Merge pull request #241 from ionut-arm/soft-pkcs11

ionut-arm · web-flow · commit 54cc1978bb08 · 2020-09-07T14:33:23.000+01:00
Allow software operations in PKCS11 provider
diff --git a/Cargo.toml b/Cargo.toml
@@ -66,7 +66,7 @@ features = ["docs"]
 default = []
 no-parsec-user-and-clients-group = []
 mbed-crypto-provider = ["psa-crypto"]
-pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"]
+pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "psa-crypto"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"]
 all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider"]
 docs = ["pkcs11-provider", "tpm-provider", "tss-esapi/docs", "mbed-crypto-provider"]
diff --git a/ci.sh b/ci.sh
@@ -137,7 +137,7 @@ pgrep -f target/debug/parsec >/dev/null
 if [ "$PROVIDER_NAME" = "all" ]; then
     echo "Execute all-providers tests"
     RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml all_providers
-    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml config
+    RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml config -- --test-threads=1
 else
     # Per provider tests
     echo "Execute normal tests"
diff --git a/config.toml b/config.toml
@@ -80,6 +80,9 @@ key_info_manager = "on-disk-manager"
 # (Optional) User pin for authentication with the specific slot. If not set, no authentication will
 # be used.
 #user_pin = "123456"
+# (Optional) Control whether missing public key operation (such as verifying signatures or asymmetric
+# encryption) are fully performed in software. 
+#software_public_operations = false
 
 # Example of a TPM provider configuration
 #[[provider]]
diff --git a/e2e_tests/provider_cfg/pkcs11/Dockerfile b/e2e_tests/provider_cfg/pkcs11/Dockerfile
@@ -2,7 +2,12 @@ FROM ubuntu:18.04
 
 RUN apt-get update && \
 	apt-get install -y wget automake autoconf libtool pkg-config && \
-    apt-get install -y curl libssl-dev libgcc1
+    apt-get install -y curl libssl-dev libgcc1 && \
+	apt-get install -y git make gcc python3 python curl wget libgcc1 cmake && \
+	# These libraries are needed for bindgen as it uses libclang.so
+	apt-get install -y clang libclang-dev && \
+	# Needed for Open SSL
+	apt-get install -y pkg-config libssl-dev
 
 WORKDIR /tmp
 RUN wget https://github.com/opendnssec/SoftHSMv2/archive/2.5.0.tar.gz
diff --git a/e2e_tests/provider_cfg/pkcs11/config.toml b/e2e_tests/provider_cfg/pkcs11/config.toml
@@ -22,5 +22,6 @@ provider_type = "Pkcs11"
 key_info_manager = "on-disk-manager"
 library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
 user_pin = "123456"
+software_public_operations = false
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number
diff --git a/e2e_tests/tests/config/mod.rs b/e2e_tests/tests/config/mod.rs
@@ -74,3 +74,56 @@ fn list_providers() {
         ]
     );
 }
+
+#[cfg(feature = "pkcs11-provider")]
+#[test]
+fn pkcs11_verify_software() {
+    use sha2::{Digest, Sha256};
+    set_config("pkcs11_software.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = String::from("pkcs11_verify_software");
+
+    let mut hasher = Sha256::new();
+    hasher.update(b"Bob wrote this message.");
+    let hash = hasher.finalize().to_vec();
+
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    let signature = client
+        .sign_with_rsa_sha256(key_name.clone(), hash.clone())
+        .unwrap();
+    client
+        .verify_with_rsa_sha256(key_name, hash, signature)
+        .unwrap();
+}
+
+#[cfg(feature = "pkcs11-provider")]
+#[test]
+fn pkcs11_encrypt_software() {
+    set_config("pkcs11_software.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = String::from("pkcs11_verify_software");
+    let plaintext_msg = [
+        0x69, 0x3E, 0xDB, 0x1B, 0x22, 0x79, 0x03, 0xF4, 0xC0, 0xBF, 0xD6, 0x91, 0x76, 0x37, 0x84,
+        0xA2, 0x94, 0x8E, 0x92, 0x50, 0x35, 0xC2, 0x8C, 0x5C, 0x3C, 0xCA, 0xFE, 0x18, 0xE8, 0x81,
+        0x37, 0x78,
+    ];
+    client
+        .generate_rsa_encryption_keys_rsaoaep_sha1(key_name.clone())
+        .unwrap();
+    let ciphertext = client
+        .asymmetric_encrypt_message_with_rsaoaep_sha1(
+            key_name.clone(),
+            plaintext_msg.to_vec(),
+            vec![],
+        )
+        .unwrap();
+    let plaintext = client
+        .asymmetric_decrypt_message_with_rsaoaep_sha1(key_name, ciphertext, vec![])
+        .unwrap();
+    assert_eq!(&plaintext_msg[..], &plaintext[..]);
+}
diff --git a/e2e_tests/tests/config/tomls/pkcs11_software.toml b/e2e_tests/tests/config/tomls/pkcs11_software.toml
@@ -0,0 +1,27 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+
+[[provider]]
+provider_type = "Pkcs11"
+key_info_manager = "on-disk-manager"
+library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
+user_pin = "123456"
+software_public_operations = true
+# The slot_number mandatory field is going to replace the following line with a valid number
+# slot_number
diff --git a/e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs b/e2e_tests/tests/per_provider/normal_tests/asym_encryption.rs
@@ -85,10 +85,6 @@ fn simple_asym_encrypt_rsa_oaep_pkcs11() {
     let key_name = String::from("simple_asym_encrypt_rsa_oaep_pkcs11");
     let mut client = TestClient::new();
 
