Merge pull request #32 from namib-project/aes_cbc_mac

Add (RustCrypto only) support for AES-CBC-MAC

Author: pulsastrix

Cargo.toml

@@ -20,13 +20,14 @@ rustcrypto = ["rustcrypto-aes-gcm", "rustcrypto-aes-kw", "rustcrypto-ecdsa", "ru
 rustcrypto-encrypt = ["rustcrypto-aes-gcm", "rustcrypto-aes-ccm", "rustcrypto-chacha20-poly1305"]
 rustcrypto-sign = ["rustcrypto-ecdsa"]
 rustcrypto-key-distribution = ["rustcrypto-aes-kw"]
-rustcrypto-mac = ["rustcrypto-hmac"]
+rustcrypto-mac = ["rustcrypto-hmac", "rustcrypto-aes-cbc-mac"]
 rustcrypto-aes-gcm = ["dep:aes-gcm", "dep:typenum", "dep:aead", "dep:aes"]
 rustcrypto-aes-ccm = ["dep:ccm", "dep:typenum", "dep:aead", "dep:aes"]
 rustcrypto-chacha20-poly1305 = ["dep:chacha20poly1305", "dep:typenum", "dep:aead"]
 rustcrypto-aes-kw = ["dep:aes-kw", "dep:aes", "dep:typenum", "dep:crypto-common"]
 rustcrypto-ecdsa = ["dep:ecdsa", "dep:p256", "dep:p384", "dep:digest", "dep:sha2", "dep:elliptic-curve"]
 rustcrypto-hmac = ["dep:hmac", "dep:digest", "dep:sha2"]
+rustcrypto-aes-cbc-mac = ["dep:cbc-mac", "dep:aes", "dep:crypto-common", "dep:digest", "dep:typenum"]
 
 [dependencies]
 serde = { version = "1.0", default-features = false, features = ["derive"] }
@@ -52,6 +53,7 @@ aes-kw = { version = "0.2.1", optional = true, default-features = false, feature
 aes = { version = "0.8.4", optional = true, default-features = false }
 hmac = { version = "0.12.1", optional = true, default-features = false }
 digest = { version = "0.10.7", optional = true, default-features = false }
+cbc-mac = { version = "0.1.1", optional = true, default-features = false }
 sha2 = { version = "0.10.8", optional = true, default-features = false }
 elliptic-curve = { version = "0.13.8", default-features = false, optional = true }
 ecdsa = { version = "0.16.9", optional = true, default-features = false, features = ["sha2"] }

build.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 The NAMIB Project Developers.
+ * Copyright (c) 2024-2025 The NAMIB Project Developers.
  * Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
  * https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
  * <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
@@ -32,7 +32,8 @@ fn main() {
         },
         rustcrypto_mac_base: {
             any(
-                feature = "rustcrypto-hmac"
+                feature = "rustcrypto-hmac",
+                feature = "rustcrypto-aes-cbc-mac"
             )
         },
         rustcrypto_base: {

src/error/mod.rs

@@ -557,7 +557,6 @@ impl<T> From<CoseCipherError<T>> for AccessTokenError<T>
 where
     T: Display,
 {
-    #[must_use]
     fn from(error: CoseCipherError<T>) -> Self {
         AccessTokenError::CoseCipherError(error)
     }
@@ -567,7 +566,6 @@ impl<T> From<CoseError> for AccessTokenError<T>
 where
     T: Display,
 {
-    #[must_use]
     fn from(error: CoseError) -> Self {
         AccessTokenError::CoseError(error)
     }

src/token/cose/crypto_impl/openssl/mod.rs

@@ -97,7 +97,7 @@ impl From<openssl::aes::KeyError> for CoseCipherError<CoseOpensslCipherError> {
 ///         - [x] AES-CCM-16-128-256
 ///         - [x] AES-CCM-64-128-128
 ///         - [x] AES-CCM-64-128-256
-///     - [ ] ChaCha20/Poly1305
+///     - [x] ChaCha20/Poly1305
 /// - Content Key Distribution Methods (for COSE_Recipients)
 ///     - Direct Encryption
 ///         - [ ] Direct Key with KDF

