diff --git a/Cargo.lock b/Cargo.lock index f8804f3..6d42b0b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -104,11 +104,6 @@ version = "1.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b645a089122eccb6111b4f81cbc1a49f5900ac4666bb93ac027feaecf15607bf" -[[package]] -name = "base64ct" -version = "1.5.3" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" - [[package]] name = "bitflags" version = "1.3.2" @@ -253,11 +248,6 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "795bc6e66a8e340f075fcf6227e417a2dc976b92b91f3cdc778bb858778b6747" -[[package]] -name = "const-oid" -version = "0.10.0-pre" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" - [[package]] name = "convert_case" version = "0.4.0" @@ -334,20 +324,7 @@ version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de" dependencies = [ - "const-oid 0.9.4", - "pem-rfc7468 0.6.0", - "zeroize", -] - -[[package]] -name = "der" -version = "0.7.0-pre" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" -dependencies = [ - "const-oid 0.10.0-pre", - "der_derive 0.7.0-pre", - "flagset", - "pem-rfc7468 0.7.0-pre", + "const-oid", "zeroize", ] 
@@ -357,24 +334,13 @@ version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "56acb310e15652100da43d130af8d97b509e95af61aab1c5a7939ef24337ee17" dependencies = [ - "const-oid 0.9.4", - "der_derive 0.7.1", + "const-oid", + "der_derive", "flagset", - "pem-rfc7468 0.7.0", + "pem-rfc7468", "zeroize", ] -[[package]] -name = "der_derive" -version = "0.7.0-pre" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" -dependencies = [ - "proc-macro-error", - "proc-macro2", - "quote", - "syn 1.0.107", -] - [[package]] name = "der_derive" version = "0.7.1" @@ -406,17 +372,16 @@ version = "0.1.0" dependencies = [ "anyhow", "clap", - "const-oid 0.10.0-pre", - "ecdsa 0.16.7", + "const-oid", "env_logger", "hex", "log", - "p384 0.12.0", - "pem-rfc7468 0.7.0-pre", + "p384 0.13.0", + "pem-rfc7468", "ring-compat", "sha2", "thiserror", - "x509-cert 0.2.0-pre", + "x509-cert", ] [[package]] @@ -437,7 +402,7 @@ dependencies = [ "anyhow", "chrono", "clap", - "const-oid 0.9.4", + "const-oid", "corncobs", "dice-mfg-msgs", "env_logger", @@ -449,7 +414,7 @@ dependencies = [ "sha3", "string-error", "tempfile", - "x509-cert 0.2.4", + "x509-cert", "yubihsm", "zerocopy", "zeroize", @@ -474,7 +439,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer", - "const-oid 0.9.4", + "const-oid", "crypto-common", "subtle", ] @@ -487,7 +452,6 @@ checksum = "12844141594ad74185a926d030f3b605f6a903b4e3fec351f3ea338ac5b7637e" dependencies = [ "der 0.6.1", "elliptic-curve 0.12.3", - "rfc6979 0.3.1", "signature 2.0.0", ] @@ -500,8 +464,9 @@ dependencies = [ "der 0.7.6", "digest", "elliptic-curve 0.13.4", - "rfc6979 0.4.0", + "rfc6979", "signature 2.0.0", + "spki 0.7.2", ] [[package]] 
@@ -535,9 +500,6 @@ dependencies = [ "ff 0.12.1", "generic-array", "group 0.12.1", - "hkdf", - "pem-rfc7468 0.6.0", - "pkcs8", "rand_core", "sec1 0.3.0", "subtle", @@ -556,6 +518,9 @@ dependencies = [ "ff 0.13.0", "generic-array", "group 0.13.0", + "hkdf", + "pem-rfc7468", + "pkcs8 0.10.2", "rand_core", "sec1 0.7.1", "subtle", @@ -982,7 +947,6 @@ dependencies = [ "ecdsa 0.15.1", "elliptic-curve 0.12.3", "primeorder 0.12.1", - "sha2", ] [[package]] @@ -1016,30 +980,13 @@ dependencies = [ "base64", ] -[[package]] -name = "pem-rfc7468" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24d159833a9105500e0398934e205e0773f0b27529557134ecfc51c27646adac" -dependencies = [ - "base64ct 1.5.3 (registry+https://github.com/rust-lang/crates.io-index)", -] - -[[package]] -name = "pem-rfc7468" -version = "0.7.0-pre" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" -dependencies = [ - "base64ct 1.5.3 (git+https://github.com/RustCrypto/formats)", -] - [[package]] name = "pem-rfc7468" version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" dependencies = [ - "base64ct 1.5.3 (registry+https://github.com/rust-lang/crates.io-index)", + "base64ct", ] [[package]] @@ -1052,6 +999,16 @@ dependencies = [ "spki 0.6.0", ] +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der 0.7.6", + "spki 0.7.2", +] + [[package]] name = "pkg-config" version = "0.3.26" 
@@ -1153,17 +1110,6 @@ version = "0.6.28" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "456c603be3e8d448b072f410900c09faf164fbce2d480456f50eea6e25f9c848" -[[package]] -name = "rfc6979" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7743f17af12fa0b03b803ba12cd6a8d9483a587e89c69445e3909655c0b9fabb" -dependencies = [ - "crypto-bigint 0.4.9", - "hmac", - "zeroize", -] - [[package]] name = "rfc6979" version = "0.4.0" @@ -1203,7 +1149,7 @@ dependencies = [ "opaque-debug", "p256 0.12.0", "p384 0.12.0", - "pkcs8", + "pkcs8 0.9.0", "ring", "signature 2.0.0", ] @@ -1313,7 +1259,7 @@ dependencies = [ "base16ct 0.1.1", "der 0.6.1", "generic-array", - "pkcs8", + "pkcs8 0.9.0", "subtle", "zeroize", ] @@ -1327,6 +1273,7 @@ dependencies = [ "base16ct 0.2.0", "der 0.7.6", "generic-array", + "pkcs8 0.10.2", "subtle", "zeroize", ] @@ -1454,26 +1401,17 @@ version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b" dependencies = [ - "base64ct 1.5.3 (registry+https://github.com/rust-lang/crates.io-index)", + "base64ct", "der 0.6.1", ] -[[package]] -name = "spki" -version = "0.7.0-pre" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" -dependencies = [ - "base64ct 1.5.3 (git+https://github.com/RustCrypto/formats)", - "der 0.7.0-pre", -] - [[package]] name = "spki" version = "0.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a" dependencies = [ - "base64ct 1.5.3 (registry+https://github.com/rust-lang/crates.io-index)", + "base64ct", "der 0.7.6", ] 
@@ -1867,24 +1805,13 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" -[[package]] -name = "x509-cert" -version = "0.2.0-pre" -source = "git+https://github.com/RustCrypto/formats#9c3ad4366d7f6132d770fe1ead839fbca295cff9" -dependencies = [ - "const-oid 0.10.0-pre", - "der 0.7.0-pre", - "flagset", - "spki 0.7.0-pre", -] - [[package]] name = "x509-cert" version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "25eefca1d99701da3a57feb07e5079fc62abba059fc139e98c13bbb250f3ef29" dependencies = [ - "const-oid 0.9.4", + "const-oid", "der 0.7.6", "spki 0.7.2", ] diff --git a/Cargo.toml b/Cargo.toml index 43e227a..d6e53ce 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,11 +15,15 @@ chrono = { version = "0.4.26", default-features=false } clap = { version = "4", default-features = false } corncobs = "0.1" derive_more = "0.99" -env_logger = "0.10" -hex = "0.4" +ecdsa = { version = "0.16", default-features = false } +env_logger = { version = "0.10", default-features = false } +hex = { version = "0.4", default-features = false } hubpack = "0.1" log = { version = "0.4", features = ["std"] } +p384 = { version = "0.13", default-features = false } pem = { version = "1", default-features = false } +pem-rfc7468 = { version = "0.7.0", default-features = false } +ring-compat = { version = "0.6", default-features = false } ron = "0.8" rpassword = "7.2.0" salty = { version = "0.2", default-features = false } diff --git a/dice-cert-check/Cargo.toml b/dice-cert-check/Cargo.toml index 370203a..da73ac1 100644 --- a/dice-cert-check/Cargo.toml +++ b/dice-cert-check/Cargo.toml 
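Review bot: The workspace now pins `p384 = { version = "0.13", ... }`, but the Cargo.lock hunks above still show a package (by its dependency list, apparently `ring-compat`) resolving `p256 0.12.0`, `p384 0.12.0` and `pkcs8 0.9.0`, so the build carries two generations of the elliptic-curve stack. Key and signature types from the two versions are distinct, and both copies have to be tracked for advisories. A comment above the `ring-compat` line would record this, for example `# ring-compat 0.6 still pulls p384/p256 0.12; revisit once it moves to the 0.13 series`.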
@@ -3,23 +3,16 @@ name = "dice-cert-check" version = "0.1.0" edition = "2021" -# NOTE: We're currently using crates from the main development branch of the -# rust crypto formats git repo. We do this because: -# - const-oid doesn't have the OIDs from RFC 8410 in a release yet -# - the latest x509-cert release has a bug that prevents us from consuming -# PEM encoded certs. This has been fixed on the development branch but -# hasn't made it into a release yet. [dependencies] -anyhow = "1.0.68" -clap = { version = "4.1.4", features = ["derive"] } -const-oid = { git = "https://github.com/RustCrypto/formats" } -ecdsa = "0.16" -env_logger = "0.10.0" -hex = "0.4.3" -log = "0.4.17" -p384 = "0.12.0" -pem-rfc7468 = { git = "https://github.com/RustCrypto/formats" } -ring-compat = { version = "0.6.0", features = ["std"] } -sha2 = "0.10.6" -thiserror = "1.0.38" -x509-cert = { git = "https://github.com/RustCrypto/formats", features = ["pem", "std"] } +anyhow = { workspace = true, default-features = true } +clap = { workspace = true, default-features = true, features = ["derive"] } +const-oid = { version = "0.9.4", features = ["db"] } +env_logger = { workspace = true, default-features = true } +hex = { workspace = true, default-features = true } +log = { workspace = true, default-features = true, features = ["std"] } +p384 = { workspace = true, default-features = true } +pem-rfc7468 = { workspace = true, default-features = true } +ring-compat = { workspace = true, default-features = true, features = ["std"] } +sha2 = { workspace = true, default-features = true } +thiserror = { workspace = true, default-features = true } +x509-cert = { workspace = true, default-features = true, features = ["pem"] } diff --git a/dice-cert-check/src/lib.rs b/dice-cert-check/src/lib.rs index 98d5f41..206944a 100644 --- a/dice-cert-check/src/lib.rs +++ b/dice-cert-check/src/lib.rs 
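Review bot: `const-oid` is the only dependency in this list that does not inherit from the workspace, and its declaration (`version = "0.9.4", features = ["db"]`) differs from the one in `dice-mfg/Cargo.toml` (`version = "0.9.2", features = ["std", "db"]`). Both currently resolve to the same crate in Cargo.lock, but the two requirements can drift apart unnoticed. Declaring it once, e.g. `const-oid = { version = "0.9.4", default-features = false }` under `[workspace.dependencies]` and `const-oid = { workspace = true, features = ["db"] }` here, keeps the OID database version in step across the crates that parse certificates.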
@@ -3,10 +3,7 @@ // file, You can obtain one at https://mozilla.org/MPL/2.0/. use const_oid::{ - db::{ - rfc5912::{ECDSA_WITH_SHA_384, ID_EC_PUBLIC_KEY, SECP_384_R_1}, - rfc8410::ID_ED_25519, - }, + db::rfc5912::{ECDSA_WITH_SHA_384, ID_EC_PUBLIC_KEY, SECP_384_R_1}, ObjectIdentifier, }; use hex::ToHex; @@ -18,11 +15,14 @@ use x509_cert::{ der::{ self, asn1::{Any, BitString}, - Encode, Tag, Tagged, + Tag, Tagged, }, spki::{AlgorithmIdentifierOwned, SubjectPublicKeyInfoOwned}, }; +const ID_ED_25519: crate::ObjectIdentifier = + crate::ObjectIdentifier::new_unwrap("1.3.101.112"); + #[derive(thiserror::Error, Debug)] pub enum Error { #[error("Signature is not octet aligned")] @@ -36,7 +36,7 @@ pub enum Error { #[error("Failed to verify signature.")] P384VerificationFail { #[from] - source: ecdsa::Error, + source: p384::ecdsa::Error, }, #[error("Public key is not octet aligned")] UnalignedPublicKey, @@ -90,7 +90,7 @@ impl TryFrom<&Any> for ParameterType { fn try_from(param: &Any) -> result::Result { match param.tag() { Tag::ObjectIdentifier => { - let oid: ObjectIdentifier = param.decode_as()?; + let oid = param.decode_as()?; match oid { SECP_384_R_1 => Ok(ParameterType::P384), _ => Err(Error::UnsupportedParameter), @@ -189,15 +189,12 @@ impl TryFrom<&SubjectPublicKeyInfoOwned> for P384Verifier { return Err(Error::IncompatibleParams); } - use p384::{ecdsa, pkcs8::DecodePublicKey}; + use p384::ecdsa::VerifyingKey; + use x509_cert::der::referenced::OwnedToRef; - // the trait `std::error::Error` is not implemented for - // `p384::pkcs8::spki::Error` - // what feature do I need to enable? - // p384 has std enabled by default ... no clue - let verifying_key = - ecdsa::VerifyingKey::from_public_key_der(&spki.to_vec()?) - .expect("p384 VerifyingKey"); + // do better error handling + let verifying_key = VerifyingKey::try_from(spki.owned_to_ref()) + .expect("p384 VerifyingKey"); Ok(Self { verifying_key }) } } 
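Review bot: The new `ID_ED_25519` constant in the second hunk has no comment saying what the dotted string is or why it is spelled out by hand rather than imported. Going by the note this commit removes from dice-cert-check/Cargo.toml, the released const-oid lacks the RFC 8410 OIDs, so a doc line such as `/// id-Ed25519 (RFC 8410); defined locally because the released const-oid db has no rfc8410 module.` would tell the next reader when it can be dropped. `ObjectIdentifier` is already imported a few lines up, so the `crate::ObjectIdentifier` path can be plain `ObjectIdentifier`.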
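Review bot: In the last hunk, `VerifyingKey::try_from(spki.owned_to_ref()).expect("p384 VerifyingKey")` panics when the SubjectPublicKeyInfo does not hold a valid P-384 point, even though this `TryFrom` impl already returns `Error` for the other rejection cases. A certificate checker should report a malformed key as a verification failure, not abort, and the `// do better error handling` comment leaves that open. A unit variant avoids the earlier `std::error::Error` problem with the spki error type: add `#[error("Invalid P-384 public key")] InvalidPublicKey,` (name proposed) to `Error` and write `.map_err(|_| Error::InvalidPublicKey)?` in place of the `expect`. The impl body starts outside the hunk.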
diff --git a/dice-cert-check/src/main.rs b/dice-cert-check/src/main.rs index 094c3fe..5ad7a75 100644 --- a/dice-cert-check/src/main.rs +++ b/dice-cert-check/src/main.rs @@ -118,7 +118,7 @@ fn convert( // this is a bit weird, but there's a reason ... let cert_vec = match encoding { - Encoding::DER => cert.to_vec()?, + Encoding::DER => cert.to_der()?, // If we get the PEM encoded cert by just calling 'to_vec' it will // be preceded by 5 bytes of ... something not PEM. We work around // this by calling 'as_bytes' first. @@ -166,7 +166,7 @@ fn verify(cert_chain: &[Certificate]) -> Result<()> { )?; debug!("Initial signature: {}", signature); - let message = cert_chain[0].tbs_certificate.to_vec()?; + let message = cert_chain[0].tbs_certificate.to_der()?; debug!("Initial message: {}", message.encode_hex::()); _verify(&cert_chain[1..], &message, &signature) @@ -198,7 +198,7 @@ fn _verify( &cert_chain[0].signature_algorithm, &cert_chain[0].signature, )?; - let message = cert_chain[0].tbs_certificate.to_vec()?; + let message = cert_chain[0].tbs_certificate.to_der()?; if cert_chain.len() > 1 { _verify(&cert_chain[1..], &message, &signature) diff --git a/dice-mfg/Cargo.toml b/dice-mfg/Cargo.toml index a4184c9..75b7fb1 100644 --- a/dice-mfg/Cargo.toml +++ b/dice-mfg/Cargo.toml @@ -6,7 +6,7 @@ description = "A command line tool for creating and programming device identitie license = "MPL-2.0" [dependencies] -anyhow.workspace = true +anyhow = { workspace = true, features = ["std"] } chrono = { workspace = true, features = ["clock", "std"] } clap = { workspace = true, features = ["derive", "env"] } const-oid = { version = "0.9.2", features = ["std", "db"] }
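Review bot: The context comment in the `convert` hunk still explains the PEM workaround in terms of calling 'to_vec', while the DER arm directly above it now calls `to_der()`. If the PEM arm (outside the hunk) was renamed in the same way, the comment names a method the code no longer uses. Rewording it to `// If we get the PEM encoded cert by just calling 'to_der' it will` keeps the explanation findable by grep.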
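Review bot: In `verify`, `let message = cert_chain[0].tbs_certificate.to_der()?;` builds the signed message by re-encoding the parsed TBSCertificate, so the signature is checked against the encoder's output, not against the bytes that were read; the same line appears in `_verify` in the next hunk. That is sound only while decode followed by encode reproduces the input exactly, which presumably rests on the der crate accepting only canonical DER. The assumption deserves a comment at both sites, e.g. `// Signature is over the DER of TBSCertificate; we re-encode the parsed value and rely on strict DER round-tripping.` Both function bodies start outside their hunks.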