End of placement code dump

All of the remaining edits made to the parsec service while I've been on placement, some may not be working but I believe that all relevent test currently pass.

Signed-off-by: Sam Davis <[email protected]>

config.toml

@@ -208,7 +208,9 @@ key_info_manager = "sqlite-manager"
 # (Optional) Allows the service to still start without this provider if there is no TPM on the system. The priority list of providers will be as if this provider was commented out.
 #skip_if_no_tpm = false
 # (Optional) List of values to be used in the pcr list.
-#rot_config = {pcr_list = [0,1,2] ,pcr_hash_alg = "Sha256"}
+#root_of_trust = {pcr_list = [0,1,2] ,pcr_hash_alg = "Sha256"}
+# (Optional) Configuration for the attesting key
+#attesting_key = "Rsa"
 
 # Example of a CryptoAuthLib provider configuration
 # All below parameters depend on what devices, interfaces or parameters are required or supported by

e2e_tests/Cargo.toml

@@ -11,7 +11,7 @@ publish = false
 
 [dependencies]
 serde = { version = "1.0.123", features = ["derive"] }
-parsec-client = { git = "https://github.com/parallaxsecond/parsec-client-rust", rev = "bf01a58fe20a65f6151fc32c7c6c9d09ae7b741f", features = ["testing", "spiffe-auth"] }
+parsec-client = { git = "https://github.com/kakemone/parsec-client-rust", branch = "attested-tls", features = ["testing", "spiffe-auth"] }
 log = "0.4.14"
 # Compatible version with crate rsa
 rand = "0.7.3"

e2e_tests/provider_cfg/tpm/config.toml

@@ -26,5 +26,5 @@ store_path = "./mappings"
 provider_type = "Tpm"
 key_info_manager = "on-disk-manager"
 tcti = "mssim:host=127.0.0.1,port=2321"
-owner_hierarchy_auth = "hex:74706d5f70617373" # "tpm_pass" in hex
-endorsement_hierarchy_auth = "str:endorsement_pass"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""

e2e_tests/src/lib.rs

@@ -916,6 +916,25 @@ impl TestClient {
             .activate_credential_attestation(key_name, attesting_key, credential, secret)
             .map_err(convert_error)
     }
+
+    pub fn certify_and_quote(
+        &self,
+        key_name: String,
+        nonce: Vec<u8>,
+    ) -> Result<(Vec<u8>, Vec<u8>)> {
+        self.certify_and_quote_with_key(key_name, None, nonce)
+    }
+
+    pub fn certify_and_quote_with_key(
+        &self,
+        key_name: String,
+        attesting_key: Option<String>,
+        nonce: Vec<u8>,
+    ) -> Result<(Vec<u8>, Vec<u8>)> {
+        self.basic_client
+            .certify_and_quote_attestation(key_name, attesting_key, nonce)
+            .map_err(convert_error)
+    }
 }
 
 impl Default for TestClient {

e2e_tests/tests/all_providers/config/mod.rs

@@ -383,3 +383,72 @@ fn activate_cred_no_auth() {
         ResponseStatus::PsaErrorGenericError
     );
 }
+
+#[test]
+fn attestation_rsa() {
+    set_config("attestation_rsa.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = auto_test_keyname!();
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    let _ = client.certify_and_quote(key_name, vec![0x88; 16]).unwrap();
+}
+
+#[test]
+fn attestation_ecc() {
+    set_config("attestation_ecc.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = auto_test_keyname!();
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    let _ = client.certify_and_quote(key_name, vec![0x88; 16]).unwrap();
+}
+
+#[test]
+fn attestation_none() {
+    set_config("attestation_none.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = auto_test_keyname!();
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    assert_eq!(
+        client.certify_and_quote(key_name, vec![0x88; 16]),
+        Err(ResponseStatus::PsaErrorDoesNotExist)
+    )
+}
+
+#[test]
+fn root_of_trust_does_not_exist() {
+    set_config("root_of_trust_does_not_exist.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = auto_test_keyname!();
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    assert_eq!(
+        client.certify_and_quote(key_name, vec![0x88; 16]),
+        Err(ResponseStatus::PsaErrorGenericError)
+    )
+}
+
+#[test]
+fn root_of_trust_invalid() {
+    set_config("root_of_trust_invalid.toml");
+    reload_service();
+
+    let mut client = TestClient::new();
+    let key_name = auto_test_keyname!();
+    client.generate_rsa_sign_key(key_name.clone()).unwrap();
+
+    assert_eq!(
+        client.certify_and_quote(key_name, vec![0x88; 16]),
+        Err(ResponseStatus::PsaErrorGenericError)
+    )
+}