-    if !client.is_operation_supported(Opcode::PsaAsymmetricEncrypt) {
-        return;
-    }
-
     client
         .generate_rsa_encryption_keys_rsaoaep_sha1(key_name.clone())
         .unwrap();
diff --git a/src/providers/mod.rs b/src/providers/mod.rs
@@ -47,6 +47,8 @@ pub enum ProviderConfig {
         slot_number: usize,
         /// User Pin
         user_pin: Option<String>,
+        /// Control whether public key operations are performed in software
+        software_public_operations: Option<bool>,
     },
     /// TPM provider configuration
     Tpm {
diff --git a/src/providers/pkcs11_provider/asym_encryption.rs b/src/providers/pkcs11_provider/asym_encryption.rs
@@ -7,7 +7,7 @@ use crate::key_info_managers::KeyTriple;
 use log::{info, trace};
 use parsec_interface::operations::psa_algorithm::Algorithm;
 use parsec_interface::operations::{psa_asymmetric_decrypt, psa_asymmetric_encrypt};
-use parsec_interface::requests::{ProviderID, Result};
+use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
 use std::convert::TryFrom;
 use utils::CkMechanism;
 
@@ -108,4 +108,45 @@ impl Pkcs11Provider {
             }
         }
     }
+
+    pub(super) fn software_psa_asymmetric_encrypt_internal(
+        &self,
+        app_name: ApplicationName,
+        op: psa_asymmetric_encrypt::Operation,
+    ) -> Result<psa_asymmetric_encrypt::Result> {
+        let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
+        let (_, key_attributes) = self.get_key_info(&key_triple)?;
+
+        op.validate(key_attributes)?;
+
+        let alg = op.alg;
+        let salt_buff = op.salt.as_ref().map(|salt| salt.as_slice());
+        let buffer_size = key_attributes.asymmetric_encrypt_output_size(alg)?;
+        let mut ciphertext = vec![0u8; buffer_size];
+        let pub_key_id = self.move_pub_key_to_psa_crypto(&key_triple)?;
+
+        info!("Encrypting plaintext with PSA Crypto");
+        let res = match psa_crypto::operations::asym_encryption::encrypt(
+            pub_key_id,
+            alg,
+            &op.plaintext,
+            salt_buff,
+            &mut ciphertext,
+        ) {
+            Ok(output_size) => {
+                ciphertext.resize(output_size, 0);
+                Ok(psa_asymmetric_encrypt::Result {
+                    ciphertext: ciphertext.into(),
+                })
+            }
+            Err(error) => {
+                let error = ResponseStatus::from(error);
+                format_error!("Asymmetric encryption failed", error);
+                Err(error)
+            }
+        };
+
+        let _ = self.remove_psa_crypto_pub_key(pub_key_id);
+        res
+    }
 }
diff --git a/src/providers/pkcs11_provider/asym_sign.rs b/src/providers/pkcs11_provider/asym_sign.rs
@@ -7,7 +7,7 @@ use crate::key_info_managers::KeyTriple;
 use log::{info, trace};
 use parsec_interface::operations::psa_algorithm::Algorithm;
 use parsec_interface::operations::{psa_sign_hash, psa_verify_hash};
-use parsec_interface::requests::{ProviderID, Result};
+use parsec_interface::requests::{ProviderID, ResponseStatus, Result};
 use std::convert::TryFrom;
 use utils::CkMechanism;
 
