Merge pull request #24 from Nitrokey/revert

Revert #18 and #22

Author: robin-nitrokey

src/api.rs

@@ -43,24 +43,17 @@ generate_enums! {
     ReadDirFilesFirst: 13
     ReadDirFilesNext: 14
     ReadFile: 15
-    ReadChunk: 65
     Metadata: 26
     // ReadCounter: 7
     RandomBytes: 16
     SerializeKey: 17
     Sign: 18
     WriteFile: 19
-    StartChunkedWrite: 66
-    WriteChunk: 67
-    FlushChunks: 68
-    AbortChunkedWrite: 69
     UnsafeInjectKey: 20
     UnsafeInjectSharedKey: 21
     UnwrapKey: 22
-    UnwrapKeyFromFile: 70
     Verify: 23
     WrapKey: 24
-    WrapKeyToFile: 71
 
     Attest: 0xFF
 
@@ -249,10 +242,6 @@ pub mod request {
         ReadFile:
           - location: Location
           - path: PathBuf
-        ReadChunk:
-          - location: Location
-          - pos: OpenSeekFrom
-          - path: PathBuf
 
         Metadata:
           - location: Location
@@ -294,24 +283,6 @@ pub mod request {
           - data: Message
           - user_attribute: Option<UserAttribute>
 
-        StartChunkedWrite:
-          - location: Location
-          - path: PathBuf
-          - data: Message
-          - user_attribute: Option<UserAttribute>
-
-        WriteChunk:
-          - location: Location
-          - pos: OpenSeekFrom
-          - path: PathBuf
-          - data: Message
-        FlushChunks:
-          - location: Location
-          - path: PathBuf
-        AbortChunkedWrite:
-          - location: Location
-          - path: PathBuf
-
         UnsafeInjectKey:
           - mechanism: Mechanism        // -> implies key type
           - raw_key: SerializedKey
@@ -343,23 +314,6 @@ pub mod request {
           - key: KeyId
           - associated_data: ShortData
 
-        // this should always be an AEAD algorithm
-        WrapKeyToFile:
-          - mechanism: Mechanism
-          - wrapping_key: KeyId
-          - key: KeyId
-          - path: PathBuf
-          - location: Location
-          - associated_data: Message
-
-        UnwrapKeyFromFile:
-          - mechanism: Mechanism
-          - key: KeyId
-          - path: PathBuf
-          - file_location: Location
-          - key_location: Location
-          - associated_data: Message
-
         RequestUserConsent:
           - level: consent::Level
           - timeout_milliseconds: u32
@@ -480,9 +434,6 @@ pub mod reply {
 
         ReadFile:
           - data: Message
-        ReadChunk:
-          - data: Message
-          - len: usize
 
         Metadata:
           - metadata: Option<crate::types::Metadata>
@@ -507,11 +458,6 @@ pub mod reply {
             - signature: Signature
 
         WriteFile:
-        StartChunkedWrite:
-        WriteChunk:
-        FlushChunks:
-        AbortChunkedWrite:
-            - aborted: bool
 
         Verify:
             - valid: bool
@@ -525,15 +471,9 @@ pub mod reply {
         UnwrapKey:
             - key: Option<KeyId>
 
-        UnwrapKeyFromFile:
-          - key: Option<KeyId>
-
         WrapKey:
             - wrapped_key: Message
 
-        // this should always be an AEAD algorithm
-        WrapKeyToFile:
-
         // UI
         RequestUserConsent:
             - result: consent::Result

src/client.rs

@@ -531,54 +531,6 @@ pub trait CryptoClient: PollClient {
             associated_data,
         })
     }
-
-    /// Wrap a key to a file
-    /// This enables wrapping keys that don't fit in the buffers used by
-    /// [`write_file`](FilesystemClient::write_file) and [`read_file`](FilesystemClient::read_file)
-    fn wrap_key_to_file(
-        &mut self,
-        mechanism: Mechanism,
-        wrapping_key: KeyId,
-        key: KeyId,
-        path: PathBuf,
-        location: Location,
-        associated_data: &[u8],
-    ) -> ClientResult<'_, reply::WrapKeyToFile, Self> {
-        let associated_data =
-            Bytes::from_slice(associated_data).map_err(|_| ClientError::DataTooLarge)?;
-        self.request(request::WrapKeyToFile {
-            mechanism,
-            wrapping_key,
-            key,
-            path,
-            location,
-            associated_data,
-        })
-    }
-
-    /// Wrap a key to a file
-    /// This enables wrapping keys that don't fit in the buffers used by
-    /// [`write_file`](FilesystemClient::write_file) and [`read_file`](FilesystemClient::read_file)
-    fn unwrap_key_from_file(
-        &mut self,
-        mechanism: Mechanism,
-        key: KeyId,
-        path: PathBuf,
-        file_location: Location,
-        key_location: Location,
-        associated_data: &[u8],
-    ) -> ClientResult<'_, reply::UnwrapKeyFromFile, Self> {
-        let associated_data =
-            Bytes::from_slice(associated_data).map_err(|_| ClientError::DataTooLarge)?;
-        self.request(request::UnwrapKeyFromFile {
-            mechanism,
-            key,
-            path,
-            file_location,
-            key_location,
-            associated_data,
-        })
-    }
 }
 
