Skip to content

Commit

Permalink
Merge pull request #269 from flavio/update-crypto-deps
Browse files Browse the repository at this point in the history 
Update crypto deps
  • Loading branch information
@flavio
flavio authored May 30, 2023
2 parents 12f67b2 + 7770488 commit 2500875
Show file tree
Hide file tree
Showing 15 changed files with 139 additions and 151 deletions.
18 changes: 8 additions & 10 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,28 +73,27 @@ cached = { version = "0.42.0", optional = true }
cfg-if = "1.0.0"
chrono = { version = "0.4.23" }
const-oid = "0.9.1"
der = "0.7.5"
digest = { version = "0.10.3", default-features = false }
ecdsa = { version = "0.15", features = ["pkcs8", "digest", "der"] }
ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
ed25519 = { version = "2.2.1", features = ["alloc"] }
ed25519-dalek = { version = "2.0.0-rc.2", features = ["pkcs8", "rand_core"] }
elliptic-curve = { version = "0.12.2", features = ["arithmetic", "pem"] }
elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] }
lazy_static = "1.4.0"
oci-distribution = { version = "0.9", default-features = false, optional = true }
olpc-cjson = "0.1"
openidconnect = { version = "3.0", default-features = false, features = [
"reqwest",
], optional = true }
p256 = "0.12"
p384 = "0.12"
p256 = "0.13.2"
p384 = "0.13"
webbrowser = "0.8.4"
pem = "1.0.2"
pem = "2.0"
picky = { version = "7.0.0-rc.5", default-features = false, features = [
"x509",
"ec",
] }
pkcs1 = { version = "0.7.5", features = ["std"] }
pkcs8 = { version = "0.9.0", features = [
pkcs8 = { version = "0.10.2", features = [
"pem",
"alloc",
"pkcs5",
Expand All @@ -107,19 +106,18 @@ reqwest = { version = "0.11", default-features = false, features = [
"json",
"multipart",
], optional = true }
rsa = "0.8.2"
rsa = "0.9.2"
scrypt = "0.11.0"
serde = { version = "1.0.136", features = ["derive"] }
serde_json = "1.0.79"
sha2 = { version = "0.10.6", features = ["oid"] }
signature = { version = "2.0" }
spki = { version = "0.7.2", features = ["pem", "std"] }
thiserror = "1.0.30"
tokio = { version = "1.17.0", features = ["rt"] }
tough = { version = "0.13", features = ["http"], optional = true }
tracing = "0.1.31"
url = "2.2.2"
x509-cert = { version = "0.1.1", features = ["pem", "std"] }
x509-cert = { version = "0.2.2", features = ["pem", "std"] }
crypto_secretbox = "0.1.1"
zeroize = "1.5.7"

Expand Down
2 changes: 1 addition & 1 deletion examples/cosign/verify/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -349,7 +349,7 @@ fn parse_cert_bundle(bundle_path: &str) -> Result<Vec<sigstore::registry::Certif
.iter()
.map(|pem| sigstore::registry::Certificate {
encoding: sigstore::registry::CertificateEncoding::Der,
data: pem.contents.clone(),
data: pem.contents().to_vec(),
})
.collect())
}
2 changes: 1 addition & 1 deletion examples/fulcio/cert/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ async fn main() {

let pems = pem::parse_many(cert.as_ref()).expect("parse pem failed");
for pem in &pems {
let cert = Certificate::from_der(&pem.contents).expect("parse certificate from der");
let cert = Certificate::from_der(pem.contents()).expect("parse certificate from der");

let (_, san) = cert
.tbs_certificate
Expand Down
2 changes: 0 additions & 2 deletions examples/rekor/create_log_entry/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -98,10 +98,8 @@ async fn main() {

