WIP: api: bind the public key API

mathstuf · mathstuf · commit 8f8dc3617220 · 2017-01-11T17:31:18.000-05:00
diff --git a/src/api.rs b/src/api.rs
@@ -344,6 +344,128 @@ pub struct Key {
     id: KeyringSerial,
 }
 
+/// Structure to store results from a query on optional feature support for a key.
+pub struct KeySupportInfo {
+    /// Features supported by the key.
+    pub supported_ops: KeyctlSupportFlags,
+    /// The size of the key (in bits).
+    pub key_size: u32,
+    /// The maximum size of a data blob which may be signed.
+    pub max_data_size: u16,
+    /// The maximum size of a signature blob.
+    pub max_sig_size: u16,
+    /// The maximum size of a blob to be encrypted.
+    pub max_enc_size: u16,
+    /// The maximum size of a blob to be decrypted.
+    pub max_dec_size: u16,
+}
+
+impl KeySupportInfo {
+    fn from_c(c_info: keyctl_pkey_query) -> Self {
+        KeySupportInfo {
+            supported_ops: c_info.supported_ops,
+            key_size: c_info.key_size,
+            max_data_size: c_info.max_data_size,
+            max_sig_size: c_info.max_sig_size,
+            max_enc_size: c_info.max_enc_size,
+            max_dec_size: c_info.max_dec_size,
+        }
+    }
+}
+
+/// Encodings supported by the kernel.
+pub enum KeyctlEncoding {
+    RSASSA_PKCS1_v1_5,
+    RSAES_PKCS1_v1_5,
+    RSASSA_PSS,
+    RSAES_OAEP,
+    /// For extensibility.
+    OtherEncoding(String),
+}
+
+impl KeyctlEncoding {
+    fn encoding(&self) -> &str {
+        match *self {
+            KeyctlEncoding::RSASSA_PKCS1_v1_5    => "pkcs1",
+            KeyctlEncoding::RSAES_PKCS1_v1_5     => "pkcs1",
+            KeyctlEncoding::RSASSA_PSS           => "pss",
+            KeyctlEncoding::RSAES_OAEP           => "oaep",
+            KeyctlEncoding::OtherEncoding(ref s) => &s,
+        }
+    }
+}
+
+/// Hashes supported by the kernel.
+pub enum KeyctlHash {
+    MD4,
+    MD5,
+    SHA1,
+    SHA224,
+    SHA256,
+    SHA384,
+    SHA512,
+    RIPE_MD_128,
+    RIPE_MD_160,
+    RIPE_MD_256,
+    RIPE_MD_320,
+    WP_256,
+    WP_384,
+    WP_512,
+    TGR_128,
+    TGR_160,
+    TGR_192,
+    SM3_256,
+    /// For extensibility.
+    OtherEncoding(String),
+}
+
+impl KeyctlHash {
+    fn hash(&self) -> &str {
+        match *self {
+            KeyctlHash::MD4                  => "md4",
+            KeyctlHash::MD5                  => "md5",
+            KeyctlHash::SHA1                 => "sha1",
+            KeyctlHash::SHA224               => "sha224",
+            KeyctlHash::SHA256               => "sha256",
+            KeyctlHash::SHA384               => "sha384",
+            KeyctlHash::SHA512               => "sha512",
+            KeyctlHash::RIPE_MD_128          => "rmd128",
+            KeyctlHash::RIPE_MD_160          => "rmd160",
+            KeyctlHash::RIPE_MD_256          => "rmd256",
+            KeyctlHash::RIPE_MD_320          => "rmd320",
+            KeyctlHash::WP_256               => "wp256",
+            KeyctlHash::WP_384               => "wp384",
+            KeyctlHash::WP_512               => "wp512",
+            KeyctlHash::TGR_128              => "tgr128",
+            KeyctlHash::TGR_160              => "tgr160",
+            KeyctlHash::TGR_192              => "tgr192",
+            KeyctlHash::SM3_256              => "sm3-256",
+            KeyctlHash::OtherEncoding(ref s) => &s,
+        }
+    }
+}
+
+/// Options for output from public key functions (encryption, decryption, signing, and verifying).
+pub struct PublicKeyOptions {
+    /// The encoding of the encrypted blob or the signature.
+    pub encoding: Option<KeyctlEncoding>,
+    /// Hash algorithm to use (if the encoding uses it).
+    pub hash: Option<KeyctlHash>,
+}
+
+impl PublicKeyOptions {
+    fn info(&self) -> String {
+        let options = [
+            ("enc", self.encoding.as_ref().map(KeyctlEncoding::encoding)),
+            ("hash", self.hash.as_ref().map(KeyctlHash::hash)),
+        ].iter().map(|&(key, value)| {
+            value.map_or_else(String::new,
+                              |v| format!("{}={}", key, v))
+        }).collect::<Vec<_>>();
+        options.join(" ").trim().to_owned()
+    }
+}
+
 impl Key {
     /// Requests a key with the given description by searching the thread, process, and session
     /// keyrings.
@@ -445,12 +567,61 @@ impl Key {
 
