Merge pull request #482 from ionut-arm/ts-prov-all

Add TS provider to all-providers

Author: ionut-arm

Cargo.toml

@@ -67,7 +67,7 @@ pkcs11-provider = ["cryptoki", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "hex"]
 cryptoauthlib-provider = ["rust-cryptoauthlib"]
 trusted-service-provider = ["psa-crypto", "bindgen", "prost-build", "prost"]
-all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider"]
+all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "trusted-service-provider"]
 
 # Authenticators
 direct-authenticator = []

ci.sh

@@ -175,9 +175,8 @@ if [ "$PROVIDER_NAME" = "pkcs11" ] || [ "$PROVIDER_NAME" = "all" ] || [ "$PROVID
     popd
 fi
 
-if [ "$PROVIDER_NAME" = "trusted-service" ] || [ "$PROVIDER_NAME" = "coverage" ]; then
-    git submodule update --init
-fi
+# Initialising any submodules. Currently used for building the Trusted Service provider
+git submodule update --init
 
 if [ "$PROVIDER_NAME" = "mbed-crypto" ]; then
     # With those variables defined, dynamic linking will be attempted to build the
@@ -276,9 +275,9 @@ if [ "$PROVIDER_NAME" = "cargo-check" ]; then
     RUST_BACKTRACE=1 cargo check --features="pkcs11-provider"
     RUST_BACKTRACE=1 cargo check --features="tpm-provider"
     RUST_BACKTRACE=1 cargo check --features="cryptoauthlib-provider"
-    # To be added when trusted-service is added to all-providers feature
-    #RUST_BACKTRACE=1 cargo check --features="trusted-service-provider"
+    RUST_BACKTRACE=1 cargo check --features="trusted-service-provider"
     RUST_BACKTRACE=1 cargo check --features="all-providers"
+
     RUST_BACKTRACE=1 cargo check --features="direct-authenticator"
     RUST_BACKTRACE=1 cargo check --features="unix-peer-credentials-authenticator"
     RUST_BACKTRACE=1 cargo check --features="jwt-svid-authenticator"

e2e_tests/Cargo.toml

@@ -33,4 +33,4 @@ tpm-provider = []
 pkcs11-provider = []
 cryptoauthlib-provider = []
 trusted-service-provider = []
-all-providers = ["pkcs11-provider","tpm-provider","mbed-crypto-provider","cryptoauthlib-provider"]
+all-providers = ["pkcs11-provider","tpm-provider","mbed-crypto-provider","cryptoauthlib-provider","trusted-service-provider"]

e2e_tests/tests/all_providers/config/mod.rs

@@ -250,3 +250,52 @@ fn allow_export() {
         ResponseStatus::PsaErrorNotPermitted
     );
 }
+
+#[test]
+fn ts_pkcs11_cross() {
+    use super::cross::{import_and_verify, import_and_verify_ecc, setup_sign, setup_sign_ecc};
+    use parsec_client::core::interface::requests::ProviderId;
+    set_config("ts_pkcs11_cross.toml");
+    reload_service();
+
+    let key_name = String::from("ts_pkcs11_sign_cross");
+    let (mut client, pub_key, signature) = setup_sign(ProviderId::TrustedService, key_name.clone());
+    import_and_verify(
+        &mut client,
+        ProviderId::Pkcs11,
+        key_name.clone(),
+        pub_key.clone(),
+        signature.clone(),
+    );
+
+    let key_name_ecc = String::from("ts_pkcs11_sign_cross_ecc");
+    let (mut client, pub_key, signature) =
+        setup_sign_ecc(ProviderId::TrustedService, key_name_ecc.clone());
+    import_and_verify_ecc(
+        &mut client,
+        ProviderId::Pkcs11,
+        key_name_ecc.clone(),
+        pub_key.clone(),
+        signature.clone(),
+    );
+
+    let key_name = String::from("pkcs11_ts_sign_cross");
+    let (mut client, pub_key, signature) = setup_sign(ProviderId::Pkcs11, key_name.clone());
+    import_and_verify(
+        &mut client,
+        ProviderId::TrustedService,
+        key_name.clone(),
+        pub_key.clone(),
+        signature.clone(),
+    );
+
+    let key_name_ecc = String::from("pkcs11_ts_sign_cross_ecc");
+    let (mut client, pub_key, signature) = setup_sign_ecc(ProviderId::Pkcs11, key_name_ecc.clone());
+    import_and_verify_ecc(
+        &mut client,
+        ProviderId::TrustedService,
+        key_name_ecc.clone(),
+        pub_key.clone(),
+        signature.clone(),
+    );
+}

e2e_tests/tests/all_providers/config/tomls/ts_pkcs11_cross.toml

@@ -0,0 +1,36 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "TrustedService"
+key_info_manager = "on-disk-manager"
+
+[[provider]]
+provider_type = "Pkcs11"
+key_info_manager = "on-disk-manager"
+library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
+user_pin = "123456"
+software_public_operations = true
+# The slot_number mandatory field is going to replace the following line with a valid number
+# slot_number

e2e_tests/tests/all_providers/cross.rs

@@ -13,7 +13,7 @@ const PLAINTEXT_MESSAGE: [u8; 32] = [
     0x94, 0x8E, 0x92, 0x50, 0x35, 0xC2, 0x8C, 0x5C, 0x3C, 0xCA, 0xFE, 0x18, 0xE8, 0x81, 0x37, 0x78,
 ];
 
-fn setup_sign(provider: ProviderId, key_name: String) -> (TestClient, Vec<u8>, Vec<u8>) {
+pub fn setup_sign(provider: ProviderId, key_name: String) -> (TestClient, Vec<u8>, Vec<u8>) {
     let mut client = TestClient::new();
     client.set_provider(provider);
     client.generate_rsa_sign_key(key_name.clone()).unwrap();
@@ -27,7 +27,7 @@ fn setup_sign(provider: ProviderId, key_name: String) -> (TestClient, Vec<u8>, V
     (client, pub_key, signature)
 }
 
-fn setup_sign_ecc(provider: ProviderId, key_name: String) -> (TestClient, Vec<u8>, Vec<u8>) {
+pub fn setup_sign_ecc(provider: ProviderId, key_name: String) -> (TestClient, Vec<u8>, Vec<u8>) {
     let mut client = TestClient::new();
     client.set_provider(provider);
     client
@@ -55,7 +55,7 @@ fn setup_asym_encr(provider: ProviderId, key_name: String) -> (TestClient, Vec<u
     (client, pub_key)
 }
 
-fn import_and_verify(
+pub fn import_and_verify(
     client: &mut TestClient,
     provider: ProviderId,
     key_name: String,
@@ -71,7 +71,7 @@ fn import_and_verify(
         .unwrap();
 }
 
-fn import_and_verify_ecc(
+pub fn import_and_verify_ecc(
     client: &mut TestClient,
     provider: ProviderId,
     key_name: String,