From cd526a6f00653f95c2aa1a7e737ec31d0ffaed62 Mon Sep 17 00:00:00 2001 From: Jiaqi Gao Date: Fri, 6 Sep 2024 00:30:25 -0400 Subject: [PATCH] bump `der` to latest version To remove the use of unmaintained crate `proc-macro-error`. Signed-off-by: Jiaqi Gao --- Cargo.lock | 48 +--- src/attestation/Cargo.toml | 2 +- src/attestation/src/attest.rs | 18 +- src/attestation/src/root_ca.rs | 3 +- src/crypto/Cargo.toml | 2 +- src/crypto/fuzz/Cargo.toml | 2 +- src/crypto/fuzz/fuzz_targets/fuzzlib.rs | 2 +- src/crypto/src/x509.rs | 317 +++++------------------- src/migtd/src/ratls/mod.rs | 26 +- src/migtd/src/ratls/server_client.rs | 17 +- 10 files changed, 115 insertions(+), 322 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index aa836bbd..dfbe8520 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -93,7 +93,7 @@ name = "attestation" version = "0.1.0" dependencies = [ "crypto", - "der 0.5.1", + "der 0.7.9", "policy", "spin 0.9.8", "td-payload", @@ -252,9 +252,9 @@ checksum = "9d6f2aa4d0537bcc1c74df8755072bd31c1ef1a3a1b85a68e8404a8c353b7b8b" [[package]] name = "const-oid" -version = "0.7.1" +version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" [[package]] name = "cpufeatures" @@ -270,7 +270,7 @@ name = "crypto" version = "0.1.0" dependencies = [ "cfg-if", - "der 0.5.1", + "der 0.7.9", "ring", "rust_std_stub", "rustls", @@ -331,12 +331,13 @@ dependencies = [ [[package]] name = "der" -version = "0.5.1" +version = "0.7.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c" +checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0" dependencies = [ - "const-oid 0.7.1", - "der_derive 0.5.0", + "const-oid 0.9.6", + "der_derive 0.7.3", + "zeroize", ] [[package]] @@ -353,14 +354,13 @@ dependencies = [ [[package]] name = "der_derive" -version = "0.5.0" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a538f3d2b39aefb242d2d9d91cf188818652b7b40095dcd8964d389bdb984ff" +checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18" dependencies = [ - "proc-macro-error", "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.38", ] [[package]] @@ -707,30 +707,6 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" -[[package]] -name = "proc-macro-error" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c" -dependencies = [ - "proc-macro-error-attr", - "proc-macro2", - "quote", - "syn 1.0.109", - "version_check", -] - -[[package]] -name = "proc-macro-error-attr" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869" -dependencies = [ - "proc-macro2", - "quote", - "version_check", -] - [[package]] name = "proc-macro2" version = "1.0.69" diff --git a/src/attestation/Cargo.toml b/src/attestation/Cargo.toml index f9984a58..e855aef7 100644 --- a/src/attestation/Cargo.toml +++ b/src/attestation/Cargo.toml @@ -7,7 +7,7 @@ edition = "2021" [dependencies] crypto = { path = "../crypto" } -der = { version = "0.5.1", features = ["oid", "alloc", "derive"] } +der = { version = "0.7.9", features = ["oid", "alloc", "derive"] } policy = {path = "../policy"} spin = "0.9.2" tdx-tdcall = { path = "../../deps/td-shim/tdx-tdcall"} diff --git a/src/attestation/src/attest.rs b/src/attestation/src/attest.rs index 224f920e..184635fc 100644 --- a/src/attestation/src/attest.rs +++ b/src/attestation/src/attest.rs @@ -8,8 +8,10 @@ use crate::{ }; use alloc::{string::String, vec, vec::Vec}; use core::{alloc::Layout, ffi::c_void, ops::Range}; -use crypto::x509; -use der::{asn1::ObjectIdentifier, Any, Decodable, Decoder}; +use crypto::{ + x509, + x509::{Decode, ObjectIdentifier, OctetStringRef, Reader}, +}; use tdx_tdcall::tdreport::*; const TD_QUOTE_SIZE: usize = 0x2000; @@ -101,11 +103,11 @@ pub fn get_fmspc_from_quote(quote: &[u8]) -> Result<[u8; 6], Error> { #[derive(Clone, Copy, Debug, Eq, PartialEq)] pub struct InnerValue<'a> { pub id: ObjectIdentifier, - pub value: Option>, + pub value: Option>, } -impl<'a> Decodable<'a> for InnerValue<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { +impl<'a> Decode<'a> for InnerValue<'a> { + fn decode>(decoder: &mut R) -> der::Result { decoder.sequence(|decoder| { let id = decoder.decode()?; let value = decoder.decode()?; @@ -117,8 +119,8 @@ impl<'a> Decodable<'a> for InnerValue<'a> { fn parse_fmspc_from_pck_cert(pck_der: &[u8]) -> Result<[u8; 6], Error> { const PCK_FMSPC_EXTENSION_OID: ObjectIdentifier = - ObjectIdentifier::new("1.2.840.113741.1.13.1"); - const PCK_FMSPC_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.113741.1.13.1.4"); + ObjectIdentifier::new_unwrap("1.2.840.113741.1.13.1"); + const PCK_FMSPC_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113741.1.13.1.4"); let x509 = x509::Certificate::from_der(pck_der).map_err(|_| Error::InvalidQuote)?; let extensions = x509.tbs_certificate.extensions.ok_or(Error::InvalidQuote)?; @@ -132,8 +134,6 @@ fn parse_fmspc_from_pck_cert(pck_der: &[u8]) -> Result<[u8; 6], Error> { return val .value .ok_or(Error::InvalidQuote)? - .octet_string() - .map_err(|_| Error::InvalidQuote)? .as_bytes() .try_into() .map_err(|_| Error::InvalidQuote); diff --git a/src/attestation/src/root_ca.rs b/src/attestation/src/root_ca.rs index 5a3451ab..5b635494 100644 --- a/src/attestation/src/root_ca.rs +++ b/src/attestation/src/root_ca.rs @@ -2,8 +2,7 @@ // // SPDX-License-Identifier: BSD-2-Clause-Patent -use crypto::x509::Certificate; -use der::Decodable; +use crypto::x509::{Certificate, Decode}; use spin::Once; use crate::Error; diff --git a/src/crypto/Cargo.toml b/src/crypto/Cargo.toml index 4daac36d..d4c0b226 100644 --- a/src/crypto/Cargo.toml +++ b/src/crypto/Cargo.toml @@ -6,7 +6,7 @@ edition = "2021" [dependencies] cfg-if = "1.0" -der = {version = "0.5.1", features = ["oid", "alloc", "derive"]} +der = {version = "0.7.9", features = ["oid", "alloc", "derive"]} pki-types = { package = "rustls-pki-types", version = "1" } rust_std_stub = { path = "../std-support/rust-std-stub" } rustls = { path = "../../deps/rustls/rustls", default-features = false, features = ["no_std"], optional = true } diff --git a/src/crypto/fuzz/Cargo.toml b/src/crypto/fuzz/Cargo.toml index b4c584b7..0001da74 100644 --- a/src/crypto/fuzz/Cargo.toml +++ b/src/crypto/fuzz/Cargo.toml @@ -12,7 +12,7 @@ cargo-fuzz = true libfuzzer-sys = { version = "0.4", optional = true } afl = { version = "*", optional = true } arbitrary = "=1.1.3" -der = { version = "0.5.1", features = ["oid", "alloc"] } +der = { version = "0.7.9", features = ["oid", "alloc"] } serde = "=1.0.198" [dependencies.crypto] diff --git a/src/crypto/fuzz/fuzz_targets/fuzzlib.rs