feat(startauthsession): add full support for algo/bits/mode combinations

hyperfinitism · hyperfinitism · commit c13b173b9a1f · 2026-03-28T14:58:42.000+09:00
Instead of only supporting the two constants (AES_128_CFB and AES_256_CFB)
pre-defined in the upstream tss-esapi and the manually defined XOR, parse
a structured "algo-bits-mode" format that covers all symmetric algorithms
available in tss-esapi:

- AES with 128/192/256 key bits and CFB/CBC/ECB/OFB/CTR modes
- SM4 with 128 key bits and all modes
- Camellia with 128/192/256 key bits and all modes
- XOR with any supported hash algorithm (xor-sha256, etc.)
- null

Legacy shorthand forms ("aes128cfb", "aes256cfb" and "xor") remain accepted
for backwards compatibility.

Signed-off-by: Takuma IMAMURA &lt;209989118+hyperfinitism@users.noreply.github.com&gt;
diff --git a/src/cmd/startauthsession.rs b/src/cmd/startauthsession.rs
@@ -42,7 +42,7 @@ pub struct StartAuthSessionCmd {
     #[arg(long = "audit-session", conflicts_with_all = ["policy_session", "hmac_session"])]
     pub audit_session: bool,
 
-    /// Symmetric algorithm for session encryption (aes128cfb, aes256cfb, xor, null)
+    /// Symmetric algorithm for session encryption (e.g. aes-128-cfb, sm4-128-cfb, camellia-256-cbc, xor-sha256, null)
     #[arg(long = "symmetric", default_value = "aes128cfb", value_parser = parse::parse_symmetric_definition)]
     pub symmetric: SymmetricDefinition,
 
diff --git a/src/parse.rs b/src/parse.rs
@@ -16,6 +16,7 @@ use tss_esapi::attributes::NvIndexAttributesBuilder;
 use tss_esapi::handles::AuthHandle;
 use tss_esapi::interface_types::algorithm::{HashingAlgorithm, SymmetricMode};
 use tss_esapi::interface_types::ecc::EccCurve;
+use tss_esapi::interface_types::key_bits::{AesKeyBits, CamelliaKeyBits, Sm4KeyBits};
 use tss_esapi::interface_types::reserved_handles::{Hierarchy, HierarchyAuth, Provision};
 use tss_esapi::structures::{
     Auth, Data, HashScheme, PcrSelectionList, PcrSelectionListBuilder, PcrSlot, SensitiveData,
@@ -484,21 +485,121 @@ pub fn parse_ecc_curve(s: &str) -> Result<EccCurve, String> {
 // Symmetric definition (for sessions)
 // ---------------------------------------------------------------------------
 
