diff --git a/src/core_api.rs b/src/core_api.rs index 2620205..fbc09a0 100644 --- a/src/core_api.rs +++ b/src/core_api.rs @@ -199,11 +199,9 @@ fn prepare_rsa_pkcs1v15(message: &[u8], keysize: usize) -> Result, Er const SERIALIZED_P256_LEN: usize = 64; const SERIALIZED_P384_LEN: usize = 96; -#[cfg(feature = "large-ecc")] -const SERIALIZED_P521_LEN: usize = 128; +const SERIALIZED_P521_LEN: usize = 132; const SERIALIZED_BRAINPOOL_P256R1_LEN: usize = 64; const SERIALIZED_BRAINPOOL_P384R1_LEN: usize = 96; -#[cfg(feature = "large-ecc")] const SERIALIZED_BRAINPOOL_P512R1_LEN: usize = 128; const MAX_SERIALIZED_LEN: usize = 128; @@ -581,7 +579,6 @@ impl> Se050Backend { Ok(reply::DeriveKey { key: result }) } - #[cfg(feature = "large-ecc")] KeyType::P521 => { let material = self .se @@ -636,7 +633,6 @@ impl> Se050Backend { Ok(reply::DeriveKey { key: result }) } - #[cfg(feature = "large-ecc")] KeyType::BrainpoolP512R1 => { let material = self .se @@ -732,11 +728,9 @@ impl> Se050Backend { KeyType::X255 => Kind::X255, KeyType::P256 => Kind::P256, KeyType::P384 => Kind::P384, - #[cfg(feature = "large-ecc")] KeyType::P521 => Kind::P521, KeyType::BrainpoolP256R1 => Kind::BrainpoolP256R1, KeyType::BrainpoolP384R1 => Kind::BrainpoolP384R1, - #[cfg(feature = "large-ecc")] KeyType::BrainpoolP512R1 => Kind::BrainpoolP512R1, KeyType::Rsa2048 | KeyType::Rsa3072 | KeyType::Rsa4096 => { unreachable!("Volatile rsa keys are derived in a separate function") @@ -960,11 +954,9 @@ impl> Se050Backend { Mechanism::X255 => (Kind::X255, KeyType::X255), Mechanism::P256 => (Kind::P256, KeyType::P256), Mechanism::P384 => (Kind::P384, KeyType::P384), - #[cfg(feature = "large-ecc")] Mechanism::P521 => (Kind::P521, KeyType::P521), Mechanism::BrainpoolP256R1 => (Kind::BrainpoolP256R1, KeyType::BrainpoolP256R1), Mechanism::BrainpoolP384R1 => (Kind::BrainpoolP384R1, KeyType::BrainpoolP384R1), - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => (Kind::BrainpoolP512R1, KeyType::BrainpoolP512R1), Mechanism::Rsa2048Raw | Mechanism::Rsa2048Pkcs1v15 => { return self.generate_volatile_rsa_key( @@ -1031,7 +1023,6 @@ impl> Se050Backend { error!("Failed to generate volatile key: {_err:?}"); Error::FunctionFailed })?, - #[cfg(feature = "large-ecc")] Mechanism::P521 => self .se .run_command(&generate_p521(object_id.0, true), buf) @@ -1053,7 +1044,6 @@ impl> Se050Backend { error!("Failed to generate volatile key: {_err:?}"); Error::FunctionFailed })?, - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => self .se .run_command(&generate_brainpool_p512r1(object_id.0, true), buf) @@ -1130,7 +1120,6 @@ impl> Se050Backend { Error::FunctionFailed })?, Mechanism::P384Prehashed => return Err(Error::MechanismParamInvalid), - #[cfg(feature = "large-ecc")] Mechanism::P521 => self .se .run_command(&generate_p521(object_id.0, false), buf) @@ -1138,7 +1127,6 @@ impl> Se050Backend { error!("Failed to generate key: {_err:?}"); Error::FunctionFailed })?, - #[cfg(feature = "large-ecc")] Mechanism::P521Prehashed => return Err(Error::MechanismParamInvalid), Mechanism::BrainpoolP256R1 => self .se @@ -1156,7 +1144,6 @@ impl> Se050Backend { Error::FunctionFailed })?, Mechanism::BrainpoolP384R1Prehashed => return Err(Error::MechanismParamInvalid), - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => self .se .run_command(&generate_brainpool_p512r1(object_id.0, false), buf) @@ -1164,7 +1151,6 @@ impl> Se050Backend { error!