From e49016a205effd24045c092945993bc73d25213d Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Mon, 25 Nov 2024 11:06:52 +0800 Subject: [PATCH 1/3] KBS: Update KBS protocol to 0.2.0 to fix JWE Fixes #583. This commit does two things: 1. Fix JWE format to align with RFC 7516. 2. Use more strong algorithm for JWE. Due to RFC 7516, the JWE AEAD Auth Tag should be expcilitly be included inside the `tag` part. Before this commit, the tag is actually included as the suffix of the `ciphertext`. We fix this by expcilitly extract the tag and include it into the jwe body. Also, we fix the AAD calculation logic, s.t. derived from ProtectedHeader which is also specifiled by RFC7516. This should be align with the guest-components side. This commit supports the following JWE algorithms for KBS response: 1. RSA PKCS v1.5 Padding. This algorithm is not recommended but for compability it is still reserved. 2. RSA OAEP. 3. ECDH-ES-A256KW with curve P256. This is recommended as EC algorithms are more fast and safe. which algorithm is used is decided by the TEE public key sent by the client. Some more unit tests to test the compability is added to make sure the algorithm is implemented as standard. Both change will make the kbs_client not able to connect to the KBS. Thus we update the KBS protocol version from 0.1.1 to 0.2.0. Signed-off-by: Xynnn007 --- Cargo.lock | 709 +++++++++++++++------------ Cargo.toml | 5 +- kbs/Cargo.toml | 4 + kbs/docs/kbs_attestation_protocol.md | 17 +- kbs/src/attestation/backend.rs | 4 +- kbs/src/jwe.rs | 388 +++++++++++++-- 6 files changed, 774 insertions(+), 353 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bd4d0c590..e09e1d689 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,6 +1,6 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 3 +version = 4 [[package]] name = "actix-codec" @@ -66,7 +66,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e01ed3140b2f8d422c68afa1ed2e85d996ea619c988ac834d255db32138655cb" dependencies = [ "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -203,7 +203,7 @@ dependencies = [ "actix-router", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -271,6 +271,15 @@ dependencies = [ "subtle", ] +[[package]] +name = "aes-kw" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69fa2b352dcefb5f7f3a5fb840e02665d311d878955380515e4fd50095dd3d8c" +dependencies = [ + "aes", +] + [[package]] name = "ahash" version = "0.7.8" @@ -394,9 +403,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.93" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" +checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7" [[package]] name = "arrayref" @@ -478,7 +487,7 @@ checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -489,7 +498,7 @@ checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -505,19 +514,19 @@ source = "git+https://github.com/confidential-containers/guest-components.git?re dependencies = [ "anyhow", "async-trait", - "attester", + "attester 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", "base64 0.22.1", "config", "const_format", - "crypto", - "kbs-types", + "crypto 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", + "kbs-types 0.7.0", "log", "serde", "serde_json", "sha2", "strum", "tempfile", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "toml 0.8.19", ] @@ -532,13 +541,13 @@ dependencies = [ "async-trait", "base64 0.22.1", "cfg-if", - "clap 4.5.21", + "clap 4.5.23", "ear 0.3.0", "env_logger 0.10.2", "futures", "hex", "jsonwebtoken", - "kbs-types", + "kbs-types 0.9.1", "lazy_static", "log", "openssl", @@ -557,7 +566,7 @@ dependencies = [ "strum", "tempfile", "testing_logger", - "thiserror 2.0.3", + "thiserror 2.0.7", "time", "tokio", "tonic", @@ -570,6 +579,25 @@ dependencies = [ name = "attester" version = "0.1.0" source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" +dependencies = [ + "anyhow", + "async-trait", + "base64 0.22.1", + "hex", + "kbs-types 0.7.0", + "log", + "serde", + "serde_json", + "serde_with", + "sha2", + "strum", + "thiserror 2.0.7", +] + +[[package]] +name = "attester" +version = "0.1.0" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=ff56818#ff5681809df12e0e94c9d4a60f168f69d7f3e6e0" dependencies = [ "anyhow", "async-trait", @@ -579,9 +607,9 @@ dependencies = [ "codicon", "csv-rs", "hex", - "hyper 0.14.31", + "hyper 0.14.32", "hyper-tls 0.5.0", - "kbs-types", + "kbs-types 0.9.1", "log", "occlum_dcap", "s390_pv", @@ -589,12 +617,12 @@ dependencies = [ "serde", "serde_json", "serde_with", - "sev 3.2.0", + "sev", "sha2", "strum", "tdx-attest-rs", "tempfile", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", ] @@ -625,7 +653,7 @@ dependencies = [ "axum-core", "bytes", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", "itoa", @@ -637,7 +665,7 @@ dependencies = [ "rustversion", "serde", "sync_wrapper 1.0.2", - "tower 0.5.1", + "tower 0.5.2", "tower-layer", "tower-service", ] @@ -651,7 +679,7 @@ dependencies = [ "async-trait", "bytes", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", "mime", @@ -675,9 +703,9 @@ dependencies = [ "serde", "serde-big-array", "serde_json", - "sev 4.0.0", + "sev", "sha2", - "thiserror 2.0.3", + "thiserror 2.0.7", "tss-esapi", "zerocopy", ] @@ -690,11 +718,11 @@ checksum = "7c16506502dc64f7111f7241ca400f3ee0f54e69dfd1f4be5cef29b96332f22e" dependencies = [ "az-cvm-vtpm", "bincode", - "clap 4.5.21", + "clap 4.5.23", "openssl", "serde", - "sev 4.0.0", - "thiserror 2.0.3", + "sev", + "thiserror 2.0.7", "ureq", ] @@ -709,7 +737,7 @@ dependencies = [ "bincode", "serde", "serde_json", - "thiserror 2.0.3", + "thiserror 2.0.7", "ureq", "zerocopy", ] @@ -819,15 +847,15 @@ dependencies = [ "regex", "rustc-hash 1.1.0", "shlex", - "syn 2.0.87", + "syn 2.0.90", "which", ] [[package]] name = "binstring" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e0d60973d9320722cb1206f412740e162a33b8547ea8d6be75d7cff237c7a85" +checksum = "ed79c2a8151273c70956b5e3cdfdc1ff6c1a8b9779ba59c6807d281b32ee2f86" [[package]] name = "bitfield" @@ -929,9 +957,9 @@ checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b" [[package]] name = "bytestring" -version = "1.3.1" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74d80203ea6b29df88012294f62733de21cfeab47f17b41af3a38bc30a03ee72" +checksum = "e465647ae23b2823b0753f50decb2d5a86d2bb2cac04788fafd1f80e45378e5f" dependencies = [ "bytes", ] @@ -957,9 +985,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.1" +version = "1.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" +checksum = "9157bbaa6b165880c27a4293a474c91cdcf265cc68cc829bf10be0964a391caf" dependencies = [ "jobserver", "libc", @@ -989,9 +1017,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chrono" -version = "0.4.38" +version = "0.4.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401" +checksum = "7e36cc9d416881d2e24f9a963be5fb1cd90966419ac844274161d10488b3e825" dependencies = [ "android-tzdata", "iana-time-zone", @@ -1068,7 +1096,7 @@ checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" dependencies = [ "glob", "libc", - "libloading 0.8.5", + "libloading 0.8.6", ] [[package]] @@ -1088,9 +1116,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.21" +version = "4.5.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb3b4b9e5a7c7514dfa52869339ee98b3156b0bfb4e8a77c4ff4babb64b1604f" +checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84" dependencies = [ "clap_builder", "clap_derive", @@ -1098,9 +1126,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.21" +version = "4.5.