chore: refactor crypto, attestation into crates

Signed-off-by: Richard Zak <[email protected]>
enarx · Oct 20, 2022 · 4d219ba · 4d219ba
1 parent b8c4dd0
commit 4d219ba
Show file tree

Hide file tree

Showing 29 changed files with 178 additions and 98 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,21 +10,12 @@ license = "AGPL-3.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-const-oid = { version = "0.9.0", features = ["db"], default-features = false }
+attestation_validation = { path = "crates/attestation_validation" }
+cryptography = { path = "crates/cryptography" }
 der = { version = "0.6", features = ["std"], default-features = false }
-sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
-spki = { version = "0.6", default-features = false }
-x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
-rustls-pemfile = {version = "0.3.0", default-features = false }
-sha2 = { version = "^0.10.2", default-features = false }
 zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
 flagset = { version = "0.4.3", default-features = false}
 sgx = { version = "0.5.0", default-features = false }
-signature = {version = "1.6", default-features = false }
-rsa = {version = "0.7.0", features = ["std"], default-features = false }
-p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
-p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
-rand = { version = "0.8", features = ["std"], default-features = false }
 
 tracing-subscriber = { version="^0.3.15", features = ["env-filter", "json", "fmt"], default-features = false }
 tower-http = { version = "^0.3.0", features = ["trace"], default-features = false }
@@ -55,3 +46,10 @@ incremental = false
 codegen-units = 1
 lto = true
 strip = true
+
+[workspace]
+resolver = '2'
+members = [
+    'crates/attestation_validation',
+    'crates/cryptography',
+]
diff --git a/crates/attestation_validation/Cargo.toml b/crates/attestation_validation/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "attestation_validation"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "Attestation validation library for Steward"
+
+[dependencies]
+cryptography = { path = "../cryptography" }
+anyhow = { version = "^1.0.55", default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+flagset = { version = "0.4.3", default-features = false}
+sgx = { version = "0.5.0", default-features = false }
+
+[dev-dependencies]
+testaso = { version = "0.1", default-features = false }
diff --git a/src/ext/kvm.rs → crates/attestation_validation/src/kvm.rs b/src/ext/kvm.rs → crates/attestation_validation/src/kvm.rs
@@ -2,8 +2,8 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 
 use anyhow::{anyhow, Result};
-use const_oid::ObjectIdentifier;
-use x509::{ext::Extension, request::CertReqInfo};
+use cryptography::const_oid::ObjectIdentifier;
+use cryptography::x509::{ext::Extension, request::CertReqInfo};
 
 use super::ExtVerifier;
 

diff --git a/src/ext/mod.rs → crates/attestation_validation/src/lib.rs b/src/ext/mod.rs → crates/attestation_validation/src/lib.rs
@@ -2,8 +2,8 @@
 // SPDX-License-Identifier: AGPL-3.0-only
 
 use anyhow::Result;
-use const_oid::ObjectIdentifier;
-use x509::{ext::Extension, request::CertReqInfo};
+use cryptography::const_oid::ObjectIdentifier;
+use cryptography::x509::{ext::Extension, request::CertReqInfo};
 
 pub mod kvm;
 pub mod sgx;

diff --git a/src/ext/sgx/mod.rs → crates/attestation_validation/src/sgx/mod.rs b/src/ext/sgx/mod.rs → crates/attestation_validation/src/sgx/mod.rs
@@ -4,17 +4,17 @@
 mod quote;
 
 use super::ExtVerifier;
-use crate::crypto::*;
+use cryptography::ext::*;
 use quote::traits::ParseBytes;
 
 use std::fmt::Debug;
 
 use anyhow::{anyhow, Result};
-use const_oid::ObjectIdentifier;
+use cryptography::const_oid::ObjectIdentifier;
+use cryptography::sha2::{Digest, Sha256};
+use cryptography::x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
 use der::{Decode, Encode};
 use sgx::parameters::{Attributes, MiscSelect};
-use sha2::{Digest, Sha256};
-use x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
 
 #[derive(Clone, Debug)]
 pub struct Sgx([Certificate<'static>; 1]);
@@ -66,7 +66,7 @@ impl ExtVerifier for Sgx {
 
         // Force certs to have the same key type as the PCK.
         //
-        // A note about this check is in order. We don't want to build crypto
+        // A note about this check is in order. We don't want to build ext
         // algorithm negotiation into this protocol. Not only is it complex
         // but it is also subject to downgrade attacks. For example, if the
         // weakest link in the certificate chain is a P384 key and the

diff --git a/src/ext/sgx/quote.icelake → ...estation_validation/src/sgx/quote.icelake b/src/ext/sgx/quote.icelake → ...estation_validation/src/sgx/quote.icelake
diff --git a/src/ext/sgx/quote.unknown → ...estation_validation/src/sgx/quote.unknown b/src/ext/sgx/quote.unknown → ...estation_validation/src/sgx/quote.unknown
diff --git a/src/ext/sgx/quote/body.rs → ...estation_validation/src/sgx/quote/body.rs b/src/ext/sgx/quote/body.rs → ...estation_validation/src/sgx/quote/body.rs
diff --git a/src/ext/sgx/quote/es256.rs → ...station_validation/src/sgx/quote/es256.rs b/src/ext/sgx/quote/es256.rs → ...station_validation/src/sgx/quote/es256.rs
@@ -3,9 +3,9 @@
 
 use super::{qe::QuotingEnclave, FromBytes, ParseBytes};
 
