Update ring to 0.17
This updates the ring dependency to the 0.17.x releases. This also
required updating untrusted to 0.9 due to some public interface usage in
ring.

These updates also change some other function signatures, so minor
tweaks were needed in calling code.

Signed-off-by: Sean McGinnis <[email protected]>
stmcginnis committed Nov 15, 2023
1 parent 6514cbe commit f0085ea
Showing 6 changed files with 33 additions and 17 deletions.
8 changes: 4 additions & 4 deletions Cargo.lock


2 changes: 1 addition & 1 deletion tough-kms/Cargo.toml
Expand Up @@ -16,7 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]

[dependencies]
tough = { version = "0.15", path = "../tough", features = ["http"] }
ring = { version = "0.16", features = ["std"] }
ring = { version = "0.17", features = ["std"] }
aws-sdk-kms = "0.28"
aws-config = "0.55"
snafu = { version = "0.7", features = ["backtraces-impl-backtrace-crate"] }
4 changes: 2 additions & 2 deletions tough/Cargo.toml
Expand Up @@ -23,7 +23,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
pem = "3"
percent-encoding = "2"
reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
ring = { version = "0.16", features = ["std"] }
ring = { version = "0.17", features = ["std"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
serde_plain = "1"
Expand All @@ -32,7 +32,7 @@ tempfile = "3"
tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "time"] }
tokio-util = { version = "0.7", features = ["io"] }
typed-path = "0.7"
untrusted = "0.7"
untrusted = "0.9"
url = "2"
walkdir = "2"

22 changes: 18 additions & 4 deletions tough/src/schema/spki.rs
Expand Up @@ -20,6 +20,7 @@
use super::error::{self, Compat, Result};
use ring::io::der;
use snafu::{OptionExt, ResultExt};
use untrusted::Input;

pub(super) static OID_RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113_549, 1, 1, 1];
pub(super) static OID_EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10_045, 2, 1];
Expand Down Expand Up @@ -67,14 +68,27 @@ pub(super) fn decode(
der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(
|alg_ident| {
alg_ident.read_all(ring::error::Unspecified, |input| {
if der::expect_tag_and_get_value(input, der::Tag::OID)?
!= untrusted::Input::from(&asn1_encode_oid(algorithm_oid))
let expected_tag_value =
der::expect_tag_and_get_value(input, der::Tag::OID)?;

let asn1_encode = asn1_encode_oid(algorithm_oid);
let algo_encode_oid: Input<'_> =
untrusted::Input::from(&asn1_encode);

// Note: we use "less safe" here but this is OK. With the way we are using the `Input`,
// we don't need to be concerned about it being too large or being parsed multiple times.
if expected_tag_value.as_slice_less_safe()
!= algo_encode_oid.as_slice_less_safe()
{
return Err(ring::error::Unspecified);
}

if let Some(parameters_oid) = parameters_oid {
if der::expect_tag_and_get_value(input, der::Tag::OID)?
!= untrusted::Input::from(&asn1_encode_oid(parameters_oid))
let asn1_encode = asn1_encode_oid(parameters_oid);
let param_encode_oid: Input<'_> =
untrusted::Input::from(&asn1_encode);
if expected_tag_value.as_slice_less_safe()
!= param_encode_oid.as_slice_less_safe()
{
return Err(ring::error::Unspecified);
}
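Review bot: The parameters check inside `if let Some(parameters_oid)` compares `expected_tag_value`, which is the algorithm OID already read from the input, against the encoded parameters OID, whereas the old lines read a second element with `der::expect_tag_and_get_value(input, der::Tag::OID)?`. As written the same bytes must equal both encodings, so decoding looks set to fail closed whenever a parameters OID is supplied and differs from the algorithm OID, and the parameters (curve) OID in the input is never read or checked. Read the next element before comparing: `let params_value = der::expect_tag_and_get_value(input, der::Tag::OID)?;` followed by `if params_value.as_slice_less_safe() != param_encode_oid.as_slice_less_safe()`. The name `expected_tag_value` also holds the parsed value rather than the expected one, so a name such as `parsed_oid` would read better. The closure and `decode` continue outside the hunk, so a test that decodes an EC public key would confirm the effect on the rest of the parse.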
12 changes: 7 additions & 5 deletions tough/src/sign.rs
Expand Up @@ -9,7 +9,7 @@ use crate::sign::SignKeyPair::ECDSA;
use crate::sign::SignKeyPair::ED25519;
use crate::sign::SignKeyPair::RSA;
use async_trait::async_trait;
use ring::rand::SecureRandom;
use ring::rand::{self, SecureRandom};
use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
use snafu::ResultExt;
use std::collections::HashMap;
Expand Down Expand Up @@ -93,7 +93,7 @@ impl Sign for RsaKeyPair {
msg: &[u8],
rng: &(dyn SecureRandom + Sync),
) -> std::result::Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>> {
let mut signature = vec![0; self.public_modulus_len()];
let mut signature = vec![0; self.public().modulus_len()];
self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature)
.context(error::SignSnafu)?;
Ok(signature)
Expand Down Expand Up @@ -167,9 +167,11 @@ impl Sign for SignKeyPair {
pub fn parse_keypair(key: &[u8]) -> Result<impl Sign> {
if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) {
Ok(SignKeyPair::ED25519(ed25519_key_pair))
} else if let Ok(ecdsa_key_pair) =
EcdsaKeyPair::from_pkcs8(&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key)
{
} else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8(
&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
key,
&rand::SystemRandom::new(),
) {
Ok(SignKeyPair::ECDSA(ecdsa_key_pair))
} else if let Ok(pem) = pem::parse(key) {
match pem.tag() {
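Review bot: In `parse_keypair`, the new `&rand::SystemRandom::new()` argument is built inline with no comment on why key parsing now needs a random source, while `Sign::sign` in the same file takes its RNG from the caller. A one-line comment above the call would help, for example `// ring 0.17: EcdsaKeyPair::from_pkcs8 requires a SecureRandom; use the OS-backed SystemRandom`. Because the branch is `if let Ok(..)`, any error from this call is discarded and parsing falls through to the PEM path, so it is worth confirming that this is still the intended behaviour now that the call has an extra input. `parse_keypair` continues past the end of the hunk.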
2 changes: 1 addition & 1 deletion tuftool/Cargo.toml
Expand Up @@ -29,7 +29,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
pem = "3"
rayon = "1"
reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
ring = { version = "0.16", features = ["std"] }
ring = { version = "0.17", features = ["std"] }
serde = "1"
serde_json = "1"
simplelog = "0.12"