src/token/cose/crypto_impl/rustcrypto/mac/aes_cbc_mac.rs

@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2025 The NAMIB Project Developers.
+ * Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
+ * https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+ * <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
+ * option. This file may not be copied, modified, or distributed
+ * except according to those terms.
+ *
+ * SPDX-License-Identifier: MIT OR Apache-2.0
+ */
+use coset::{iana, Algorithm};
+use crypto_common::BlockSizeUser;
+use digest::Mac;
+use rand::{CryptoRng, RngCore};
+use typenum::{IsLess, U256};
+
+use crate::error::CoseCipherError;
+use crate::token::cose::crypto_impl::rustcrypto::RustCryptoContext;
+use crate::token::cose::{CoseSymmetricKey, CryptoBackend};
+use aes::cipher::{BlockCipher, BlockEncryptMut};
+use aes::{Aes128, Aes256};
+use alloc::vec::Vec;
+use cbc_mac::CbcMac;
+use crypto_common::KeyInit;
+
+impl<RNG: RngCore + CryptoRng> RustCryptoContext<RNG> {
+    /// Compute the CBC-MAC of `payload` using the given `key` with the block cipher
+    /// `C`.
+    fn compute_cbc_mac_using_block_cipher<
+        C: BlockCipher + BlockEncryptMut + Clone,
+        const TAG_LEN: usize,
+    >(
+        key: &CoseSymmetricKey<'_, <Self as CryptoBackend>::Error>,
+        payload: &[u8],
+    ) -> Vec<u8>
+    where
+        CbcMac<C>: KeyInit + Mac,
+        <C as BlockSizeUser>::BlockSize: typenum::IsLess<U256>,
+        <<C as BlockSizeUser>::BlockSize as IsLess<U256>>::Output: typenum::NonZero,
+    {
+        // Key length must have been validated by caller as per the API contract of
+        // `MacCryptoBackend`.
+        let mut cbc_mac = <CbcMac<C> as Mac>::new_from_slice(&key.k).expect("key length invalid");
+        cbc_mac.update(payload);
+        let mut result = cbc_mac.finalize().into_bytes().to_vec();
+        result.truncate(TAG_LEN);
+        result
+    }
+
+    /// Verify the CBC-MAC of `payload` using the given `key` with the HMAC function `MAC`.
+    fn verify_cbc_mac_using_block_cipher<
+        C: BlockCipher + BlockEncryptMut + Clone,
+        const TAG_LEN: usize,
+    >(
+        key: &CoseSymmetricKey<'_, <Self as CryptoBackend>::Error>,
+        payload: &[u8],
+        tag: &[u8],
+    ) -> Result<(), CoseCipherError<<Self as CryptoBackend>::Error>>
+    where
+        CbcMac<C>: KeyInit + Mac,
+        <C as BlockSizeUser>::BlockSize: typenum::IsLess<U256>,
+        <<C as BlockSizeUser>::BlockSize as IsLess<U256>>::Output: typenum::NonZero,
+    {
+        let mut cbc_mac = <CbcMac<C> as Mac>::new_from_slice(&key.k).unwrap();
+        cbc_mac.update(payload);
+
+        // Validate length of tag as verify_truncated_left() does not know the expected length.
+        if tag.len() != TAG_LEN {
+            return Err(CoseCipherError::VerificationFailure);
+        }
+
+        cbc_mac
+            .verify_truncated_left(tag)
+            .map_err(CoseCipherError::from)
+    }
+
+    /// Compute the CBC-MAC of `payload` using the given `key` with the CBC-MAC function
+    /// specified in the `algorithm`.
+    pub(super) fn compute_cbc_mac(
+        algorithm: iana::Algorithm,
+        key: &CoseSymmetricKey<'_, <Self as CryptoBackend>::Error>,
+        payload: &[u8],
+    ) -> Result<Vec<u8>, CoseCipherError<<Self as CryptoBackend>::Error>> {
+        match algorithm {
+            iana::Algorithm::AES_MAC_128_64 => Ok(Self::compute_cbc_mac_using_block_cipher::<
+                Aes128,
+                8,
+            >(key, payload)),
+            iana::Algorithm::AES_MAC_128_128 => Ok(Self::compute_cbc_mac_using_block_cipher::<
+                Aes128,
+                16,
+            >(key, payload)),
+            iana::Algorithm::AES_MAC_256_64 => Ok(Self::compute_cbc_mac_using_block_cipher::<
+                Aes256,
+                8,
+            >(key, payload)),
+            iana::Algorithm::AES_MAC_256_128 => Ok(Self::compute_cbc_mac_using_block_cipher::<
+                Aes256,
+                16,
+            >(key, payload)),
+            a => Err(CoseCipherError::UnsupportedAlgorithm(Algorithm::Assigned(
+                a,
+            ))),
+        }
+    }
+
+    /// Verify the CBC-MAC `tag` of `payload` using the given `key` with the CBC-MAC
+    /// function specified in the `algorithm`.
+    pub(super) fn verify_cbc_mac(
+        algorithm: iana::Algorithm,
+        key: &CoseSymmetricKey<'_, <Self as CryptoBackend>::Error>,
+        tag: &[u8],
+        payload: &[u8],
+    ) -> Result<(), CoseCipherError<<Self as CryptoBackend>::Error>> {
+        match algorithm {
+            iana::Algorithm::AES_MAC_128_64 => {
+                Self::verify_cbc_mac_using_block_cipher::<Aes128, 8>(key, payload, tag)
+            }
+            iana::Algorithm::AES_MAC_128_128 => {
+                Self::verify_cbc_mac_using_block_cipher::<Aes128, 16>(key, payload, tag)
+            }
+            iana::Algorithm::AES_MAC_256_64 => {
+                Self::verify_cbc_mac_using_block_cipher::<Aes256, 8>(key, payload, tag)
+            }
+            iana::Algorithm::AES_MAC_256_128 => {
+                Self::verify_cbc_mac_using_block_cipher::<Aes256, 16>(key, payload, tag)
+            }
+            a => Err(CoseCipherError::UnsupportedAlgorithm(Algorithm::Assigned(
+                a,
+            ))),
+        }
+    }
+}

