noxtls 0.1.3

TLS/DTLS protocol and connection state machine for the noxtls Rust stack.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

// Copyright (c) 2019-2026, Argenox Technologies LLC
// All rights reserved.
//
// SPDX-License-Identifier: GPL-2.0-only OR LicenseRef-Argenox-Commercial-License
//
// This file is part of the NoxTLS Library.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by the
// Free Software Foundation; version 2 of the License.
//
// Alternatively, this file may be used under the terms of a commercial
// license from Argenox Technologies LLC.
//
// See `noxtls/LICENSE` and `noxtls/LICENSE.md` in this repository for full details.
// CONTACT: info@argenox.com

use crate::internal_alloc::Vec;
use noxtls_core::Result;
use noxtls_psa::{
    KeyDecryptRequest as PsaKeyDecryptRequest, KeyDeriveRequest as PsaKeyDeriveRequest,
    KeySignRequest as PsaKeySignRequest, PsaCryptoBackend, PsaDecryptAlgorithm, PsaDeriveAlgorithm,
    PsaExternalKeyHandle, PsaProvider, PsaSignAlgorithm,
};

use super::{
    ExternalKeyHandle, ExternalKeyProvider, KeyDecryptAlgorithm, KeyDecryptRequest,
    KeyDeriveAlgorithm, KeyDeriveRequest, KeySignAlgorithm, KeySignRequest,
};

/// Adapts `noxtls-psa` backends to the `ExternalKeyProvider` trait boundary.
#[derive(Clone, Debug)]
pub struct PsaExternalKeyProvider<B: PsaCryptoBackend> {
    provider: PsaProvider<B>,
}

impl<B: PsaCryptoBackend> PsaExternalKeyProvider<B> {
    /// Constructs a provider adapter from a concrete PSA backend.
    ///
    /// # Arguments
    ///
    /// * `backend` — Concrete PSA backend implementation used for all operations.
    ///
    /// # Returns
    ///
    /// New adapter implementing [`ExternalKeyProvider`].
    pub fn new(backend: B) -> Self {
        Self {
            provider: PsaProvider::new(backend),
        }
    }

    /// Converts an external key handle into PSA-owned identifier bytes.
    ///
    /// # Arguments
    ///
    /// * `handle` — noxtls external key handle from provider requests.
    ///
    /// # Returns
    ///
    /// Converted PSA handle carrying an owned identifier copy.
    fn convert_handle(handle: &ExternalKeyHandle) -> PsaExternalKeyHandle {
        PsaExternalKeyHandle::new(handle.as_bytes().to_vec())
    }
}

impl<B: PsaCryptoBackend> ExternalKeyProvider for PsaExternalKeyProvider<B> {
    /// Executes signing operations through the PSA provider backend.
    ///
    /// # Arguments
    ///
    /// * `request` — noxtls signing request containing key handle and algorithm.
    ///
    /// # Returns
    ///
    /// Signature bytes generated by the backend.
    ///
    /// # Errors
    ///
    /// Returns backend/provider errors for invalid handles, policy violations, or sign failures.
    fn sign(&self, request: &KeySignRequest<'_>) -> Result<Vec<u8>> {
        let algorithm = match request.algorithm {
            KeySignAlgorithm::RsaPkcs1Sha256 => PsaSignAlgorithm::RsaPkcs1Sha256,
            KeySignAlgorithm::RsaPssSha256 => PsaSignAlgorithm::RsaPssSha256,
        };
        let handle = Self::convert_handle(request.handle);
        let mapped = PsaKeySignRequest {
            handle: &handle,
            algorithm,
            message: request.message,
            salt: request.salt,
        };
        self.provider.sign(&mapped)
    }

    /// Executes decrypt operations through the PSA provider backend.
    ///
    /// # Arguments
    ///
    /// * `request` — noxtls decrypt request containing key handle and algorithm.
    ///
    /// # Returns
    ///
    /// Plaintext bytes returned by the backend.
    ///
    /// # Errors
    ///
    /// Returns a uniform decrypt failure error for backend decrypt failures.
    fn decrypt(&self, request: &KeyDecryptRequest<'_>) -> Result<Vec<u8>> {
        let algorithm = match request.algorithm {
            KeyDecryptAlgorithm::RsaPkcs1v15 => PsaDecryptAlgorithm::RsaPkcs1v15,
            KeyDecryptAlgorithm::RsaOaepSha256 => PsaDecryptAlgorithm::RsaOaepSha256,
        };
        let handle = Self::convert_handle(request.handle);
        let mapped = PsaKeyDecryptRequest {
            handle: &handle,
            algorithm,
            ciphertext: request.ciphertext,
            label: request.label,
        };
        self.provider.decrypt(&mapped)
    }

    /// Executes key-derivation operations through the PSA provider backend.
    ///
    /// # Arguments
    ///
    /// * `request` — noxtls derive request containing key handle and peer public key.
    ///
    /// # Returns
    ///
    /// Shared secret bytes derived by the backend.
    ///
    /// # Errors
    ///
    /// Returns backend/provider errors for invalid handles, policy violations, or derive failures.
    fn derive_shared_secret(&self, request: &KeyDeriveRequest<'_>) -> Result<Vec<u8>> {
        let algorithm = match request.algorithm {
            KeyDeriveAlgorithm::X25519 => PsaDeriveAlgorithm::X25519,
        };
        let handle = Self::convert_handle(request.handle);
        let mapped = PsaKeyDeriveRequest {
            handle: &handle,
            algorithm,
            peer_public_key: request.peer_public_key,
        };
        self.provider.derive(&mapped)
    }
}