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b17a95aa67cc7b5ebd32aa5370189aa0d79069ef1c64ce893bd30fb24bff20ec" +checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838" dependencies = [ "anstream", "anstyle", @@ -1117,20 +1145,20 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "clap_lex" -version = "0.7.3" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afb84c814227b90d6895e01398aee0d8033c00e7466aca416fb6a8e0eb19d8a7" +checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "coarsetime" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13b3839cf01bb7960114be3ccf2340f541b6d0c81f8690b007b2b39f750f7e5d" +checksum = "4252bf230cb600c19826a575b31c8c9c84c6f11acfab6dfcad2e941b10b6f8e2" dependencies = [ "libc", "wasix", @@ -1149,6 +1177,15 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" +[[package]] +name = "concat-kdf" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d72c1252426a83be2092dd5884a5f6e3b8e7180f6891b6263d2c21b92ec8816" +dependencies = [ + "digest", +] + [[package]] name = "config" version = "0.13.4" @@ -1182,18 +1219,18 @@ checksum = "373e9fafaa20882876db20562275ff58d50e0caa2590077fe7ce7bef90211d0d" [[package]] name = "const_format" -version = "0.2.33" +version = "0.2.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50c655d81ff1114fb0dcdea9225ea9f0cc712a6f8d189378e82bdf62a473a64b" +checksum = "126f97965c8ad46d6d9163268ff28432e8f6a1196a55578867832e3049df63dd" dependencies = [ "const_format_proc_macros", ] [[package]] name = "const_format_proc_macros" -version = "0.2.33" +version = "0.2.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eff1a44b93f47b1bac19a27932f5c591e43d1ba357ee4f61526c8a25603f0eb1" +checksum = "1d57c2eccfb16dbac1f4e61e206105db5820c9d26c3c472bc17c774259ef7744" dependencies = [ "proc-macro2", "quote", @@ -1308,9 +1345,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.20" +version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" +checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] name = "crunchy" @@ -1327,7 +1364,29 @@ dependencies = [ "anyhow", "base64 0.22.1", "ctr", - "kbs-types", + "kbs-types 0.7.0", + "rand", + "rsa", + "serde", + "serde_json", + "sha2", + "strum", + "zeroize", +] + +[[package]] +name = "crypto" +version = "0.1.0" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=ff56818#ff5681809df12e0e94c9d4a60f168f69d7f3e6e0" +dependencies = [ + "aes-gcm", + "aes-kw", + "anyhow", + "base64 0.22.1", + "concat-kdf", + "ctr", + "kbs-types 0.9.1", + "p256", "rand", "rsa", "serde", @@ -1392,7 +1451,7 @@ dependencies = [ "bitflags 1.3.2", "codicon", "dirs", - "hyper 0.14.31", + "hyper 0.14.32", "hyper-tls 0.5.0", "iocuddle", "libc", @@ -1407,9 +1466,9 @@ dependencies = [ [[package]] name = "ct-codecs" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "026ac6ceace6298d2c557ef5ed798894962296469ec7842288ea64674201a2d1" +checksum = "b916ba8ce9e4182696896f015e8a5ae6081b305f74690baa8465e35f5a142ea4" [[package]] name = "ctr" @@ -1559,7 +1618,7 @@ dependencies = [ "proc-macro2", "quote", "rustc_version", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -1612,7 +1671,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -1743,7 +1802,7 @@ checksum = "de0d48a183585823424a4ce1aa132d174a6a81bd540895822eb4c8373a8e49e8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -1793,12 +1852,12 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.9" +version = "0.3.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" +checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d" dependencies = [ "libc", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -1944,7 +2003,7 @@ checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -2074,7 +2133,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.6.0", + "indexmap 2.7.0", "slab", "tokio", "tokio-util", @@ -2092,8 +2151,8 @@ dependencies = [ "fnv", "futures-core", "futures-sink", - "http 1.1.0", - "indexmap 2.6.0", + "http 1.2.0", + "indexmap 2.7.0", "slab", "tokio", "tokio-util", @@ -2127,9 +2186,9 @@ checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" [[package]] name = "hashbrown" -version = "0.15.1" +version = "0.15.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3" +checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" [[package]] name = "heck" @@ -2146,12 +2205,6 @@ dependencies = [ "libc", ] -[[package]] -name = "hermit-abi" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" - [[package]] name = "hermit-abi" version = "0.4.0" @@ -2184,35 +2237,35 @@ dependencies = [ [[package]] name = "hmac-sha1-compact" -version = "1.1.4" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9d405ec732fa3fcde87264e54a32a84956a377b3e3107de96e59b798c84a7" +checksum = "18492c9f6f9a560e0d346369b665ad2bdbc89fa9bceca75796584e79042694c3" [[package]] name = "hmac-sha256" -version = "1.1.7" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3688e69b38018fec1557254f64c8dc2cc8ec502890182f395dbb0aa997aa5735" +checksum = "4a8575493d277c9092b988c780c94737fb9fd8651a1001e16bee3eccfc1baedb" dependencies = [ "digest", ] [[package]] name = "hmac-sha512" -version = "1.1.5" +version = "1.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4ce1f4656bae589a3fab938f9f09bf58645b7ed01a2c5f8a3c238e01a4ef78a" +checksum = "b0b3a0f572aa8389d325f5852b9e0a333a15b0f86ecccbb3fdb6e97cd86dc67c" dependencies = [ "digest", ] [[package]] name = "home" -version = "0.5.9" +version = "0.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" +checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -2234,9 +2287,9 @@ dependencies = [ [[package]] name = "http" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21b9ddb458710bc376481b842f5da65cdf31522de232c1ca8146abce2a358258" +checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea" dependencies = [ "bytes", "fnv", @@ -2261,7 +2314,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184" dependencies = [ "bytes", - "http 1.1.0", + "http 1.2.0", ] [[package]] @@ -2272,7 +2325,7 @@ checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f" dependencies = [ "bytes", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "pin-project-lite", ] @@ -2297,9 +2350,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" [[package]] name = "hyper" -version = "0.14.31" +version = "0.14.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85" +checksum = "41dfc780fdec9373c01bae43289ea34c972e40ee3c9f6b3c8801a35f35586ce7" dependencies = [ "bytes", "futures-channel", @@ -2321,15 +2374,15 @@ dependencies = [ [[package]] name = "hyper" -version = "1.5.1" +version = "1.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97818827ef4f364230e16705d4706e2897df2bb60617d6ca15d598025a3c481f" +checksum = "256fb8d4bd6413123cc9d91832d78325c48ff41677595be797d90f42969beae0" dependencies = [ "bytes", "futures-channel", "futures-util", "h2 0.4.7", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "httparse", "httpdate", @@ -2348,7 +2401,7 @@ checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ "futures-util", "http 0.2.12", - "hyper 0.14.31", + "hyper 0.14.32", "rustls 0.21.12", "tokio", "tokio-rustls 0.24.1", @@ -2361,15 +2414,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333" dependencies = [ "futures-util", - "http 1.1.0", - "hyper 1.5.1", + "http 1.2.0", + "hyper 1.5.2", "hyper-util", - "rustls 0.23.17", + "rustls 0.23.20", "rustls-pki-types", "tokio", - "tokio-rustls 0.26.0", + "tokio-rustls 0.26.1", "tower-service", - "webpki-roots 0.26.6", + "webpki-roots 0.26.7", ] [[package]] @@ -2378,7 +2431,7 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0" dependencies = [ - "hyper 1.5.1", + "hyper 1.5.2", "hyper-util", "pin-project-lite", "tokio", @@ -2392,7 +2445,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" dependencies = [ "bytes", - "hyper 0.14.31", + "hyper 0.14.32", "native-tls", "tokio", "tokio-native-tls", @@ -2406,7 +2459,7 @@ checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" dependencies = [ "bytes", "http-body-util", - "hyper 1.5.1", + "hyper 1.5.2", "hyper-util", "native-tls", "tokio", @@ -2423,9 +2476,9 @@ dependencies = [ "bytes", "futures-channel", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", - "hyper 1.5.1", + "hyper 1.5.2", "pin-project-lite", "socket2", "tokio", @@ -2571,7 +2624,7 @@ checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -2619,12 +2672,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.6.0" +version = "2.