src/token/cose/crypto_impl/rustcrypto/mac/hmac.rs

@@ -17,7 +17,6 @@ use sha2::{Sha256, Sha384, Sha512};
 use crate::error::CoseCipherError;
 use crate::token::cose::crypto_impl::rustcrypto::RustCryptoContext;
 use crate::token::cose::{CoseSymmetricKey, CryptoBackend};
-use aead::Buffer;
 use alloc::vec::Vec;
 
 impl<RNG: RngCore + CryptoRng> RustCryptoContext<RNG> {

src/token/cose/crypto_impl/rustcrypto/mac/mod.rs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 The NAMIB Project Developers.
+ * Copyright (c) 2024-2025 The NAMIB Project Developers.
  * Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
  * https://www.apache.org/licenses/LICENSE-2.0> or the MIT license
  * <LICENSE-MIT or https://opensource.org/licenses/MIT>, at your
@@ -17,6 +17,8 @@ use alloc::vec::Vec;
 use coset::iana;
 use rand::{CryptoRng, RngCore};
 
+#[cfg(feature = "rustcrypto-aes-cbc-mac")]
+mod aes_cbc_mac;
 #[cfg(feature = "rustcrypto-hmac")]
 mod hmac;
 
@@ -41,4 +43,25 @@ impl<RNG: RngCore + CryptoRng> MacCryptoBackend for RustCryptoContext<RNG> {
     ) -> Result<(), CoseCipherError<Self::Error>> {
         Self::verify_hmac(algorithm, &key, tag, payload)
     }
+
+    #[cfg(feature = "rustcrypto-aes-cbc-mac")]
+    fn compute_cbc_mac(
+        &mut self,
+        algorithm: iana::Algorithm,
+        key: CoseSymmetricKey<'_, Self::Error>,
+        payload: &[u8],
+    ) -> Result<Vec<u8>, CoseCipherError<Self::Error>> {
+        Self::compute_cbc_mac(algorithm, &key, payload)
+    }
+
+    #[cfg(feature = "rustcrypto-aes-cbc-mac")]
+    fn verify_cbc_mac(
+        &mut self,
+        algorithm: iana::Algorithm,
+        key: CoseSymmetricKey<'_, Self::Error>,
+        tag: &[u8],
+        payload: &[u8],
+    ) -> Result<(), CoseCipherError<Self::Error>> {
+        Self::verify_cbc_mac(algorithm, &key, tag, payload)
+    }
 }

