From d94757f615d56d2fcae1ec450f5e78cb6288ab9c Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 12 Dec 2024 17:47:31 +0800 Subject: [PATCH] DO NOT MERGE: add multiple JWE algorithms for KBS response This commit supports the following JWE algorithms for KBS response 1. RSA PKCS v1.5 Padding. This algorithm is not recommended but for compability it is still reserved. 2. RSA OAEP. 3. ECDH-ES-A256KW with curve P256. This is recommended as EC algorithms are more fast and safe. Some more unit tests to test the compability is added to make sure the algorithm is implemented as standard. Signed-off-by: Xynnn007 --- Cargo.lock | 660 +++++++++++++++++++++++++++---------------------- Cargo.toml | 5 +- kbs/Cargo.toml | 3 + kbs/src/jwe.rs | 323 ++++++++++++++++++++++-- 4 files changed, 672 insertions(+), 319 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 02fdc601b..c5ccca711 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -66,7 +66,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -203,7 +203,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -271,6 +271,15 @@ dependencies = [ "subtle", ] +[[package]] +name = "aes-kw" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69fa2b352dcefb5f7f3a5fb840e02665d311d878955380515e4fd50095dd3d8c" +dependencies = [ + "aes", +] + [[package]] name = "ahash" version = "0.7.8" @@ -394,9 +403,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.93" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" +checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7" [[package]] name = "arrayref" @@ -478,7 +487,7 @@ checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -489,7 +498,7 @@ checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -505,11 +514,11 @@ source = "git+https://github.com/confidential-containers/guest-components.git?re dependencies = [ "anyhow", "async-trait", - "attester", + "attester 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", "base64 0.22.1", "config", "const_format", - "crypto", + "crypto 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", "kbs-types 0.7.0", "log", "serde", @@ -517,7 +526,7 @@ dependencies = [ "sha2", "strum 0.26.3", "tempfile", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "toml 0.8.19", ] @@ -532,13 +541,13 @@ dependencies = [ "async-trait", "base64 0.22.1", "cfg-if", - "clap 4.5.21", + "clap 4.5.23", "ear 0.3.0", "env_logger 0.10.2", "futures", "hex", "jsonwebtoken", - "kbs-types 0.9.1", + "kbs-types 0.9.1 (git+https://github.com/Xynnn007/kbs-types.git?rev=f56c565)", "lazy_static", "log", "openssl", @@ -569,7 +578,7 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d#e2b642d243ffe405574dee7ee76e0e5ae12db9f4" dependencies = [ "anyhow", "async-trait", @@ -581,7 +590,7 @@ dependencies = [ "hex", "hyper 0.14.31", "hyper-tls 0.5.0", - "kbs-types 0.7.0", + "kbs-types 0.9.1 (git+https://github.com/Xynnn007/kbs-types.git?rev=d6151a8)", "log", "occlum_dcap", "s390_pv", @@ -589,15 +598,34 @@ dependencies = [ "serde", "serde_json", "serde_with", - "sev 3.2.0", + "sev", "sha2", "strum 0.26.3", "tdx-attest-rs", "tempfile", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", ] +[[package]] +name = "attester" +version = "0.1.0" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" +dependencies = [ + "anyhow", + "async-trait", + "base64 0.22.1", + "hex", + "kbs-types 0.7.0", + "log", + "serde", + "serde_json", + "serde_with", + "sha2", + "strum 0.26.3", + "thiserror 2.0.7", +] + [[package]] name = "atty" version = "0.2.14" @@ -625,7 +653,7 @@ dependencies = [ "axum-core", "bytes", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", "itoa", @@ -637,7 +665,7 @@ dependencies = [ "rustversion", "serde", "sync_wrapper 1.0.2", - "tower 0.5.1", + "tower 0.5.2", "tower-layer", "tower-service", ] @@ -651,7 +679,7 @@ dependencies = [ "async-trait", "bytes", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", "mime", @@ -675,9 +703,9 @@ dependencies = [ "serde", "serde-big-array", "serde_json", - "sev 4.0.0", + "sev", "sha2", - "thiserror 2.0.3", + "thiserror 2.0.7", "tss-esapi", "zerocopy", ] @@ -690,11 +718,11 @@ checksum = "7c16506502dc64f7111f7241ca400f3ee0f54e69dfd1f4be5cef29b96332f22e" dependencies = [ "az-cvm-vtpm", "bincode", - "clap 4.5.21", + "clap 4.5.23", "openssl", "serde", - "sev 4.0.0", - "thiserror 2.0.3", + "sev", + "thiserror 2.0.7", "ureq", ] @@ -709,7 +737,7 @@ dependencies = [ "bincode", "serde", "serde_json", - "thiserror 2.0.3", + "thiserror 2.0.7", "ureq", "zerocopy", ] @@ -819,15 +847,15 @@ dependencies = [ "regex", "rustc-hash 1.1.0", "shlex", - "syn 2.0.87", + "syn 2.0.90", "which", ] [[package]] name = "binstring" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e0d60973d9320722cb1206f412740e162a33b8547ea8d6be75d7cff237c7a85" +checksum = "ed79c2a8151273c70956b5e3cdfdc1ff6c1a8b9779ba59c6807d281b32ee2f86" [[package]] name = "bitfield" @@ -929,9 +957,9 @@ checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b" [[package]] name = "bytestring" -version = "1.3.1" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74d80203ea6b29df88012294f62733de21cfeab47f17b41af3a38bc30a03ee72" +checksum = "e465647ae23b2823b0753f50decb2d5a86d2bb2cac04788fafd1f80e45378e5f" dependencies = [ "bytes", ] @@ -957,9 +985,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.1" +version = "1.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" +checksum = "9157bbaa6b165880c27a4293a474c91cdcf265cc68cc829bf10be0964a391caf" dependencies = [ "jobserver", "libc", @@ -989,9 +1017,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chrono" -version = "0.4.38" +version = "0.4.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401" +checksum = "7e36cc9d416881d2e24f9a963be5fb1cd90966419ac844274161d10488b3e825" dependencies = [ "android-tzdata", "iana-time-zone", @@ -1068,7 +1096,7 @@ checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" dependencies = [ "glob", "libc", - "libloading 0.8.5", + "libloading 0.8.6", ] [[package]] @@ -1088,9 +1116,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.21" +version = "4.5.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb3b4b9e5a7c7514dfa52869339ee98b3156b0bfb4e8a77c4ff4babb64b1604f" +checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84" dependencies = [ "clap_builder", "clap_derive", @@ -1098,9 +1126,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.21" +version = "4.5.