chore: refactor crypto, attestation into crates

Signed-off-by: Richard Zak <richard@profian.com>
enarx · Nov 7, 2022 · b47ca81 · b47ca81
1 parent a589ff4
commit b47ca81
Show file tree

Hide file tree

Showing 30 changed files with 222 additions and 148 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,21 +10,13 @@ license = "AGPL-3.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-const-oid = { version = "0.9.0", features = ["db"], default-features = false }
+sgx_validation = { path = "crates/sgx_validation" }
+snp_validation = { path = "crates/snp_validation" }
+cryptography = { path = "crates/cryptography" }
 der = { version = "0.6", features = ["std"], default-features = false }
-sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
-spki = { version = "0.6", default-features = false }
-x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
-rustls-pemfile = {version = "1.0.1", default-features = false }
-sha2 = { version = "^0.10.2", default-features = false }
 zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
 flagset = { version = "0.4.3", default-features = false}
 sgx = { version = "0.5.0", default-features = false }
-signature = {version = "1.6", default-features = false }
-rsa = {version = "0.7.1", features = ["std"], default-features = false }
-p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
-p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
-rand = { version = "0.8", features = ["std"], default-features = false }
 
 tracing-subscriber = { version="^0.3.15", features = ["env-filter", "json", "fmt"], default-features = false }
 tower-http = { version = "^0.3.0", features = ["trace"], default-features = false }
@@ -55,3 +47,11 @@ incremental = false
 codegen-units = 1
 lto = true
 strip = true
+
+[workspace]
+resolver = '2'
+members = [
+    'crates/sgx_validation',
+    'crates/snp_validation',
+    'crates/cryptography',
+]
diff --git a/crates/cryptography/Cargo.toml b/crates/cryptography/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "cryptography"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "Cryptography library for Steward"
+
+[dependencies]
+anyhow = { version = "^1.0.55", features = ["std"], default-features = false }
+const-oid = { version = "0.9.0", features = ["db"], default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+rand = { version = "0.8", features = ["std"], default-features = false }
+rsa = {version = "0.7.1", features = ["std"], default-features = false }
+rustls-pemfile = {version = "1.0.1", default-features = false }
+sec1 = { version = "0.3", features = ["std", "pkcs8"], default-features = false }
+sha2 = { version = "^0.10.2", default-features = false }
+signature = {version = "1.6", default-features = false }
+spki = { version = "0.6", default-features = false }
+p256 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
+p384 = { version = "0.11", features = ["ecdsa", "std", "pem"], default-features = false }
+x509 = { version = "0.1", features = ["std"], package = "x509-cert", default-features = false }
+zeroize = { version = "^1.5.2", features = ["alloc"], default-features = false }
diff --git a/src/crypto/cert.rs → crates/cryptography/src/ext/cert.rs b/src/crypto/cert.rs → crates/cryptography/src/ext/cert.rs
diff --git a/src/crypto/certreq.rs → crates/cryptography/src/ext/certreq.rs b/src/crypto/certreq.rs → crates/cryptography/src/ext/certreq.rs
diff --git a/src/crypto/mod.rs → crates/cryptography/src/ext/mod.rs b/src/crypto/mod.rs → crates/cryptography/src/ext/mod.rs
diff --git a/src/crypto/pki.rs → crates/cryptography/src/ext/pki.rs b/src/crypto/pki.rs → crates/cryptography/src/ext/pki.rs
diff --git a/src/crypto/spki.rs → crates/cryptography/src/ext/spki.rs b/src/crypto/spki.rs → crates/cryptography/src/ext/spki.rs
diff --git a/crates/cryptography/src/lib.rs b/crates/cryptography/src/lib.rs
@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: 2022 Profian Inc. <opensource@profian.com>
+// SPDX-License-Identifier: AGPL-3.0-only
+
+pub mod ext;
+
+pub use const_oid;
+pub use p256;
+pub use p384;
+pub use rand;
+pub use rsa;
+pub use rustls_pemfile;
+pub use sec1;
+pub use sha2;
+pub use signature;
+pub use x509;
diff --git a/crates/sgx_validation/Cargo.toml b/crates/sgx_validation/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "sgx_validation"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "Intel SGX Attestation validation library for Steward"
+
+[dependencies]
+cryptography = { path = "../cryptography" }
+anyhow = { version = "^1.0.55", default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+sgx = { version = "0.5.0", default-features = false }
+
+[dev-dependencies]
+testaso = { version = "0.1", default-features = false }
diff --git a/src/ext/sgx/mod.rs → crates/sgx_validation/src/lib.rs b/src/ext/sgx/mod.rs → crates/sgx_validation/src/lib.rs
@@ -3,18 +3,17 @@
 
