yubihsm 0.20.0

Pure Rust client for YubiHSM2 devices with support for HTTP and USB-based access to the device. Supports most HSM functionality including ECDSA, Ed25519, HMAC, and RSA.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

//! `MockHsm` presents a thread-safe API by locking interior mutable state,
//! contained in the `State` struct defined in this module.

use std::collections::BTreeMap;

use crate::audit::AuditOption;
use crate::connector::{ConnectionError, ConnectionErrorKind};
use crate::object::{ObjectId, ObjectType};
use crate::session::{
    securechannel::{Challenge, SecureChannel},
    SessionId,
};

use super::{audit::CommandAuditOptions, object::Objects, session::HsmSession};

/// Mutable interior state of the `MockHsm`
#[derive(Debug)]
pub(crate) struct State {
    /// Command-specific audit options
    pub(super) command_audit_options: CommandAuditOptions,

    /// Don't allow command to be performed until log data has been consumed
    /// via the `SetLogIndex` command.
    pub(super) force_audit: AuditOption,

    /// Active sessions with the MockHsm
    sessions: BTreeMap<SessionId, HsmSession>,

    /// Objects within the MockHsm (i.e. keys)
    pub(super) objects: Objects,
}

impl State {
    /// Create a new instance of the server's mutable interior state
    pub fn new() -> Self {
        Self {
            command_audit_options: CommandAuditOptions::default(),
            force_audit: AuditOption::Off,
            sessions: BTreeMap::new(),
            objects: Objects::default(),
        }
    }

    /// Create a new session with the MockHsm
    pub fn create_session(
        &mut self,
        authentication_key_id: ObjectId,
        host_challenge: Challenge,
    ) -> &HsmSession {
        // Generate a random card challenge to send back to the client
        let card_challenge = Challenge::random();

        let session_id = self
            .sessions
            .keys()
            .max()
            .map(|id| id.succ().expect("session count exceeded"))
            .unwrap_or_else(|| SessionId::from_u8(0).unwrap());

        let channel = {
            let authentication_key_obj = self
                .objects
                .get(authentication_key_id, ObjectType::AuthenticationKey)
                .unwrap_or_else(|| {
                    panic!(
                        "MockHsm has no AuthenticationKey in slot {:?}",
                        authentication_key_id
                    )
                });

            SecureChannel::new(
                session_id,
                authentication_key_obj
                    .payload
                    .authentication_key()
                    .expect("auth key payload"),
                host_challenge,
                card_challenge,
            )
        };

        let session = HsmSession::new(session_id, card_challenge, channel);
        assert!(self.sessions.insert(session_id, session).is_none());

        self.get_session(session_id).unwrap()
    }

    /// Obtain the channel for a session by its ID
    pub fn get_session(&mut self, id: SessionId) -> Result<&mut HsmSession, ConnectionError> {
        self.sessions.get_mut(&id).ok_or_else(|| {
            ConnectionError::new(
                ConnectionErrorKind::RequestError,
                Some(format!("invalid session ID: {:?}", id)),
            )
        })
    }

    /// Close an active session
    pub fn close_session(&mut self, id: SessionId) {
        assert!(self.sessions.remove(&id).is_some());
    }

    /// Reset the internal HSM state, closing all connections
    pub fn reset(&mut self) {
        self.command_audit_options = CommandAuditOptions::default();
        self.sessions = BTreeMap::new();
        self.objects = Objects::default();
    }
}