Skip to content

Commit

Permalink
chore: refactor crypto, attestation into crates
Browse files Browse the repository at this point in the history
Signed-off-by: Richard Zak <[email protected]>
  • Loading branch information
rjzak committed Oct 21, 2022
1 parent a69be40 commit 6380569
Show file tree
Hide file tree
Showing 29 changed files with 179 additions and 99 deletions.
47 changes: 35 additions & 12 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 9 additions & 11 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -10,21 +10,12 @@ license = "AGPL-3.0"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
const-oid = { version = "0.9.0", features = ["db"], default-features = false }
attestation_validation = { path = "crates/attestation_validation" }
cryptography = { path = "crates/cryptography" }
der = { version = "0.6", features = ["std"], default-features = false }
sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
spki = { version = "0.6", default-features = false }
x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
rustls-pemfile = {version = "1.0.1", default-features = false }
sha2 = { version = "^0.10.2", default-features = false }
zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
flagset = { version = "0.4.3", default-features = false}
sgx = { version = "0.5.0", default-features = false }
signature = {version = "1.6", default-features = false }
rsa = {version = "0.7.0", features = ["std"], default-features = false }
p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
rand = { version = "0.8", features = ["std"], default-features = false }

tracing-subscriber = { version="^0.3.15", features = ["env-filter", "json", "fmt"], default-features = false }
tower-http = { version = "^0.3.0", features = ["trace"], default-features = false }
Expand Down Expand Up @@ -55,3 +46,10 @@ incremental = false
codegen-units = 1
lto = true
strip = true

[workspace]
resolver = '2'
members = [
'crates/attestation_validation',
'crates/cryptography',
]
16 changes: 16 additions & 0 deletions crates/attestation_validation/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
[package]
name = "attestation_validation"
version = "0.2.0"
edition = "2021"
license = "AGPL-3.0"
description = "Attestation validation library for Steward"

[dependencies]
cryptography = { path = "../cryptography" }
anyhow = { version = "^1.0.55", default-features = false }
der = { version = "0.6", features = ["std"], default-features = false }
flagset = { version = "0.4.3", default-features = false}
sgx = { version = "0.5.0", default-features = false }

[dev-dependencies]
testaso = { version = "0.1", default-features = false }
4 changes: 2 additions & 2 deletions src/ext/kvm.rs → crates/attestation_validation/src/kvm.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
// SPDX-License-Identifier: AGPL-3.0-only

use anyhow::{anyhow, Result};
use const_oid::ObjectIdentifier;
use x509::{ext::Extension, request::CertReqInfo};
use cryptography::const_oid::ObjectIdentifier;
use cryptography::x509::{ext::Extension, request::CertReqInfo};

use super::ExtVerifier;

Expand Down
4 changes: 2 additions & 2 deletions src/ext/mod.rs → crates/attestation_validation/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
// SPDX-License-Identifier: AGPL-3.0-only

use anyhow::Result;
use const_oid::ObjectIdentifier;
use x509::{ext::Extension, request::CertReqInfo};
use cryptography::const_oid::ObjectIdentifier;
use cryptography::x509::{ext::Extension, request::CertReqInfo};

pub mod kvm;
pub mod sgx;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,17 @@
mod quote;

use super::ExtVerifier;
use crate::crypto::*;
use cryptography::ext::*;
use quote::traits::ParseBytes;

use std::fmt::Debug;

use anyhow::{anyhow, Result};
use const_oid::ObjectIdentifier;
use cryptography::const_oid::ObjectIdentifier;
use cryptography::sha2::{Digest, Sha256};
use cryptography::x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
use der::{Decode, Encode};
use sgx::parameters::{Attributes, MiscSelect};
use sha2::{Digest, Sha256};
use x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};

#[derive(Clone, Debug)]
pub struct Sgx([Certificate<'static>; 1]);
Expand Down Expand Up @@ -66,7 +66,7 @@ impl ExtVerifier for Sgx {

// Force certs to have the same key type as the PCK.
//
// A note about this check is in order. We don't want to build crypto
// A note about this check is in order. We don't want to build ext
// algorithm negotiation into this protocol. Not only is it complex
// but it is also subject to downgrade attacks. For example, if the
// weakest link in the certificate chain is a P384 key and the
Expand Down
File renamed without changes.
File renamed without changes.
File renamed without changes.
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@

use super::{qe::QuotingEnclave, FromBytes, ParseBytes};

use std::array::TryFromSliceError;

use anyhow::anyhow;
use der::{asn1::UIntRef, Sequence};
use std::array::TryFromSliceError;

#[derive(Clone, Debug)]
#[repr(C)]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,16 @@ pub mod es256;
pub mod qe;
pub mod traits;

use crate::crypto::TbsCertificateExt;
use anyhow::anyhow;
use body::Body;
use cryptography::ext::TbsCertificateExt;
use traits::{FromBytes, ParseBytes, Steal};

use cryptography::p256::ecdsa::signature::Verifier;
use cryptography::sha2::{digest::DynDigest, Sha256};
use cryptography::x509::TbsCertificate;
use der::Encode;
use p256::ecdsa::signature::Verifier;
use sgx::ReportBody;
use sha2::{digest::DynDigest, Sha256};
use x509::TbsCertificate;

pub struct Quote<'a> {
body: &'a Body,
Expand Down Expand Up @@ -71,7 +72,7 @@ impl<'a> Quote<'a> {

