tss-esapi: move public keys to rustcrypto ecosystem

baloo · baloo · commit 03f955e6d3e3 · 2024-08-03T11:34:57.000-07:00
Signed-off-by: Arthur Gautier &lt;arthur.gautier@arista.com&gt;
diff --git a/tss-esapi/Cargo.toml b/tss-esapi/Cargo.toml
@@ -27,9 +27,15 @@ hostname-validator = "1.1.0"
 regex = "1.3.9"
 zeroize = { version = "1.5.7", features = ["zeroize_derive"] }
 tss-esapi-sys = { path = "../tss-esapi-sys", version = "0.5.0" }
-oid = { version = "0.2.1", optional = true }
-picky-asn1 = { version = "0.8.0", optional = true }
-picky-asn1-x509 = { version = "0.12.0", optional = true }
+x509-cert = { version = "0.2.0", optional = true }
+elliptic-curve = { version = "0.13.8", optional = true, features = ["alloc", "pkcs8"] }
+p192 = { version = "0.13.0", optional = true }
+p224 = { version = "0.13.2", optional = true }
+p256 = { version = "0.13.2", optional = true }
+p384 = { version = "0.13.0", optional = true }
+p521 = { version = "0.13.3", optional = true }
+sm2 = { version = "0.13.3", optional = true }
+rsa = { version = "0.9", optional = true }
 cfg-if = "1.0.0"
 strum = { version = "0.25.0", optional = true }
 strum_macros = { version = "0.25.0", optional = true }
@@ -47,5 +53,5 @@ semver = "1.0.7"
 [features]
 default = ["abstraction"]
 generate-bindings = ["tss-esapi-sys/generate-bindings"]
-abstraction = ["oid", "picky-asn1", "picky-asn1-x509"]
+abstraction = ["elliptic-curve", "rsa", "x509-cert", "p192", "p224", "p256", "p384", "p521", "sm2"]
 integration-tests = ["strum", "strum_macros"]
diff --git a/tss-esapi/src/abstraction/public.rs b/tss-esapi/src/abstraction/public.rs
@@ -6,123 +6,176 @@ use crate::structures::{Public, RsaExponent};
 use crate::{Error, WrapperErrorKind};
 
 use core::convert::TryFrom;
-use oid::ObjectIdentifier;
-use picky_asn1::bit_string::BitString;
-use picky_asn1::wrapper::{IntegerAsn1, OctetStringAsn1};
-use picky_asn1_x509::{
-    AlgorithmIdentifier, EcParameters, EcPoint, PublicKey, RsaPublicKey, SubjectPublicKeyInfo,
+use elliptic_curve::{
+    // See TODO below, you're upgrading from 0.13 to 0.14 and
+    // that moved the implementation from generic-array to
+    // hybrid-array, you can now use TryFrom
+    generic_array::typenum::Unsigned,
+    sec1::{EncodedPoint, FromEncodedPoint, ModulusSize, ToEncodedPoint},
+    AffinePoint,
+    CurveArithmetic,
+    FieldBytesSize,
+    PublicKey,
 };
+use rsa::{pkcs8::EncodePublicKey, BigUint, RsaPublicKey};
+use x509_cert::spki::SubjectPublicKeyInfoOwned;
 
-/// Can be converted from [`crate::structures::Public`] when not a fully constructed
-/// [`picky_asn1_x509::SubjectPublicKeyInfo`] is required.
-///
-/// # Details
-/// Holds either [`picky_asn1_x509::RsaPublicKey`] for [`crate::structures::Public::Rsa`] or
-/// [`picky_asn1_x509::EcPoint`] for [`crate::structures::Public::Ecc`].
-///
-/// This object can be serialized and deserialized
-/// using serde if the `serde` feature is enabled.
-#[derive(Debug, PartialEq, Eq, Clone)]
-#[cfg_attr(feature = "serde", derive(serde::Deserialize, serde::Serialize))]
-pub enum DecodedKey {
-    RsaPublicKey(RsaPublicKey),
-    EcPoint(EcPoint),
+impl<C> TryFrom<&Public> for PublicKey<C>
+where
+    C: CurveArithmetic + AssociatedTpmCurve,
+    FieldBytesSize<C>: ModulusSize,
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+{
+    type Error = Error;
+
+    fn try_from(value: &Public) -> Result<Self, Self::Error> {
+        match value {
+            Public::Ecc {
+                parameters, unique, ..
+            } => {
+                if parameters.ecc_curve() != C::TPM_CURVE {
+                    return Err(Error::local_error(WrapperErrorKind::InvalidParam));
+                }
+
+                let x = unique.x().as_bytes();
+                let y = unique.y().as_bytes();
+
+                // TODO: When elliptic_curve bumps to 0.14, we can use the TryFrom implementation instead
+                // of checking lengths manually
+                if x.len() != FieldBytesSize::<C>::USIZE {
+                    return Err(Error::local_error(WrapperErrorKind::InvalidParam));
+                }
+                if y.len() != FieldBytesSize::<C>::USIZE {
+                    return Err(Error::local_error(WrapperErrorKind::InvalidParam));
+                }
+
+                let encoded_point =
+                    EncodedPoint::<C>::from_affine_coordinates(x.into(), y.into(), false);
+                let public_key = PublicKey::<C>::try_from(&encoded_point)
+                    .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
+
+                Ok(public_key)
+            }
+            _ => Err(Error::local_error(WrapperErrorKind::UnsupportedParam)),
+        }
+    }
 }
 