     /// Compute a Diffie-Hellman prime for use as a shared secret or public key.
     pub fn compute_dh(private: &Key, prime: &Key, base: &Key) -> Result<Vec<u8>> {
-        let sz = try!(check_call_ret(unsafe { keyctl_dh_compute(private.id, prime.id, base.id, ptr::null() as *mut libc::c_char, 0) }));
+        let sz = try!(check_call_ret(unsafe { keyctl_dh_compute(private.id, prime.id, base.id, ptr::null_mut() as *mut libc::c_char, 0) }));
         let mut buffer = Vec::with_capacity(sz as usize);
         let actual_sz = try!(check_call_ret(unsafe { keyctl_dh_compute(private.id, prime.id, base.id, buffer.as_mut_ptr() as *mut libc::c_char, sz as usize) }));
         unsafe { buffer.set_len(actual_sz as usize) };
         Ok(buffer)
     }
+
+    /// Query which optionally supported features may be used by the key.
+    pub fn query_support(&self, password: &Option<Key>) -> Result<KeySupportInfo> {
+        let mut info = keyctl_pkey_query::new();
+        let password_id = password.as_ref().map_or(0, |pass| pass.id);
+        try!(check_call_ret(unsafe { keyctl_pkey_query(self.id, password_id, &mut info) }));
+        Ok(KeySupportInfo::from_c(info))
+    }
+
+    /// Encrypt data using the key.
+    pub fn encrypt(&self, password: &Option<Key>, options: &PublicKeyOptions, data: &[u8]) -> Result<Vec<u8>> {
+        let password_id = password.as_ref().map_or(0, |pass| pass.id);
+        let info_cstr = CString::new(options.info()).unwrap();
+        let sz = try!(self.query_support(password)).max_enc_size;
+        let mut buffer = Vec::with_capacity(sz as usize);
+        let actual_sz = try!(check_call_ret(unsafe { keyctl_pkey_encrypt(self.id, password_id, info_cstr.as_ptr(), data.as_ptr() as *const libc::c_void, data.len(), buffer.as_mut_ptr() as *mut libc::c_void, buffer.len()) }));
+        unsafe { buffer.set_len(actual_sz as usize) };
+        Ok(buffer)
+    }
+
+    /// Decrypt data using the key.
+    pub fn decrypt(&self, password: &Option<Key>, options: &PublicKeyOptions, data: &[u8]) -> Result<Vec<u8>> {
+        let password_id = password.as_ref().map_or(0, |pass| pass.id);
+        let info_cstr = CString::new(options.info()).unwrap();
+        let sz = try!(self.query_support(password)).max_dec_size;
+        let mut buffer = Vec::with_capacity(sz as usize);
+        let actual_sz = try!(check_call_ret(unsafe { keyctl_pkey_decrypt(self.id, password_id, info_cstr.as_ptr(), data.as_ptr() as *const libc::c_void, data.len(), buffer.as_mut_ptr() as *mut libc::c_void, buffer.len()) }));
+        unsafe { buffer.set_len(actual_sz as usize) };
+        Ok(buffer)
+    }
+
+    /// Sign data using the key.
+    pub fn sign(&self, password: &Option<Key>, options: &PublicKeyOptions, data: &[u8]) -> Result<Vec<u8>> {
+        let password_id = password.as_ref().map_or(0, |pass| pass.id);
+        let info_cstr = CString::new(options.info()).unwrap();
+        let sz = try!(self.query_support(password)).max_sig_size;
+        let mut buffer = Vec::with_capacity(sz as usize);
+        let actual_sz = try!(check_call_ret(unsafe { keyctl_pkey_sign(self.id, password_id, info_cstr.as_ptr(), data.as_ptr() as *const libc::c_void, data.len(), buffer.as_mut_ptr() as *mut libc::c_void, buffer.len()) }));
+        unsafe { buffer.set_len(actual_sz as usize) };
+        Ok(buffer)
+    }
+
+    /// Verify a signature of the data using the key.
+    pub fn verify(&self, password: &Option<Key>, options: &PublicKeyOptions, data: &[u8], signature: &[u8]) -> Result<bool> {
+        let password_id = password.as_ref().map_or(0, |pass| pass.id);
+        let info_cstr = CString::new(options.info()).unwrap();
+        let res = try!(check_call_ret(unsafe { keyctl_pkey_sign(self.id, password_id, info_cstr.as_ptr(), data.as_ptr() as *const libc::c_void, data.len(), signature.as_ptr() as *mut libc::c_void, signature.len()) }));
+        Ok(res == 0)
+    }
 }
 
 /// Structure representing the metadata about a key or keyring.
diff --git a/src/constants.rs b/src/constants.rs
@@ -182,6 +182,20 @@ bitflags! {
     }
 }
 