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" +checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f" dependencies = [ "equivalent", - "hashbrown 0.15.1", + "hashbrown 0.15.2", ] [[package]] @@ -2688,9 +2741,9 @@ dependencies = [ [[package]] name = "is_debug" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06d198e9919d9822d5f7083ba8530e04de87841eaf21ead9af8f2304efd57c89" +checksum = "e8ea828c9d6638a5bd3d8b14e37502b4d56cae910ccf8a5b7f51c7a0eb1d0508" [[package]] name = "is_terminal_polyfill" @@ -2700,18 +2753,18 @@ checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" [[package]] name = "itertools" -version = "0.12.1" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" +checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186" dependencies = [ "either", ] [[package]] name = "itoa" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "540654e97a3f4470a492cd30ff187bc95d89557a903a2bbf112e2fae98104ef2" +checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "jobserver" @@ -2722,12 +2775,30 @@ dependencies = [ "libc", ] +[[package]] +name = "josekit" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a603084e34e151e215d232e401df0d9299bdced264b8054e4888ea614e59bb06" +dependencies = [ + "anyhow", + "base64 0.22.1", + "flate2", + "openssl", + "regex", + "serde", + "serde_json", + "thiserror 1.0.69", + "time", +] + [[package]] name = "js-sys" -version = "0.3.72" +version = "0.3.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" +checksum = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7" dependencies = [ + "once_cell", "wasm-bindgen", ] @@ -2776,9 +2847,9 @@ dependencies = [ [[package]] name = "jwt-simple" -version = "0.12.10" +version = "0.12.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50ae7e0018905a795d6f2a60ac32a547490abdd8df509906a8c6171e6d861711" +checksum = "b00e03c08ce71da10a3ad9267b963c03fc4234a56713d87648547b3fdda872a6" dependencies = [ "anyhow", "binstring", @@ -2796,7 +2867,7 @@ dependencies = [ "serde", "serde_json", "superboring", - "thiserror 1.0.69", + "thiserror 2.0.7", "zeroize", ] @@ -2821,25 +2892,29 @@ dependencies = [ "actix-web", "actix-web-httpauth", "aes-gcm", + "aes-kw", "anyhow", "async-trait", "attestation-service", "az-cvm-vtpm", "base64 0.22.1", "cfg-if", - "clap 4.5.21", + "clap 4.5.23", + "concat-kdf", "config", "cryptoki", "derivative", "env_logger 0.10.2", + "josekit", "jsonwebtoken", "jwt-simple", - "kbs-types", + "kbs-types 0.9.1", "kms", "lazy_static", "log", "mobc", "openssl", + "p256", "prost", "rand", "regex", @@ -2853,7 +2928,7 @@ dependencies = [ "serde_json", "strum", "tempfile", - "thiserror 2.0.3", + "thiserror 2.0.7", "time", "tokio", "tonic", @@ -2867,7 +2942,7 @@ version = "0.1.0" dependencies = [ "anyhow", "base64 0.22.1", - "clap 4.5.21", + "clap 4.5.23", "env_logger 0.10.2", "jwt-simple", "kbs_protocol", @@ -2888,25 +2963,36 @@ dependencies = [ "serde_json", ] +[[package]] +name = "kbs-types" +version = "0.9.1" +source = "git+https://github.com/Xynnn007/kbs-types.git?rev=f56c565#f56c5651f86ea0da43e1db02d13be87ee1363018" +dependencies = [ + "base64 0.22.1", + "serde", + "serde_json", + "thiserror 2.0.7", +] + [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8#e6999a3c0fd877dae9e68ea78b8b483062db32b8" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=ff56818#ff5681809df12e0e94c9d4a60f168f69d7f3e6e0" dependencies = [ "anyhow", "async-trait", - "attester", + "attester 0.1.0 (git+https://github.com/Xynnn007/guest-components.git?rev=ff56818)", "base64 0.22.1", - "crypto", + "crypto 0.1.0 (git+https://github.com/Xynnn007/guest-components.git?rev=ff56818)", "jwt-simple", - "kbs-types", + "kbs-types 0.9.1", "log", "reqwest 0.12.9", - "resource_uri", + "resource_uri 0.1.0 (git+https://github.com/Xynnn007/guest-components.git?rev=ff56818)", "serde", "serde_json", "sha2", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "url", "zeroize", @@ -2930,13 +3016,13 @@ dependencies = [ "prost", "rand", "reqwest 0.12.9", - "resource_uri", + "resource_uri 0.1.0 (git+https://github.com/confidential-containers/guest-components.git?rev=e6999a3c0fd877dae9e68ea78b8b483062db32b8)", "ring", "serde", "serde_json", "sha2", "strum", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "toml 0.8.19", "tonic", @@ -2996,12 +3082,12 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" +checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] @@ -3046,9 +3132,9 @@ checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" [[package]] name = "litemap" -version = "0.7.3" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" +checksum = "4ee93343901ab17bd981295f2cf0026d4ad018c7c31ba84549a4ddbb47a45104" [[package]] name = "litrs" @@ -3153,11 +3239,10 @@ dependencies = [ [[package]] name = "mio" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" +checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" dependencies = [ - "hermit-abi 0.3.9", "libc", "log", "wasi", @@ -3267,7 +3352,7 @@ checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3381,7 +3466,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3518,7 +3603,7 @@ checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.5.7", + "redox_syscall 0.5.8", "smallvec", "windows-targets 0.52.6", ] @@ -3583,20 +3668,20 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "879952a81a83930934cbf1786752d6dedc3b1f29e8f8fb2ad1d0a36f377cf442" +checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc" dependencies = [ "memchr", - "thiserror 1.0.69", + "thiserror 2.0.7", "ucd-trie", ] [[package]] name = "pest_derive" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d214365f632b123a47fd913301e14c946c61d1c183ee245fa76eb752e59a02dd" +checksum = "816518421cfc6887a0d62bf441b6ffb4536fcc926395a69e1a85852d4363f57e" dependencies = [ "pest", "pest_generator", @@ -3604,22 +3689,22 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb55586734301717aea2ac313f50b2eb8f60d2fc3dc01d190eefa2e625f60c4e" +checksum = "7d1396fd3a870fc7838768d171b4616d5c91f6cc25e377b673d714567d99377b" dependencies = [ "pest", "pest_meta", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "pest_meta" -version = "2.7.14" +version = "2.7.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b75da2a70cf4d9cb76833c990ac9cd3923c9a8905a8929789ce347c84564d03d" +checksum = "e1e58089ea25d717bfd31fb534e4f3afcc2cc569c70de3e239778991ea3b7dea" dependencies = [ "once_cell", "pest", @@ -3633,7 +3718,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.6.0", + "indexmap 2.7.0", ] [[package]] @@ -3677,7 +3762,7 @@ dependencies = [ "phf_shared", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3741,7 +3826,7 @@ checksum = "3c0f5fad0874fc7abcd4d750e76917eaebbecaa2c20bde22e1dbeeba8beb758c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3797,9 +3882,9 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" +checksum = "280dc24453071f1b63954171985a0b0d30058d287960968b9b2aca264c8d4ee6" [[package]] name = "powerfmt" @@ -3823,7 +3908,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033" dependencies = [ "proc-macro2", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -3861,18 +3946,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.89" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" +checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0" dependencies = [ "unicode-ident", ] [[package]] name = "prost" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b0487d90e047de87f984913713b85c601c05609aad5b0df4b4573fbf69aa13f" +checksum = "2c0fef6c4230e4ccf618a35c59d7ede15dea37de8427500f50aff708806e42ec" dependencies = [ "bytes", "prost-derive", @@ -3880,11 +3965,10 @@ dependencies = [ [[package]] name = "prost-build" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c1318b19085f08681016926435853bbf7858f9c082d0999b80550ff5d9abe15" +checksum = "d0f3e5beed80eb580c68e2c600937ac2c4eedabdfd5ef1e5b7ea4f3fba84497b" dependencies = [ - "bytes", "heck", "itertools", "log", @@ -3895,28 +3979,28 @@ dependencies = [ "prost", "prost-types", "regex", - "syn 2.0.87", + "syn 2.0.90", "tempfile", ] [[package]] name = "prost-derive" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9552f850d5f0964a4e4d0bf306459ac29323ddfbae05e35a7c0d35cb0803cc5" +checksum = "157c5a9d7ea5c2ed2d9fb8f495b64759f7816c7eaea54ba3978f0d63000162e3" dependencies = [ "anyhow", "itertools", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "prost-types" -version = "0.13.3" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4759aa0d3a6232fb8dbdb97b61de2c20047c68aca932c7ed76da9d788508d670" +checksum = "cc2f1e56baa61e93533aebc21af4d2134b70f66275e0fcdf3cbe43d77ff7e8fc" dependencies = [ "prost", ] @@ -3947,10 +4031,10 @@ dependencies = [ "pin-project-lite", "quinn-proto", "quinn-udp", - "rustc-hash 2.0.0", - "rustls 0.23.17", + "rustc-hash 2.1.0", + "rustls 0.23.20", "socket2", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "tracing", ] @@ -3965,11 +4049,11 @@ dependencies = [ "getrandom", "rand", "ring", - "rustc-hash 2.0.0", - "rustls 0.23.17", + "rustc-hash 2.1.0", + "rustls 0.23.20", "rustls-pki-types", "slab", - "thiserror 2.0.3", + "thiserror 2.0.7", "tinyvec", "tracing", "web-time", @@ -4057,9 +4141,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f" +checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834" dependencies = [ "bitflags 2.6.0", ] @@ -4085,7 +4169,7 @@ dependencies = [ "base64 0.22.1", "cfg-if", "chrono", - "clap 4.5.21", + "clap 4.5.23", "config", "env_logger 0.10.2", "log", @@ -4179,7 +4263,7 @@ dependencies = [ "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", - "hyper 0.14.31", + "hyper 0.14.32", "hyper-rustls 0.24.2", "hyper-tls 0.5.0", "ipnet", @@ -4221,10 +4305,10 @@ dependencies = [ "cookie_store", "futures-core", "futures-util", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", - "hyper 1.5.1", + "hyper 1.5.2", "hyper-rustls 0.27.3", "hyper-tls 0.6.0", "hyper-util", @@ -4237,7 +4321,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.17", + "rustls 0.23.20", "rustls-pemfile 2.2.0", "rustls-pki-types", "serde", @@ -4246,13 +4330,13 @@ dependencies = [ "sync_wrapper 1.0.2", "tokio", "tokio-native-tls", - "tokio-rustls 0.26.0", + "tokio-rustls 0.26.1", "tower-service", "url", "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots 0.26.6", + "webpki-roots 0.26.7", "windows-registry", ] @@ -4267,6 +4351,17 @@ dependencies = [ "url", ] +[[package]] +name = "resource_uri" +version = "0.1.0" +source = "git+https://github.com/Xynnn007/guest-components.git?rev=ff56818#ff5681809df12e0e94c9d4a60f168f69d7f3e6e0" +dependencies = [ + "anyhow", + "serde", + "serde_json", + "url", +] + [[package]] name = "rfc6979" version = "0.4.0" @@ -4305,9 +4400,9 @@ dependencies = [ [[package]] name = "rsa" -version = "0.9.6" +version = "0.9.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d0e5124fcb30e76a7e79bfee683a2746db83784b86289f6251b54b7950a0dfc" +checksum = "47c75d7c5c6b673e58bf54d8544a9f432e3a925b0e80f7cd3602ab5c50c55519" dependencies = [ "const-oid", "digest", @@ -4349,7 +4444,7 @@ dependencies = [ "regex", "relative-path", "rustc_version", - "syn 2.0.87", + "syn 2.0.90", "unicode-ident", ] @@ -4377,9 +4472,9 @@ checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" [[package]] name = "rustc-hash" -version = "2.0.0" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152" +checksum = "c7fb8039b3032c191086b10f11f319a6e99e1e82889c5cc6046f515c9db1d497" [[package]] name = "rustc_version" @@ -4401,15 +4496,15 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.41" +version = "0.38.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7f649912bc1495e167a6edee79151c84b1bad49748cb4f1f1167f459f6224f6" +checksum = "f93dc38ecbab2eb790ff964bb77fa94faf256fd3e73285fd7ba0903b76bedb85" dependencies = [ "bitflags 2.6.0", "errno", "libc", "linux-raw-sys", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] @@ -4426,9 +4521,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.17" +version = "0.23.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f1a745511c54ba6d4465e8d5dfbd81b45791756de28d4981af70d6dca128f1e" +checksum = "5065c3f250cbd332cd894be57c40fa52387247659b14a2d6041d121547903b1b" dependencies = [ "log", "once_cell", @@ -4459,9 +4554,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.10.0" +version = "1.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b" +checksum = "d2bf47e6ff922db3825eb750c4e2ff784c6ff8fb9e13046ef6a1d1c5401b0b37" dependencies = [ "web-time", ] @@ -4542,9 +4637,9 @@ dependencies = [ [[package]] name = "scc" -version = "2.2.5" +version = "2.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66b202022bb57c049555430e11fc22fea12909276a80a4c3d368da36ac1d88ed" +checksum = "94b13f8ea6177672c49d12ed964cca44836f59621981b04a3e26b87e675181de" dependencies = [ "sdd", ] @@ -4575,7 +4670,7 @@ checksum = "d2ee4885492bb655bfa05d039cd9163eb8fe9f79ddebf00ca23a1637510c2fd2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4610,7 +4705,7 @@ checksum = "1db149f81d46d2deba7cd3c50772474707729550221e69588478ebf9ada425ae" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4621,7 +4716,7 @@ checksum = "7f81c2fde025af7e69b1d1420531c8a8811ca898919db177141a85313b1cb932" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4636,9 +4731,9 @@ dependencies = [ [[package]] name = "sdd" -version = "3.0.4" +version = "3.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49c1eeaf4b6a87c7479688c6d52b9f1153cedd3c489300564f932b065c6eab95" +checksum = "478f121bb72bbf63c52c93011ea1791dca40140dfe13f8336c4c5ac952c33aa9" [[package]] name = "sec1" @@ -4688,9 +4783,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.23" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" +checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba" [[package]] name = "serde" @@ -4727,7 +4822,7 @@ checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -4736,6 +4831,7 @@ version = "1.0.133" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377" dependencies = [ + "indexmap 2.7.0", "itoa", "memchr", "ryu", @@ -4823,30 +4919,6 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "sev" -version = "3.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35156eab65ff1b63432b5a11a06b770e92120033e2831c7dee064865de5dbbbd" -dependencies = [ - "base64 0.22.1", - "bincode", - "bitfield 0.15.0", - "bitflags 1.3.2", - "byteorder", - "codicon", - "dirs", - "hex", - "iocuddle", - "lazy_static", - "libc", - "serde", - "serde-big-array", - "serde_bytes", - "static_assertions", - "uuid", -] - [[package]] name = "sev" version = "4.0.0" @@ -4998,9 +5070,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "socket2" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c" +checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8" dependencies = [ "libc", "windows-sys 0.52.0", @@ -5071,7 +5143,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5082,9 +5154,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "superboring" -version = "0.1.3" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cee25cd9d145d2c1ef92a52720376eeb510c8870dfa0f84edb371901ec6a12ca" +checksum = "515cce34a781d7250b8a65706e0f2a5b99236ea605cb235d4baed6685820478f" dependencies = [ "getrandom", "hmac-sha256", @@ -5106,9 +5178,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.87" +version = "2.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" +checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31" dependencies = [ "proc-macro2", "quote", @@ -5150,7 +5222,7 @@ checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5247,11 +5319,11 @@ dependencies = [ [[package]] name = "thiserror" -version = "2.0.3" +version = "2.