Update ring to 0.17

This updates the ring dependency to the 0.17.x releases. This also required updating untrusted to 0.9 due to some public interface usage in ring. These updates also change some other function signatures, so minor tweaks were needed in calling code. Signed-off-by: Sean McGinnis <[email protected]>
awslabs · Nov 15, 2023 · 068fce9 · 068fce9
1 parent 6514cbe
commit 068fce9
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 17 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml
@@ -16,7 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]
 
 [dependencies]
 tough = { version = "0.15", path = "../tough", features = ["http"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 aws-sdk-kms = "0.28"
 aws-config = "0.55"
 snafu = { version = "0.7", features = ["backtraces-impl-backtrace-crate"] }

diff --git a/tough/Cargo.toml b/tough/Cargo.toml
@@ -23,7 +23,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 percent-encoding = "2"
 reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_plain = "1"
@@ -32,7 +32,7 @@ tempfile = "3"
 tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "time"] }
 tokio-util = { version = "0.7", features = ["io"] }
 typed-path = "0.7"
-untrusted = "0.7"
+untrusted = "0.9"
 url = "2"
 walkdir = "2"
 

diff --git a/tough/src/schema/spki.rs b/tough/src/schema/spki.rs
@@ -20,6 +20,7 @@
 use super::error::{self, Compat, Result};
 use ring::io::der;
 use snafu::{OptionExt, ResultExt};
+use untrusted::Input;
 
 pub(super) static OID_RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113_549, 1, 1, 1];
 pub(super) static OID_EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10_045, 2, 1];
@@ -67,14 +68,24 @@ pub(super) fn decode(
                     der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(
                         |alg_ident| {
                             alg_ident.read_all(ring::error::Unspecified, |input| {
-                                if der::expect_tag_and_get_value(input, der::Tag::OID)?
-                                    != untrusted::Input::from(&asn1_encode_oid(algorithm_oid))
+                                let expected_tag_value =
+                                    der::expect_tag_and_get_value(input, der::Tag::OID)?;
+
+                                let asn1_encode = asn1_encode_oid(algorithm_oid);
+                                let algo_encode_oid: Input<'_> =
+                                    untrusted::Input::from(&asn1_encode);
+                                if expected_tag_value.as_slice_less_safe()
+                                    != algo_encode_oid.as_slice_less_safe()
                                 {
                                     return Err(ring::error::Unspecified);
                                 }
+
                                 if let Some(parameters_oid) = parameters_oid {
-                                    if der::expect_tag_and_get_value(input, der::Tag::OID)?
-                                        != untrusted::Input::from(&asn1_encode_oid(parameters_oid))
+                                    let asn1_encode = asn1_encode_oid(parameters_oid);
+                                    let param_encode_oid: Input<'_> =
+                                        untrusted::Input::from(&asn1_encode);
+                                    if expected_tag_value.as_slice_less_safe()
+                                        != param_encode_oid.as_slice_less_safe()
                                     {
                                         return Err(ring::error::Unspecified);
                                     }

diff --git a/tough/src/sign.rs b/tough/src/sign.rs
@@ -9,7 +9,7 @@ use crate::sign::SignKeyPair::ECDSA;
 use crate::sign::SignKeyPair::ED25519;
 use crate::sign::SignKeyPair::RSA;
 use async_trait::async_trait;
-use ring::rand::SecureRandom;
+use ring::rand::{self, SecureRandom};
 use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
 use snafu::ResultExt;
 use std::collections::HashMap;
@@ -93,7 +93,7 @@ impl Sign for RsaKeyPair {
         msg: &[u8],
         rng: &(dyn SecureRandom + Sync),
     ) -> std::result::Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>> {
-        let mut signature = vec![0; self.public_modulus_len()];
+        let mut signature = vec![0; self.public().modulus_len()];
         self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature)
             .context(error::SignSnafu)?;
         Ok(signature)
@@ -167,9 +167,11 @@ impl Sign for SignKeyPair {
 pub fn parse_keypair(key: &[u8]) -> Result<impl Sign> {
     if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) {
         Ok(SignKeyPair::ED25519(ed25519_key_pair))
-    } else if let Ok(ecdsa_key_pair) =
-        EcdsaKeyPair::from_pkcs8(&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key)
-    {
+    } else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8(
+        &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
+        key,
+        &rand::SystemRandom::new(),
+    ) {
         Ok(SignKeyPair::ECDSA(ecdsa_key_pair))
     } else if let Ok(pem) = pem::parse(key) {
         match pem.tag() {

diff --git a/tuftool/Cargo.toml b/tuftool/Cargo.toml
@@ -29,7 +29,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 rayon = "1"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = "1"
 serde_json = "1"
 simplelog = "0.12"