signature: Add Signature operation

Implement:

 * OSSL_FUNC_SIGNATURE_SIGN_INIT

as indicated by
https://www.openssl.org/docs/man3.0/man7/provider-signature.html

Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>

Author: tgonzalezorlandoarm

parsec-openssl-provider/src/keymgmt/mod.rs

@@ -15,7 +15,7 @@ use crate::{
 };
 use parsec_openssl2::types::VOID_PTR;
 use parsec_openssl2::*;
-use std::sync::{Arc, Mutex};
+use std::sync::{Arc, Mutex, MutexGuard};
 
 pub struct ParsecProviderKeyObject {
     provctx: Arc<ParsecProviderContext>,
@@ -39,6 +39,14 @@ impl ParsecProviderKeyObject {
             key_name: None.into(),
         }
     }
+
+    pub fn get_provctx(&self) -> Arc<ParsecProviderContext> {
+        self.provctx.clone()
+    }
+
+    pub fn get_key_name(&self) -> MutexGuard<'_, Option<String>> {
+        self.key_name.lock().unwrap()
+    }
 }
 
 /*

parsec-openssl-provider/src/lib.rs

@@ -117,6 +117,7 @@ openssl_errors::openssl_errors! {
             PROVIDER_KEYMGMT_SET_PARAMS("parsec_provider_kmgmt_set_params");
             PROVIDER_KEYMGMT_VALIDATE("parsec_provider_kmgmt_validate");
             PROVIDER_QUERY("parsec_provider_query");
+            PROVIDER_SIGNATURE_SIGN("parsec_provider_signature_sign");
             PROVIDER_SIGNATURE_SIGN_INIT("parsec_provider_signature_sign_init");
             PROVIDER_TEARDOWN("parsec_provider_teardown");
         }

parsec-openssl-provider/src/signature/mod.rs

@@ -4,12 +4,14 @@
 use crate::keymgmt::ParsecProviderKeyObject;
 use crate::openssl_bindings::{
     OSSL_ALGORITHM, OSSL_DISPATCH, OSSL_FUNC_SIGNATURE_FREECTX, OSSL_FUNC_SIGNATURE_NEWCTX,
-    OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_PARAM,
+    OSSL_FUNC_SIGNATURE_SIGN, OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_PARAM,
 };
 use crate::{
     PARSEC_PROVIDER_DESCRIPTION_ECDSA, PARSEC_PROVIDER_DESCRIPTION_RSA,
     PARSEC_PROVIDER_DFLT_PROPERTIES, PARSEC_PROVIDER_ECDSA_NAME, PARSEC_PROVIDER_RSA_NAME,
 };
+use parsec_client::core::interface::operations::psa_algorithm::Algorithm;
+use parsec_client::core::interface::operations::psa_key_attributes::{Attributes, EccFamily, Type};
 use parsec_openssl2::types::VOID_PTR;
 use parsec_openssl2::*;
 
@@ -97,20 +99,136 @@ unsafe extern "C" fn parsec_provider_signature_sign_init(
     }
 }
 