-impl TryFrom<Public> for DecodedKey {
+impl TryFrom<&Public> for RsaPublicKey {
     type Error = Error;
 
-    fn try_from(value: Public) -> Result<Self, Self::Error> {
-        public_to_decoded_key(&value)
+    fn try_from(value: &Public) -> Result<Self, Self::Error> {
+        match value {
+            Public::Rsa {
+                unique, parameters, ..
+            } => {
+                let exponent = match parameters.exponent() {
+                    RsaExponent::ZERO_EXPONENT => BigUint::from(65537u32),
+                    _ => BigUint::from(parameters.exponent().value()),
+                };
+                let modulus = BigUint::from_bytes_be(unique.as_bytes());
+
+                let public_key = RsaPublicKey::new(modulus, exponent)
+                    .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
+
+                Ok(public_key)
+            }
+            _ => Err(Error::local_error(WrapperErrorKind::UnsupportedParam)),
+        }
     }
 }
 
-impl TryFrom<Public> for SubjectPublicKeyInfo {
+impl TryFrom<&Public> for SubjectPublicKeyInfoOwned {
     type Error = Error;
 
-    /// Converts [`crate::structures::Public::Rsa`] and [`crate::structures::Public::Ecc`] to [`picky_asn1_x509::SubjectPublicKeyInfo`].
+    /// Converts [`crate::structures::Public::Rsa`] and [`crate::structures::Public::Ecc`] to [`x509_cert::spki::SubjectPublicKeyInfoOwned`].
     ///
     /// # Details
-    /// The result can be used to convert TPM public keys to DER using `picky_asn1_der`.
+    /// The result can be used to convert TPM public keys to DER using `x509-cert`.
     ///
     /// # Errors
     /// * if other instances of [`crate::structures::Public`] are used `UnsupportedParam` will be returned.
-    fn try_from(value: Public) -> Result<Self, Self::Error> {
-        let decoded_key = public_to_decoded_key(&value)?;
-
-        match (value, decoded_key) {
-            (Public::Rsa { .. }, DecodedKey::RsaPublicKey(key)) => Ok(SubjectPublicKeyInfo {
-                algorithm: AlgorithmIdentifier::new_rsa_encryption(),
-                subject_public_key: PublicKey::Rsa(key.into()),
-            }),
-            (Public::Ecc { parameters, .. }, DecodedKey::EcPoint(point)) => {
-                Ok(SubjectPublicKeyInfo {
-                    algorithm: AlgorithmIdentifier::new_elliptic_curve(EcParameters::NamedCurve(
-                        curve_oid(parameters.ecc_curve())?.into(),
-                    )),
-                    subject_public_key: PublicKey::Ec(BitString::with_bytes(point).into()),
-                })
+    fn try_from(value: &Public) -> Result<Self, Self::Error> {
+        match value {
+            Public::Rsa { .. } => {
+                let public_key = RsaPublicKey::try_from(value)?;
+
+                Ok(public_key
+                    .to_public_key_der()
+                    .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?
+                    .decode_msg::<Self>()
+                    .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?)
+            }
+            #[allow(unused)]
+            Public::Ecc { parameters, .. } => {
+                macro_rules! read_key {
+                    ($curve:expr, $key_type:ty) => {
+                        if parameters.ecc_curve() == <$key_type>::TPM_CURVE {
+                            let public_key = PublicKey::<$key_type>::try_from(value)?;
+
+                            return Ok(public_key
+                                .to_public_key_der()
+                                .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?
+                                .decode_msg::<Self>()
+                                .map_err(|_| {
+                                    Error::local_error(WrapperErrorKind::InvalidParam)
+                                })?);
+                        }
+                    };
+                }
+
+                #[cfg(feature = "p192")]
+                read_key!(EccCurve::NistP192, p192::NistP192);
+                #[cfg(feature = "p224")]
+                read_key!(EccCurve::NistP224, p224::NistP224);
+                #[cfg(feature = "p256")]
+                read_key!(EccCurve::NistP256, p256::NistP256);
+                #[cfg(feature = "p384")]
+                read_key!(EccCurve::NistP384, p384::NistP384);
+                #[cfg(feature = "p521")]
+                read_key!(EccCurve::NistP521, p521::NistP521);
+                #[cfg(feature = "sm2")]
+                read_key!(EccCurve::Sm2P256, sm2::Sm2);
+
+                Err(Error::local_error(WrapperErrorKind::UnsupportedParam))
             }
             _ => Err(Error::local_error(WrapperErrorKind::UnsupportedParam)),
         }
     }
 }
 