b/src/crypto/fuzz/fuzz_targets/fuzzlib.rs index 5c1bc370..6b7c6fad 100644 --- a/src/crypto/fuzz/fuzz_targets/fuzzlib.rs +++ b/src/crypto/fuzz/fuzz_targets/fuzzlib.rs @@ -3,7 +3,7 @@ // SPDX-License-Identifier: BSD-2-Clause-Patent use crypto::x509; -use der::{Decodable, Error}; +use der::{Decode, Error}; pub fn fuzz_x509(data: &[u8]) -> core::result::Result { x509::Certificate::from_der(data) diff --git a/src/crypto/src/x509.rs b/src/crypto/src/x509.rs index 908f3987..bbd75390 100644 --- a/src/crypto/src/x509.rs +++ b/src/crypto/src/x509.rs @@ -5,13 +5,14 @@ use alloc::vec::Vec; use core::convert::{TryFrom, TryInto}; pub use der::asn1::{ - Any, BitString, GeneralizedTime, ObjectIdentifier, OctetString, PrintableString, SequenceOf, - SetOfVec, UIntBytes, UtcTime, Utf8String, + AnyRef, BitStringRef, GeneralizedTime, ObjectIdentifier, OctetString, OctetStringRef, + PrintableString, PrintableStringRef, SequenceOf, SetOfVec, UintRef, UtcTime, Utf8StringRef, }; pub use der::{ - Choice, Decodable, Decoder, DerOrd, Encodable, Error as DerError, Header, Sequence, Tag, - TagNumber, Tagged, + Choice, Decode, DerOrd, Encode, Error as DerError, Header, Reader, Sequence, Tag, TagNumber, + Tagged, }; +use der::{ErrorKind, TagMode}; pub struct CertificateBuilder<'a>(Certificate<'a>); @@ -43,7 +44,7 @@ impl<'a> CertificateBuilder<'a> { ) -> Result { let subject_public_key_info = SubjectPublicKeyInfo { algorithm, - subject_public_key: BitString::new(0, public_key)?, + subject_public_key: BitStringRef::new(0, public_key)?, }; self.0.tbs_certificate.subject_public_key_info = subject_public_key_info; Ok(self) @@ -64,9 +65,9 @@ impl<'a> CertificateBuilder<'a> { signature: &'a mut Vec, mut signer: impl FnMut(&[u8], &mut Vec), ) -> Result { - let tbs = self.0.tbs_certificate.to_vec()?; + let tbs = self.0.tbs_certificate.to_der()?; signer(tbs.as_slice(), signature); - self.0.signature_value = BitString::new(0, signature)?; + self.0.signature_value = BitStringRef::new(0, signature)?; Ok(self) } @@ -80,11 +81,11 @@ impl<'a> CertificateBuilder<'a> { // tbsCertificate TBSCertificate, // signatureAlgorithm AlgorithmIdentifier, // signatureValue BIT STRING } -#[derive(Clone)] +#[derive(Clone, Sequence)] pub struct Certificate<'a> { pub tbs_certificate: TBSCertificate<'a>, pub signature_algorithm: AlgorithmIdentifier<'a>, - pub signature_value: BitString<'a>, + pub signature_value: BitStringRef<'a>, } impl<'a> Certificate<'a> { @@ -93,23 +94,23 @@ impl<'a> Certificate<'a> { algorithm: AlgorithmIdentifier<'a>, public_key: &'a [u8], ) -> Result { - let version = Version(UIntBytes::new(&[2])?); - let serial_number = UIntBytes::new(&[1])?; + let version = Version(UintRef::new(&[2])?); + let serial_number = UintRef::new(&[1])?; let mut country_name = SetOfVec::new(); - country_name.add(DistinguishedName { - attribute_type: ObjectIdentifier::new("2.5.4.6"), - value: PrintableString::new("XX")?.into(), + country_name.insert(DistinguishedName { + attribute_type: ObjectIdentifier::new("2.5.4.6")?, + value: PrintableStringRef::new("XX")?.into(), })?; let mut locality_name = SetOfVec::new(); - locality_name.add(DistinguishedName { - attribute_type: ObjectIdentifier::new("2.5.4.7"), - value: Utf8String::new("Default