feat(pki): Add algorithm ID

FirelightFlagboy · FirelightFlagboy · commit b4741435e180 · 2025-09-24T10:57:27.000+02:00
Used to identify which algorithm was used and which to use even tho we only support RSA for now
diff --git a/libparsec/crates/platform_pki/examples/decrypt_message.rs b/libparsec/crates/platform_pki/examples/decrypt_message.rs
@@ -5,7 +5,9 @@ use std::path::PathBuf;
 
 use anyhow::Context;
 use clap::Parser;
-use libparsec_platform_pki::{decrypt_message, CertificateHash, CertificateReference};
+use libparsec_platform_pki::{
+    decrypt_message, CertificateHash, CertificateReference, EncryptionAlgorithm,
+};
 
 #[derive(Debug, Parser)]
 struct Args {
@@ -14,6 +16,9 @@ struct Args {
     certificate_hash: CertificateHash,
     #[command(flatten)]
     content: ContentOpts,
+    /// The algorithm used to encrypt the content.
+    #[arg(long, default_value_t = EncryptionAlgorithm::RsaesOaepSha256)]
+    algorithm: EncryptionAlgorithm,
 }
 
 #[derive(Debug, Clone, clap::Args)]
@@ -39,11 +44,13 @@ fn main() -> anyhow::Result<()> {
         .decode(&b64_data)
         .context("Failed to decode hex encoded data")?;
 
-    let res = decrypt_message(&data, &cert_ref).context("Failed to decrypt message")?;
+    let res =
+        decrypt_message(args.algorithm, &data, &cert_ref).context("Failed to decrypt message")?;
 
     println!(
-        "Decrypted by cert with id: {}",
-        data_encoding::BASE64.encode_display(&res.cert_ref.id)
+        "Decrypted by cert with id {{{}}} with algo {}",
+        data_encoding::BASE64.encode_display(&res.cert_ref.id),
+        args.algorithm
     );
     #[cfg(feature = "hash-sri-display")]
     println!("Decrypted by cert with fingerprint: {}", res.cert_ref.hash);
diff --git a/libparsec/crates/platform_pki/examples/encrypt_message.rs b/libparsec/crates/platform_pki/examples/encrypt_message.rs
@@ -39,8 +39,9 @@ fn main() -> anyhow::Result<()> {
     let res = encrypt_message(&data, &cert_ref).context("Failed to encrypt message")?;
 
     println!(
-        "Encrypted by cert with id: {}",
-        data_encoding::BASE64.encode_display(&res.cert_ref.id)
+        "Encrypted by cert with id {{{}}} using the algorithm {}",
+        data_encoding::BASE64.encode_display(&res.cert_ref.id),
+        res.algo
     );
     #[cfg(feature = "hash-sri-display")]
     println!("Encrypted by cert with fingerprint: {}", res.cert_ref.hash);
diff --git a/libparsec/crates/platform_pki/examples/sign_message.rs b/libparsec/crates/platform_pki/examples/sign_message.rs
@@ -39,8 +39,9 @@ fn main() -> anyhow::Result<()> {
     let res = sign_message(&data, &cert_ref).context("Failed to sign message")?;
 
     println!(
-        "Signed by cert with id: {}",
-        data_encoding::BASE64.encode_display(&res.cert_ref.id)
+        "Signed by cert with id {{{}}} with algorithm {}",
+        data_encoding::BASE64.encode_display(&res.cert_ref.id),
+        res.algo
     );
     #[cfg(feature = "hash-sri-display")]
     println!("Signed by cert with fingerprint: {}", res.cert_ref.hash);
diff --git a/libparsec/crates/platform_pki/src/lib.rs b/libparsec/crates/platform_pki/src/lib.rs
@@ -4,6 +4,8 @@ pub mod errors;
 #[cfg(target_os = "windows")]
 mod windows;
 
+use std::{fmt::Display, str::FromStr};
+
 use bytes::Bytes;
 