 mod quote;
 
-use super::ExtVerifier;
-use crate::crypto::*;
+use cryptography::ext::*;
 use quote::traits::ParseBytes;
 
 use std::fmt::Debug;
 
 use anyhow::{anyhow, Result};
-use const_oid::ObjectIdentifier;
+use cryptography::const_oid::ObjectIdentifier;
+use cryptography::sha2::{Digest, Sha256};
+use cryptography::x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
 use der::{Decode, Encode};
 use sgx::parameters::{Attributes, MiscSelect};
-use sha2::{Digest, Sha256};
-use x509::{ext::Extension, request::CertReqInfo, Certificate, TbsCertificate};
 
 #[derive(Clone, Debug)]
 pub struct Sgx([Certificate<'static>; 1]);
@@ -27,6 +26,8 @@ impl Default for Sgx {
 
 impl Sgx {
     const ROOT: &'static [u8] = include_bytes!("root.der");
+    pub const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.2");
+    pub const ATT: bool = true;
 
     fn trusted<'c>(&'c self, chain: &'c [Certificate<'c>]) -> Result<&'c TbsCertificate<'c>> {
         let mut signer = &self.0[0].tbs_certificate;
@@ -36,13 +37,8 @@ impl Sgx {
 
         Ok(signer)
     }
-}
-
-impl ExtVerifier for Sgx {
-    const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.4.1.58270.1.2");
-    const ATT: bool = true;
 
-    fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
+    pub fn verify(&self, cri: &CertReqInfo<'_>, ext: &Extension<'_>, dbg: bool) -> Result<bool> {
         if ext.critical {
             return Err(anyhow!("sgx extension cannot be critical"));
         }

diff --git a/src/ext/sgx/quote.icelake → crates/sgx_validation/src/quote.icelake b/src/ext/sgx/quote.icelake → crates/sgx_validation/src/quote.icelake
diff --git a/src/ext/sgx/quote.unknown → crates/sgx_validation/src/quote.unknown b/src/ext/sgx/quote.unknown → crates/sgx_validation/src/quote.unknown
diff --git a/src/ext/sgx/quote/body.rs → crates/sgx_validation/src/quote/body.rs b/src/ext/sgx/quote/body.rs → crates/sgx_validation/src/quote/body.rs
diff --git a/src/ext/sgx/quote/es256.rs → crates/sgx_validation/src/quote/es256.rs b/src/ext/sgx/quote/es256.rs → crates/sgx_validation/src/quote/es256.rs
@@ -3,9 +3,9 @@
 
 use super::{qe::QuotingEnclave, FromBytes, ParseBytes};
 
-use std::array::TryFromSliceError;
-
+use anyhow::anyhow;
 use der::{asn1::UIntRef, Sequence};
+use std::array::TryFromSliceError;
 
 #[derive(Clone, Debug)]
 #[repr(C)]

diff --git a/src/ext/sgx/quote/mod.rs → crates/sgx_validation/src/quote/mod.rs b/src/ext/sgx/quote/mod.rs → crates/sgx_validation/src/quote/mod.rs
@@ -15,15 +15,16 @@ pub mod es256;
 pub mod qe;
 pub mod traits;
 
-use crate::crypto::TbsCertificateExt;
+use anyhow::anyhow;
 use body::Body;
+use cryptography::ext::TbsCertificateExt;
 use traits::{FromBytes, ParseBytes, Steal};
 