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c006c85c7651b3cf2ada4584faa36773bd07bac24acfb39f3c431b36d7e667aa" +checksum = "93605438cbd668185516ab499d589afb7ee1859ea3d5fc8f6b0755e1c7443767" dependencies = [ - "thiserror-impl 2.0.3", + "thiserror-impl 2.0.7", ] [[package]] @@ -5262,18 +5334,18 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "thiserror-impl" -version = "2.0.3" +version = "2.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f077553d607adc1caf65430528a576c757a71ed73944b66ebb58ef2bbd243568" +checksum = "e1d8749b4531af2117677a5fcd12b1348a3fe2b81e36e61ffeac5c4aa3273e36" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5288,9 +5360,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.36" +version = "0.3.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885" +checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21" dependencies = [ "deranged", "itoa", @@ -5311,9 +5383,9 @@ checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" [[package]] name = "time-macros" -version = "0.2.18" +version = "0.2.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f252a68540fde3a3877aeea552b832b40ab9a69e318efd078774a01ddee1ccf" +checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de" dependencies = [ "num-conv", "time-core", @@ -5346,9 +5418,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.41.1" +version = "1.42.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" +checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" dependencies = [ "backtrace", "bytes", @@ -5370,7 +5442,7 @@ checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5406,20 +5478,19 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.26.0" +version = "0.26.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37" dependencies = [ - "rustls 0.23.17", - "rustls-pki-types", + "rustls 0.23.20", "tokio", ] [[package]] name = "tokio-stream" -version = "0.1.16" +version = "0.1.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f4e6ce100d0eb49a2734f8c0812bcd324cf357d21810932c5df6b96ef2b86f1" +checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047" dependencies = [ "futures-core", "pin-project-lite", @@ -5428,9 +5499,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.12" +version = "0.7.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61e7c3654c13bcd040d4a03abee2c75b1d14a37b423cf5a813ceae1cc903ec6a" +checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078" dependencies = [ "bytes", "futures-core", @@ -5475,7 +5546,7 @@ version = "0.22.22" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5" dependencies = [ - "indexmap 2.6.0", + "indexmap 2.7.0", "serde", "serde_spanned", "toml_datetime", @@ -5494,10 +5565,10 @@ dependencies = [ "base64 0.22.1", "bytes", "h2 0.4.7", - "http 1.1.0", + "http 1.2.0", "http-body 1.0.1", "http-body-util", - "hyper 1.5.1", + "hyper 1.5.2", "hyper-timeout", "hyper-util", "percent-encoding", @@ -5523,7 +5594,7 @@ dependencies = [ "prost-build", "prost-types", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -5548,14 +5619,14 @@ dependencies = [ [[package]] name = "tower" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2873938d487c3cfb9aed7546dc9f2711d867c9f90c46b889989a2cb84eba6b4f" +checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9" dependencies = [ "futures-core", "futures-util", "pin-project-lite", - "sync_wrapper 0.1.2", + "sync_wrapper 1.0.2", "tower-layer", "tower-service", ] @@ -5574,9 +5645,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" -version = "0.1.40" +version = "0.1.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef" +checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0" dependencies = [ "log", "pin-project-lite", @@ -5592,14 +5663,14 @@ checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "tracing-core" -version = "0.1.32" +version = "0.1.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54" +checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c" dependencies = [ "once_cell", "valuable", @@ -5618,9 +5689,9 @@ dependencies = [ [[package]] name = "tracing-subscriber" -version = "0.3.18" +version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b" +checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008" dependencies = [ "nu-ansi-term", "sharded-slab", @@ -5638,9 +5709,9 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tss-esapi" -version = "7.5.1" +version = "7.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9ba6594ded739cb539f8ffcd3713f6c21d4525c47314bbc6de15c0cd251aedf" +checksum = "78ea9ccde878b029392ac97b5be1f470173d06ea41d18ad0bb3c92794c16a0f2" dependencies = [ "bitfield 0.14.0", "enumflags2", @@ -5757,26 +5828,26 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "ureq" -version = "2.10.1" +version = "2.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b74fc6b57825be3373f7054754755f03ac3a8f5d70015ccad699ba2029956f4a" +checksum = "02d1a66277ed75f640d608235660df48c8e3c19f3b4edb6a263315626cc3c01d" dependencies = [ "base64 0.22.1", "log", "once_cell", - "rustls 0.23.17", + "rustls 0.23.20", "rustls-pki-types", "serde", "serde_json", "url", - "webpki-roots 0.26.6", + "webpki-roots 0.26.7", ] [[package]] name = "url" -version = "2.5.3" +version = "2.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada" +checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60" dependencies = [ "form_urlencoded", "idna", @@ -5867,7 +5938,7 @@ dependencies = [ "intel-tee-quote-verification-rs", "jsonwebkey", "jsonwebtoken", - "kbs-types", + "kbs-types 0.9.1", "log", "openssl", "reqwest 0.12.9", @@ -5878,11 +5949,11 @@ dependencies = [ "serde_json", "serde_with", "serial_test", - "sev 4.0.0", + "sev", "sha2", "shadow-rs", "strum", - "thiserror 2.0.3", + "thiserror 2.0.7", "tokio", "tonic-build", "veraison-apiclient", @@ -5931,9 +6002,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" +checksum = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396" dependencies = [ "cfg-if", "once_cell", @@ -5942,36 +6013,36 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" +checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79" dependencies = [ "bumpalo", "log", - "once_cell", "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-futures" -version = "0.4.45" +version = "0.4.49" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b" +checksum = "38176d9b44ea84e9184eff0bc34cc167ed044f816accfe5922e54d84cf48eca2" dependencies = [ "cfg-if", "js-sys", + "once_cell", "wasm-bindgen", "web-sys", ] [[package]] name = "wasm-bindgen-macro" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" +checksum = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -5979,28 +6050,28 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" +checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "wasm-bindgen-backend", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.95" +version = "0.2.99" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" +checksum = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6" [[package]] name = "web-sys" -version = "0.3.72" +version = "0.3.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112" +checksum = "04dd7223427d52553d3702c004d3b2fe07c148165faa56313cb00211e31c12bc" dependencies = [ "js-sys", "wasm-bindgen", @@ -6024,9 +6095,9 @@ checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" [[package]] name = "webpki-roots" -version = "0.26.6" +version = "0.26.