Add key attestation operations

This commit adds the types for the new key attestation operations and their conversions to/from protobuf. Signed-off-by: Ionut Mihalcea <[email protected]>
parallaxsecond · Nov 2, 2021 · b4da173 · b4da173
1 parent e677bfd
commit b4da173
Show file tree

Hide file tree

Showing 11 changed files with 1,052 additions and 15 deletions.
diff --git a/parsec-operations b/parsec-operations
diff --git a/src/operations/attest_key.rs b/src/operations/attest_key.rs
@@ -0,0 +1,41 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! # AttestKey operation
+//!
+//! Produce an attestation token as proof that the given
+//! key was produced and is stored in the hardware backend.
+use derivative::Derivative;
+use zeroize::Zeroizing;
+
+/// Native operation for key attestation
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Operation {
+    /// Attestation via TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// Name of key to be attested
+        attested_key_name: String,
+        /// Blob of data representing the encrypted credential
+        #[derivative(Debug = "ignore")]
+        credential_blob: Zeroizing<Vec<u8>>,
+        /// Blob of data representing the encrypted secret
+        #[derivative(Debug = "ignore")]
+        secret: Zeroizing<Vec<u8>>,
+        /// Name of key to be used for attesting
+        attesting_key_name: Option<String>,
+    },
+}
+
+/// Native result of key attestation
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Result {
+    /// Result of attestation via TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// Decrypted credential
+        #[derivative(Debug = "ignore")]
+        credential: Zeroizing<Vec<u8>>,
+    },
+}
diff --git a/src/operations/mod.rs b/src/operations/mod.rs
@@ -35,6 +35,8 @@ pub mod delete_client;
 pub mod list_clients;
 pub mod psa_generate_random;
 pub mod psa_raw_key_agreement;
+pub mod attest_key;
+pub mod prepare_key_attestation;
 
 pub use psa_crypto::types::algorithm as psa_algorithm;
 pub use psa_crypto::types::key as psa_key_attributes;
@@ -97,6 +99,10 @@ pub enum NativeOperation {
     PsaSignMessage(psa_sign_message::Operation),
     /// PsaVerifyMessage operation
     PsaVerifyMessage(psa_verify_message::Operation),
+    /// AttestKey operation
+    AttestKey(attest_key::Operation),
+    /// PrepareKeyAttestation operation
+    PrepareKeyAttestation(prepare_key_attestation::Operation),
 }
 
 impl NativeOperation {
@@ -129,6 +135,8 @@ impl NativeOperation {
             NativeOperation::PsaRawKeyAgreement(_) => Opcode::PsaRawKeyAgreement,
             NativeOperation::PsaSignMessage(_) => Opcode::PsaSignMessage,
             NativeOperation::PsaVerifyMessage(_) => Opcode::PsaVerifyMessage,
+            NativeOperation::AttestKey(_) => Opcode::AttestKey,
+            NativeOperation::PrepareKeyAttestation(_) => Opcode::PrepareKeyAttestation,
         }
     }
 }
@@ -189,6 +197,10 @@ pub enum NativeResult {
     PsaSignMessage(psa_sign_message::Result),
     /// PsaVerifyMessage result
     PsaVerifyMessage(psa_verify_message::Result),
+    /// AttestKey result
+    AttestKey(attest_key::Result),
+    /// AttestKey result
+    PrepareKeyAttestation(prepare_key_attestation::Result),
 }
 
 impl NativeResult {
@@ -221,6 +233,8 @@ impl NativeResult {
             NativeResult::PsaRawKeyAgreement(_) => Opcode::PsaRawKeyAgreement,
             NativeResult::PsaSignMessage(_) => Opcode::PsaSignMessage,
             NativeResult::PsaVerifyMessage(_) => Opcode::PsaVerifyMessage,
+            NativeResult::AttestKey(_) => Opcode::AttestKey,
+            NativeResult::PrepareKeyAttestation(_) => Opcode::PrepareKeyAttestation,
         }
     }
 }
@@ -393,22 +407,36 @@ impl From<psa_hash_compare::Operation> for NativeOperation {
         NativeOperation::PsaHashCompare(op)
     }
 }
+
 impl From<psa_raw_key_agreement::Operation> for NativeOperation {
     fn from(op: psa_raw_key_agreement::Operation) -> Self {
         NativeOperation::PsaRawKeyAgreement(op)
     }
 }
+
 impl From<psa_sign_message::Operation> for NativeOperation {
     fn from(op: psa_sign_message::Operation) -> Self {
         NativeOperation::PsaSignMessage(op)
     }
 }
+
 impl From<psa_verify_message::Operation> for NativeOperation {
     fn from(op: psa_verify_message::Operation) -> Self {
         NativeOperation::PsaVerifyMessage(op)
     }
 }
 
+impl From<attest_key::Operation> for NativeOperation {
+    fn from(op: attest_key::Operation) -> Self {
+        NativeOperation::AttestKey(op)
+    }
+}
+impl From<prepare_key_attestation::Operation> for NativeOperation {
+    fn from(op: prepare_key_attestation::Operation) -> Self {
+        NativeOperation::PrepareKeyAttestation(op)
+    }
+}
+
 impl From<list_providers::Result> for NativeResult {
     fn from(op: list_providers::Result) -> Self {
         NativeResult::ListProviders(op)
@@ -564,3 +592,15 @@ impl From<psa_verify_message::Result> for NativeResult {
         NativeResult::PsaVerifyMessage(op)
     }
 }
+
+impl From<attest_key::Result> for NativeResult {
+    fn from(op: attest_key::Result) -> Self {
+        NativeResult::AttestKey(op)
+    }
+}
+
+impl From<prepare_key_attestation::Result> for NativeResult {
+    fn from(op: prepare_key_attestation::Result) -> Self {
+        NativeResult::PrepareKeyAttestation(op)
+    }
+}
diff --git a/src/operations/prepare_key_attestation.rs b/src/operations/prepare_key_attestation.rs
@@ -0,0 +1,39 @@
+// Copyright 2021 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! # PrepareKeyAttestation operation
+//!
+//! Produce any parameters required for the AttestKey operation
+use derivative::Derivative;
+use zeroize::Zeroizing;
+
+/// Native operation for retrieving key attestation parameters
+#[derive(Debug)]
+#[non_exhaustive]
+pub enum Operation {
+    /// Get parameters for TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// Name of key to be attested
+        attested_key_name: String,
+        /// Name of key to be used for attesting
+        attesting_key_name: Option<String>,
+    },
+}
+
+/// Native result of retrieving key attestation parameters
+#[derive(Derivative)]
+#[derivative(Debug)]
+#[non_exhaustive]
+pub enum Result {
+    /// Parameters for TPM 2.0 ActivateCredential operation
+    ActivateCredential {
+        /// TPM name of key to be attested
+        #[derivative(Debug = "ignore")]
+        name: Zeroizing<Vec<u8>>,
+        /// TPM public key parameters of object to be attested
+        #[derivative(Debug = "ignore")]
+        public: Zeroizing<Vec<u8>>,
+        /// Public part of attesting key
+        #[derivative(Debug = "ignore")]
+        attesting_key_pub: Zeroizing<Vec<u8>>,
+    },
+}
+2 −0		.github/CODEOWNERS
+8 −0		.github/workflows/ci.yml
+21 −0		buf.yaml
+22 −0		ci/check_breaking_changes.sh
+30 −0		protobuf/attest_key.proto
+24 −0		protobuf/can_do_crypto.proto
+30 −0		protobuf/prepare_key_attestation.proto