diff --git a/Cargo.lock b/Cargo.lock index 54554f116..7062ab793 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -179,9 +179,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "aws-nitro-enclaves-cose" -version = "0.4.0" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e2fe3e862758ef5bb5d89868141ab28781d96347522b60eb6abeaf7f9acd4bc" +checksum = "0705f682b7df79a5841e815364181f35efe0ef953a1363cf8e773d5bd23846a5" dependencies = [ "openssl", "serde", diff --git a/data-formats/Cargo.toml b/data-formats/Cargo.toml index 763a319dd..f2667651d 100644 --- a/data-formats/Cargo.toml +++ b/data-formats/Cargo.toml @@ -17,7 +17,7 @@ serde_cbor = "0.11" serde_repr = "0.1.6" serde_tuple = "0.5" thiserror = "1" -aws-nitro-enclaves-cose = "0.4.0" +aws-nitro-enclaves-cose = "0.5.0" uuid = "1.3" num-traits = "0.2" num-derive = "0.3" diff --git a/data-formats/src/constants/mod.rs b/data-formats/src/constants/mod.rs index 45212d526..90171f311 100644 --- a/data-formats/src/constants/mod.rs +++ b/data-formats/src/constants/mod.rs @@ -111,8 +111,8 @@ const RS384: i16 = -258; #[repr(i16)] #[non_exhaustive] pub enum DeviceSigType { - StSECP256R1 = (aws_nitro_enclaves_cose::sign::SignatureAlgorithm::ES256 as i16), - StSECP384R1 = (aws_nitro_enclaves_cose::sign::SignatureAlgorithm::ES384 as i16), + StSECP256R1 = (aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES256 as i16), + StSECP384R1 = (aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES384 as i16), StRSA2048 = RS256, StRSA3072 = RS384, StEPID10 = 90, diff --git a/data-formats/src/devicecredential/file.rs b/data-formats/src/devicecredential/file.rs index b895c0e95..0ab146e1c 100644 --- a/data-formats/src/devicecredential/file.rs +++ b/data-formats/src/devicecredential/file.rs @@ -11,7 +11,7 @@ use crate::{ DeviceCredential, ProtocolVersion, }; -use aws_nitro_enclaves_cose::{error::CoseError, sign::SignatureAlgorithm}; +use aws_nitro_enclaves_cose::error::CoseError; use openssl::{pkey::PKey, sign::Signer}; use serde::{Deserialize, Serialize}; use serde_tuple::Serialize_tuple; @@ -249,7 +249,10 @@ impl TpmCoseSigner { public: &tss_esapi::structures::Public, ) -> Result< ( - (SignatureAlgorithm, openssl::hash::MessageDigest), + ( + aws_nitro_enclaves_cose::crypto::SignatureAlgorithm, + aws_nitro_enclaves_cose::crypto::MessageDigest, + ), tss_esapi::interface_types::algorithm::HashingAlgorithm, usize, ), @@ -264,13 +267,13 @@ impl TpmCoseSigner { }; let param_hash_alg = match hash_alg { tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha256 => { - openssl::hash::MessageDigest::sha256() + aws_nitro_enclaves_cose::crypto::MessageDigest::Sha256 } tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha384 => { - openssl::hash::MessageDigest::sha384() + aws_nitro_enclaves_cose::crypto::MessageDigest::Sha384 } tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha512 => { - openssl::hash::MessageDigest::sha512() + aws_nitro_enclaves_cose::crypto::MessageDigest::Sha512 } _ => { return Err(CoseError::UnsupportedError( @@ -280,17 +283,17 @@ impl TpmCoseSigner { }; let (sig_alg, correct_hash_alg, key_length) = match parameters.ecc_curve() { tss_esapi::interface_types::ecc::EccCurve::NistP256 => ( - SignatureAlgorithm::ES256, + aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES256, tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha256, 