common: Move AuthTag from common to the library

Move the AuthTag structure from the common.rs file to the Keylime
library in crypto::auth_tag

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

Author: ansasaki

keylime-agent/src/common.rs

@@ -33,11 +33,6 @@ use tss_esapi::{
     structures::PcrSlot, traits::UnMarshall, utils::TpmsContext,
 };
 
-/*
- * Constants and static variables
- */
-pub const AUTH_TAG_LEN: usize = 48;
-
 #[derive(Serialize, Deserialize, Debug)]
 pub(crate) struct APIVersion {
     major: u32,
@@ -83,32 +78,6 @@ where
     }
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct AuthTag {
-    bytes: Vec<u8>,
-}
-
-impl AsRef<[u8]> for AuthTag {
-    fn as_ref(&self) -> &[u8] {
-        self.bytes.as_slice()
-    }
-}
-
-impl TryFrom<&[u8]> for AuthTag {
-    type Error = String;
-
-    fn try_from(v: &[u8]) -> std::result::Result<Self, Self::Error> {
-        match v.len() {
-            AUTH_TAG_LEN => {
-                Ok(AuthTag { bytes: v.to_vec() })
-            }
-            other => Err(format!(
-                "auth tag length {other} does not correspond to valid SHA-384 HMAC",
-            )),
-        }
-    }
-}
-
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 pub struct EncryptedData {
     bytes: Vec<u8>,

keylime-agent/src/keys_handler.rs

@@ -2,7 +2,7 @@
 // Copyright 2021 Keylime Authors
 
 use crate::{
-    common::{AuthTag, EncryptedData, JsonWrapper},
+    common::{EncryptedData, JsonWrapper},
     config::KeylimeConfig,
     payloads::{Payload, PayloadMessage},
     Error, QuoteData, Result,
@@ -12,6 +12,7 @@ use base64::{engine::general_purpose, Engine as _};
 use keylime::crypto::{
     self,
     symmkey::{KeySet, SymmKey},
+    auth_tag::AuthTag,
 };
 use log::*;
 use serde::{Deserialize, Serialize};

keylime/src/crypto.rs

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2021 Keylime Authors
 
+pub mod auth_tag;
 pub mod symmkey;
 pub mod x509;
 
@@ -34,6 +35,7 @@ use thiserror::Error;
 pub const AES_128_KEY_LEN: usize = 16;
 pub const AES_256_KEY_LEN: usize = 32;
 pub const AES_BLOCK_SIZE: usize = 16;
+pub const AUTH_TAG_LEN: usize = 48;
 
 #[derive(Error, Debug)]
 pub enum CryptoError {

keylime/src/crypto/auth_tag.rs

@@ -0,0 +1,52 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2025 Keylime Authors
+
+use crate::crypto::AUTH_TAG_LEN;
+use serde::{Deserialize, Serialize};
+use thiserror::Error;
+
+#[derive(Debug, Error)]
+pub enum AuthTagError {
+    // Invalid authentication tag size
+    #[error("auth tag length {0} does not correspond to valid SHA-384 HMAC")]
+    InvalidAuthTagSize(usize),
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthTag {
+    bytes: Vec<u8>,
+}
+
+impl AsRef<[u8]> for AuthTag {
+    fn as_ref(&self) -> &[u8] {
+        self.bytes.as_slice()
+    }
+}
+
+impl TryFrom<&[u8]> for AuthTag {
+    type Error = AuthTagError;
+
+    fn try_from(v: &[u8]) -> std::result::Result<Self, Self::Error> {
+        match v.len() {
+            AUTH_TAG_LEN => Ok(AuthTag { bytes: v.to_vec() }),
+            _ => Err(AuthTagError::InvalidAuthTagSize(v.len())),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_convert() {
+        let a: [u8; AUTH_TAG_LEN] = [0xAA; AUTH_TAG_LEN];
+        let invalid: [u8; 32] = [0xBB; 32];
+
+        let r = AuthTag::try_from(a.as_ref());
+        assert!(r.is_ok());
+
+        let r = AuthTag::try_from(invalid.as_ref());
+        assert!(r.is_err());
+    }
+}