 /// Create counters, increment existing counters.
@@ -670,20 +622,6 @@ pub trait FilesystemClient: PollClient {
         self.request(request::ReadFile { location, path })
     }
 
-    // Read part of a file, up to 1KiB starting at `pos`
-    fn read_file_chunk(
-        &mut self,
-        location: Location,
-        path: PathBuf,
-        pos: OpenSeekFrom,
-    ) -> ClientResult<'_, reply::ReadChunk, Self> {
-        self.request(request::ReadChunk {
-            location,
-            path,
-            pos,
-        })
-    }
-
     /// Fetch the Metadata for a file or directory
     ///
     /// If the file doesn't exists, return None
@@ -722,64 +660,6 @@ pub trait FilesystemClient: PollClient {
             user_attribute,
         })
     }
-
-    /// Begin writing a file that can be larger than 1KiB
-    ///
-    /// More chunks can be written with [`write_file_chunk`](FilesystemClient::write_file_chunk).
-    /// Before the data becomes readable, it needs to be flushed with [`flush_chunks`](FilesystemClient::flush_chunks), or aborted with [`abort_chunked_write`](FilesystemClient::abort_chunked_write)
-    ///
-    /// Chunked writes are buffered in memory. Failing to abort or flush a chunked write will lead to a memory leak, that can be solved by a power cycle.
-    fn start_chunked_write(
-        &mut self,
-        location: Location,
-        path: PathBuf,
-        data: Message,
-        user_attribute: Option<UserAttribute>,
-    ) -> ClientResult<'_, reply::StartChunkedWrite, Self> {
-        self.request(request::StartChunkedWrite {
-            location,
-            path,
-            data,
-            user_attribute,
-        })
-    }
-
-    /// Write part of a file
-    ///
-    /// See [`start_chunked_write`](FilesystemClient::start_chunked_write).
-    fn write_file_chunk(
-        &mut self,
-        location: Location,
-        path: PathBuf,
-        data: Message,
-        pos: OpenSeekFrom,
-    ) -> ClientResult<'_, reply::WriteChunk, Self> {
-        self.request(request::WriteChunk {
-            location,
-            path,
-            data,
-            pos,
-        })
-    }
-
-    /// Flush a file opened with [`start_chunked_write`](FilesystemClient::start_chunked_write).
-    /// Only after this will the content of the file be readable
-    fn flush_chunks(
-        &mut self,
-        location: Location,
-        path: PathBuf,
-    ) -> ClientResult<'_, reply::FlushChunks, Self> {
-        self.request(request::FlushChunks { location, path })
-    }
-
-    /// Abort writes to a file opened with [`start_chunked_write`](FilesystemClient::start_chunked_write).
-    fn abort_chunked_write(
-        &mut self,
-        location: Location,
-        path: PathBuf,
-    ) -> ClientResult<'_, reply::AbortChunkedWrite, Self> {
-        self.request(request::AbortChunkedWrite { location, path })
-    }
 }
 
 /// All the other methods that are fit to expose.

src/lib.rs

@@ -36,7 +36,6 @@ pub mod serde_extensions;
 pub mod service;
 pub mod store;
 pub mod types;
-pub mod utils;
 