-/// Converts [`crate::structures::Public::Rsa`] and [`crate::structures::Public::Ecc`] to [DecodedKey].
-///
-/// # Details
-/// Does basic key conversion to either RSA or ECC. In RSA conversion the TPM zero exponent is replaced with `65537`.
-///
-/// # Errors
-/// * if other instances of [`crate::structures::Public`] are used `UnsupportedParam` will be returned.
-fn public_to_decoded_key(public: &Public) -> Result<DecodedKey, Error> {
-    match public {
-        Public::Rsa {
-            unique, parameters, ..
-        } => {
-            let exponent = match parameters.exponent() {
-                RsaExponent::ZERO_EXPONENT => 65537,
-                _ => parameters.exponent().value(),
-            }
-            .to_be_bytes();
-            Ok(DecodedKey::RsaPublicKey(RsaPublicKey {
-                modulus: IntegerAsn1::from_bytes_be_unsigned(unique.as_bytes().to_vec()),
-                public_exponent: IntegerAsn1::from_bytes_be_signed(exponent.to_vec()),
-            }))
-        }
-        Public::Ecc { unique, .. } => {
-            let x = unique.x().as_bytes().to_vec();
-            let y = unique.y().as_bytes().to_vec();
-            Ok(DecodedKey::EcPoint(OctetStringAsn1(
-                elliptic_curve_point_to_octet_string(x, y),
-            )))
-        }
+/// Provides the value of the curve used in this crate for the specific curve.
+pub trait AssociatedTpmCurve {
+    /// Value of the curve when interacting with the TPM.
+    const TPM_CURVE: EccCurve;
+}
 
-        _ => Err(Error::local_error(WrapperErrorKind::UnsupportedParam)),
-    }
+#[cfg(feature = "p192")]
+impl AssociatedTpmCurve for p192::NistP192 {
+    const TPM_CURVE: EccCurve = EccCurve::NistP192;
 }
 
-// Taken from https://github.com/parallaxsecond/parsec/blob/561235f3cc37bcff3d9a6cb29c84eeae5d55100b/src/providers/tpm/utils.rs#L319
-// Points on elliptic curves are represented as defined in section 2.3.3 of https://www.secg.org/sec1-v2.pdf
-// The (uncompressed) representation is [ 0x04 || x || y ] where x and y are the coordinates of the point
-fn elliptic_curve_point_to_octet_string(mut x: Vec<u8>, mut y: Vec<u8>) -> Vec<u8> {
-    let mut octet_string = vec![0x04];
-    octet_string.append(&mut x);
-    octet_string.append(&mut y);
-    octet_string
+#[cfg(feature = "p224")]
+impl AssociatedTpmCurve for p224::NistP224 {
+    const TPM_CURVE: EccCurve = EccCurve::NistP224;
 }
 
-// Map TPM supported ECC curves to their respective OIDs
-fn curve_oid(ecc_curve: EccCurve) -> Result<ObjectIdentifier, Error> {
-    match ecc_curve {
-        EccCurve::NistP192 => Ok(picky_asn1_x509::oids::secp192r1()),
-        EccCurve::NistP224 => Ok(picky_asn1_x509::oids::secp256r1()),
-        EccCurve::NistP256 => Ok(picky_asn1_x509::oids::secp256r1()),
-        EccCurve::NistP384 => Ok(picky_asn1_x509::oids::secp384r1()),
-        EccCurve::NistP521 => Ok(picky_asn1_x509::oids::secp521r1()),
-        //  Barreto-Naehrig curves seem to not have any OIDs
-        EccCurve::BnP256 => Err(Error::local_error(WrapperErrorKind::UnsupportedParam)),
-        EccCurve::BnP638 => Err(Error::local_error(WrapperErrorKind::UnsupportedParam)),
-        EccCurve::Sm2P256 => Ok(ObjectIdentifier::try_from("1.2.156.10197.1.301").unwrap()),
-    }
+#[cfg(feature = "p256")]
+impl AssociatedTpmCurve for p256::NistP256 {
+    const TPM_CURVE: EccCurve = EccCurve::NistP256;
+}
+
+#[cfg(feature = "p384")]
+impl AssociatedTpmCurve for p384::NistP384 {
+    const TPM_CURVE: EccCurve = EccCurve::NistP384;
+}
+
+#[cfg(feature = "p521")]
+impl AssociatedTpmCurve for p521::NistP521 {
+    const TPM_CURVE: EccCurve = EccCurve::NistP521;
+}
+
+#[cfg(feature = "sm2")]
+impl AssociatedTpmCurve for sm2::Sm2 {
+    const TPM_CURVE: EccCurve = EccCurve::Sm2P256;
 }
diff --git a/tss-esapi/tests/integration_tests/abstraction_tests/public_tests.rs b/tss-esapi/tests/integration_tests/abstraction_tests/public_tests.rs
