Merge pull request #303 from RobertDrazkowskiGL/calib-integration

Add new parsec provider using ATECCx08 cryptochip via CryptoAuthentication Library

Cargo.toml

@@ -18,7 +18,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = "0.21.0"
+parsec-interface = "0.22.0"
 rand = { version = "0.7.3", features = ["small_rng"], optional = true }
 base64 = "0.12.3"
 uuid = "0.8.1"
@@ -38,7 +38,7 @@ structopt = "0.3.17"
 derivative = "2.1.1"
 version = "3.0.0"
 hex = { version = "0.4.2", optional = true }
-psa-crypto = { version = "0.6.0", default-features = false, features = ["operations"], optional = true }
+psa-crypto = { version = "0.6.1", default-features = false, features = ["operations"], optional = true }
 zeroize = { version = "1.1.0", features = ["zeroize_derive"] }
 picky-asn1-x509 = { version = "0.3.2", optional = true }
 users = "0.10.0"
@@ -51,11 +51,12 @@ spiffe = { git = "https://github.com/hug-dev/rust-spiffe", branch = "refactor-jw
 rand = { version = "0.7.3", features = ["small_rng"] }
 
 [package.metadata.docs.rs]
-features = ["pkcs11-provider", "tpm-provider", "tss-esapi/docs", "mbed-crypto-provider"]
+features = ["pkcs11-provider", "tpm-provider", "tss-esapi/docs", "mbed-crypto-provider", "cryptoauthlib-provider"]
 
 [features]
 default = []
 mbed-crypto-provider = ["psa-crypto"]
 pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "psa-crypto", "rand"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "hex"]
-all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider"]
+cryptoauthlib-provider = []
+all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider"]

config.toml

@@ -131,3 +131,10 @@ key_info_manager = "on-disk-manager"
 # e.g. "str:password", or to represent a string version of a hex value, e.g. "hex:1a2b3c". If no prefix is
 # provided, the value is considered to be a string.
 #owner_hierarchy_auth = "password"
+
+# Example of a CryptoAuthLib provider configuration
+# All below parameters depend on what devices, interfaces or parameters are required or supported by 
+# "rust-cryptoauthlib" wrapper for cryptoauthlib and underlying hardware.
+#[[provider]]
+#provider_type = "CryptoAuthLib"
+#key_info_manager = "on-disk-manager"

e2e_tests/Cargo.toml

@@ -33,4 +33,5 @@ sha2 = "0.9.1"
 mbed-crypto-provider = []
 tpm-provider = []
 pkcs11-provider = []
-all-providers = ["pkcs11-provider","tpm-provider","mbed-crypto-provider"]
+cryptoauthlib-provider = []
+all-providers = ["pkcs11-provider","tpm-provider","mbed-crypto-provider","cryptoauthlib-provider"]

e2e_tests/provider_cfg/all/config.toml

@@ -38,3 +38,7 @@ library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
 user_pin = "123456"
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number
+
+[[provider]]
+provider_type = "CryptoAuthLib"
+key_info_manager = "on-disk-manager"

e2e_tests/provider_cfg/cryptoauthlib/Dockerfile

@@ -0,0 +1,15 @@
+FROM ubuntu:18.04
+
+ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig
+
+RUN apt-get update && \
+	apt-get install -y git make gcc python3 python curl wget cmake && \
+	apt-get install -y automake autoconf libtool pkg-config libssl-dev && \
+	# These libraries are needed for bindgen as it uses libclang.so
+	apt-get install -y clang libclang-dev libc6-dev-i386 && \
+	# Install cargo globally to not have to install it for each user for multitenancy tests
+	apt-get install -y cargo
+
+# Add users for multitenancy tests
+RUN useradd -m parsec-client-1
+RUN useradd -m parsec-client-2

e2e_tests/provider_cfg/cryptoauthlib/config.toml

@@ -0,0 +1,25 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "CryptoAuthLib"
+key_info_manager = "on-disk-manager"

e2e_tests/tests/all_providers/config/mod.rs

@@ -55,6 +55,7 @@ fn list_providers() {
             Uuid::parse_str("1c1139dc-ad7c-47dc-ad6b-db6fdb466552").unwrap(), // Mbed crypto provider
             Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap(), // Tpm provider
             Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap(), // Pkcs11 provider
+            Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap(), // CryptoAuthLib provider
             Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap(), // Core provider
         ]
     );
@@ -70,6 +71,7 @@ fn list_providers() {
             Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap(), // Pkcs11 provider
             Uuid::parse_str("1c1139dc-ad7c-47dc-ad6b-db6fdb466552").unwrap(), // Mbed crypto provider
             Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap(), // Tpm provider
+            Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap(), // CryptoAuthLib provider
             Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap(), // Core provider
         ]
     );

e2e_tests/tests/all_providers/config/tomls/list_providers_1.toml

@@ -33,3 +33,7 @@ library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
 user_pin = "123456"
 # The slot_number mandatory field is going to replace the following line with a valid number
 # slot_number
+
+[[provider]]
+provider_type = "CryptoAuthLib"
+key_info_manager = "on-disk-manager"