City")?.into(), + locality_name.insert(DistinguishedName { + attribute_type: ObjectIdentifier::new("2.5.4.7")?, + value: Utf8StringRef::new("Default City")?.into(), })?; let mut organization_name = SetOfVec::new(); - organization_name.add(DistinguishedName { - attribute_type: ObjectIdentifier::new("2.5.4.10"), - value: Utf8String::new("Default Company Ltd")?.into(), + organization_name.insert(DistinguishedName { + attribute_type: ObjectIdentifier::new("2.5.4.10")?, + value: Utf8StringRef::new("Default Company Ltd")?.into(), })?; let issuer = vec![country_name, locality_name, organization_name]; @@ -127,7 +128,7 @@ impl<'a> Certificate<'a> { let subject_public_key_info = SubjectPublicKeyInfo { algorithm, - subject_public_key: BitString::new(0, public_key)?, + subject_public_key: BitStringRef::new(0, public_key)?, }; let tbs_certificate = TBSCertificate { @@ -143,7 +144,7 @@ impl<'a> Certificate<'a> { extensions: None, }; - let signature_value = BitString::new(0, &[])?; + let signature_value = BitStringRef::new(0, &[])?; Ok(Certificate { tbs_certificate, @@ -157,40 +158,11 @@ impl<'a> Certificate<'a> { } pub fn set_signature(&mut self, signature: &'a [u8]) -> Result<(), DerError> { - self.signature_value = BitString::new(0, signature)?; + self.signature_value = BitStringRef::new(0, signature)?; Ok(()) } } -impl<'a> Decodable<'a> for Certificate<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - decoder.sequence(|decoder| { - let tbs_certificate = decoder.decode()?; - let signature_algorithm = decoder.decode()?; - let signature_value = decoder.decode()?; - - Ok(Self { - tbs_certificate, - signature_algorithm, - signature_value, - }) - }) - } -} - -impl<'a> Sequence<'a> for Certificate<'a> { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[ - &self.tbs_certificate, - &self.signature_algorithm, - &self.signature_value, - ]) - } -} - // https://datatracker.ietf.org/doc/html/rfc5280#section-4.1 // TBSCertificate ::= SEQUENCE { // version [0] EXPLICIT Version DEFAULT v1, @@ -207,10 +179,10 @@ impl<'a> Sequence<'a> for Certificate<'a> { // extensions [3] EXPLICIT Extensions OPTIONAL // -- If present, version MUST be v3 // } -#[derive(Clone)] +#[derive(Clone, Sequence)] pub struct TBSCertificate<'a> { pub version: Version<'a>, - pub serial_number: UIntBytes<'a>, // ASN.1 INTEGER + pub serial_number: UintRef<'a>, // ASN.1 INTEGER pub signature: AlgorithmIdentifier<'a>, pub issuer: Vec>>, pub validity: Validity, @@ -221,65 +193,21 @@ pub struct TBSCertificate<'a> { pub extensions: Option>, } -impl<'a> Decodable<'a> for TBSCertificate<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - decoder.sequence(|decoder| { - let version = decoder.decode()?; - let serial_number = decoder.decode()?; - let signature = decoder.decode()?; - let issuer = decoder.decode()?; - let validity = decoder.decode()?; - let subject = decoder.decode()?; - let subject_public_key_info = decoder.decode()?; - let issuer_unique_id = decoder.decode()?; - let subject_unique_id = decoder.decode()?; - let extensions = decoder.decode()?; - - Ok(Self { - version, - serial_number, - signature, - issuer, - validity, - subject, - subject_public_key_info, - extensions, - issuer_unique_id, - subject_unique_id, - }) - }) - } -} - -impl<'a> Sequence<'a> for