-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: refactor crypto, attestation into crates
Signed-off-by: Richard Zak <[email protected]>
- Loading branch information
Showing
29 changed files
with
179 additions
and
99 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
[package] | ||
name = "attestation_validation" | ||
version = "0.2.0" | ||
edition = "2021" | ||
license = "AGPL-3.0" | ||
description = "Attestation validation library for Steward" | ||
|
||
[dependencies] | ||
cryptography = { path = "../cryptography" } | ||
anyhow = { version = "^1.0.55", default-features = false } | ||
der = { version = "0.6", features = ["std"], default-features = false } | ||
flagset = { version = "0.4.3", default-features = false} | ||
sgx = { version = "0.5.0", default-features = false } | ||
|
||
[dev-dependencies] | ||
testaso = { version = "0.1", default-features = false } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,22 +1,21 @@ | ||
// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]> | ||
// SPDX-License-Identifier: AGPL-3.0-only | ||
|
||
use crate::crypto::*; | ||
use cryptography::ext::*; | ||
|
||
use std::{fmt::Debug, mem::size_of}; | ||
|
||
use anyhow::{anyhow, Context, Result}; | ||
|
||
use const_oid::db::rfc5912::ECDSA_WITH_SHA_384; | ||
use const_oid::ObjectIdentifier; | ||
use cryptography::const_oid::db::rfc5912::ECDSA_WITH_SHA_384; | ||
use cryptography::const_oid::ObjectIdentifier; | ||
use cryptography::sec1::pkcs8::AlgorithmIdentifier; | ||
use cryptography::sha2::{Digest, Sha384}; | ||
use cryptography::x509::ext::Extension; | ||
use cryptography::x509::{request::CertReqInfo, Certificate}; | ||
use cryptography::x509::{PkiPath, TbsCertificate}; | ||
use der::asn1::UIntRef; | ||
use der::{Decode, Encode, Sequence}; | ||
use flagset::{flags, FlagSet}; | ||
use sec1::pkcs8::AlgorithmIdentifier; | ||
use sha2::Digest; | ||
use x509::ext::Extension; | ||
use x509::{request::CertReqInfo, Certificate}; | ||
use x509::{PkiPath, TbsCertificate}; | ||
|
||
use super::ExtVerifier; | ||
|
||
|
@@ -254,7 +253,7 @@ impl ExtVerifier for Snp { | |
|
||
// Force certs to have the same key type as the VCEK. | ||
// | ||
// A note about this check is in order. We don't want to build crypto | ||
// A note about this check is in order. We don't want to build ext | ||
// algorithm negotiation into this protocol. Not only is it complex | ||
// but it is also subject to downgrade attacks. For example, if the | ||
// weakest link in the certificate chain is a P384 key and the | ||
|
@@ -374,7 +373,7 @@ impl ExtVerifier for Snp { | |
|
||
if !dbg { | ||
// Validate that the certification request came from an SNP VM. | ||
let hash = sha2::Sha384::digest(&cri.public_key.to_vec()?); | ||
let hash = Sha384::digest(&cri.public_key.to_vec()?); | ||
if hash.as_slice() != &report.body.report_data[..hash.as_slice().len()] { | ||
return Err(anyhow!("snp report.report_data is invalid")); | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
[package] | ||
name = "cryptography" | ||
version = "0.2.0" | ||
edition = "2021" | ||
license = "AGPL-3.0" | ||
description = "Cryptography library for Steward" | ||
|
||
[dependencies] | ||
anyhow = { version = "^1.0.55", features = ["std"], default-features = false } | ||
const-oid = { version = "0.9.0", features = ["db"], default-features = false } | ||
der = { version = "0.6", features = ["std"], default-features = false } | ||
rand = { version = "0.8", features = ["std"], default-features = false } | ||
rsa = {version = "0.7.0", features = ["std"], default-features = false } | ||
rustls-pemfile = {version = "1.0.1", default-features = false } | ||
sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false } | ||
sha2 = { version = "^0.10.2", default-features = false } | ||
signature = {version = "1.6", default-features = false } | ||
spki = { version = "0.6", default-features = false } | ||
p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false } | ||
p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false } | ||
x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false } | ||
zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false } |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]> | ||
// SPDX-License-Identifier: AGPL-3.0-only | ||
|
||
pub mod ext; | ||
|
||
pub use const_oid; | ||
pub use p256; | ||
pub use p384; | ||
pub use rand; | ||
pub use rsa; | ||
pub use rustls_pemfile; | ||
pub use sec1; | ||
pub use sha2; | ||
pub use signature; | ||
pub use x509; |
Oops, something went wrong.