e2e_tests/tests/all_providers/config/tomls/list_providers_2.toml

@@ -33,3 +33,7 @@ provider_type = "Tpm"
 key_info_manager = "on-disk-manager"
 tcti = "mssim"
 owner_hierarchy_auth = "tpm_pass"
+
+[[provider]]
+provider_type = "CryptoAuthLib"
+key_info_manager = "on-disk-manager"

e2e_tests/tests/all_providers/normal.rs

@@ -9,7 +9,7 @@ use std::collections::HashSet;
 fn list_providers() {
     let mut client = TestClient::new();
     let providers = client.list_providers().expect("list providers failed");
-    assert_eq!(providers.len(), 4);
+    assert_eq!(providers.len(), 5);
     let uuids: HashSet<Uuid> = providers.iter().map(|p| p.uuid).collect();
     // Core provider
     assert!(uuids.contains(&Uuid::parse_str("47049873-2a43-4845-9d72-831eab668784").unwrap()));
@@ -19,6 +19,8 @@ fn list_providers() {
     assert!(uuids.contains(&Uuid::parse_str("30e39502-eba6-4d60-a4af-c518b7f5e38f").unwrap()));
     // TPM provider
     assert!(uuids.contains(&Uuid::parse_str("1e4954a4-ff21-46d3-ab0c-661eeb667e1d").unwrap()));
+    // CryptoAuthLib provider
+    assert!(uuids.contains(&Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").unwrap()));
 }
 
 #[test]
@@ -141,7 +143,7 @@ fn list_keys() {
         .collect();
 
     assert_eq!(key_names.len(), 3);
-    assert!(key_names.contains(&(key1.clone(),ProviderID::MbedCrypto)));
-    assert!(key_names.contains(&(key2.clone(),ProviderID::Pkcs11)));
-    assert!(key_names.contains(&(key3.clone(),ProviderID::Tpm)));
+    assert!(key_names.contains(&(key1.clone(), ProviderID::MbedCrypto)));
+    assert!(key_names.contains(&(key2.clone(), ProviderID::Pkcs11)));
+    assert!(key_names.contains(&(key3.clone(), ProviderID::Tpm)));
 }

src/providers/cryptoauthlib/mod.rs

@@ -0,0 +1,102 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! Microchip CryptoAuthentication Library provider
+//!
+//! This provider is a hardware based implementation of PSA Crypto, Mbed Crypto.
+use super::Provide;
+use crate::authenticators::ApplicationName;
+use crate::key_info_managers::ManageKeyInfo;
+use derivative::Derivative;
+use log::trace;
+use parsec_interface::operations::list_keys;
+use parsec_interface::operations::list_keys::KeyInfo;
+use parsec_interface::operations::list_providers::ProviderInfo;
+use parsec_interface::requests::{Opcode, ProviderID, ResponseStatus, Result};
+use std::collections::HashSet;
+use std::io::{Error, ErrorKind};
+use std::sync::{Arc, RwLock};
+use uuid::Uuid;
+
+const SUPPORTED_OPCODES: [Opcode; 0] = [];
+
+/// CryptoAuthLib provider structure
+#[derive(Derivative)]
+#[derivative(Debug, Clone, Copy)]
+pub struct Provider {
+    // device: rust_cryptoauthlib::AtcaDevice,
+}
+
+impl Provider {
+    /// Creates and initialise a new instance of CryptoAuthLibProvider
+    fn new(_key_info_store: Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>) -> Option<Provider> {
+        Some(Provider {})
+    }
+}
+
+impl Provide for Provider {
+    fn describe(&self) -> Result<(ProviderInfo, HashSet<Opcode>)> {
+        trace!("describe ingress");
+        Ok((ProviderInfo {
+            // Assigned UUID for this provider: b8ba81e2-e9f7-4bdd-b096-a29d0019960c
+            uuid: Uuid::parse_str("b8ba81e2-e9f7-4bdd-b096-a29d0019960c").or(Err(ResponseStatus::InvalidEncoding))?,
+            description: String::from("User space hardware provider, utilizing MicrochipTech CryptoAuthentication Library for ATECCx08 chips"),
+            vendor: String::from("Arm"),
+            version_maj: 0,
+            version_min: 1,
+            version_rev: 0,
+            id: ProviderID::CryptoAuthLib,
+        }, SUPPORTED_OPCODES.iter().copied().collect()))
+    }
+
+    fn list_keys(
+        &self,
+        _app_name: ApplicationName,
+        _op: list_keys::Operation,
+    ) -> Result<list_keys::Result> {
+        trace!("list_keys ingress");
+        let keys: Vec<KeyInfo> = Vec::new();
+
+        Ok(list_keys::Result { keys })
+    }
+}
+
+/// CryptoAuthentication Library Provider builder
+#[derive(Default, Derivative)]
+#[derivative(Debug)]
+pub struct ProviderBuilder {
+    #[derivative(Debug = "ignore")]
+    key_info_store: Option<Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>>,
+}
+
+impl ProviderBuilder {
+    /// Create a new CryptoAuthLib builder
+    pub fn new() -> ProviderBuilder {
+        ProviderBuilder {
+            key_info_store: None,
+        }
+    }
+
+    /// Add a KeyInfo manager
+    pub fn with_key_info_store(
+        mut self,
+        key_info_store: Arc<RwLock<dyn ManageKeyInfo + Send + Sync>>,
+    ) -> ProviderBuilder {
+        self.key_info_store = Some(key_info_store);
+
+        self
+    }
+
+    /// Attempt to build CryptoAuthLib Provider
+    pub fn build(self) -> std::io::Result<Provider> {
+        Provider::new(
+            self.key_info_store
+                .ok_or_else(|| Error::new(ErrorKind::InvalidData, "missing key info store"))?,
+        )
+        .ok_or_else(|| {
+            Error::new(
+                ErrorKind::InvalidData,
+                "CryptoAuthLib Provider initialization failed",
+            )
+        })
+    }
+}