TBSCertificate<'a> { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[ - &self.version, - &self.serial_number, - &self.signature, - &self.issuer, - &self.validity, - &self.subject, - &self.subject_public_key_info, - &self.extensions, - ]) - } -} - #[derive(Clone, Debug, Eq, PartialEq)] -pub struct Version<'a>(UIntBytes<'a>); +pub struct Version<'a>(UintRef<'a>); -impl<'a> Decodable<'a> for Version<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - let res = decoder.any()?; - Ok(Self(UIntBytes::from_der(res.value())?)) +impl<'a> Decode<'a> for Version<'a> { + fn decode>(decoder: &mut R) -> der::Result { + // let res = decoder.any()?; + let v = decoder + .context_specific(TagNumber::new(0), TagMode::Explicit)? + .ok_or(der::Error::new(ErrorKind::Failed, decoder.position()))?; + // let v = decoder.decode()?; + Ok(Self(v)) } } -impl<'a> Encodable for Version<'a> { +impl<'a> Encode for Version<'a> { fn encoded_len(&self) -> der::Result { let len = self.0.encoded_len()?; let explicit = Header::new( @@ -292,7 +220,7 @@ impl<'a> Encodable for Version<'a> { explicit.encoded_len() + len } - fn encode(&self, encoder: &mut der::Encoder<'_>) -> der::Result<()> { + fn encode(&self, encoder: &mut impl der::Writer) -> der::Result<()> { let len = self.0.encoded_len()?; let explicit = Header::new( der::Tag::ContextSpecific { @@ -324,40 +252,17 @@ impl<'a> Choice<'a> for Version<'a> { } } -#[derive(Clone, Copy, Debug, Eq, PartialEq)] +#[derive(Clone, Copy, Debug, Eq, PartialEq, Sequence)] pub struct AlgorithmIdentifier<'a> { pub algorithm: ObjectIdentifier, - pub parameters: Option>, -} - -impl<'a> Decodable<'a> for AlgorithmIdentifier<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - decoder.sequence(|decoder| { - let algorithm = decoder.decode()?; - let parameters = decoder.decode()?; - - Ok(Self { - algorithm, - parameters, - }) - }) - } -} - -impl<'a> Sequence<'a> for AlgorithmIdentifier<'a> { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[&self.algorithm, &self.parameters]) - } + pub parameters: Option>, } #[allow(non_snake_case)] -#[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord)] +#[derive(Clone, Copy, Debug, Eq, PartialEq, PartialOrd, Ord, Sequence)] pub struct DistinguishedName<'a> { attribute_type: ObjectIdentifier, - value: Any<'a>, + value: AnyRef<'a>, } impl<'a> DerOrd for DistinguishedName<'a> { @@ -366,29 +271,6 @@ impl<'a> DerOrd for DistinguishedName<'a> { } } -impl<'a> Decodable<'a> for DistinguishedName<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - decoder.sequence(|decoder| { - let attribute_type = decoder.decode()?; - let value = decoder.decode()?; - - Ok(Self { - attribute_type, - value, - }) - }) - } -} - -impl<'a> Sequence<'a> for DistinguishedName<'a> { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[&self.attribute_type, &self.value]) - } -} - #[derive(Choice, Copy, Clone, Debug, Eq, PartialEq)] pub enum Time { #[asn1(type = "UTCTime")] @@ -409,77 +291,33 @@ impl From for Time { } } -#[derive(Clone, Debug, Eq, PartialEq)] +#[derive(Clone, Debug, Eq, PartialEq, Sequence)] pub struct Validity { not_before: Time, not_after: Time, } -impl Decodable<'_> for Validity { - fn decode(decoder: &mut Decoder) -> der::Result { - decoder.sequence(|decoder| { - let not_before = decoder.decode()?; - let not_after = decoder.decode()?; - - Ok(Self { - not_before, - not_after, - }) - }) - } -} - -impl Sequence<'_> for Validity { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[&self.not_before, &self.not_after]) - } -} - -#[derive(Clone, Copy, Debug, Eq, PartialEq)] +#[derive(Clone, Copy, Debug, Eq, PartialEq, Sequence)] pub struct SubjectPublicKeyInfo<'a> { pub algorithm: AlgorithmIdentifier<'a>, - pub subject_public_key: BitString<'a>, -} - -#[allow(non_snake_case)] -impl<'a> Decodable<'a> for SubjectPublicKeyInfo<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - decoder.sequence(|decoder| { - let algorithm = decoder.decode()?; - let subject_public_key = decoder.decode()?; - - Ok(Self { - algorithm, - subject_public_key, - }) - }) - } -} - -impl<'a> Sequence<'a> for SubjectPublicKeyInfo<'a> { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[&self.algorithm, &self.subject_public_key]) - } + pub subject_public_key: BitStringRef<'a>, } #[derive(Clone)] -pub struct UniqueIdentifier<'a, const N: u8>(BitString<'a>); +pub struct UniqueIdentifier<'a, const N: u8>(BitStringRef<'a>); -impl<'a, const N: u8> Decodable<'a> for UniqueIdentifier<'a, N> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - let res = decoder.any()?; - let uid = BitString::from_der(res.value())?; - Ok(Self(uid)) +impl<'a, const N: u8> Decode<'a> for UniqueIdentifier<'a, N> { + fn decode>(decoder: &mut R) -> der::Result { + let id = decoder + .context_specific(TagNumber::new(N), TagMode::Explicit)? + .ok_or(der::Error::new(ErrorKind::Failed, decoder.position()))?; + // let id = decoder.decode()?; + // let uid = BitStringRef::from_der(res.value())?; + Ok(Self(id)) } } -impl<'a, const N: u8> Encodable for UniqueIdentifier<'a, N> { +impl<'a, const N: u8> Encode for UniqueIdentifier<'a, N> { fn encoded_len(&self) -> der::Result { let len = self.0.encoded_len()?; let explicit = Header::new( @@ -492,7 +330,7 @@ impl<'a, const N: u8> Encodable for UniqueIdentifier<'a, N> { explicit.encoded_len() + len } - fn encode(&self, encoder: &mut der::Encoder<'_>) -> der::Result<()> { + fn encode(&self, encoder: &mut impl der::Writer) -> der::Result<()> { let len = self.0.encoded_len()?; let explicit = Header::new( Tag::ContextSpecific { @@ -533,14 +371,16 @@ impl<'a> Extensions<'a> { } } -impl<'a> Decodable<'a> for Extensions<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - let res = decoder.any()?; - Ok(Self(Vec::from_der(res.value())?)) +impl<'a> Decode<'a> for Extensions<'a> { + fn decode>(decoder: &mut R) -> der::Result { + let ext = decoder + .context_specific(TagNumber::new(3), TagMode::Explicit)? + .ok_or(der::Error::new(ErrorKind::Failed, decoder.position()))?; + Ok(Self(ext)) } } -impl<'a> Encodable for Extensions<'a> { +impl<'a> Encode for Extensions<'a> { fn encoded_len(&self) -> der::Result { let len = self.0.encoded_len()?; let explicit = Header::new( @@ -553,7 +393,7 @@ impl<'a> Encodable for Extensions<'a> { explicit.encoded_len() + len } - fn encode(&self, encoder: &mut der::Encoder<'_>) -> der::Result<()> { + fn encode(&self, encoder: &mut impl der::Writer) -> der::Result<()> { let len = self.0.encoded_len()?; let