32, ), tss_esapi::interface_types::ecc::EccCurve::NistP384 => ( - SignatureAlgorithm::ES384, + aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES384, tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha384, 48, ), tss_esapi::interface_types::ecc::EccCurve::NistP521 => ( - SignatureAlgorithm::ES512, + aws_nitro_enclaves_cose::crypto::SignatureAlgorithm::ES512, tss_esapi::interface_types::algorithm::HashingAlgorithm::Sha512, 66, ), @@ -317,8 +320,9 @@ impl aws_nitro_enclaves_cose::crypto::SigningPublicKey for TpmCoseSigner { &self, ) -> Result< ( - aws_nitro_enclaves_cose::sign::SignatureAlgorithm, - openssl::hash::MessageDigest, + aws_nitro_enclaves_cose::crypto::SignatureAlgorithm, + aws_nitro_enclaves_cose::crypto::MessageDigest, + // openssl::hash::MessageDigest, ), CoseError, > { diff --git a/data-formats/src/types.rs b/data-formats/src/types.rs index ac3f4452c..79f802fcf 100644 --- a/data-formats/src/types.rs +++ b/data-formats/src/types.rs @@ -1791,13 +1791,15 @@ impl COSESign { }) } - pub fn new( + pub fn new( payload: &T, unprotected: Option, sign_key: &dyn SigningPrivateKey, + hash: &H, ) -> Result where T: Serializable, + H: aws_nitro_enclaves_cose::crypto::Hash, { let unprotected = match unprotected { Some(v) => v, @@ -1805,19 +1807,21 @@ impl COSESign { }; let payload = payload.serialize_data()?; - let inner = COSESignInner::new(&payload, &unprotected.into(), sign_key)?; + let inner = COSESignInner::new::(&payload, &unprotected.into(), sign_key)?; Self::new_from_inner(inner) } - pub fn new_with_protected( + pub fn new_with_protected( payload: &T, protected: COSEHeaderMap, unprotected: Option, sign_key: &dyn SigningPrivateKey, + hash: &H, ) -> Result where T: Serializable, + H: aws_nitro_enclaves_cose::crypto::Hash, { let unprotected = match unprotected { Some(v) => v, @@ -1830,13 +1834,16 @@ impl COSESign { protected.insert(1.into(), (sig_alg as i8).into()); let inner = - COSESignInner::new_with_protected(&payload, &protected, &unprotected.into(), sign_key)?; + COSESignInner::new_with_protected::(&payload, &protected, &unprotected.into(), sign_key)?; Self::new_from_inner(inner) } - pub fn verify(&self, sign_key: &dyn SigningPublicKey) -> Result<(), Error> { - if self.cached_inner.verify_signature(sign_key)? { + pub fn verify(&self, sign_key: &dyn SigningPublicKey) -> Result<(), Error> + where + H: aws_nitro_enclaves_cose::crypto::Hash, + { + if self.cached_inner.verify_signature::(sign_key)? { Ok(()) } else { Err(Error::InconsistentValue("Signature verification failed")) @@ -1852,7 +1859,7 @@ impl COSESign { ES: PayloadState, { let claims = eat.to_map(); - Self::new(&claims.0, unprotected, sign_key) + Self::new(&claims.0, unprotected, sign_key, &sign_key.get_parameters()?.0) } pub fn get_payload_unverified(&self) -> Result, Error> diff --git a/http-wrapper/Cargo.toml b/http-wrapper/Cargo.toml index 0be4cd322..82d149366 100644 --- a/http-wrapper/Cargo.toml +++ b/http-wrapper/Cargo.toml @@ -20,7 +20,7 @@ openssl = "0.10.60" fdo-data-formats = { path = "../data-formats", version = "0.4.12" } fdo-store = { path = "../store", version = "0.4.12" } -aws-nitro-enclaves-cose = "0.4.0" +aws-nitro-enclaves-cose = "0.5.0" # Server-side uuid = { version = "1.3", features = ["v4"], optional = true }