-
Notifications
You must be signed in to change notification settings - Fork 120
Use vendored version of ring in remote attestation #2661
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
6b43367
80f7440
b06addc
87c34d1
a93444a
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -234,11 +234,10 @@ impl KeyNegotiator { | |
) -> anyhow::Result<(EncryptionKey, DecryptionKey)> { | ||
let type_ = self.type_.clone(); | ||
let self_public_key = self.public_key().context("Couldn't get self public key")?; | ||
let (encryption_key, decryption_key) = agreement::agree_ephemeral( | ||
agreement::agree_ephemeral( | ||
self.private_key, | ||
&agreement::UnparsedPublicKey::new(KEY_AGREEMENT_ALGORITHM, peer_public_key), | ||
anyhow!("Couldn't derive session keys"), | ||
|key_material| { | ||
|key_material| -> anyhow::Result<(EncryptionKey, DecryptionKey)> { | ||
Comment on lines
+237
to
+240
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The updated ring version no longer takes an error as a parameter, but instead returns an additional result |
||
let key_material = key_material | ||
.try_into() | ||
.map_err(anyhow::Error::msg) | ||
|
@@ -251,44 +250,54 @@ impl KeyNegotiator { | |
match type_ { | ||
// On the server side `self_public_key` is the server key. | ||
KeyNegotiatorType::Server => { | ||
let encryption_key = Self::key_derivation_function( | ||
key_material, | ||
SERVER_KEY_PURPOSE, | ||
&self_public_key, | ||
&peer_public_key, | ||
let encryption_key = EncryptionKey( | ||
Self::key_derivation_function( | ||
key_material, | ||
SERVER_KEY_PURPOSE, | ||
&self_public_key, | ||
&peer_public_key, | ||
) | ||
.context("Couldn't derive decryption key")?, | ||
); | ||
let decryption_key = Self::key_derivation_function( | ||
key_material, | ||
CLIENT_KEY_PURPOSE, | ||
&self_public_key, | ||
&peer_public_key, | ||
let decryption_key = DecryptionKey( | ||
Self::key_derivation_function( | ||
key_material, | ||
CLIENT_KEY_PURPOSE, | ||
&self_public_key, | ||
&peer_public_key, | ||
) | ||
.context("Couldn't derive encryption key")?, | ||
); | ||
Ok((encryption_key, decryption_key)) | ||
} | ||
// On the client side `peer_public_key` is the server key. | ||
KeyNegotiatorType::Client => { | ||
let encryption_key = Self::key_derivation_function( | ||
key_material, | ||
CLIENT_KEY_PURPOSE, | ||
&peer_public_key, | ||
&self_public_key, | ||
let encryption_key = EncryptionKey( | ||
Self::key_derivation_function( | ||
key_material, | ||
CLIENT_KEY_PURPOSE, | ||
&peer_public_key, | ||
&self_public_key, | ||
) | ||
.context("Couldn't derive decryption key")?, | ||
); | ||
let decryption_key = Self::key_derivation_function( | ||
key_material, | ||
SERVER_KEY_PURPOSE, | ||
&peer_public_key, | ||
&self_public_key, | ||
let decryption_key = DecryptionKey( | ||
Self::key_derivation_function( | ||
key_material, | ||
SERVER_KEY_PURPOSE, | ||
&peer_public_key, | ||
&self_public_key, | ||
) | ||
.context("Couldn't derive encryption key")?, | ||
); | ||
Ok((encryption_key, decryption_key)) | ||
} | ||
} | ||
}, | ||
) | ||
.context("Couldn't agree on session keys")?; | ||
Ok(( | ||
EncryptionKey(encryption_key.context("Couldn't derive encryption key")?), | ||
DecryptionKey(decryption_key.context("Couldn't derive decryption key")?), | ||
)) | ||
.map_err(anyhow::Error::msg) | ||
.context("Couldn't derive session keys")? | ||
.context("Couldn't agree on session keys") | ||
} | ||
|
||
/// Derives a session key from `key_material` using HKDF. | ||
|
@@ -351,8 +360,9 @@ impl Signer { | |
let rng = ring::rand::SystemRandom::new(); | ||
let key_pair_pkcs8 = EcdsaKeyPair::generate_pkcs8(SIGNING_ALGORITHM, &rng) | ||
.map_err(|error| anyhow!("Couldn't generate PKCS#8 key pair: {:?}", error))?; | ||
let key_pair = EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref()) | ||
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?; | ||
let key_pair = | ||
EcdsaKeyPair::from_pkcs8(SIGNING_ALGORITHM, key_pair_pkcs8.as_ref(), &rng) | ||
.map_err(|error| anyhow!("Couldn't parse generated key pair: {:?}", error))?; | ||
|
||
Ok(Self { key_pair }) | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason this needed removing is somewhat counterintuitive:
In cargo,
version = "*"
does not in fact mean "any version", but instead "any version that is published on crates.io". We need to remove this (optional) key to truly check any version (in our case our vendored version).