("Failed to generate key: {_err:?}"); Error::FunctionFailed })?, - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1Prehashed => return Err(Error::MechanismParamInvalid), Mechanism::Rsa2048Raw | Mechanism::Rsa2048Pkcs1v15 => self .se @@ -1199,11 +1185,9 @@ impl> Se050Backend { // TODO First write curve somehow Mechanism::P256 => KeyType::P256, Mechanism::P384 => KeyType::P384, - #[cfg(feature = "large-ecc")] Mechanism::P521 => KeyType::P521, Mechanism::BrainpoolP256R1 => KeyType::BrainpoolP256R1, Mechanism::BrainpoolP384R1 => KeyType::BrainpoolP384R1, - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => KeyType::BrainpoolP512R1, Mechanism::Rsa2048Raw | Mechanism::Rsa2048Pkcs1v15 => KeyType::Rsa2048, Mechanism::Rsa3072Raw | Mechanism::Rsa3072Pkcs1v15 => KeyType::Rsa3072, @@ -1230,11 +1214,9 @@ impl> Se050Backend { let kind = match (req.mechanism, priv_parsed_ty) { (Mechanism::P256, KeyType::P256) => Kind::P256, (Mechanism::P384, KeyType::P384) => Kind::P384, - #[cfg(feature = "large-ecc")] (Mechanism::P521, KeyType::P521) => Kind::P521, (Mechanism::BrainpoolP256R1, KeyType::BrainpoolP256R1) => Kind::BrainpoolP256R1, (Mechanism::BrainpoolP384R1, KeyType::BrainpoolP384R1) => Kind::BrainpoolP384R1, - #[cfg(feature = "large-ecc")] (Mechanism::BrainpoolP512R1, KeyType::BrainpoolP512R1) => Kind::BrainpoolP512R1, (Mechanism::X255, KeyType::X255) => Kind::X255, _ => return Err(Error::WrongKeyKind), @@ -1680,7 +1662,6 @@ impl> Se050Backend { (Mechanism::P384Prehashed, KeyType::P384) => { (Kind::P384, EcDsaSignatureAlgo::Sha384, 48) } - #[cfg(feature = "large-ecc")] (Mechanism::P521Prehashed, KeyType::P521) => { (Kind::P521, EcDsaSignatureAlgo::Sha512, 66) } @@ -1690,7 +1671,6 @@ impl> Se050Backend { (Mechanism::BrainpoolP384R1Prehashed, KeyType::BrainpoolP384R1) => { (Kind::BrainpoolP384R1, EcDsaSignatureAlgo::Sha384, 48) } - #[cfg(feature = "large-ecc")] (Mechanism::BrainpoolP512R1Prehashed, KeyType::BrainpoolP512R1) => { (Kind::BrainpoolP512R1, EcDsaSignatureAlgo::Sha512, 64) } @@ -1826,7 +1806,6 @@ impl> Se050Backend { core_keystore, ns, ), - #[cfg(feature = "large-ecc")] Mechanism::P521Prehashed => self.verify_ecdsa_prehashed( req, Kind::P521, @@ -1851,7 +1830,6 @@ impl> Se050Backend { core_keystore, ns, ), - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1Prehashed => self.verify_ecdsa_prehashed( req, Kind::BrainpoolP512R1, @@ -2100,11 +2078,9 @@ impl> Se050Backend { match req.mechanism { Mechanism::P256 => self.deserialize_p256_key(req, core_keystore), Mechanism::P384 => self.deserialize_p384_key(req, core_keystore), - #[cfg(feature = "large-ecc")] Mechanism::P521 => self.deserialize_p521_key(req, core_keystore), Mechanism::BrainpoolP256R1 => self.deserialize_brainpool_p256r1_key(req, core_keystore), Mechanism::BrainpoolP384R1 => self.deserialize_brainpool_p384r1_key(req, core_keystore), - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => self.deserialize_brainpool_p512r1_key(req, core_keystore), Mechanism::X255 => self.deserialize_x255_key(req, core_keystore), Mechanism::Ed255 => self.deserialize_ed255_key(req, core_keystore), @@ -2168,7 +2144,6 @@ impl> Se050Backend { self.deserialize_ec_key(req, core_keystore, Kind::P384, SERIALIZED_P384_LEN) } - #[cfg(feature = "large-ecc")] fn deserialize_p521_key( &mut self, req: &request::DeserializeKey, @@ -2203,7 +2178,6 @@ impl> Se050Backend { ) } - #[cfg(feature = "large-ecc")] fn deserialize_brainpool_p512r1_key( &mut self, req: &request::DeserializeKey, @@ -2297,11 +2271,9 @@ impl> Se050Backend { match req.mechanism { Mechanism::P256 => self.serialize_p256_key(req, core_keystore), Mechanism::P384 => self.serialize_p384_key(req, core_keystore), - #[cfg(feature = "large-ecc")] Mechanism::P521 => self.serialize_p521_key(req, core_keystore), Mechanism::BrainpoolP256R1 => self.serialize_brainpool_p256r1_key(req, core_keystore), Mechanism::BrainpoolP384R1 => self.serialize_brainpool_p384r1_key(req, core_keystore), - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => self.serialize_brainpool_p512r1_key(req, core_keystore), Mechanism::X255 => self.serialize_x255_key(req, core_keystore), Mechanism::Ed255 => self.serialize_ed255_key(req, core_keystore), @@ -2356,7 +2328,6 @@ impl> Se050Backend { ) -> Result { self.serialize_ec_key(req, core_keystore, Kind::P384, SERIALIZED_P384_LEN) } - #[cfg(feature = "large-ecc")] fn serialize_p521_key( &mut self, req: &request::SerializeKey, @@ -2388,7 +2359,6 @@ impl> Se050Backend { SERIALIZED_BRAINPOOL_P384R1_LEN, ) } - #[cfg(feature = "large-ecc")] fn serialize_brainpool_p512r1_key( &mut self, req: &request::SerializeKey, @@ -2470,8 +2440,33 @@ impl> Se050Backend { | ParsedObjectId::SaltValue(_) => return Err(Error::ObjectHandleInvalid), // We delete the exported data, which can be imported again if unwrapped. - ParsedObjectId::VolatileKey(_obj_id) => { - debug!("Clearing data for {:?}", _obj_id.0); + ParsedObjectId::VolatileKey(object_id) => { + debug!("Clearing data for {:?}", object_id.0); + let r = self + .se + .run_command( + &CheckObjectExists { + object_id: object_id.0, + }, + &mut [0; 10], + ) + .map_err(|_err| { + error_now!("Failed to check still existence of volatile key: {_err:?}"); + Error::FunctionFailed + })?; + if r.result.is_success() { + self.se + .run_command( + &DeleteSecureObject { + object_id: object_id.0, + }, + &mut [0; 10], + ) + .map_err(|_err| { + error_now!("Failed to delete volatile key: {_err:?}"); + Error::FunctionFailed + })?; + } se050_keystore.delete_key(&req.key) } // We delete the key that protects the actual RSA private key data, which can be imported again if unwrapped. @@ -2566,6 +2561,64 @@ impl> Se050Backend { Ok(()) } + fn re_import_volatile( + &mut self, + id: VolatileObjectId, + ty: KeyType, + material: &[u8], + buf: &mut [u8], + ) -> Result<(), Error> { + let res = self + .se + .run_command(&CheckObjectExists { object_id: id.0 }, buf) + .map_err(|_err| { + error!("Failed to check existence"); + Error::FunctionFailed + })?; + if !res.result.is_success() { + let curve = match ty { + KeyType::Ed255 => EcCurve::IdEccEd25519, + KeyType::X255 => EcCurve::IdEccMontDh25519, + KeyType::P256 => EcCurve::NistP256, + KeyType::P384 => EcCurve::NistP384, + KeyType::P521 => EcCurve::NistP521, + KeyType::BrainpoolP256R1 => EcCurve::Brainpool256, + KeyType::BrainpoolP384R1 => EcCurve::Brainpool384, + KeyType::BrainpoolP512R1 => EcCurve::Brainpool512, + _ => unreachable!