From a5d89fa29465fb542b5affcdbe4a81ea2e74ad63 Mon Sep 17 00:00:00 2001 From: Robin Krahl Date: Fri, 1 Mar 2024 16:19:52 +0100 Subject: [PATCH] Add nonce to wrap_key and unwrap_key syscalls This patch adds a nonce argument to the wrap_key and unwrap_key syscalls to be able to use the Aes256Cbc mechanism with a non-zero IV in the future. --- src/api.rs | 2 ++ src/client.rs | 5 +++++ src/client/mechanisms.rs | 5 ++++- src/mechanisms/aes256cbc.rs | 2 +- src/mechanisms/chacha8poly1305.rs | 2 +- 5 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/api.rs b/src/api.rs index a792c6cfaaa..327dec41c9f 100644 --- a/src/api.rs +++ b/src/api.rs @@ -312,6 +312,7 @@ pub mod request { - wrapping_key: KeyId - wrapped_key: Message - associated_data: Message + - nonce: ShortData - attributes: StorageAttributes Verify: @@ -327,6 +328,7 @@ pub mod request { - wrapping_key: KeyId - key: KeyId - associated_data: ShortData + - nonce: Option RequestUserConsent: - level: consent::Level diff --git a/src/client.rs b/src/client.rs index 8897b4cf3c6..cf6e88001a6 100644 --- a/src/client.rs +++ b/src/client.rs @@ -537,15 +537,18 @@ pub trait CryptoClient: PollClient { wrapping_key: KeyId, wrapped_key: Message, associated_data: &[u8], + nonce: &[u8], attributes: StorageAttributes, ) -> ClientResult<'c, reply::UnwrapKey, Self> { let associated_data = Message::from_slice(associated_data).map_err(|_| ClientError::DataTooLarge)?; + let nonce = ShortData::from_slice(nonce).map_err(|_| ClientError::DataTooLarge)?; self.request(request::UnwrapKey { mechanism, wrapping_key, wrapped_key, associated_data, + nonce, attributes, }) } @@ -556,6 +559,7 @@ pub trait CryptoClient: PollClient { wrapping_key: KeyId, key: KeyId, associated_data: &[u8], + nonce: Option, ) -> ClientResult<'_, reply::WrapKey, Self> { let associated_data = Bytes::from_slice(associated_data).map_err(|_| ClientError::DataTooLarge)?; @@ -564,6 +568,7 @@ pub trait CryptoClient: PollClient { wrapping_key, key, associated_data, + nonce, }) } } diff --git a/src/client/mechanisms.rs b/src/client/mechanisms.rs index 0d0dab65e44..2003876b4ed 100644 --- a/src/client/mechanisms.rs +++ b/src/client/mechanisms.rs @@ -17,7 +17,7 @@ pub trait Aes256Cbc: CryptoClient { wrapping_key: KeyId, key: KeyId, ) -> ClientResult<'_, reply::WrapKey, Self> { - self.wrap_key(Mechanism::Aes256Cbc, wrapping_key, key, &[]) + self.wrap_key(Mechanism::Aes256Cbc, wrapping_key, key, &[], None) } } @@ -81,6 +81,7 @@ pub trait Chacha8Poly1305: CryptoClient { wrapping_key, Message::from_slice(wrapped_key).map_err(|_| ClientError::DataTooLarge)?, associated_data, + &[], StorageAttributes::new().set_persistence(location), ) } @@ -90,12 +91,14 @@ pub trait Chacha8Poly1305: CryptoClient { wrapping_key: KeyId, key: KeyId, associated_data: &[u8], + nonce: Option<&[u8; 12]>, ) -> ClientResult<'c, reply::WrapKey, Self> { self.wrap_key( Mechanism::Chacha8Poly1305, wrapping_key, key, associated_data, + nonce.and_then(|nonce| ShortData::from_slice(nonce).ok()), ) } } diff --git a/src/mechanisms/aes256cbc.rs b/src/mechanisms/aes256cbc.rs index 6b0ca4c8fcb..2b114e00f35 100644 --- a/src/mechanisms/aes256cbc.rs +++ b/src/mechanisms/aes256cbc.rs @@ -83,7 +83,7 @@ impl WrapKey for super::Aes256Cbc { key: request.wrapping_key, message, associated_data: request.associated_data.clone(), - nonce: None, + nonce: request.nonce.clone(), }; let encryption_reply = ::encrypt(keystore, &encryption_request)?; diff --git a/src/mechanisms/chacha8poly1305.rs b/src/mechanisms/chacha8poly1305.rs index 9fe96030bc1..e2cb68cf9c4 100644 --- a/src/mechanisms/chacha8poly1305.rs +++ b/src/mechanisms/chacha8poly1305.rs @@ -183,7 +183,7 @@ impl WrapKey for super::Chacha8Poly1305 { key: request.wrapping_key, message, associated_data: request.associated_data.clone(), - nonce: None, + nonce: request.nonce.clone(), }; let encryption_reply = ::encrypt(keystore, &encryption_request)?;