chore: refactor crypto, attestation into crates
Signed-off-by: Richard Zak <[email protected]>
rjzak authored and npmccallum committed Nov 7, 2022
1 parent a589ff4 commit b47ca81
Showing 30 changed files with 222 additions and 148 deletions.
56 changes: 45 additions & 11 deletions Cargo.lock


22 changes: 11 additions & 11 deletions Cargo.toml
Expand Up @@ -10,21 +10,13 @@ license = "AGPL-3.0"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
const-oid = { version = "0.9.0", features = ["db"], default-features = false }
sgx_validation = { path = "crates/sgx_validation" }
snp_validation = { path = "crates/snp_validation" }
cryptography = { path = "crates/cryptography" }
der = { version = "0.6", features = ["std"], default-features = false }
sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
spki = { version = "0.6", default-features = false }
x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
rustls-pemfile = {version = "1.0.1", default-features = false }
sha2 = { version = "^0.10.2", default-features = false }
zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
flagset = { version = "0.4.3", default-features = false}
sgx = { version = "0.5.0", default-features = false }
signature = {version = "1.6", default-features = false }
rsa = {version = "0.7.1", features = ["std"], default-features = false }
p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
rand = { version = "0.8", features = ["std"], default-features = false }

tracing-subscriber = { version="^0.3.15", features = ["env-filter", "json", "fmt"], default-features = false }
tower-http = { version = "^0.3.0", features = ["trace"], default-features = false }
Expand Down Expand Up @@ -55,3 +47,11 @@ incremental = false
codegen-units = 1
lto = true
strip = true

[workspace]
resolver = '2'
members = [
'crates/sgx_validation',
'crates/snp_validation',
'crates/cryptography',
]
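--- a/crates/cryptography/Cargo.toml
+++ b/crates/cryptography/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "cryptography"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "Cryptography library for Steward"
+
+[dependencies]
+anyhow = { version = "^1.0.55", features = ["std"], default-features = false }
+const-oid = { version = "0.9.0", features = ["db"], default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+rand = { version = "0.8", features = ["std"], default-features = false }
+rsa = {version = "0.7.1", features = ["std"], default-features = false }
+rustls-pemfile = {version = "1.0.1", default-features = false }
+sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
+sha2 = { version = "^0.10.2", default-features = false }
+signature = {version = "1.6", default-features = false }
+spki = { version = "0.6", default-features = false }
+p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
+p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
+x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
+zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }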
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
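--- a/crates/cryptography/src/lib.rs
+++ b/crates/cryptography/src/lib.rs
@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: 2022 Profian Inc. <[email protected]>
+// SPDX-License-Identifier: AGPL-3.0-only
+
+pub mod ext;
+
+pub use const_oid;
+pub use p256;
+pub use p384;
+pub use rand;
+pub use rsa;
+pub use rustls_pemfile;
+pub use sec1;
+pub use sha2;
+pub use signature;
+pub use x509;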
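Review bot: The crate root re-exports ten dependencies wholesale but leaves out `der`, which `crates/cryptography/Cargo.toml` also depends on, so `sgx_validation` and `snp_validation` each declare their own `der = "0.6"`, and `sgx_validation` pulls `der::{Decode, Encode}` from that separate declaration while taking its certificate types from `cryptography::x509`. Those traits only line up with the X.509 types while every manifest resolves to the same `der` release. Adding `pub use der;` here and importing `cryptography::der` downstream would keep the codec traits and the certificate types on one version by construction. The root also has no `//!` summary; a line such as `//! Cryptography library for Steward: shared helpers plus re-exports of the crates they build on.` would say what the crate is for and that the re-exported crates' versions are part of its public API.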
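--- a/crates/sgx_validation/Cargo.toml
+++ b/crates/sgx_validation/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "sgx_validation"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "Intel SGX Attestation validation library for Steward"
+
+[dependencies]
+cryptography = { path = "../cryptography" }
+anyhow = { version = "^1.0.55", default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+sgx = { version = "0.5.0", default-features = false }
+
+[dev-dependencies]
+testaso = { version = "0.1", default-features = false }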
18 changes: 7 additions & 11 deletions src/ext/sgx/mod.rs → crates/sgx_validation/src/lib.rs
Expand Up @@ -3,18 +3,17 @@

mod quote;

use super::ExtVerifier;
use crate::crypto::*;
use cryptography::ext::*;
use quote::traits::ParseBytes;

use std::fmt::Debug;

use anyhow::{anyhow, Result};
use const_oid::ObjectIdentifier;
use cryptography::const_oid::ObjectIdentifier;
use cryptography::sha2::{Digest, Sha256};
use cryptography::x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
use der::{Decode, Encode};
use sgx::parameters::{Attributes, MiscSelect};
use sha2::{Digest, Sha256};
use x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};

#[derive(Clone, Debug)]
pub struct Sgx([Certificate<'static>; 1]);
Expand All @@ -27,6 +26,8 @@ impl Default for Sgx {

impl Sgx {
const ROOT: &'static [u8] = include_bytes!("root.der");
pub const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.2");
pub const ATT: bool = true;

fn trusted<'c>(&'c self, chain: &'c [Certificate<'c>]) -> Result<&'c TbsCertificate<'c>> {
let mut signer = &self.0[0].tbs_certificate;
Expand All @@ -36,13 +37,8 @@ impl Sgx {

Ok(signer)
}
}

impl ExtVerifier for Sgx {
const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.2");
const ATT: bool = true;

fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
pub fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
if ext.critical {
return Err(anyhow!("sgx extension cannot be critical"));
}
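Review bot: `OID`, `ATT` and `verify` move out of the `ExtVerifier` impl and become inherent `pub` items on `Sgx` in the second and third hunks, and none of them carries a doc comment although they are now this crate's public API. `verify` takes `dbg: bool` and returns `Result<bool>`; a caller of an attestation check needs to know which checks `dbg` relaxes and what `Ok(false)` means, and neither is visible here because the body continues past the hunk. I would add `/// Verifies the SGX attestation extension of a certificate request.` followed by a sentence on `dbg` and on the return value, plus one-line `///` comments on `OID` and `ATT`. With the trait impl gone, nothing visible in this file ties the signature to whatever the caller expects of a verifier, so the documented contract is the only statement of it.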
File renamed without changes.
File renamed without changes.
File renamed without changes.
Expand Up @@ -3,9 +3,9 @@

use super::{qe::QuotingEnclave, FromBytes, ParseBytes};

use std::array::TryFromSliceError;

use anyhow::anyhow;
use der::{asn1::UIntRef, Sequence};
use std::array::TryFromSliceError;

#[derive(Clone, Debug)]
#[repr(C)]
Expand Up @@ -15,15 +15,16 @@ pub mod es256;
pub mod qe;
pub mod traits;

use crate::crypto::TbsCertificateExt;
use anyhow::anyhow;
use body::Body;
use cryptography::ext::TbsCertificateExt;
use traits::{FromBytes, ParseBytes, Steal};

use cryptography::p256::ecdsa::signature::Verifier;
use cryptography::sha2::{digest::DynDigest, Sha256};
use cryptography::x509::TbsCertificate;
use der::Encode;
use p256::ecdsa::signature::Verifier;
use sgx::ReportBody;
use sha2::{digest::DynDigest, Sha256};
use x509::TbsCertificate;

pub struct Quote<'a> {
body: &'a Body,
Expand Down Expand Up @@ -71,7 +72,7 @@ impl<'a> Quote<'a> {

// Validate the Attestation Key.
let mut data = [0u8; 64];
let mut hash = <Sha256 as sha2::Digest>::new();
let mut hash = <Sha256 as cryptography::sha2::Digest>::new();
hash.update(self.sign.key.as_ref());
hash.update(self.sign.iqe.auth.as_ref());
hash.finalize_into(&mut data[..32])?;
Expand All @@ -80,8 +81,8 @@ impl<'a> Quote<'a> {
}

// Verify the signature on the enclave report.
let vkey = p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
let sig = p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
let vkey = cryptography::p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
let sig = cryptography::p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
vkey.verify(self.body.as_ref(), &sig)?;

// Verify the PCE security version.
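Review bot: The signature check in the third hunk now spells out `cryptography::p256::ecdsa::VerifyingKey` and `cryptography::p256::ecdsa::Signature` inline, although the import block in the first hunk already reaches into the same module for `Verifier`. Importing the module once, `use cryptography::p256::ecdsa::{self, signature::Verifier};`, lets the two calls read `ecdsa::VerifyingKey::from_sec1_bytes(...)` and `ecdsa::Signature::from_der(...)`, which keeps the verification step short without risking a clash with type names local to this module. The enclosing function starts and ends outside the hunk, so other uses of the long path may exist that are not visible here.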
File renamed without changes.
Expand Up @@ -3,6 +3,8 @@

use super::super::{FromBytes, ParseBytes, Steal};

use anyhow::anyhow;

#[derive(Clone, Debug)]
#[non_exhaustive]
pub enum Data {
Expand All @@ -23,7 +25,7 @@ impl<'a> FromBytes<'a> for Data {
.map_err(|e| anyhow!("invalid certification data: {}", e))?
.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE-----\n");

let mut certs = rustls_pemfile::certs(&mut chain.as_bytes())
let mut certs = cryptography::rustls_pemfile::certs(&mut chain.as_bytes())
.map_err(|e| anyhow!("invalid certification data: {}", e))?;

certs.reverse();
File renamed without changes.
File renamed without changes.
File renamed without changes.
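--- a/crates/snp_validation/Cargo.toml
+++ b/crates/snp_validation/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "snp_validation"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "AMD SEV-SNP Attestation validation library for Steward"
+
+[dependencies]
+cryptography = { path = "../cryptography" }
+anyhow = { version = "^1.0.55", default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+flagset = { version = "0.4.3", default-features = false}
+
+[dev-dependencies]
+testaso = { version = "0.1", default-features = false }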
File renamed without changes.