diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml index ed761a6..9ed035b 100644 --- a/az-cvm-vtpm/Cargo.toml +++ b/az-cvm-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-cvm-vtpm" -version = "0.5.3" +version = "0.6.0" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" @@ -23,15 +23,14 @@ bincode.workspace = true jsonwebkey = { version = "0.3.5", features = ["pkcs-convert"] } memoffset = "0.9.0" openssl = { workspace = true, optional = true } -rsa = { version = "0.9.6", features = ["pkcs5", "sha2"] } serde.workspace = true serde_json.workspace = true serde-big-array = "0.5.1" sev.workspace = true -sha2 = "0.10.8" thiserror.workspace = true tss-esapi = "7.4" zerocopy.workspace = true +sha2 = "0.10.8" [features] default = ["attester", "verifier"] diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml index 8ba59ca..3f98afc 100644 --- a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml +++ b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-snp-vtpm" -version = "0.5.3" +version = "0.6.0" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" @@ -17,7 +17,7 @@ path = "src/main.rs" required-features = ["attester", "verifier"] [dependencies] -az-cvm-vtpm = { path = "..", version = "0.5.3" } +az-cvm-vtpm = { path = "..", version = "0.6.0" } bincode.workspace = true clap.workspace = true openssl = { workspace = true, optional = true } diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml index b41d772..a499e26 100644 --- a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml +++ b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "az-tdx-vtpm" -version = "0.5.3" +version = "0.6.0" edition = "2021" repository = "https://github.com/kinvolk/azure-cvm-tooling/" license = "MIT" @@ -16,7 +16,7 @@ name = "tdx-vtpm" path = "src/main.rs" [dependencies] -az-cvm-vtpm = { path = "..", version = "0.5.3" } +az-cvm-vtpm = { path = "..", version = "0.6.0" } base64-url = "3.0.0" bincode.workspace = true serde.workspace = true diff --git a/az-cvm-vtpm/src/hcl/mod.rs b/az-cvm-vtpm/src/hcl/mod.rs index 27fb2ca..e206535 100644 --- a/az-cvm-vtpm/src/hcl/mod.rs +++ b/az-cvm-vtpm/src/hcl/mod.rs @@ -146,8 +146,7 @@ impl HclReport { } let mut hasher = Sha256::new(); hasher.update(self.var_data_slice()); - let hash = hasher.finalize(); - hash.into() + hasher.finalize().into() } /// Get the slice of the VarData section diff --git a/az-cvm-vtpm/src/vtpm/mod.rs b/az-cvm-vtpm/src/vtpm/mod.rs index 0c90dc1..40df097 100644 --- a/az-cvm-vtpm/src/vtpm/mod.rs +++ b/az-cvm-vtpm/src/vtpm/mod.rs @@ -1,12 +1,9 @@ // Copyright (c) Microsoft Corporation. // Licensed under the MIT License. -use rsa::{BigUint, RsaPublicKey}; use serde::{Deserialize, Serialize}; use thiserror::Error; -use tss_esapi::abstraction::nv; -use tss_esapi::abstraction::pcr; -use tss_esapi::abstraction::public::DecodedKey; +use tss_esapi::abstraction::{nv, pcr, public::DecodedKey}; use tss_esapi::handles::TpmHandle; use tss_esapi::interface_types::algorithm::HashingAlgorithm; use tss_esapi::interface_types::resource_handles::NvAuth; @@ -79,12 +76,28 @@ pub enum AKPubError { Tpm(#[from] tss_esapi::Error), #[error("asn1 der error")] WrongKeyType, - #[error("rsa error")] - OpenSsl(#[from] rsa::errors::Error), +} + +#[derive(Serialize, Deserialize, Debug)] +pub struct PublicKey { + n: Vec, + e: Vec, +} + +impl PublicKey { + /// Get the modulus of the public key as big-endian unsigned bytes + pub fn modulus(&self) -> &[u8] { + &self.n + } + + /// Get the public exponent of the public key as big-endian unsigned bytes + pub fn exponent(&self) -> &[u8] { + &self.e + } } /// Get the AK pub of the vTPM -pub fn get_ak_pub() -> Result { +pub fn get_ak_pub() -> Result { let conf: TctiNameConf = TctiNameConf::Device(DeviceConfig::default()); let mut context = Context::new(conf)?; let tpm_handle: TpmHandle = VTPM_AK_HANDLE.try_into()?; @@ -96,12 +109,12 @@ pub fn get_ak_pub() -> Result { return Err(AKPubError::WrongKeyType); }; - let bytes = rsa_pk.modulus.as_unsigned_bytes_be(); - let n = BigUint::from_bytes_be(bytes); - let bytes = rsa_pk.public_exponent.as_unsigned_bytes_be(); - let e = BigUint::from_bytes_be(bytes); - - let pkey = RsaPublicKey::new(n, e)?; + let bytes_n = rsa_pk.modulus.as_unsigned_bytes_be(); + let bytes_e = rsa_pk.public_exponent.as_unsigned_bytes_be(); + let pkey = PublicKey { + n: bytes_n.into(), + e: bytes_e.into(), + }; Ok(pkey) } diff --git a/az-cvm-vtpm/src/vtpm/verify.rs b/az-cvm-vtpm/src/vtpm/verify.rs index 454060f..4b50455 100644 --- a/az-cvm-vtpm/src/vtpm/verify.rs +++ b/az-cvm-vtpm/src/vtpm/verify.rs @@ -2,10 +2,8 @@ // Licensed under the MIT License. use super::{Quote, QuoteError}; -use openssl::hash::MessageDigest; use openssl::pkey::{PKey, Public}; -use openssl::sign::Verifier; -use sha2::{Digest, Sha256}; +use openssl::{hash::MessageDigest, sha::Sha256, sign::Verifier}; use thiserror::Error; use tss_esapi::structures::{Attest, AttestInfo}; use tss_esapi::traits::UnMarshall; @@ -79,7 +77,7 @@ impl Quote { hasher.update(pcr); } - let digest = hasher.finalize(); + let digest = hasher.finish(); if digest[..] != pcr_digest[..] { return Err(VerifyError::PcrMismatch); }