@@ -104,4 +104,35 @@ impl Pkcs11Provider {
             }
         }
     }
+
+    pub(super) fn software_psa_verify_hash_internal(
+        &self,
+        app_name: ApplicationName,
+        op: psa_verify_hash::Operation,
+    ) -> Result<psa_verify_hash::Result> {
+        let key_triple = KeyTriple::new(app_name, ProviderID::Pkcs11, op.key_name.clone());
+        let (_, key_attributes) = self.get_key_info(&key_triple)?;
+
+        op.validate(key_attributes)?;
+
+        let pub_key_id = self.move_pub_key_to_psa_crypto(&key_triple)?;
+
+        info!("Verifying signature with PSA Crypto");
+        let res = match psa_crypto::operations::asym_signature::verify_hash(
+            pub_key_id,
+            op.alg,
+            &op.hash,
+            &op.signature,
+        ) {
+            Ok(()) => Ok(psa_verify_hash::Result {}),
+            Err(error) => {
+                let error = ResponseStatus::from(error);
+                format_error!("Verify hash failed", error);
+                Err(error)
+            }
+        };
+
+        let _ = self.remove_psa_crypto_pub_key(pub_key_id);
+        res
+    }
 }
diff --git a/src/providers/pkcs11_provider/key_management.rs b/src/providers/pkcs11_provider/key_management.rs
@@ -4,7 +4,7 @@ use super::{utils, KeyPairType, Pkcs11Provider, ReadWriteSession, Session};
 use crate::authenticators::ApplicationName;
 use crate::key_info_managers::KeyTriple;
 use log::{error, info, trace};
-use parsec_interface::operations::psa_key_attributes::Type;
+use parsec_interface::operations::psa_key_attributes::{Id, Lifetime, Type};
 use parsec_interface::operations::{
     psa_destroy_key, psa_export_public_key, psa_generate_key, psa_import_key,
 };
@@ -62,6 +62,42 @@ impl Pkcs11Provider {
             }
         }
     }
+
+    pub(super) fn move_pub_key_to_psa_crypto(&self, key_triple: &KeyTriple) -> Result<Id> {
+        info!("Attempting to export public key");
+        let export_operation = psa_export_public_key::Operation {
+            key_name: key_triple.key_name().to_owned(),
+        };
+        let psa_export_public_key::Result { data } =
+            self.psa_export_public_key_internal(key_triple.app_name().clone(), export_operation)?;
+
+        info!("Importing public key into PSA Crypto");
+        let (_, mut attributes) = self.get_key_info(key_triple)?;
+        attributes.lifetime = Lifetime::Volatile;
+        attributes.key_type = match attributes.key_type {
+            Type::RsaKeyPair | Type::RsaPublicKey => Type::RsaPublicKey,
+            Type::EccKeyPair { curve_family } | Type::EccPublicKey { curve_family } => {
+                Type::EccPublicKey { curve_family }
+            }
+            Type::DhKeyPair { group_family } | Type::DhPublicKey { group_family } => {
+                Type::DhPublicKey { group_family }
+            }
+            _ => return Err(ResponseStatus::PsaErrorInvalidArgument),
+        };
+        let id = psa_crypto::operations::key_management::import(attributes, None, &data)?;
+
+        Ok(id)
+    }
+
+    pub(super) fn remove_psa_crypto_pub_key(&self, pub_key_id: Id) -> Result<()> {
+        info!("Removing public key stored in PSA.");
+        unsafe { psa_crypto::operations::key_management::destroy(pub_key_id) }.map_err(|e| {
+            error!("Failed to remove public key from PSA Crypto.");
+            e
+        })?;
+        Ok(())
+    }
+
     pub(super) fn psa_generate_key_internal(
         &self,
         app_name: ApplicationName,
diff --git a/src/providers/pkcs11_provider/mod.rs b/src/providers/pkcs11_provider/mod.rs
diff --git a/src/utils/service_builder.rs b/src/utils/service_builder.rs
