From f0085ea950b9ac82d26449efb1d57cf10f89f0b7 Mon Sep 17 00:00:00 2001
From: Sean McGinnis <stmcg@amazon.com>
Date: Wed, 15 Nov 2023 15:53:30 +0000
Subject: [PATCH] Update ring to 0.17

This updates the ring dependency to the 0.17.x releases. This also
required updating untrusted to 0.9 due to some public interface usage in
ring.

These updates also change some other function signatures, so minor
tweaks were needed in calling code.

Signed-off-by: Sean McGinnis <stmcg@amazon.com>
---
 Cargo.lock               |  8 ++++----
 tough-kms/Cargo.toml     |  2 +-
 tough/Cargo.toml         |  4 ++--
 tough/src/schema/spki.rs | 22 ++++++++++++++++++----
 tough/src/sign.rs        | 12 +++++++-----
 tuftool/Cargo.toml       |  2 +-
 6 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 584b8149..6d780873 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2662,7 +2662,7 @@ dependencies = [
  "pem",
  "percent-encoding",
  "reqwest",
- "ring 0.16.20",
+ "ring 0.17.5",
  "serde",
  "serde_json",
  "serde_plain",
@@ -2672,7 +2672,7 @@ dependencies = [
  "tokio-test",
  "tokio-util 0.7.10",
  "typed-path",
- "untrusted 0.7.1",
+ "untrusted 0.9.0",
  "url",
  "walkdir",
 ]
@@ -2689,7 +2689,7 @@ dependencies = [
  "bytes",
  "http",
  "pem",
- "ring 0.16.20",
+ "ring 0.17.5",
  "serde",
  "serde_json",
  "snafu",
@@ -2831,7 +2831,7 @@ dependencies = [
  "pem",
  "rayon",
  "reqwest",
- "ring 0.16.20",
+ "ring 0.17.5",
  "serde",
  "serde_json",
  "simplelog",
diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml
index 33810b0a..8a3bfa85 100644
--- a/tough-kms/Cargo.toml
+++ b/tough-kms/Cargo.toml
@@ -16,7 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]
 
 [dependencies]
 tough = { version = "0.15", path = "../tough", features = ["http"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 aws-sdk-kms = "0.28"
 aws-config = "0.55"
 snafu = { version = "0.7", features = ["backtraces-impl-backtrace-crate"] }
diff --git a/tough/Cargo.toml b/tough/Cargo.toml
index d2273ccb..b4871826 100644
--- a/tough/Cargo.toml
+++ b/tough/Cargo.toml
@@ -23,7 +23,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 percent-encoding = "2"
 reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_plain = "1"
@@ -32,7 +32,7 @@ tempfile = "3"
 tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "time"] }
 tokio-util = { version = "0.7", features = ["io"] }
 typed-path = "0.7"
-untrusted = "0.7"
+untrusted = "0.9"
 url = "2"
 walkdir = "2"
 
diff --git a/tough/src/schema/spki.rs b/tough/src/schema/spki.rs
index ff1de138..f38827b8 100644
--- a/tough/src/schema/spki.rs
+++ b/tough/src/schema/spki.rs
@@ -20,6 +20,7 @@
 use super::error::{self, Compat, Result};
 use ring::io::der;
 use snafu::{OptionExt, ResultExt};
+use untrusted::Input;
 
 pub(super) static OID_RSA_ENCRYPTION: &[u64] = &[1, 2, 840, 113_549, 1, 1, 1];
 pub(super) static OID_EC_PUBLIC_KEY: &[u64] = &[1, 2, 840, 10_045, 2, 1];
@@ -67,14 +68,27 @@ pub(super) fn decode(
                     der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(
                         |alg_ident| {
                             alg_ident.read_all(ring::error::Unspecified, |input| {
-                                if der::expect_tag_and_get_value(input, der::Tag::OID)?
-                                    != untrusted::Input::from(&asn1_encode_oid(algorithm_oid))
+                                let expected_tag_value =
+                                    der::expect_tag_and_get_value(input, der::Tag::OID)?;
+
+                                let asn1_encode = asn1_encode_oid(algorithm_oid);
+                                let algo_encode_oid: Input<'_> =
+                                    untrusted::Input::from(&asn1_encode);
+
+                                // Note: we use "less safe" here but this is OK. With the way we are using the `Input`,
+                                // we don't need to be concerned about it being too large or being parsed multiple times.
+                                if expected_tag_value.as_slice_less_safe()
+                                    != algo_encode_oid.as_slice_less_safe()
                                 {
                                     return Err(ring::error::Unspecified);
                                 }
+
                                 if let Some(parameters_oid) = parameters_oid {
-                                    if der::expect_tag_and_get_value(input, der::Tag::OID)?
-                                        != untrusted::Input::from(&asn1_encode_oid(parameters_oid))
+                                    let asn1_encode = asn1_encode_oid(parameters_oid);
+                                    let param_encode_oid: Input<'_> =
+                                        untrusted::Input::from(&asn1_encode);
+                                    if expected_tag_value.as_slice_less_safe()
+                                        != param_encode_oid.as_slice_less_safe()
                                     {
                                         return Err(ring::error::Unspecified);
                                     }
diff --git a/tough/src/sign.rs b/tough/src/sign.rs
index 6c00585c..a5bdf521 100644
--- a/tough/src/sign.rs
+++ b/tough/src/sign.rs
@@ -9,7 +9,7 @@ use crate::sign::SignKeyPair::ECDSA;
 use crate::sign::SignKeyPair::ED25519;
 use crate::sign::SignKeyPair::RSA;
 use async_trait::async_trait;
-use ring::rand::SecureRandom;
+use ring::rand::{self, SecureRandom};
 use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
 use snafu::ResultExt;
 use std::collections::HashMap;
@@ -93,7 +93,7 @@ impl Sign for RsaKeyPair {
         msg: &[u8],
         rng: &(dyn SecureRandom + Sync),
     ) -> std::result::Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>> {
-        let mut signature = vec![0; self.public_modulus_len()];
+        let mut signature = vec![0; self.public().modulus_len()];
         self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature)
             .context(error::SignSnafu)?;
         Ok(signature)
@@ -167,9 +167,11 @@ impl Sign for SignKeyPair {
 pub fn parse_keypair(key: &[u8]) -> Result<impl Sign> {
     if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) {
         Ok(SignKeyPair::ED25519(ed25519_key_pair))
-    } else if let Ok(ecdsa_key_pair) =
-        EcdsaKeyPair::from_pkcs8(&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key)
-    {
+    } else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8(
+        &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
+        key,
+        &rand::SystemRandom::new(),
+    ) {
         Ok(SignKeyPair::ECDSA(ecdsa_key_pair))
     } else if let Ok(pem) = pem::parse(key) {
         match pem.tag() {
diff --git a/tuftool/Cargo.toml b/tuftool/Cargo.toml
index 2e5ae04c..fd3c3908 100644
--- a/tuftool/Cargo.toml
+++ b/tuftool/Cargo.toml
@@ -29,7 +29,7 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 rayon = "1"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
-ring = { version = "0.16", features = ["std"] }
+ring = { version = "0.17", features = ["std"] }
 serde = "1"
 serde_json = "1"
 simplelog = "0.12"