chore: update to latest version of aws-nitro-enclaves-cose

Update to the latest version of aws-nitro-enclaves-cose crate

Signed-off-by: Miguel Martín <[email protected]>

.packit.yaml

@@ -8,7 +8,7 @@ files_to_sync:
       - ".packit.yaml"
       - "fido-device-onboard.spec"
       - "fido-device-onboard-rs-*-vendor-patched.tar.xz"
-      - "patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch"
+      - "patches/0001-use-released-aws-nitro-enclaves-cose-version.patch"
     dest: .
 
 upstream_package_name: fido-device-onboard

Makefile

@@ -58,13 +58,7 @@ $(VENDOR_TARBALL):
 	# https://issues.redhat.com/browse/RHEL-65521
 	args+="--exclude-crate-path idna#tests "
 	rm -rf vendor
-	# Use the official crate version
-	patch -p1 < patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
 	cargo vendor-filterer $${args}
-	# Reapply the crate patch so cargo build keeps working
-	patch -p1 -R < patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
-	# Patch the official crate so the build works.
-	patch -p1 < patches/0002-fix-aws-nitro-enclaves-cose.patch
 	tar cJf $(VENDOR_TARBALL) vendor
 	rm -rf vendor
 
@@ -85,7 +79,7 @@ vendor: $(VENDOR_TARBALL)
 
 SPEC_FILE=./fido-device-onboard.spec
 PATCHES_DIR=./patches
-PATCH_FILE_NAME=0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+PATCH_FILE_NAME=0001-use-released-aws-nitro-enclaves-cose-version.patch
 PATCH_FILE=$(PATCHES_DIR)/$(PATCH_FILE_NAME)
 RPM_TOP_DIR=$(CURDIR)/rpmbuild
 RPMS_SPECS_DIR=$(RPM_TOP_DIR)/SPECS

data-formats/Cargo.toml

@@ -17,7 +17,7 @@ serde_cbor = "0.11"
 serde_repr = "0.1.19"
 serde_tuple = "0.5"
 thiserror = "1"
-aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
+aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
 uuid = "1.3"
 num-traits = "0.2"
 num-derive = "0.4"

data-formats/src/constants/mod.rs

@@ -111,8 +111,8 @@ const RS384: i16 = -258;
 #[repr(i16)]
 #[non_exhaustive]
 pub enum DeviceSigType {
-    StSECP256R1 = (aws_nitro_enclaves_cose::sign::SignatureAlgorithm::ES256 as i16),
-    StSECP384R1 = (aws_nitro_enclaves_cose::sign::SignatureAlgorithm::ES384 as i16),
+    StSECP256R1 = (aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES256 as i16),
+    StSECP384R1 = (aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES384 as i16),
     StRSA2048 = RS256,
     StRSA3072 = RS384,
     StEPID10 = 90,

data-formats/src/devicecredential/file.rs

@@ -11,7 +11,9 @@ use crate::{
     DeviceCredential, ProtocolVersion,
 };
 
-use aws_nitro_enclaves_cose::{error::CoseError, sign::SignatureAlgorithm};
+use aws_nitro_enclaves_cose::{
+    crypto::MessageDigest, crypto::SignatureAlgorithm, error::CoseError,
+};
 use openssl::{pkey::PKey, sign::Signer};
 use serde::{Deserialize, Serialize};
 use serde_tuple::Serialize_tuple;
@@ -249,7 +251,7 @@ impl TpmCoseSigner {
         public: &tss_esapi::structures::Public,
     ) -> Result<
         (
-            (SignatureAlgorithm, openssl::hash::MessageDigest),
+            (SignatureAlgorithm, MessageDigest),
             tss_esapi::interface_types::algorithm::HashingAlgorithm,
             usize,
         ),
@@ -264,13 +266,13 @@ impl TpmCoseSigner {
                 };
                 let param_hash_alg = match hash_alg {
                     tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha256 => {
-                        openssl::hash::MessageDigest::sha256()
+                        MessageDigest::Sha256
                     }
                     tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha384 => {
-                        openssl::hash::MessageDigest::sha384()
+                        MessageDigest::Sha384
                     }
                     tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha512 => {
-                        openssl::hash::MessageDigest::sha512()
+                        MessageDigest::Sha512
                     }
                     _ => {
                         return Err(CoseError::UnsupportedError(
@@ -313,15 +315,7 @@ impl TpmCoseSigner {
 }
 