src/token/cose/crypto_impl/rustcrypto/mod.rs

@@ -85,7 +85,7 @@ impl From<ecdsa::elliptic_curve::Error> for CoseCipherError<CoseRustCryptoCipher
     }
 }
 
-#[cfg(feature = "rustcrypto-hmac")]
+#[cfg(any(feature = "rustcrypto-hmac", feature = "rustcrypto-aes-cbc-mac"))]
 impl From<digest::MacError> for CoseCipherError<CoseRustCryptoCipherError> {
     fn from(_value: digest::MacError) -> Self {
         CoseCipherError::VerificationFailure
@@ -132,11 +132,11 @@ impl From<ecdsa::Error> for CoseCipherError<CoseRustCryptoCipherError> {
 ///         - [x] HMAC 256/256
 ///         - [x] HMAC 384/384
 ///         - [x] HMAC 512/512
-///     - [ ] AES-CBC-MAC
-///         - [ ] AES-MAC 128/64
-///         - [ ] AES-MAC 256/64
-///         - [ ] AES-MAC 128/128
-///         - [ ] AES-MAC 256/128
+///     - [x] AES-CBC-MAC
+///         - [x] AES-MAC 128/64
+///         - [x] AES-MAC 256/64
+///         - [x] AES-MAC 128/128
+///         - [x] AES-MAC 256/128
 /// - Content Encryption Algorithms (for COSE_Encrypt and COSE_Encrypt0)
 ///     - [x] AES-GCM
 ///         - [x] A128GCM
@@ -151,7 +151,7 @@ impl From<ecdsa::Error> for CoseCipherError<CoseRustCryptoCipherError> {
 ///         - [x] AES-CCM-16-128-256
 ///         - [x] AES-CCM-64-128-128
 ///         - [x] AES-CCM-64-128-256
-///     - [ ] ChaCha20/Poly1305
+///     - [x] ChaCha20/Poly1305
 /// - Content Key Distribution Methods (for COSE_Recipients)
 ///     - Direct Encryption
 ///         - [ ] Direct Key with KDF

src/token/cose/maced/mac/tests.rs

@@ -32,7 +32,10 @@ use crate::token::cose::{test_helper, CryptoBackend};
 
 #[cfg(feature = "openssl")]
 use crate::token::cose::test_helper::openssl_ctx;
-#[cfg(all(feature = "rustcrypto-hmac", feature = "rustcrypto-aes-kw"))]
+#[cfg(all(
+    any(feature = "rustcrypto-hmac", feature = "rustcrypto-aes-cbc-mac"),
+    feature = "rustcrypto-aes-kw"
+))]
 use crate::token::cose::test_helper::rustcrypto_ctx;
 
 impl<B: CryptoBackend + MacCryptoBackend + KeyDistributionCryptoBackend> CoseStructTestHelper<B>
@@ -179,6 +182,39 @@ fn cose_examples_mac_self_signed<B: MacCryptoBackend + KeyDistributionCryptoBack
     test_helper::perform_cose_self_signed_test::<CoseMac, B>(test_path, backend);
 }
 