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b17a95aa67cc7b5ebd32aa5370189aa0d79069ef1c64ce893bd30fb24bff20ec" +checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838" dependencies = [ "anstream", "anstyle", @@ -1117,20 +1145,20 @@ dependencies = [ "heck 0.5.0", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "clap_lex" -version = "0.7.3" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afb84c814227b90d6895e01398aee0d8033c00e7466aca416fb6a8e0eb19d8a7" +checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "coarsetime" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13b3839cf01bb7960114be3ccf2340f541b6d0c81f8690b007b2b39f750f7e5d" +checksum = "4252bf230cb600c19826a575b31c8c9c84c6f11acfab6dfcad2e941b10b6f8e2" dependencies = [ "libc", "wasix", @@ -1149,6 +1177,15 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" +[[package]] +name = "concat-kdf" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d72c1252426a83be2092dd5884a5f6e3b8e7180f6891b6263d2c21b92ec8816" +dependencies = [ + "digest", +] + [[package]] name = "config" version = "0.13.4" @@ -1182,18 +1219,18 @@ checksum = "373e9fafaa20882876db20562275ff58d50e0caa2590077fe7ce7bef90211d0d" [[package]] name = "const_format" -version = "0.2.33" +version = "0.2.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50c655d81ff1114fb0dcdea9225ea9f0cc712a6f8d189378e82bdf62a473a64b" +checksum = "126f97965c8ad46d6d9163268ff28432e8f6a1196a55578867832e3049df63dd" dependencies = [ "const_format_proc_macros", ] [[package]] name = "const_format_proc_macros" -version = "0.2.33" +version = "0.2.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eff1a44b93f47b1bac19a27932f5c591e43d1ba357ee4f61526c8a25603f0eb1" +checksum = "1d57c2eccfb16dbac1f4e61e206105db5820c9d26c3c472bc17c774259ef7744" dependencies = [ "proc-macro2", "quote", @@ -1308,9 +1345,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.20" +version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" +checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] name = "crunchy" @@ -1318,6 +1355,25 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" +[[package]] +name = "crypto" +version = "0.1.0" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d#e2b642d243ffe405574dee7ee76e0e5ae12db9f4" +dependencies = [ + "aes-gcm", + "anyhow", + "base64 0.22.1", + "ctr", + "kbs-types 0.9.1 (git+https://github.com/Xynnn007/kbs-types.git?rev=d6151a8)", + "rand", + "rsa", + "serde", + "serde_json", + "sha2", + "strum 0.26.3", + "zeroize", +] + [[package]] name = "crypto" version = "0.1.0" @@ -1407,9 +1463,9 @@ dependencies = [ [[package]] name = "ct-codecs" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "026ac6ceace6298d2c557ef5ed798894962296469ec7842288ea64674201a2d1" +checksum = "b916ba8ce9e4182696896f015e8a5ae6081b305f74690baa8465e35f5a142ea4" [[package]] name = "ctr" @@ -1559,7 +1615,7 @@ dependencies = [ "proc-macro2", "quote", "rustc_version", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -1612,7 +1668,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -1743,7 +1799,7 @@ checksum = "de0d48a183585823424a4ce1aa132d174a6a81bd540895822eb4c8373a8e49e8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -1793,12 +1849,12 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.9" +version = "0.3.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" +checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -1944,7 +2000,7 @@ checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -2074,7 +2130,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.6.0", + "indexmap 2.7.0", "slab", "tokio", "tokio-util", @@ -2092,8 +2148,8 @@ dependencies = [ "fnv", "futures-core", "futures-sink", - "http 1.1.0", - "indexmap 2.6.0", + "http 1.2.0", + "indexmap 2.7.0", "slab", "tokio", "tokio-util", @@ -2127,9 +2183,9 @@ checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" [[package]] name = "hashbrown" -version = "0.15.1" +version = "0.15.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3" +checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" [[package]] name = "heck" @@ -2152,12 +2208,6 @@ dependencies = [ "libc", ] -[[package]] -name = "hermit-abi" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" - [[package]] name = "hermit-abi" version = "0.4.0" @@ -2190,24 +2240,24 @@ dependencies = [ [[package]] name = "hmac-sha1-compact" -version = "1.1.4" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9d405ec732fa3fcde87264e54a32a84956a377b3e3107de96e59b798c84a7" +checksum = "18492c9f6f9a560e0d346369b665ad2bdbc89fa9bceca75796584e79042694c3" [[package]] name = "hmac-sha256" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3688e69b38018fec1557254f64c8dc2cc8ec502890182f395dbb0aa997aa5735" +checksum = "4a8575493d277c9092b988c780c94737fb9fd8651a1001e16bee3eccfc1baedb" dependencies = [ "digest", ] [[package]] name = "hmac-sha512" -version = "1.1.5" +version = "1.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4ce1f4656bae589a3fab938f9f09bf58645b7ed01a2c5f8a3c238e01a4ef78a" +checksum = "b0b3a0f572aa8389d325f5852b9e0a333a15b0f86ecccbb3fdb6e97cd86dc67c" dependencies = [ "digest", ] @@ -2240,9 +2290,9 @@ dependencies = [ [[package]] name = "http" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21b9ddb458710bc376481b842f5da65cdf31522de232c1ca8146abce2a358258" +checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea" dependencies = [ "bytes", "fnv", @@ -2267,7 +2317,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184" dependencies = [ "bytes", - "http 1.1.0", + "http 1.2.0", ] [[package]] @@ -2278,7 +2328,7 @@ checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f" dependencies = [ "bytes", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "pin-project-lite", ] @@ -2335,7 +2385,7 @@ dependencies = [ "futures-channel", "futures-util", "h2 0.4.7", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "httparse", "httpdate", @@ -2367,15 +2417,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333" dependencies = [ "futures-util", - "http 1.1.0", + "http 1.2.0", "hyper 1.5.1", "hyper-util", - "rustls 0.23.17", + "rustls 0.23.20", "rustls-pki-types", "tokio", - "tokio-rustls 0.26.0", + "tokio-rustls 0.26.1", "tower-service", - "webpki-roots 0.26.6", + "webpki-roots 0.26.7", ] [[package]] @@ -2429,7 +2479,7 @@ dependencies = [ "bytes", "futures-channel", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "hyper 1.5.1", "pin-project-lite", @@ -2577,7 +2627,7 @@ checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -2625,12 +2675,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.6.0" +version = "2.