Comments (12)
should we have a
parsec-interface-rs
dependency in the Mbed Crypto crate?
I'm not sure that adds much value - we can have a dependency on the Mbed crypto crate in the interface crate and implement the conversions there. The Mbed-specific structures and some abstractions for the usage patterns should be defined in the Mbed crate, but nothing more
from parsec.
I think 3 is not so bad and could be implemented relatively easily.
It's true that it won't be a huge effort now, but it might end up requiring a lot of maintenance as new versions are released. It's true, though, that the same effort would be required for maintaining handwritten Rust code as well.
from parsec.
The repo has been created at https://github.com/parallaxsecond/rust-psa-crypto
Feel free to make a pull request with your changes!
from parsec.
As part of that, we should also make the Mbed Crypto crate dynamically load the C shared library to remove the need of building it ourselves.
from parsec.
I propose the following design/ideas for the Mbed Crypto crate.
It will have three goals:
- Link the available Mbed Crypto library on the system (in the default installation location) to the crate. Thtat means that we will no longer compile it ourselves.
- Produce
bindgen
Rust FFI to call the C library from Rust + write the needed preprocessor constants in a separate file (the equivalent of our currentconstants.rs
). That would be the low-level, unsafe, layer. - On top of that layer produce a safe Rust wrapper that uses idomatic Rust features and abstract C types.
There seems to be a lot of duplication between things we use in the Parsec Rust interface and things we would abstract in this crate. For example, the KeyAttributes
structure and the way we convert it to the psa_key_attributes_t
C structure. Should we re-use the same types?
As in, should we have a parsec-interface-rs
dependency in the Mbed Crypto crate? Should those structures be only defined once in the Mbed Crypto crate?
from parsec.
If I understand correctly, bindgen
generates Rust code that lets you directly access structures that are supposed to be opaque (such as psa_key_attributes_t
), while it doesn't give you access to parts of the official API (such as psa_set_key_lifetime
) which are defined as "static" functions or perhaps even as macros. So you might still have to write and compile a static C library consisting of shims/stubs. Or is there a better way?
from parsec.
You understanding is correct and regarding the psa_set_key_***
and psa_get_key_***
accessors particularly, as they are all defined in Mbed Crypto as static inline
, bindgen
can not generate Rust code for those.
The solutions we have:
- rely on the Mbed Crypto implementation of
psa_key_attributes_t
as we do now. Our code will break over different versions of Mbed Crypto that modify the opaque structure. It won't be portable if we want to target another PSA Crypto API implementation. - find a way to compile Mbed Crypto forcing it to not inline the functions. There is a
-fno-inline
switch on GCC but Im wondering if it works even on functions markedstatic inline
in a header file. Probably not. - As you said, in the
build.rs
file compile with Mbed Crypto a library of C functions calling all thestatic inline
functions so thatbindgen
can see them. We could actually do the same for macro values part of the API to not have to define aconstants.rs
file. - Wait that
bindgen
supports that itself
I think 3 is not so bad and could be implemented relatively easily.
from parsec.
That also made me think that this crate we are going to create, it could/should be a psa-crypto-rust
crate and not a mbed-crypto-rust
one (Mbed Crypto being the default).
from parsec.
Renamed the issue as creating a crate that interfaces with PSA Crypto and not only Mbed Crypto is a goal of this.
This should link with Mbed Crypto by default though.
from parsec.
rely on the Mbed Crypto implementation of psa_key_attributes_t as we do now. Our code will break over different versions of Mbed Crypto that modify the opaque structure.
Yes, your code will break. Don't do that.
find a way to compile Mbed Crypto forcing it to not inline the functions.
from parsec.
I'm currently experimenting with this by splitting off part of Parsec into a sub-crate currently called mbed-crypto
, though I'm trying to use just the official PSA Crypto API so that it's not Mbed-specific.
from parsec.
The wrapper is now in a good shape! The next step is import psa-crypto
to be used in the Mbed Crypto Provider. That will be done as part of #177
from parsec.
Related Issues (20)
- Can we have a single "latest" Quickstart release package?
- Parsec fails to compile for arm32 HOT 4
- Vulnerability in SQLite HOT 3
- Investigate using Arm Virtual Hardware in CI
- Suggest using `/dev/tpmrm0` over `/dev/tpm`
- Parsec 1.1 fails to build with meta-security master branch HOT 4
- Parsec Quickstart - Docker: Pull access denied for parallaxsecond/parsec-quickstart, repository does not exist HOT 1
- Update cryptoki version to `0.4.1` HOT 1
- parsec 1.1.0/1.2.0-rc1 fail to build with gcc13 HOT 3
- Generate arm64 quickstart package
- Provide details of built-in providers
- Investigate e2e_tests failure on RasberryPi for PKCS11 backend
- Investigate e2e_tests failure on RasberryPi for TPM backend
- Migrate away from using users crate HOT 1
- Format check errors should only appear in one CI job
- parsec-quickstart container on arm64 HOT 1
- Improve PKCS11 failure mode HOT 1
- e2e_tests/stress.rs: Signature Verification fails sporadically with PsaErrorInvalidArgument
- parsec-cli-tests.sh error: The CSR does not contain the serialNumber field of the Distinguished Name HOT 3
- PKCS11/SoftHSM/RSA issue: Decryption with a different key to the one used for Encryption is allowed HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from parsec.