Merge pull request #143 from Nitrokey/rsa3072-tests

Add RSA 3072 bits tests
Nitrokey · Apr 25, 2023 · d2ed9c4 · d2ed9c4
2 parents 3a2546e + e8146d2
commit d2ed9c4
Show file tree

Hide file tree

Showing 9 changed files with 719 additions and 38 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -68,8 +68,11 @@ virt = ["std", "trussed/virt"]
 
 rsa = ["trussed-rsa-alloc"]
 rsa2048 = ["rsa"]
-rsa4096 = ["rsa2048"]
-rsa4096-gen = ["rsa4096"]
+rsa2048-gen = ["rsa2048"]
+rsa3072 = ["rsa2048"]
+rsa3072-gen = ["rsa3072", "rsa2048-gen"]
+rsa4096 = ["rsa3072"]
+rsa4096-gen = ["rsa4096", "rsa3072-gen"]
 
 dangerous-test-real-card = []
 

diff --git a/Makefile b/Makefile
@@ -33,16 +33,16 @@ fix:
 
 .PHONY: test
 test:
-	cargo test --features vpicc,rsa2048,rsa4096-gen gpg_crypto,sequoia_gen_key
-	cargo test --features vpicc,rsa2048,rsa4096
+	cargo test --features vpicc,rsa4096-gen gpg_crypto,sequoia_gen_key
+	cargo test --features vpicc,rsa4096
 
 
 .PHONY: test
 dangerous-real-card-test:
 	ps aux | grep pcscd | grep -v grep || sudo pcscd
-	cargo test --features rsa4096,dangerous-test-real-card sequoia
+	cargo test --features rsa2048-gen,rsa4096,dangerous-test-real-card sequoia
 	sudo pkill pcscd
-	cargo test --features rsa4096,dangerous-test-real-card gpg
+	cargo test --features rsa2048-gen,rsa4096,dangerous-test-real-card gpg
 
 .PHONY: fuzz
 fuzz: fuzz-corpus

diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ key import, signing, decrypting, card administration).
 Here are the currently supported algorithms:
 
 - RSA-2048
+- RSA-3072 (no key generation, key import only)
 - RSA-4096 (no key generation, key import only)
 - EcDSA and ECDH for P256
 - EdDSA and ECDH for Curve25519

diff --git a/src/command/gen.rs b/src/command/gen.rs
@@ -38,16 +38,31 @@ pub fn sign<const R: usize, T: trussed::Client + AuthClient>(
             gen_ec_key(ctx.lend(), KeyType::Sign, CurveAlgo::EcDsaP256)
         }
         SignatureAlgorithm::Rsa2048 => {
-            gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa2048Pkcs1v15)
+            #[cfg(feature = "rsa2048-gen")]
+            return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa2048Pkcs1v15);
+            #[cfg(not(feature = "rsa2048-gen"))]
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
         SignatureAlgorithm::Rsa3072 => {
-            gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa3072Pkcs1v15)
+            #[cfg(feature = "rsa3072-gen")]
+            return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa3072Pkcs1v15);
+            #[cfg(not(feature = "rsa3072-gen"))]
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
         SignatureAlgorithm::Rsa4096 => {
             #[cfg(feature = "rsa4096-gen")]
             return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa4096Pkcs1v15);
             #[cfg(not(feature = "rsa4096-gen"))]
-            return Err(Status::FunctionNotSupported);
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
     }
 }
@@ -61,16 +76,31 @@ pub fn dec<const R: usize, T: trussed::Client + AuthClient>(
         DecryptionAlgorithm::X255 => gen_ec_key(ctx.lend(), KeyType::Dec, CurveAlgo::X255),
         DecryptionAlgorithm::EcDhP256 => gen_ec_key(ctx.lend(), KeyType::Dec, CurveAlgo::EcDhP256),
         DecryptionAlgorithm::Rsa2048 => {
-            gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa2048Pkcs1v15)
+            #[cfg(feature = "rsa2048-gen")]
+            return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa2048Pkcs1v15);
+            #[cfg(not(feature = "rsa2048-gen"))]
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
         DecryptionAlgorithm::Rsa3072 => {
-            gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa3072Pkcs1v15)
+            #[cfg(feature = "rsa3072-gen")]
+            return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa3072Pkcs1v15);
+            #[cfg(not(feature = "rsa3072-gen"))]
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
         DecryptionAlgorithm::Rsa4096 => {
             #[cfg(feature = "rsa4096-gen")]
             return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa4096Pkcs1v15);
             #[cfg(not(feature = "rsa4096-gen"))]
-            return Err(Status::FunctionNotSupported);
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
     }
 }
@@ -86,21 +116,36 @@ pub fn aut<const R: usize, T: trussed::Client + AuthClient>(
             gen_ec_key(ctx.lend(), KeyType::Aut, CurveAlgo::EcDsaP256)
         }
         AuthenticationAlgorithm::Rsa2048 => {
-            gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa2048Pkcs1v15)
+            #[cfg(feature = "rsa2048-gen")]
+            return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa2048Pkcs1v15);
+            #[cfg(not(feature = "rsa2048-gen"))]
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
         AuthenticationAlgorithm::Rsa3072 => {
-            gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa3072Pkcs1v15)
+            #[cfg(feature = "rsa3072-gen")]
+            return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa3072Pkcs1v15);
+            #[cfg(not(feature = "rsa3072-gen"))]
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
         AuthenticationAlgorithm::Rsa4096 => {
             #[cfg(feature = "rsa4096-gen")]
             return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa4096Pkcs1v15);
             #[cfg(not(feature = "rsa4096-gen"))]
-            return Err(Status::FunctionNotSupported);
+            {
+                warn!("Attempt to generate key disabled {:?}", algo);
+                return Err(Status::FunctionNotSupported);
+            }
         }
     }
 }
 
-#[cfg(feature = "rsa")]
+#[cfg(feature = "rsa2048-gen")]
 fn gen_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
     mut ctx: LoadedContext<'_, R, T>,
     key: KeyType,
@@ -318,15 +363,6 @@ fn read_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
     Ok(())
 }
 
-#[cfg(not(feature = "rsa"))]
-fn gen_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
-    _ctx: LoadedContext<'_, R, T>,
-    _key: KeyType,
-    _mechanism: Mechanism,
-) -> Result<(), Status> {
-    Err(Status::FunctionNotSupported)
-}
-
 #[cfg(not(feature = "rsa"))]
 fn read_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
     _ctx: LoadedContext<'_, R, T>,

diff --git a/src/command/private_key_template.rs b/src/command/private_key_template.rs
@@ -208,6 +208,16 @@ fn put_rsa<const R: usize, T: trussed::Client + AuthClient>(
     ctx: LoadedContext<'_, R, T>,
     mechanism: Mechanism,
 ) -> Result<Option<(KeyId, KeyId)>, Status> {
+    match mechanism {
+        #[cfg(feature = "rsa2048")]
+        Mechanism::Rsa2048Pkcs1v15 => {}
+        #[cfg(feature = "rsa3072")]
+        Mechanism::Rsa3072Pkcs1v15 => {}
+        #[cfg(feature = "rsa4096")]
+        Mechanism::Rsa4096Pkcs1v15 => {}
+        _ => return Err(Status::FunctionNotSupported),
+    };
+
     let key_data = parse_rsa_template(ctx.data).ok_or_else(|| {
         warn!("Unable to parse RSA key");
         Status::IncorrectDataParameter