Update TS submodule and add asym encryption

.github/workflows/ci.yml

@@ -13,8 +13,8 @@ jobs:
       #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh all
-      # When running the container built on the CI
-      # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh all
+        # When running the container built on the CI
+        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh all
 
   mbed-crypto-provider:
     name: Integration tests using Mbed Crypto provider
@@ -26,8 +26,8 @@ jobs:
       #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh mbed-crypto
-      # When running the container built on the CI
-      # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh mbed-crypto
+        # When running the container built on the CI
+        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh mbed-crypto
 
   pkcs11-provider:
     name: Integration tests using PKCS 11 provider
@@ -40,8 +40,8 @@ jobs:
       - name: Run the container to execute the test script
         # Not running stress tests because they fail, presumably because of the same issue as #264
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh pkcs11 --no-stress-test
-      # When running the container built on the CI
-      # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh pkcs11 --no-stress-test
+        # When running the container built on the CI
+        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh pkcs11 --no-stress-test
 
   tpm-provider:
     name: Integration tests using TPM provider
@@ -53,21 +53,21 @@ jobs:
       #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh tpm
-      # When running the container built on the CI
-      # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh tpm
+        # When running the container built on the CI
+        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh tpm
 
   trusted-service-provider:
     name: Integration tests using Cypto Trusted Service provider
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       # Use the following step when updating the `parsec-service-test-all` image
-      # - name: Build the container
-      #   run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
+      - name: Build the container
+        run: pushd e2e_tests/docker_image && docker build -t parsec-service-test-all -f parsec-service-test-all.Dockerfile . && popd
       - name: Run the container to execute the test script
-        run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh trusted-service
+        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh trusted-service
         # When running the container built on the CI
-        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh trusted-service
+        run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh trusted-service
 
   cryptoauthlib-provider:
     name: Integration tests using CryptoAuthentication Library provider
@@ -80,8 +80,8 @@ jobs:
       - name: Run the container to execute the test script
         # Not running stress tests because rust-cryptoauthlib test-interface does not support required calls
         run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec ghcr.io/parallaxsecond/parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test
-      # When running the container built on the CI
-      # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test
+        # When running the container built on the CI
+        # run: docker run -v $(pwd):/tmp/parsec -w /tmp/parsec -t parsec-service-test-all /tmp/parsec/ci.sh cryptoauthlib --no-stress-test
 
   fuzz-test-checker:
     name: Check that the fuzz testing framework is still working

Cargo.toml

@@ -66,7 +66,7 @@ mbed-crypto-provider = ["psa-crypto"]
 pkcs11-provider = ["cryptoki", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "psa-crypto", "rand"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "hex"]
 cryptoauthlib-provider = ["rust-cryptoauthlib"]
-trusted-service-provider = ["mbed-crypto-provider", "bindgen", "prost-build", "prost"]
+trusted-service-provider = ["psa-crypto", "bindgen", "prost-build", "prost"]
 all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider"]
 
 # Authenticators

e2e_tests/docker_image/parsec-service-test-all.Dockerfile

@@ -94,15 +94,18 @@ RUN cd nanopb-0.4.4-linux-x86 \
 RUN rm -rf nanopb-0.4.4-linux-x86 nanopb-0.4.4-linux-x86.tar.gz
 
 # Install mock Trusted Services
-RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch main \
+# Setup git config for patching dependencies
+RUN git config --global user.email "some@email.com"
+RUN git config --global user.name "Parsec Team"
+RUN git clone https://git.trustedfirmware.org/TS/trusted-services.git --branch integration \
 	&& cd trusted-services \
-	&& git reset --hard 2fc7e10c7c21e4dafbf63dc9d00dfc2a7a7fddad
+	&& git reset --hard c1cf9120e4ab0b359a27176b079769b9a7e6bb87
 # Install correct python dependencies
 RUN pip3 install -r trusted-services/requirements.txt
 RUN cd trusted-services/deployments/libts/linux-pc/ \
 	&& cmake . \
 	&& make \
-	&& cp libts.so nanopb_install/lib/libprotobuf-nanopb.a mbedcrypto_install/lib/libmbedcrypto.a /usr/local/lib/
+	&& cp libts.so nanopb_install/lib/libprotobuf-nanopb.a mbedtls_install/lib/libmbedcrypto.a /usr/local/lib/
 RUN rm -rf trusted-services
 