// Validate the Attestation Key.
let mut data = [0u8; 64];
let mut hash = <Sha256 as sha2::Digest>::new();
let mut hash = <Sha256 as cryptography::sha2::Digest>::new();
hash.update(self.sign.key.as_ref());
hash.update(self.sign.iqe.auth.as_ref());
hash.finalize_into(&mut data[..32])?;
Expand All @@ -80,8 +81,8 @@ impl<'a> Quote<'a> {
}

// Verify the signature on the enclave report.
let vkey = p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
let sig = p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
let vkey = cryptography::p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
let sig = cryptography::p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
vkey.verify(self.body.as_ref(), &sig)?;

// Verify the PCE security version.
Expand Down
File renamed without changes.
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@

use super::super::{FromBytes, ParseBytes, Steal};

use anyhow::anyhow;

#[derive(Clone, Debug)]
#[non_exhaustive]
pub enum Data {
Expand All @@ -23,7 +25,7 @@ impl<'a> FromBytes<'a> for Data {
.map_err(|e| anyhow!("invalid certification data: {}", e))?
.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE-----\n");

let mut certs = rustls_pemfile::certs(&mut chain.as_bytes())
let mut certs = cryptography::rustls_pemfile::certs(&mut chain.as_bytes())
.map_err(|e| anyhow!("invalid certification data: {}", e))?;

certs.reverse();
Expand Down
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
21 changes: 10 additions & 11 deletions src/ext/snp/mod.rs → crates/attestation_validation/src/snp/mod.rs
Original file line number Diff line number Diff line change
@@ -1,22 +1,21 @@
// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]>
// SPDX-License-Identifier: AGPL-3.0-only

use crate::crypto::*;
use cryptography::ext::*;

use std::{fmt::Debug, mem::size_of};

use anyhow::{anyhow, Context, Result};

use const_oid::db::rfc5912::ECDSA_WITH_SHA_384;
use const_oid::ObjectIdentifier;
use cryptography::const_oid::db::rfc5912::ECDSA_WITH_SHA_384;
use cryptography::const_oid::ObjectIdentifier;
use cryptography::sec1::pkcs8::AlgorithmIdentifier;
use cryptography::sha2::{Digest, Sha384};
use cryptography::x509::ext::Extension;
use cryptography::x509::{request::CertReqInfo, Certificate};
use cryptography::x509::{PkiPath, TbsCertificate};
use der::asn1::UIntRef;
use der::{Decode, Encode, Sequence};
use flagset::{flags, FlagSet};
use sec1::pkcs8::AlgorithmIdentifier;
use sha2::Digest;
use x509::ext::Extension;
use x509::{request::CertReqInfo, Certificate};
use x509::{PkiPath, TbsCertificate};

use super::ExtVerifier;

Expand Down Expand Up @@ -254,7 +253,7 @@ impl ExtVerifier for Snp {

// Force certs to have the same key type as the VCEK.
//
// A note about this check is in order. We don't want to build crypto
// A note about this check is in order. We don't want to build ext
// algorithm negotiation into this protocol. Not only is it complex
// but it is also subject to downgrade attacks. For example, if the
// weakest link in the certificate chain is a P384 key and the
Expand Down Expand Up @@ -374,7 +373,7 @@ impl ExtVerifier for Snp {

if !dbg {
// Validate that the certification request came from an SNP VM.
let hash = sha2::Sha384::digest(&cri.public_key.to_vec()?);
let hash = Sha384::digest(&cri.public_key.to_vec()?);
if hash.as_slice() != &report.body.report_data[..hash.as_slice().len()] {
return Err(anyhow!("snp report.report_data is invalid"));
}
Expand Down
22 changes: 22 additions & 0 deletions crates/cryptography/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
[package]
name = "cryptography"
version = "0.2.0"
edition = "2021"
license = "AGPL-3.0"
description = "Cryptography library for Steward"

[dependencies]
anyhow = { version = "^1.0.55", features = ["std"], default-features = false }
const-oid = { version = "0.9.0", features = ["db"], default-features = false }
der = { version = "0.6", features = ["std"], default-features = false }
rand = { version = "0.8", features = ["std"], default-features = false }
rsa = {version = "0.7.0", features = ["std"], default-features = false }
rustls-pemfile = {version = "1.0.1", default-features = false }
sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
sha2 = { version = "^0.10.2", default-features = false }
signature = {version = "1.6", default-features = false }
spki = { version = "0.6", default-features = false }
p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
15 changes: 15 additions & 0 deletions crates/cryptography/src/lib.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]>
// SPDX-License-Identifier: AGPL-3.0-only

pub mod ext;

pub use const_oid;
pub use p256;
pub use p384;
pub use rand;
pub use rsa;
pub use rustls_pemfile;
pub use sec1;
pub use sha2;
pub use signature;
pub use x509;
Loading

0 comments on commit 6380569

Please sign in to comment.