explicit = Header::new( Tag::ContextSpecific { @@ -585,11 +425,11 @@ impl<'a> Choice<'a> for Extensions<'a> { } } -#[derive(Clone, Copy, Debug, Eq, PartialEq)] +#[derive(Clone, Copy, Debug, Eq, PartialEq, Sequence)] pub struct Extension<'a> { pub extn_id: ObjectIdentifier, pub critical: Option, // ASN.1 BOOLEAN. - pub extn_value: Option>, + pub extn_value: Option>, } impl<'a> Extension<'a> { @@ -599,7 +439,7 @@ impl<'a> Extension<'a> { extn_value: Option<&'a [u8]>, ) -> Result { let extn_value = if let Some(extn_value) = extn_value { - Some(OctetString::new(extn_value)?) + Some(OctetStringRef::new(extn_value)?) } else { None }; @@ -612,29 +452,4 @@ impl<'a> Extension<'a> { } } -impl<'a> Decodable<'a> for Extension<'a> { - fn decode(decoder: &mut Decoder<'a>) -> der::Result { - decoder.sequence(|decoder| { - let extn_id = decoder.decode()?; - let critical = decoder.decode()?; - let extn_value = decoder.decode()?; - - Ok(Self { - extn_id, - critical, - extn_value, - }) - }) - } -} - -impl<'a> Sequence<'a> for Extension<'a> { - fn fields(&self, field_encoder: F) -> der::Result - where - F: FnOnce(&[&dyn Encodable]) -> der::Result, - { - field_encoder(&[&self.extn_id, &self.critical, &self.extn_value]) - } -} - pub type ExtendedKeyUsage = Vec; diff --git a/src/migtd/src/ratls/mod.rs b/src/migtd/src/ratls/mod.rs index b8f6d792..7f9cd875 100644 --- a/src/migtd/src/ratls/mod.rs +++ b/src/migtd/src/ratls/mod.rs @@ -40,30 +40,30 @@ impl From for RatlsError { } } -pub const BASIC_CONSTRAINTS: ObjectIdentifier = ObjectIdentifier::new("2.5.29.19"); -pub const SUBJECT_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new("2.5.29.14"); -pub const AUTHORITY_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new("2.5.29.35"); -pub const EXTENDED_KEY_USAGE: ObjectIdentifier = ObjectIdentifier::new("2.5.29.37"); +pub const BASIC_CONSTRAINTS: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.19"); +pub const SUBJECT_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.14"); +pub const AUTHORITY_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.35"); +pub const EXTENDED_KEY_USAGE: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.37"); pub const MIGTD_EXTENDED_KEY_USAGE: ObjectIdentifier = - ObjectIdentifier::new("1.2.840.113741.1.5.5.1.1"); + ObjectIdentifier::new_unwrap("1.2.840.113741.1.5.5.1.1"); pub const EXTNID_MIGTD_QUOTE_REPORT: ObjectIdentifier = - ObjectIdentifier::new("1.2.840.113741.1.5.5.1.2"); + ObjectIdentifier::new_unwrap("1.2.840.113741.1.5.5.1.2"); pub const EXTNID_MIGTD_EVENT_LOG: ObjectIdentifier = - ObjectIdentifier::new("1.2.840.113741.1.5.5.1.3"); + ObjectIdentifier::new_unwrap("1.2.840.113741.1.5.5.1.3"); // As specified in https://datatracker.ietf.org/doc/html/rfc5480#appendix-A // id-ecPublicKey OBJECT IDENTIFIER ::= { // iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 // } -pub const ID_EC_PUBKEY_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.10045.2.1"); +pub const ID_EC_PUBKEY_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.2.1"); // secp384r1 OBJECT IDENTIFIER ::= { // iso(1) identified-organization(3) certicom(132) curve(0) 34 // } -pub const SECP384R1_OID: ObjectIdentifier = ObjectIdentifier::new("1.3.132.0.34"); -pub const KEY_USAGE_EXTENSION: