From 7ae57d774bd52c0a5b0e90d2597a61eaab1d52e6 Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Mon, 1 Jul 2024 10:51:28 +0200
Subject: [PATCH] deps: replace rsa and sha2 crates with openssl
fixes #51
fixes #46
The rsa crate is being reported in audit jobs due to a timing-related security issue. The project is not committed to address this in the near time, since the solution involves switching to a big-num dependency with worse security characteristics. We can switch the library to use openssl types also for the attester code. there is a transitive dependency on openssl already inherited from the tss2 tpm library, so we don't win much by not importing openssl elsewehere.
Signed-off-by: Magnus Kulke
---
 az-cvm-vtpm/Cargo.toml | 6 ++----
 az-cvm-vtpm/az-snp-vtpm/Cargo.toml | 4 ++--
 az-cvm-vtpm/az-tdx-vtpm/Cargo.toml | 4 ++--
 az-cvm-vtpm/src/hcl/mod.rs | 5 ++---
 az-cvm-vtpm/src/vtpm/mod.rs | 21 ++++++++++-----------
 az-cvm-vtpm/src/vtpm/verify.rs | 6 ++----
 6 files changed, 20 insertions(+), 26 deletions(-)
diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml
index ed761a6..e6cefd7 100644
--- a/az-cvm-vtpm/Cargo.toml
+++ b/az-cvm-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-cvm-vtpm"
-version = "0.5.3"
+version = "0.6.0"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -23,19 +23,17 @@ bincode.workspace = true
 jsonwebkey = { version = "0.3.5", features = ["pkcs-convert"] }
 memoffset = "0.9.0"
 openssl = { workspace = true, optional = true }
-rsa = { version = "0.9.6", features = ["pkcs5", "sha2"] }
 serde.workspace = true
 serde_json.workspace = true
 serde-big-array = "0.5.1"
 sev.workspace = true
-sha2 = "0.10.8"
 thiserror.workspace = true
 tss-esapi = "7.4"
 zerocopy.workspace = true
 [features]
 default = ["attester", "verifier"]
-attester = []
+attester = ["openssl"]
 verifier = ["openssl", "sev/openssl"]
 [workspace.dependencies]
diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml
index 8ba59ca..3f98afc 100644
--- a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml
+++ b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-snp-vtpm"
-version = "0.5.3"
+version = "0.6.0"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -17,7 +17,7 @@ path = "src/main.rs"
 required-features = ["attester", "verifier"]
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.5.3" }
+az-cvm-vtpm = { path = "..", version = "0.6.0" }
 bincode.workspace = true
 clap.workspace = true
 openssl = { workspace = true, optional = true }
diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
index b41d772..a499e26 100644
--- a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
+++ b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-tdx-vtpm"
-version = "0.5.3"
+version = "0.6.0"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -16,7 +16,7 @@ name = "tdx-vtpm"
 path = "src/main.rs"
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.5.3" }
+az-cvm-vtpm = { path = "..", version = "0.6.0" }
 base64-url = "3.0.0"
 bincode.workspace = true
 serde.workspace = true
diff --git a/az-cvm-vtpm/src/hcl/mod.rs b/az-cvm-vtpm/src/hcl/mod.rs
index 27fb2ca..55d022f 100644
--- a/az-cvm-vtpm/src/hcl/mod.rs
+++ b/az-cvm-vtpm/src/hcl/mod.rs
@@ -4,10 +4,10 @@
 use crate::tdx::TdReport;
 use jsonwebkey::JsonWebKey;
 use memoffset::offset_of;
+use openssl::sha::Sha256;
 use serde::{Deserialize, Serialize};
 use serde_big_array::BigArray;
 use sev::firmware::guest::AttestationReport as SnpReport;
-use sha2::{Digest, Sha256};
 use std::convert::TryFrom;
 use std::mem::size_of;
 use std::ops::Range;
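Review bot: The added `use openssl::sha::Sha256;` at the top of hcl/mod.rs is unconditional, while the manifest hunk keeps `openssl` as `optional = true` and only pulls it in through the `attester` and `verifier` features. If the `hcl` module is compiled regardless of features (its `mod` declaration is not part of this patch), a `--no-default-features` build that previously worked with the always-present `sha2` crate would no longer resolve this import; the unconditional `use openssl::…` lines added at the top of vtpm/mod.rs raise the same question. Since both features now need the crate, the simplest fix is to make it a plain dependency, `openssl = { workspace = true }`, or else gate the imports with `#[cfg(any(feature = "attester", feature = "verifier"))]`. A CI job building with `--no-default-features` would catch a regression here.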
@@ -146,8 +146,7 @@ impl HclReport {
 }
 let mut hasher = Sha256::new();
 hasher.update(self.var_data_slice());
- let hash = hasher.finalize();
- hash.into()
+ hasher.finish()
 }
 /// Get the slice of the VarData section
diff --git a/az-cvm-vtpm/src/vtpm/mod.rs b/az-cvm-vtpm/src/vtpm/mod.rs
index 0c90dc1..80f89aa 100644
--- a/az-cvm-vtpm/src/vtpm/mod.rs
+++ b/az-cvm-vtpm/src/vtpm/mod.rs
@@ -1,12 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-use rsa::{BigUint, RsaPublicKey};
+use openssl::error::ErrorStack as OpenSslError;
+use openssl::{bn::BigNum, pkey::Public, rsa::Rsa};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
-use tss_esapi::abstraction::nv;
-use tss_esapi::abstraction::pcr;
-use tss_esapi::abstraction::public::DecodedKey;
+use tss_esapi::abstraction::{nv, pcr, public::DecodedKey};
 use tss_esapi::handles::TpmHandle;
 use tss_esapi::interface_types::algorithm::HashingAlgorithm;
 use tss_esapi::interface_types::resource_handles::NvAuth;
@@ -80,11 +79,11 @@ pub enum AKPubError {
 #[error("asn1 der error")]
 WrongKeyType,
 #[error("rsa error")]
- OpenSsl(#[from] rsa::errors::Error),
+ OpenSsl(#[from] OpenSslError),
 }
 /// Get the AK pub of the vTPM
-pub fn get_ak_pub() -> Result {
+pub fn get_ak_pub() -> Result, AKPubError> {
 let conf: TctiNameConf = TctiNameConf::Device(DeviceConfig::default());
 let mut context = Context::new(conf)?;
 let tpm_handle: TpmHandle = VTPM_AK_HANDLE.try_into()?;
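Review bot: In the `AKPubError` hunk of vtpm/mod.rs the `OpenSsl` variant keeps the display string `rsa error`, although it now wraps `openssl::error::ErrorStack` and is also produced by the `BigNum::from_slice` calls further down in `get_ak_pub`, so the message no longer describes where the failure came from; `#[error("openssl error")]` would match the variant name. The `WrongKeyType` variant directly above still reads `asn1 der error`, which looks like a leftover given that it appears to be returned when the decoded key is not RSA. Because the public return type of `get_ak_pub` changes in this hunk, its one-line doc comment could also gain an `# Errors` section listing the TPM, key-type and OpenSSL failure cases. Both the enum and the function body continue outside this hunk.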
@@ -96,12 +95,12 @@ pub fn get_ak_pub() -> Result {
 return Err(AKPubError::WrongKeyType);
 };
- let bytes = rsa_pk.modulus.as_unsigned_bytes_be();
- let n = BigUint::from_bytes_be(bytes);
- let bytes = rsa_pk.public_exponent.as_unsigned_bytes_be();
- let e = BigUint::from_bytes_be(bytes);
+ let bytes_n = rsa_pk.modulus.as_unsigned_bytes_be();
+ let n = BigNum::from_slice(bytes_n)?;
+ let bytes_e = rsa_pk.public_exponent.as_unsigned_bytes_be();
+ let e = BigNum::from_slice(bytes_e)?;
- let pkey = RsaPublicKey::new(n, e)?;
+ let pkey = Rsa::from_public_components(n, e)?;
 Ok(pkey)
 }
diff --git a/az-cvm-vtpm/src/vtpm/verify.rs b/az-cvm-vtpm/src/vtpm/verify.rs
index 454060f..4b50455 100644
--- a/az-cvm-vtpm/src/vtpm/verify.rs
+++ b/az-cvm-vtpm/src/vtpm/verify.rs
@@ -2,10 +2,8 @@
 // Licensed under the MIT License.
 use super::{Quote, QuoteError};
-use openssl::hash::MessageDigest;
 use openssl::pkey::{PKey, Public};
-use openssl::sign::Verifier;
-use sha2::{Digest, Sha256};
+use openssl::{hash::MessageDigest, sha::Sha256, sign::Verifier};
 use thiserror::Error;
 use tss_esapi::structures::{Attest, AttestInfo};
 use tss_esapi::traits::UnMarshall;
@@ -79,7 +77,7 @@ impl Quote {
 hasher.update(pcr);
 }
- let digest = hasher.finalize();
+ let digest = hasher.finish();
 if digest[..] != pcr_digest[..] {
 return Err(VerifyError::PcrMismatch);
 }
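Review bot: `Rsa::from_public_components(n, e)` in `get_ak_pub` only assembles a key from the two numbers, whereas the replaced `RsaPublicKey::new` (as far as I know) rejected over-sized moduli and out-of-range public exponents, so this swap quietly drops a sanity check on the AK read from the vTPM. If this key is later used to verify quotes, it is worth checking the modulus size before building it, for example `if n.num_bits() != EXPECTED_AK_BITS { return Err(AKPubError::WrongKeyType); }`, where `EXPECTED_AK_BITS` is a placeholder name for a crate constant holding the expected AK size. The start of `get_ak_pub` lies outside this hunk, so an equivalent check may already exist earlier in the function.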