 # Create a new token in a new slot. The slot number assigned will be random

src/providers/trusted_service/asym_encryption.rs

@@ -0,0 +1,64 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use super::Provider;
+use crate::authenticators::ApplicationName;
+use crate::key_info_managers::KeyTriple;
+use log::error;
+use parsec_interface::operations::{psa_asymmetric_decrypt, psa_asymmetric_encrypt};
+use parsec_interface::requests::{ProviderId, Result};
+
+impl Provider {
+    pub(super) fn psa_asymmetric_encrypt_internal(
+        &self,
+        app_name: ApplicationName,
+        op: psa_asymmetric_encrypt::Operation,
+    ) -> Result<psa_asymmetric_encrypt::Result> {
+        let key_name = op.key_name.clone();
+
+        let key_triple = KeyTriple::new(app_name, ProviderId::TrustedService, key_name);
+        let key_id = self.key_info_store.get_key_id(&key_triple)?;
+        let salt_buff = match &op.salt {
+            Some(salt) => salt.to_vec(),
+            None => Vec::new(),
+        };
+
+        match self
+            .context
+            .asym_encrypt(key_id, op.alg, op.plaintext.to_vec(), salt_buff)
+        {
+            Ok(ciphertext) => Ok(psa_asymmetric_encrypt::Result {
+                ciphertext: ciphertext.into(),
+            }),
+            Err(error) => {
+                error!("Encrypt failed with status: {}", error);
+                Err(error)
+            }
+        }
+    }
+
+    pub(super) fn psa_asymmetric_decrypt_internal(
+        &self,
+        app_name: ApplicationName,
+        op: psa_asymmetric_decrypt::Operation,
+    ) -> Result<psa_asymmetric_decrypt::Result> {
+        let key_triple = KeyTriple::new(app_name, ProviderId::TrustedService, op.key_name.clone());
+        let key_id = self.key_info_store.get_key_id(&key_triple)?;
+        let salt_buff = match &op.salt {
+            Some(salt) => salt.to_vec(),
+            None => Vec::new(),
+        };
+
+        match self
+            .context
+            .asym_decrypt(key_id, op.alg, op.ciphertext.to_vec(), salt_buff)
+        {
+            Ok(plaintext) => Ok(psa_asymmetric_decrypt::Result {
+                plaintext: plaintext.into(),
+            }),
+            Err(error) => {
+                error!("Decrypt failed with status: {}", error);
+                Err(error)
+            }
+        }
+    }
+}

src/providers/trusted_service/context/asym_encryption.rs

@@ -0,0 +1,58 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+use super::ts_protobuf::{
+    AsymmetricDecryptIn, AsymmetricDecryptOut, AsymmetricEncryptIn, AsymmetricEncryptOut,
+};
+use super::Context;
+use parsec_interface::operations::psa_algorithm::AsymmetricEncryption;
+use parsec_interface::requests::ResponseStatus;
+use std::convert::TryInto;
+use zeroize::Zeroize;
+
+impl Context {
+    pub fn asym_encrypt(
+        &self,
+        key_id: u32,
+        alg: AsymmetricEncryption,
+        mut plaintext: Vec<u8>,
+        mut salt: Vec<u8>,
+    ) -> Result<Vec<u8>, ResponseStatus> {
+        let alg = alg.try_into().map_err(|e| {
+            plaintext.zeroize();
+            salt.zeroize();
+            e
+        })?;
+        let req = AsymmetricEncryptIn {
+            id: key_id,
+            alg,
+            plaintext,
+            salt,
+        };
+        let AsymmetricEncryptOut { ciphertext } = self.send_request(&req)?;
+
+        Ok(ciphertext)
+    }
+
+    pub fn asym_decrypt(
+        &self,
+        key_id: u32,
+        alg: AsymmetricEncryption,
+        mut ciphertext: Vec<u8>,
+        mut salt: Vec<u8>,
+    ) -> Result<Vec<u8>, ResponseStatus> {
+        let alg = alg.try_into().map_err(|e| {
+            ciphertext.zeroize();
+            salt.zeroize();
+            e
+        })?;
+        let req = AsymmetricDecryptIn {
+            id: key_id,
+            alg,
+            ciphertext,
+            salt,
+        };
+        let AsymmetricDecryptOut { plaintext } = self.send_request(&req)?;
+
+        Ok(plaintext)
+    }
+}

src/providers/trusted_service/context/asym_sign.rs

@@ -17,11 +17,11 @@ impl Context {
     ) -> Result<Vec<u8>, Error> {
         info!("Handling SignHash request");
         let proto_req = SignHashIn {
-            handle: 0,
+            id: key_id,
             hash,
             alg: algorithm.try_into()?,
         };
-        let SignHashOut { signature } = self.send_request_with_key(proto_req, key_id)?;
+        let SignHashOut { signature } = self.send_request(&proto_req)?;
 
         Ok(signature)
     }
@@ -36,12 +36,12 @@ impl Context {
     ) -> Result<(), Error> {
         info!("Handling VerifyHash request");
         let proto_req = VerifyHashIn {
-            handle: 0,
+            id: key_id,
             hash,
             signature,
             alg: algorithm.try_into()?,
         };
-        self.send_request_with_key(proto_req, key_id)?;
+        self.send_request(&proto_req)?;
 
