diff --git a/Cargo.lock b/Cargo.lock index 584b8149f..6d7808734 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2662,7 +2662,7 @@ dependencies = [ "pem", "percent-encoding", "reqwest", - "ring 0.16.20", + "ring 0.17.5", "serde", "serde_json", "serde_plain", @@ -2672,7 +2672,7 @@ dependencies = [ "tokio-test", "tokio-util 0.7.10", "typed-path", - "untrusted 0.7.1", + "untrusted 0.9.0", "url", "walkdir", ] @@ -2689,7 +2689,7 @@ dependencies = [ "bytes", "http", "pem", - "ring 0.16.20", + "ring 0.17.5", "serde", "serde_json", "snafu", @@ -2831,7 +2831,7 @@ dependencies = [ "pem", "rayon", "reqwest", - "ring 0.16.20", + "ring 0.17.5", "serde", "serde_json", "simplelog", diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml index 33810b0af..8a3bfa852 100644 --- a/tough-kms/Cargo.toml +++ b/tough-kms/Cargo.toml @@ -16,7 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"] [dependencies] tough = { version = "0.15", path = "../tough", features = ["http"] } -ring = { version = "0.16", features = ["std"] } +ring = { version = "0.17", features = ["std"] } aws-sdk-kms = "0.28" aws-config = "0.55" snafu = { version = "0.7", features = ["backtraces-impl-backtrace-crate"] } diff --git a/tough/Cargo.toml b/tough/Cargo.toml index d2273ccb3..b48718262 100644 --- a/tough/Cargo.toml +++ b/tough/Cargo.toml @@ -23,7 +23,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" } pem = "3" percent-encoding = "2" reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] } -ring = { version = "0.16", features = ["std"] } +ring = { version = "0.17", features = ["std"] } serde = { version = "1", features = ["derive"] } serde_json = "1" serde_plain = "1" @@ -32,7 +32,7 @@ tempfile = "3" tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "time"] } tokio-util = { version = "0.7", features = ["io"] } typed-path = "0.7" -untrusted = "0.7" +untrusted = "0.9" url = "2" walkdir = "2" diff --git a/tough/src/schema/spki.rs b/tough/src/schema/spki.rs index ff1de1382..91f4a18e7 100644 --- a/tough/src/schema/spki.rs +++ b/tough/src/schema/spki.rs @@ -20,6 +20,7 @@ use super::error::{self, Compat, Result}; use ring::io::der; use snafu::{OptionExt, ResultExt}; +use untrusted::Input; pub(super) static OID_RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113_549, 1, 1, 1]; pub(super) static OID_EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10_045, 2, 1]; @@ -67,14 +68,24 @@ pub(super) fn decode( der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then( |alg_ident| { alg_ident.read_all(ring::error::Unspecified, |input| { - if der::expect_tag_and_get_value(input, der::Tag::OID)? - != untrusted::Input::from(&asn1_encode_oid(algorithm_oid)) + let expected_tag_value = + der::expect_tag_and_get_value(input, der::Tag::OID)?; + + let asn1_encode = asn1_encode_oid(algorithm_oid); + let algo_encode_oid: Input<'_> = + untrusted::Input::from(&asn1_encode); + if expected_tag_value.as_slice_less_safe() + != algo_encode_oid.as_slice_less_safe() { return Err(ring::error::Unspecified); } + if let Some(parameters_oid) = parameters_oid { - if der::expect_tag_and_get_value(input, der::Tag::OID)? - != untrusted::Input::from(&asn1_encode_oid(parameters_oid)) + let asn1_encode = asn1_encode_oid(parameters_oid); + let param_encode_oid: Input<'_> = + untrusted::Input::from(&asn1_encode); + if expected_tag_value.as_slice_less_safe() + != param_encode_oid.as_slice_less_safe() { return Err(ring::error::Unspecified); } diff --git a/tough/src/sign.rs b/tough/src/sign.rs index 6c00585c5..a5bdf521b 100644 --- a/tough/src/sign.rs +++ b/tough/src/sign.rs @@ -9,7 +9,7 @@ use crate::sign::SignKeyPair::ECDSA; use crate::sign::SignKeyPair::ED25519; use crate::sign::SignKeyPair::RSA; use async_trait::async_trait; -use ring::rand::SecureRandom; +use ring::rand::{self, SecureRandom}; use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair}; use snafu::ResultExt; use std::collections::HashMap; @@ -93,7 +93,7 @@ impl Sign for RsaKeyPair { msg: &[u8], rng: &(dyn SecureRandom + Sync), ) -> std::result::Result, Box> { - let mut signature = vec![0; self.public_modulus_len()]; + let mut signature = vec![0; self.public().modulus_len()]; self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature) .context(error::SignSnafu)?; Ok(signature) @@ -167,9 +167,11 @@ impl Sign for SignKeyPair { pub fn parse_keypair(key: &[u8]) -> Result { if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) { Ok(SignKeyPair::ED25519(ed25519_key_pair)) - } else if let Ok(ecdsa_key_pair) = - EcdsaKeyPair::from_pkcs8(&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key) - { + } else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8( + &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, + key, + &rand::SystemRandom::new(), + ) { Ok(SignKeyPair::ECDSA(ecdsa_key_pair)) } else if let Ok(pem) = pem::parse(key) { match pem.tag() { diff --git a/tuftool/Cargo.toml b/tuftool/Cargo.toml index 2e5ae04c8..fd3c3908e 100644 --- a/tuftool/Cargo.toml +++ b/tuftool/Cargo.toml @@ -29,7 +29,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" } pem = "3" rayon = "1" reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] } -ring = { version = "0.16", features = ["std"] } +ring = { version = "0.17", features = ["std"] } serde = "1" serde_json = "1" simplelog = "0.12"