Remove libparsec_platform_pki dependency in libparsec_platform_device_loader

- Introduce `PkiDeviceOperations` trait that works similarly to `AccountVaultOperations`/`OpenBaoDeviceOperations`
- Remove platform-specific code (replaced by using the methods defined in `PkiDeviceOperations`)

Author: touilleMan

Cargo.lock

@@ -20,7 +20,6 @@ libparsec_client_connection = { workspace = true }
 libparsec_crypto = { workspace = true }
 libparsec_platform_async = { workspace = true }
 libparsec_platform_filesystem = { workspace = true }
-libparsec_platform_pki = { workspace = true }
 libparsec_testbed = { workspace = true, optional = true }
 libparsec_types = { workspace = true }
 

libparsec/crates/platform_device_loader/Cargo.toml

@@ -2,7 +2,8 @@
 
 use crate::{
     platform, AccountVaultOperationsFetchOpaqueKeyError, DeviceAccessStrategy,
-    DevicePrimaryProtectionStrategy, OpenBaoOperationsFetchOpaqueKeyError, RemoteOperationServer,
+    DevicePrimaryProtectionStrategy, OpenBaoOperationsFetchOpaqueKeyError,
+    PkiOperationsDecryptOpaqueKeyError, RemoteOperationServer,
 };
 use libparsec_types::prelude::*;
 
@@ -12,7 +13,6 @@ pub(crate) enum LoadCiphertextKeyError {
     #[error("Invalid data")]
     InvalidData,
     #[error("Decryption failed")]
-    #[cfg_attr(target_arch = "wasm32", expect(dead_code))]
     DecryptionFailed,
     /// Note only a subset of load strategies requires server access to
     /// fetch an opaque key that itself protects the ciphertext key
@@ -64,9 +64,31 @@ pub(super) async fn load_ciphertext_key(
             }
         }
 
-        DevicePrimaryProtectionStrategy::PKI { .. } => {
-            let ciphertext_key = platform::load_ciphertext_key_pki(device_file).await?;
-            Ok(ciphertext_key)
+        DevicePrimaryProtectionStrategy::PKI { operations, .. } => {
+            if let DeviceFile::PKI(device) = device_file {
+                if device.certificate_ref != *operations.certificate_ref() {
+                    return Err(LoadCiphertextKeyError::InvalidData);
+                }
+
+                let raw = operations
+                    .decrypt_opaque_key(device.algorithm, device.encrypted_key.as_ref())
+                    .await
+                    .map_err(|err| match err {
+                        PkiOperationsDecryptOpaqueKeyError::UnsupportedAlgorithm => {
+                            LoadCiphertextKeyError::InvalidData
+                        }
+                        PkiOperationsDecryptOpaqueKeyError::DecryptionFailed(_) => {
+                            LoadCiphertextKeyError::DecryptionFailed
+                        }
+                        PkiOperationsDecryptOpaqueKeyError::Internal(e) => {
+                            LoadCiphertextKeyError::Internal(e)
+                        }
+                    })?;
+
+                Ok(raw)
+            } else {
+                Err(LoadCiphertextKeyError::InvalidData)
+            }
         }
 
         DevicePrimaryProtectionStrategy::AccountVault { operations, .. } => {

libparsec/crates/platform_device_loader/src/device/load_ciphertext_key.rs

@@ -1,14 +1,15 @@
 // Parsec Cloud (https://parsec.cloud) Copyright (c) BUSL-1.1 2016-present Scille SAS
 
-use crate::{encrypt_device, platform, DevicePrimaryProtectionStrategy};
-use libparsec_platform_filesystem::{save_content, SaveContentError};
 use std::path::PathBuf;
 
+use libparsec_platform_filesystem::{save_content, SaveContentError};
+use libparsec_types::prelude::*;
+
 use crate::{
-    AccountVaultOperationsUploadOpaqueKeyError, AvailableDevice, DeviceSaveStrategy,
-    OpenBaoOperationsUploadOpaqueKeyError, RemoteOperationServer,
+    encrypt_device, platform, AccountVaultOperationsUploadOpaqueKeyError, AvailableDevice,
+    DevicePrimaryProtectionStrategy, DeviceSaveStrategy, OpenBaoOperationsUploadOpaqueKeyError,
+    PkiOperationsEncryptOpaqueKeyError, RemoteOperationServer,
 };
-use libparsec_types::prelude::*;
 
 #[derive(Debug, thiserror::Error)]
 pub enum SaveDeviceError {
@@ -114,18 +115,51 @@ pub(crate) async fn save_device(
             save_content(&key_file, &file_content).await?;
         }
 
