feat: use wasi-crypto as an optionl wasi feature

Signed-off-by: Richard Zak <richard@profian.com>

.cargo/config

@@ -1,3 +1,11 @@
+[env]
+RUST_BACKTRACE = "1"
+WASMTIME_BACKTRACE_DETAILS = "1"
+
+[build]
+target = "wasm32-wasi"
+
 [target.wasm32-wasi]
 rustflags = ["--cfg", "tokio_unstable"]
-runner = ["enarx", "run", "--wasmcfgfile", "Enarx.toml"]
+# runner = ["./enarx", "run", "--wasmcfgfile", "Enarx.toml"]
+runner = ["/home/rjzak/bin/wasmtime-wasi-crypto", "--wasi-modules", "experimental-wasi-crypto", "--"]

Cargo.toml

@@ -42,6 +42,9 @@ confargs = { version = "^0.1.3", default-features = false }
 [target.'cfg(not(target_os = "wasi"))'.dependencies]
 tokio = { version = "^1.21.2", features = ["rt-multi-thread", "macros"], default-features = false }
 
+[target.'cfg(target_os = "wasi")'.dependencies]
+wasi-crypto-guest = { git = "https://github.com/WebAssembly/wasi-crypto", branch = "main", optional = true }
+
 [dev-dependencies]
 tower = { version = "^0.4.11", features = ["util"], default-features = false }
 axum = { version = "^0.5.17", default-features = false }
@@ -50,6 +53,10 @@ memoffset = { version = "0.7.1", default-features = false }
 rstest = { version = "0.15", default-features = false }
 testaso = { version = "0.1", default-features = false }
 
+[features]
+default = []
+wasi-crypto = ["dep:wasi-crypto-guest"]
+
 [profile.release]
 incremental = false
 codegen-units = 1

rust-toolchain.toml

@@ -1,5 +1,5 @@
 [toolchain]
-channel = "stable"
+channel = "nightly"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
 targets = [

src/crypto/hashing.rs

@@ -0,0 +1,51 @@
+// SPDX-FileCopyrightText: 2022 Profian Inc. <opensource@profian.com>
+// SPDX-License-Identifier: AGPL-3.0-only
+
+use anyhow::Result;
+
+#[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+use anyhow::anyhow;
+#[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+use wasi_crypto_guest::prelude::Hash;
+
+#[cfg(any(not(target_os = "wasi"), not(feature = "wasi-crypto")))]
+use sha2::{Digest, Sha256, Sha384};
+
+#[inline]
+pub fn sha256(data: impl AsRef<[u8]>) -> Result<Vec<u8>> {
+ #[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+ return Ok(Hash::hash("SHA-256", data, 32, None).or_else(|_| Err(anyhow!("hash error")))?);
+
+ #[cfg(any(not(target_os = "wasi"), not(feature = "wasi-crypto")))]
+ Ok(Sha256::digest(data).as_slice().to_vec())
+}
+
+#[inline]
+pub fn sha384(data: impl AsRef<[u8]>) -> Result<Vec<u8>> {
+ #[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+ return Ok(Hash::hash("SHA-384", data, 48, None).or_else(|_| Err(anyhow!("hash error")))?);
+
+ #[cfg(any(not(target_os = "wasi"), not(feature = "wasi-crypto")))]
+ Ok(Sha384::digest(data).as_slice().to_vec())
+}
+
+#[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+#[cfg(test)]
+mod wasi_crypto {
+ use crate::{sha256, sha384};
+ use sha2::Digest;
+
+ const DATA: &[u8] = b"SOME_TEST_DATA";
+
+ #[test]
+ fn test_sha256() {
+ let hash = sha256(DATA).unwrap();
+ assert_eq!(hash, sha2::Sha256::digest(DATA).as_slice());
+ }
+
+ #[test]
+ fn test_sha384() {
+ let hash = sha384(DATA).unwrap();
+ assert_eq!(hash, sha2::Sha384::digest(DATA).as_slice());
+ }
+}

src/crypto/mod.rs

@@ -3,10 +3,12 @@
 
 mod cert;
 mod certreq;
+mod hashing;
 mod pki;
 mod spki;
 
 pub use self::cert::TbsCertificateExt;
 pub use self::certreq::{CertReqExt, CertReqInfoExt};
+pub use self::hashing::{sha256, sha384};
 pub use self::pki::PrivateKeyInfoExt;
 pub use self::spki::SubjectPublicKeyInfoExt;

src/crypto/spki.rs

@@ -4,6 +4,8 @@
 use anyhow::{anyhow, Result};
 use const_oid::ObjectIdentifier;
 use der::{asn1::AnyRef, Sequence};
+
+#[cfg(any(not(target_os = "wasi"), not(feature = "wasi-crypto")))]
 use rsa::pkcs1::DecodeRsaPublicKey;
 use spki::{AlgorithmIdentifier, SubjectPublicKeyInfo};
 
@@ -13,6 +15,9 @@ use const_oid::db::rfc5912::{
  SECP_256_R_1 as P256, SECP_384_R_1 as P384,
 };
 
+#[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+use wasi_crypto_guest::signatures::{Signature, SignaturePublicKey};
+
 const ES256: (ObjectIdentifier, Option<AnyRef<'static>>) = (ECDSA_WITH_SHA_256, None);
 const ES384: (ObjectIdentifier, Option<AnyRef<'static>>) = (ECDSA_WITH_SHA_384, None);
 