-use std::array::TryFromSliceError;
-
+use anyhow::anyhow;
 use der::{asn1::UIntRef, Sequence};
+use std::array::TryFromSliceError;
 
 #[derive(Clone, Debug)]
 #[repr(C)]

diff --git a/src/ext/sgx/quote/mod.rs → ...testation_validation/src/sgx/quote/mod.rs b/src/ext/sgx/quote/mod.rs → ...testation_validation/src/sgx/quote/mod.rs
@@ -15,15 +15,16 @@ pub mod es256;
 pub mod qe;
 pub mod traits;
 
-use crate::crypto::TbsCertificateExt;
+use anyhow::anyhow;
 use body::Body;
+use cryptography::ext::TbsCertificateExt;
 use traits::{FromBytes, ParseBytes, Steal};
 
+use cryptography::p256::ecdsa::signature::Verifier;
+use cryptography::sha2::{digest::DynDigest, Sha256};
+use cryptography::x509::TbsCertificate;
 use der::Encode;
-use p256::ecdsa::signature::Verifier;
 use sgx::ReportBody;
-use sha2::{digest::DynDigest, Sha256};
-use x509::TbsCertificate;
 
 pub struct Quote<'a> {
     body: &'a Body,
@@ -71,7 +72,7 @@ impl<'a> Quote<'a> {
 
         // Validate the Attestation Key.
         let mut data = [0u8; 64];
-        let mut hash = <Sha256 as sha2::Digest>::new();
+        let mut hash = <Sha256 as cryptography::sha2::Digest>::new();
         hash.update(self.sign.key.as_ref());
         hash.update(self.sign.iqe.auth.as_ref());
         hash.finalize_into(&mut data[..32])?;
@@ -80,8 +81,8 @@ impl<'a> Quote<'a> {
         }
 
         // Verify the signature on the enclave report.
-        let vkey = p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
-        let sig = p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
+        let vkey = cryptography::p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
+        let sig = cryptography::p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
         vkey.verify(self.body.as_ref(), &sig)?;
 
         // Verify the PCE security version.

diff --git a/src/ext/sgx/quote/qe/auth.rs → ...ation_validation/src/sgx/quote/qe/auth.rs b/src/ext/sgx/quote/qe/auth.rs → ...ation_validation/src/sgx/quote/qe/auth.rs
diff --git a/src/ext/sgx/quote/qe/cert.rs → ...ation_validation/src/sgx/quote/qe/cert.rs b/src/ext/sgx/quote/qe/cert.rs → ...ation_validation/src/sgx/quote/qe/cert.rs
@@ -3,6 +3,8 @@
 
 use super::super::{FromBytes, ParseBytes, Steal};
 
+use anyhow::anyhow;
+
 #[derive(Clone, Debug)]
 #[non_exhaustive]
 pub enum Data {
@@ -23,7 +25,7 @@ impl<'a> FromBytes<'a> for Data {
                     .map_err(|e| anyhow!("invalid certification data: {}", e))?
                     .replace("-----END CERTIFICATE-----", "-----END CERTIFICATE-----\n");
 
-                let mut certs = rustls_pemfile::certs(&mut chain.as_bytes())
+                let mut certs = cryptography::rustls_pemfile::certs(&mut chain.as_bytes())
                     .map_err(|e| anyhow!("invalid certification data: {}", e))?;
 
                 certs.reverse();

diff --git a/src/ext/sgx/quote/qe/mod.rs → ...tation_validation/src/sgx/quote/qe/mod.rs b/src/ext/sgx/quote/qe/mod.rs → ...tation_validation/src/sgx/quote/qe/mod.rs
diff --git a/src/ext/sgx/quote/traits.rs → ...tation_validation/src/sgx/quote/traits.rs b/src/ext/sgx/quote/traits.rs → ...tation_validation/src/sgx/quote/traits.rs
diff --git a/src/ext/sgx/root.der → ...s/attestation_validation/src/sgx/root.der b/src/ext/sgx/root.der → ...s/attestation_validation/src/sgx/root.der
diff --git a/src/ext/snp/genoa.pkipath → ...estation_validation/src/snp/genoa.pkipath b/src/ext/snp/genoa.pkipath → ...estation_validation/src/snp/genoa.pkipath
diff --git a/src/ext/snp/milan.pkipath → ...estation_validation/src/snp/milan.pkipath b/src/ext/snp/milan.pkipath → ...estation_validation/src/snp/milan.pkipath
diff --git a/src/ext/snp/milan.rprt → ...attestation_validation/src/snp/milan.rprt b/src/ext/snp/milan.rprt → ...attestation_validation/src/snp/milan.rprt
diff --git a/src/ext/snp/milan.vcek → ...attestation_validation/src/snp/milan.vcek b/src/ext/snp/milan.vcek → ...attestation_validation/src/snp/milan.vcek
diff --git a/src/ext/snp/mod.rs → crates/attestation_validation/src/snp/mod.rs b/src/ext/snp/mod.rs → crates/attestation_validation/src/snp/mod.rs
@@ -1,22 +1,21 @@
 // SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]>
 // SPDX-License-Identifier: AGPL-3.0-only
 
