Skip to content

Commit

Permalink
Rebase and update SDK latest version
Browse files Browse the repository at this point in the history 
This fixes the build issues that cropped up from integrating other
patches into the repo.

Signed-off-by: Petre Eftime <epetre@amazon.com>
  • Loading branch information
Petre Eftime committed Aug 5, 2022
1 parent e6ac0fc commit e3dd6f6
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 28 deletions.
6 changes: 3 additions & 3 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,12 @@ features = ["derive"]

[dev-dependencies]
hex = "0.4"
tokio = { version = "1.20", features = ["macros"] }
aws-config = "0.46"

[features]
default = ["key_openssl_pkey"]
key_openssl_pkey = ["openssl"]
key_tpm = ["tss-esapi", "openssl"]
key_kms = ["aws-sdk-kms", "tokio"]
key_kms = ["aws-sdk-kms", "tokio", "key_openssl_pkey"]

[dev-dependencies]
tokio = { version = "1.20", features = ["macros"] }
29 changes: 18 additions & 11 deletions src/crypto/kms.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,21 +3,22 @@
use openssl::{
bn::BigNum,
ecdsa::EcdsaSig,
hash::MessageDigest,
pkey::{PKey, Public},
};
use tokio::runtime::Runtime;

use aws_sdk_kms::{
error::{VerifyError, VerifyErrorKind},
model::{MessageType, SigningAlgorithmSpec},
Blob, Client, SdkError,
types::Blob,
types::SdkError,
Client,
};

use crate::{
crypto::{ec_curve_to_parameters, SigningPrivateKey, SigningPublicKey},
crypto::openssl_pkey::ec_curve_to_parameters,
crypto::{MessageDigest, SignatureAlgorithm, SigningPrivateKey, SigningPublicKey},
error::CoseError,
sign::SignatureAlgorithm,
};

/// A reference to an AWS KMS key and client
Expand Down Expand Up @@ -94,7 +95,8 @@ impl KmsKey {
CoseError::UnsupportedError("No public key returned".to_string())
})?;

PKey::public_key_from_der(public_key.as_ref()).map_err(CoseError::SignatureError)?
PKey::public_key_from_der(public_key.as_ref())
.map_err(|e| CoseError::SignatureError(Box::new(e)))?
}
};

Expand Down Expand Up @@ -151,11 +153,16 @@ impl SigningPublicKey for KmsKey {
// Recover the R and S factors from the signature contained in the object
let (bytes_r, bytes_s) = signature.split_at(self.sig_alg.key_length());

let r = BigNum::from_slice(&bytes_r).map_err(CoseError::SignatureError)?;
let s = BigNum::from_slice(&bytes_s).map_err(CoseError::SignatureError)?;
let r =
BigNum::from_slice(&bytes_r).map_err(|e| CoseError::SignatureError(Box::new(e)))?;
let s =
BigNum::from_slice(&bytes_s).map_err(|e| CoseError::SignatureError(Box::new(e)))?;

let sig = EcdsaSig::from_private_components(r, s).map_err(CoseError::SignatureError)?;
let sig = sig.to_der().map_err(CoseError::SignatureError)?;
let sig = EcdsaSig::from_private_components(r, s)
.map_err(|e| CoseError::SignatureError(Box::new(e)))?;
let sig = sig
.to_der()
.map_err(|e| CoseError::SignatureError(Box::new(e)))?;

let request = self
.client
Expand Down Expand Up @@ -203,8 +210,8 @@ impl SigningPrivateKey for KmsKey {
.signature
.ok_or_else(|| CoseError::UnsupportedError("No signature returned".to_string()))?;

let signature =
EcdsaSig::from_der(signature.as_ref()).map_err(CoseError::SignatureError)?;
let signature = EcdsaSig::from_der(signature.as_ref())
.map_err(|e| CoseError::SignatureError(Box::new(e)))?;

let key_length = self.sig_alg.key_length();

Expand Down
6 changes: 3 additions & 3 deletions src/error.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,13 +35,13 @@ pub enum CoseError {
TpmError(tss_esapi::Error),
/// AWS sign error occured
#[cfg(feature = "key_kms")]
AwsSignError(aws_sdk_kms::SdkError<aws_sdk_kms::error::SignError>),
AwsSignError(aws_sdk_kms::types::SdkError<aws_sdk_kms::error::SignError>),
/// AWS verify error occured
#[cfg(feature = "key_kms")]
AwsVerifyError(aws_sdk_kms::SdkError<aws_sdk_kms::error::VerifyError>),
AwsVerifyError(aws_sdk_kms::types::SdkError<aws_sdk_kms::error::VerifyError>),
/// AWS GetPublicKey error occured
#[cfg(all(feature = "key_kms", feature = "key_openssl_pkey"))]
AwsGetPublicKeyError(aws_sdk_kms::SdkError<aws_sdk_kms::error::GetPublicKeyError>),
AwsGetPublicKeyError(aws_sdk_kms::types::SdkError<aws_sdk_kms::error::GetPublicKeyError>),
}