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" +checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f" dependencies = [ "equivalent", - "hashbrown 0.15.1", + "hashbrown 0.15.2", ] [[package]] @@ -2694,9 +2744,9 @@ dependencies = [ [[package]] name = "is_debug" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06d198e9919d9822d5f7083ba8530e04de87841eaf21ead9af8f2304efd57c89" +checksum = "e8ea828c9d6638a5bd3d8b14e37502b4d56cae910ccf8a5b7f51c7a0eb1d0508" [[package]] name = "is_terminal_polyfill" @@ -2706,18 +2756,18 @@ checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" [[package]] name = "itertools" -version = "0.12.1" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" +checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186" dependencies = [ "either", ] [[package]] name = "itoa" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "540654e97a3f4470a492cd30ff187bc95d89557a903a2bbf112e2fae98104ef2" +checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "jobserver" @@ -2728,12 +2778,30 @@ dependencies = [ "libc", ] +[[package]] +name = "josekit" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a603084e34e151e215d232e401df0d9299bdced264b8054e4888ea614e59bb06" +dependencies = [ + "anyhow", + "base64 0.22.1", + "flate2", + "openssl", + "regex", + "serde", + "serde_json", + "thiserror 1.0.69", + "time", +] + [[package]] name = "js-sys" -version = "0.3.72" +version = "0.3.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" +checksum = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7" dependencies = [ + "once_cell", "wasm-bindgen", ] @@ -2782,9 +2850,9 @@ dependencies = [ [[package]] name = "jwt-simple" -version = "0.12.10" +version = "0.12.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50ae7e0018905a795d6f2a60ac32a547490abdd8df509906a8c6171e6d861711" +checksum = "b00e03c08ce71da10a3ad9267b963c03fc4234a56713d87648547b3fdda872a6" dependencies = [ "anyhow", "binstring", @@ -2802,7 +2870,7 @@ dependencies = [ "serde", "serde_json", "superboring", - "thiserror 1.0.69", + "thiserror 2.0.7", "zeroize", ] @@ -2827,25 +2895,29 @@ dependencies = [ "actix-web", "actix-web-httpauth", "aes-gcm", + "aes-kw", "anyhow", "async-trait", "attestation-service", "az-cvm-vtpm", "base64 0.22.1", "cfg-if", - "clap 4.5.21", + "clap 4.5.23", + "concat-kdf", "config", "cryptoki", "derivative", "env_logger 0.10.2", + "josekit", "jsonwebtoken", "jwt-simple", - "kbs-types 0.9.1", + "kbs-types 0.9.1 (git+https://github.com/Xynnn007/kbs-types.git?rev=f56c565)", "kms", "lazy_static", "log", "mobc", "openssl", + "p256", "prost", "rand", "regex", @@ -2873,7 +2945,7 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.22.1", - "clap 4.5.21", + "clap 4.5.23", "env_logger 0.10.2", "jwt-simple", "kbs_protocol", @@ -2897,33 +2969,44 @@ dependencies = [ [[package]] name = "kbs-types" version = "0.9.1" -source = "git+https://github.com/virtee/kbs-types.git?rev=a704036#a70403665bfaa61c0984ae05654df0ad72591e96" +source = "git+https://github.com/Xynnn007/kbs-types.git?rev=d6151a8#d6151a8c961050aca95a28de7976097e79d8f9d4" dependencies = [ "base64 0.22.1", "serde", "serde_json", - "thiserror 2.0.3", + "thiserror 2.0.7", +] + +[[package]] +name = "kbs-types" +version = "0.9.1" +source = "git+https://github.com/Xynnn007/kbs-types.git?rev=f56c565#f56c5651f86ea0da43e1db02d13be87ee1363018" +dependencies = [ + "base64 0.22.1", + "serde", + "serde_json", + "thiserror 2.0.7", ] [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d#e2b642d243ffe405574dee7ee76e0e5ae12db9f4" dependencies = [ "anyhow", "async-trait", - "attester", + "attester 0.1.0 (git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d)", "base64 0.22.1", - "crypto", + "crypto 0.1.0 (git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d)", "jwt-simple", - "kbs-types 0.7.0", + "kbs-types 0.9.1 (git+https://github.com/Xynnn007/kbs-types.git?rev=d6151a8)", "log", "reqwest 0.12.9", - "resource_uri", + "resource_uri 0.1.0 (git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d)", "serde", "serde_json", "sha2", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "url", "zeroize", @@ -2947,13 +3030,13 @@ dependencies = [ "prost", "rand", "reqwest 0.12.9", - "resource_uri", + "resource_uri 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", "ring", "serde", "serde_json", "sha2", "strum 0.26.3", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "toml 0.8.19", "tonic", @@ -2985,9 +3068,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.167" +version = "0.2.168" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09d6582e104315a817dff97f75133544b2e094ee22447d2acf4a74e189ba06fc" +checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d" [[package]] name = "libgit2-sys" @@ -3013,9 +3096,9 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" +checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" dependencies = [ "cfg-if", "windows-targets 0.52.6", @@ -3063,9 +3146,9 @@ checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "litemap" -version = "0.7.3" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" +checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104" [[package]] name = "litrs" @@ -3170,11 +3253,10 @@ dependencies = [ [[package]] name = "mio" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" +checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" dependencies = [ - "hermit-abi 0.3.9", "libc", "log", "wasi", @@ -3284,7 +3366,7 @@ checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3398,7 +3480,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3535,7 +3617,7 @@ checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.5.7", + "redox_syscall 0.5.8", "smallvec", "windows-targets 0.52.6", ] @@ -3600,20 +3682,20 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "879952a81a83930934cbf1786752d6dedc3b1f29e8f8fb2ad1d0a36f377cf442" +checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc" dependencies = [ "memchr", - "thiserror 1.0.69", + "thiserror 2.0.7", "ucd-trie", ] [[package]] name = "pest_derive" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d214365f632b123a47fd913301e14c946c61d1c183ee245fa76eb752e59a02dd" +checksum = "816518421cfc6887a0d62bf441b6ffb4536fcc926395a69e1a85852d4363f57e" dependencies = [ "pest", "pest_generator", @@ -3621,22 +3703,22 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb55586734301717aea2ac313f50b2eb8f60d2fc3dc01d190eefa2e625f60c4e" +checksum = "7d1396fd3a870fc7838768d171b4616d5c91f6cc25e377b673d714567d99377b" dependencies = [ "pest", "pest_meta", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "pest_meta" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b75da2a70cf4d9cb76833c990ac9cd3923c9a8905a8929789ce347c84564d03d" +checksum = "e1e58089ea25d717bfd31fb534e4f3afcc2cc569c70de3e239778991ea3b7dea" dependencies = [ "once_cell", "pest", @@ -3650,7 +3732,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.6.0", + "indexmap 2.7.0", ] [[package]] @@ -3694,7 +3776,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3758,7 +3840,7 @@ checksum = "3c0f5fad0874fc7abcd4d750e76917eaebbecaa2c20bde22e1dbeeba8beb758c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3814,9 +3896,9 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" +checksum = "280dc24453071f1b63954171985a0b0d30058d287960968b9b2aca264c8d4ee6" [[package]] name = "powerfmt" @@ -3840,7 +3922,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033" dependencies = [ "proc-macro2", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3878,18 +3960,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.89" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" +checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0" dependencies = [ "unicode-ident", ] [[package]] name = "prost" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b0487d90e047de87f984913713b85c601c05609aad5b0df4b4573fbf69aa13f" +checksum = "2c0fef6c4230e4ccf618a35c59d7ede15dea37de8427500f50aff708806e42ec" dependencies = [ "bytes", "prost-derive", @@ -3897,11 +3979,10 @@ dependencies = [ [[package]] name = "prost-build" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c1318b19085f08681016926435853bbf7858f9c082d0999b80550ff5d9abe15" +checksum = "d0f3e5beed80eb580c68e2c600937ac2c4eedabdfd5ef1e5b7ea4f3fba84497b" dependencies = [ - "bytes", "heck 0.5.0", "itertools", "log", @@ -3912,28 +3993,28 @@ dependencies = [ "prost", "prost-types", "regex", - "syn 2.0.87", + "syn 2.0.90", "tempfile", ] [[package]] name = "prost-derive" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5" +checksum = "157c5a9d7ea5c2ed2d9fb8f495b64759f7816c7eaea54ba3978f0d63000162e3" dependencies = [ "anyhow", "itertools", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "prost-types" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4759aa0d3a6232fb8dbdb97b61de2c20047c68aca932c7ed76da9d788508d670" +checksum = "cc2f1e56baa61e93533aebc21af4d2134b70f66275e0fcdf3cbe43d77ff7e8fc" dependencies = [ "prost", ] @@ -3964,10 +4045,10 @@ dependencies = [ "pin-project-lite", "quinn-proto", "quinn-udp", - "rustc-hash 2.0.0", - "rustls 0.23.17", + "rustc-hash 2.1.0", + "rustls 0.23.20", "socket2", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "tracing", ] @@ -3982,11 +4063,11 @@ dependencies = [ "getrandom", "rand", "ring", - "rustc-hash 2.0.0", - "rustls 0.23.17", + "rustc-hash 2.1.0", + "rustls 0.23.20", "rustls-pki-types", "slab", - "thiserror 2.0.3", + "thiserror 2.0.7", "tinyvec", "tracing", "web-time", @@ -4074,9 +4155,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f" +checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834" dependencies = [ "bitflags 2.6.0", ] @@ -4102,7 +4183,7 @@ dependencies = [ "base64 0.22.1", "cfg-if", "chrono", - "clap 4.5.21", + "clap 4.5.23", "config", "env_logger 0.10.2", "log", @@ -4238,7 +4319,7 @@ dependencies = [ "cookie_store", "futures-core", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", "hyper 1.5.1", @@ -4254,7 +4335,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.17", + "rustls 0.23.20", "rustls-pemfile 2.2.0", "rustls-pki-types", "serde", @@ -4263,16 +4344,27 @@ dependencies = [ "sync_wrapper 1.0.2", "tokio", "tokio-native-tls", - "tokio-rustls 0.26.0", + "tokio-rustls 0.26.1", "tower-service", "url", "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots 0.26.6", + "webpki-roots 0.26.7", "windows-registry", ] +[[package]] +name = "resource_uri" +version = "0.1.0" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=e2b642d#e2b642d243ffe405574dee7ee76e0e5ae12db9f4" +dependencies = [ + "anyhow", + "serde", + "serde_json", + "url", +] + [[package]] name = "resource_uri" version = "0.1.0" @@ -4322,9 +4414,9 @@ dependencies = [ [[package]] name = "rsa" -version = "0.9.6" +version = "0.9.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d0e5124fcb30e76a7e79bfee683a2746db83784b86289f6251b54b7950a0dfc" +checksum = "47c75d7c5c6b673e58bf54d8544a9f432e3a925b0e80f7cd3602ab5c50c55519" dependencies = [ "const-oid", "digest", @@ -4366,7 +4458,7 @@ dependencies = [ "regex", "relative-path", "rustc_version", - "syn 2.0.87", + "syn 2.0.90", "unicode-ident", ] @@ -4394,9 +4486,9 @@ checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" [[package]] name = "rustc-hash" -version = "2.0.0" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152" +checksum = "c7fb8039b3032c191086b10f11f319a6e99e1e82889c5cc6046f515c9db1d497" [[package]] name = "rustc_version" @@ -4418,15 +4510,15 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.41" +version = "0.38.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7f649912bc1495e167a6edee79151c84b1bad49748cb4f1f1167f459f6224f6" +checksum = "f93dc38ecbab2eb790ff964bb77fa94faf256fd3e73285fd7ba0903b76bedb85" dependencies = [ "bitflags 2.6.0", "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -4443,9 +4535,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.17" +version = "0.23.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f1a745511c54ba6d4465e8d5dfbd81b45791756de28d4981af70d6dca128f1e" +checksum = "5065c3f250cbd332cd894be57c40fa52387247659b14a2d6041d121547903b1b" dependencies = [ "log", "once_cell", @@ -4476,9 +4568,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.10.0" +version = "1.