-use crate::crypto::*;
+use cryptography::ext::*;
 
 use std::{fmt::Debug, mem::size_of};
 
 use anyhow::{anyhow, Context, Result};
-
-use const_oid::db::rfc5912::ECDSA_WITH_SHA_384;
-use const_oid::ObjectIdentifier;
+use cryptography::const_oid::db::rfc5912::ECDSA_WITH_SHA_384;
+use cryptography::const_oid::ObjectIdentifier;
+use cryptography::sec1::pkcs8::AlgorithmIdentifier;
+use cryptography::sha2::{Digest, Sha384};
+use cryptography::x509::ext::Extension;
+use cryptography::x509::{request::CertReqInfo, Certificate};
+use cryptography::x509::{PkiPath, TbsCertificate};
 use der::asn1::UIntRef;
 use der::{Decode, Encode, Sequence};
 use flagset::{flags, FlagSet};
-use sec1::pkcs8::AlgorithmIdentifier;
-use sha2::Digest;
-use x509::ext::Extension;
-use x509::{request::CertReqInfo, Certificate};
-use x509::{PkiPath, TbsCertificate};
 
 use super::ExtVerifier;
 
@@ -254,7 +253,7 @@ impl ExtVerifier for Snp {
 
         // Force certs to have the same key type as the VCEK.
         //
-        // A note about this check is in order. We don't want to build crypto
+        // A note about this check is in order. We don't want to build ext
         // algorithm negotiation into this protocol. Not only is it complex
         // but it is also subject to downgrade attacks. For example, if the
         // weakest link in the certificate chain is a P384 key and the
@@ -374,7 +373,7 @@ impl ExtVerifier for Snp {
 
         if !dbg {
             // Validate that the certification request came from an SNP VM.
-            let hash = sha2::Sha384::digest(&cri.public_key.to_vec()?);
+            let hash = Sha384::digest(&cri.public_key.to_vec()?);
             if hash.as_slice() != &report.body.report_data[..hash.as_slice().len()] {
                 return Err(anyhow!("snp report.report_data is invalid"));
             }

diff --git a/crates/cryptography/Cargo.toml b/crates/cryptography/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "cryptography"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "Cryptography library for Steward"
+
+[dependencies]
+anyhow = { version = "^1.0.55", features = ["std"], default-features = false }
+const-oid = { version = "0.9.0", features = ["db"], default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+rand = { version = "0.8", features = ["std"], default-features = false }
+rsa = {version = "0.7.0", features = ["std"], default-features = false }
+rustls-pemfile = {version = "0.3.0", default-features = false }
+sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
+sha2 = { version = "^0.10.2", default-features = false }
+signature = {version = "1.6", default-features = false }
+spki = { version = "0.6", default-features = false }
+p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
+p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
+x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
+zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
diff --git a/src/crypto/cert.rs → crates/cryptography/src/ext/cert.rs b/src/crypto/cert.rs → crates/cryptography/src/ext/cert.rs
diff --git a/src/crypto/certreq.rs → crates/cryptography/src/ext/certreq.rs b/src/crypto/certreq.rs → crates/cryptography/src/ext/certreq.rs
diff --git a/src/crypto/mod.rs → crates/cryptography/src/ext/mod.rs b/src/crypto/mod.rs → crates/cryptography/src/ext/mod.rs
diff --git a/src/crypto/pki.rs → crates/cryptography/src/ext/pki.rs b/src/crypto/pki.rs → crates/cryptography/src/ext/pki.rs
diff --git a/src/crypto/spki.rs → crates/cryptography/src/ext/spki.rs b/src/crypto/spki.rs → crates/cryptography/src/ext/spki.rs
diff --git a/crates/cryptography/src/lib.rs b/crates/cryptography/src/lib.rs
@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]>
+// SPDX-License-Identifier: AGPL-3.0-only
+
+pub mod ext;
+
+pub use const_oid;
+pub use p256;
+pub use p384;
+pub use rand;
+pub use rsa;
+pub use rustls_pemfile;
+pub use sec1;
+pub use sha2;
+pub use signature;
+pub use x509;