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "841c67bff177718f1d4dfefde8d8f0e78f9b6589319ba88312f567fc5841a958" +checksum = "5d642ff16b7e79272ae451b7322067cdc17cadf68c23264be9d94a32319efe7e" dependencies = [ "rustls-pki-types", ] @@ -6065,7 +6136,7 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] [[package]] @@ -6336,9 +6407,9 @@ checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" [[package]] name = "yoke" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40" dependencies = [ "serde", "stable_deref_trait", @@ -6348,13 +6419,13 @@ dependencies = [ [[package]] name = "yoke-derive" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "synstructure 0.13.1", ] @@ -6376,27 +6447,27 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] name = "zerofrom" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55" +checksum = "cff3ee08c995dee1859d998dea82f7374f2826091dd9cd47def953cae446cd2e" dependencies = [ "zerofrom-derive", ] [[package]] name = "zerofrom-derive" -version = "0.1.4" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5" +checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", "synstructure 0.13.1", ] @@ -6417,7 +6488,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] @@ -6439,7 +6510,7 @@ checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.90", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 9c5db45fc..9873d8353 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -32,11 +32,12 @@ hex = "0.4.3" jwt-simple = { version = "0.12", default-features = false, features = [ "pure-rust", ] } -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } -kbs-types = "0.7.0" +kbs_protocol = { git = "https://github.com/Xynnn007/guest-components.git", rev = "ff56818", default-features = false } +kbs-types = { git = "https://github.com/Xynnn007/kbs-types.git", rev = "f56c565" } kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "e6999a3c0fd877dae9e68ea78b8b483062db32b8", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" +p256 = "0.13.2" prost = "0.13" regorus = { version = "0.2.6", default-features = false, features = [ "regex", diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index 663dcc03a..7753cbebc 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -37,12 +37,14 @@ pkcs11 = ["cryptoki"] actix-web = { workspace = true, features = ["openssl"] } actix-web-httpauth.workspace = true aes-gcm = "0.10.1" +aes-kw = "0.2.1" anyhow.workspace = true async-trait.workspace = true base64.workspace = true cfg-if.workspace = true clap = { workspace = true, features = ["derive", "env"] } config.workspace = true +concat-kdf = "0.1.0" cryptoki = { version = "0.7.0", optional = true } env_logger.workspace = true jsonwebtoken = { workspace = true, default-features = false } @@ -52,6 +54,7 @@ kms = { workspace = true, default-features = false } lazy_static = "1.4.0" log.workspace = true mobc = { version = "0.8.5", optional = true } +p256 = { workspace = true, features = ["ecdh"] } prost = { workspace = true, optional = true } rand = "0.8.5" regex = "1.11.1" @@ -83,6 +86,7 @@ attestation-service = { path = "../attestation-service", default-features = fals ], optional = true } [dev-dependencies] +josekit = "0.10.0" tempfile.workspace = true rstest.workspace = true diff --git a/kbs/docs/kbs_attestation_protocol.md b/kbs/docs/kbs_attestation_protocol.md index 8a77e84b8..f2f49454f 100644 --- a/kbs/docs/kbs_attestation_protocol.md +++ b/kbs/docs/kbs_attestation_protocol.md @@ -191,6 +191,7 @@ payload that follows the [JSON Web Encryption](https://www.rfc-editor.org/rfc/rf { "protected": "$jose_header", "encrypted_key": "$encrypted_key", + "aad": "$aad", "iv": "$iv", "ciphertext": "$ciphertext", "tag": "$tag" @@ -204,6 +205,7 @@ The above JWE JSON fields are defined as follows: let jose_header_string = format!(r#"{{"alg": "{}","enc": "{}"}}"#, alg, enc); let jose_header = base64_url::encode(&jose_header_string); let encrypted_key = base64_url::encode(enc_kbs_symkey); +let aad = base64_url::encode(additional_authenticated_data); let iv = base64_url::encode(initialization_vector); let ciphertext = base64_url::encode(response_output); @@ -212,13 +214,13 @@ tag = base64_url::encode(authentication_tag); ``` -- `alg` +- `protected.alg` Algorithm used to encrypt the encryption key at `encrypted_key`. Since the key is encrypted using the HW-TEE public key, `alg` must be the same value as described in the [`Attestation`](#attestation)'s `tee-pubkey` field. -- `enc` +- `protected.enc` Encryption algorithm used to encrypt the output of the KBS service API. @@ -227,6 +229,12 @@ Encryption algorithm used to encrypt the output of the KBS service API. The output of the KBS service API. It must be encrypted with the KBS-generated ephemeral key. +- `aad` (Required if AEAD is used) + +An input to an AEAD operation that is integrity protected but not encrypted. +Due to [JSON Web Encryption](https://www.rfc-editor.org/rfc/rfc7516), AAD field +should be calculated by `ASCII(BASE64URL(UTF8(JWE Protected Header)))` + - `iv` The input to a cryptographic primitive is used to provide the initial state. @@ -239,6 +247,11 @@ The encrypted symmetric key is used to encrypt `ciphertext`. This key is encrypted with the HW-TEE's public key, using the algorithm defined in `alg`. +- `tag` + +The authentication tag is used to authenticate the ciphertext. If the algorithm +described by `enc` used does not need it, this field is left blank. + ## Key Format ### Public Key diff --git a/kbs/src/attestation/backend.rs b/kbs/src/attestation/backend.rs index 6e130d0e8..d76374371 100644 --- a/kbs/src/attestation/backend.rs +++ b/kbs/src/attestation/backend.rs @@ -25,8 +25,8 @@ use super::{ }; static KBS_MAJOR_VERSION: u64 = 0; -static KBS_MINOR_VERSION: u64 = 1; -static KBS_PATCH_VERSION: u64 = 1; +static KBS_MINOR_VERSION: u64 = 2; +static KBS_PATCH_VERSION: u64 = 0; lazy_static! { static ref VERSION_REQ: VersionReq = { diff --git a/kbs/src/jwe.rs b/kbs/src/jwe.rs index 44e68d1b1..0e282b90e 100644 --- a/kbs/src/jwe.rs +++ b/kbs/src/jwe.rs @@ -2,34 +2,112 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use aes_gcm::{aead::Aead, Aes256Gcm, KeyInit, Nonce}; +use core::{clone::Clone, convert::TryInto}; + +use aes_gcm::{ + aead::{generic_array::GenericArray, AeadMutInPlace}, + Aes256Gcm, KeyInit, Nonce, +}; +use aes_kw::{Kek, KekAes256}; use anyhow::{anyhow, bail, Context, Result}; use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; -use kbs_types::{Response, TeePubKey}; +use kbs_types::{ProtectedHeader, Response, TeePubKey}; +use log::warn; +use p256::{ + ecdh::EphemeralSecret, elliptic_curve::sec1::FromEncodedPoint, EncodedPoint, PublicKey, +}; use rand::{rngs::OsRng, Rng}; -use rsa::{BigUint, Pkcs1v15Encrypt, RsaPublicKey}; -use serde_json::json; +use rsa::{sha2::Sha256, BigUint, Oaep, Pkcs1v15Encrypt, RsaPublicKey}; +use serde_json::{json, Map}; + +/// RSA PKCS#1 v1.5 +const RSA1_5_ALGORITHM: &str = "RSA1_5"; + +/// RSAES OAEP using SHA-256 and MGF1 with SHA-256 +const RSA_OAEP256_ALGORITHM: &str = "RSA-OAEP-256"; + +/// ECDH-ES using Concat KDF and CEK wrapped with "A256KW" +const ECDH_ES_A256KW: &str = "ECDH-ES+A256KW"; + +/// The elliptic curve key type +const EC_KTY: &str = "EC"; + +/// The elliptic curve name of p256. +const P256_CURVE: &str = "P-256"; -const RSA_ALGORITHM: &str = "RSA1_5"; +/// AES 256 GCM const AES_GCM_256_ALGORITHM: &str = "A256GCM"; -pub fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { - let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else { - bail!("Only RSA key is support for TEE pub key") +/// AES 256 GCM Key length in bits +const AES_GCM_256_KEY_BITS: u32 = 256; + +/// Use RSAv1.5 to encrypt the payload data. +/// Warning: This algorithm is deprecated per +/// +#[deprecated(note = "This algorithm is no longer recommended.")] +fn rsa_1v15(k_mod: String, k_exp: String, mut payload_data: Vec) -> Result { + warn!("Get JWE request using deprecated kcs#1 v1.5 encryption, which has potential security issues."); + let mut rng = rand::thread_rng(); + + let aes_sym_key = Aes256Gcm::generate_key(&mut OsRng); + let mut cipher = Aes256Gcm::new(&aes_sym_key); + let iv = rng.gen::<[u8; 12]>(); + let nonce = Nonce::from_slice(&iv); + let protected = ProtectedHeader { + alg: RSA1_5_ALGORITHM.to_string(), + enc: AES_GCM_256_ALGORITHM.to_string(), + other_fields: Map::new(), }; - if alg != *RSA_ALGORITHM { - bail!