+// As of now, we don't support CBC-MAC with the OpenSSL backend.
+// OpenSSL does not provide a ready-made function for performing CBC-MAC,
+// which means that we would need to build the missing functionality from the
+// existing CBC functions ourselves (which is probably not worth the effort).
+#[cfg(all(feature = "rustcrypto-aes-cbc-mac", feature = "rustcrypto-aes-kw"))]
+#[rstest]
+#[cfg_attr(
+    all(feature = "rustcrypto-aes-cbc-mac", feature = "rustcrypto-aes-kw"),
+    case::rustcrypto(rustcrypto_ctx())
+)]
+fn cose_examples_cbc_mac_mac_reference_output<
+    B: MacCryptoBackend + KeyDistributionCryptoBackend,
+>(
+    #[files("tests/cose_examples/cbc-mac-examples/cbc-mac-0*.json")] test_path: PathBuf,
+    #[case] backend: B,
+) {
+    test_helper::perform_cose_reference_output_test::<CoseMac, B>(test_path, backend);
+}
+
+// As of now, we don't support CBC-MAC with the OpenSSL backend.
+#[cfg(all(feature = "rustcrypto-aes-cbc-mac", feature = "rustcrypto-aes-kw"))]
+#[rstest]
+#[cfg_attr(
+    all(feature = "rustcrypto-aes-cbc-mac", feature = "rustcrypto-aes-kw"),
+    case::rustcrypto(rustcrypto_ctx())
+)]
+fn cose_examples_cbc_mac_mac_self_signed<B: MacCryptoBackend + KeyDistributionCryptoBackend>(
+    #[files("tests/cose_examples/cbc-mac-examples/cbc-mac-0*.json")] test_path: PathBuf,
+    #[case] backend: B,
+) {
+    test_helper::perform_cose_self_signed_test::<CoseMac, B>(test_path, backend);
+}
+
 #[rstest]
 #[cfg_attr(feature = "openssl", case::openssl(openssl_ctx()))]
 #[cfg_attr(

src/token/cose/maced/mac0/tests.rs

@@ -26,7 +26,7 @@ use crate::token::cose::{test_helper, CryptoBackend};
 
 #[cfg(feature = "openssl")]
 use crate::token::cose::test_helper::openssl_ctx;
-#[cfg(feature = "rustcrypto-hmac")]
+#[cfg(any(feature = "rustcrypto-hmac", feature = "rustcrypto-aes-cbc-mac"))]
 use crate::token::cose::test_helper::rustcrypto_ctx;
 
 impl<B: CryptoBackend + MacCryptoBackend> CoseStructTestHelper<B> for CoseMac0 {
@@ -160,6 +160,34 @@ fn cose_examples_mac0_self_signed<B: MacCryptoBackend>(
     test_helper::perform_cose_self_signed_test::<CoseMac0, B>(test_path, backend);
 }
 
+// As of now, we don't support CBC-MAC with the OpenSSL backend.
+#[cfg(feature = "rustcrypto-aes-cbc-mac")]
+#[rstest]
+#[cfg_attr(
+    all(feature = "rustcrypto-aes-cbc-mac"),
+    case::rustcrypto(rustcrypto_ctx())
+)]
+fn cose_examples_cbc_mac_mac0_reference_output<B: MacCryptoBackend>(
+    #[files("tests/cose_examples/cbc-mac-examples/cbc-mac-enc-*.json")] test_path: PathBuf,
+    #[case] backend: B,
+) {
+    test_helper::perform_cose_reference_output_test::<CoseMac0, B>(test_path, backend);
+}
+
+// As of now, we don't support CBC-MAC with the OpenSSL backend.
+#[cfg(feature = "rustcrypto-aes-cbc-mac")]
+#[rstest]
+#[cfg_attr(
+    all(feature = "rustcrypto-aes-cbc-mac"),
+    case::rustcrypto(rustcrypto_ctx())
+)]
+fn cose_examples_cbc_mac_mac0_self_signed<B: MacCryptoBackend>(
+    #[files("tests/cose_examples/cbc-mac-examples/cbc-mac-enc-*.json")] test_path: PathBuf,
+    #[case] backend: B,
+) {
+    test_helper::perform_cose_self_signed_test::<CoseMac0, B>(test_path, backend);
+}
+
 #[rstest]
 #[cfg_attr(feature = "openssl", case::openssl(openssl_ctx()))]
 #[cfg_attr(feature = "rustcrypto-hmac", case::rustcrypto(rustcrypto_ctx()))]