e2e_tests/tests/all_providers/config/tomls/attestation_ecc.toml

@@ -0,0 +1,32 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "on-disk-manager"
+tcti = "mssim:host=127.0.0.1,port=2321"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""
+root_of_trust = {pcr_list = [0,1,2] ,pcr_hash_alg = "Sha256"}
+attesting_key = "Ecc"

e2e_tests/tests/all_providers/config/tomls/attestation_none.toml

@@ -0,0 +1,31 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "on-disk-manager"
+tcti = "mssim:host=127.0.0.1,port=2321"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""
+root_of_trust = {pcr_list = [0,1,2] ,pcr_hash_alg = "Sha256"}

e2e_tests/tests/all_providers/config/tomls/attestation_rsa.toml

@@ -0,0 +1,32 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "on-disk-manager"
+tcti = "mssim:host=127.0.0.1,port=2321"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""
+root_of_trust = {pcr_list = [0,1,2] ,pcr_hash_alg = "Sha256"}
+attesting_key = "Rsa"

e2e_tests/tests/all_providers/config/tomls/root_of_trust_does_not_exist.toml

@@ -0,0 +1,31 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "on-disk-manager"
+tcti = "mssim:host=127.0.0.1,port=2321"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""
+attesting_key = "Rsa"

e2e_tests/tests/all_providers/config/tomls/root_of_trust_invalid.toml

@@ -0,0 +1,32 @@
+[core_settings]
+# The CI already timestamps the logs
+log_timestamp = false
+log_error_details = true
+
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
+[listener]
+listener_type = "DomainSocket"
+# The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
+# that the service does not hang for very big values of body or authentication length.
+timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
+
+[authenticator]
+auth_type = "Direct"
+
+[[key_manager]]
+name = "on-disk-manager"
+manager_type = "OnDisk"
+store_path = "./mappings"
+
+[[provider]]
+provider_type = "Tpm"
+key_info_manager = "on-disk-manager"
+tcti = "mssim:host=127.0.0.1,port=2321"
+owner_hierarchy_auth = ""
+endorsement_hierarchy_auth = ""
+root_of_trust = {pcr_list = [0,1,32] ,pcr_hash_alg = "Sha256"}
+attesting_key = "Rsa"

e2e_tests/tests/per_provider/normal_tests/key_attestation.rs

@@ -212,4 +212,56 @@ mod activate_credential {
         // The first 2 bytes of the name represent the hash algorithm used
         assert_eq!(prep_activ_cred.name[2..], hash[..]);
     }
+
+    #[test]
+    fn certify_and_quote() {
+        let key_name = auto_test_keyname!();
+        let mut client = TestClient::new();
+        let nonce = vec![88, 32];
+        if !client.is_operation_supported(Opcode::PrepareKeyAttestation) {
+            return;
+        }
+        client
+            .generate_rsa_sign_key(key_name.clone())
+            .expect("Failed to generate key");
+
+        let _ = client
+            .certify_and_quote(key_name, nonce)
+            .expect("Attestation failed");
+    }
+    #[test]
+    fn certify_and_quote_with_non_existing_key() {
+        let key_name = auto_test_keyname!();
+        let mut client = TestClient::new();
+        let nonce = vec![88, 32];
+        if !client.is_operation_supported(Opcode::PrepareKeyAttestation) {
+            return;
+        }
+
+        assert_eq!(
+            client.certify_and_quote(key_name, nonce).unwrap_err(),
+            //I don't think that this is the correct error
+            ResponseStatus::PsaErrorDoesNotExist
+        );
+    }
+
+    #[test]
+    fn certify_and_quote_with_unsupported_key() {
+        let key_name = auto_test_keyname!();
+        let mut client = TestClient::new();
+        let nonce = vec![88, 32];
+        if !client.is_operation_supported(Opcode::PrepareKeyAttestation) {
+            return;
+        }
+
+        client
+            .generate_ecc_key_pair_secpr1_ecdsa_sha256(key_name.clone())
+            .expect("Failed to generate key");
+
+        assert_eq!(
+            client.certify_and_quote(key_name, nonce).unwrap_err(),
+            //I don't think that this is the correct error
+            ResponseStatus::PsaErrorCommunicationFailure
+        );
+    }
 }