("algorithm is not {RSA_ALGORITHM} but {alg}"); - } + let aad = protected.generate_aad().context("Generate JWE AAD")?; + + let tag = cipher + .encrypt_in_place_detached(nonce, &aad, &mut payload_data) + .map_err(|e| anyhow!("AES encrypt Resource payload failed: {e}"))?; + let k_mod = URL_SAFE_NO_PAD + .decode(k_mod) + .context("base64 decode k_mod failed")?; + let n = BigUint::from_bytes_be(&k_mod); + let k_exp = URL_SAFE_NO_PAD + .decode(k_exp) + .context("base64 decode k_exp failed")?; + let e = BigUint::from_bytes_be(&k_exp); + + let rsa_pub_key = + RsaPublicKey::new(n, e).context("Building RSA key from modulus and exponent failed")?; + let encrypted_key = rsa_pub_key + .encrypt(&mut rng, Pkcs1v15Encrypt, aes_sym_key.as_slice()) + .context("RSA encrypt sym key failed")?; + + Ok(Response { + protected, + encrypted_key, + iv: iv.into(), + ciphertext: payload_data, + aad: None, + tag: tag.to_vec(), + }) +} + +/// Use RSA-OAEP SHA-256 to encrypt the payload data. +fn rsa_oaep256(k_mod: String, k_exp: String, mut payload_data: Vec) -> Result { let mut rng = rand::thread_rng(); let aes_sym_key = Aes256Gcm::generate_key(&mut OsRng); - let cipher = Aes256Gcm::new(&aes_sym_key); + let mut cipher = Aes256Gcm::new(&aes_sym_key); let iv = rng.gen::<[u8; 12]>(); let nonce = Nonce::from_slice(&iv); - let encrypted_payload_data = cipher - .encrypt(nonce, payload_data.as_slice()) + let protected = ProtectedHeader { + alg: RSA_OAEP256_ALGORITHM.to_string(), + enc: AES_GCM_256_ALGORITHM.to_string(), + other_fields: Map::new(), + }; + + let aad = protected.generate_aad().context("Generate JWE AAD")?; + + let tag = cipher + .encrypt_in_place_detached(nonce, &aad, &mut payload_data) .map_err(|e| anyhow!("AES encrypt Resource payload failed: {e}"))?; let k_mod = URL_SAFE_NO_PAD @@ -43,23 +121,277 @@ pub fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { let rsa_pub_key = RsaPublicKey::new(n, e).context("Building RSA key from modulus and exponent failed")?; - let sym_key: &[u8] = aes_sym_key.as_slice(); - let wrapped_sym_key = rsa_pub_key - .encrypt(&mut rng, Pkcs1v15Encrypt, sym_key) + let padding = Oaep::new::(); + let encrypted_key = rsa_pub_key + .encrypt(&mut rng, padding, aes_sym_key.as_slice()) .context("RSA encrypt sym key failed")?; - let protected_header = json!( - { - "alg": RSA_ALGORITHM.to_string(), - "enc": AES_GCM_256_ALGORITHM.to_string(), - }); + Ok(Response { + protected, + encrypted_key, + iv: iv.into(), + ciphertext: payload_data, + aad: None, + tag: tag.to_vec(), + }) +} + +/// Use ECDH-ES-A256KW to encrypt the payload data. The EC curve is P256. +fn ecdh_es_a256kw_p256(x: String, y: String, mut payload_data: Vec) -> Result { + let mut rng = rand::thread_rng(); + + // 1. Generate a random CEK + let cek = Aes256Gcm::generate_key(&mut rng); + + // 2. Wrap the CEK and generate ProtectedHeader + let x: [u8; 32] = URL_SAFE_NO_PAD + .decode(x) + .context("base64 decode x failed")? + .try_into() + .map_err(|_| anyhow!("invalid bytes length of coordinates X"))?; + let y: [u8; 32] = URL_SAFE_NO_PAD + .decode(y) + .context("base64 decode y failed")? + .try_into() + .map_err(|_| anyhow!("invalid bytes length of coordinates Y"))?; + let client_point = EncodedPoint::from_affine_coordinates( + &GenericArray::from(x), + &GenericArray::from(y), + false, + ); + let public_key = PublicKey::from_encoded_point(&client_point) + .into_option() + .ok_or(anyhow!("invalid TEE public key"))?; + let encrypter_secret = EphemeralSecret::random(&mut rng); + let z = encrypter_secret + .diffie_hellman(&public_key) + .raw_secret_bytes() + .to_vec(); + let mut key_derivation_materials = Vec::new(); + key_derivation_materials.extend_from_slice(&(ECDH_ES_A256KW.len() as u32).to_be_bytes()); + key_derivation_materials.extend_from_slice(ECDH_ES_A256KW.as_bytes()); + key_derivation_materials.extend_from_slice(&(0_u32).to_be_bytes()); + key_derivation_materials.extend_from_slice(&(0_u32).to_be_bytes()); + key_derivation_materials.extend_from_slice(&AES_GCM_256_KEY_BITS.to_be_bytes()); + let mut wrapping_key = vec![0; 32]; + concat_kdf::derive_key_into::( + &z, + &key_derivation_materials, + &mut wrapping_key, + ) + .map_err(|e| anyhow!("failed to do concat KDF: {e:?}"))?; + let wrapping_key: [u8; 32] = wrapping_key + .try_into() + .map_err(|_| anyhow!("invalid bytes length of AES wrapping key"))?; + let wrapping_key: KekAes256 = Kek::new(&GenericArray::from(wrapping_key)); + let mut encrypted_key = vec![0; 40]; + encrypted_key.resize(40, 0); + let cek = cek.to_vec(); + wrapping_key + .wrap(&cek, &mut encrypted_key) + .map_err(|e| anyhow!("failed to do AES wrapping: {e:?}"))?; + + let point = EncodedPoint::from(encrypter_secret.public_key()); + let epk_x = point + .x() + .ok_or(anyhow!("invalid public key: without coordicate X"))?; + let epk_y = point + .y() + .ok_or(anyhow!("invalid public key: without coordicate Y"))?; + let epk_x = URL_SAFE_NO_PAD.encode(epk_x); + let epk_y = URL_SAFE_NO_PAD.encode(epk_y); + let protected = ProtectedHeader { + alg: ECDH_ES_A256KW.to_string(), + enc: AES_GCM_256_ALGORITHM.to_string(), + other_fields: json!({ + "epk": { + "crv": P256_CURVE, + "kty": EC_KTY, + "x": epk_x, + "y": epk_y + } + }) + .as_object() + .unwrap() + .clone(), + }; + + // 3. Encrypt content with CEK + let mut cek_cipher = Aes256Gcm::new(GenericArray::from_slice(&cek)); + + let iv = rand::thread_rng().gen::<[u8; 12]>(); + let nonce = Nonce::from_slice(&iv); + let aad = protected.generate_aad().context("Generate JWE AAD")?; + + let tag = cek_cipher + .encrypt_in_place_detached(nonce, &aad, &mut payload_data) + .map_err(|e| anyhow!("AES encrypt Resource payload failed: {e}"))?; Ok(Response { - protected: serde_json::to_string(&protected_header) - .context("serde protected_header failed")?, - encrypted_key: URL_SAFE_NO_PAD.encode(wrapped_sym_key), - iv: URL_SAFE_NO_PAD.encode(iv), - ciphertext: URL_SAFE_NO_PAD.encode(encrypted_payload_data), - tag: "".to_string(), + protected, + encrypted_key, + iv: iv.into(), + ciphertext: payload_data, + aad: None, + tag: tag.to_vec(), }) } + +pub fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { + match tee_pub_key { + TeePubKey::RSA { alg, k_mod, k_exp } => match &alg[..] { + #[allow(deprecated)] + RSA1_5_ALGORITHM => rsa_1v15(k_mod, k_exp, payload_data), + RSA_OAEP256_ALGORITHM => rsa_oaep256(k_mod, k_exp, payload_data), + others => bail!("algorithm {others} is not supported"), + }, + TeePubKey::EC { crv, alg, x, y } => match (&crv[..], &alg[..]) { + (P256_CURVE, ECDH_ES_A256KW) => ecdh_es_a256kw_p256(x, y, payload_data), + (crv, alg) => bail!("curve {crv} and algorithm {alg} is not supported"), + }, + } +} + +#[cfg(test)] +mod tests { + use core::assert_eq; + + use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; + use josekit::jwe::{ + alg::{ecdh_es::EcdhEsJweAlgorithm::EcdhEsA256kw, rsaes::RsaesJweAlgorithm::RsaOaep256}, + JweContext, JweHeader, JweHeaderSet, + }; + use kbs_types::TeePubKey; + use openssl::rsa::Rsa; + use p256::{pkcs8::EncodePrivateKey, EncodedPoint, SecretKey}; + + use crate::jwe::{ + AES_GCM_256_ALGORITHM, ECDH_ES_A256KW, P256_CURVE, RSA1_5_ALGORITHM, RSA_OAEP256_ALGORITHM, + }; + + use super::jwe; + + #[allow(deprecated)] + #[test] + fn jwe_rsav15_compatibility() { + let test_data = b"this is a test data"; + + // Generate a 4096-bit RSA key pair + let rsa_key = Rsa::generate(4096).unwrap(); + let k_mod = URL_SAFE_NO_PAD.encode(rsa_key.n().to_vec()); + let k_exp = URL_SAFE_NO_PAD.encode(rsa_key.e().to_vec()); + let tee_key = TeePubKey::RSA { + alg: RSA1_5_ALGORITHM.into(), + k_mod, + k_exp, + }; + + // Generate a JWE response + let response = jwe(tee_key, test_data.to_vec()).unwrap(); + let response_string = serde_json::to_string(&response).unwrap(); + + // Decrypt with josekit crate + let decrypter = josekit::jwe::alg::rsaes::RsaesJweAlgorithm::Rsa1_5 + .decrypter_from_pem(rsa_key.private_key_to_pem().unwrap()) + .unwrap(); + let mut header = JweHeader::new(); + header.set_token_type("JWT"); + header.set_content_encryption(AES_GCM_256_ALGORITHM); + let context = JweContext::new(); + let (decrypted_data, header) = context + .deserialize_json(&response_string, &decrypter) + .unwrap(); + assert_eq!