From 068fce918246c1c2c823f3372e16bd4a3c77f3af Mon Sep 17 00:00:00 2001
From: Sean McGinnis
Date: Wed, 15 Nov 2023 15:53:30 +0000
Subject: [PATCH] Update ring to 0.17
This updates the ring dependency to the 0.17.x releases. This also required updating untrusted to 0.9 due to some public interface usage in ring. These updates also change some other function signatures, so minor tweaks were needed in calling code.
Signed-off-by: Sean McGinnis
---
 Cargo.lock | 8 ++++----
 tough-kms/Cargo.toml | 2 +-
 tough/Cargo.toml | 4 ++--
 tough/src/schema/spki.rs | 19 +++++++++++++++----
 tough/src/sign.rs | 12 +++++++-----
 tuftool/Cargo.toml | 2 +-
 6 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 584b8149f..6d7808734 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2662,7 +2662,7 @@ dependencies = [
 "pem",
 "percent-encoding",
 "reqwest",
- "ring 0.16.20",
+ "ring 0.17.5",
 "serde",
 "serde_json",
 "serde_plain",
@@ -2672,7 +2672,7 @@ dependencies = [
 "tokio-test",
 "tokio-util 0.7.10",
 "typed-path",
- "untrusted 0.7.1",
+ "untrusted 0.9.0",
 "url",
 "walkdir",
 ]
@@ -2689,7 +2689,7 @@ dependencies = [
 "bytes",
 "http",
 "pem",
- "ring 0.16.20",
+ "ring 0.17.5",
 "serde",
 "serde_json",
 "snafu",
@@ -2831,7 +2831,7 @@ dependencies = [
 "pem",
 "rayon",
 "reqwest",
- "ring 0.16.20",
+ "ring 0.17.5",
 "serde",
 "serde_json",
 "simplelog",
diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml
index 33810b0af..8a3bfa852 100644
--- a/tough-kms/Cargo.toml
+++ b/tough-kms/Cargo.toml
@@ -16,7 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]
 [dependencies]
 tough = { version = "0.15", path = "../tough", features = ["http"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 aws-sdk-kms = "0.28"
 aws-config = "0.55"
 snafu = { version = "0.7", features = ["backtraces-impl-backtrace-crate"] }
diff --git a/tough/Cargo.toml b/tough/Cargo.toml
index d2273ccb3..b48718262 100644
--- a/tough/Cargo.toml
+++ b/tough/Cargo.toml
@@ -23,7 +23,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 percent-encoding = "2"
 reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_plain = "1"
@@ -32,7 +32,7 @@ tempfile = "3"
 tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "time"] }
 tokio-util = { version = "0.7", features = ["io"] }
 typed-path = "0.7"
-untrusted = "0.7"
+untrusted = "0.9"
 url = "2"
 walkdir = "2"
diff --git a/tough/src/schema/spki.rs b/tough/src/schema/spki.rs
index ff1de1382..91f4a18e7 100644
--- a/tough/src/schema/spki.rs
+++ b/tough/src/schema/spki.rs
@@ -20,6 +20,7 @@ use super::error::{self, Compat, Result};
 use ring::io::der;
 use snafu::{OptionExt, ResultExt};
+use untrusted::Input;
 pub(super) static OID_RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113_549, 1, 1, 1];
 pub(super) static OID_EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10_045, 2, 1];
@@ -67,14 +68,24 @@ pub(super) fn decode(
 der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(
 |alg_ident| {
 alg_ident.read_all(ring::error::Unspecified, |input| {
- if der::expect_tag_and_get_value(input, der::Tag::OID)?
- != untrusted::Input::from(&asn1_encode_oid(algorithm_oid))
+ let expected_tag_value =
+ der::expect_tag_and_get_value(input, der::Tag::OID)?;
+
+ let asn1_encode = asn1_encode_oid(algorithm_oid);
+ let algo_encode_oid: Input<'_> =
+ untrusted::Input::from(&asn1_encode);
+ if expected_tag_value.as_slice_less_safe()
+ != algo_encode_oid.as_slice_less_safe()
 {
 return Err(ring::error::Unspecified);
 }
+
 if let Some(parameters_oid) = parameters_oid {
- if der::expect_tag_and_get_value(input, der::Tag::OID)?
- != untrusted::Input::from(&asn1_encode_oid(parameters_oid))
+ let asn1_encode = asn1_encode_oid(parameters_oid);
+ let param_encode_oid: Input<'_> =
+ untrusted::Input::from(&asn1_encode);
+ if expected_tag_value.as_slice_less_safe()
+ != param_encode_oid.as_slice_less_safe()
 {
 return Err(ring::error::Unspecified);
 }
diff --git a/tough/src/sign.rs b/tough/src/sign.rs
index 6c00585c5..a5bdf521b 100644
--- a/tough/src/sign.rs
+++ b/tough/src/sign.rs
@@ -9,7 +9,7 @@ use crate::sign::SignKeyPair::ECDSA;
 use crate::sign::SignKeyPair::ED25519;
 use crate::sign::SignKeyPair::RSA;
 use async_trait::async_trait;
-use ring::rand::SecureRandom;
+use ring::rand::{self, SecureRandom};
 use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
 use snafu::ResultExt;
 use std::collections::HashMap;
@@ -93,7 +93,7 @@ impl Sign for RsaKeyPair {
 msg: &[u8],
 rng: &(dyn SecureRandom + Sync),
 ) -> std::result::Result, Box> {
- let mut signature = vec![0; self.public_modulus_len()];
+ let mut signature = vec![0; self.public().modulus_len()];
 self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature)
 .context(error::SignSnafu)?;
 Ok(signature)
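Review bot: In `tough/src/schema/spki.rs`, hunk `@@ -67,14 +68,24 @@`, the `if let Some(parameters_oid)` branch compares `expected_tag_value`, which still holds the algorithm OID read a few lines earlier, against `param_encode_oid`; the second `der::expect_tag_and_get_value(input, der::Tag::OID)?` that the removed lines performed is no longer there. As written the parameters OID is never read from `input`, so a key that carries parameters (presumably the EC case, given `OID_EC_PUBLIC_KEY`) looks like it would always be rejected, and the parameters identifier in the encoded key is not what gets checked. I would read it again inside the branch, `let parameters_value = der::expect_tag_and_get_value(input, der::Tag::OID)?;`, and compare `parameters_value.as_slice_less_safe()` with `param_encode_oid.as_slice_less_safe()`. A decode test over an EC SubjectPublicKeyInfo would pin this down; the closure and `decode` continue outside the hunk, so the effect on `read_all` is inferred rather than visible.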
@@ -167,9 +167,11 @@ impl Sign for SignKeyPair {
 pub fn parse_keypair(key: &[u8]) -> Result {
 if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) {
 Ok(SignKeyPair::ED25519(ed25519_key_pair))
- } else if let Ok(ecdsa_key_pair) =
- EcdsaKeyPair::from_pkcs8(&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key)
- {
+ } else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8(
+ &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
+ key,
+ &rand::SystemRandom::new(),
+ ) {
 Ok(SignKeyPair::ECDSA(ecdsa_key_pair))
 } else if let Ok(pem) = pem::parse(key) {
 match pem.tag() {
diff --git a/tuftool/Cargo.toml b/tuftool/Cargo.toml
index 2e5ae04c8..fd3c3908e 100644
--- a/tuftool/Cargo.toml
+++ b/tuftool/Cargo.toml
@@ -29,7 +29,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 rayon = "1"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = "1"
 serde_json = "1"
 simplelog = "0.12"
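Review bot: `parse_keypair` in `tough/src/sign.rs` (hunk `@@ -167,9 +167,11 @@`) now instantiates its own `rand::SystemRandom::new()` for `EcdsaKeyPair::from_pkcs8`, whereas ring's documentation recommends creating one `SystemRandom` per application and passing it down as `&dyn SecureRandom`, which is how the `sign` methods in this file already receive `rng`. The public signature takes only `key`, so threading an RNG through is a separate change; for this commit a comment above the call would record the decision, e.g. `// ring 0.17 requires an RNG to load an ECDSA key; built locally because parse_keypair's public signature has no rng parameter`. The function body continues outside the hunk.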