parsec-service 1.5.0

A language-agnostic API to secure services in a platform-agnostic way
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

// Copyright 2021 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0

use super::{Provider, utils};
use crate::authenticators::ApplicationIdentity;
use crate::providers::crypto_capability::CanDoCrypto;
use log::{info, trace};
use parsec_interface::operations::can_do_crypto;
use parsec_interface::operations::psa_key_attributes::{Attributes, Type};
use parsec_interface::requests::ResponseStatus::PsaErrorNotSupported;
use parsec_interface::requests::Result;

impl CanDoCrypto for Provider {
    fn can_do_crypto_internal(
        &self,
        _application_identity: &ApplicationIdentity,
        op: can_do_crypto::Operation,
    ) -> Result<can_do_crypto::Result> {
        trace!("can_do_crypto_internal");

        // Check attributes compatibility with the provider
        match op.attributes.key_type {
            Type::RsaKeyPair | Type::RsaPublicKey => {
                let _ =
                    utils::rsa_key_bits(op.attributes.bits).map_err(|_| PsaErrorNotSupported)?;
                Ok(can_do_crypto::Result)
            }
            Type::EccKeyPair { .. } | Type::EccPublicKey { .. } => {
                let _ = utils::convert_curve_to_tpm(op.attributes)?;
                Ok(can_do_crypto::Result)
            }
            _ => {
                info!("Unsupported key type {:?}", op.attributes.key_type);
                Err(PsaErrorNotSupported)
            }
        }
    }

    fn use_check_internal(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
        trace!("use_check_internal");

        let _ = utils::parsec_to_tpm_params(attributes).map_err(|_| PsaErrorNotSupported)?;

        // TO-DO we also need to check capabilities of used TMP module.
        // TPM_GetCapability support in the tss-esapi crate is required.
        Ok(can_do_crypto::Result)
    }

    fn generate_check_internal(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
        trace!("generate_check_internal");
        match attributes.key_type {
            Type::RsaKeyPair | Type::EccKeyPair { .. } => Ok(can_do_crypto::Result),
            _ => {
                info!("Unsupported key type {:?}", attributes.key_type);
                Err(PsaErrorNotSupported)
            }
        }
    }

    fn import_check_internal(&self, attributes: Attributes) -> Result<can_do_crypto::Result> {
        trace!("import_check_internal");
        match attributes.key_type {
            Type::RsaPublicKey | Type::EccPublicKey { .. } => Ok(can_do_crypto::Result),
            _ => {
                info!("Unsupported key type {:?}", attributes.key_type);
                Err(PsaErrorNotSupported)
            }
        }
    }
}