Add a PKCS 11 provider

This provider will interface with a PKCS 11 dynamic library to
communicate with a PKCS 11 device.
Add PKCS 11 configuration for the user to enter the path of the dynamic
PKCS 11 library to load, the slot number where the device is and the
user pin of that device.
Removes provider-dependant information in the tests: they shoudl be
generic no matter what provider is currently used.
The PKCS 11 provider currently only supports RSA Key pair generation,
importing and exporting public keys, signing and verifying with those
RSA keys.

Co-authored-by: Paul Howard <[email protected]>
Signed-off-by: Hugues de Valon <[email protected]>

Cargo.toml

@@ -1,7 +1,8 @@
 [package]
 name = "parsec"
 version = "0.1.0"
-authors = ["Ionut Mihalcea <[email protected]>",
+authors = ["Paul Howard <[email protected]>",
+           "Ionut Mihalcea <[email protected]>",
            "Hugues de Valon <[email protected]>"]
 edition = "2018"
 
@@ -10,7 +11,7 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs", tag = "0.2.1" }
+parsec-interface = { git = "https://github.com/parallaxsecond/parsec-interface-rs", tag = "0.3.0" }
 rand = "0.7.2"
 base64 = "0.10.1"
 uuid = "0.7.4"
@@ -22,9 +23,15 @@ toml = "0.4.2"
 serde = { version = "1.0", features = ["derive"] }
 env_logger = "0.7.1"
 log = { version = "0.4.8", features = ["serde"] }
+pkcs11 = { version = "0.4.0", optional = true }
+# Using a fork of the serde_asn1_der crate to have big integer support. Check https://github.com/KizzyCode/serde_asn1_der/issues/1
+serde_asn1_der = { git = "https://github.com/Devolutions/serde_asn1_der", rev = "ec1035879034ac9f09f1242fb49ed04c9aecdcae", optional = true, features = ["extra_types"] }
+der-parser = "3.0.2"
+nom = "5.0.1"
+num-bigint-dig = "0.5"
 
 [dev-dependencies]
-parsec-client-test = { git = "https://github.com/parallaxsecond/parsec-client-test", tag = "0.1.6" }
+parsec-client-test = { git = "https://github.com/parallaxsecond/parsec-client-test", tag = "0.1.7" }
 num_cpus = "1.10.1"
 
 [build-dependencies]
@@ -37,6 +44,6 @@ serde = { version = "1.0", features = ["derive"] }
 mbed-crypto-version = "mbedcrypto-2.0.0"
 
 [features]
-default = ["mbed"]
+default = ["mbed", "pkcs11-provider"]
 mbed = []
-
+pkcs11-provider = ["pkcs11", "serde_asn1_der"]

README.md

@@ -96,6 +96,9 @@ This project uses the following third party crates:
 * sd-notify (MIT and Apache-2.0)
 * log (MIT and Apache-2.0)
 * env\_logger (MIT and Apache-2.0)
+* pkcs11 (Apache-2.0)
+* a fork of serde\_asn1\_der at `https://github.com/Devolutions/serde_asn1_der` (BSD-3-Clause and MIT)
+* num-bigint-dig (MIT and Apache-2.0)
 
 This project uses the following third party libraries:
 * [Mbed Crypto](https://github.com/ARMmbed/mbed-crypto) (Apache-2.0)

config.toml

@@ -1,4 +1,4 @@
-# PARSEC Service Configuration File
+# Parsec Configuration File
 
 # (Required) Core settings apply to the service as a whole rather than to individual components within it.
 [core_settings]
@@ -46,3 +46,16 @@ provider_type = "MbedProvider"
 
 # (Required) Name of key ID manager that will support this provider.
 key_id_manager = "on-disk-manager"
+
+# Example of a PKCS 11 provider configuration
+#[[provider]]
+#provider_type = "Pkcs11Provider"
+#key_id_manager = "on-disk-manager"
+# (Required for this provider) Path to the location of the dynamic library loaded by this provider.
+# For the PKCS 11 provider, this library implements the PKCS 11 API on the target platform.
+#library_path = "/usr/local/lib/softhsm/libsofthsm2.so"
+# (Required) PKCS 11 slot that will be used by Parsec.
+#slot_number = 123456789
+# (Optional) User pin for authentication with the specific slot. If not set, no authentication will
+# be used.
+#user_pin = "123456"

src/front/listener.rs

@@ -21,12 +21,12 @@ pub trait ReadWrite: std::io::Read + std::io::Write {}
 // Automatically implements ReadWrite for all types that implement Read and Write.
 impl<T: std::io::Read + std::io::Write> ReadWrite for T {}
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Debug)]
 pub enum ListenerType {
     DomainSocket,
 }
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Debug)]
 pub struct ListenerConfig {
     pub listener_type: ListenerType,
     pub timeout: u64,

src/key_id_managers/mod.rs

@@ -25,12 +25,12 @@ use std::fmt;
 
 pub mod on_disk_manager;
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Debug)]
 pub enum KeyIdManagerType {
     OnDisk,
 }
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Debug)]
 pub struct KeyIdManagerConfig {
     pub name: String,
     pub manager_type: KeyIdManagerType,
@@ -50,7 +50,7 @@ impl fmt::Display for KeyTriple {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(
             f,
-            "Application Name: \"{}\"\nProvider ID: {}\nKey Name: \"{}\"",
+            "Application Name: \"{}\", Provider ID: {}, Key Name: \"{}\"",
             self.app_name, self.provider_id, self.key_name
         )
     }

src/providers/mod.rs

@@ -17,26 +17,34 @@ use serde::Deserialize;
 
 pub mod core_provider;
 
+#[cfg(feature = "pkcs11-provider")]
+pub mod pkcs11_provider;
+
 #[cfg(feature = "mbed")]
 pub mod mbed_provider;
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Debug)]
 pub enum ProviderType {
     MbedProvider,
+    Pkcs11Provider,
 }
 
 impl ProviderType {
     pub fn to_provider_id(&self) -> ProviderID {
         match self {
             ProviderType::MbedProvider => ProviderID::MbedProvider,
+            ProviderType::Pkcs11Provider => ProviderID::Pkcs11Provider,
         }
     }
 }
 
-#[derive(Deserialize)]
+#[derive(Deserialize, Debug)]
 pub struct ProviderConfig {
     pub provider_type: ProviderType,
     pub key_id_manager: String,
+    pub library_path: Option<String>,
+    pub slot_number: Option<usize>,
+    pub user_pin: Option<String>,
 }
 
 use crate::authenticators::ApplicationName;