// The following default values will be used if the user does not input values using cli flags
const HASH: &str = "c7ead87fa5c82d2b17feece1c2ee1bda8e94788f4b208de5057b3617a42b7413";
const URL: &str = "https://raw.githubusercontent.com/jyotsna-penumaka/rekor-rs/rekor-functionality/test_data/data";
const PUBLIC_KEY: &str = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFeEhUTWRSQk80ZThCcGZ3cG5KMlozT2JMRlVrVQpaUVp6WGxtKzdyd1lZKzhSMUZpRWhmS0JZclZraGpHL2lCUjZac2s3Z01iYWZPOG9FM01lUEVvWU93PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==";
const SIGNATURE: &str = "MEUCIHWACbBnw+YkJCy2tVQd5i7VH6HgkdVBdP7HRV1IEsDuAiEA19iJNvmkE6We7iZGjHsTkjXV8QhK9iXu0ArUxvJF1N8=";
const KEY_FORMAT: &str = "x509";
const API_VERSION: &str = "0.0.1";

let hash = Hash::new(
Expand Down
2 changes: 0 additions & 2 deletions examples/rekor/search_log_query/main.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,8 @@ async fn main() {

// The following default values will be used if the user does not input values using cli flags
const HASH: &str = "c7ead87fa5c82d2b17feece1c2ee1bda8e94788f4b208de5057b3617a42b7413";
const URL: &str = "https://raw.githubusercontent.com/jyotsna-penumaka/rekor-rs/rekor-functionality/test_data/data";
const PUBLIC_KEY: &str = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFeEhUTWRSQk80ZThCcGZ3cG5KMlozT2JMRlVrVQpaUVp6WGxtKzdyd1lZKzhSMUZpRWhmS0JZclZraGpHL2lCUjZac2s3Z01iYWZPOG9FM01lUEVvWU93PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==";
const SIGNATURE: &str = "MEUCIHWACbBnw+YkJCy2tVQd5i7VH6HgkdVBdP7HRV1IEsDuAiEA19iJNvmkE6We7iZGjHsTkjXV8QhK9iXu0ArUxvJF1N8=";
const KEY_FORMAT: &str = "x509";
const API_VERSION: &str = "0.0.1";
const ENTRY_UUIDS: &str = "1377da9d9dbad451a5a8acdd28add750815d34e8205f1b8a35a67b8a27dae9bf";
const LOG_INDEXES: &str = "2922253";
Expand Down
2 changes: 1 addition & 1 deletion src/cosign/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,7 @@ pub trait CosignCapabilities {
fn verify_blob(cert: &str, signature: &str, blob: &[u8]) -> Result<()> {
let cert = BASE64_STD_ENGINE.decode(cert)?;
let pem = pem::parse(cert)?;
let cert = Certificate::from_der(&pem.contents).map_err(|e| {
let cert = Certificate::from_der(pem.contents()).map_err(|e| {
SigstoreError::PKCS8SpkiError(format!("parse der into cert failed: {e}"))
})?;
let spki = cert.tbs_certificate.subject_public_key_info;
Expand Down
20 changes: 12 additions & 8 deletions src/cosign/signature_layers.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,11 @@
use const_oid::ObjectIdentifier;
use digest::Digest;
use oci_distribution::client::ImageLayer;
use pkcs8::der::Decode;
use serde::Serialize;
use std::convert::TryFrom;
use std::{collections::HashMap, fmt};
use tracing::{debug, info, warn};
use x509_cert::der::DecodePem;
use x509_cert::ext::pkix::name::GeneralName;
use x509_cert::ext::pkix::SubjectAltName;
use x509_cert::Certificate;
Expand Down Expand Up @@ -429,23 +429,27 @@ impl CertificateSignature {
/// Ensures the given certificate can be trusted, then extracts
/// its details and returns them as a `CertificateSignature` object
pub(crate) fn from_certificate(
cert_raw: &[u8],
cert_pem: &[u8],
fulcio_cert_pool: &CertificatePool,
trusted_bundle: &Bundle,
) -> Result<Self> {
let pem = pem::parse(cert_raw)?;
let cert = Certificate::from_der(&pem.contents)
.map_err(|e| SigstoreError::X509Error(format!("parse from der: {e}")))?;
let cert = Certificate::from_pem(cert_pem)
.map_err(|e| SigstoreError::X509Error(format!("parse from pem: {e}")))?;
let integrated_time = trusted_bundle.payload.integrated_time;

