Merge pull request #100 from ionut-arm/activate-cred

ionut-arm · web-flow · commit 119664eac501 · 2021-11-12T16:00:48.000Z
Add activate credential attestation methods
diff --git a/src/core/basic_client.rs b/src/core/basic_client.rs
@@ -5,6 +5,7 @@ use super::operation_client::OperationClient;
 use crate::auth::Authentication;
 use crate::error::{ClientErrorKind, Error, Result};
 use log::{debug, warn};
+use parsec_interface::operations::attest_key::{Operation as AttestKey, Result as AttestKeyResult};
 use parsec_interface::operations::can_do_crypto::{CheckType, Operation as CanDoCrypto};
 use parsec_interface::operations::delete_client::Operation as DeleteClient;
 use parsec_interface::operations::list_authenticators::{
@@ -15,6 +16,9 @@ use parsec_interface::operations::list_keys::{KeyInfo, Operation as ListKeys};
 use parsec_interface::operations::list_opcodes::Operation as ListOpcodes;
 use parsec_interface::operations::list_providers::{Operation as ListProviders, ProviderInfo};
 use parsec_interface::operations::ping::Operation as Ping;
+use parsec_interface::operations::prepare_key_attestation::{
+    Operation as PrepareKeyAttestation, Result as PrepareKeyAttestationResult,
+};
 use parsec_interface::operations::psa_aead_decrypt::Operation as PsaAeadDecrypt;
 use parsec_interface::operations::psa_aead_encrypt::Operation as PsaAeadEncrypt;
 use parsec_interface::operations::psa_algorithm::{
@@ -1309,12 +1313,109 @@ impl BasicClient {
         Ok(())
     }
 
+    /// **[Cryptographic Operation]** Get data required to prepare an
+    /// ActivateCredential key attestation.
+    ///
+    /// Retrieve the binary blobs required by a third party to perform a
+    /// MakeCredential operation, in preparation for a key attestation using
+    /// ActivateCredential.
+    ///
+    /// **This key attestation method is TPM-specific**
+    pub fn prepare_activate_credential(
+        &self,
+        attested_key_name: String,
+        attesting_key_name: Option<String>,
+    ) -> Result<PrepareActivateCredential> {
+        self.can_use_provider(ProviderId::Tpm)?;
+
+        let op = PrepareKeyAttestation::ActivateCredential {
+            attested_key_name,
+            attesting_key_name,
+        };
+
+        let res = self.op_client.process_operation(
+            NativeOperation::PrepareKeyAttestation(op),
+            ProviderId::Tpm,
+            &self.auth_data,
+        )?;
+
+        if let NativeResult::PrepareKeyAttestation(
+            PrepareKeyAttestationResult::ActivateCredential {
+                name,
+                public,
+                attesting_key_pub,
+            },
+        ) = res
+        {
+            Ok(PrepareActivateCredential {
+                name: name.to_vec(),
+                public: public.to_vec(),
+                attesting_key_pub: attesting_key_pub.to_vec(),
+            })
+        } else {
+            // Should really not be reached given the checks we do, but it's not impossible if some
+            // changes happen in the interface
+            Err(Error::Client(ClientErrorKind::InvalidServiceResponseType))
+        }
+    }
+
+    /// **[Cryptographic Operation]** Perform a key attestation operation via
+    /// ActivateCredential
+    ///
+    /// **This key attestation method is TPM-specific**
+    ///
+    /// You can see more details on the inner-workings, and on the requirements
+    /// for this operation [here](https://parallaxsecond.github.io/parsec-book/parsec_client/operations/attest_key.html).
+    ///
+    /// Before performing an ActivateCredential attestation you must compute
+    /// the `credential_blob` and `secret` parameters using the outputs from
+    /// the `prepare_activate_credential` method.
+    pub fn activate_credential_attestation(
+        &self,
+        attested_key_name: String,
+        attesting_key_name: Option<String>,
+        credential_blob: Vec<u8>,
+        secret: Vec<u8>,
+    ) -> Result<Vec<u8>> {
+        self.can_use_provider(ProviderId::Tpm)?;
+
+        let op = AttestKey::ActivateCredential {
+            attested_key_name,
+            attesting_key_name,
+            credential_blob: credential_blob.into(),
+            secret: secret.into(),
+        };
+
+        let res = self.op_client.process_operation(
+            NativeOperation::AttestKey(op),
+            ProviderId::Tpm,
+            &self.auth_data,
+        )?;
+
+        if let NativeResult::AttestKey(AttestKeyResult::ActivateCredential { credential }) = res {
+            Ok(credential.to_vec())
+        } else {
+            // Should really not be reached given the checks we do, but it's not impossible if some
+            // changes happen in the interface
+            Err(Error::Client(ClientErrorKind::InvalidServiceResponseType))
+        }
+    }
+
     fn can_provide_crypto(&self) -> Result<ProviderId> {
         match self.implicit_provider {
             ProviderId::Core => Err(Error::Client(ClientErrorKind::InvalidProvider)),
             crypto_provider => Ok(crypto_provider),
         }
     }
+
+    fn can_use_provider(&self, provider: ProviderId) -> Result<()> {
+        let providers = self.list_providers()?;
+        if providers.iter().any(|prov| prov.id == provider) {
+            Ok(())
+        } else {
+            Err(Error::Client(ClientErrorKind::NoProvider))
+        }
+    }
 }
 
 impl Default for BasicClient {
@@ -1326,3 +1427,15 @@ impl Default for BasicClient {
         }
     }
 }
+
+/// Wrapper for the data needed to prepare for an
+/// ActivateCredential attestation.
+#[derive(Debug)]
+pub struct PrepareActivateCredential {
+    /// TPM name of key to be attested
+    pub name: Vec<u8>,
+    /// Bytes representing the serialized version of the key public parameters
+    pub public: Vec<u8>,
+    /// The public part of the attesting key
+    pub attesting_key_pub: Vec<u8>,
+}