 #[cfg(feature = "virt")]
 #[cfg_attr(docsrs, doc(cfg(feature = "virt")))]

src/mechanisms/chacha8poly1305.rs

@@ -1,6 +1,5 @@
 use crate::api::*;
 // use crate::config::*;
-use crate::config::MAX_SERIALIZED_KEY_LENGTH;
 use crate::error::Error;
 use crate::key;
 use crate::service::*;
@@ -16,95 +15,6 @@ const TOTAL_LEN: usize = KEY_LEN + NONCE_LEN;
 const TAG_LEN: usize = 16;
 const KIND: key::Kind = key::Kind::Symmetric(KEY_LEN);
 const KIND_NONCE: key::Kind = key::Kind::Symmetric32Nonce(NONCE_LEN);
-const WRAPPED_TO_FILE_LEN: usize = MAX_SERIALIZED_KEY_LENGTH + NONCE_LEN + TAG_LEN;
-
-#[cfg(feature = "chacha8-poly1305")]
-impl super::Chacha8Poly1305 {
-    pub fn wrap_key_to_file(
-        keystore: &mut impl Keystore,
-        filestore: &mut impl Filestore,
-        request: &request::WrapKeyToFile,
-    ) -> Result<reply::WrapKeyToFile, Error> {
-        use chacha20poly1305::aead::{AeadMutInPlace, KeyInit};
-        use chacha20poly1305::ChaCha8Poly1305;
-        use rand_core::RngCore as _;
-
-        let serialized_key = keystore.load_key(key::Secrecy::Secret, None, &request.key)?;
-
-        let mut data =
-            Bytes::<WRAPPED_TO_FILE_LEN>::from_slice(&serialized_key.serialize()).unwrap();
-        let material_len = data.len();
-        data.resize_default(material_len + NONCE_LEN).unwrap();
-        let (material, nonce) = data.split_at_mut(material_len);
-        keystore.rng().fill_bytes(nonce);
-        let nonce = (&*nonce).try_into().unwrap();
-
-        let key = keystore.load_key(key::Secrecy::Secret, Some(KIND), &request.wrapping_key)?;
-        let chachakey: [u8; KEY_LEN] = (&*key.material).try_into().unwrap();
-        let mut aead = ChaCha8Poly1305::new(&GenericArray::clone_from_slice(&chachakey));
-        let tag = aead
-            .encrypt_in_place_detached(
-                <&GenericArray<_, _> as From<&[u8; NONCE_LEN]>>::from(nonce),
-                &request.associated_data,
-                material,
-            )
-            .unwrap();
-        data.extend_from_slice(&tag).unwrap();
-        filestore.write(&request.path, request.location, &data)?;
-        Ok(reply::WrapKeyToFile {})
-    }
-
-    pub fn unwrap_key_from_file(
-        keystore: &mut impl Keystore,
-        filestore: &mut impl Filestore,
-        request: &request::UnwrapKeyFromFile,
-    ) -> Result<reply::UnwrapKeyFromFile, Error> {
-        use chacha20poly1305::aead::{AeadMutInPlace, KeyInit};
-        use chacha20poly1305::ChaCha8Poly1305;
-        let mut data: Bytes<WRAPPED_TO_FILE_LEN> =
-            filestore.read(&request.path, request.file_location)?;
-
-        let data_len = data.len();
-        if data_len < TAG_LEN + NONCE_LEN {
-            error!("Attempt to unwrap file that doesn't contain a key");
-            return Err(Error::InvalidSerializedKey);
-        }
-        let (tmp, tag) = data.split_at_mut(data_len - TAG_LEN);
-        let tmp_len = tmp.len();
-        let (material, nonce) = tmp.split_at_mut(tmp_len - NONCE_LEN);
-
-        // Coerce to array
-        let nonce = (&*nonce).try_into().unwrap();
-        let tag = (&*tag).try_into().unwrap();
-
-        let key = keystore.load_key(key::Secrecy::Secret, Some(KIND), &request.key)?;
-        let chachakey: [u8; KEY_LEN] = (&*key.material).try_into().unwrap();
-        let mut aead = ChaCha8Poly1305::new(&GenericArray::clone_from_slice(&chachakey));
-        if aead
-            .decrypt_in_place_detached(
-                <&GenericArray<_, _> as From<&[u8; NONCE_LEN]>>::from(nonce),
-                &request.associated_data,
-                material,
-                <&GenericArray<_, _> as From<&[u8; TAG_LEN]>>::from(tag),
-            )
-            .is_err()
-        {
-            return Ok(reply::UnwrapKeyFromFile { key: None });
-        }
-        let key = key::Key::try_deserialize(material)?;
-        let info = key::Info {
-            flags: key.flags,
-            kind: key.kind,
-        };
-        let key = keystore.store_key(
-            request.key_location,
-            key::Secrecy::Secret,
-            info,
-            &key.material,
-        )?;
-        Ok(reply::UnwrapKeyFromFile { key: Some(key) })
-    }
-}
 
 #[cfg(feature = "chacha8-poly1305")]
 impl GenerateKey for super::Chacha8Poly1305 {