Remove Symmetric signing.

chipsalliance · Dec 18, 2024 · af0251e · af0251e
1 parent 48ca029
commit af0251e
Show file tree

Hide file tree

Showing 22 changed files with 31 additions and 342 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/ci.sh b/ci.sh
@@ -83,7 +83,8 @@ run_verification_tests dpe_profile_p384_sha384 rustcrypto
 # Build fuzz target
 ( cd dpe/fuzz
   rustup toolchain install nightly-2023-11-16
-  cargo +nightly-2023-11-16 install cargo-fuzz cargo-afl --locked
+  cargo +nightly-2023-11-16 install cargo-fuzz --locked
+  cargo +nightly-2023-11-16 install cargo-afl --version 0.13.2 --locked
   cargo fmt --check
   cargo clippy --features libfuzzer-sys
   cargo clippy --features afl

diff --git a/crypto/Cargo.toml b/crypto/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2021"
 
 [features]
 openssl = ["dep:openssl", "dep:hkdf", "dep:sha2"]
-rustcrypto = ["dep:hkdf", "dep:hmac", "dep:p256", "dep:p384", "dep:rand", "dep:sha2", "dep:base64ct", "dep:ecdsa", "dep:sec1"]
+rustcrypto = ["dep:hkdf", "dep:p256", "dep:p384", "dep:rand", "dep:sha2", "dep:base64ct", "dep:ecdsa", "dep:sec1"]
 deterministic_rand = ["dep:rand"]
 no-cfi = []
 
@@ -17,7 +17,6 @@ caliptra-cfi-lib-git = { workspace = true, default-features = false, features =
 caliptra-cfi-derive-git.workspace = true
 ecdsa = { version = "0.16.9", optional = true, features = ["pem"]}
 hkdf = { version = "0.12.3", optional = true }
-hmac = {version="0.12.1", optional = true}
 openssl = {workspace = true, optional = true}
 p256 = {version= "0.13.2", optional = true}
 p384 = {version= "0.13.0", optional = true}

diff --git a/crypto/src/lib.rs b/crypto/src/lib.rs
@@ -240,24 +240,6 @@ pub trait Crypto {
         priv_key: &Self::PrivKey,
         pub_key: &EcdsaPub,
     ) -> Result<EcdsaSig, CryptoError>;
-
-    /// Sign `digest` with a derived HMAC key from the CDI.
-    ///
-    /// # Arguments
-    ///
-    /// * `algs` - Which length of algorithms to use.
-    /// * `cdi` - CDI from which to derive the signing key
-    /// * `label` - Caller-supplied label to use in symmetric key derivation
-    /// * `info` - Caller-supplied info string to use in symmetric key derivation
-    /// * `digest` - Digest of data to be signed.
-    fn hmac_sign_with_derived(
-        &mut self,
-        algs: AlgLen,
-        cdi: &Self::Cdi,
-        label: &[u8],
-        info: &[u8],
-        digest: &Digest,
-    ) -> Result<HmacSig, CryptoError>;
 }
 #[cfg(test)]
 mod tests {

diff --git a/crypto/src/openssl.rs b/crypto/src/openssl.rs
@@ -1,6 +1,6 @@
 // Licensed under the Apache-2.0 license
 
-use crate::{hkdf::*, AlgLen, Crypto, CryptoBuf, CryptoError, Digest, EcdsaPub, Hasher, HmacSig};
+use crate::{hkdf::*, AlgLen, Crypto, CryptoBuf, CryptoError, Digest, EcdsaPub, Hasher};
 #[cfg(not(feature = "no-cfi"))]
 use caliptra_cfi_derive_git::cfi_impl_fn;
 use openssl::{
@@ -10,8 +10,7 @@ use openssl::{
     error::ErrorStack,
     hash::MessageDigest,
     nid::Nid,
-    pkey::{PKey, Private},
-    sign::Signer,
+    pkey::Private,
 };
 #[cfg(feature = "deterministic_rand")]
 use rand::{rngs::StdRng, RngCore, SeedableRng};
@@ -205,23 +204,4 @@ impl Crypto for OpensslCrypto {
 
