parsec-service 1.5.0

A language-agnostic API to secure services in a platform-agnostic way
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

// Copyright 2021 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
//! Crypto capabilities trait for Parsec providers
//!
//! The trait provides generic crypto compatibility checking methods
//! https://parallaxsecond.github.io/parsec-book/parsec_client/operations/can_do_crypto.html
//! https://parallaxsecond.github.io/parsec-book/parsec_client/operations/service_api_coverage.html

use crate::authenticators::ApplicationIdentity;
use log::{info, trace};
use parsec_interface::operations::can_do_crypto;
use parsec_interface::operations::can_do_crypto::{CheckType, Operation};
use parsec_interface::operations::psa_algorithm::Algorithm;
use parsec_interface::operations::psa_key_attributes::Attributes;
use parsec_interface::requests::ResponseStatus::PsaErrorNotSupported;
use parsec_interface::requests::Result;

/// Provider interface for checking crypto capabilities
///
/// Definition of the interface that a provider must expand to
/// be correctly checked for crypto compatibility.
pub trait CanDoCrypto {
    /// Check if the crypto operation is supported by provider.
    /// This method is called by Provide trait and doesn't need to be changed.
    fn can_do_crypto_main(
        &self,
        application_identity: &ApplicationIdentity,
        op: Operation,
    ) -> Result<can_do_crypto::Result> {
        trace!("can_do_crypto_main in CanDoCrypto trait");
        let _ = self.can_do_crypto_internal(application_identity, op)?;

        match op.check_type {
            CheckType::Generate => self.generate_check(op.attributes),
            CheckType::Import => self.import_check(op.attributes),
            CheckType::Use => self.use_check(op.attributes),
            CheckType::Derive => self.derive_check(op.attributes),
        }
    }

    /// Common checks if an existing key of the key type that defined in the attributes
    /// and the same length can be used to perform the algorithm in policy.key_algorithm
    fn use_check(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
        trace!("Use check in CanDoCrypto trait");
        if attributes.policy.permitted_algorithms == Algorithm::None {
            info!("No algorithm defined for the operation");
            return Err(PsaErrorNotSupported);
        }
        if !(attributes.policy.usage_flags.decrypt()
            || attributes.policy.usage_flags.encrypt()
            || attributes.policy.usage_flags.sign_hash()
            || attributes.policy.usage_flags.sign_message()
            || attributes.policy.usage_flags.verify_hash()
            || attributes.policy.usage_flags.verify_message())
        {
            info!("No usage flags defined for the operation");
            return Err(PsaErrorNotSupported);
        }
        attributes
            .compatible_with_alg(attributes.policy.permitted_algorithms)
            .map_err(|_| PsaErrorNotSupported)?;

        self.use_check_internal(attributes)
    }

    /// Common checks if a key with the attributes can be generated
    fn generate_check(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
        trace!("Generate check in CanDoCrypto trait");
        let _ = self.generate_check_internal(attributes)?;

        if attributes.policy.permitted_algorithms != Algorithm::None {
            return self.use_check(attributes);
        }
        Ok(can_do_crypto::Result)
    }

    /// Common checks if a key with the attributes can be imported.
    fn import_check(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
        trace!("Import check in CanDoCrypto trait");
        let _ = self.import_check_internal(attributes)?;

        if attributes.policy.permitted_algorithms != Algorithm::None {
            return self.use_check(attributes);
        }
        Ok(can_do_crypto::Result)
    }

    /// Checks if a key with the attributes can be derived.
    fn derive_check(&self, _attributes: Attributes) -> Result<can_do_crypto::Result> {
        info!("Derive check type is not supported");
        Err(PsaErrorNotSupported)
    }

    /// Provider specific heck if the crypto operation is supported by provider.
    /// This method should be re-implemented by providers.
    fn can_do_crypto_internal(
        &self,
        _application_identity: &ApplicationIdentity,
        _op: Operation,
    ) -> Result<can_do_crypto::Result>;

    /// Provider specific Use check.
    /// This method should be re-implemented by providers.
    fn use_check_internal(&self, _attributes: Attributes) -> Result<can_do_crypto::Result>;

    /// Provider specific Generate check.
    /// This method should be re-implemented by providers.
    fn generate_check_internal(&self, attributes: Attributes) -> Result<can_do_crypto::Result>;

    /// Provider specific Import check.
    /// This method should be re-implemented by providers.
    fn import_check_internal(&self, attributes: Attributes) -> Result<can_do_crypto::Result>;
}