
public_key,
StorageAttributes::new().set_persistence(persistence),
)
}
}

#[cfg(feature = "p521")]
impl<S: Syscall, E> P521 for ClientImplementation<S, E> {}

pub trait P521: CryptoClient {
fn generate_p521_private_key(
&mut self,
persistence: Location,
) -> ClientResult<'_, reply::GenerateKey, Self> {
self.generate_key(
Mechanism::P521,
StorageAttributes::new().set_persistence(persistence),
)
}

fn derive_p521_public_key(
&mut self,
private_key: KeyId,
persistence: Location,
) -> ClientResult<'_, reply::DeriveKey, Self> {
self.derive_key(
Mechanism::P521,
private_key,
None,
StorageAttributes::new().set_persistence(persistence),
)
}

fn deserialize_p521_key<'c>(
&'c mut self,
serialized_key: &[u8],
format: KeySerialization,
attributes: StorageAttributes,
) -> ClientResult<'c, reply::DeserializeKey, Self> {
self.deserialize_key(Mechanism::P521, serialized_key, format, attributes)
}

fn serialize_p521_key(
&mut self,
key: KeyId,
format: KeySerialization,
) -> ClientResult<'_, reply::SerializeKey, Self> {
self.serialize_key(Mechanism::P521, key, format)
}

// generally, don't offer multiple versions of a mechanism, if possible.
// try using the simplest when given the choice.
// hashing is something users can do themselves hopefully :)
//
// on the other hand: if users need sha256, then if the service runs in secure trustzone
// domain, we'll maybe need two copies of the sha2 code
fn sign_p521<'c>(
&'c mut self,
key: KeyId,
message: &[u8],
format: SignatureSerialization,
) -> ClientResult<'c, reply::Sign, Self> {
self.sign(Mechanism::P521, key, message, format)
}

fn verify_p521<'c>(
&'c mut self,
key: KeyId,
message: &[u8],
signature: &[u8],
) -> ClientResult<'c, reply::Verify, Self> {
self.verify(
Mechanism::P521,
key,
message,
signature,
SignatureSerialization::Raw,
)
}

fn agree_p521(
&mut self,
private_key: KeyId,
public_key: KeyId,
persistence: Location,
) -> ClientResult<'_, reply::Agree, Self> {
self.agree(
Mechanism::P521,
private_key,
public_key,
StorageAttributes::new().set_persistence(persistence),
)
}
}

#[cfg(feature = "sha256")]
impl<S: Syscall, E> Sha256 for ClientImplementation<S, E> {}

Expand Down
15 changes: 15 additions & 0 deletions src/key.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,11 @@ pub enum Kind {
Rsa4096,
Ed255,
P256,
P384,
P521,
BrainpoolP256R1,
BrainpoolP384R1,
BrainpoolP512R1,
X255,
}

Expand Down Expand Up @@ -211,6 +216,11 @@ impl Kind {
Kind::Rsa2048 => 7,
Kind::Rsa3072 => 8,
Kind::Rsa4096 => 9,
Kind::P384 => 10,
Kind::P521 => 11,
Kind::BrainpoolP256R1 => 12,
Kind::BrainpoolP384R1 => 13,
Kind::BrainpoolP512R1 => 14,
}
}

Expand All @@ -225,6 +235,11 @@ impl Kind {
7 => Kind::Rsa2048,
8 => Kind::Rsa3072,
9 => Kind::Rsa4096,
10 => Kind::P384,
11 => Kind::P521,
12 => Kind::BrainpoolP256R1,
13 => Kind::BrainpoolP384R1,
14 => Kind::BrainpoolP512R1,
_ => return Err(Error::InvalidSerializedKey),
})
}
Expand Down
8 changes: 8 additions & 0 deletions src/mechanisms.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,14 @@ pub struct P256 {}
pub struct P256Prehashed {}
mod p256;

pub struct P384 {}
pub struct P384Prehashed {}
mod p384;

pub struct P521 {}
pub struct P521Prehashed {}
mod p521;

pub struct Sha256 {}
mod sha256;

Expand Down
Loading
Loading