src/providers/mod.rs

@@ -23,6 +23,9 @@ pub mod mbed_crypto;
 #[cfg(feature = "tpm-provider")]
 pub mod tpm;
 
+#[cfg(feature = "cryptoauthlib-provider")]
+pub mod cryptoauthlib;
+
 /// Provider configuration structure
 /// For providers configs in Parsec config.toml we use a format similar
 /// to the one described in the Internally Tagged Enum representation
@@ -59,6 +62,11 @@ pub enum ProviderConfig {
         /// Owner Hierarchy Authentication
         owner_hierarchy_auth: String,
     },
+    /// Microchip CryptoAuthentication Library provider configuration
+    CryptoAuthLib {
+        /// Name of the Key Info Manager to use
+        key_info_manager: String,
+    },
 }
 
 impl ProviderConfig {
@@ -77,6 +85,10 @@ impl ProviderConfig {
                 ref key_info_manager,
                 ..
             } => key_info_manager,
+            ProviderConfig::CryptoAuthLib {
+                ref key_info_manager,
+                ..
+            } => key_info_manager,
         }
     }
     /// Get the Provider ID of the provider
@@ -85,6 +97,7 @@ impl ProviderConfig {
             ProviderConfig::MbedCrypto { .. } => ProviderID::MbedCrypto,
             ProviderConfig::Pkcs11 { .. } => ProviderID::Pkcs11,
             ProviderConfig::Tpm { .. } => ProviderID::Tpm,
+            ProviderConfig::CryptoAuthLib { .. } => ProviderID::CryptoAuthLib,
         }
     }
 }

src/utils/service_builder.rs

@@ -37,16 +37,20 @@ use std::sync::RwLock;
 use std::time::Duration;
 use threadpool::{Builder as ThreadPoolBuilder, ThreadPool};
 
+#[cfg(feature = "cryptoauthlib-provider")]
+use crate::providers::cryptoauthlib::ProviderBuilder as CryptoAuthLibProviderBuilder;
 #[cfg(feature = "mbed-crypto-provider")]
 use crate::providers::mbed_crypto::ProviderBuilder as MbedCryptoProviderBuilder;
 #[cfg(feature = "pkcs11-provider")]
 use crate::providers::pkcs11::ProviderBuilder as Pkcs11ProviderBuilder;
 #[cfg(feature = "tpm-provider")]
 use crate::providers::tpm::ProviderBuilder as TpmProviderBuilder;
+
 #[cfg(any(
     feature = "mbed-crypto-provider",
     feature = "pkcs11-provider",
-    feature = "tpm-provider"
+    feature = "tpm-provider",
+    feature = "cryptoauthlib-provider"
 ))]
 use log::info;
 
@@ -277,7 +281,8 @@ fn build_providers(
     not(all(
         feature = "mbed-crypto-provider",
         feature = "pkcs11-provider",
-        feature = "tpm-provider"
+        feature = "tpm-provider",
+        feature = "cryptoauthlib-provider"
     )),
     allow(unused_variables),
     allow(clippy::match_single_binding)
@@ -330,10 +335,20 @@ unsafe fn get_provider(
                     .build()?,
             ))
         }
+        #[cfg(feature = "cryptoauthlib-provider")]
+        ProviderConfig::CryptoAuthLib { .. } => {
+            info!("Creating a CryptoAuthentication Library Provider.");
+            Ok(Arc::new(
+                CryptoAuthLibProviderBuilder::new()
+                    .with_key_info_store(key_info_manager)
+                    .build()?,
+            ))
+        }
         #[cfg(not(all(
             feature = "mbed-crypto-provider",
             feature = "pkcs11-provider",
-            feature = "tpm-provider"
+            feature = "tpm-provider",
+            feature = "cryptoauthlib-provider"
         )))]
         _ => {
             error!(