(decrypted_data, test_data); + + let mut jwe_header = JweHeader::new(); + jwe_header + .set_claim("alg", Some(RSA1_5_ALGORITHM.into())) + .unwrap(); + jwe_header + .set_claim("enc", Some(AES_GCM_256_ALGORITHM.into())) + .unwrap(); + assert_eq!(header, jwe_header); + } + + #[test] + fn jwe_rsa_oaep_compatibility() { + let test_data = b"this is a test data"; + + // Generate a 4096-bit RSA key pair + let rsa_key = Rsa::generate(4096).unwrap(); + let k_mod = URL_SAFE_NO_PAD.encode(rsa_key.n().to_vec()); + let k_exp = URL_SAFE_NO_PAD.encode(rsa_key.e().to_vec()); + let tee_key = TeePubKey::RSA { + alg: RSA_OAEP256_ALGORITHM.into(), + k_mod, + k_exp, + }; + + // Generate a JWE response + let response = jwe(tee_key, test_data.to_vec()).unwrap(); + let response_string = serde_json::to_string(&response).unwrap(); + + // Decrypt with josekit crate + let decrypter = RsaOaep256 + .decrypter_from_pem(rsa_key.private_key_to_pem().unwrap()) + .unwrap(); + let mut header = JweHeader::new(); + header.set_token_type("JWT"); + header.set_content_encryption(AES_GCM_256_ALGORITHM); + let context = JweContext::new(); + let (decrypted_data, header) = context + .deserialize_json(&response_string, &decrypter) + .unwrap(); + assert_eq!(decrypted_data, test_data); + + let mut jwe_header = JweHeader::new(); + jwe_header + .set_claim("alg", Some(RSA_OAEP256_ALGORITHM.into())) + .unwrap(); + jwe_header + .set_claim("enc", Some(AES_GCM_256_ALGORITHM.into())) + .unwrap(); + assert_eq!(header, jwe_header); + } + + #[test] + fn jwe_ec_compatibility() { + let test_data = b"this is a test data"; + + // Generate a EC key pair + let mut rng = rand::thread_rng(); + let private_key = SecretKey::random(&mut rng); + let point = EncodedPoint::from(private_key.public_key()); + let x = point.x().unwrap(); + let y = point.y().unwrap(); + let x = URL_SAFE_NO_PAD.encode(x); + let y = URL_SAFE_NO_PAD.encode(y); + + let tee_key = TeePubKey::EC { + crv: P256_CURVE.into(), + alg: ECDH_ES_A256KW.into(), + x, + y, + }; + + // Generate a JWE response + let response = jwe(tee_key, test_data.to_vec()).unwrap(); + let response_string = serde_json::to_string(&response).unwrap(); + + let mut header = JweHeaderSet::new(); + header.set_algorithm("ECDH-ES+A256KW", true); + header.set_content_encryption("A256GCM", true); + + // Decrypt JWE with JOSEkit crate + let private_key = private_key + .to_pkcs8_pem(rsa::pkcs8::LineEnding::LF) + .unwrap(); + let decrypter = EcdhEsA256kw.decrypter_from_pem(&private_key).unwrap(); + + let context = JweContext::new(); + let (decrypted_data, _) = context + .deserialize_json(&response_string, &decrypter) + .unwrap(); + assert_eq!(decrypted_data, test_data); + } +} From 767f1469427fbd7207d29dcaa83ae694f7a2ccdb Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 12 Dec 2024 19:35:54 +0800 Subject: [PATCH 2/3] ci: update rust toolchain to 1.83.0 Some dependencies like home@0.5.11 requires a rust toolchain version over 1.81.0. Thus we update this to 1.83.0 to track the latest rust toolchain. This commit also fixes lint error introduced by new version of rust toolchain. Signed-off-by: Xynnn007 --- .github/workflows/as-e2e.yml | 2 +- .github/workflows/as-rust.yml | 2 +- .github/workflows/kbs-docker-e2e.yml | 2 +- .github/workflows/kbs-e2e.yml | 2 +- .github/workflows/kbs-rust.yml | 2 +- .github/workflows/push-kbs-client-to-ghcr.yml | 2 +- kbs/src/attestation/session.rs | 2 +- rvps/src/extractors/mod.rs | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/as-e2e.yml b/.github/workflows/as-e2e.yml index 1ba4b9cdd..d9afd26b2 100644 --- a/.github/workflows/as-e2e.yml +++ b/.github/workflows/as-e2e.yml @@ -28,7 +28,7 @@ jobs: name: TEE=${{ matrix.restful_tee_enum }} Generate Evidence Dynamically=${{ matrix.generate_evidence }} runs-on: ${{ matrix.runner }} env: - RUSTC_VERSION: 1.76.0 + RUSTC_VERSION: 1.83.0 GRPC_TEE_ENUM: ${{ matrix.grpc_tee_enum }} RESTFUL_TEE_ENUM: ${{ matrix.restful_tee_enum }} steps: diff --git a/.github/workflows/as-rust.yml b/.github/workflows/as-rust.yml index 3235d38d0..a6791a6f7 100644 --- a/.github/workflows/as-rust.yml +++ b/.github/workflows/as-rust.yml @@ -24,7 +24,7 @@ jobs: name: Check runs-on: ubuntu-22.04 env: - RUSTC_VERSION: 1.76.0 + RUSTC_VERSION: 1.83.0 steps: - name: Code checkout uses: actions/checkout@v4 diff --git a/.github/workflows/kbs-docker-e2e.yml b/.github/workflows/kbs-docker-e2e.yml index 3d75f6f9c..849e6ead1 100644 --- a/.github/workflows/kbs-docker-e2e.yml +++ b/.github/workflows/kbs-docker-e2e.yml @@ -13,7 +13,7 @@ jobs: e2e-test: runs-on: ubuntu-latest env: - RUSTC_VERSION: 1.76.0 + RUSTC_VERSION: 1.83.0 steps: - name: Checkout KBS uses: actions/checkout@v4 diff --git a/.github/workflows/kbs-e2e.yml b/.github/workflows/kbs-e2e.yml index 5d03733fc..4c5882739 100644 --- a/.github/workflows/kbs-e2e.yml +++ b/.github/workflows/kbs-e2e.yml @@ -24,7 +24,7 @@ jobs: build-binaries: runs-on: ubuntu-22.04 env: - RUSTC_VERSION: 1.76.0 + RUSTC_VERSION: 1.83.0 steps: - name: Download artifacts uses: actions/download-artifact@v4 diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml index eacd5a6aa..61b65770a 100644 --- a/.github/workflows/kbs-rust.yml +++ b/.github/workflows/kbs-rust.yml @@ -23,7 +23,7 @@ jobs: strategy: fail-fast: false env: - RUSTC_VERSION: 1.76.0 + RUSTC_VERSION: 1.83.0 runs-on: ubuntu-22.04 steps: diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index 22d5c28d1..a78bb26bb 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -14,7 +14,7 @@ jobs: - x86_64 - s390x env: - RUSTC_VERSION: 1.76.0 + RUSTC_VERSION: 1.83.0 runs-on: ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 's390x' }} permissions: contents: read diff --git a/kbs/src/attestation/session.rs b/kbs/src/attestation/session.rs index 22cde081f..ef3b9ec14 100644 --- a/kbs/src/attestation/session.rs +++ b/kbs/src/attestation/session.rs @@ -80,7 +80,7 @@ impl SessionStatus { impl_member!(timeout, OffsetDateTime); pub fn is_expired(&self) -> bool { - return *self.timeout() < OffsetDateTime::now_utc(); + *self.timeout() < OffsetDateTime::now_utc() } pub fn attest(&mut self, token: String) { diff --git a/rvps/src/extractors/mod.rs b/rvps/src/extractors/mod.rs index 04677692e..ea6c764d1 100644 --- a/rvps/src/extractors/mod.rs +++ b/rvps/src/extractors/mod.rs @@ -22,7 +22,7 @@ use super::{Message, ReferenceValue}; /// reference value (degest, s.t. hash value and name of the artifact) /// from the provenance. If the verification fails, no reference value /// will be extracted. - +/// /// `Extractors` defines the interfaces of Extractors. pub trait Extractors { /// Process the message, e.g. verifying From 4ca60d827657c95cc310107e6f5685074e63d0d7 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Tue, 17 Dec 2024 13:04:08 +0800 Subject: [PATCH 3/3] ci: remove duplicated KBS test case KBS Build with default feature and KBS build with built-in CoCo AS feature are the same, thus we delete the duplicated one and add more information. Signed-off-by: Xynnn007 --- .github/workflows/kbs-rust.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/kbs-rust.yml b/.github/workflows/kbs-rust.yml index 61b65770a..0d6aa1b30 100644 --- a/.github/workflows/kbs-rust.yml +++ b/.github/workflows/kbs-rust.yml @@ -52,11 +52,7 @@ jobs: sudo apt-get update sudo apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev - - name: KBS Build [Default] - working-directory: kbs - run: make - - - name: KBS Build [Built-in CoCo AS] + - name: KBS Build [Default/Built-in CoCo AS] working-directory: kbs run: make