From 8690f1f92e26b374172d33e47f3f7852ab178d09 Mon Sep 17 00:00:00 2001 From: Sree Revoori <105384008+sree-revoori1@users.noreply.github.com> Date: Wed, 20 Mar 2024 15:24:37 -0700 Subject: [PATCH] Revert "Update DPE to latest CFI revision" This reverts commit ec25bd73eb2a63a57615ca76e416c6a7519ddb00. --- Cargo.lock | 16 ++++++++-------- Cargo.toml | 4 ++-- crypto/Cargo.toml | 4 ++-- crypto/src/openssl.rs | 2 +- dpe/Cargo.toml | 6 +++--- dpe/fuzz/Cargo.lock | 16 ++++++++-------- dpe/src/commands/certify_key.rs | 8 ++++---- dpe/src/commands/derive_context.rs | 6 +++--- dpe/src/commands/destroy_context.rs | 8 ++++---- dpe/src/commands/get_certificate_chain.rs | 4 ++-- dpe/src/commands/initialize_context.rs | 6 +++--- dpe/src/commands/mod.rs | 2 +- dpe/src/commands/rotate_context.rs | 8 ++++---- dpe/src/commands/sign.rs | 8 ++++---- dpe/src/dpe_instance.rs | 8 ++++---- dpe/src/validation.rs | 10 ++++++---- verification/testing/certifyKey.go | 4 ++++ 17 files changed, 63 insertions(+), 57 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4278158a..d06d109b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -174,9 +174,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] -name = "caliptra-cfi-derive" +name = "caliptra-cfi-derive-git" version = "0.1.0" -source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=25473cebb25f638646091c54b5e337b9a2697f07#25473cebb25f638646091c54b5e337b9a2697f07" +source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=a98e499d279e81ae85881991b1e9eee354151189#a98e499d279e81ae85881991b1e9eee354151189" dependencies = [ "paste", "proc-macro2", @@ -185,9 +185,9 @@ dependencies = [ ] [[package]] -name = "caliptra-cfi-lib" +name = "caliptra-cfi-lib-git" version = "0.1.0" -source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=25473cebb25f638646091c54b5e337b9a2697f07#25473cebb25f638646091c54b5e337b9a2697f07" +source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=a98e499d279e81ae85881991b1e9eee354151189#a98e499d279e81ae85881991b1e9eee354151189" [[package]] name = "cc" @@ -298,8 +298,8 @@ version = "0.1.0" dependencies = [ "arrayvec", "base64ct", - "caliptra-cfi-derive", - "caliptra-cfi-lib", + "caliptra-cfi-derive-git", + "caliptra-cfi-lib-git", "ecdsa", "hkdf", "hmac", @@ -428,8 +428,8 @@ version = "0.1.0" dependencies = [ "asn1", "bitflags", - "caliptra-cfi-derive", - "caliptra-cfi-lib", + "caliptra-cfi-derive-git", + "caliptra-cfi-lib-git", "cfg-if", "cms", "constant_time_eq", diff --git a/Cargo.toml b/Cargo.toml index e177a102..0ead13d4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,7 +11,7 @@ members = [ ] [workspace.dependencies] -caliptra-cfi-lib = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-lib", rev = "25473cebb25f638646091c54b5e337b9a2697f07", default-features = false, features = ["cfi", "cfi-counter" ] } -caliptra-cfi-derive = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-derive", rev = "25473cebb25f638646091c54b5e337b9a2697f07"} +caliptra-cfi-lib-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-lib-git", rev = "a98e499d279e81ae85881991b1e9eee354151189", default-features = false, features = ["cfi", "cfi-counter" ] } +caliptra-cfi-derive-git = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-derive-git", rev = "a98e499d279e81ae85881991b1e9eee354151189"} zerocopy = "0.6.6" openssl = "0.10.64" diff --git a/crypto/Cargo.toml b/crypto/Cargo.toml index 0b4cdf65..e14f71e8 100644 --- a/crypto/Cargo.toml +++ b/crypto/Cargo.toml @@ -13,8 +13,8 @@ no-cfi = [] [dependencies] arrayvec = { version = "0.7.4", default-features = false, features = ["zeroize"] } -caliptra-cfi-lib = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] } -caliptra-cfi-derive.workspace = true +caliptra-cfi-lib-git = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] } +caliptra-cfi-derive-git.workspace = true ecdsa = { version = "0.16.9", optional = true, features = ["pem"]} hkdf = { version = "0.12.3", optional = true } hmac = {version="0.12.1", optional = true} diff --git a/crypto/src/openssl.rs b/crypto/src/openssl.rs index 6a83586b..29d27fae 100644 --- a/crypto/src/openssl.rs +++ b/crypto/src/openssl.rs @@ -2,7 +2,7 @@ use crate::{hkdf::*, AlgLen, Crypto, CryptoBuf, CryptoError, Digest, EcdsaPub, Hasher, HmacSig}; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; +use caliptra_cfi_derive_git::cfi_impl_fn; use openssl::{ bn::{BigNum, BigNumContext}, ec::{EcGroup, EcKey, EcPoint}, diff --git a/dpe/Cargo.toml b/dpe/Cargo.toml index e1a59745..4fad35d0 100644 --- a/dpe/Cargo.toml +++ b/dpe/Cargo.toml @@ -26,8 +26,8 @@ no-cfi = ["crypto/no-cfi"] [dependencies] bitflags = "2.4.0" -caliptra-cfi-lib = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] } -caliptra-cfi-derive.workspace = true +caliptra-cfi-lib-git = { workspace = true, default-features = false, features = ["cfi", "cfi-counter" ] } +caliptra-cfi-derive-git.workspace = true constant_time_eq = "0.3.0" crypto = {path = "../crypto", default-features = false} platform = {path = "../platform", default-features = false} @@ -38,7 +38,7 @@ cfg-if = "1.0.0" [dev-dependencies] asn1 = "0.13.0" -caliptra-cfi-lib = { workspace = true, features = ["cfi-test"] } +caliptra-cfi-lib-git = { workspace = true, features = ["cfi-test"] } openssl.workspace = true x509-parser = "0.15.1" crypto = {path = "../crypto", features = ["deterministic_rand", "openssl"]} diff --git a/dpe/fuzz/Cargo.lock b/dpe/fuzz/Cargo.lock index c4d8f453..6e136da1 100644 --- a/dpe/fuzz/Cargo.lock +++ b/dpe/fuzz/Cargo.lock @@ -114,9 +114,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" [[package]] -name = "caliptra-cfi-derive" +name = "caliptra-cfi-derive-git" version = "0.1.0" -source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=25473cebb25f638646091c54b5e337b9a2697f07#25473cebb25f638646091c54b5e337b9a2697f07" +source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=a98e499d279e81ae85881991b1e9eee354151189#a98e499d279e81ae85881991b1e9eee354151189" dependencies = [ "paste", "proc-macro2", @@ -125,9 +125,9 @@ dependencies = [ ] [[package]] -name = "caliptra-cfi-lib" +name = "caliptra-cfi-lib-git" version = "0.1.0" -source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=25473cebb25f638646091c54b5e337b9a2697f07#25473cebb25f638646091c54b5e337b9a2697f07" +source = "git+https://github.com/chipsalliance/caliptra-cfi.git?rev=a98e499d279e81ae85881991b1e9eee354151189#a98e499d279e81ae85881991b1e9eee354151189" [[package]] name = "cc" @@ -204,8 +204,8 @@ name = "crypto" version = "0.1.0" dependencies = [ "arrayvec", - "caliptra-cfi-derive", - "caliptra-cfi-lib", + "caliptra-cfi-derive-git", + "caliptra-cfi-lib-git", "hkdf", "openssl", "sha2", @@ -268,8 +268,8 @@ name = "dpe" version = "0.1.0" dependencies = [ "bitflags 2.4.0", - "caliptra-cfi-derive", - "caliptra-cfi-lib", + "caliptra-cfi-derive-git", + "caliptra-cfi-lib-git", "cfg-if", "constant_time_eq", "crypto", diff --git a/dpe/src/commands/certify_key.rs b/dpe/src/commands/certify_key.rs index 71ad6a2e..3ca97c35 100644 --- a/dpe/src/commands/certify_key.rs +++ b/dpe/src/commands/certify_key.rs @@ -10,10 +10,10 @@ use crate::{ }; use bitflags::bitflags; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; -use caliptra_cfi_lib::cfi_launder; +use caliptra_cfi_derive_git::cfi_impl_fn; +use caliptra_cfi_lib_git::cfi_launder; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq}; use cfg_if::cfg_if; use crypto::{Crypto, Hasher}; use platform::{Platform, MAX_ISSUER_NAME_SIZE, MAX_KEY_IDENTIFIER_SIZE}; @@ -277,7 +277,7 @@ mod tests { x509::tests::TcbInfo, DpeProfile, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use cms::{ content_info::{CmsVersion, ContentInfo}, signed_data::{SignedData, SignerIdentifier}, diff --git a/dpe/src/commands/derive_context.rs b/dpe/src/commands/derive_context.rs index 6e79a786..203cb91f 100644 --- a/dpe/src/commands/derive_context.rs +++ b/dpe/src/commands/derive_context.rs @@ -9,9 +9,9 @@ use crate::{ }; use bitflags::bitflags; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; +use caliptra_cfi_derive_git::cfi_impl_fn; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq}; use cfg_if::cfg_if; #[repr(C)] @@ -343,7 +343,7 @@ mod tests { support::Support, MAX_HANDLES, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::{Crypto, Hasher, OpensslCrypto}; use openssl::x509::X509; use openssl::{bn::BigNum, ecdsa::EcdsaSig}; diff --git a/dpe/src/commands/destroy_context.rs b/dpe/src/commands/destroy_context.rs index e31cbf21..c1e6aec6 100644 --- a/dpe/src/commands/destroy_context.rs +++ b/dpe/src/commands/destroy_context.rs @@ -7,10 +7,10 @@ use crate::{ MAX_HANDLES, }; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; -use caliptra_cfi_lib::cfi_launder; +use caliptra_cfi_derive_git::cfi_impl_fn; +use caliptra_cfi_lib_git::cfi_launder; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq}; #[repr(C)] #[derive(Debug, PartialEq, Eq, zerocopy::FromBytes, zerocopy::AsBytes)] @@ -94,7 +94,7 @@ mod tests { support::{test::SUPPORT, Support}, DPE_PROFILE, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use platform::default::DefaultPlatform; use zerocopy::AsBytes; diff --git a/dpe/src/commands/get_certificate_chain.rs b/dpe/src/commands/get_certificate_chain.rs index 48015dd9..c110e920 100644 --- a/dpe/src/commands/get_certificate_chain.rs +++ b/dpe/src/commands/get_certificate_chain.rs @@ -5,7 +5,7 @@ use crate::{ response::{DpeErrorCode, GetCertificateChainResp, Response, ResponseHdr}, }; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; +use caliptra_cfi_derive_git::cfi_impl_fn; use platform::{Platform, MAX_CHUNK_SIZE}; #[repr(C)] @@ -48,7 +48,7 @@ mod tests { dpe_instance::tests::{TestTypes, TEST_LOCALITIES}, support::test::SUPPORT, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use platform::default::DefaultPlatform; use zerocopy::AsBytes; diff --git a/dpe/src/commands/initialize_context.rs b/dpe/src/commands/initialize_context.rs index c3c6b8d7..e460e78a 100644 --- a/dpe/src/commands/initialize_context.rs +++ b/dpe/src/commands/initialize_context.rs @@ -7,9 +7,9 @@ use crate::{ }; use bitflags::bitflags; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; +use caliptra_cfi_derive_git::cfi_impl_fn; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq}; use cfg_if::cfg_if; #[repr(C)] @@ -109,7 +109,7 @@ mod tests { dpe_instance::tests::{TestTypes, TEST_LOCALITIES}, support::Support, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use platform::default::DefaultPlatform; use zerocopy::AsBytes; diff --git a/dpe/src/commands/mod.rs b/dpe/src/commands/mod.rs index adc7a068..a22fd9f0 100644 --- a/dpe/src/commands/mod.rs +++ b/dpe/src/commands/mod.rs @@ -165,7 +165,7 @@ impl TryFrom<&[u8]> for CommandHdr { pub mod tests { use super::*; use crate::{DpeProfile, DPE_PROFILE}; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use zerocopy::AsBytes; #[cfg(feature = "dpe_profile_p256_sha256")] diff --git a/dpe/src/commands/rotate_context.rs b/dpe/src/commands/rotate_context.rs index 74482cdc..f8198dd2 100644 --- a/dpe/src/commands/rotate_context.rs +++ b/dpe/src/commands/rotate_context.rs @@ -7,10 +7,10 @@ use crate::{ }; use bitflags::bitflags; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; -use caliptra_cfi_lib::cfi_launder; +use caliptra_cfi_derive_git::cfi_impl_fn; +use