-/// Parse a symmetric algorithm definition for session encryption.
+/// Parse a symmetric algorithm definition.
 ///
-/// Accepted values: `aes128cfb`, `aes256cfb`, `xor`, `null`.
+/// Accepted formats:
+/// - `aes-{128,192,256}-{cfb,cbc,ecb,ofb,ctr}` — AES with key size and mode
+/// - `sm4-128-{cfb,cbc,ecb,ofb,ctr}` — SM4 with key size and mode
+/// - `camellia-{128,192,256}-{cfb,cbc,ecb,ofb,ctr}` — Camellia with key size and mode
+/// - `xor-{sha1,sha256,...}` — XOR with a hashing algorithm
+/// - `null` — no symmetric algorithm
+///
+/// Legacy shorthand forms `aes128cfb` and `aes256cfb` are also accepted.
 ///
 /// Intended for use as a clap `value_parser`.
 pub fn parse_symmetric_definition(s: &str) -> Result<SymmetricDefinition, String> {
-    match s.to_lowercase().as_str() {
-        "aes128cfb" | "aes-128-cfb" => Ok(SymmetricDefinition::AES_128_CFB),
-        "aes256cfb" | "aes-256-cfb" => Ok(SymmetricDefinition::AES_256_CFB),
-        "xor" => Ok(SymmetricDefinition::Xor {
-            hashing_algorithm: HashingAlgorithm::Sha256,
-        }),
-        "null" => Ok(SymmetricDefinition::Null),
+    let lower = s.to_lowercase();
+
+    // Handle "null" first.
+    if lower == "null" {
+        return Ok(SymmetricDefinition::Null);
+    }
+
+    // Legacy shorthand aliases for backwards compatibility.
+    match lower.as_str() {
+        "aes128cfb" => {
+            return Ok(SymmetricDefinition::Aes {
+                key_bits: AesKeyBits::Aes128,
+                mode: SymmetricMode::Cfb,
+            });
+        }
+        "aes256cfb" => {
+            return Ok(SymmetricDefinition::Aes {
+                key_bits: AesKeyBits::Aes256,
+                mode: SymmetricMode::Cfb,
+            });
+        }
+        "xor" => {
+            return Ok(SymmetricDefinition::Xor {
+                hashing_algorithm: HashingAlgorithm::Sha256,
+            });
+        }
+        _ => {}
+    }
+
+    let parts: Vec<&str> = lower.split('-').collect();
+
+    match parts[0] {
+        "aes" => {
+            if parts.len() != 3 {
+                return Err(format!(
+                    "expected 'aes-<bits>-<mode>' (e.g. aes-128-cfb), got: '{s}'"
+                ));
+            }
+            let key_bits = match parts[1] {
+                "128" => AesKeyBits::Aes128,
+                "192" => AesKeyBits::Aes192,
+                "256" => AesKeyBits::Aes256,
+                _ => {
+                    return Err(format!(
+                        "unsupported AES key size: {} (expected 128, 192, or 256)",
+                        parts[1]
+                    ));
+                }
+            };
+            let mode = parse_symmetric_mode(parts[2])?;
+            Ok(SymmetricDefinition::Aes { key_bits, mode })
+        }
+        "sm4" => {
+            if parts.len() != 3 {
+                return Err(format!(
+                    "expected 'sm4-128-<mode>' (e.g. sm4-128-cfb), got: '{s}'"
+                ));
+            }
+            let key_bits = match parts[1] {
+                "128" => Sm4KeyBits::Sm4_128,
+                _ => {
+                    return Err(format!(
+                        "unsupported SM4 key size: {} (expected 128)",
+                        parts[1]
+                    ));
+                }
+            };
+            let mode = parse_symmetric_mode(parts[2])?;
+            Ok(SymmetricDefinition::Sm4 { key_bits, mode })
+        }
+        "camellia" => {
+            if parts.len() != 3 {
+                return Err(format!(
+                    "expected 'camellia-<bits>-<mode>' (e.g. camellia-128-cfb), got: '{s}'"
+                ));
+            }
+            let key_bits = match parts[1] {
+                "128" => CamelliaKeyBits::Camellia128,
+                "192" => CamelliaKeyBits::Camellia192,
+                "256" => CamelliaKeyBits::Camellia256,
+                _ => {
+                    return Err(format!(
+                        "unsupported Camellia key size: {} (expected 128, 192, or 256)",
+                        parts[1]
+                    ));
+                }
+            };
+            let mode = parse_symmetric_mode(parts[2])?;
+            Ok(SymmetricDefinition::Camellia { key_bits, mode })
+        }
+        "xor" => {
+            if parts.len() != 2 {
+                return Err(format!(
+                    "expected 'xor-<hash>' (e.g. xor-sha256), got: '{s}'"
+                ));
+            }
+            let hashing_algorithm = parse_hashing_algorithm(parts[1])?;
+            Ok(SymmetricDefinition::Xor { hashing_algorithm })
+        }
         _ => Err(format!(
-            "unsupported symmetric definition: {s} (supported: aes128cfb, aes256cfb, xor, null)"
+            "unsupported symmetric algorithm: '{}'; expected aes, sm4, camellia, xor, or null",
+            parts[0]
         )),
     }
 }
