Merge pull request #717 from stmcginnis/ringadingding

Update ring to 0.17
awslabs · Nov 15, 2023 · 73a98bd · 73a98bd
2 parents e52daf7 + f0085ea
commit 73a98bd
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 17 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml
@@ -16,7 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]
 
 [dependencies]
 tough = { version = "0.15", path = "../tough", features = ["http"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 aws-sdk-kms = "0.28"
 aws-config = "0.55"
 snafu = { version = "0.7", features = ["backtraces-impl-backtrace-crate"] }

diff --git a/tough/Cargo.toml b/tough/Cargo.toml
@@ -23,7 +23,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 percent-encoding = "2"
 reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_plain = "1"
@@ -32,7 +32,7 @@ tempfile = "3"
 tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "time"] }
 tokio-util = { version = "0.7", features = ["io"] }
 typed-path = "0.7"
-untrusted = "0.7"
+untrusted = "0.9"
 url = "2"
 walkdir = "2"
 

diff --git a/tough/src/schema/spki.rs b/tough/src/schema/spki.rs
@@ -20,6 +20,7 @@
 use super::error::{self, Compat, Result};
 use ring::io::der;
 use snafu::{OptionExt, ResultExt};
+use untrusted::Input;
 
 pub(super) static OID_RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113_549, 1, 1, 1];
 pub(super) static OID_EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10_045, 2, 1];
@@ -67,14 +68,27 @@ pub(super) fn decode(
                     der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(
                         |alg_ident| {
                             alg_ident.read_all(ring::error::Unspecified, |input| {
-                                if der::expect_tag_and_get_value(input, der::Tag::OID)?
-                                    != untrusted::Input::from(&asn1_encode_oid(algorithm_oid))
+                                let expected_tag_value =
+                                    der::expect_tag_and_get_value(input, der::Tag::OID)?;
+
+                                let asn1_encode = asn1_encode_oid(algorithm_oid);
+                                let algo_encode_oid: Input<'_> =
+                                    untrusted::Input::from(&asn1_encode);
+
+                                // Note: we use "less safe" here but this is OK. With the way we are using the `Input`,
+                                // we don't need to be concerned about it being too large or being parsed multiple times.
+                                if expected_tag_value.as_slice_less_safe()
+                                    != algo_encode_oid.as_slice_less_safe()
                                 {
                                     return Err(ring::error::Unspecified);
                                 }
+
                                 if let Some(parameters_oid) = parameters_oid {
-                                    if der::expect_tag_and_get_value(input, der::Tag::OID)?
-                                        != untrusted::Input::from(&asn1_encode_oid(parameters_oid))
+                                    let asn1_encode = asn1_encode_oid(parameters_oid);
+                                    let param_encode_oid: Input<'_> =
+                                        untrusted::Input::from(&asn1_encode);
+                                    if expected_tag_value.as_slice_less_safe()
+                                        != param_encode_oid.as_slice_less_safe()
                                     {
                                         return Err(ring::error::Unspecified);
                                     }

diff --git a/tough/src/sign.rs b/tough/src/sign.rs
@@ -9,7 +9,7 @@ use crate::sign::SignKeyPair::ECDSA;
 use crate::sign::SignKeyPair::ED25519;
 use crate::sign::SignKeyPair::RSA;
 use async_trait::async_trait;
-use ring::rand::SecureRandom;
+use ring::rand::{self, SecureRandom};
 use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
 use snafu::ResultExt;
 use std::collections::HashMap;
@@ -93,7 +93,7 @@ impl Sign for RsaKeyPair {
         msg: &[u8],
         rng: &(dyn SecureRandom + Sync),
     ) -> std::result::Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>> {
-        let mut signature = vec![0; self.public_modulus_len()];
+        let mut signature = vec![0; self.public().modulus_len()];
         self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature)
             .context(error::SignSnafu)?;
         Ok(signature)
@@ -167,9 +167,11 @@ impl Sign for SignKeyPair {
 pub fn parse_keypair(key: &[u8]) -> Result<impl Sign> {
     if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) {
         Ok(SignKeyPair::ED25519(ed25519_key_pair))
-    } else if let Ok(ecdsa_key_pair) =
-        EcdsaKeyPair::from_pkcs8(&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key)
-    {
+    } else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8(
+        &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
+        key,
+        &rand::SystemRandom::new(),
+    ) {
         Ok(SignKeyPair::ECDSA(ecdsa_key_pair))
     } else if let Ok(pem) = pem::parse(key) {
         match pem.tag() {

diff --git a/tuftool/Cargo.toml b/tuftool/Cargo.toml
@@ -29,7 +29,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 rayon = "1"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = "1"
 serde_json = "1"
 simplelog = "0.12"