-        DevicePrimaryProtectionStrategy::PKI { certificate_ref } => {
-            platform::save_device_pki(
-                device,
-                &created_on,
-                &key_file,
-                &server_addr,
-                &protected_on,
-                certificate_ref,
+        DevicePrimaryProtectionStrategy::PKI { operations } => {
+            // Generate a random key
+            let key = SecretKey::generate();
+
+            // Encrypt the key using the public key related to a certificate from the store
+            let (algorithm, encrypted_key) = operations
+                .encrypt_opaque_key(key.as_ref())
+                .await
+                .map_err(|err| match err {
+                    PkiOperationsEncryptOpaqueKeyError::Internal(e) => SaveDeviceError::Internal(e),
+                })?;
+
+            // May check if we are able to decrypt the encrypted key from the previous step
+            assert_eq!(
+                operations
+                    .decrypt_opaque_key(algorithm, encrypted_key.as_ref())
+                    .await
+                    .map_err(|e| SaveDeviceError::Internal(e.into()))?
+                    .as_ref(),
+                key.as_ref()
+            );
+
+            // Use the generated key to encrypt the device content
+            let ciphertext = encrypt_device(device, &key, totp_opaque_key);
+
+            // Save
+            let file_content = DeviceFile::PKI(DeviceFilePKI {
+                created_on,
+                protected_on,
+                server_url: server_addr.clone(),
+                organization_id: device.organization_id().to_owned(),
+                user_id: device.user_id,
+                device_id: device.device_id,
+                human_handle: device.human_handle.to_owned(),
+                device_label: device.device_label.to_owned(),
+                certificate_ref: operations.certificate_ref().to_owned(),
+                encrypted_key,
+                ciphertext,
+                algorithm,
                 totp_opaque_key_id,
-                totp_opaque_key,
-            )
-            .await?;
+            });
+
+            let file_content = file_content.dump();
+
+            save_content(&key_file, &file_content).await?;
         }
 
         DevicePrimaryProtectionStrategy::AccountVault { operations } => {

libparsec/crates/platform_device_loader/src/device/save.rs

@@ -10,7 +10,6 @@ use crate::{
     encrypt_device, LoadCiphertextKeyError, LoadDeviceError, SaveDeviceError,
     PARSEC_BASE_CONFIG_DIR, PARSEC_BASE_DATA_DIR, PARSEC_BASE_HOME_DIR,
 };
-use libparsec_platform_pki::{decrypt_message, encrypt_message};
 use libparsec_types::prelude::*;
 
 const KEYRING_SERVICE: &str = "parsec";
@@ -81,63 +80,6 @@ pub(crate) async fn save_device_keyring(
     Ok(())
 }
 
-#[expect(clippy::too_many_arguments)]
-pub(crate) async fn save_device_pki(
-    device: &LocalDevice,
-    created_on: &DateTime,
-    key_file: &Path,
-    server_addr: &ParsecAddr,
-    protected_on: &DateTime,
-    certificate_ref: &X509CertificateReference,
-    totp_opaque_key_id: Option<TOTPOpaqueKeyID>,
-    totp_opaque_key: Option<&SecretKey>,
-) -> Result<(), SaveDeviceError> {
-    // Generate a random key
-    let secret_key = SecretKey::generate();
-
-    // Encrypt the key using the public key related to a certificate from the store
-    let der = libparsec_platform_pki::get_der_encoded_certificate(certificate_ref)
-        .await
-        .map_err(|e| SaveDeviceError::Internal(e.into()))?;
-    let (algorithm, encrypted_key) = encrypt_message(der, secret_key.as_ref())
-        .await
-        .map_err(|e| SaveDeviceError::Internal(e.into()))?;
-
-    // May check if we are able to decrypt the encrypted key from the previous step
-    assert_eq!(
-        decrypt_message(algorithm, &encrypted_key, certificate_ref)
-            .await
-            .map_err(|e| SaveDeviceError::Internal(e.into()))?
-            .as_ref(),
-        secret_key.as_ref()
-    );
-
-    // Use the generated key to encrypt the device content
-    let ciphertext = encrypt_device(device, &secret_key, totp_opaque_key);
-
-    // Save
-    let file_content = DeviceFile::PKI(DeviceFilePKI {
-        created_on: *created_on,
-        protected_on: *protected_on,
-        server_url: server_addr.clone(),
-        organization_id: device.organization_id().to_owned(),
-        user_id: device.user_id,
-        device_id: device.device_id,
-        human_handle: device.human_handle.to_owned(),
-        device_label: device.device_label.to_owned(),
-        certificate_ref: certificate_ref.to_owned(),
-        encrypted_key,
-        ciphertext,
-        algorithm,
-        totp_opaque_key_id,
-    });
-
-    let file_content = file_content.dump();
-
-    save_content(key_file, &file_content).await?;
-    Ok(())
-}
-
 async fn generate_keyring_user(
     keyring_user_path: &Path,
 ) -> Result<(SecretKey, String), SaveDeviceError> {
@@ -216,25 +158,6 @@ pub(super) async fn load_ciphertext_key_keyring(
     }
 }
 
