
Commit 04b5d14

authored
Merge pull request #124 from ionut-arm/attestation
Add key attestation operations
2 parents e677bfd + b4da173 commit 04b5d14

11 files changed

+1052
-15
lines changed

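--- a/src/operations/attest_key.rs
+++ b/src/operations/attest_key.rs
@@ -0,0 +1,41 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! # AttestKey operation
+//!
+//! Produce an attestation token as proof that the given
+//! key was produced and is stored in the hardware backend.
+use derivative::Derivative;
+use zeroize::Zeroizing;
+
+/// Native operation for key attestation
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Operation {
+/// Attestation via TPM 2.0 ActivateCredential operation
+ActivateCredential {
+/// Name of key to be attested
+attested_key_name: String,
+/// Blob of data representing the encrypted credential
+#[derivative(Debug = "ignore")]
+credential_blob: Zeroizing<Vec<u8>>,
+/// Blob of data representing the encrypted secret
+#[derivative(Debug = "ignore")]
+secret: Zeroizing<Vec<u8>>,
+/// Name of key to be used for attesting
+attesting_key_name: Option<String>,
+},
+}
+
+/// Native result of key attestation
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Result {
+/// Result of attestation via TPM 2.0 ActivateCredential operation
+ActivateCredential {
+/// Decrypted credential
+#[derivative(Debug = "ignore")]
+credential: Zeroizing<Vec<u8>>,
+},
+}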
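Review bot: The doc comment on `attesting_key_name: Option<String>` in `Operation::ActivateCredential` does not say which key is used when the field is `None`, so a caller cannot tell from the type which identity ends up vouching for the attested key. State the fallback in the field doc, for example `/// Name of key to be used for attesting; if None, the provider's default attesting key is used` (wording to be confirmed against the provider behaviour, which this file does not show). The docs on `credential_blob` and `secret` would also benefit from naming the expected encoding of each blob. The one on `Result::ActivateCredential::credential` could say that the decrypted value is meant to be returned to the party that issued the challenge and should not be logged or persisted.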

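--- a/src/operations/mod.rs
+++ b/src/operations/mod.rs
@@ -35,6 +35,8 @@ pub mod delete_client;
 pub mod list_clients;
 pub mod psa_generate_random;
 pub mod psa_raw_key_agreement;
+pub mod attest_key;
+pub mod prepare_key_attestation;
 
 pub use psa_crypto::types::algorithm as psa_algorithm;
 pub use psa_crypto::types::key as psa_key_attributes;
@@ -97,6 +99,10 @@ pub enum NativeOperation {
 PsaSignMessage(psa_sign_message::Operation),
 /// PsaVerifyMessage operation
 PsaVerifyMessage(psa_verify_message::Operation),
+/// AttestKey operation
+AttestKey(attest_key::Operation),
+/// PrepareKeyAttestation operation
+PrepareKeyAttestation(prepare_key_attestation::Operation),
 }
 
 impl NativeOperation {
@@ -129,6 +135,8 @@ impl NativeOperation {
 NativeOperation::PsaRawKeyAgreement(_) => Opcode::PsaRawKeyAgreement,
 NativeOperation::PsaSignMessage(_) => Opcode::PsaSignMessage,
 NativeOperation::PsaVerifyMessage(_) => Opcode::PsaVerifyMessage,
+NativeOperation::AttestKey(_) => Opcode::AttestKey,
+NativeOperation::PrepareKeyAttestation(_) => Opcode::PrepareKeyAttestation,
 }
 }
 }
@@ -189,6 +197,10 @@ pub enum NativeResult {
 PsaSignMessage(psa_sign_message::Result),
 /// PsaVerifyMessage result
 PsaVerifyMessage(psa_verify_message::Result),
+/// AttestKey result
+AttestKey(attest_key::Result),
+/// AttestKey result
+PrepareKeyAttestation(prepare_key_attestation::Result),
 }
 
 impl NativeResult {
@@ -221,6 +233,8 @@ impl NativeResult {
 NativeResult::PsaRawKeyAgreement(_) => Opcode::PsaRawKeyAgreement,
 NativeResult::PsaSignMessage(_) => Opcode::PsaSignMessage,
 NativeResult::PsaVerifyMessage(_) => Opcode::PsaVerifyMessage,
+NativeResult::AttestKey(_) => Opcode::AttestKey,
+NativeResult::PrepareKeyAttestation(_) => Opcode::PrepareKeyAttestation,
 }
 }
 }
@@ -393,22 +407,36 @@ impl From<psa_hash_compare::Operation> for NativeOperation {
 NativeOperation::PsaHashCompare(op)
 }
 }
+
 impl From<psa_raw_key_agreement::Operation> for NativeOperation {
 fn from(op: psa_raw_key_agreement::Operation) -> Self {
 NativeOperation::PsaRawKeyAgreement(op)
 }
 }
+
 impl From<psa_sign_message::Operation> for NativeOperation {
 fn from(op: psa_sign_message::Operation) -> Self {
 NativeOperation::PsaSignMessage(op)
 }
 }
+
 impl From<psa_verify_message::Operation> for NativeOperation {
 fn from(op: psa_verify_message::Operation) -> Self {
 NativeOperation::PsaVerifyMessage(op)
 }
 }
 
+impl From<attest_key::Operation> for NativeOperation {
+fn from(op: attest_key::Operation) -> Self {
+NativeOperation::AttestKey(op)
+}
+}
+impl From<prepare_key_attestation::Operation> for NativeOperation {
+fn from(op: prepare_key_attestation::Operation) -> Self {
+NativeOperation::PrepareKeyAttestation(op)
+}
+}
+
 impl From<list_providers::Result> for NativeResult {
 fn from(op: list_providers::Result) -> Self {
 NativeResult::ListProviders(op)
@@ -564,3 +592,15 @@ impl From<psa_verify_message::Result> for NativeResult {
 NativeResult::PsaVerifyMessage(op)
 }
 }
+
+impl From<attest_key::Result> for NativeResult {
+fn from(op: attest_key::Result) -> Self {
+NativeResult::AttestKey(op)
+}
+}
+
+impl From<prepare_key_attestation::Result> for NativeResult {
+fn from(op: prepare_key_attestation::Result) -> Self {
+NativeResult::PrepareKeyAttestation(op)
+}
+}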
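Review bot: The doc comment above `PrepareKeyAttestation(prepare_key_attestation::Result)` in `NativeResult` reads `/// AttestKey result`, which repeats the comment of the variant before it and mislabels the new variant in the generated docs; it should be `/// PrepareKeyAttestation result`. In the `From` hunk, the new impls for `attest_key::Operation` and `prepare_key_attestation::Operation` have no blank line between them, although the same commit inserts blank lines between the neighbouring impls. The enums and `impl` blocks touched here start and end outside the visible hunks.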
+39
@@ -0,0 +1,39 @@
1+
// Copyright 2021 Contributors to the Parsec project.
2+
// SPDX-License-Identifier: Apache-2.0
3+
//! # PrepareKeyAttestation operation
4+
//!
5+
//! Produce any parameters required for the AttestKey operation
6+
use derivative::Derivative;
7+
use zeroize::Zeroizing;
8+
9+
/// Native operation for retrieving key attestation parameters
10+
#[derive(Debug)]
11+
#[non_exhaustive]
12+
pub enum Operation {
13+
/// Get parameters for TPM 2.0 ActivateCredential operation
14+
ActivateCredential {
15+
/// Name of key to be attested
16+
attested_key_name: String,
17+
/// Name of key to be used for attesting
18+
attesting_key_name: Option<String>,
19+
},
20+
}
21+
22+
/// Native result of retrieving key attestation parameters
23+
#[derive(Derivative)]
24+
#[derivative(Debug)]
25+
#[non_exhaustive]
26+
pub enum Result {
27+
/// Parameters for TPM 2.0 ActivateCredential operation
28+
ActivateCredential {
29+
/// TPM name of key to be attested
30+
#[derivative(Debug = "ignore")]
31+
name: Zeroizing<Vec<u8>>,
32+
/// TPM public key parameters of object to be attested
33+
#[derivative(Debug = "ignore")]
34+
public: Zeroizing<Vec<u8>>,
35+
/// Public part of attesting key
36+
#[derivative(Debug = "ignore")]
37+
attesting_key_pub: Zeroizing<Vec<u8>>,
38+
},
39+
}
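Review bot: All three fields of `Result::ActivateCredential` are documented as public material (`name`, `public`, `attesting_key_pub`), yet each is wrapped in `Zeroizing` and marked `#[derivative(Debug = "ignore")]` with no comment saying why. If this is for uniformity with `attest_key`, a one-line comment would stop a later reader from assuming these values are secret. If it is not, leaving them visible in `Debug` would make attestation failures easier to diagnose. The field docs also omit the encoding of `public` and `attesting_key_pub`, which the party building the credential needs in order to check that `name` matches the public area it was given.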
