Add a TPM provider

This provider uses the tss-esapi crate to interface with a TSS 2.0
Enhanced System library.
Adds new configuration entries to select the TPM provider and which
TCTI device to use.
The TPM provider currently only supports RSA key, signing and verifying
operations.

Co-authored-by: Ionut Mihalcea <[email protected]>
Signed-off-by: Hugues de Valon <[email protected]>

Author: hug-dev

Cargo.lock

@@ -11,7 +11,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs", tag = "0.3.0" }
+parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs", tag = "0.4.0" }
 rand = "0.7.2"
 base64 = "0.10.1"
 uuid = "0.7.4"
@@ -26,12 +26,12 @@ log = { version = "0.4.8", features = ["serde"] }
 pkcs11 = { version = "0.4.0", optional = true }
 # Using a fork of the serde_asn1_der crate to have big integer support. Check https://github.com/KizzyCode/serde_asn1_der/issues/1
 serde_asn1_der = { git = "https://github.com/Devolutions/serde_asn1_der", rev = "ec1035879034ac9f09f1242fb49ed04c9aecdcae", optional = true, features = ["extra_types"] }
-der-parser = "3.0.2"
-nom = "5.0.1"
 num-bigint-dig = "0.5"
+tss-esapi = { git = "https://github.com/parallaxsecond/rust-tss-esapi", tag = "0.4.0", optional = true }
+bincode = "1.1.4"
 
 [dev-dependencies]
-parsec-client-test = { git = "https://github.com/parallaxsecond/parsec-client-test", tag = "0.1.7" }
+parsec-client-test = { git = "https://github.com/parallaxsecond/parsec-client-test", tag = "0.1.8" }
 num_cpus = "1.10.1"
 
 [build-dependencies]
@@ -47,3 +47,4 @@ mbed-crypto-version = "mbedcrypto-2.0.0"
 default = ["mbed-crypto-provider", "pkcs11-provider"]
 mbed-crypto-provider = []
 pkcs11-provider = ["pkcs11", "serde_asn1_der"]
+tpm-provider = ["tss-esapi", "serde_asn1_der"]

Cargo.toml

@@ -99,6 +99,7 @@ This project uses the following third party crates:
 * pkcs11 (Apache-2.0)
 * a fork of serde\_asn1\_der at `https://github.com/Devolutions/serde_asn1_der` (BSD-3-Clause and MIT)
 * num-bigint-dig (MIT and Apache-2.0)
+* bincode (MIT)
 
 This project uses the following third party libraries:
 * [Mbed Crypto](https://github.com/ARMmbed/mbed-crypto) (Apache-2.0)

README.md

@@ -59,3 +59,13 @@ key_id_manager = "on-disk-manager"
 # (Optional) User pin for authentication with the specific slot. If not set, no authentication will
 # be used.
 #user_pin = "123456"
+
+# Example of a TPM provider configuration
+#[[provider]]
+#provider_type = "TpmProvider"
+#key_id_manager = "on-disk-manager"
+# (Required) TPM TCTI device to use with this provider. Options are:
+# - "device": uses the TPM device on /dev/tpm0
+# - "mssim": uses the simulation TPM with the socket
+# - "tabrmd": uses the TPM2 Access Broker & Resource Management Daemon
+#tcti = "mssim"

config.toml

@@ -23,17 +23,22 @@ pub mod pkcs11_provider;
 #[cfg(feature = "mbed-crypto-provider")]
 pub mod mbed_provider;
 
+#[cfg(feature = "tpm-provider")]
+pub mod tpm_provider;
+
 #[derive(Deserialize, Debug)]
 pub enum ProviderType {
     MbedProvider,
     Pkcs11Provider,
+    TpmProvider,
 }
 
 impl ProviderType {
     pub fn to_provider_id(&self) -> ProviderID {
         match self {
             ProviderType::MbedProvider => ProviderID::MbedProvider,
             ProviderType::Pkcs11Provider => ProviderID::Pkcs11Provider,
+            ProviderType::TpmProvider => ProviderID::TpmProvider,
         }
     }
 }
@@ -45,6 +50,7 @@ pub struct ProviderConfig {
     pub library_path: Option<String>,
     pub slot_number: Option<usize>,
     pub user_pin: Option<String>,
+    pub tcti: Option<String>,
 }
 
 use crate::authenticators::ApplicationName;