-pub(super) async fn load_ciphertext_key_pki(
-    device_file: &DeviceFile,
-) -> Result<SecretKey, LoadCiphertextKeyError> {
-    if let DeviceFile::PKI(device) = device_file {
-        decrypt_message(
-            device.algorithm,
-            device.encrypted_key.as_ref(),
-            &device.certificate_ref,
-        )
-        .await
-        .map_err(|_| LoadCiphertextKeyError::InvalidData)?
-        .as_ref()
-        .try_into()
-        .map_err(|_| LoadCiphertextKeyError::InvalidData)
-    } else {
-        Err(LoadCiphertextKeyError::InvalidData)
-    }
-}
-
 pub(super) fn get_default_data_base_dir() -> PathBuf {
     let mut path = if let Ok(data_dir) = std::env::var(PARSEC_BASE_DATA_DIR) {
         PathBuf::from(data_dir)

libparsec/crates/platform_device_loader/src/native/mod.rs

@@ -110,6 +110,41 @@ pub enum OpenBaoOperationsUploadOpaqueKeyError {
     BadServerResponse(anyhow::Error),
 }
 
+/*
+ * PKI operations
+ */
+
+pub trait PkiDeviceOperations: std::fmt::Debug + Send + Sync {
+    fn certificate_ref(&self) -> &X509CertificateReference;
+    fn encrypt_opaque_key(
+        &self,
+        opaque_key: &[u8],
+    ) -> PinBoxFutureResult<(PKIEncryptionAlgorithm, Bytes), PkiOperationsEncryptOpaqueKeyError>;
+    fn decrypt_opaque_key(
+        &self,
+        algorithm: PKIEncryptionAlgorithm,
+        encrypted_opaque_key: &[u8],
+    ) -> PinBoxFutureResult<SecretKey, PkiOperationsDecryptOpaqueKeyError>;
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum PkiOperationsEncryptOpaqueKeyError {
+    // TODO: Add SCWS-specific errors here (typically if the SCWS service is not reachable)
+    #[error(transparent)]
+    Internal(anyhow::Error),
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum PkiOperationsDecryptOpaqueKeyError {
+    #[error("Unsupported algorithm")]
+    UnsupportedAlgorithm,
+    #[error("Decryption failed: {0}")]
+    DecryptionFailed(anyhow::Error),
+    // TODO: Add SCWS-specific errors here (typically if the SCWS service is not reachable)
+    #[error(transparent)]
+    Internal(anyhow::Error),
+}
+
 /*
  * DeviceSaveStrategy
  */
@@ -121,7 +156,7 @@ pub enum DevicePrimaryProtectionStrategy {
         password: Password,
     },
     PKI {
-        certificate_ref: X509CertificateReference,
+        operations: Arc<dyn PkiDeviceOperations>,
     },
     AccountVault {
         operations: Arc<dyn AccountVaultOperations>,
@@ -136,10 +171,8 @@ impl DevicePrimaryProtectionStrategy {
         match self {
             Self::Keyring => AvailableDeviceType::Keyring,
             Self::Password { .. } => AvailableDeviceType::Password,
-            Self::PKI {
-                certificate_ref, ..
-            } => AvailableDeviceType::PKI {
-                certificate_ref: certificate_ref.to_owned(),
+            Self::PKI { operations, .. } => AvailableDeviceType::PKI {
+                certificate_ref: operations.certificate_ref().to_owned(),
             },
             Self::AccountVault { .. } => AvailableDeviceType::AccountVault,
             Self::OpenBao { operations, .. } => AvailableDeviceType::OpenBao {

libparsec/crates/platform_device_loader/src/strategy.rs

@@ -16,31 +16,12 @@ pub(crate) async fn save_device_keyring(
     panic!("Keyring not supported on Web")
 }
 
-pub(crate) async fn save_device_pki(
-    _: &LocalDevice,
-    _: &DateTime,
-    _: &Path,
-    _: &ParsecAddr,
-    _: &DateTime,
-    _: &X509CertificateReference,
-    _: Option<TOTPOpaqueKeyID>,
-    _: Option<&SecretKey>,
-) -> Result<(), SaveDeviceError> {
-    panic!("PKI not supported on Web")
-}
-
 pub(super) async fn load_ciphertext_key_keyring(
     _: &DeviceFile,
 ) -> Result<SecretKey, LoadCiphertextKeyError> {
     panic!("Keyring not supported on Web")
 }
 
-pub(super) async fn load_ciphertext_key_pki(
-    _: &DeviceFile,
-) -> Result<SecretKey, LoadCiphertextKeyError> {
-    panic!("PKI not supported on Web")
-}
-
 pub(super) fn is_keyring_available() -> bool {
     false
 }