Merge pull request parallaxsecond#213 from puiterwijk/esapi_rebase

Rebase on new tss_esapi

Author: ionut-arm

Cargo.lock

@@ -33,7 +33,7 @@ log = { version = "0.4.8", features = ["serde"] }
 pkcs11 = { version = "0.4.0", optional = true }
 picky-asn1-der = { version = "0.2.2", optional = true }
 picky-asn1 = { version = "0.2.1", optional = true }
-tss-esapi = { version = "4.0.5-alpha.1", optional = true }
+tss-esapi = { version = "4.0.6-alpha.1", optional = true }
 bincode = "1.1.4"
 structopt = "0.3.5"
 derivative = "2.1.1"

Cargo.toml

@@ -74,7 +74,7 @@ fn check_export_public_possible() -> Result<()> {
         bits: 1024,
         policy: Policy {
             usage_flags: UsageFlags {
-                sign_hash: false,
+                sign_hash: true,
                 verify_hash: false,
                 sign_message: false,
                 verify_message: false,

e2e_tests/tests/per_provider/normal_tests/export_public_key.rs

@@ -71,7 +71,7 @@ fn wrong_usage_flags() {
             usage_flags: UsageFlags {
                 // Forbid signing
                 sign_hash: false,
-                verify_hash: false,
+                verify_hash: true,
                 sign_message: false,
                 verify_message: false,
                 export: false,

e2e_tests/tests/per_provider/normal_tests/key_attributes.rs

@@ -7,6 +7,8 @@ use log::error;
 use parsec_interface::operations::psa_algorithm::*;
 use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
+use std::convert::TryFrom;
+use tss_esapi::structures::{Auth, Digest};
 
 impl TpmProvider {
     pub(super) fn psa_sign_hash_internal(
@@ -46,8 +48,11 @@ impl TpmProvider {
         let signature = esapi_context
             .sign(
                 password_context.context,
-                &password_context.auth_value,
-                &op.hash,
+                Some(
+                    Auth::try_from(password_context.auth_value)
+                        .map_err(utils::to_response_status)?,
+                ),
+                Digest::try_from((*op.hash).clone()).map_err(utils::to_response_status)?,
             )
             .map_err(|e| {
                 if crate::utils::GlobalConfig::log_error_details() {
@@ -98,7 +103,11 @@ impl TpmProvider {
         let signature = utils::parsec_to_tpm_signature(op.signature, key_attributes, op.alg)?;
 
         let _ = esapi_context
-            .verify_signature(password_context.context, &op.hash, signature)
+            .verify_signature(
+                password_context.context,
+                Digest::try_from((*op.hash).clone()).map_err(utils::to_response_status)?,
+                signature,
+            )
             .map_err(utils::to_response_status)?;
 
         Ok(psa_verify_hash::Result {})

src/providers/tpm_provider/asym_sign.rs

@@ -88,18 +88,20 @@ impl TpmProvider {
             .expect("ESAPI Context lock poisoned");
 
         let (key_context, auth_value) = esapi_context
-            .create_signing_key(utils::parsec_to_tpm_params(attributes)?, AUTH_VAL_LEN)
+            .create_key(utils::parsec_to_tpm_params(attributes)?, AUTH_VAL_LEN)
             .map_err(|e| {
                 format_error!("Error creating a RSA signing key", e);
                 utils::to_response_status(e)
             })?;
+        // We hardcode the AUTH_VAL_LEN, so we can assume there is an auth_value
+        let auth_value = auth_value.unwrap();
 
         insert_password_context(
             &mut *store_handle,
             key_triple,
             PasswordContext {
                 context: key_context,
-                auth_value,
+                auth_value: auth_value.value().to_vec(),
             },
             attributes,
         )?;

src/providers/tpm_provider/key_management.rs

@@ -19,8 +19,8 @@ use std::collections::HashSet;
 use std::io::ErrorKind;
 use std::str::FromStr;
 use std::sync::{Arc, Mutex, RwLock};
-use tss_esapi::utils::algorithm_specifiers::Cipher;
-use tss_esapi::utils::tcti::Tcti;
+use tss_esapi::constants::algorithm::{Cipher, HashingAlgorithm};
+use tss_esapi::Tcti;
 use uuid::Uuid;
 
 mod asym_sign;
@@ -269,9 +269,7 @@ impl TpmProviderBuilder {
                 .with_root_key_auth_size(ROOT_KEY_AUTH_SIZE)
                 .with_hierarchy_auth(hierarchy_auth)
                 .with_hierarchy(tss_esapi::utils::Hierarchy::Owner)
-                .with_session_hash_alg(
-                    tss_esapi::utils::algorithm_specifiers::HashingAlgorithm::Sha256.into(),
-                )
+                .with_session_hash_alg(HashingAlgorithm::Sha256.into())
                 .with_default_context_cipher(default_cipher)
                 .build()
                 .map_err(|e| {

src/providers/tpm_provider/mod.rs

@@ -10,9 +10,10 @@ use picky_asn1_x509::RSAPublicKey;
 use serde::{Deserialize, Serialize};
 use std::convert::TryInto;
 use tss_esapi::abstraction::transient::KeyParams;
-use tss_esapi::response_code::{Error, Tss2ResponseCodeKind};
-use tss_esapi::utils::algorithm_specifiers::{EllipticCurve, HashingAlgorithm};
+use tss_esapi::constants::algorithm::{EllipticCurve, HashingAlgorithm};
+use tss_esapi::constants::response_code::Tss2ResponseCodeKind;
 use tss_esapi::utils::{AsymSchemeUnion, PublicKey, Signature, SignatureData, TpmsContext};
+use tss_esapi::Error;
 use zeroize::Zeroizing;
 const PUBLIC_EXPONENT: [u8; 3] = [0x01, 0x00, 0x01];
 
@@ -99,11 +100,20 @@ pub fn parsec_to_tpm_params(attributes: Attributes) -> Result<KeyParams> {
                 x @ 1024 | x @ 2048 | x @ 3072 | x @ 4096 => x.try_into().unwrap(), // will not fail on the matched values
                 _ => return Err(ResponseStatus::PsaErrorInvalidArgument),
             };
-            Ok(KeyParams::Rsa {
-                size,
-                scheme: convert_asym_scheme_to_tpm(attributes.policy.permitted_algorithms)?,
-                pub_exponent: 0,
-            })
+            if attributes.is_encrypt_permitted() || attributes.is_decrypt_permitted() {
+                Ok(KeyParams::RsaEncrypt {
+                    size,
+                    pub_exponent: 0,
+                })
+            } else if attributes.is_hash_signable() || attributes.is_hash_verifiable() {
+                Ok(KeyParams::RsaSign {
+                    size,
+                    scheme: convert_asym_scheme_to_tpm(attributes.policy.permitted_algorithms)?,
+                    pub_exponent: 0,
+                })
+            } else {
+                Err(ResponseStatus::PsaErrorNotSupported)
+            }
         }
         Type::EccKeyPair { .. } => Ok(KeyParams::Ecc {
             scheme: convert_asym_scheme_to_tpm(attributes.policy.permitted_algorithms)?,