ObjectIdentifier = ObjectIdentifier::new("2.5.29.15"); -pub const SERVER_AUTH: ObjectIdentifier = ObjectIdentifier::new("1.3.6.1.5.5.7.3.1"); -pub const CLIENT_AUTH: ObjectIdentifier = ObjectIdentifier::new("1.3.6.1.5.5.7.3.2"); -pub const ID_EC_SIG_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.10045.4.3.3"); +pub const SECP384R1_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.132.0.34"); +pub const KEY_USAGE_EXTENSION: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.15"); +pub const SERVER_AUTH: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.3.1"); +pub const CLIENT_AUTH: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.3.2"); +pub const ID_EC_SIG_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.4.3.3"); pub const MIG_POLICY_UNSATISFIED_ERROR: &str = "PolicyUnsatisfiedError"; pub const INVALID_MIG_POLICY_ERROR: &str = "InvalidPolicyError"; diff --git a/src/migtd/src/ratls/server_client.rs b/src/migtd/src/ratls/server_client.rs index 398bc315..f66fd0e5 100644 --- a/src/migtd/src/ratls/server_client.rs +++ b/src/migtd/src/ratls/server_client.rs @@ -8,7 +8,7 @@ use crypto::{ hash::digest_sha384, tls::{SecureChannel, TlsConfig}, x509::{ - AlgorithmIdentifier, Any, BitString, Certificate, CertificateBuilder, Decodable, Encodable, + AlgorithmIdentifier, AnyRef, BitStringRef, Certificate, CertificateBuilder, Decode, Encode, ExtendedKeyUsage, Extension, Extensions, Tag, }, Error as CryptoError, Result as CryptoResult, @@ -47,16 +47,19 @@ pub fn client(stream: T) -> Result> { fn gen_cert(signing_key: &EcdsaPk) -> Result<(Vec, Vec)> { let algorithm = AlgorithmIdentifier { algorithm: ID_EC_PUBKEY_OID, - parameters: Some(Any::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes())?), + parameters: Some(AnyRef::new( + Tag::ObjectIdentifier, + SECP384R1_OID.as_bytes(), + )?), }; - let eku = vec![SERVER_AUTH, CLIENT_AUTH, MIGTD_EXTENDED_KEY_USAGE].to_vec()?; + let eku = vec![SERVER_AUTH, CLIENT_AUTH, MIGTD_EXTENDED_KEY_USAGE].to_der()?; let pub_key = signing_key.public_key()?; let sig_alg = AlgorithmIdentifier { algorithm: ID_EC_SIG_OID, parameters: None, }; - let key_usage = BitString::from_bytes(&[0x80])?.to_vec()?; + let key_usage = BitStringRef::from_bytes(&[0x80])?.to_der()?; let quote = gen_quote(&pub_key)?; let event_log = get_event_log().ok_or(RatlsError::InvalidEventlog)?; let mut x509_certificate = CertificateBuilder::new(sig_alg, algorithm, &pub_key)? @@ -85,11 +88,11 @@ fn gen_cert(signing_key: &EcdsaPk) -> Result<(Vec, Vec)> { Some(event_log), )?)? .build(); - let tbs = x509_certificate.tbs_certificate.to_vec()?; + let tbs = x509_certificate.tbs_certificate.to_der()?; let signature = signing_key.sign(&tbs)?; x509_certificate.set_signature(&signature)?; - Ok((x509_certificate.to_vec().map_err(CryptoError::from)?, quote)) + Ok((x509_certificate.to_der().map_err(CryptoError::from)?, quote)) } fn gen_quote(public_key: &[u8]) -> Result> { @@ -225,7 +228,7 @@ fn verify_signature(cert: &Certificate, verified_report: &[u8]) -> CryptoResult< .subject_public_key .as_bytes() .ok_or(CryptoError::ParseCertificate)?; - let tbs = cert.tbs_certificate.to_vec()?; + let tbs = cert.tbs_certificate.to_der()?; let signature = cert .signature_value .as_bytes()