(), + }; + self.se + .run_command( + &WriteEcKey::builder() + .key_type(P1KeyType::KeyPair) + .object_id(id.0) + .policy(POLICY) + .transient(true) + .curve(curve) + .build(), + buf, + ) + .map_err(|_err| { + error!("Failed to re-import volatile key: {_err:?}"); + Error::FunctionFailed + })?; + } + + self.se + .run_command( + &ImportObject::builder() + .transient(true) + .object_id(id.0) + .serialized_object(material) + .build(), + buf, + ) + .map_err(|_err| { + error!("Failed to re-import volatile key: {_err:?}"); + Error::FunctionFailed + }) + } + pub(crate) fn unwrap_key( &mut self, req: &request::UnwrapKey, @@ -2630,11 +2683,9 @@ impl> Se050Backend { Kind::X255 => KeyType::X255, Kind::P256 => KeyType::P256, Kind::P384 => KeyType::P384, - #[cfg(feature = "large-ecc")] Kind::P521 => KeyType::P521, Kind::BrainpoolP256R1 => KeyType::BrainpoolP256R1, Kind::BrainpoolP384R1 => KeyType::BrainpoolP384R1, - #[cfg(feature = "large-ecc")] Kind::BrainpoolP512R1 => KeyType::BrainpoolP512R1, _ => return Err(Error::FunctionFailed), }; @@ -2649,7 +2700,12 @@ impl> Se050Backend { } else { return Err(Error::ObjectHandleInvalid); } - self.ensure_exists(mat.object_id.0, &mut [0; 128])?; + self.re_import_volatile( + mat.object_id, + key_ty, + mat.exported_material, + &mut [0; 128], + )?; key_id_for_obj(mat.object_id.0, key_ty) } WrappedKeyType::VolatileRsa => { @@ -3045,11 +3101,9 @@ impl> Se050Backend { Mechanism::X255 => (Kind::X255, KeyType::X255), Mechanism::P256 => (Kind::P256, KeyType::P256), Mechanism::P384 => (Kind::P384, KeyType::P384), - #[cfg(feature = "large-ecc")] Mechanism::P521 => (Kind::P521, KeyType::P521), Mechanism::BrainpoolP256R1 => (Kind::BrainpoolP256R1, KeyType::BrainpoolP256R1), Mechanism::BrainpoolP384R1 => (Kind::BrainpoolP384R1, KeyType::BrainpoolP384R1), - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => (Kind::BrainpoolP512R1, KeyType::BrainpoolP512R1), Mechanism::Rsa2048Raw | Mechanism::Rsa2048Pkcs1v15 => { return self.unsafe_inject_volatile_rsa( @@ -3187,7 +3241,6 @@ impl> Se050Backend { Error::FunctionFailed })?; } - #[cfg(feature = "large-ecc")] Mechanism::P521 => { // TODO: Find a way to get the public key, so that `derive` works self.se @@ -3245,7 +3298,6 @@ impl> Se050Backend { Error::FunctionFailed })?; } - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => { // TODO: Find a way to get the public key, so that `derive` works self.se @@ -3445,7 +3497,6 @@ impl> Se050Backend { Error::FunctionFailed })?; } - #[cfg(feature = "large-ecc")] Mechanism::P521Prehashed | Mechanism::P521 => { // TODO: Check if public key is required self.se @@ -3500,7 +3551,6 @@ impl> Se050Backend { Error::FunctionFailed })?; } - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1Prehashed | Mechanism::BrainpoolP512R1 => { // TODO: Find a way to get the public key, so that `derive` works self.se @@ -3539,11 +3589,9 @@ impl> Se050Backend { // TODO First write curve somehow Mechanism::P256 => KeyType::P256, Mechanism::P384 => KeyType::P384, - #[cfg(feature = "large-ecc")] Mechanism::P521 => KeyType::P521, Mechanism::BrainpoolP256R1 => KeyType::BrainpoolP256R1, Mechanism::BrainpoolP384R1 => KeyType::BrainpoolP384R1, - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1 => KeyType::BrainpoolP512R1, Mechanism::Rsa2048Raw | Mechanism::Rsa2048Pkcs1v15 => KeyType::Rsa2048, Mechanism::Rsa3072Raw | Mechanism::Rsa3072Pkcs1v15 => KeyType::Rsa3072, @@ -3643,7 +3691,6 @@ fn generate_p384(object_id: ObjectId, transient: bool) -> WriteEcKey<'static> { generate_ec_key(object_id, transient, EcCurve::NistP384) } -#[cfg(feature = "large-ecc")] fn generate_p521(object_id: ObjectId, transient: bool) -> WriteEcKey<'static> { generate_ec_key(object_id, transient, EcCurve::NistP521) } @@ -3656,7 +3703,6 @@ fn generate_brainpool_p384r1(object_id: ObjectId, transient: bool) -> WriteEcKey generate_ec_key(object_id, transient, EcCurve::Brainpool384) } -#[cfg(feature = "large-ecc")] fn generate_brainpool_p512r1(object_id: ObjectId, transient: bool) -> WriteEcKey<'static> { generate_ec_key(object_id, transient, EcCurve::Brainpool512) } @@ -3679,17 +3725,13 @@ fn supported(mechanism: Mechanism) -> bool { Mechanism::P256Prehashed, Mechanism::P384, Mechanism::P384Prehashed, - #[cfg(feature = "large-ecc")] Mechanism::P521, - #[cfg(feature = "large-ecc")] Mechanism::P521Prehashed, Mechanism::BrainpoolP256R1, Mechanism::BrainpoolP256R1Prehashed, Mechanism::BrainpoolP384R1, Mechanism::BrainpoolP384R1Prehashed, - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1, - #[cfg(feature = "large-ecc")] Mechanism::BrainpoolP512R1Prehashed, Mechanism::Rsa2048Raw, Mechanism::Rsa3072Raw, diff --git a/src/lib.rs b/src/lib.rs index 6434585..360d8af 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -42,7 +42,7 @@ const BACKEND_DIR: &Path = path!("se050-bak"); pub const GLOBAL_ATTEST_ID: ObjectId = ObjectId(hex!("F0000012")); /// The version to know wether it should be re-configured -pub const SE050_CONFIGURE_VERSION: u32 = 2; +pub const SE050_CONFIGURE_VERSION: u32 = 3; pub enum Se05xLocation { Persistent, @@ -200,7 +200,7 @@ mod tests { // History of previous SE050_CONFIGURE_VERSION and the curves they used let curves_versions: &[(u32, &[_])] = &[ ( - 2, + 3, &[ PRIME256V1_INITIALIZER, SECP384R1_INITIALIZER, @@ -210,6 +210,16 @@ mod tests { BRAINPOOL_P512R1_INITIALIZER, ], ), + ( + 2, + &[ + PRIME256V1_INITIALIZER, + SECP384R1_INITIALIZER, + SECP521R1_INITIALIZER, + BRAINPOOL_P256R1_INITIALIZER, + BRAINPOOL_P384R1_INITIALIZER, + ], + ), (1, &[PRIME256V1_INITIALIZER, SECP521R1_INITIALIZER]), (0, &[]), ]; diff --git a/src/namespacing.rs b/src/namespacing.rs index 48c0d78..6aedffc 100644 --- a/src/namespacing.rs +++ b/src/namespacing.rs @@ -349,11 +349,9 @@ enum_number! { Rsa3072 = 0x5, Rsa4096 = 0x6, P384 = 0x7, - #[cfg(feature = "large-ecc")] P521 = 0x8, BrainpoolP256R1 = 0x9, BrainpoolP384R1 = 0xA, - #[cfg(feature = "large-ecc")] BrainpoolP512R1 = 0xB, } } @@ -365,11 +363,9 @@ impl KeyType { Self::X255 => Kind::X255, Self::P256 => Kind::P256, Self::P384 => Kind::P384, - #[cfg(feature = "large-ecc")] Self::P521 => Kind::P521, Self::BrainpoolP256R1 => Kind::BrainpoolP256R1, Self::BrainpoolP384R1 => Kind::BrainpoolP384R1, - #[cfg(feature = "large-ecc")] Self::BrainpoolP512R1 => Kind::BrainpoolP512R1, Self::Rsa2048 => Kind::Rsa2048, Self::Rsa3072 => Kind::Rsa3072,