Add key attestation operations

This commit adds the types for the new key attestation operations and
their conversions to/from protobuf.

Signed-off-by: Ionut Mihalcea <[email protected]>

Author: ionut-arm

parsec-operations

@@ -0,0 +1,41 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! # AttestKey operation
+//!
+//! Produce an attestation token as proof that the given
+//! key was produced and is stored in the hardware backend.
+use derivative::Derivative;
+use zeroize::Zeroizing;
+
+/// Native operation for key attestation
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Operation {
+    /// Attestation via TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// Name of key to be attested
+        attested_key_name: String,
+        /// Blob of data representing the encrypted credential
+        #[derivative(Debug = "ignore")]
+        credential_blob: Zeroizing<Vec<u8>>,
+        /// Blob of data representing the encrypted secret
+        #[derivative(Debug = "ignore")]
+        secret: Zeroizing<Vec<u8>>,
+        /// Name of key to be used for attesting
+        attesting_key_name: Option<String>,
+    },
+}
+
+/// Native result of key attestation
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Result {
+    /// Result of attestation via TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// Decrypted credential
+        #[derivative(Debug = "ignore")]
+        credential: Zeroizing<Vec<u8>>,
+    },
+}

src/operations/attest_key.rs

@@ -33,6 +33,8 @@ pub mod delete_client;
 pub mod list_clients;
 pub mod psa_generate_random;
 pub mod psa_raw_key_agreement;
+pub mod attest_key;
+pub mod prepare_key_attestation;
 
 pub use psa_crypto::types::algorithm as psa_algorithm;
 pub use psa_crypto::types::key as psa_key_attributes;
@@ -91,6 +93,10 @@ pub enum NativeOperation {
     PsaSignMessage(psa_sign_message::Operation),
     /// PsaVerifyMessage operation
     PsaVerifyMessage(psa_verify_message::Operation),
+    /// AttestKey operation
+    AttestKey(attest_key::Operation),
+    /// PrepareKeyAttestation operation
+    PrepareKeyAttestation(prepare_key_attestation::Operation),
 }
 
 impl NativeOperation {
@@ -121,6 +127,8 @@ impl NativeOperation {
             NativeOperation::PsaRawKeyAgreement(_) => Opcode::PsaRawKeyAgreement,
             NativeOperation::PsaSignMessage(_) => Opcode::PsaSignMessage,
             NativeOperation::PsaVerifyMessage(_) => Opcode::PsaVerifyMessage,
+            NativeOperation::AttestKey(_) => Opcode::AttestKey,
+            NativeOperation::PrepareKeyAttestation(_) => Opcode::PrepareKeyAttestation,
         }
     }
 }
@@ -177,6 +185,10 @@ pub enum NativeResult {
     PsaSignMessage(psa_sign_message::Result),
     /// PsaVerifyMessage result
     PsaVerifyMessage(psa_verify_message::Result),
+    /// AttestKey result
+    AttestKey(attest_key::Result),
+    /// AttestKey result
+    PrepareKeyAttestation(prepare_key_attestation::Result),
 }
 
 impl NativeResult {
@@ -207,6 +219,8 @@ impl NativeResult {
             NativeResult::PsaRawKeyAgreement(_) => Opcode::PsaRawKeyAgreement,
             NativeResult::PsaSignMessage(_) => Opcode::PsaSignMessage,
             NativeResult::PsaVerifyMessage(_) => Opcode::PsaVerifyMessage,
+            NativeResult::AttestKey(_) => Opcode::AttestKey,
+            NativeResult::PrepareKeyAttestation(_) => Opcode::PrepareKeyAttestation,
         }
     }
 }
@@ -367,22 +381,36 @@ impl From<psa_hash_compare::Operation> for NativeOperation {
         NativeOperation::PsaHashCompare(op)
     }
 }
+
 impl From<psa_raw_key_agreement::Operation> for NativeOperation {
     fn from(op: psa_raw_key_agreement::Operation) -> Self {
         NativeOperation::PsaRawKeyAgreement(op)
     }
 }
+
 impl From<psa_sign_message::Operation> for NativeOperation {
     fn from(op: psa_sign_message::Operation) -> Self {
         NativeOperation::PsaSignMessage(op)
     }
 }
+
 impl From<psa_verify_message::Operation> for NativeOperation {
     fn from(op: psa_verify_message::Operation) -> Self {
         NativeOperation::PsaVerifyMessage(op)
     }
 }
 
+impl From<attest_key::Operation> for NativeOperation {
+    fn from(op: attest_key::Operation) -> Self {
+        NativeOperation::AttestKey(op)
+    }
+}
+impl From<prepare_key_attestation::Operation> for NativeOperation {
+    fn from(op: prepare_key_attestation::Operation) -> Self {
+        NativeOperation::PrepareKeyAttestation(op)
+    }
+}
+
 impl From<list_providers::Result> for NativeResult {
     fn from(op: list_providers::Result) -> Self {
         NativeResult::ListProviders(op)
@@ -526,3 +554,15 @@ impl From<psa_verify_message::Result> for NativeResult {
         NativeResult::PsaVerifyMessage(op)
     }
 }
+
+impl From<attest_key::Result> for NativeResult {
+    fn from(op: attest_key::Result) -> Self {
+        NativeResult::AttestKey(op)
+    }
+}
+
+impl From<prepare_key_attestation::Result> for NativeResult {
+    fn from(op: prepare_key_attestation::Result) -> Self {
+        NativeResult::PrepareKeyAttestation(op)
+    }
+}

src/operations/mod.rs

@@ -0,0 +1,39 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! # PrepareKeyAttestation operation
+//!
+//! Produce any parameters required for the AttestKey operation
+use derivative::Derivative;
+use zeroize::Zeroizing;
+
+/// Native operation for retrieving key attestation parameters
+#[derive(Debug)]
+#[non_exhaustive]
+pub enum Operation {
+    /// Get parameters for TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// Name of key to be attested
+        attested_key_name: String,
+        /// Name of key to be used for attesting
+        attesting_key_name: Option<String>,
+    },
+}
+
+/// Native result of retrieving key attestation parameters
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Result {
+    /// Parameters for TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// TPM name of key to be attested
+        #[derivative(Debug = "ignore")]
+        name: Zeroizing<Vec<u8>>,
+        /// TPM public key parameters of object to be attested
+        #[derivative(Debug = "ignore")]
+        public: Zeroizing<Vec<u8>>,
+        /// Public part of attesting key
+        #[derivative(Debug = "ignore")]
+        attesting_key_pub: Zeroizing<Vec<u8>>,
+    },
+}