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b" +checksum = "d2bf47e6ff922db3825eb750c4e2ff784c6ff8fb9e13046ef6a1d1c5401b0b37" dependencies = [ "web-time", ] @@ -4592,7 +4684,7 @@ checksum = "d2ee4885492bb655bfa05d039cd9163eb8fe9f79ddebf00ca23a1637510c2fd2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4627,7 +4719,7 @@ checksum = "1db149f81d46d2deba7cd3c50772474707729550221e69588478ebf9ada425ae" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4638,7 +4730,7 @@ checksum = "7f81c2fde025af7e69b1d1420531c8a8811ca898919db177141a85313b1cb932" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4705,9 +4797,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.23" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" +checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba" [[package]] name = "serde" @@ -4744,7 +4836,7 @@ checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4753,6 +4845,7 @@ version = "1.0.133" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377" dependencies = [ + "indexmap 2.7.0", "itoa", "memchr", "ryu", @@ -4840,30 +4933,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "sev" -version = "3.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35156eab65ff1b63432b5a11a06b770e92120033e2831c7dee064865de5dbbbd" -dependencies = [ - "base64 0.22.1", - "bincode", - "bitfield 0.15.0", - "bitflags 1.3.2", - "byteorder", - "codicon", - "dirs", - "hex", - "iocuddle", - "lazy_static", - "libc", - "serde", - "serde-big-array", - "serde_bytes", - "static_assertions", - "uuid", -] - [[package]] name = "sev" version = "4.0.0" @@ -5015,9 +5084,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "socket2" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c" +checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8" dependencies = [ "libc", "windows-sys 0.52.0", @@ -5097,7 +5166,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5110,7 +5179,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5121,9 +5190,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "superboring" -version = "0.1.3" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cee25cd9d145d2c1ef92a52720376eeb510c8870dfa0f84edb371901ec6a12ca" +checksum = "515cce34a781d7250b8a65706e0f2a5b99236ea605cb235d4baed6685820478f" dependencies = [ "getrandom", "hmac-sha256", @@ -5145,9 +5214,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.87" +version = "2.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" +checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31" dependencies = [ "proc-macro2", "quote", @@ -5189,7 +5258,7 @@ checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5286,11 +5355,11 @@ dependencies = [ [[package]] name = "thiserror" -version = "2.0.3" +version = "2.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c006c85c7651b3cf2ada4584faa36773bd07bac24acfb39f3c431b36d7e667aa" +checksum = "93605438cbd668185516ab499d589afb7ee1859ea3d5fc8f6b0755e1c7443767" dependencies = [ - "thiserror-impl 2.0.3", + "thiserror-impl 2.0.7", ] [[package]] @@ -5301,18 +5370,18 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "thiserror-impl" -version = "2.0.3" +version = "2.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f077553d607adc1caf65430528a576c757a71ed73944b66ebb58ef2bbd243568" +checksum = "e1d8749b4531af2117677a5fcd12b1348a3fe2b81e36e61ffeac5c4aa3273e36" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5327,9 +5396,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.36" +version = "0.3.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885" +checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21" dependencies = [ "deranged", "itoa", @@ -5350,9 +5419,9 @@ checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" [[package]] name = "time-macros" -version = "0.2.18" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f252a68540fde3a3877aeea552b832b40ab9a69e318efd078774a01ddee1ccf" +checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de" dependencies = [ "num-conv", "time-core", @@ -5385,9 +5454,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.41.1" +version = "1.42.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" +checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" dependencies = [ "backtrace", "bytes", @@ -5409,7 +5478,7 @@ checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5445,20 +5514,19 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.26.0" +version = "0.26.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37" dependencies = [ - "rustls 0.23.17", - "rustls-pki-types", + "rustls 0.23.20", "tokio", ] [[package]] name = "tokio-stream" -version = "0.1.16" +version = "0.1.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f4e6ce100d0eb49a2734f8c0812bcd324cf357d21810932c5df6b96ef2b86f1" +checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047" dependencies = [ "futures-core", "pin-project-lite", @@ -5467,9 +5535,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.12" +version = "0.7.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61e7c3654c13bcd040d4a03abee2c75b1d14a37b423cf5a813ceae1cc903ec6a" +checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078" dependencies = [ "bytes", "futures-core", @@ -5514,7 +5582,7 @@ version = "0.22.22" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5" dependencies = [ - "indexmap 2.6.0", + "indexmap 2.7.0", "serde", "serde_spanned", "toml_datetime", @@ -5533,7 +5601,7 @@ dependencies = [ "base64 0.22.1", "bytes", "h2 0.4.7", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", "hyper 1.5.1", @@ -5562,7 +5630,7 @@ dependencies = [ "prost-build", "prost-types", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5587,14 +5655,14 @@ dependencies = [ [[package]] name = "tower" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2873938d487c3cfb9aed7546dc9f2711d867c9f90c46b889989a2cb84eba6b4f" +checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9" dependencies = [ "futures-core", "futures-util", "pin-project-lite", - "sync_wrapper 0.1.2", + "sync_wrapper 1.0.2", "tower-layer", "tower-service", ] @@ -5613,9 +5681,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" -version = "0.1.40" +version = "0.1.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef" +checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0" dependencies = [ "log", "pin-project-lite", @@ -5631,14 +5699,14 @@ checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "tracing-core" -version = "0.1.32" +version = "0.1.