impl fmt::Display for CoseError {
Expand Down
25 changes: 14 additions & 11 deletions src/sign.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1294,7 +1294,10 @@ mod tests {
use std::str::FromStr;

use super::TEXT;
use crate::{crypto::kms::KmsKey, sign::*};
use crate::{
crypto::{kms::KmsKey, Openssl, SignatureAlgorithm},
sign::*,
};

use std::env;

Expand All @@ -1316,16 +1319,16 @@ mod tests {

let mut map = HeaderMap::new();
map.insert(CborValue::Integer(4), CborValue::Bytes(b"11".to_vec()));
let cose_doc1 = CoseSign1::new(TEXT, &map, &kms_key).unwrap();
let cose_doc1 = CoseSign1::new::<Openssl>(TEXT, &map, &kms_key).unwrap();
let tagged_bytes = cose_doc1.as_bytes(true).unwrap();

// Tag 6.18 should be present
assert_eq!(tagged_bytes[0], 6 << 5 | 18);
let cose_doc2 = CoseSign1::from_bytes(&tagged_bytes).unwrap();

assert_eq!(
cose_doc1.get_payload(None).unwrap(),
cose_doc2.get_payload(Some(&kms_key)).unwrap()
cose_doc1.get_payload::<Openssl>(None).unwrap(),
cose_doc2.get_payload::<Openssl>(Some(&kms_key)).unwrap()
);
})
.await
Expand All @@ -1349,15 +1352,15 @@ mod tests {

let mut map = HeaderMap::new();
map.insert(CborValue::Integer(4), CborValue::Bytes(b"11".to_vec()));
let mut cose_doc1 = CoseSign1::new(TEXT, &map, &kms_key).unwrap();
let mut cose_doc1 = CoseSign1::new::<Openssl>(TEXT, &map, &kms_key).unwrap();

// Mangle the signature
cose_doc1.signature[0] ^= 0xff;

let tagged_bytes = cose_doc1.as_bytes(true).unwrap();
let cose_doc2 = CoseSign1::from_bytes(&tagged_bytes).unwrap();

match cose_doc2.get_payload(Some(&kms_key)) {
match cose_doc2.get_payload::<Openssl>(Some(&kms_key)) {
Ok(_) => panic!("Did not fail"),
Err(CoseError::UnverifiedSignature) => {}
Err(e) => {
Expand All @@ -1383,16 +1386,16 @@ mod tests {

let mut map = HeaderMap::new();
map.insert(CborValue::Integer(4), CborValue::Bytes(b"11".to_vec()));
let cose_doc1 = CoseSign1::new(TEXT, &map, &kms_key).unwrap();
let cose_doc1 = CoseSign1::new::<Openssl>(TEXT, &map, &kms_key).unwrap();
let tagged_bytes = cose_doc1.as_bytes(true).unwrap();

// Tag 6.18 should be present
assert_eq!(tagged_bytes[0], 6 << 5 | 18);
let cose_doc2 = CoseSign1::from_bytes(&tagged_bytes).unwrap();

assert_eq!(
cose_doc1.get_payload(None).unwrap(),
cose_doc2.get_payload(Some(&kms_key)).unwrap()
cose_doc1.get_payload::<Openssl>(None).unwrap(),
cose_doc2.get_payload::<Openssl>(Some(&kms_key)).unwrap()
);
})
.await
Expand All @@ -1413,15 +1416,15 @@ mod tests {

let mut map = HeaderMap::new();
map.insert(CborValue::Integer(4), CborValue::Bytes(b"11".to_vec()));
let mut cose_doc1 = CoseSign1::new(TEXT, &map, &kms_key).unwrap();
let mut cose_doc1 = CoseSign1::new::<Openssl>(TEXT, &map, &kms_key).unwrap();

// Mangle the signature
cose_doc1.signature[0] ^= 0xff;

let tagged_bytes = cose_doc1.as_bytes(true).unwrap();
let cose_doc2 = CoseSign1::from_bytes(&tagged_bytes).unwrap();

match cose_doc2.get_payload(Some(&kms_key)) {
match cose_doc2.get_payload::<Openssl>(Some(&kms_key)) {
Ok(_) => panic!("Did not fail"),
Err(CoseError::UnverifiedSignature) => {}
Err(e) => {
Expand Down

0 comments on commit e3dd6f6

Please sign in to comment.