         Ok(super::EcdsaSig { r, s })
     }
-
-    fn hmac_sign_with_derived(
-        &mut self,
-        algs: AlgLen,
-        cdi: &Self::Cdi,
-        label: &[u8],
-        info: &[u8],
-        digest: &Digest,
-    ) -> Result<HmacSig, CryptoError> {
-        let (symmetric_key, _) = self.derive_key_pair(algs, cdi, label, info)?;
-        let hmac_key = PKey::hmac(symmetric_key.bytes()).unwrap();
-
-        let sha_size = Self::get_digest(algs);
-        let mut signer = Signer::new(sha_size, &hmac_key).unwrap();
-        signer.update(digest.bytes()).unwrap();
-        let hmac = signer.sign_to_vec().unwrap();
-
-        Ok(HmacSig::new(&hmac).unwrap())
-    }
 }
diff --git a/crypto/src/rustcrypto.rs b/crypto/src/rustcrypto.rs
@@ -1,11 +1,8 @@
 // Licensed under the Apache-2.0 license
 
-use crate::{
-    hkdf::*, AlgLen, Crypto, CryptoBuf, CryptoError, Digest, EcdsaPub, EcdsaSig, Hasher, HmacSig,
-};
+use crate::{hkdf::*, AlgLen, Crypto, CryptoBuf, CryptoError, Digest, EcdsaPub, EcdsaSig, Hasher};
 use core::ops::Deref;
 use ecdsa::{signature::hazmat::PrehashSigner, Signature};
-use hmac::{Hmac, Mac};
 use p256::NistP256;
 use p384::NistP384;
 use rand::{rngs::StdRng, RngCore, SeedableRng};
@@ -174,27 +171,4 @@ impl Crypto for RustCryptoImpl {
             }
         }
     }
-
-    fn hmac_sign_with_derived(
-        &mut self,
-        algs: AlgLen,
-        cdi: &Self::Cdi,
-        label: &[u8],
-        info: &[u8],
-        digest: &Digest,
-    ) -> Result<HmacSig, CryptoError> {
-        let (symmetric_key, _) = self.derive_key_pair(algs, cdi, label, info)?;
-        match algs {
-            AlgLen::Bit256 => {
-                let mut hmac = Hmac::<Sha256>::new_from_slice(symmetric_key.bytes()).unwrap();
-                Mac::update(&mut hmac, digest.bytes());
-                HmacSig::new(hmac.finalize().into_bytes().as_slice())
-            }
-            AlgLen::Bit384 => {
-                let mut hmac = Hmac::<Sha384>::new_from_slice(symmetric_key.bytes()).unwrap();
-                Mac::update(&mut hmac, digest.bytes());
-                HmacSig::new(hmac.finalize().into_bytes().as_slice())
-            }
-        }
-    }
 }
diff --git a/crypto/src/signer.rs b/crypto/src/signer.rs
@@ -26,9 +26,6 @@ impl EcdsaPub {
     }
 }
 
-/// An HMAC Signature
-pub type HmacSig = CryptoBuf;
-
 /// A common base struct that can be used for all digests, signatures, and keys.
 #[derive(Debug, PartialEq, Eq, ZeroizeOnDrop)]
 pub struct CryptoBuf(ArrayVec<u8, { Self::MAX_SIZE }>);

diff --git a/dpe/Cargo.toml b/dpe/Cargo.toml
@@ -17,7 +17,6 @@ disable_auto_init = []
 disable_rotate_context = []
 disable_x509 = []
 disable_csr = []
-disable_is_symmetric = []
 disable_internal_info = []
 disable_internal_dice = []
 disable_retain_parent_context = []

diff --git a/dpe/src/commands/certify_key.rs b/dpe/src/commands/certify_key.rs
@@ -298,7 +298,6 @@ mod tests {
         dpe_instance::tests::{TestTypes, SIMULATION_HANDLE, TEST_LOCALITIES},
         support::Support,
         x509::tests::TcbInfo,
-        DpeProfile,
     };
     use caliptra_cfi_lib_git::CfiCounter;
     use cms::{
@@ -311,7 +310,6 @@ mod tests {
         bn::BigNum,
         ec::{EcGroup, EcKey},
         ecdsa::EcdsaSig,
-        hash::{Hasher, MessageDigest},
         nid::*,
     };
     use platform::default::DefaultPlatform;

diff --git a/dpe/src/commands/derive_context.rs b/dpe/src/commands/derive_context.rs
@@ -678,7 +678,7 @@ mod tests {
             Ok(Response::Sign(resp)) => (
                 resp.new_context_handle,
                 EcdsaSig::from_private_components(
-                    BigNum::from_slice(&resp.sig_r_or_hmac).unwrap(),
+                    BigNum::from_slice(&resp.sig_r).unwrap(),
                     BigNum::from_slice(&resp.sig_s).unwrap(),
                 )
                 .unwrap(),