Merge pull request #193 from sbailey-arm/update-to-parsec-interface-0.17.0

Updated Parsec to use latest parsec-interface (0.17.0)

Author: hug-dev

Cargo.toml

@@ -18,7 +18,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = "0.16.0"
+parsec-interface = "0.17.0"
 rand = { version = "0.7.2", features = ["small_rng"] }
 base64 = "0.10.1"
 uuid = "0.7.4"
@@ -41,6 +41,7 @@ version = "3.0.0"
 hex = "0.4.2"
 picky = "5.0.0"
 psa-crypto = { version = "0.2.1" , default-features = false, features = ["with-mbed-crypto"], optional = true }
+zeroize = { version = "1.1.0", features = ["zeroize_derive"] }
 
 [dev-dependencies]
 ring = "0.16.12"

src/authenticators/direct_authenticator/mod.rs

@@ -13,18 +13,19 @@ use super::Authenticate;
 use log::error;
 use parsec_interface::requests::request::RequestAuth;
 use parsec_interface::requests::{ResponseStatus, Result};
+use parsec_interface::secrecy::ExposeSecret;
 use std::str;
 
 #[derive(Copy, Clone, Debug)]
 pub struct DirectAuthenticator;
 
 impl Authenticate for DirectAuthenticator {
     fn authenticate(&self, auth: &RequestAuth) -> Result<ApplicationName> {
-        if auth.is_empty() {
+        if auth.buffer.expose_secret().is_empty() {
             error!("The direct authenticator does not expect empty authentication values.");
             Err(ResponseStatus::AuthenticationError)
         } else {
-            match str::from_utf8(auth.bytes()) {
+            match str::from_utf8(auth.buffer.expose_secret()) {
                 Ok(str) => Ok(ApplicationName(String::from(str))),
                 Err(_) => {
                     error!("Error parsing the authentication value as a UTF-8 string.");
@@ -47,7 +48,7 @@ mod test {
         let authenticator = DirectAuthenticator {};
 
         let app_name = "app_name".to_string();
-        let req_auth = RequestAuth::from_bytes(app_name.clone().into_bytes());
+        let req_auth = RequestAuth::new(app_name.clone().into_bytes());
 
         let auth_name = authenticator
             .authenticate(&req_auth)
@@ -60,7 +61,7 @@ mod test {
     fn failed_authentication() {
         let authenticator = DirectAuthenticator {};
         let status = authenticator
-            .authenticate(&RequestAuth::from_bytes(vec![0xff; 5]))
+            .authenticate(&RequestAuth::new(vec![0xff; 5]))
             .expect_err("Authentication should have failed");
 
         assert_eq!(status, ResponseStatus::AuthenticationError);
@@ -70,7 +71,7 @@ mod test {
     fn empty_auth() {
         let authenticator = DirectAuthenticator {};
         let status = authenticator
-            .authenticate(&RequestAuth::from_bytes(Vec::new()))
+            .authenticate(&RequestAuth::new(Vec::new()))
             .expect_err("Empty auth should have failed");
 
         assert_eq!(status, ResponseStatus::AuthenticationError);

src/providers/mbed_provider/asym_sign.rs

@@ -36,7 +36,9 @@ impl MbedProvider {
         match asym_signature::sign_hash(id, alg, &hash, &mut signature) {
             Ok(size) => {
                 signature.resize(size, 0);
-                Ok(psa_sign_hash::Result { signature })
+                Ok(psa_sign_hash::Result {
+                    signature: signature.into(),
+                })
             }
             Err(error) => {
                 let error = ResponseStatus::from(error);

src/providers/mbed_provider/key_management.rs

@@ -11,6 +11,7 @@ use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
+use parsec_interface::secrecy::ExposeSecret;
 use psa_crypto::operations::key_management as psa_crypto_key_management;
 use psa_crypto::types::key;
 use std::sync::atomic::{AtomicU32, Ordering::Relaxed};
@@ -159,7 +160,11 @@ impl MbedProvider {
             .lock()
             .expect("Grabbing key handle mutex failed");
 
-        match psa_crypto_key_management::import(key_attributes, Some(key_id), &key_data[..]) {
+        match psa_crypto_key_management::import(
+            key_attributes,
+            Some(key_id),
+            key_data.expose_secret(),
+        ) {
             Ok(_) => Ok(psa_import_key::Result {}),
             Err(error) => {
                 remove_key_id(&key_triple, &mut *store_handle)?;
@@ -194,7 +199,9 @@ impl MbedProvider {
         let export_length = psa_crypto_key_management::export_public(id, &mut buffer)?;
 
         buffer.resize(export_length, 0);
-        Ok(psa_export_public_key::Result { data: buffer })
+        Ok(psa_export_public_key::Result {
+            data: buffer.into(),
+        })
     }
 
