Trial miracl-trussed wrapping

Author: nickray

Cargo.toml

@@ -38,6 +38,9 @@ hmac = "0.11"
 sha-1 = { version = "0.9", default-features = false, optional = true }
 sha2 = { version = "0.9", default-features = false }
 
+# miracl
+miracl32 = { version = "0.1.0-alpha.0", optional = true }
+
 # ours
 cosey = "0.3"
 delog = "0.1.0"
@@ -95,6 +98,13 @@ aes256-cbc = []
 chacha8-poly1305 = []
 ed255 = []
 x255 = []
+ed448 = ["miracl32"]
+x448 = ["miracl32"]
+rsa2k = ["miracl32"]
+rsa3k = ["miracl32"]
+rsa4k = ["miracl32"]
+p384 = ["miracl32"]
+p521 = ["miracl32"]
 hmac-blake2s = ["blake2"]
 hmac-sha1 = []
 hmac-sha256 = []

bacon.toml

@@ -11,6 +11,11 @@ default_job = "check"
 command = ["cargo", "check", "--color", "always"]
 need_stdout = false
 
+[jobs.check-miracl]
+# command = ["cargo", "check", "--color", "always", "--features", "clients-1"]
+command = ["cargo", "check", "--color", "always", "--features", "ed448,x448,rsa2k,rsa3k,rsa4k,p384,p521"]
+need_stdout = false
+
 [jobs.check-cortex-m4]
 # command = ["cargo", "check", "--color", "always", "--features", "clients-1"]
 command = ["cargo", "check", "--color", "always", "--target", "thumbv7em-none-eabi"]

src/client/mechanisms.rs

@@ -245,6 +245,58 @@ pub trait P256: CryptoClient {
     }
 }
 
+#[cfg(feature = "p384")]
+impl<S: Syscall> P384 for ClientImplementation<S> {}
+
+pub trait P384: CryptoClient {
+    fn generate_p384_private_key(&mut self, persistence: Location)
+        -> ClientResult<'_, reply::GenerateKey, Self>
+    {
+        self.generate_key(Mechanism::P384, StorageAttributes::new().set_persistence(persistence))
+    }
+
+    fn derive_p384_public_key(&mut self, private_key: KeyId, persistence: Location)
+        -> ClientResult<'_, reply::DeriveKey, Self>
+    {
+        self.derive_key(Mechanism::P384, private_key, None, StorageAttributes::new().set_persistence(persistence))
+    }
+
+    fn deserialize_p384_key<'c>(&'c mut self, serialized_key: &[u8], format: KeySerialization, attributes: StorageAttributes)
+        -> ClientResult<'c, reply::DeserializeKey, Self>
+    {
+        self.deserialize_key(Mechanism::P384, serialized_key, format, attributes)
+    }
+
+    fn serialize_p384_key(&mut self, key: KeyId, format: KeySerialization)
+        -> ClientResult<'_, reply::SerializeKey, Self>
+    {
+        self.serialize_key(Mechanism::P384, key, format)
+    }
+
+    fn sign_p384<'c>(&'c mut self, key: KeyId, message: &[u8], format: SignatureSerialization)
+        -> ClientResult<'c, reply::Sign, Self>
+    {
+        self.sign(Mechanism::P384, key, message, format)
+    }
+
+    fn verify_p384<'c>(&'c mut self, key: KeyId, message: &[u8], signature: &[u8])
+        -> ClientResult<'c, reply::Verify, Self>
+    {
+        self.verify(Mechanism::P384, key, message, signature, SignatureSerialization::Raw)
+    }
+
+    fn agree_p384(&mut self, private_key: KeyId, public_key: KeyId, persistence: Location)
+        -> ClientResult<'_, reply::Agree, Self>
+    {
+        self.agree(
+            Mechanism::P384,
+            private_key,
+            public_key,
+            StorageAttributes::new().set_persistence(persistence),
+        )
+    }
+}
+
 #[cfg(feature = "sha256")]
 impl<S: Syscall> Sha256 for ClientImplementation<S> {}
 

src/config.rs

@@ -18,7 +18,8 @@ pub const MAX_KEY_MATERIAL_LENGTH: usize = 128;
 pub const MAX_SERIALIZED_KEY_LENGTH: usize = 132;
 pub type MAX_SERVICE_CLIENTS = consts::U5;
 pub const MAX_SHORT_DATA_LENGTH: usize = 128;
-pub const MAX_SIGNATURE_LENGTH: usize = 72;
+// 72 was for P256, raw P384 is 96
+pub const MAX_SIGNATURE_LENGTH: usize = 96;
 pub const MAX_USER_ATTRIBUTE_LENGTH: usize = 256;
 
 pub const USER_ATTRIBUTE_NUMBER: u8 = 37;

src/key.rs

@@ -63,6 +63,13 @@ pub enum Kind {
     Ed255,
     P256,
     X255,
+    P384,
+    P521,
+    Rsa2k,
+    Rsa3k,
+    Rsa4k,
+    Ed448,
+    X448,
 }
 
 bitflags::bitflags! {
@@ -136,17 +143,35 @@ impl Kind {
             Kind::Ed255 => 4,
             Kind::P256 => 5,
             Kind::X255 => 6,
+            // following PIV and our extensions
+            Kind::P384 => 0x14,
+            Kind::P521 => 0x15,
+            Kind::Rsa2k => 0x7,
+            Kind::Rsa3k => 0xE0,
+            Kind::Rsa4k => 0xE1,
+            Kind::Ed448 => 0xE4,
+            Kind::X448 => 0xE5,
         }
     }
 
     pub fn try_from(code: u16, length: usize) -> Result<Self, Error> {
+        use Kind::*;
         Ok(match code {
-            1 => Self::Shared(length),
-            2 => Self::Symmetric(length),
-            3 => Self::Symmetric32Nonce(length - 32),
-            4 => Self::Ed255,
-            5 => Self::P256,
-            6 => Self::X255,
+            1 => Shared(length),
+            2 => Symmetric(length),
+            3 => Symmetric32Nonce(length - 32),
+            4 => Ed255,
+            5 => P256,
+            6 => X255,
+
+            0x14 => P384,
+            0x15 => P521,
+            0x7 => Rsa2k,
+            0xE0 => Rsa3k,
+            0xE1 => Rsa4k,
+            0xE4 => Ed448,
+            0xE5 => X448,
+
             _ => return Err(Error::InvalidSerializedKey),
         })
     }

src/mechanisms.rs

@@ -42,6 +42,14 @@ impl crate::service::DeriveKey for HmacSha512 {}
 #[cfg(not(feature = "hmac-sha512"))]
 impl crate::service::Sign for HmacSha512 {}
 
+pub struct P384 {}
+#[cfg(feature = "p384")]
+mod p384;
+
+pub struct Rsa2k {}
+#[cfg(feature = "rsa2k")]
+mod rsa2k;
+
 pub struct P256 {}
 pub struct P256Prehashed {}
 mod p256;