 impl aws_nitro_enclaves_cose::crypto::SigningPublicKey for TpmCoseSigner {
-    fn get_parameters(
-        &self,
-    ) -> Result<
-        (
-            aws_nitro_enclaves_cose::sign::SignatureAlgorithm,
-            openssl::hash::MessageDigest,
-        ),
-        CoseError,
-    > {
+    fn get_parameters(&self) -> Result<(SignatureAlgorithm, MessageDigest), CoseError> {
         Ok(TpmCoseSigner::public_to_parameters(&self.signing_public)?.0)
     }
 

data-formats/src/types.rs

@@ -7,7 +7,7 @@ use std::{
     string::ToString,
 };
 
-use aws_nitro_enclaves_cose::crypto::{SigningPrivateKey, SigningPublicKey};
+use aws_nitro_enclaves_cose::crypto::{Openssl, SigningPrivateKey, SigningPublicKey};
 use aws_nitro_enclaves_cose::CoseSign1 as COSESignInner;
 use serde_bytes::ByteBuf;
 use serde_repr::{Deserialize_repr, Serialize_repr};
@@ -1806,7 +1806,7 @@ impl COSESign {
         };
         let payload = payload.serialize_data()?;
 
-        let inner = COSESignInner::new(&payload, &unprotected.into(), sign_key)?;
+        let inner = COSESignInner::new::<Openssl>(&payload, &unprotected.into(), sign_key)?;
 
         Self::new_from_inner(inner)
     }
@@ -1830,14 +1830,18 @@ impl COSESign {
         let mut protected: aws_nitro_enclaves_cose::header_map::HeaderMap = protected.into();
         protected.insert(1.into(), (sig_alg as i8).into());
 
-        let inner =
-            COSESignInner::new_with_protected(&payload, &protected, &unprotected.into(), sign_key)?;
+        let inner = COSESignInner::new_with_protected::<Openssl>(
+            &payload,
+            &protected,
+            &unprotected.into(),
+            sign_key,
+        )?;
 
         Self::new_from_inner(inner)
     }
 
     pub fn verify(&self, sign_key: &dyn SigningPublicKey) -> Result<(), Error> {
-        if self.cached_inner.verify_signature(sign_key)? {
+        if self.cached_inner.verify_signature::<Openssl>(sign_key)? {
             Ok(())
         } else {
             Err(Error::InconsistentValue("Signature verification failed"))
@@ -1860,15 +1864,15 @@ impl COSESign {
     where
         T: Serializable,
     {
-        let payload = self.cached_inner.get_payload(None)?;
+        let payload = self.cached_inner.get_payload::<Openssl>(None)?;
         Ok(UnverifiedValue(T::deserialize_data(&payload)?))
     }
 
     pub fn get_payload<T>(&self, key: &dyn SigningPublicKey) -> Result<T, Error>
     where
         T: Serializable,
     {
-        let payload = self.cached_inner.get_payload(Some(key))?;
+        let payload = self.cached_inner.get_payload::<Openssl>(Some(key))?;
         T::deserialize_data(&payload)
     }
 
@@ -1896,7 +1900,9 @@ impl COSESign {
     where
         T: serde::de::DeserializeOwned,
     {
-        let (protected, _) = self.cached_inner.get_protected_and_payload(None)?;
+        let (protected, _) = self
+            .cached_inner
+            .get_protected_and_payload::<Openssl>(None)?;
         match protected.get(&header_key.cbor_value()) {
             None => Ok(None),
             Some(val) => Ok(Some(UnverifiedValue(serde_cbor::value::from_value(
@@ -1913,7 +1919,9 @@ impl COSESign {
     where
         T: serde::de::DeserializeOwned,
     {
-        let (protected, _) = self.cached_inner.get_protected_and_payload(Some(key))?;
+        let (protected, _) = self
+            .cached_inner
+            .get_protected_and_payload::<Openssl>(Some(key))?;
         match protected.get(&header_key.cbor_value()) {
             None => Ok(None),
             Some(val) => Ok(Some(serde_cbor::value::from_value(val.clone())?)),

