2 changes: 1 addition & 1 deletion .codespellrc
@@ -1,3 +1,3 @@
[codespell]
skip = .git,target,Cargo.lock
ignore-words-list = acsend,crate,inout,keypair,daa,de,ser
ignore-words-list = acsend,crate,keypair,inout,daa,de,ser
3 changes: 3 additions & 0 deletions Cargo.toml
@@ -1,3 +1,6 @@
[workspace]
resolver = "3"
members = ["tss-esapi", "tss-esapi-sys"]

[patch.crates-io]
ecdsa = { git = "https://github.com/RustCrypto/signatures.git" }
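Review bot: The `[patch.crates-io]` entry for `ecdsa` points at a git repository with no `rev`, so the workspace builds whatever the default branch holds at resolve time unless a committed lockfile pins it. For a signature-verification crate that is worth pinning explicitly, e.g. `ecdsa = { git = "https://github.com/RustCrypto/signatures.git", rev = "<pinned-commit-sha>" }`, with a comment naming the upstream release that will let the patch be removed. Note also that `[patch]` applies only to this workspace; downstream users of a published `tss-esapi` would resolve `ecdsa` from crates.io instead, so the crate should build without the override before release.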
76 changes: 52 additions & 24 deletions tss-esapi/Cargo.toml
Expand Up @@ -32,52 +32,68 @@ num-derive = "0.4.2"
num-traits = "0.2.12"
hostname-validator = "1.1.0"
regex = "1.3.9"
zeroize = { version = "1.5.7", features = ["zeroize_derive"] }
zeroize = { version = "1.8.2", features = ["zeroize_derive"] }
tss-esapi-sys = { path = "../tss-esapi-sys", version = "0.7.0-alpha.1" }
x509-cert = { version = "0.2.0", optional = true }
ecdsa = { version = "0.16.9", features = [
x509-cert = { version = "0.3.0-rc.4", optional = true }
aes = { version = "0.9", optional = true }
byte-strings = { version = "0.3.1", optional = true }
cfb-mode = { version = "0.9", optional = true }
cipher = { version = "0.5", optional = true }
des = { version = "0.9", optional = true }
ecdsa = { version = "0.17.0-rc.18", features = [
"algorithm",
"der",
"hazmat",
"arithmetic",
"verifying",
], optional = true }
elliptic-curve = { version = "0.13.8", optional = true, features = [
elliptic-curve = { version = "0.14.0-rc.31", optional = true, features = [
"alloc",
"pkcs8",
] }
p192 = { version = "0.13.0", optional = true }
p224 = { version = "0.13.2", optional = true }
p256 = { version = "0.13.2", optional = true }
p384 = { version = "0.13.0", optional = true }
p521 = { version = "0.13.3", optional = true }
pkcs8 = { version = "0.10.2", optional = true }
rsa = { version = "0.9", optional = true }
sha1 = { version = "0.10.6", optional = true }
sha2 = { version = "0.10.8", optional = true }
sha3 = { version = "0.10.8", optional = true }
sm2 = { version = "0.13.3", optional = true }
sm3 = { version = "0.4.2", optional = true }
digest = { version = "0.10.7", optional = true }
signature = { version = "2.2.0", features = ["std"], optional = true }
hmac = { version = "0.13", optional = true }
p192 = { version = "0.14.0-rc.10", optional = true }
p224 = { version = "0.14.0-rc.10", optional = true }
p256 = { version = "0.14.0-rc.10", optional = true }
p384 = { version = "0.14.0-rc.10", optional = true }
p521 = { version = "0.14.0-rc.10", optional = true }
pkcs8 = { version = "0.11", optional = true }
rand = { version = "0.10", optional = true }
rsa = { version = "0.10.0-rc.18", optional = true }
sha1 = { version = "0.11", optional = true }
sha2 = { version = "0.11", optional = true }
sha3 = { version = "0.12", optional = true }
sm2 = { version = "0.14.0-rc.10", optional = true }
sm3 = { version = "0.5", optional = true }
digest = { version = "0.11.1", optional = true }
signature = { version = "3.0.0-rc.10", features = [
"alloc",
"digest",
], optional = true }
kbkdf = { version = "0.1.0-rc.1", optional = true }
one-step-kdf = { version = "0.1.0-rc.0", optional = true }
cfg-if = "1.0.0"
strum = { version = "0.28.0", optional = true }
strum_macros = { version = "0.28.0", optional = true }
paste = "1.0.14"
getrandom = "0.2.11"
getrandom = "0.4.0"

[dev-dependencies]
assert_fs = "1.1.3"
aes = "0.9.0-pre.2"
env_logger = "0.11.5"
hex-literal = "1"
rsa = { version = "0.10.0-pre.3" }
serde_json = "^1.0.108"
sha2 = { version = "0.10.8", features = ["oid"] }
sha2 = { version = "0.11", features = ["oid"] }
socket2 = "0.6.3"
tss-esapi = { path = ".", features = [
"integration-tests",
"serde",
"abstraction",
"rustcrypto-full",
] }
x509-cert = { version = "0.2.0", features = ["builder"] }
p256 = { version = "0.14.0-rc.9", features = ["ecdh"] }
rand = "0.10"
x509-cert = { version = "0.3.0-rc.4", features = ["builder"] }

[build-dependencies]
semver = "1.0.7"
Expand All @@ -87,16 +103,26 @@ default = ["abstraction"]
generate-bindings = ["tss-esapi-sys/generate-bindings"]
abstraction = ["rustcrypto"]
integration-tests = ["strum", "strum_macros"]

rustcrypto = [
"byte-strings",
"cfb-mode",
"cipher",
"one-step-kdf",
"digest",
"ecdsa",
"elliptic-curve",
"elliptic-curve/ecdh",
"hmac",
"kbkdf",
"pkcs8",
"rand",
"signature",
"x509-cert",
]
rustcrypto-full = [
"rustcrypto",
"aes",
"des",
"p192",
"p224",
"p256",
Expand All @@ -109,6 +135,8 @@ rustcrypto-full = [
"sm2",
"sm3",
]

rsa = ["dep:rsa", "kbkdf"]
sha1 = ["dep:sha1", "rsa?/sha1"]
sha2 = ["dep:sha2", "rsa?/sha2"]
bundled = ["tss-esapi-sys/bundled"]
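Review bot: The RustCrypto dependencies in this section are release candidates declared with caret requirements (`ecdsa = "0.17.0-rc.18"`, `rsa = "0.10.0-rc.18"`, `p256 = "0.14.0-rc.10"`, and others), so a fresh resolve may select a later pre-release whose API or behaviour differs from what was reviewed. Consider exact requirements while these are pre-releases, e.g. `p256 = { version = "=0.14.0-rc.10", optional = true }`. The `[dev-dependencies]` entries should then be aligned, since they name different pre-releases (`p256` `0.14.0-rc.9`, `rsa` `0.10.0-pre.3`, `aes` `0.9.0-pre.2`); this assumes those lines are on the new side, which this rendering does not make explicit.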
69 changes: 43 additions & 26 deletions tss-esapi/src/abstraction/no_tpm/quote.rs
Expand Up @@ -13,19 +13,16 @@ use digest::{Digest, DynDigest};
#[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
use crate::{abstraction::public::AssociatedTpmCurve, structures::EccSignature};
#[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
use ecdsa::{
PrimeCurve, SignatureSize, VerifyingKey,
hazmat::{DigestPrimitive, VerifyPrimitive},
};
use ecdsa::{PrimeCurve, SignatureSize, VerifyingKey, hazmat::DigestAlgorithm};
#[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
use elliptic_curve::{
CurveArithmetic, FieldBytesSize,
generic_array::ArrayLength,
array::ArraySize,
point::AffinePoint,
sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint},
sec1::{FromSec1Point, ModulusSize, ToSec1Point},
};
#[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
use signature::hazmat::PrehashVerifier;
use signature::DigestVerifier;

#[cfg(feature = "rsa")]
use rsa::{RsaPublicKey, pkcs1v15, pss};
Expand All @@ -40,9 +37,9 @@ fn verify_ecdsa<C>(
hashing_algorithm: HashingAlgorithm,
) -> Result<bool>
where
C: PrimeCurve + CurveArithmetic + DigestPrimitive + AssociatedTpmCurve,
AffinePoint<C>: VerifyPrimitive<C> + FromEncodedPoint<C> + ToEncodedPoint<C>,
SignatureSize<C>: ArrayLength<u8>,
C: PrimeCurve + CurveArithmetic + DigestAlgorithm + AssociatedTpmCurve,
AffinePoint<C>: FromSec1Point<C> + ToSec1Point<C>,
SignatureSize<C>: ArraySize,
FieldBytesSize<C>: ModulusSize,
{
let Ok(signature) = ecdsa::Signature::<C>::try_from(signature) else {
Expand All @@ -56,25 +53,45 @@ where

match hashing_algorithm {
#[cfg(feature = "sha1")]
HashingAlgorithm::Sha1 => {
let hash = sha1::Sha1::digest(message);
Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
}
HashingAlgorithm::Sha1 => Ok(verifying_key
.verify_digest(
|d: &mut sha1::Sha1| {
Digest::update(d, message);
Ok(())
},
&signature,
)
.is_ok()),
#[cfg(feature = "sha2")]
HashingAlgorithm::Sha256 => {
let hash = sha2::Sha256::digest(message);
Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
}
HashingAlgorithm::Sha256 => Ok(verifying_key
.verify_digest(
|d: &mut sha2::Sha256| {
Digest::update(d, message);
Ok(())
},
&signature,
)
.is_ok()),
#[cfg(feature = "sha2")]
HashingAlgorithm::Sha384 => {
let hash = sha2::Sha384::digest(message);
Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
}
HashingAlgorithm::Sha384 => Ok(verifying_key
.verify_digest(
|d: &mut sha2::Sha384| {
Digest::update(d, message);
Ok(())
},
&signature,
)
.is_ok()),
#[cfg(feature = "sha2")]
HashingAlgorithm::Sha512 => {
let hash = sha2::Sha512::digest(message);
Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
}
HashingAlgorithm::Sha512 => Ok(verifying_key
.verify_digest(
|d: &mut sha2::Sha512| {
Digest::update(d, message);
Ok(())
},
&signature,
)
.is_ok()),
_ => Err(Error::WrapperError(WrapperErrorKind::UnsupportedParam)),
}
}
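Review bot: The four `verify_digest` arms in `verify_ecdsa` are identical except for the digest type, so the hash-algorithm mapping for quote verification is spread over some forty lines where a copy/paste slip (for example the `Sha384` arm hashing with `sha2::Sha256`) would be easy to miss. A small local macro, defined after `verifying_key` and `signature` are bound, keeps each arm to one line and leaves the `#[cfg(feature = ...)]` gates where they are. A short comment on the match would also help, stating that every verification error is folded into `Ok(false)` and that, within this match, `Err` is returned only for an unsupported algorithm. The start of `verify_ecdsa`'s body lies outside this hunk.

```rust
    // … unchanged: signature and verifying_key construction …
    macro_rules! verify_with {
        ($digest:ty) => {
            Ok(verifying_key
                .verify_digest(
                    |d: &mut $digest| {
                        Digest::update(d, message);
                        Ok(())
                    },
                    &signature,
                )
                .is_ok())
        };
    }

    match hashing_algorithm {
        #[cfg(feature = "sha1")]
        HashingAlgorithm::Sha1 => verify_with!(sha1::Sha1),
        #[cfg(feature = "sha2")]
        HashingAlgorithm::Sha256 => verify_with!(sha2::Sha256),
        #[cfg(feature = "sha2")]
        HashingAlgorithm::Sha384 => verify_with!(sha2::Sha384),
        #[cfg(feature = "sha2")]
        HashingAlgorithm::Sha512 => verify_with!(sha2::Sha512),
        // … unchanged: fallback arm returning UnsupportedParam …
```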
48 changes: 25 additions & 23 deletions tss-esapi/src/abstraction/public.rs
Expand Up @@ -9,16 +9,16 @@ use crate::{Error, WrapperErrorKind};
use core::convert::TryFrom;
use elliptic_curve::{
AffinePoint, CurveArithmetic, FieldBytesSize, PublicKey,
generic_array::typenum::Unsigned,
sec1::{EncodedPoint, FromEncodedPoint, ModulusSize, ToEncodedPoint},
array::typenum::Unsigned,
sec1::{FromSec1Point, ModulusSize, Sec1Point, ToSec1Point},
};

use x509_cert::spki::SubjectPublicKeyInfoOwned;

#[cfg(feature = "rsa")]
use {
crate::structures::RsaExponent,
rsa::{BigUint, RsaPublicKey},
rsa::{BoxedUint, RsaPublicKey},
};

#[cfg(any(
Expand All @@ -41,7 +41,7 @@ impl<C> TryFrom<&Public> for PublicKey<C>
where
C: CurveArithmetic + AssociatedTpmCurve,
FieldBytesSize<C>: ModulusSize,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
AffinePoint<C>: FromSec1Point<C> + ToSec1Point<C>,
{
type Error = Error;

Expand All @@ -57,15 +57,13 @@ where
let x = unique.x().as_bytes();
let y = unique.y().as_bytes();

if x.len() != FieldBytesSize::<C>::USIZE {
return Err(Error::local_error(WrapperErrorKind::InvalidParam));
}
if y.len() != FieldBytesSize::<C>::USIZE {
return Err(Error::local_error(WrapperErrorKind::InvalidParam));
}

let encoded_point =
EncodedPoint::<C>::from_affine_coordinates(x.into(), y.into(), false);
let encoded_point = Sec1Point::<C>::from_affine_coordinates(
x.try_into()
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
y.try_into()
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
false,
);
let public_key = PublicKey::<C>::try_from(&encoded_point)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;

Expand All @@ -86,10 +84,10 @@ impl TryFrom<&Public> for RsaPublicKey {
unique, parameters, ..
} => {
let exponent = match parameters.exponent() {
RsaExponent::ZERO_EXPONENT => BigUint::from(RSA_DEFAULT_EXP),
_ => BigUint::from(parameters.exponent().value()),
RsaExponent::ZERO_EXPONENT => BoxedUint::from(RSA_DEFAULT_EXP),
_ => BoxedUint::from(parameters.exponent().value()),
};
let modulus = BigUint::from_bytes_be(unique.as_bytes());
let modulus = BoxedUint::from_be_slice_vartime(unique.as_bytes());

let public_key = RsaPublicKey::new(modulus, exponent)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
Expand Down Expand Up @@ -163,7 +161,7 @@ impl<C> TryFrom<&TpmPublicKey> for PublicKey<C>
where
C: CurveArithmetic + AssociatedTpmCurve,
FieldBytesSize<C>: ModulusSize,
AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
AffinePoint<C>: FromSec1Point<C> + ToSec1Point<C>,
{
type Error = Error;

Expand All @@ -173,17 +171,21 @@ where
let x = x.as_slice();
let y = y.as_slice();

// TODO: When elliptic_curve bumps to 0.14, we can use the TryFrom implementation instead
// of checking lengths manually
if x.len() != FieldBytesSize::<C>::USIZE {
return Err(Error::local_error(WrapperErrorKind::InvalidParam));
}
if y.len() != FieldBytesSize::<C>::USIZE {
return Err(Error::local_error(WrapperErrorKind::InvalidParam));
}

let encoded_point =
EncodedPoint::<C>::from_affine_coordinates(x.into(), y.into(), false);
let encoded_point = Sec1Point::<C>::from_affine_coordinates(
x.try_into()
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
y.try_into()
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
false,
);

let public_key = PublicKey::<C>::try_from(&encoded_point)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;

Expand All @@ -201,8 +203,8 @@ impl TryFrom<&TpmPublicKey> for RsaPublicKey {
fn try_from(value: &TpmPublicKey) -> Result<Self, Self::Error> {
match value {
TpmPublicKey::Rsa(modulus) => {
let exponent = BigUint::from(RSA_DEFAULT_EXP);
let modulus = BigUint::from_bytes_be(modulus.as_slice());
let exponent = BoxedUint::from(RSA_DEFAULT_EXP);
let modulus = BoxedUint::from_be_slice_vartime(modulus.as_slice());

let public_key = RsaPublicKey::new(modulus, exponent)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
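Review bot: The two EC conversions end up inconsistent: going by the hunk line counts, `TryFrom<&Public>` drops the manual `x.len()`/`y.len()` checks in favour of `try_into()`, while `TryFrom<&TpmPublicKey>` appears to keep both checks in front of the same `try_into()` calls and loses only the TODO that asked for their removal. The `try_into()` conversions already map a wrong-length coordinate to `InvalidParam`, so the remaining checks can go, or a comment should say why they stay. Separately, both RSA conversions now call `BoxedUint::from_be_slice_vartime` with no explanation; a one-line comment such as `// RSA modulus is public key material, so variable-time parsing is acceptable` would save the next reader from re-auditing it.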
20 changes: 12 additions & 8 deletions tss-esapi/src/abstraction/signatures.rs
Expand Up @@ -8,16 +8,16 @@ use crate::{

use std::convert::TryFrom;

use ecdsa::SignatureSize;
use ecdsa::{EcdsaCurve, SignatureSize};
use elliptic_curve::{
FieldBytes, FieldBytesSize, PrimeCurve,
generic_array::{ArrayLength, typenum::Unsigned},
array::{ArraySize, typenum::Unsigned},
};

impl<C> TryFrom<&EccSignature> for ecdsa::Signature<C>
where
C: PrimeCurve,
SignatureSize<C>: ArrayLength<u8>,
C: PrimeCurve + EcdsaCurve,
SignatureSize<C>: ArraySize,
{
type Error = Error;

Expand All @@ -33,8 +33,12 @@ where
}

let signature = ecdsa::Signature::from_scalars(
FieldBytes::<C>::clone_from_slice(r),
FieldBytes::<C>::clone_from_slice(s),
FieldBytes::<C>::try_from(r)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?
.clone(),
FieldBytes::<C>::try_from(s)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?
.clone(),
)
.map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
Ok(signature)
Expand All @@ -43,8 +47,8 @@ where

impl<C> TryFrom<&Signature> for ecdsa::Signature<C>
where
C: PrimeCurve,
SignatureSize<C>: ArrayLength<u8>,
C: PrimeCurve + EcdsaCurve,
SignatureSize<C>: ArraySize,
{
type Error = Error;

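Review bot: The `.clone()` after each `FieldBytes::<C>::try_from(..)?` in the `from_scalars` call looks redundant, since the call names the owned `FieldBytes<C>` as the target type and the `?` already yields a value. If that holds for the array type in use, the arguments reduce to `FieldBytes::<C>::try_from(r).map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,` and the same for `s`. The closing `}` at the top of the hunk suggests a manual length check still precedes this call; if so, it is now duplicated by `try_from` and could be removed as well. The enclosing `try_from` body starts outside the hunk.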