+fn get_signature_len(key_attrs: Attributes) -> Result<usize, String> {
+    match key_attrs.key_type {
+        Type::RsaKeyPair => Ok(key_attrs.bits / 8),
+        Type::EccKeyPair {
+            curve_family: EccFamily::SecpR1,
+        } => {
+            let size_times_two: usize = key_attrs.bits * 2;
+            Ok(size_times_two.div_ceil(8))
+        }
+        _ => Err("Key type not recognized".to_string()),
+    }
+}
+
+/*
+performs the actual signing itself. A previously initialised signature context is passed in the ctx parameter. The data
+to be signed is pointed to be the tbs parameter which is tbslen bytes long. Unless sig is NULL, the signature should be
+written to the location pointed to by the sig parameter and it should not exceed sigsize bytes in length. The length of
+the signature should be written to *siglen. If sig is NULL then the maximum length of the signature should be written
+to *siglen.
+*/
+unsafe extern "C" fn parsec_provider_signature_sign(
+    ctx: VOID_PTR,
+    sig: *mut std::os::raw::c_uchar,
+    siglen: *mut std::os::raw::c_uint,
+    sigsize: std::os::raw::c_uint,
+    tbs: *const std::os::raw::c_uchar,
+    tbslen: std::os::raw::c_uint,
+) -> std::os::raw::c_int {
+    let result = super::r#catch(Some(|| super::Error::PROVIDER_SIGNATURE_SIGN), || {
+        if ctx.is_null() || tbs.is_null() || siglen.is_null() {
+            return Err("Received unexpected NULL pointer as an argument.".into());
+        }
+
+        Arc::increment_strong_count(ctx as *const ParsecProviderSignatureContext);
+        let arc_sig_ctx = Arc::from_raw(ctx as *const ParsecProviderSignatureContext);
+
+        let keyobj = match *arc_sig_ctx.keyobj.lock().unwrap() {
+            None => {
+                return Err("Key Object not set. This should be done through sign_init()".into())
+            }
+            Some(ref keyobj) => keyobj.clone(),
+        };
+
+        let key_name_binding = keyobj.get_key_name();
+        let key_name = match *key_name_binding {
+            None => return Err("Key name not set in the Key Object".into()),
+            Some(ref name) => name,
+        };
+
+        let key_attributes = keyobj
+            .get_provctx()
+            .get_client()
+            .key_attributes(key_name)
+            .map_err(|e| format!("Failed to get specified key's attributes: {}", e))?;
+        let siglength = get_signature_len(key_attributes).map_err(|e| {
+            format!(
+                "Failed to Get correct signature length for the given key:  {}",
+                e
+            )
+        })?;
+
+        if sig.is_null() {
+            *siglen = siglength as std::os::raw::c_uint;
+            return Ok(OPENSSL_SUCCESS);
+        }
+
+        if tbs.is_null() {
+            return Err("Received unexpected NULL pointer as an argument.".into());
+        }
+
+        let tbs_slice: &[u8] = core::slice::from_raw_parts(tbs, tbslen as usize);
+
+        let sign_algorithm = match key_attributes.policy.permitted_algorithms {
+            Algorithm::AsymmetricSignature(signature_algo) => signature_algo,
+            _ => {
+                return Err(
+                    "Specified key does not permit the AsymmetricSignature algorithm".into(),
+                )
+            }
+        };
+
+        let sign_res: Vec<u8> = keyobj
+            .get_provctx()
+            .get_client()
+            .psa_sign_hash(key_name, tbs_slice, sign_algorithm)
+            .map_err(|_| "Parsec Client failed to sign".to_string())?;
+
+        if sigsize >= sign_res.len() as u32 {
+            std::ptr::copy(sign_res.as_ptr(), sig, sign_res.len());
+            *siglen = sign_res.len() as u32;
+            Ok(OPENSSL_SUCCESS)
+        } else {
+            Err(format!(
+                "Signature length is bigger than sigsize. Signature length: {}",
+                sign_res.len()
+            )
+            .into())
+        }
+    });
+
+    match result {
+        Ok(result) => result,
+        Err(()) => OPENSSL_ERROR,
+    }
+}
+
 pub type SignatureNewCtxPtr =
     unsafe extern "C" fn(VOID_PTR, *const std::os::raw::c_char) -> VOID_PTR;
 pub type SignatureFreeCtxPtr = unsafe extern "C" fn(VOID_PTR);
+pub type SignatureSignPtr = unsafe extern "C" fn(
+    VOID_PTR,
+    *mut std::os::raw::c_uchar,
+    *mut std::os::raw::c_uint,
+    std::os::raw::c_uint,
+    *const std::os::raw::c_uchar,
+    std::os::raw::c_uint,
+) -> std::os::raw::c_int;
 pub type SignatureSignInitPtr =
     unsafe extern "C" fn(VOID_PTR, VOID_PTR, *const OSSL_PARAM) -> std::os::raw::c_int;
 
 const OSSL_FUNC_SIGNATURE_NEWCTX_PTR: SignatureNewCtxPtr = parsec_provider_signature_newctx;
 const OSSL_FUNC_SIGNATURE_FREECTX_PTR: SignatureFreeCtxPtr = parsec_provider_signature_freectx;
+const OSSL_FUNC_SIGNATURE_SIGN_PTR: SignatureSignPtr = parsec_provider_signature_sign;
 const OSSL_FUNC_SIGNATURE_SIGN_INIT_PTR: SignatureSignInitPtr = parsec_provider_signature_sign_init;
 
 const PARSEC_PROVIDER_ECDSA_SIGN_IMPL: [OSSL_DISPATCH; 1] = [ossl_dispatch!()];
-const PARSEC_PROVIDER_RSA_SIGN_IMPL: [OSSL_DISPATCH; 4] = [
+const PARSEC_PROVIDER_RSA_SIGN_IMPL: [OSSL_DISPATCH; 5] = [
     unsafe { ossl_dispatch!(OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_FUNC_SIGNATURE_NEWCTX_PTR) },
     unsafe { ossl_dispatch!(OSSL_FUNC_SIGNATURE_FREECTX, OSSL_FUNC_SIGNATURE_FREECTX_PTR) },
+    unsafe { ossl_dispatch!(OSSL_FUNC_SIGNATURE_SIGN, OSSL_FUNC_SIGNATURE_SIGN_PTR) },
     unsafe {
         ossl_dispatch!(
             OSSL_FUNC_SIGNATURE_SIGN_INIT,