 #[cfg(target_os = "windows")]
@@ -53,8 +55,8 @@ pub use windows::show_certificate_selection_dialog;
 mod platform {
     use crate::{
         CertificateDer, CertificateReference, DecryptMessageError, DecryptedMessage,
-        EncryptMessageError, EncryptedMessage, GetDerEncodedCertificateError, SignMessageError,
-        SignedMessage,
+        EncryptMessageError, EncryptedMessage, EncryptionAlgorithm, GetDerEncodedCertificateError,
+        SignMessageError, SignedMessage,
     };
 
     pub fn get_der_encoded_certificate(
@@ -82,10 +84,11 @@ mod platform {
     }
 
     pub fn decrypt_message(
+        algo: EncryptionAlgorithm,
         encrypted_message: &[u8],
         certificate_ref: &CertificateReference,
     ) -> Result<DecryptedMessage, DecryptMessageError> {
-        let _ = (encrypted_message, certificate_ref);
+        let _ = (algo, encrypted_message, certificate_ref);
         unimplemented!("platform not supported")
     }
 }
@@ -98,15 +101,77 @@ pub struct CertificateDer {
     pub der_content: Bytes,
 }
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SignatureAlgorithm {
+    RsassaPssSha256,
+}
+
+impl From<SignatureAlgorithm> for &'static str {
+    fn from(value: SignatureAlgorithm) -> Self {
+        match value {
+            SignatureAlgorithm::RsassaPssSha256 => "RSASSA-PSS-SHA256",
+        }
+    }
+}
+
+impl Display for SignatureAlgorithm {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str((*self).into())
+    }
+}
+
+impl FromStr for SignatureAlgorithm {
+    type Err = &'static str;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "RSASSA-PSS-SHA256" => Ok(Self::RsassaPssSha256),
+            _ => Err("Unknown signature algorithm"),
+        }
+    }
+}
+
 pub struct SignedMessage {
+    pub algo: SignatureAlgorithm,
     pub cert_ref: CertificateReferenceIdOrHash,
     pub signed_message: Bytes,
 }
 
 pub use errors::SignMessageError;
 pub use platform::sign_message;
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum EncryptionAlgorithm {
+    RsaesOaepSha256,
+}
+
+impl From<EncryptionAlgorithm> for &'static str {
+    fn from(value: EncryptionAlgorithm) -> Self {
+        match value {
+            EncryptionAlgorithm::RsaesOaepSha256 => "RSAES-OAEP-SHA256",
+        }
+    }
+}
+
+impl FromStr for EncryptionAlgorithm {
+    type Err = &'static str;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "RSAES-OAEP-SHA256" => Ok(Self::RsaesOaepSha256),
+            _ => Err("Unknown encryption algorithm"),
+        }
+    }
+}
+
+impl Display for EncryptionAlgorithm {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str((*self).into())
+    }
+}
+
 pub struct EncryptedMessage {
+    pub algo: EncryptionAlgorithm,
     pub cert_ref: CertificateReferenceIdOrHash,
     pub ciphered: Bytes,
 }
diff --git a/libparsec/crates/platform_pki/src/windows/mod.rs b/libparsec/crates/platform_pki/src/windows/mod.rs
@@ -5,7 +5,8 @@ use std::ffi::c_void;
 use crate::{
     CertificateDer, CertificateHash, CertificateReference, CertificateReferenceIdOrHash,
     DecryptMessageError, DecryptedMessage, EncryptMessageError, EncryptedMessage,
-    GetDerEncodedCertificateError, SignMessageError, SignedMessage,
+    EncryptionAlgorithm, GetDerEncodedCertificateError, SignMessageError, SignatureAlgorithm,
+    SignedMessage,
 };
 use bytes::Bytes;
 use schannel::{
@@ -221,18 +222,19 @@ pub fn sign_message(
     let reference = get_id_and_hash_from_cert_context(&cert_context)
         .map_err(SignMessageError::CannotGetCertificateInfo)?;
     let keypair = get_keypair(&cert_context)?;
-    let signed_message = match keypair {
+    let (algo, signed_message) = match keypair {
         // We do not support a CryptoAPI provider as its API is marked for depreciation by windows.
         PrivateKey::CryptProv(..) => {
             todo!("Use CryptGetUserKey to get the keypair")
         }
         // Handle to a CryptoGraphy Next Generation (CNG) API
-        PrivateKey::NcryptKey(handle) => ncrypt_sign_message(message, &handle).map(Into::into),
+        PrivateKey::NcryptKey(handle) => ncrypt_sign_message_with_rsa(message, &handle),
     }
     .map_err(SignMessageError::CannotSign)?;
 
     Ok(SignedMessage {
-        signed_message,
+        algo,
+        signed_message: signed_message.into(),
         cert_ref: reference,
     })
 }
@@ -246,7 +248,11 @@ fn get_keypair(context: &CertContext) -> Result<PrivateKey, crate::errors::BaseK
         .map_err(crate::errors::BaseKeyPairError::CannotAcquireKeypair)
 }
 