         Ok(())
     }

src/providers/trusted_service/context/key_management.rs

@@ -2,13 +2,12 @@
 // SPDX-License-Identifier: Apache-2.0
 use super::error::Error;
 use super::ts_protobuf::{
-    CloseKeyIn, DestroyKeyIn, DestroyKeyOut, ExportPublicKeyIn, GenerateKeyIn, GenerateKeyOut,
-    ImportKeyIn, ImportKeyOut, KeyAttributes, KeyLifetime, KeyPolicy, OpenKeyIn, OpenKeyOut,
+    DestroyKeyIn, DestroyKeyOut, ExportPublicKeyIn, GenerateKeyIn, ImportKeyIn, KeyAttributes,
+    KeyLifetime, KeyPolicy,
 };
 use super::Context;
 use log::info;
 use psa_crypto::types::key::Attributes;
-use psa_crypto::types::status::Error as PsaError;
 use std::convert::{TryFrom, TryInto};
 use zeroize::Zeroize;
 
@@ -31,10 +30,7 @@ impl Context {
                 }),
             }),
         };
-        let GenerateKeyOut { handle } = self.send_request(&generate_req)?;
-
-        let close_req = CloseKeyIn { handle };
-        self.send_request(&close_req)?;
+        let _ = self.send_request(&generate_req)?;
 
         Ok(())
     }
@@ -74,10 +70,7 @@ impl Context {
             }),
             data,
         };
-        let ImportKeyOut { handle } = self.send_request(&import_req)?;
-
-        let close_req = CloseKeyIn { handle };
-        self.send_request(&close_req)?;
+        let _ = self.send_request(&import_req)?;
 
         Ok(())
     }
@@ -88,37 +81,16 @@ impl Context {
     /// format.
     pub fn export_public_key(&self, id: u32) -> Result<Vec<u8>, Error> {
         info!("Handling ExportPublicKey request");
-        self.send_request_with_key(ExportPublicKeyIn::default(), id)
+        let req = ExportPublicKeyIn { id };
+        self.send_request(&req)
     }
 
     /// Destroy a key given its ID.
     pub fn destroy_key(&self, key_id: u32) -> Result<(), Error> {
         info!("Handling DestroyKey request");
-        let open_req = OpenKeyIn { id: key_id };
-        let OpenKeyOut { handle } = self.send_request(&open_req)?;
 
-        let destroy_req = DestroyKeyIn { handle };
+        let destroy_req = DestroyKeyIn { id: key_id };
         let _proto_resp: DestroyKeyOut = self.send_request(&destroy_req)?;
         Ok(())
     }
-
-    /// Verify if a key with a given ID exists.
-    pub fn check_key_exists(&self, key_id: u32) -> Result<bool, Error> {
-        info!("Handling CheckKey request");
-        let open_req = OpenKeyIn { id: key_id };
-        match self.send_request(&open_req) {
-            Ok(OpenKeyOut { handle }) => {
-                let close_req = CloseKeyIn { handle };
-                self.send_request(&close_req)?;
-                Ok(true)
-            }
-            Err(e) => {
-                if e == Error::PsaCrypto(PsaError::DoesNotExist) {
-                    Ok(false)
-                } else {
-                    Err(e)
-                }
-            }
-        }
-    }
 }

src/providers/trusted_service/context/mod.rs

@@ -10,7 +10,10 @@ use std::ptr::null_mut;
 use std::slice;
 use std::sync::Mutex;
 use ts_binding::*;
-use ts_protobuf::{CloseKeyIn, GetOpcode, OpenKeyIn, OpenKeyOut, SetHandle};
+use ts_protobuf::GetOpcode;
+
+// Bindgen fails to generate this constant.
+pub const PSA_KEY_ID_USER_MAX: u32 = 0x3fffffff;
 
 #[allow(
     non_snake_case,
@@ -30,6 +33,7 @@ pub mod ts_binding {
     include!(concat!(env!("OUT_DIR"), "/ts_bindings.rs"));
 }
 
+mod asym_encryption;
 mod asym_sign;
 pub mod error;
 mod key_management;
@@ -176,27 +180,6 @@ impl Context {
 
         Ok(resp)
     }
-
-    // Send a request that requires a key, given the key's ID.
-    // This function is responsible for opening the key, for sending the
-    // request with `send_request` and for closing the key afterwards.
-    fn send_request_with_key<T: Message + Default>(
-        &self,
-        mut req: impl Message + GetOpcode + SetHandle,
-        key_id: u32,
-    ) -> Result<T, Error> {
-        let open_req = OpenKeyIn { id: key_id };
-        let OpenKeyOut { handle } = self.send_request(&open_req)?;
-
-        req.set_handle(handle);
-        let res = self.send_request(&req);
-        let close_req = CloseKeyIn { handle };
-
-        let res_close = self.send_request(&close_req);
-        let res = res?;
-        res_close?;
-        Ok(res)
-    }
 }
 
 impl Drop for Context {