WIP: adds a `signature::Signer` interface
This brings an implementation of a signature::Signer for keys stored on the TPM.
This is intended to make for easier re-use of this crate and to allow one to:
- Create certificates https://docs.rs/x509-cert/latest/x509_cert/builder/struct.CertificateBuilder.html
- Create CSRs https://docs.rs/x509-cert/latest/x509_cert/builder/struct.RequestBuilder.html
- Sign documents with S/MIME https://docs.rs/cms/latest/cms/builder/index.html
Here is an implementation of an SSH agent making use of that infrastructure: https://github.com/wiktor-k/ssh-agent-lib/pull/87
Sorry for reviewing a WIP, though I found it a little bit interesting so I couldn't help myself. Feel free to disregard anything I have commented on.
Oh, no, thanks for reviewing it! I sent it a bit early as this is work I've been putting off for almost a year now. I'm doing it mostly to get a sense whether this is a direction the project could go or not.
The two remaining failing tests should be fixed by https://github.com/parallaxsecond/rust-tss-esapi/pull/562. I'll rebase once that merges.
@baloo why does EcSigner depend on TransientKeyContext? The only method used there is sign(). Besides, TransientKeyContext is limited to an RSA key as a primary. It would be better IMO either
- to have a constructor that accepts `Context` and `KeyHandle` in TransientKeyContext/Builder. Currently the fields are private
- Or maybe turn (partially) TransientKeyContext into a trait, since EcSigner uses its methods (actually only sign() so far).
I should probably explain the use case: I'm loading a key that is stored on the TPM as Persistent, and currently there is no way to use EcSigner with such keys. TransientTpmContext is transient for reasons, but then it limits usage of EcSigner.
Sure, I can implement my own signer, but if we can make EcSigner more versatile it would be very cool.
This is a good point. I think I like the idea of making a trait, but I'm not sure how to do it yet; TransientKeyContext and Context::sign are pretty dissimilar.
I have a rough follow-up PR for the trait option: https://github.com/baloo/rust-tss-esapi/pull/1
It was also missing the implementation for an RSA signer: https://github.com/baloo/rust-tss-esapi/pull/2
Ah, one thing that I keep forgetting - could you please document the new feature (in the README)?
Anything else needed here?
@baloo if possible I'd like to do one last test with x509 and TLS this coming weekend. Otherwise looks great!
@rucoder just so you know, there are a bunch of improvements in the upcoming release of x509-cert and we changed everything to a trait-based profile.
I'm the author of the x509-cert builder (and would love feedback).
The trait-based approach proved much more flexible for us. We expect the stable release of the rustcrypto crates in 3-4 months.
https://github.com/parallaxsecond/rust-tss-esapi/pull/563 should pull the pre-releases if you wanted to try that.
I published the Cargo.lock here: https://github.com/baloo/rust-tss-esapi/tree/baloo/make-credentials%2Block
(You will need the Cargo.lock as we're migrating the ecosystem to rand_core 0.9; the ecosystem is a construction site at the moment :D)