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54" +checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c" dependencies = [ "once_cell", "valuable", @@ -5657,9 +5725,9 @@ dependencies = [ [[package]] name = "tracing-subscriber" -version = "0.3.18" +version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b" +checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008" dependencies = [ "nu-ansi-term", "sharded-slab", @@ -5677,9 +5745,9 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tss-esapi" -version = "7.5.1" +version = "7.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9ba6594ded739cb539f8ffcd3713f6c21d4525c47314bbc6de15c0cd251aedf" +checksum = "78ea9ccde878b029392ac97b5be1f470173d06ea41d18ad0bb3c92794c16a0f2" dependencies = [ "bitfield 0.14.0", "enumflags2", @@ -5796,26 +5864,26 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "ureq" -version = "2.10.1" +version = "2.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b74fc6b57825be3373f7054754755f03ac3a8f5d70015ccad699ba2029956f4a" +checksum = "02d1a66277ed75f640d608235660df48c8e3c19f3b4edb6a263315626cc3c01d" dependencies = [ "base64 0.22.1", "log", "once_cell", - "rustls 0.23.17", + "rustls 0.23.20", "rustls-pki-types", "serde", "serde_json", "url", - "webpki-roots 0.26.6", + "webpki-roots 0.26.7", ] [[package]] name = "url" -version = "2.5.3" +version = "2.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada" +checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60" dependencies = [ "form_urlencoded", "idna", @@ -5906,7 +5974,7 @@ dependencies = [ "intel-tee-quote-verification-rs", "jsonwebkey", "jsonwebtoken", - "kbs-types 0.9.1", + "kbs-types 0.9.1 (git+https://github.com/Xynnn007/kbs-types.git?rev=f56c565)", "log", "openssl", "reqwest 0.12.9", @@ -5917,7 +5985,7 @@ dependencies = [ "serde_json", "serde_with", "serial_test", - "sev 4.0.0", + "sev", "sha2", "shadow-rs", "strum 0.25.0", @@ -5970,9 +6038,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" +checksum = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396" dependencies = [ "cfg-if", "once_cell", @@ -5981,36 +6049,36 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" +checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79" dependencies = [ "bumpalo", "log", - "once_cell", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-futures" -version = "0.4.45" +version = "0.4.49" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b" +checksum = "38176d9b44ea84e9184eff0bc34cc167ed044f816accfe5922e54d84cf48eca2" dependencies = [ "cfg-if", "js-sys", + "once_cell", "wasm-bindgen", "web-sys", ] [[package]] name = "wasm-bindgen-macro" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" +checksum = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -6018,28 +6086,28 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" +checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "wasm-bindgen-backend", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" +checksum = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6" [[package]] name = "web-sys" -version = "0.3.72" +version = "0.3.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112" +checksum = "04dd7223427d52553d3702c004d3b2fe07c148165faa56313cb00211e31c12bc" dependencies = [ "js-sys", "wasm-bindgen", @@ -6063,9 +6131,9 @@ checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" [[package]] name = "webpki-roots" -version = "0.26.6" +version = "0.26.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "841c67bff177718f1d4dfefde8d8f0e78f9b6589319ba88312f567fc5841a958" +checksum = "5d642ff16b7e79272ae451b7322067cdc17cadf68c23264be9d94a32319efe7e" dependencies = [ "rustls-pki-types", ] @@ -6104,7 +6172,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]] @@ -6375,9 +6443,9 @@ checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" [[package]] name = "yoke" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40" dependencies = [ "serde", "stable_deref_trait", @@ -6387,13 +6455,13 @@ dependencies = [ [[package]] name = "yoke-derive" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "synstructure 0.13.1", ] @@ -6415,27 +6483,27 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "zerofrom" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55" +checksum = "cff3ee08c995dee1859d998dea82f7374f2826091dd9cd47def953cae446cd2e" dependencies = [ "zerofrom-derive", ] [[package]] name = "zerofrom-derive" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5" +checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "synstructure 0.13.1", ] @@ -6456,7 +6524,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -6478,7 +6546,7 @@ checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index a90282580..3bbc9a5f7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -32,11 +32,12 @@ hex = "0.4.3" jwt-simple = { version = "0.12", default-features = false, features = [ "pure-rust", ] } -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } -kbs-types = { git = "https://github.com/virtee/kbs-types.git", rev = "a704036" } +kbs_protocol = { git = "https://github.com/Xynnn007/guest-components.git", rev = "e2b642d", default-features = false } +kbs-types = { git = "https://github.com/Xynnn007/kbs-types.git", rev = "f56c565" } kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" +p256 = "0.13.2" prost = "0.13" regorus = { version = "0.2.6", default-features = false, features = [ "regex", diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 92035f32e..7753cbebc 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -37,12 +37,14 @@ pkcs11 = ["cryptoki"] actix-web = { workspace = true, features = ["openssl"] } actix-web-httpauth.workspace = true aes-gcm = "0.10.1" +aes-kw = "0.2.1" anyhow.workspace = true async-trait.workspace = true base64.workspace = true cfg-if.workspace = true clap = { workspace = true, features = ["derive", "env"] } config.workspace = true +concat-kdf = "0.1.0" cryptoki = { version = "0.7.0", optional = true } env_logger.workspace = true jsonwebtoken = { workspace = true, default-features = false } @@ -52,6 +54,7 @@ kms = { workspace = true, default-features = false } lazy_static = "1.4.0" log.workspace = true mobc = { version = "0.8.5", optional = true } +p256 = { workspace = true, features = ["ecdh"] } prost = { workspace = true, optional = true } rand = "0.8.5" regex = "1.11.1" diff --git a/kbs/src/jwe.rs b/kbs/src/jwe.rs index f57502644..0971f5556 100644 --- a/kbs/src/jwe.rs +++ b/kbs/src/jwe.rs @@ -2,28 +2,96 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use std::collections::BTreeMap; +use core::{clone::Clone, convert::TryInto}; -use aes_gcm::{aead::AeadMutInPlace, Aes256Gcm, KeyInit, Nonce}; +use aes_gcm::{ + aead::{generic_array::GenericArray, AeadMutInPlace}, + Aes256Gcm, KeyInit, Nonce, +}; +use aes_kw::{Kek, KekAes256}; use anyhow::{anyhow, bail, Context, Result}; use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; use kbs_types::{ProtectedHeader, Response, TeePubKey}; +use log::warn; +use p256::{ + ecdh::EphemeralSecret, elliptic_curve::sec1::FromEncodedPoint, EncodedPoint, PublicKey, +}; use rand::{rngs::OsRng, Rng}; -use rsa::{BigUint, Pkcs1v15Encrypt, RsaPublicKey}; +use rsa::{sha2::Sha256, BigUint, Oaep, Pkcs1v15Encrypt, RsaPublicKey}; +use serde_json::{json, Map}; -// TODO: Use RSA-OEAP rather than PKCS1v15 -const RSA_ALGORITHM: &str = "RSA1_5"; +/// RSA PKCS#1 v1.5 +const RSA1_5_ALGORITHM: &str = "RSA1_5"; + +/// RSAES OAEP using SHA-256 and MGF1 with SHA-256 +const RSA_OAEP256_ALGORITHM: &str = "RSA-OAEP-256"; + +/// ECDH-ES using Concat KDF and CEK wrapped with "A256KW" +const ECDH_ES_A256KW: &str = "ECDH-ES+A256KW"; + +/// The elliptic curve key type +const EC_KTY: &str = "EC"; + +/// The elliptic curve name of p256. +const P256_CURVE: &str = "P-256"; + +/// AES 256 GCM const AES_GCM_256_ALGORITHM: &str = "A256GCM"; -pub fn jwe(tee_pub_key: TeePubKey, mut payload_data: Vec) -> Result { - let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else { - bail!("Only RSA key is support for TEE pub key") +/// AES 256 GCM Key length in bits +const AES_GCM_256_KEY_BITS: u32 = 256; + +/// Use RSAv1.5 to encrypt the payload data. +/// Warning: This algorithm is deprecated per +/// +#[deprecated(note = "This algorithm is no longer recommended.")] +fn rsa_1v15(k_mod: String, k_exp: String, mut payload_data: Vec) -> Result { + warn!("Get JWE request using deprecated kcs#1 v1.5 encryption, which has potential security issues."); + let mut rng = rand::thread_rng(); + + let aes_sym_key = Aes256Gcm::generate_key(&mut OsRng); + let mut cipher = Aes256Gcm::new(&aes_sym_key); + let iv = rng.gen::<[u8; 12]>(); + let nonce = Nonce::from_slice(&iv); + let protected = ProtectedHeader { + alg: RSA1_5_ALGORITHM.to_string(), + enc: AES_GCM_256_ALGORITHM.to_string(), + other_fields: Map::new(), }; - if alg != *RSA_ALGORITHM { - bail!("algorithm is not {RSA_ALGORITHM} but {alg}"); - } + let aad = protected.generate_aad().context("Generate JWE AAD")?; + + let tag = cipher + .encrypt_in_place_detached(nonce, &aad, &mut payload_data) + .map_err(|e| anyhow!("AES encrypt Resource payload failed: {e}"))?; + + let k_mod = URL_SAFE_NO_PAD + .decode(k_mod) + .context("base64 decode k_mod failed")?; + let n = BigUint::from_bytes_be(&k_mod); + let k_exp = URL_SAFE_NO_PAD + .decode(k_exp) + .context("base64 decode k_exp failed")?; + let e = BigUint::from_bytes_be(&k_exp); + + let rsa_pub_key = + RsaPublicKey::new(n, e).context("Building RSA key from modulus and exponent failed")?; + let encrypted_key = rsa_pub_key + .encrypt(&mut rng, Pkcs1v15Encrypt, aes_sym_key.as_slice()) + .context("RSA encrypt sym key failed")?; + Ok(Response { + protected, + encrypted_key, + iv: iv.into(), + ciphertext: payload_data, + aad: None, + tag: tag.to_vec(), + }) +} + +/// Use RSA-OAEP SHA-256 to encrypt the payload data. +fn rsa_oaep256(k_mod: String, k_exp: String, mut payload_data: Vec) -> Result { let mut rng = rand::thread_rng(); let aes_sym_key = Aes256Gcm::generate_key(&mut OsRng); @@ -31,9 +99,9 @@ pub fn jwe(tee_pub_key: TeePubKey, mut payload_data: Vec) -> Result(); let nonce = Nonce::from_slice(&iv); let protected = ProtectedHeader { - alg: RSA_ALGORITHM.to_string(), + alg: RSA_OAEP256_ALGORITHM.to_string(), enc: AES_GCM_256_ALGORITHM.to_string(), - other_fields: BTreeMap::new(), + other_fields: Map::new(), }; let aad = protected.generate_aad().context("Generate JWE AAD")?; @@ -53,8 +121,9 @@ pub fn jwe(tee_pub_key: TeePubKey, mut payload_data: Vec) -> Result(); let encrypted_key = rsa_pub_key - .encrypt(&mut rng, Pkcs1v15Encrypt, aes_sym_key.as_slice()) + .encrypt(&mut rng, padding, aes_sym_key.as_slice()) .context("RSA encrypt sym key failed")?; Ok(Response { @@ -67,19 +136,145 @@ pub fn jwe(tee_pub_key: TeePubKey, mut payload_data: Vec) -> Result) -> Result { + let mut rng = rand::thread_rng(); + + // 1. Generate a random CEK + let cek = Aes256Gcm::generate_key(&mut rng); + + // 2. Wrap the CEK and generate ProtectedHeader + let x: [u8; 32] = URL_SAFE_NO_PAD + .decode(x) + .context("base64 decode x failed")? + .try_into() + .map_err(|_| anyhow!("invalid bytes length of coordinates X"))?; + let y: [u8; 32] = URL_SAFE_NO_PAD + .decode(y) + .context("base64 decode y failed")? + .try_into() + .map_err(|_| anyhow!("invalid bytes length of coordinates Y"))?; + let client_point = EncodedPoint::from_affine_coordinates( + &GenericArray::from(x), + &GenericArray::from(y), + false, + ); + let public_key = PublicKey::from_encoded_point(&client_point) + .into_option() + .ok_or(anyhow!("invalid TEE public key"))?; + let encrypter_secret = EphemeralSecret::random(&mut rng); + let z = encrypter_secret + .diffie_hellman(&public_key) + .raw_secret_bytes() + .to_vec(); + let mut key_derivation_materials = Vec::new(); + key_derivation_materials.extend_from_slice(&(ECDH_ES_A256KW.len() as u32).to_be_bytes()); + key_derivation_materials.extend_from_slice(ECDH_ES_A256KW.as_bytes()); + key_derivation_materials.extend_from_slice(&(0 as u32).to_be_bytes()); + key_derivation_materials.extend_from_slice(&(0 as u32).to_be_bytes()); + key_derivation_materials.extend_from_slice(&AES_GCM_256_KEY_BITS.to_be_bytes()); + let mut wrapping_key = Vec::new(); + wrapping_key.resize(32, 0); + concat_kdf::derive_key_into::( + &z, + &key_derivation_materials, + &mut wrapping_key, + ) + .map_err(|e| anyhow!("failed to do concat KDF: {e:?}"))?; + let wrapping_key: [u8; 32] = wrapping_key + .try_into() + .map_err(|_| anyhow!("invalid bytes length of AES wrapping key"))?; + let wrapping_key: KekAes256 = Kek::new(&GenericArray::from(wrapping_key)); + let mut encrypted_key = Vec::new(); + encrypted_key.resize(40, 0); + let cek = cek.to_vec(); + wrapping_key + .wrap(&cek, &mut encrypted_key) + .map_err(|e| anyhow!