From 9ed4655cd901dc036b97c51a090fb40195d60354 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Mart=C3=ADn?=
Date: Thu, 30 Jan 2025 12:56:24 +0100
Subject: [PATCH] chore: update to latest version of aws-nitro-enclaves-cose
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update to the latest version of aws-nitro-enclaves-cose crate

Signed-off-by: Miguel Martín
---
 .packit.yaml | 2 +-
 Makefile | 8 +-----
 data-formats/Cargo.toml | 2 +-
 data-formats/src/constants/mod.rs | 4 +--
 data-formats/src/devicecredential/file.rs | 26 ++++++++-----------
 data-formats/src/types.rs | 26 ++++++++++++-------
 fido-device-onboard.spec | 2 +-
 http-wrapper/Cargo.toml | 2 +-
 http-wrapper/src/lib.rs | 5 ++--
 ...sed-aws-nitro-enclaves-cose-version.patch} | 18 ++++++-------
 .../0002-fix-aws-nitro-enclaves-cose.patch | 25 ------------------
 11 files changed, 47 insertions(+), 73 deletions(-)
 rename patches/{0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch => 0001-use-released-aws-nitro-enclaves-cose-version.patch} (56%)
 delete mode 100644 patches/0002-fix-aws-nitro-enclaves-cose.patch

diff --git a/.packit.yaml b/.packit.yaml
index 3232c6943..c9674fbd4 100644
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -8,7 +8,7 @@ files_to_sync:
 - ".packit.yaml"
 - "fido-device-onboard.spec"
 - "fido-device-onboard-rs-*-vendor-patched.tar.xz"
- - "patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch"
+ - "patches/0001-use-released-aws-nitro-enclaves-cose-version.patch"
 dest: .
 upstream_package_name: fido-device-onboard
diff --git a/Makefile b/Makefile
index f2f1f509c..76011a9ed 100644
--- a/Makefile
+++ b/Makefile
@@ -58,13 +58,7 @@ $(VENDOR_TARBALL):
 # https://issues.redhat.com/browse/RHEL-65521
 args+="--exclude-crate-path idna#tests "
 rm -rf vendor
- # Use the official crate version
- patch -p1 < patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
 cargo vendor-filterer $${args}
- # Reapply the crate patch so cargo build keeps working
- patch -p1 -R < patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
- # Patch the official crate so the build works.
- patch -p1 < patches/0002-fix-aws-nitro-enclaves-cose.patch
 tar cJf $(VENDOR_TARBALL) vendor
 rm -rf vendor
@@ -85,7 +79,7 @@ vendor: $(VENDOR_TARBALL)
 SPEC_FILE=./fido-device-onboard.spec
 PATCHES_DIR=./patches
-PATCH_FILE_NAME=0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+PATCH_FILE_NAME=0001-use-released-aws-nitro-enclaves-cose-version.patch
 PATCH_FILE=$(PATCHES_DIR)/$(PATCH_FILE_NAME)
 RPM_TOP_DIR=$(CURDIR)/rpmbuild
 RPMS_SPECS_DIR=$(RPM_TOP_DIR)/SPECS
diff --git a/data-formats/Cargo.toml b/data-formats/Cargo.toml
index 909212d50..304343483 100644
--- a/data-formats/Cargo.toml
+++ b/data-formats/Cargo.toml
@@ -17,7 +17,7 @@ serde_cbor = "0.11"
 serde_repr = "0.1.19"
 serde_tuple = "0.5"
 thiserror = "1"
-aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
+aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
 uuid = "1.3"
 num-traits = "0.2"
 num-derive = "0.4"
diff --git a/data-formats/src/constants/mod.rs b/data-formats/src/constants/mod.rs
index 96f677d08..51ea8aaf6 100644
--- a/data-formats/src/constants/mod.rs
+++ b/data-formats/src/constants/mod.rs
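Review bot: The vendoring step now runs `cargo vendor-filterer $${args}` against the git-pinned crate, while the spec's Patch1 (renamed here, content near the bottom of this patch) rewrites both Cargo.toml files to `aws-nitro-enclaves-cose = "0.5.2"` at RPM build time; whether the vendored checkout of rev 6064f826… resolves as package version 0.5.2, and whether that release carries the `crypto::Openssl`/`crypto::MessageDigest` API the Rust hunks now use, is not evidenced in this patch, so the RPM build path deserves one explicit check. The three removed comment lines also took the only explanation of the vendor/patch scheme with them; a one-line comment above `cargo vendor-filterer $${args}` such as `# Vendor the pinned upstream rev as-is; the spec's Patch1 swaps it for the crates.io release` would keep the intent visible. Dropping patches/0002 presumably relies on the pinned rev already containing the SigStructure `#[serde(default)]` change it backported (PR 66), which the commit message does not state. The `$(VENDOR_TARBALL)` recipe starts outside the hunk.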
@@ -111,8 +111,8 @@ const RS384: i16 = -258;
 #[repr(i16)]
 #[non_exhaustive]
 pub enum DeviceSigType {
- StSECP256R1 = (aws_nitro_enclaves_cose::sign::SignatureAlgorithm::ES256 as i16),
- StSECP384R1 = (aws_nitro_enclaves_cose::sign::SignatureAlgorithm::ES384 as i16),
+ StSECP256R1 = (aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES256 as i16),
+ StSECP384R1 = (aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES384 as i16),
 StRSA2048 = RS256,
 StRSA3072 = RS384,
 StEPID10 = 90,
diff --git a/data-formats/src/devicecredential/file.rs b/data-formats/src/devicecredential/file.rs
index b895c0e95..087094c94 100644
--- a/data-formats/src/devicecredential/file.rs
+++ b/data-formats/src/devicecredential/file.rs
@@ -11,7 +11,9 @@ use crate::{
 DeviceCredential,
 ProtocolVersion,
 };
-use aws_nitro_enclaves_cose::{error::CoseError, sign::SignatureAlgorithm};
+use aws_nitro_enclaves_cose::{
+ crypto::MessageDigest, crypto::SignatureAlgorithm, error::CoseError,
+};
 use openssl::{pkey::PKey, sign::Signer};
 use serde::{Deserialize, Serialize};
 use serde_tuple::Serialize_tuple;
@@ -249,7 +251,7 @@ impl TpmCoseSigner {
 public: &tss_esapi::structures::Public,
 ) -> Result<
 (
- (SignatureAlgorithm, openssl::hash::MessageDigest),
+ (SignatureAlgorithm, MessageDigest),
 tss_esapi::interface_types::algorithm::HashingAlgorithm,
 usize,
 ),
@@ -264,13 +266,13 @@ impl TpmCoseSigner {
 };
 let param_hash_alg = match hash_alg {
 tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha256 => {
- openssl::hash::MessageDigest::sha256()
+ MessageDigest::Sha256
 }
 tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha384 => {
- openssl::hash::MessageDigest::sha384()
+ MessageDigest::Sha384
 }
 tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha512 => {
- openssl::hash::MessageDigest::sha512()
+ MessageDigest::Sha512
 }
 _ => {
 return Err(CoseError::UnsupportedError(
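Review bot: The `+` lines keep `StSECP256R1`/`StSECP384R1` derived from the dependency's `SignatureAlgorithm` discriminants, so this crate bump (and any later one) can silently change the on-the-wire values that the protocol fixes at the COSE registry's ES256 = -7 and ES384 = -35, with the failure surfacing only as an interop or verification error at runtime. A compile-time pin next to the enum, `const _: () = assert!(DeviceSigType::StSECP256R1 as i16 == -7 && DeviceSigType::StSECP384R1 as i16 == -35);`, turns such drift into a build error. `DeviceSigType` continues past the end of the hunk.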
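Review bot: The new `use` item in the `-11` hunk spells the `crypto` module twice; nesting it, `use aws_nitro_enclaves_cose::{crypto::{MessageDigest, SignatureAlgorithm}, error::CoseError};`, matches how the neighbouring `openssl::{pkey::PKey, sign::Signer}` import is grouped and rustfmt will lay it out. In the `-264` hunk the arms now yield unit variants, so the braced bodies around `MessageDigest::Sha256` and friends can collapse to single-line arms like `HashingAlgorithm::Sha256 => MessageDigest::Sha256,`. `public_to_parameters` starts before the `-249` hunk and ends after the `-264` one.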
@@ -313,16 +315,10 @@ impl TpmCoseSigner {
 }
 impl aws_nitro_enclaves_cose::crypto::SigningPublicKey for TpmCoseSigner {
- fn get_parameters(
- &self,
- ) -> Result<
- (
- aws_nitro_enclaves_cose::sign::SignatureAlgorithm,
- openssl::hash::MessageDigest,
- ),
- CoseError,
- > {
- Ok(TpmCoseSigner::public_to_parameters(&self.signing_public)?.0)
+ fn get_parameters(&self) -> Result<(SignatureAlgorithm, MessageDigest), CoseError> {
+ Ok(TpmCoseSigner::public_to_parameters(&self.signing_public)?
+ .0
+ .into())
 }
 fn verify(&self, _digest: &[u8], _signature: &[u8]) -> Result {
diff --git a/data-formats/src/types.rs b/data-formats/src/types.rs
index fba940ad0..a0ab25130 100644
--- a/data-formats/src/types.rs
+++ b/data-formats/src/types.rs
@@ -7,7 +7,7 @@ use std::{
 string::ToString,
 };
-use aws_nitro_enclaves_cose::crypto::{SigningPrivateKey, SigningPublicKey};
+use aws_nitro_enclaves_cose::crypto::{Openssl, SigningPrivateKey, SigningPublicKey};
 use aws_nitro_enclaves_cose::CoseSign1 as COSESignInner;
 use serde_bytes::ByteBuf;
 use serde_repr::{Deserialize_repr, Serialize_repr};
@@ -1806,7 +1806,7 @@ impl COSESign {
 };
 let payload = payload.serialize_data()?;
- let inner = COSESignInner::new(&payload, &unprotected.into(), sign_key)?;
+ let inner = COSESignInner::new::(&payload, &unprotected.into(), sign_key)?;
 Self::new_from_inner(inner)
 }
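Review bot: The `.into()` on the new `get_parameters` body converts `(SignatureAlgorithm, MessageDigest)` into `(SignatureAlgorithm, MessageDigest)` — after this commit `public_to_parameters` already returns exactly that tuple as its `.0` (see the `-249` hunk) — so it is the identity `From<T> for T` impl and clippy's `useless_conversion` lint will flag it; `Ok(TpmCoseSigner::public_to_parameters(&self.signing_public)?.0)` is sufficient. If the conversion was meant to bridge two different types, the source type is not visible in this hunk. `TpmCoseSigner::verify`, shown only by its signature, continues outside the hunk.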
@@ -1830,14 +1830,18 @@ impl COSESign {
 let mut protected: aws_nitro_enclaves_cose::header_map::HeaderMap = protected.into();
 protected.insert(1.into(), (sig_alg as i8).into());
- let inner =
- COSESignInner::new_with_protected(&payload, &protected, &unprotected.into(), sign_key)?;
+ let inner = COSESignInner::new_with_protected::(
+ &payload,
+ &protected,
+ &unprotected.into(),
+ sign_key,
+ )?;
 Self::new_from_inner(inner)
 }
 pub fn verify(&self, sign_key: &dyn SigningPublicKey) -> Result<(), Error> {
- if self.cached_inner.verify_signature(sign_key)? {
+ if self.cached_inner.verify_signature::(sign_key)? {
 Ok(())
 } else {
 Err(Error::InconsistentValue("Signature verification failed"))
@@ -1860,7 +1864,7 @@ impl COSESign {
 where
 T: Serializable,
 {
- let payload = self.cached_inner.get_payload(None)?;
+ let payload = self.cached_inner.get_payload::(None)?;
 Ok(UnverifiedValue(T::deserialize_data(&payload)?))
 }
@@ -1868,7 +1872,7 @@ impl COSESign {
 where
 T: Serializable,
 {
- let payload = self.cached_inner.get_payload(Some(key))?;
+ let payload = self.cached_inner.get_payload::(Some(key))?;
 T::deserialize_data(&payload)
 }
@@ -1896,7 +1900,9 @@ impl COSESign {
 where
 T: serde::de::DeserializeOwned,
 {
- let (protected, _) = self.cached_inner.get_protected_and_payload(None)?;
+ let (protected, _) = self
+ .cached_inner
+ .get_protected_and_payload::(None)?;
 match protected.get(&header_key.cbor_value()) {
 None => Ok(None),
 Some(val) => Ok(Some(UnverifiedValue(serde_cbor::value::from_value(
@@ -1913,7 +1919,9 @@ impl COSESign {
 where
 T: serde::de::DeserializeOwned,
 {
- let (protected, _) = self.cached_inner.get_protected_and_payload(Some(key))?;
+ let (protected, _) = self
+ .cached_inner
+ .get_protected_and_payload::(Some(key))?;
 match protected.get(&header_key.cbor_value()) {
 None => Ok(None),
 Some(val) => Ok(Some(serde_cbor::value::from_value(val.clone())?)),
diff --git a/fido-device-onboard.spec b/fido-device-onboard.spec
index 3fdb24e16..25f40f75b 100644
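Review bot: The crypto backend is now selected per call site with a turbofish on every `COSESignInner`/`cached_inner` call in this file — `new` in the `-1806` hunk, `new_with_protected`, `verify_signature`, both `get_payload` and both `get_protected_and_payload` here — plus `CoseEncrypt0::new` and `decrypt` in http-wrapper/src/lib.rs; the type argument renders as empty on this page, and from the new `Openssl` import it is presumably `::<Openssl>`. A single `pub type` alias in data-formats next to the `-7` hunk's import, e.g. `pub type CoseBackend = Openssl;`, used at each of those sites (http-wrapper can import it from `fdo_data_formats`) keeps signing, verification and decryption on one backend by construction and makes a future backend change a one-line edit instead of eight. Each of the affected methods begins or ends outside its hunk.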
--- a/fido-device-onboard.spec
+++ b/fido-device-onboard.spec
@@ -11,7 +11,7 @@ License: BSD-3-Clause
 URL: https://github.com/fdo-rs/fido-device-onboard-rs
 Source0: %{url}/archive/v%{version}/%{name}-rs-%{version}.tar.gz
 Source1: %{name}-rs-%{version}-vendor-patched.tar.xz
-Patch1: 0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+Patch1: 0001-use-released-aws-nitro-enclaves-cose-version.patch
 # Because nobody cares
 ExcludeArch: %{ix86}
diff --git a/http-wrapper/Cargo.toml b/http-wrapper/Cargo.toml
index 414cc8066..5259dfb0a 100644
--- a/http-wrapper/Cargo.toml
+++ b/http-wrapper/Cargo.toml
@@ -20,7 +20,7 @@ openssl = "0.10.70"
 fdo-data-formats = { path = "../data-formats", version = "0.5.3" }
 fdo-store = { path = "../store", version = "0.5.3" }
-aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
+aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
 # Server-side
 uuid = { version = "1.3", features = ["v4"], optional = true }
diff --git a/http-wrapper/src/lib.rs b/http-wrapper/src/lib.rs
index ccf67d024..44277aefe 100644
--- a/http-wrapper/src/lib.rs
+++ b/http-wrapper/src/lib.rs
@@ -1,5 +1,6 @@
 use serde::{Deserialize, Serialize};
+use aws_nitro_enclaves_cose::crypto::Openssl;
 use aws_nitro_enclaves_cose::error::CoseError;
 use aws_nitro_enclaves_cose::{CipherConfiguration, CoseEncrypt0};
 use fdo_data_formats::types::{CipherSuite, DerivedKeys};
@@ -56,7 +57,7 @@ impl EncryptionKeys {
 Some(DerivedKeys::Combined { sevk: k }) => k,
 _ => panic!(),
 };
- CoseEncrypt0::new(plaintext, CipherConfiguration::Gcm, &k[..])
+ CoseEncrypt0::new::(plaintext, CipherConfiguration::Gcm, &k[..])
 .map(|c| c.as_bytes(true))?
 }
 }
@@ -71,7 +72,7 @@ impl EncryptionKeys {
 _ => panic!(),
 };
 match CoseEncrypt0::from_bytes(ciphertext) {
- Ok(v) => match v.decrypt(k) {
+ Ok(v) => match v.decrypt::(k) {
 Ok((_, _, payload)) => Ok(payload),
 Err(e) => Err(e),
 },
diff --git a/patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch b/patches/0001-use-released-aws-nitro-enclaves-cose-version.patch
similarity index 56%
rename from patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
rename to patches/0001-use-released-aws-nitro-enclaves-cose-version.patch
index ae4ccf69b..dee5eeb1b 100644
--- a/patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+++ b/patches/0001-use-released-aws-nitro-enclaves-cose-version.patch
@@ -1,26 +1,26 @@
 diff --git a/data-formats/Cargo.toml b/data-formats/Cargo.toml
-index 9dafc344..4a398aa6 100644
+index 30434348..c5a1aedd 100644
 --- a/data-formats/Cargo.toml
 +++ b/data-formats/Cargo.toml
 @@ -17,7 +17,7 @@ serde_cbor = "0.11"
 serde_repr = "0.1.19"
 serde_tuple = "0.5"
 thiserror = "1"
--aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
-+aws-nitro-enclaves-cose = "0.4.0"
+-aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
++aws-nitro-enclaves-cose = "0.5.2"
 uuid = "1.3"
 num-traits = "0.2"
 num-derive = "0.4"
 diff --git a/http-wrapper/Cargo.toml b/http-wrapper/Cargo.toml
-index ee02419b..1af8f35f 100644
+index 5259dfb0..495a346f 100644
 --- a/http-wrapper/Cargo.toml
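Review bot: The inner `match` on the new `v.decrypt::(k)` line only unwraps the triple in one arm and re-wraps the error unchanged in the other, so `Ok(v) => v.decrypt::<Openssl>(k).map(|(_, _, payload)| payload),` expresses the same thing in one line (assuming the type argument, which renders empty on this page, is the newly imported `Openssl`); clippy's manual-map family of lints points the same way. The decrypting function begins and ends outside the hunk.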
 +++ b/http-wrapper/Cargo.toml
-@@ -20,7 +20,7 @@ openssl = "0.10.66"
-
+@@ -20,7 +20,7 @@ openssl = "0.10.70"
+
 fdo-data-formats = { path = "../data-formats", version = "0.5.3" }
 fdo-store = { path = "../store", version = "0.5.3" }
--aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
-+aws-nitro-enclaves-cose = "0.4.0"
-
+-aws-nitro-enclaves-cose = { git = "https://github.com/awslabs/aws-nitro-enclaves-cose/", rev = "6064f826d551a9db0bd42e9cf928feaf272e8d17" }
++aws-nitro-enclaves-cose = "0.5.2"
+
 # Server-side
 uuid = { version = "1.3", features = ["v4"], optional = true }
diff --git a/patches/0002-fix-aws-nitro-enclaves-cose.patch b/patches/0002-fix-aws-nitro-enclaves-cose.patch
deleted file mode 100644
index 6fa09e4f6..000000000
--- a/patches/0002-fix-aws-nitro-enclaves-cose.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Backport of https://github.com/awslabs/aws-nitro-enclaves-cose/pull/66
-
-diff --git a/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json b/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json
-index dd788a8..1035b7b 100644
---- a/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json
-+++ b/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json
-@@ -1 +1 @@
--{"files":{"CHANGELOG.md":"182c816f6cdcf13b370be9e712a0e7cf5b7c6b6612dc81c3b3d477abfca58e86","CODE_OF_CONDUCT.md":"34b6c98d5c23127ae6769e95e483e5bf6d3704ae1f0d3ae4e69d15f4ede118b6","CONTRIBUTING.md":"b050a75d5f6d2236ed40ad91dc53c4a4b30da184f9298f6f18507beae5fd7cb7","Cargo.toml":"d3ba98a34c9dcbff42da7e04d123b1687840738851e0630035e1f6e620a6fd98","LICENSE":"09e8a9bcec8067104652c168685ab0931e7868f9c8284b66f5ae6edae5f1130b","NOTICE":"d4290ed64c2edd0fce1d84e3f9dfb2881240fe534def76b8cd29ed6af683e287","README.md":"b16c142f4056384bb274fa7c9d0c2d73faf573cc2123a0bf4825970f88a67fc4","src/crypto/mod.rs":"a509e065cd0c3ed4c05484af9a7c45397ebf2a8b3f0d22578410f22484ffc33c","src/crypto/openssl_pkey.rs":"e9344a26ba101925a8e1c82960ff3d20a3df603be43132671bb15846ee96e829","src/crypto/tpm.rs":"2f8ec59523020319a4f63ca1e4bf3a4ae20c3acf8ca8ffd38e53ccd99611af3f","src/encrypt.rs":"ba89d5f221f0e4379d6f67dd946a00b183639b00bcf6918a4d3c441c4328894d","src/error.rs":"48fd4b84f9b4a7f5fc7ac52c2ce792d258c257908609270bf7751938082e19b7","src/header_map.rs":"88b3d7575ea4fd8eaaf4497a9d3c27ff43ec4da0213994aecf1ec9b5b89553c0","src/lib.rs":"8dbe7fe8206cfc76f46324c25418b37d0daf1ce23fc8b3219e1d89043c8e00de","src/sign.rs":"5a45658fa820ac9b5285c0987b66a58eb4f5b4373ab1aa07a73240848de098b2"},"package":"4e2fe3e862758ef5bb5d89868141ab28781d96347522b60eb6abeaf7f9acd4bc"}
-\ No newline at end of file
-+{"files":{},"package":"4e2fe3e862758ef5bb5d89868141ab28781d96347522b60eb6abeaf7f9acd4bc"}
-diff --git a/vendor/aws-nitro-enclaves-cose/src/sign.rs b/vendor/aws-nitro-enclaves-cose/src/sign.rs
-index 6426ac0..93f59ec 100644
---- a/vendor/aws-nitro-enclaves-cose/src/sign.rs
-+++ b/vendor/aws-nitro-enclaves-cose/src/sign.rs
-@@ -135,8 +135,10 @@ pub struct SigStructure(
- #[serde(skip_serializing_if = "Option::is_none")]
- Option,
- /// external_aad : bstr,
-+ #[serde(default)]
- ByteBuf,
- /// payload : bstr
-+ #[serde(default)]
- ByteBuf,
- );
-