Fix kms (#68)

* fix key_kms feature

aws_config and aws_sdk_kms no longer matched, causing for this feature
to not compile. This patch bring the aws_sdk_kms to latest version,
which works with the latest aws_config.

Signed-off-by: Petre Eftime <[email protected]>

* build key_kms feature and tests

Unfortunately tests require AWS creds, so skip running the tests, but at
least make sure that the feature still compiles correctly.

Signed-off-by: Petre Eftime <[email protected]>

* update rust version

AWS SDK and time crate no longer compile with 1.58 and need minimum
1.67.

Signed-off-by: Petre Eftime <[email protected]>

* update checkout action to v4

Fix warnings about deprecated node versions for checkout v2.

Signed-off-by: Petre Eftime <[email protected]>

---------

Signed-off-by: Petre Eftime <[email protected]>

.github/workflows/ci.yml

@@ -18,22 +18,25 @@ jobs:
         runs-on: ubuntu-latest
         strategy:
             matrix:
-                rust: [1.58.1, stable, nightly]
+                rust: [1.67, stable, nightly]
                 key_feature_set:
                   - key_openssl_pkey
+                  - key_kms
         steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v4
         - uses: dtolnay/rust-toolchain@master
           with:
               toolchain: ${{matrix.rust}}
-        - run: cargo test --all --no-default-features --features ${{ matrix.key_feature_set }}
+        - run: |
+            cargo test --all --no-default-features --features ${{ matrix.key_feature_set }} \
+                -- --skip sign::tests::kms # Requires AWS creds, skip them
 
     test_fedora:
         name: Test on Fedora
         runs-on: ubuntu-latest
         container: fedora:latest
         steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v4
         - name: Install dependencies
           run: |
               dnf install -y \
@@ -65,7 +68,7 @@ jobs:
         name: Clippy
         runs-on: ubuntu-latest
         steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v4
         - uses: dtolnay/rust-toolchain@stable
         - run: rustup component add clippy
         - run: cargo clippy --all
@@ -74,7 +77,7 @@ jobs:
         name: Rustfmt
         runs-on: ubuntu-latest
         steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v4
         - uses: dtolnay/rust-toolchain@stable
         - run: rustup component add rustfmt
         - run: cargo fmt --all -- --check

Cargo.toml

@@ -8,7 +8,7 @@ keywords = ["COSE"]
 categories = ["cryptography"]
 repository = "https://github.com/awslabs/aws-nitro-enclaves-cose"
 description = "This library aims to provide a safe Rust implementation of COSE, with COSE Sign1 currently implemented."
-rust-version = "1.58"
+rust-version = "1.67"
 
 [dependencies]
 serde_cbor = { version="0.11", features = ["tags"] }
@@ -17,8 +17,8 @@ serde_bytes = { version = "0.11", features = ["std"] }
 serde_with = { version = "1.5", default_features = false }
 openssl = { version = "0.10", optional = true }
 tss-esapi = { version = "6.1", optional = true }
-aws-config = { version = "0.54", optional = true }
-aws-sdk-kms = { version = "0.16", optional = true }
+aws-config = { version = "0.56", optional = true }
+aws-sdk-kms = { version = "0.31", optional = true }
 tokio = { version = "1.20", features = ["rt", "macros"], optional = true }
 
 [dependencies.serde]

README.md

@@ -6,7 +6,7 @@
 [crates.io]: https://crates.io/crates/aws-nitro-enclaves-cose
 [docs]: https://img.shields.io/docsrs/aws-nitro-enclaves-cose
 [docs.rs]: https://docs.rs/aws-nitro-enclaves-cose
-[msrv]: https://img.shields.io/badge/MSRV-1.58.1-blue
+[msrv]: https://img.shields.io/badge/MSRV-1.67.1-blue
 
 ## COSE for AWS Nitro Enclaves
 

src/crypto/kms.rs

@@ -7,11 +7,7 @@ use openssl::{
 };
 
 use aws_sdk_kms::{
-    error::{VerifyError, VerifyErrorKind},
-    model::{MessageType, SigningAlgorithmSpec},
-    types::Blob,
-    types::SdkError,
-    Client,
+    error::SdkError, primitives::Blob, types::MessageType, types::SigningAlgorithmSpec, Client,
 };
 
 use crate::{
@@ -166,14 +162,9 @@ impl SigningPublicKey for KmsKey {
 
             match reply {
                 Ok(v) => Ok(v.signature_valid),
-                Err(SdkError::ServiceError {
-                    err:
-                        VerifyError {
-                            kind: VerifyErrorKind::KmsInvalidSignatureException(_),
-                            ..
-                        },
-                    ..
-                }) => Ok(false),
+                Err(SdkError::ServiceError(e)) if e.err().is_kms_invalid_signature_exception() => {
+                    Ok(false)
+                }
                 Err(e) => Err(CoseError::AwsVerifyError(e)),
             }
         }

src/error.rs

@@ -5,6 +5,12 @@ use std::fmt;
 
 use serde_cbor::Error as CborError;
 
+#[cfg(feature = "key_kms")]
+use aws_sdk_kms::{
+    error::SdkError, operation::get_public_key::GetPublicKeyError, operation::sign::SignError,
+    operation::verify::VerifyError,
+};
+
 #[derive(Debug)]
 /// Aggregation of all error types returned by this library
 pub enum CoseError {
@@ -35,13 +41,13 @@ pub enum CoseError {
     TpmError(tss_esapi::Error),
     /// AWS sign error occured
     #[cfg(feature = "key_kms")]
-    AwsSignError(aws_sdk_kms::types::SdkError<aws_sdk_kms::error::SignError>),
+    AwsSignError(SdkError<SignError>),
     /// AWS verify error occured
     #[cfg(feature = "key_kms")]
-    AwsVerifyError(aws_sdk_kms::types::SdkError<aws_sdk_kms::error::VerifyError>),
+    AwsVerifyError(SdkError<VerifyError>),
     /// AWS GetPublicKey error occured
     #[cfg(all(feature = "key_kms", feature = "key_openssl_pkey"))]
-    AwsGetPublicKeyError(aws_sdk_kms::types::SdkError<aws_sdk_kms::error::GetPublicKeyError>),
+    AwsGetPublicKeyError(SdkError<GetPublicKeyError>),
 }
 
 impl fmt::Display for CoseError {