deps: replace rsa and sha2 crates with openssl

fixes kinvolk#51 fixes kinvolk#46 The rsa crate is being reported in audit jobs due to a timing-related security issue. The project is not committed to address this in the near time, since the solution involves switching to a big-num dependency with worse security characteristics. We can leave it up to the consumer of an attester-only crate to convert the pubkey into a library struct. Signed-off-by: Magnus Kulke <[email protected]>
mkulke · Jul 2, 2024 · 5e677d3 · 5e677d3
1 parent db31c51
commit 5e677d3
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 26 deletions.
diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-cvm-vtpm"
-version = "0.5.3"
+version = "0.6.0"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -23,15 +23,14 @@ bincode.workspace = true
 jsonwebkey = { version = "0.3.5", features = ["pkcs-convert"] }
 memoffset = "0.9.0"
 openssl = { workspace = true, optional = true }
-rsa = { version = "0.9.6", features = ["pkcs5", "sha2"] }
 serde.workspace = true
 serde_json.workspace = true
 serde-big-array = "0.5.1"
 sev.workspace = true
-sha2 = "0.10.8"
 thiserror.workspace = true
 tss-esapi = "7.4"
 zerocopy.workspace = true
+sha2 = "0.10.8"
 
 [features]
 default = ["attester", "verifier"]

diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-snp-vtpm"
-version = "0.5.3"
+version = "0.6.0"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -17,7 +17,7 @@ path = "src/main.rs"
 required-features = ["attester", "verifier"]
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.5.3" }
+az-cvm-vtpm = { path = "..", version = "0.6.0" }
 bincode.workspace = true
 clap.workspace = true
 openssl = { workspace = true, optional = true }

diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-tdx-vtpm"
-version = "0.5.3"
+version = "0.6.0"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -16,7 +16,7 @@ name = "tdx-vtpm"
 path = "src/main.rs"
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.5.3" }
+az-cvm-vtpm = { path = "..", version = "0.6.0" }
 base64-url = "3.0.0"
 bincode.workspace = true
 serde.workspace = true

diff --git a/az-cvm-vtpm/src/hcl/mod.rs b/az-cvm-vtpm/src/hcl/mod.rs
@@ -146,8 +146,7 @@ impl HclReport {
         }
         let mut hasher = Sha256::new();
         hasher.update(self.var_data_slice());
-        let hash = hasher.finalize();
-        hash.into()
+        hasher.finalize().into()
     }
 
     /// Get the slice of the VarData section

diff --git a/az-cvm-vtpm/src/vtpm/mod.rs b/az-cvm-vtpm/src/vtpm/mod.rs
@@ -1,12 +1,9 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-use rsa::{BigUint, RsaPublicKey};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
-use tss_esapi::abstraction::nv;
-use tss_esapi::abstraction::pcr;
-use tss_esapi::abstraction::public::DecodedKey;
+use tss_esapi::abstraction::{nv, pcr, public::DecodedKey};
 use tss_esapi::handles::TpmHandle;
 use tss_esapi::interface_types::algorithm::HashingAlgorithm;
 use tss_esapi::interface_types::resource_handles::NvAuth;
@@ -79,12 +76,28 @@ pub enum AKPubError {
     Tpm(#[from] tss_esapi::Error),
     #[error("asn1 der error")]
     WrongKeyType,
-    #[error("rsa error")]
-    OpenSsl(#[from] rsa::errors::Error),
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct PublicKey {
+    n: Vec<u8>,
+    e: Vec<u8>,
+}
+
+impl PublicKey {
+    /// Get the modulus of the public key as big-endian unsigned bytes
+    pub fn modulus(&self) -> &[u8] {
+        &self.n
+    }
+
+    /// Get the public exponent of the public key as big-endian unsigned bytes
+    pub fn exponent(&self) -> &[u8] {
+        &self.e
+    }
 }
 
 /// Get the AK pub of the vTPM
-pub fn get_ak_pub() -> Result<RsaPublicKey, AKPubError> {
+pub fn get_ak_pub() -> Result<PublicKey, AKPubError> {
     let conf: TctiNameConf = TctiNameConf::Device(DeviceConfig::default());
     let mut context = Context::new(conf)?;
     let tpm_handle: TpmHandle = VTPM_AK_HANDLE.try_into()?;
@@ -96,12 +109,12 @@ pub fn get_ak_pub() -> Result<RsaPublicKey, AKPubError> {
         return Err(AKPubError::WrongKeyType);
     };
 
-    let bytes = rsa_pk.modulus.as_unsigned_bytes_be();
-    let n = BigUint::from_bytes_be(bytes);
-    let bytes = rsa_pk.public_exponent.as_unsigned_bytes_be();
-    let e = BigUint::from_bytes_be(bytes);
-
-    let pkey = RsaPublicKey::new(n, e)?;
+    let bytes_n = rsa_pk.modulus.as_unsigned_bytes_be();
+    let bytes_e = rsa_pk.public_exponent.as_unsigned_bytes_be();
+    let pkey = PublicKey {
+        n: bytes_n.into(),
+        e: bytes_e.into(),
+    };
     Ok(pkey)
 }
 

diff --git a/az-cvm-vtpm/src/vtpm/verify.rs b/az-cvm-vtpm/src/vtpm/verify.rs
@@ -2,10 +2,8 @@
 // Licensed under the MIT License.
 
 use super::{Quote, QuoteError};
-use openssl::hash::MessageDigest;
 use openssl::pkey::{PKey, Public};
-use openssl::sign::Verifier;
-use sha2::{Digest, Sha256};
+use openssl::{hash::MessageDigest, sha::Sha256, sign::Verifier};
 use thiserror::Error;
 use tss_esapi::structures::{Attest, AttestInfo};
 use tss_esapi::traits::UnMarshall;
@@ -79,7 +77,7 @@ impl Quote {
             hasher.update(pcr);
         }
 
-        let digest = hasher.finalize();
+        let digest = hasher.finish();
         if digest[..] != pcr_digest[..] {
             return Err(VerifyError::PcrMismatch);
         }