// ensure the certificate has been issued by Fulcio
fulcio_cert_pool.verify_pem_cert(cert_raw)?;
fulcio_cert_pool.verify_pem_cert(cert_pem)?;

crypto::certificate::is_trusted(&cert, integrated_time)?;

let subject = CertificateSubject::from_certificate(&cert)?;
let verification_key =
CosignVerificationKey::try_from(&cert.tbs_certificate.subject_public_key_info)?;
CosignVerificationKey::try_from(&cert.tbs_certificate.subject_public_key_info)
.map_err(|e| {
SigstoreError::X509Error(format!(
"cannot extract public key from certificate: {e}"
))
})?;

let issuer = get_cert_extension_by_oid(&cert, SIGSTORE_ISSUER_OID, "Issuer")?;

Expand Down Expand Up @@ -506,7 +510,7 @@ fn get_cert_extension_by_oid(
.iter()
.find(|ext| ext.extn_id == ext_oid)
.map(|ext| {
String::from_utf8(ext.extn_value.to_vec()).map_err(|_| {
String::from_utf8(ext.extn_value.clone().into_bytes()).map_err(|_| {
SigstoreError::X509Error(format!(
"Certificate's extension Sigstore {ext_oid_name} is not UTF8 compatible"
))
Expand Down
2 changes: 1 addition & 1 deletion src/cosign/verification_constraint/certificate_verifier.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ impl CertificateVerifier {
cert_chain: Option<&[crate::registry::Certificate]>,
) -> Result<Self> {
let pem = pem::parse(cert_bytes)?;
Self::from_der(&pem.contents, require_rekor_bundle, cert_chain)
Self::from_der(pem.contents(), require_rekor_bundle, cert_chain)
}

/// Create a new instance of `CertificateVerifier` using the DER encoded
Expand Down
16 changes: 8 additions & 8 deletions src/crypto/certificate.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ mod tests {
let issued_cert = generate_certificate(Some(&ca_data), CertGenerationOptions::default())?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;
assert!(verify_key_usages(&cert).is_ok());

Ok(())
Expand All @@ -154,7 +154,7 @@ mod tests {
)?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

let err = verify_key_usages(&cert).expect_err("Was supposed to return an error");
let found = match err {
Expand All @@ -179,7 +179,7 @@ mod tests {
)?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

let err = verify_key_usages(&cert).expect_err("Was supposed to return an error");
let found = match err {
Expand All @@ -205,7 +205,7 @@ mod tests {
)?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

let error = verify_has_san(&cert).expect_err("Didn't get an error");
let found = match error {
Expand All @@ -224,7 +224,7 @@ mod tests {
let issued_cert = generate_certificate(Some(&ca_data), CertGenerationOptions::default())?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

assert!(verify_validity(&cert).is_ok());

Expand All @@ -245,7 +245,7 @@ mod tests {
)?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

let err = verify_validity(&cert).expect_err("Was expecting an error");
let found = match err {
Expand Down Expand Up @@ -273,7 +273,7 @@ mod tests {
)?;
let issued_cert_pem = issued_cert.cert.to_pem()?;
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

assert!(verify_expiration(&cert, integrated_time.timestamp(),).is_ok());

Expand All @@ -296,7 +296,7 @@ mod tests {
)?;
let issued_cert_pem = issued_cert.cert.to_pem().unwrap();
let pem = pem::parse(issued_cert_pem)?;
let cert = x509_cert::Certificate::from_der(&pem.contents)?;
let cert = x509_cert::Certificate::from_der(pem.contents())?;

let err = verify_expiration(&cert, integrated_time.timestamp())
.expect_err("Was expecting an error");
Expand Down
Loading

0 comments on commit 2500875

Please sign in to comment.