@@ -43,6 +48,93 @@ pub trait SubjectPublicKeyInfoExt {
 }
 
 impl<'a> SubjectPublicKeyInfoExt for SubjectPublicKeyInfo<'a> {
+ #[cfg(all(target_os = "wasi", feature = "wasi-crypto"))]
+ fn verify(&self, body: &[u8], algo: AlgorithmIdentifier<'_>, sign: &[u8]) -> Result<()> {
+ let algo_name = match (self.algorithm.oids()?, (algo.oid, algo.parameters)) {
+ ((ECPK, Some(P256)), ES256) => "ECDSA_P256_SHA256",
+ ((ECPK, Some(P384)), ES384) => "ECDSA_P384_SHA384",
+ ((RSA, None), (ID_RSASSA_PSS, Some(p))) => {
+ // Decompose the RSA PSS parameters.
+ let RsaSsaPssParams {
+ hash_algorithm: hash,
+ mask_algorithm: mask,
+ salt_length: salt,
+ trailer_field: tfld,
+ } = p.decode_into().unwrap();
+
+ // Validate the sanity of the mask algorithm.
+ let algo = match (mask.oid, mask.parameters) {
+ (ID_MGF_1, Some(p)) => {
+ let p = p.decode_into::<AlgorithmIdentifier<'_>>()?;
+ match (p.oids()?, salt, tfld) {
+ ((SHA256, None), 32, 1) => Ok(SHA256),
+ ((SHA384, None), 48, 1) => Ok(SHA384),
+ ((SHA512, None), 64, 1) => Ok(SHA512),
+ ((x, y), s, t) => {
+ eprint!(
+ "Unknown RSA hash and components: {:?}, {:?}, salt {}, tfld {}",
+ x, y, s, t
+ );
+ Err(anyhow!("unsupported"))
+ }
+ }
+ }
+ (x, _) => {
+ eprintln!("Unknown RSA OID {:?}", x);
+ Err(anyhow!("unsupported"))
+ }
+ }
+ .map_err(|e| {
+ eprintln!("Some algo error {:?}", e);
+ anyhow!("{:?}", e)
+ })
+ .unwrap();
+
+ match (hash.oids()?, algo) {
+ ((SHA256, None), SHA256) => "RSA_PSS_2048_SHA256",
+ ((SHA384, None), SHA384) => "RSA_PSS_3072_SHA384",
+ ((SHA512, None), SHA512) => "RSA_PSS_4096_SHA512",
+ _ => {
+ eprintln!("Error unknown hash.oids");
+ bail!("unsupported")
+ }
+ }
+ }
+ _ => {
+ eprintln!("Unknown algorithm, should not be here!");
+ bail!("unsupported")
+ }
+ };
+
+ eprintln!("spki.rs verify() algo: {}", algo_name);
+
+ let public_key = SignaturePublicKey::from_raw(algo_name, self.subject_public_key)
+ .map_err(|e| anyhow!("{:?}", e))
+ .unwrap();
+
+ let signature = match algo_name {
+ "ECDSA_P256_SHA256" => {
+ let temp = p256::ecdsa::Signature::from_der(sign)?;
+ temp.to_vec()
+ }
+ "ECDSA_P384_SHA384" => {
+ let temp = p384::ecdsa::Signature::from_der(sign)?;
+ temp.to_vec()
+ }
+ _ => sign.to_vec(),
+ };
+
+ let signature = Signature::from_raw(algo_name, &signature)
+ .map_err(|e| anyhow!("{:?}", e))
+ .unwrap();
+
+ Ok(public_key
+ .signature_verify(body, &signature)
+ .map_err(|e| anyhow!("{:?}", e))
+ .unwrap())
+ }
+
+ #[cfg(any(not(target_os = "wasi"), not(feature = "wasi-crypto")))]
  fn verify(&self, body: &[u8], algo: AlgorithmIdentifier<'_>, sign: &[u8]) -> Result<()> {
  match (self.algorithm.oids()?, (algo.oid, algo.parameters)) {
  ((ECPK, Some(P256)), ES256) => {

src/ext/sgx/mod.rs

@@ -13,7 +13,6 @@ use anyhow::{anyhow, Result};
 use const_oid::ObjectIdentifier;
 use der::{Decode, Encode};
 use sgx::parameters::{Attributes, MiscSelect};
-use sha2::{Digest, Sha256};
 use x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
 
 #[derive(Clone, Debug)]
@@ -84,7 +83,7 @@ impl ExtVerifier for Sgx {
 
  if !dbg {
  // TODO: Validate that the certification request came from an SGX enclave.
- let hash = Sha256::digest(&cri.public_key.to_vec()?);
+ let hash = sha256(&cri.public_key.to_vec()?)?;
  if hash.as_slice() != &rpt.reportdata[..hash.as_slice().len()] {
  return Err(anyhow!("sgx report data is invalid"));
  }

src/ext/snp/mod.rs

@@ -13,7 +13,6 @@ use der::asn1::UIntRef;
 use der::{Decode, Encode, Sequence};
 use flagset::{flags, FlagSet};
 use sec1::pkcs8::AlgorithmIdentifier;
-use sha2::Digest;
 use x509::ext::Extension;
 use x509::{request::CertReqInfo, Certificate};
 use x509::{PkiPath, TbsCertificate};
@@ -374,7 +373,7 @@ impl ExtVerifier for Snp {
 
  if !dbg {
  // Validate that the certification request came from an SNP VM.
- let hash = sha2::Sha384::digest(&cri.public_key.to_vec()?);
+ let hash = sha384(&cri.public_key.to_vec()?)?;
  if hash.as_slice() != &report.body.report_data[..hash.as_slice().len()] {
  return Err(anyhow!("snp report.report_data is invalid"));
  }