-fn ncrypt_sign_message(message: &[u8], handle: &NcryptKey) -> std::io::Result<Vec<u8>> {
+fn ncrypt_sign_message_with_rsa(
+    message: &[u8],
+    handle: &NcryptKey,
+) -> std::io::Result<(SignatureAlgorithm, Vec<u8>)> {
+    const ALGO: SignatureAlgorithm = SignatureAlgorithm::RsassaPssSha256;
     let hash = sha2::Sha256::digest(message);
     // SAFETY: NcryptKey is obtain from an NCRYPT_KEY_HANDLE, here we retrieve the underlying
     // handle.
@@ -305,7 +311,7 @@ fn ncrypt_sign_message(message: &[u8], handle: &NcryptKey) -> std::io::Result<Ve
         if res != 0 {
             return Err(std::io::Error::last_os_error());
         }
-        Ok(buff)
+        Ok((ALGO, buff))
     }
 }
 
@@ -319,23 +325,28 @@ pub fn encrypt_message(
     let reference = get_id_and_hash_from_cert_context(&cert_context)
         .map_err(EncryptMessageError::CannotGetCertificateInfo)?;
     let keypair = get_keypair(&cert_context)?;
-    let ciphered = match keypair {
+    let (algo, ciphered) = match keypair {
         // We do not support a CryptoAPI provider as its API is marked for depreciation by windows.
         PrivateKey::CryptProv(..) => {
             todo!("Use CryptGetUserKey to get the keypair")
         }
         // Handle to a CryptoGraphy Next Generation (CNG) API
-        PrivateKey::NcryptKey(handle) => ncrypt_encrypt_message(message, &handle).map(Into::into),
+        PrivateKey::NcryptKey(handle) => ncrypt_encrypt_message_with_rsa(message, &handle),
     }
     .map_err(EncryptMessageError::CannotEncrypt)?;
 
     Ok(EncryptedMessage {
-        ciphered,
+        algo,
+        ciphered: ciphered.into(),
         cert_ref: reference,
     })
 }
 
-fn ncrypt_encrypt_message(message: &[u8], handle: &NcryptKey) -> std::io::Result<Vec<u8>> {
+fn ncrypt_encrypt_message_with_rsa(
+    message: &[u8],
+    handle: &NcryptKey,
+) -> std::io::Result<(EncryptionAlgorithm, Vec<u8>)> {
+    const ALGO: EncryptionAlgorithm = EncryptionAlgorithm::RsaesOaepSha256;
     // SAFETY: NcryptKey is obtain from an NCRYPT_KEY_HANDLE, here we retrieve the underlying
     // handle.
     let raw_handle = unsafe { RawPointer::as_ptr(handle) } as NCRYPT_KEY_HANDLE;
@@ -390,11 +401,12 @@ fn ncrypt_encrypt_message(message: &[u8], handle: &NcryptKey) -> std::io::Result
         if res != 0 {
             return Err(std::io::Error::last_os_error());
         }
-        Ok(buff)
+        Ok((ALGO, buff))
     }
 }
 
 pub fn decrypt_message(
+    algo: EncryptionAlgorithm,
     encrypted_message: &[u8],
     certificate_ref: &CertificateReference,
 ) -> Result<DecryptedMessage, DecryptMessageError> {
@@ -411,7 +423,10 @@ pub fn decrypt_message(
         }
         // Handle to a CryptoGraphy Next Generation (CNG) API
         PrivateKey::NcryptKey(handle) => {
-            ncrypt_decrypt_message(encrypted_message, &handle).map(Into::into)
+            if algo != EncryptionAlgorithm::RsaesOaepSha256 {
+                todo!("Unsupported encryption algo '{algo}'");
+            }
+            ncrypt_decrypt_message_with_rsa(encrypted_message, &handle).map(Into::into)
         }
     }
     .map_err(DecryptMessageError::CannotDecrypt)?;
@@ -422,7 +437,7 @@ pub fn decrypt_message(
     })
 }
 
-fn ncrypt_decrypt_message(
+fn ncrypt_decrypt_message_with_rsa(
     encrypted_message: &[u8],
     handle: &NcryptKey,
 ) -> std::io::Result<Vec<u8>> {