     pub(super) fn psa_destroy_key_internal(

src/providers/pkcs11_provider/asym_sign.rs

@@ -84,15 +84,17 @@ impl Pkcs11Provider {
                 info!("Signing operation initialized.");
                 let digest_info = DigestInfo {
                     oid: AlgorithmIdentifier::new_sha(SHAVariant::SHA2_256),
-                    digest: hash.into(),
+                    digest: hash.to_vec().into(),
                 };
                 let digest_info = picky_asn1_der::to_vec(&digest_info)
                     // should not fail - if it does, there's some error in our stack
                     .or(Err(ResponseStatus::PsaErrorGenericError))?;
 
                 trace!("Sign command");
                 match self.backend.sign(session.session_handle(), &digest_info) {
-                    Ok(signature) => Ok(psa_sign_hash::Result { signature }),
+                    Ok(signature) => Ok(psa_sign_hash::Result {
+                        signature: signature.into(),
+                    }),
                     Err(e) => {
                         format_error!("Failed to execute signing operation", e);
                         Err(utils::to_response_status(e))
@@ -175,7 +177,7 @@ impl Pkcs11Provider {
                 info!("Verify operation initialized.");
                 let digest_info = DigestInfo {
                     oid: AlgorithmIdentifier::new_sha(SHAVariant::SHA2_256),
-                    digest: hash.into(),
+                    digest: hash.to_vec().into(),
                 };
                 let digest_info = picky_asn1_der::to_vec(&digest_info)
                     // should not fail - if it does, there's some error in our stack

src/providers/pkcs11_provider/key_management.rs

@@ -13,6 +13,7 @@ use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
+use parsec_interface::secrecy::ExposeSecret;
 use picky_asn1::wrapper::IntegerAsn1;
 use pkcs11::types::{CKR_OK, CK_ATTRIBUTE, CK_MECHANISM, CK_OBJECT_HANDLE, CK_SESSION_HANDLE};
 use std::mem;
@@ -276,16 +277,17 @@ impl Pkcs11Provider {
 
         let mut template: Vec<CK_ATTRIBUTE> = Vec::new();
 
-        let public_key: RsaPublicKey = picky_asn1_der::from_bytes(&op.data).or_else(|e| {
-            format_error!("Failed to parse RsaPublicKey data", e);
-            remove_key_id(
-                &key_triple,
-                key_id,
-                &mut *store_handle,
-                &mut local_ids_handle,
-            )?;
-            Err(ResponseStatus::PsaErrorInvalidArgument)
-        })?;
+        let public_key: RsaPublicKey = picky_asn1_der::from_bytes(op.data.expose_secret())
+            .or_else(|e| {
+                format_error!("Failed to parse RsaPublicKey data", e);
+                remove_key_id(
+                    &key_triple,
+                    key_id,
+                    &mut *store_handle,
+                    &mut local_ids_handle,
+                )?;
+                Err(ResponseStatus::PsaErrorInvalidArgument)
+            })?;
 
         if public_key.modulus.is_negative() || public_key.public_exponent.is_negative() {
             error!("Only positive modulus and public exponent are supported.");
@@ -473,7 +475,7 @@ impl Pkcs11Provider {
                         format_error!("Could not serialise key elements", err);
                         Err(ResponseStatus::PsaErrorCommunicationFailure)
                     })?;
-                    Ok(psa_export_public_key::Result { data })
+                    Ok(psa_export_public_key::Result { data: data.into() })
                 }
             }
             Err(e) => {

src/providers/tpm_provider/asym_sign.rs

@@ -57,7 +57,7 @@ impl TpmProvider {
             })?;
 
         Ok(psa_sign_hash::Result {
-            signature: utils::signature_data_to_bytes(signature.signature, key_attributes)?,
+            signature: utils::signature_data_to_bytes(signature.signature, key_attributes)?.into(),
         })
     }
 

src/providers/tpm_provider/key_management.rs

@@ -13,6 +13,7 @@ use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
 use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
+use parsec_interface::secrecy::ExposeSecret;
 
 // Public exponent value for all RSA keys.
 const PUBLIC_EXPONENT: [u8; 3] = [0x01, 0x00, 0x01];
@@ -129,10 +130,11 @@ impl TpmProvider {
             .lock()
             .expect("ESAPI Context lock poisoned");
 
-        let public_key: RsaPublicKey = picky_asn1_der::from_bytes(&key_data).or_else(|err| {
-            format_error!("Could not deserialise key elements", err);
-            Err(ResponseStatus::PsaErrorInvalidArgument)
-        })?;
+        let public_key: RsaPublicKey = picky_asn1_der::from_bytes(key_data.expose_secret())
+            .or_else(|err| {
+                format_error!("Could not deserialise key elements", err);
+                Err(ResponseStatus::PsaErrorInvalidArgument)
+            })?;
 
         if public_key.modulus.is_negative() || public_key.public_exponent.is_negative() {
             error!("Only positive modulus and public exponent are supported.");
@@ -222,7 +224,7 @@ impl TpmProvider {
             })?;
 