+/// They kernel type for representing support for optional features.
+///
+/// TODO: explain more
+pub type KeyctlSupportFlags = u32;
+
+bitflags! {
+    flags KeyctlSupportFlag: KeyctlSupportFlags {
+        const SUPPORTS_ENCRYPT  = 0x01,
+        const SUPPORTS_DECRYPT  = 0x02,
+        const SUPPORTS_SIGN     = 0x04,
+        const SUPPORTS_VERIFY   = 0x08,
+    }
+}
+
 #[test]
 fn test_keyring_ids() {
     assert_eq!(SpecialKeyring::ThreadKeyring.serial(),
@@ -250,3 +264,11 @@ fn test_permission_bits() {
     assert_eq!(OTHER_SET_ATTRIBUTE.bits, KEY_OTH_SETATTR);
     assert_eq!(OTHER_ALL.bits, KEY_OTH_ALL);
 }
+
+#[test]
+fn test_support_flags() {
+    assert_eq!(SUPPORTS_ENCRYPT.bits, KEYCTL_SUPPORTS_ENCRYPT);
+    assert_eq!(SUPPORTS_DECRYPT.bits, KEYCTL_SUPPORTS_DECRYPT);
+    assert_eq!(SUPPORTS_SIGN.bits, KEYCTL_SUPPORTS_SIGN);
+    assert_eq!(SUPPORTS_VERIFY.bits, KEYCTL_SUPPORTS_VERIFY);
+}
diff --git a/src/ffi.rs b/src/ffi.rs
@@ -58,6 +58,41 @@ pub const KEY_OTH_LINK:    key_perm_t = 0x00000010;
 pub const KEY_OTH_SETATTR: key_perm_t = 0x00000020;
 pub const KEY_OTH_ALL:     key_perm_t = 0x0000003f;
 
+// No actual type in the API, but create one for simplicity.
+#[allow(non_camel_case_types)]
+pub type _keyctl_support_t = libc::uint32_t;
+
+pub const KEYCTL_SUPPORTS_ENCRYPT: _keyctl_support_t = 0x01;
+pub const KEYCTL_SUPPORTS_DECRYPT: _keyctl_support_t = 0x02;
+pub const KEYCTL_SUPPORTS_SIGN:    _keyctl_support_t = 0x04;
+pub const KEYCTL_SUPPORTS_VERIFY:  _keyctl_support_t = 0x08;
+
+#[repr(C)]
+#[allow(non_camel_case_types)]
+pub struct keyctl_pkey_query {
+    pub supported_ops:  libc::uint32_t,
+    pub key_size:       libc::uint32_t,
+    pub max_data_size:  libc::uint16_t,
+    pub max_sig_size:   libc::uint16_t,
+    pub max_enc_size:   libc::uint16_t,
+    pub max_dec_size:   libc::uint16_t,
+    __spare:            [libc::uint32_t; 10],
+}
+
+impl keyctl_pkey_query {
+    pub fn new() -> Self {
+        keyctl_pkey_query {
+            supported_ops: 0,
+            key_size: 0,
+            max_data_size: 0,
+            max_sig_size: 0,
+            max_enc_size: 0,
+            max_dec_size: 0,
+            __spare: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+        }
+    }
+}
+
 #[link(name = "keyutils")]
 extern "C" {
     pub fn add_key(
@@ -173,4 +208,45 @@ extern "C" {
         buffer:     *mut libc::c_char,
         buflen:     libc::size_t)
         -> libc::c_long;
+    pub fn keyctl_pkey_query(
+        key:        key_serial_t,
+        password:   key_serial_t,
+        info:       *mut keyctl_pkey_query)
+        -> libc::c_long;
+    pub fn keyctl_pkey_encrypt(
+        key:        key_serial_t,
+        password:   key_serial_t,
+        info:       *const libc::c_char,
+        data:       *const libc::c_void,
+        data_len:   libc::size_t,
+        enc:        *mut libc::c_void,
+        enc_len:    libc::size_t)
+        -> libc::c_long;
+    pub fn keyctl_pkey_decrypt(
+        key:        key_serial_t,
+        password:   key_serial_t,
+        info:       *const libc::c_char,
+        enc:        *const libc::c_void,
+        enc_len:    libc::size_t,
+        data:       *mut libc::c_void,
+        data_len:   libc::size_t)
+        -> libc::c_long;
+    pub fn keyctl_pkey_sign(
+        key:        key_serial_t,
+        password:   key_serial_t,
+        info:       *const libc::c_char,
+        data:       *const libc::c_void,
+        data_len:   libc::size_t,
+        sig:        *mut libc::c_void,
+        sig_len:    libc::size_t)
+        -> libc::c_long;
+    pub fn keyctl_pkey_verify(
+        key:        key_serial_t,
+        password:   key_serial_t,
+        info:       *const libc::c_char,
+        data:       *const libc::c_void,
+        data_len:   libc::size_t,
+        sig:        *const libc::c_void,
+        sig_len:    libc::size_t)
+        -> libc::c_long;
 }