caliptra_cfi_lib_git::cfi_launder; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq}; #[repr(C)] #[derive(Debug, PartialEq, Eq, zerocopy::FromBytes, zerocopy::AsBytes)] @@ -117,7 +117,7 @@ mod tests { }, support::Support, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use platform::default::DefaultPlatform; use zerocopy::AsBytes; diff --git a/dpe/src/commands/sign.rs b/dpe/src/commands/sign.rs index 3eeb69d9..0571e207 100644 --- a/dpe/src/commands/sign.rs +++ b/dpe/src/commands/sign.rs @@ -8,10 +8,10 @@ use crate::{ }; use bitflags::bitflags; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; -use caliptra_cfi_lib::cfi_launder; +use caliptra_cfi_derive_git::cfi_impl_fn; +use caliptra_cfi_lib_git::cfi_launder; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq, cfi_assert_ne}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq, cfi_assert_ne}; use cfg_if::cfg_if; use crypto::{Crypto, CryptoBuf, Digest, EcdsaSig, HmacSig}; @@ -185,7 +185,7 @@ mod tests { dpe_instance::tests::{TestTypes, RANDOM_HANDLE, SIMULATION_HANDLE, TEST_LOCALITIES}, support::{test::SUPPORT, Support}, }; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use openssl::x509::X509; use openssl::{bn::BigNum, ecdsa::EcdsaSig}; diff --git a/dpe/src/dpe_instance.rs b/dpe/src/dpe_instance.rs index cbdce18f..a469ead1 100644 --- a/dpe/src/dpe_instance.rs +++ b/dpe/src/dpe_instance.rs @@ -13,10 +13,10 @@ use crate::{ U8Bool, DPE_PROFILE, INTERNAL_INPUT_INFO_SIZE, MAX_HANDLES, }; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; -use caliptra_cfi_lib::cfi_launder; +use caliptra_cfi_derive_git::cfi_impl_fn; +use caliptra_cfi_lib_git::cfi_launder; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq}; +use caliptra_cfi_lib_git::{cfi_assert, cfi_assert_eq}; use cfg_if::cfg_if; use constant_time_eq::constant_time_eq; use crypto::{Crypto, Digest, Hasher}; @@ -519,7 +519,7 @@ pub mod tests { use crate::response::NewHandleResp; use crate::support::test::SUPPORT; use crate::{commands::CommandHdr, CURRENT_PROFILE_MAJOR_VERSION}; - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use platform::default::{DefaultPlatform, AUTO_INIT_LOCALITY, TEST_CERT_CHAIN}; use zerocopy::AsBytes; diff --git a/dpe/src/validation.rs b/dpe/src/validation.rs index 1e3a8fe9..3f7ea4a8 100644 --- a/dpe/src/validation.rs +++ b/dpe/src/validation.rs @@ -9,10 +9,12 @@ use crate::{ }; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_derive::cfi_impl_fn; -use caliptra_cfi_lib::cfi_launder; +use caliptra_cfi_derive_git::cfi_impl_fn; +use caliptra_cfi_lib_git::cfi_launder; #[cfg(not(feature = "no-cfi"))] -use caliptra_cfi_lib::{cfi_assert, cfi_assert_eq, cfi_assert_le, cfi_assert_lt, cfi_assert_ne}; +use caliptra_cfi_lib_git::{ + cfi_assert, cfi_assert_eq, cfi_assert_le, cfi_assert_lt, cfi_assert_ne, +}; use cfg_if::cfg_if; #[derive(Debug, PartialEq, Eq, Clone, Copy)] @@ -447,7 +449,7 @@ impl<'a> DpeValidator<'a> { #[cfg(test)] pub mod tests { - use caliptra_cfi_lib::CfiCounter; + use caliptra_cfi_lib_git::CfiCounter; use crypto::OpensslCrypto; use platform::default::DefaultPlatform; diff --git a/verification/testing/certifyKey.go b/verification/testing/certifyKey.go index 703e3a72..fc7e6270 100644 --- a/verification/testing/certifyKey.go +++ b/verification/testing/certifyKey.go @@ -491,6 +491,10 @@ func checkCertificateStructure(t *testing.T, certBytes []byte) *x509.Certificate // strictly worse and mixing the two formats does not lend itself well // to fixed-sized X.509 templating. "e_wrong_time_format_pre2050", + // Certs in the Caliptra cert chain fail this lint currently. + // We will need to truncate the serial numbers for those certs and + // then enable this lint. + "e_subject_dn_serial_number_max_length", }, }) if err != nil {