         Ok(psa_export_public_key::Result {
-            data: utils::pub_key_to_bytes(pub_key_data, key_attributes)?,
+            data: utils::pub_key_to_bytes(pub_key_data, key_attributes)?.into(),
         })
     }
 

src/providers/tpm_provider/utils.rs

@@ -13,6 +13,7 @@ use tss_esapi::abstraction::transient::KeyParams;
 use tss_esapi::response_code::{Error, Tss2ResponseCodeKind};
 use tss_esapi::utils::algorithm_specifiers::{EllipticCurve, HashingAlgorithm};
 use tss_esapi::utils::{AsymSchemeUnion, PublicKey, Signature, SignatureData, TpmsContext};
+use zeroize::Zeroizing;
 const PUBLIC_EXPONENT: [u8; 3] = [0x01, 0x00, 0x01];
 
 /// Convert the TSS library specific error values to ResponseStatus values that are returned on
@@ -233,7 +234,7 @@ pub fn signature_data_to_bytes(data: SignatureData, key_attributes: Attributes)
 }
 
 pub fn parsec_to_tpm_signature(
-    data: Vec<u8>,
+    data: Zeroizing<Vec<u8>>,
     key_attributes: Attributes,
     signature_alg: AsymmetricSignature,
 ) -> Result<Signature> {
@@ -243,9 +244,12 @@ pub fn parsec_to_tpm_signature(
     })
 }
 
-fn bytes_to_signature_data(data: Vec<u8>, key_attributes: Attributes) -> Result<SignatureData> {
+fn bytes_to_signature_data(
+    data: Zeroizing<Vec<u8>>,
+    key_attributes: Attributes,
+) -> Result<SignatureData> {
     match key_attributes.key_type {
-        Type::RsaKeyPair | Type::RsaPublicKey => Ok(SignatureData::RsaSignature(data)),
+        Type::RsaKeyPair | Type::RsaPublicKey => Ok(SignatureData::RsaSignature(data.to_vec())),
         Type::EccKeyPair { .. } | Type::EccPublicKey { .. } => {
             // ECDSA signature data is represented the concatenation of the two result values, r and s,
             // in big endian format, as described here:
@@ -255,7 +259,7 @@ fn bytes_to_signature_data(data: Vec<u8>, key_attributes: Attributes) -> Result<
                 return Err(ResponseStatus::PsaErrorInvalidArgument);
             }
 
-            let mut r = data;
+            let mut r = data.to_vec();
             let s = r.split_off(p_size);
             Ok(SignatureData::EcdsaSignature { r, s })
         }

tests/providers/tpm.rs

@@ -116,15 +116,15 @@ fn verify_with_ring() {
                 alg: AsymmetricSignature::RsaPkcs1v15Sign {
                     hash_alg: Hash::Sha256.into(),
                 },
-                hash: HASH.clone(),
+                hash: HASH.clone().into(),
             },
         )
         .unwrap();
 
     let psa_export_public_key::Result { data } = TPM_PROVIDER
         .psa_export_public_key(app_name, psa_export_public_key::Operation { key_name })
         .unwrap();
-    let pk = UnparsedPublicKey::new(&signature::RSA_PKCS1_2048_8192_SHA256, data);
+    let pk = UnparsedPublicKey::new(&signature::RSA_PKCS1_2048_8192_SHA256, data.to_vec());
     pk.verify(&MESSAGE, &sign).unwrap();
 }
 
@@ -144,15 +144,15 @@ fn verify_ecc_with_ring() {
                 alg: AsymmetricSignature::Ecdsa {
                     hash_alg: Hash::Sha256.into(),
                 },
-                hash: HASH.clone(),
+                hash: HASH.clone().into(),
             },
         )
         .unwrap();
 
     let psa_export_public_key::Result { data } = TPM_PROVIDER
         .psa_export_public_key(app_name, psa_export_public_key::Operation { key_name })
         .unwrap();
-    let pk = UnparsedPublicKey::new(&signature::ECDSA_P256_SHA256_FIXED, data);
+    let pk = UnparsedPublicKey::new(&signature::ECDSA_P256_SHA256_FIXED, data.to_vec());
     pk.verify(&MESSAGE, &sign).unwrap();
 }
 
@@ -172,7 +172,7 @@ fn sign_verify_ecc() {
                 alg: AsymmetricSignature::Ecdsa {
                     hash_alg: Hash::Sha256.into(),
                 },
-                hash: HASH.clone(),
+                hash: HASH.clone().into(),
             },
         )
         .unwrap();
@@ -185,7 +185,7 @@ fn sign_verify_ecc() {
                 alg: AsymmetricSignature::Ecdsa {
                     hash_alg: Hash::Sha256.into(),
                 },
-                hash: HASH.clone(),
+                hash: HASH.clone().into(),
                 signature: sign,
             },
         )