("failed to do AES wrapping: {e:?}"))?; + + let point = EncodedPoint::from(encrypter_secret.public_key()); + let epk_x = point + .x() + .ok_or(anyhow!("invalid public key: without coordicate X"))?; + let epk_y = point + .y() + .ok_or(anyhow!("invalid public key: without coordicate Y"))?; + let epk_x = URL_SAFE_NO_PAD.encode(epk_x); + let epk_y = URL_SAFE_NO_PAD.encode(epk_y); + let protected = ProtectedHeader { + alg: ECDH_ES_A256KW.to_string(), + enc: AES_GCM_256_ALGORITHM.to_string(), + other_fields: json!({ + "epk": { + "crv": P256_CURVE, + "kty": EC_KTY, + "x": epk_x, + "y": epk_y + } + }) + .as_object() + .unwrap() + .clone(), + }; + + // 3. Encrypt content with CEK + let mut cek_cipher = Aes256Gcm::new(&GenericArray::from_slice(&cek)); + + let iv = rand::thread_rng().gen::<[u8; 12]>(); + let nonce = Nonce::from_slice(&iv); + let aad = protected.generate_aad().context("Generate JWE AAD")?; + + let tag = cek_cipher + .encrypt_in_place_detached(nonce, &aad, &mut payload_data) + .map_err(|e| anyhow!("AES encrypt Resource payload failed: {e}"))?; + + Ok(Response { + protected, + encrypted_key, + iv: iv.into(), + ciphertext: payload_data, + aad: None, + tag: tag.to_vec(), + }) +} + +pub fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { + match tee_pub_key { + TeePubKey::RSA { alg, k_mod, k_exp } => match &alg[..] { + #[allow(deprecated)] + RSA1_5_ALGORITHM => rsa_1v15(k_mod, k_exp, payload_data), + RSA_OAEP256_ALGORITHM => rsa_oaep256(k_mod, k_exp, payload_data), + others => bail!("algorithm {others} is not supported"), + }, + TeePubKey::EC { crv, alg, x, y } => match (&crv[..], &alg[..]) { + (P256_CURVE, ECDH_ES_A256KW) => ecdh_es_a256kw_p256(x, y, payload_data), + (crv, alg) => bail!("curve {crv} and algorithm {alg} is not supported"), + }, + } +} + #[cfg(test)] mod tests { use core::assert_eq; use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; - use josekit::jwe::{alg::rsaes::RsaesJweAlgorithm::Rsa1_5, JweContext, JweHeader}; + use josekit::jwe::{ + alg::{ecdh_es::EcdhEsJweAlgorithm::EcdhEsA256kw, rsaes::RsaesJweAlgorithm::RsaOaep256}, + JweContext, JweHeader, JweHeaderSet, + }; use kbs_types::TeePubKey; use openssl::rsa::Rsa; + use p256::{pkcs8::EncodePrivateKey, EncodedPoint, SecretKey}; + + use crate::jwe::{ + AES_GCM_256_ALGORITHM, ECDH_ES_A256KW, P256_CURVE, RSA1_5_ALGORITHM, RSA_OAEP256_ALGORITHM, + }; use super::jwe; + #[allow(deprecated)] #[test] - fn jwe_compability() { + fn jwe_rsav15_compability() { let test_data = b"this is a test data"; // Generate a 4096-bit RSA key pair @@ -87,7 +282,7 @@ mod tests { let k_mod = URL_SAFE_NO_PAD.encode(rsa_key.n().to_vec()); let k_exp = URL_SAFE_NO_PAD.encode(rsa_key.e().to_vec()); let tee_key = TeePubKey::RSA { - alg: "RSA1_5".into(), + alg: RSA1_5_ALGORITHM.into(), k_mod, k_exp, }; @@ -97,12 +292,12 @@ mod tests { let response_string = serde_json::to_string(&response).unwrap(); // Decrypt with josekit crate - let decrypter = Rsa1_5 + let decrypter = josekit::jwe::alg::rsaes::RsaesJweAlgorithm::Rsa1_5 .decrypter_from_pem(rsa_key.private_key_to_pem().unwrap()) .unwrap(); let mut header = JweHeader::new(); header.set_token_type("JWT"); - header.set_content_encryption("A256GCM"); + header.set_content_encryption(AES_GCM_256_ALGORITHM); let context = JweContext::new(); let (decrypted_data, header) = context .deserialize_json(&response_string, &decrypter) @@ -110,8 +305,94 @@ mod tests { assert_eq!(decrypted_data, test_data); let mut jwe_header = JweHeader::new(); - jwe_header.set_claim("alg", Some("RSA1_5".into())).unwrap(); - jwe_header.set_claim("enc", Some("A256GCM".into())).unwrap(); + jwe_header + .set_claim("alg", Some(RSA1_5_ALGORITHM.into())) + .unwrap(); + jwe_header + .set_claim("enc", Some(AES_GCM_256_ALGORITHM.into())) + .unwrap(); assert_eq!(header, jwe_header); } + + #[test] + fn jwe_rsa_oaep_compability() { + let test_data = b"this is a test data"; + + // Generate a 4096-bit RSA key pair + let rsa_key = Rsa::generate(4096).unwrap(); + let k_mod = URL_SAFE_NO_PAD.encode(rsa_key.n().to_vec()); + let k_exp = URL_SAFE_NO_PAD.encode(rsa_key.e().to_vec()); + let tee_key = TeePubKey::RSA { + alg: RSA_OAEP256_ALGORITHM.into(), + k_mod, + k_exp, + }; + + // Generate a JWE response + let response = jwe(tee_key, test_data.to_vec()).unwrap(); + let response_string = serde_json::to_string(&response).unwrap(); + + // Decrypt with josekit crate + let decrypter = RsaOaep256 + .decrypter_from_pem(rsa_key.private_key_to_pem().unwrap()) + .unwrap(); + let mut header = JweHeader::new(); + header.set_token_type("JWT"); + header.set_content_encryption(AES_GCM_256_ALGORITHM); + let context = JweContext::new(); + let (decrypted_data, header) = context + .deserialize_json(&response_string, &decrypter) + .unwrap(); + assert_eq!(decrypted_data, test_data); + + let mut jwe_header = JweHeader::new(); + jwe_header + .set_claim("alg", Some(RSA_OAEP256_ALGORITHM.into())) + .unwrap(); + jwe_header + .set_claim("enc", Some(AES_GCM_256_ALGORITHM.into())) + .unwrap(); + assert_eq!(header, jwe_header); + } + + #[test] + fn jwe_ec() { + let test_data = b"this is a test data"; + + // Generate a EC key pair + let mut rng = rand::thread_rng(); + let private_key = SecretKey::random(&mut rng); + let point = EncodedPoint::from(private_key.public_key()); + let x = point.x().unwrap(); + let y = point.y().unwrap(); + let x = URL_SAFE_NO_PAD.encode(x); + let y = URL_SAFE_NO_PAD.encode(y); + + let tee_key = TeePubKey::EC { + crv: P256_CURVE.into(), + alg: ECDH_ES_A256KW.into(), + x, + y, + }; + + // Generate a JWE response + let response = jwe(tee_key, test_data.to_vec()).unwrap(); + let response_string = serde_json::to_string(&response).unwrap(); + + let mut header = JweHeaderSet::new(); + header.set_algorithm("ECDH-ES+A256KW", true); + header.set_content_encryption("A256GCM", true); + + // Decrypt JWE with JOSEkit crate + let private_key = private_key + .to_pkcs8_pem(rsa::pkcs8::LineEnding::LF) + .unwrap(); + let decrypter = EcdhEsA256kw.decrypter_from_pem(&private_key).unwrap(); + + let context = JweContext::new(); + let (decrypted_data, _) = context + .deserialize_json(&response_string, &decrypter) + .unwrap(); + assert_eq!(decrypted_data, test_data); + } }