+use cryptography::p256::ecdsa::signature::Verifier;
+use cryptography::sha2::{digest::DynDigest, Sha256};
+use cryptography::x509::TbsCertificate;
 use der::Encode;
-use p256::ecdsa::signature::Verifier;
 use sgx::ReportBody;
-use sha2::{digest::DynDigest, Sha256};
-use x509::TbsCertificate;
 
 pub struct Quote<'a> {
     body: &'a Body,
@@ -71,7 +72,7 @@ impl<'a> Quote<'a> {
 
         // Validate the Attestation Key.
         let mut data = [0u8; 64];
-        let mut hash = <Sha256 as sha2::Digest>::new();
+        let mut hash = <Sha256 as cryptography::sha2::Digest>::new();
         hash.update(self.sign.key.as_ref());
         hash.update(self.sign.iqe.auth.as_ref());
         hash.finalize_into(&mut data[..32])?;
@@ -80,8 +81,8 @@ impl<'a> Quote<'a> {
         }
 
         // Verify the signature on the enclave report.
-        let vkey = p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
-        let sig = p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
+        let vkey = cryptography::p256::ecdsa::VerifyingKey::from_sec1_bytes(self.sign.key.sec1())?;
+        let sig = cryptography::p256::ecdsa::Signature::from_der(&self.sign.sig.to_vec()?)?;
         vkey.verify(self.body.as_ref(), &sig)?;
 
         // Verify the PCE security version.

diff --git a/src/ext/sgx/quote/qe/auth.rs → crates/sgx_validation/src/quote/qe/auth.rs b/src/ext/sgx/quote/qe/auth.rs → crates/sgx_validation/src/quote/qe/auth.rs
diff --git a/src/ext/sgx/quote/qe/cert.rs → crates/sgx_validation/src/quote/qe/cert.rs b/src/ext/sgx/quote/qe/cert.rs → crates/sgx_validation/src/quote/qe/cert.rs
@@ -3,6 +3,8 @@
 
 use super::super::{FromBytes, ParseBytes, Steal};
 
+use anyhow::anyhow;
+
 #[derive(Clone, Debug)]
 #[non_exhaustive]
 pub enum Data {
@@ -23,7 +25,7 @@ impl<'a> FromBytes<'a> for Data {
                     .map_err(|e| anyhow!("invalid certification data: {}", e))?
                     .replace("-----END CERTIFICATE-----", "-----END CERTIFICATE-----\n");
 
-                let mut certs = rustls_pemfile::certs(&mut chain.as_bytes())
+                let mut certs = cryptography::rustls_pemfile::certs(&mut chain.as_bytes())
                     .map_err(|e| anyhow!("invalid certification data: {}", e))?;
 
                 certs.reverse();

diff --git a/src/ext/sgx/quote/qe/mod.rs → crates/sgx_validation/src/quote/qe/mod.rs b/src/ext/sgx/quote/qe/mod.rs → crates/sgx_validation/src/quote/qe/mod.rs
diff --git a/src/ext/sgx/quote/traits.rs → crates/sgx_validation/src/quote/traits.rs b/src/ext/sgx/quote/traits.rs → crates/sgx_validation/src/quote/traits.rs
diff --git a/src/ext/sgx/root.der → crates/sgx_validation/src/root.der b/src/ext/sgx/root.der → crates/sgx_validation/src/root.der
diff --git a/crates/snp_validation/Cargo.toml b/crates/snp_validation/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "snp_validation"
+version = "0.2.0"
+edition = "2021"
+license = "AGPL-3.0"
+description = "AMD SEV-SNP Attestation validation library for Steward"
+
+[dependencies]
+cryptography = { path = "../cryptography" }
+anyhow = { version = "^1.0.55", default-features = false }
+der = { version = "0.6", features = ["std"], default-features = false }
+flagset = { version = "0.4.3", default-features = false}
+
+[dev-dependencies]
+testaso = { version = "0.1", default-features = false }
diff --git a/src/ext/snp/genoa.pkipath → crates/snp_validation/src/genoa.pkipath b/src/ext/snp/genoa.pkipath → crates/snp_validation/src/genoa.pkipath