fido-device-onboard.spec

@@ -11,7 +11,7 @@ License:        BSD-3-Clause
 URL:            https://github.com/fdo-rs/fido-device-onboard-rs
 Source0:        %{url}/archive/v%{version}/%{name}-rs-%{version}.tar.gz
 Source1:        %{name}-rs-%{version}-vendor-patched.tar.xz
-Patch1:         0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+Patch1:         0001-use-released-aws-nitro-enclaves-cose-version.patch
 
 # Because nobody cares
 ExcludeArch: %{ix86}

http-wrapper/Cargo.toml

@@ -20,7 +20,7 @@ openssl = "0.10.70"
 
 fdo-data-formats = { path = "../data-formats", version = "0.5.3" }
 fdo-store = { path = "../store", version = "0.5.3" }
-aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
+aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
 
 # Server-side
 uuid = { version = "1.3", features = ["v4"], optional = true }

http-wrapper/src/lib.rs

@@ -1,5 +1,6 @@
 use serde::{Deserialize, Serialize};
 
+use aws_nitro_enclaves_cose::crypto::Openssl;
 use aws_nitro_enclaves_cose::error::CoseError;
 use aws_nitro_enclaves_cose::{CipherConfiguration, CoseEncrypt0};
 use fdo_data_formats::types::{CipherSuite, DerivedKeys};
@@ -56,7 +57,7 @@ impl EncryptionKeys {
                 Some(DerivedKeys::Combined { sevk: k }) => k,
                 _ => panic!(),
             };
-            CoseEncrypt0::new(plaintext, CipherConfiguration::Gcm, &k[..])
+            CoseEncrypt0::new::<Openssl>(plaintext, CipherConfiguration::Gcm, &k[..])
                 .map(|c| c.as_bytes(true))?
         }
     }
@@ -71,7 +72,7 @@ impl EncryptionKeys {
                 _ => panic!(),
             };
             match CoseEncrypt0::from_bytes(ciphertext) {
-                Ok(v) => match v.decrypt(k) {
+                Ok(v) => match v.decrypt::<Openssl>(k) {
                     Ok((_, _, payload)) => Ok(payload),
                     Err(e) => Err(e),
                 },

patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch → patches/0001-use-released-aws-nitro-enclaves-cose-version.patch

@@ -1,26 +1,26 @@
 diff --git a/data-formats/Cargo.toml b/data-formats/Cargo.toml
-index 9dafc344..4a398aa6 100644
+index 30434348..c5a1aedd 100644
 --- a/data-formats/Cargo.toml
 +++ b/data-formats/Cargo.toml
 @@ -17,7 +17,7 @@ serde_cbor = "0.11"
  serde_repr = "0.1.19"
  serde_tuple = "0.5"
  thiserror = "1"
--aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
-+aws-nitro-enclaves-cose = "0.4.0"
+-aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
++aws-nitro-enclaves-cose = "0.5.2"
  uuid = "1.3"
  num-traits = "0.2"
  num-derive = "0.4"
 diff --git a/http-wrapper/Cargo.toml b/http-wrapper/Cargo.toml
-index ee02419b..1af8f35f 100644
+index 5259dfb0..495a346f 100644
 --- a/http-wrapper/Cargo.toml
 +++ b/http-wrapper/Cargo.toml
-@@ -20,7 +20,7 @@ openssl = "0.10.66"
-
+@@ -20,7 +20,7 @@ openssl = "0.10.70"
+ 
  fdo-data-formats = { path = "../data-formats", version = "0.5.3" }
  fdo-store = { path = "../store", version = "0.5.3" }
--aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
-+aws-nitro-enclaves-cose = "0.4.0"
-
+-aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
++aws-nitro-enclaves-cose = "0.5.2"
+ 
  # Server-side
  uuid = { version = "1.3", features = ["v4"], optional = true }