Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add RSA 3072 bits tests #143

Merged
merged 4 commits into from
Apr 25, 2023
Merged

Add RSA 3072 bits tests #143

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
518070c
Add RSA3072 tests
sosthene-nitrokey Apr 17, 2023
9f09896
Add gen flags for rsa2048 and rsa3072
sosthene-nitrokey Apr 18, 2023
4063c34
Put rsa key import behind flags
sosthene-nitrokey Apr 18, 2023
e8146d2
Document RSA 3072 support
sosthene-nitrokey Apr 19, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,11 @@ virt = ["std", "trussed/virt"]

rsa = ["trussed-rsa-alloc"]
rsa2048 = ["rsa"]
rsa4096 = ["rsa2048"]
rsa4096-gen = ["rsa4096"]
rsa2048-gen = ["rsa2048"]
rsa3072 = ["rsa2048"]
rsa3072-gen = ["rsa3072", "rsa2048-gen"]
rsa4096 = ["rsa3072"]
rsa4096-gen = ["rsa4096", "rsa3072-gen"]

dangerous-test-real-card = []

Expand Down
8 changes: 4 additions & 4 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,16 @@ fix:

.PHONY: test
test:
cargo test --features vpicc,rsa2048,rsa4096-gen gpg_crypto,sequoia_gen_key
cargo test --features vpicc,rsa2048,rsa4096
cargo test --features vpicc,rsa4096-gen gpg_crypto,sequoia_gen_key
cargo test --features vpicc,rsa4096


.PHONY: test
dangerous-real-card-test:
ps aux | grep pcscd | grep -v grep || sudo pcscd
cargo test --features rsa4096,dangerous-test-real-card sequoia
cargo test --features rsa2048-gen,rsa4096,dangerous-test-real-card sequoia
sudo pkill pcscd
cargo test --features rsa4096,dangerous-test-real-card gpg
cargo test --features rsa2048-gen,rsa4096,dangerous-test-real-card gpg

.PHONY: fuzz
fuzz: fuzz-corpus
Expand Down
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ key import, signing, decrypting, card administration).
Here are the currently supported algorithms:

- RSA-2048
- RSA-3072 (no key generation, key import only)
- RSA-4096 (no key generation, key import only)
robin-nitrokey marked this conversation as resolved.
Show resolved Hide resolved
- EcDSA and ECDH for P256
- EdDSA and ECDH for Curve25519
Expand Down
74 changes: 55 additions & 19 deletions src/command/gen.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,16 +38,31 @@ pub fn sign<const R: usize, T: trussed::Client + AuthClient>(
gen_ec_key(ctx.lend(), KeyType::Sign, CurveAlgo::EcDsaP256)
}
SignatureAlgorithm::Rsa2048 => {
gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa2048Pkcs1v15)
#[cfg(feature = "rsa2048-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa2048Pkcs1v15);
#[cfg(not(feature = "rsa2048-gen"))]
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
SignatureAlgorithm::Rsa3072 => {
gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa3072Pkcs1v15)
#[cfg(feature = "rsa3072-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa3072Pkcs1v15);
#[cfg(not(feature = "rsa3072-gen"))]
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
SignatureAlgorithm::Rsa4096 => {
#[cfg(feature = "rsa4096-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Sign, Mechanism::Rsa4096Pkcs1v15);
#[cfg(not(feature = "rsa4096-gen"))]
return Err(Status::FunctionNotSupported);
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
}
}
Expand All @@ -61,16 +76,31 @@ pub fn dec<const R: usize, T: trussed::Client + AuthClient>(
DecryptionAlgorithm::X255 => gen_ec_key(ctx.lend(), KeyType::Dec, CurveAlgo::X255),
DecryptionAlgorithm::EcDhP256 => gen_ec_key(ctx.lend(), KeyType::Dec, CurveAlgo::EcDhP256),
DecryptionAlgorithm::Rsa2048 => {
gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa2048Pkcs1v15)
#[cfg(feature = "rsa2048-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa2048Pkcs1v15);
#[cfg(not(feature = "rsa2048-gen"))]
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
DecryptionAlgorithm::Rsa3072 => {
gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa3072Pkcs1v15)
#[cfg(feature = "rsa3072-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa3072Pkcs1v15);
#[cfg(not(feature = "rsa3072-gen"))]
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
DecryptionAlgorithm::Rsa4096 => {
#[cfg(feature = "rsa4096-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Dec, Mechanism::Rsa4096Pkcs1v15);
#[cfg(not(feature = "rsa4096-gen"))]
return Err(Status::FunctionNotSupported);
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
}
}
Expand All @@ -86,21 +116,36 @@ pub fn aut<const R: usize, T: trussed::Client + AuthClient>(
gen_ec_key(ctx.lend(), KeyType::Aut, CurveAlgo::EcDsaP256)
}
AuthenticationAlgorithm::Rsa2048 => {
gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa2048Pkcs1v15)
#[cfg(feature = "rsa2048-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa2048Pkcs1v15);
#[cfg(not(feature = "rsa2048-gen"))]
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
AuthenticationAlgorithm::Rsa3072 => {
gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa3072Pkcs1v15)
#[cfg(feature = "rsa3072-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa3072Pkcs1v15);
#[cfg(not(feature = "rsa3072-gen"))]
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
AuthenticationAlgorithm::Rsa4096 => {
#[cfg(feature = "rsa4096-gen")]
return gen_rsa_key(ctx.lend(), KeyType::Aut, Mechanism::Rsa4096Pkcs1v15);
#[cfg(not(feature = "rsa4096-gen"))]
return Err(Status::FunctionNotSupported);
{
warn!("Attempt to generate key disabled {:?}", algo);
return Err(Status::FunctionNotSupported);
}
}
}
}

#[cfg(feature = "rsa")]
#[cfg(feature = "rsa2048-gen")]
fn gen_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
mut ctx: LoadedContext<'_, R, T>,
key: KeyType,
Expand Down Expand Up @@ -318,15 +363,6 @@ fn read_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
Ok(())
}

#[cfg(not(feature = "rsa"))]
fn gen_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
_ctx: LoadedContext<'_, R, T>,
_key: KeyType,
_mechanism: Mechanism,
) -> Result<(), Status> {
Err(Status::FunctionNotSupported)
}

#[cfg(not(feature = "rsa"))]
fn read_rsa_key<const R: usize, T: trussed::Client + AuthClient>(
_ctx: LoadedContext<'_, R, T>,
Expand Down
10 changes: 10 additions & 0 deletions src/command/private_key_template.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,16 @@ fn put_rsa<const R: usize, T: trussed::Client + AuthClient>(
ctx: LoadedContext<'_, R, T>,
mechanism: Mechanism,
) -> Result<Option<(KeyId, KeyId)>, Status> {
match mechanism {
#[cfg(feature = "rsa2048")]
Mechanism::Rsa2048Pkcs1v15 => {}
#[cfg(feature = "rsa3072")]
Mechanism::Rsa3072Pkcs1v15 => {}
#[cfg(feature = "rsa4096")]
Mechanism::Rsa4096Pkcs1v15 => {}
_ => return Err(Status::FunctionNotSupported),
};

let key_data = parse_rsa_template(ctx.data).ok_or_else(|| {
warn!("Unable to parse RSA key");
Status::IncorrectDataParameter
Expand Down
Loading