From cd89d0bf843759763fd1efcc381fcd7a688bff86 Mon Sep 17 00:00:00 2001 From: Philip Tricca Date: Thu, 4 May 2023 18:21:22 -0700 Subject: [PATCH] wip: replace `pem` with `pem-rfc7468` crate --- Cargo.lock | 11 ++++++++++- dice-mfg/Cargo.toml | 2 +- dice-mfg/src/lib.rs | 42 +++++++++++++++++++++++------------------- 3 files changed, 34 insertions(+), 21 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 28a41c1..7eb45f3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -285,7 +285,7 @@ dependencies = [ "dice-mfg-msgs", "env_logger 0.9.3", "log", - "pem", + "pem-rfc7468 0.7.0", "serialport", "string-error", "tempfile", @@ -725,6 +725,15 @@ dependencies = [ "base64ct 1.5.3 (git+https://github.com/RustCrypto/formats)", ] +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct 1.5.3 (registry+https://github.com/rust-lang/crates.io-index)", +] + [[package]] name = "pkcs8" version = "0.9.0" diff --git a/dice-mfg/Cargo.toml b/dice-mfg/Cargo.toml index 9dea45f..68d2102 100644 --- a/dice-mfg/Cargo.toml +++ b/dice-mfg/Cargo.toml @@ -11,7 +11,7 @@ clap = { version = "4", features = ["derive", "env"] } dice-mfg-msgs = { path = "../dice-mfg-msgs" } env_logger = "0.9" log = "0.4" -pem = "1" +pem-rfc7468 = { version = "0.7.0", features = ["alloc", "std"] } serialport = "4" string-error = "0.1" tempfile = "3.3" diff --git a/dice-mfg/src/lib.rs b/dice-mfg/src/lib.rs index fc38362..19a8cb7 100644 --- a/dice-mfg/src/lib.rs +++ b/dice-mfg/src/lib.rs @@ -5,7 +5,7 @@ use anyhow::Result; use dice_mfg_msgs::{MfgMessage, PlatformId, PlatformIdError, SizedBlob}; use log::{info, warn}; - +use pem_rfc7468::LineEnding; use serialport::SerialPort; use std::{ fmt, @@ -28,6 +28,8 @@ pub enum Error { ConfigIncomplete, NoResponse, InvalidPlatformId(PlatformIdError), + CertTooBig, + PemNotCert, } impl std::error::Error for Error {} @@ -58,6 +60,12 @@ impl fmt::Display for Error { Error::InvalidPlatformId(e) => { write!(f, "PlatformId is invalid: {:?}", e) } + Error::CertTooBig => { + write!(f, "Insufficient space to store the provided cert in SizedBlog: see dice-mfg-msgs") + } + Error::PemNotCert => { + write!(f, "PEM provided doesn't have \"CERTIFICATE\" label") + } } } } @@ -172,7 +180,7 @@ impl MfgDriver { /// Send the RoT the cert for the intermediate / signing CA. pub fn set_intermediate_cert(&mut self, cert_in: &PathBuf) -> Result<()> { - let cert = sized_blob_from_pem_path(cert_in)?; + let cert = sized_blob_from_pem_cert_path(cert_in)?; print!("setting Intermediate cert ... "); io::stdout().flush()?; @@ -186,7 +194,7 @@ impl MfgDriver { /// Send the RoT its certified identity. pub fn set_platform_id_cert(&mut self, cert_in: &PathBuf) -> Result<()> { - let cert = sized_blob_from_pem_path(cert_in)?; + let cert = sized_blob_from_pem_cert_path(cert_in)?; print!("setting PlatformId cert ... "); io::stdout().flush()?; @@ -235,12 +243,16 @@ pub fn do_sign_cert( } } -fn sized_blob_from_pem_path(p: &PathBuf) -> Result { +fn sized_blob_from_pem_cert_path(p: &PathBuf) -> Result { let cert = fs::read_to_string(p)?; - let cert = pem::parse(cert)?; + let (label, cert) = pem_rfc7468::decode_vec(cert.as_bytes())?; + + if label != "CERTIFICATE" { + return Err(Error::PemNotCert.into()); + } // Error type doesn't implement std Error - Ok(SizedBlob::try_from(&cert.contents[..]).expect("cert too big")) + Ok(SizedBlob::try_from(cert.as_slice()).map_err(|_| Error::CertTooBig)?) } pub fn sign_cert( @@ -291,19 +303,11 @@ pub fn sign_cert( } pub fn save_csr(mut w: W, csr: SizedBlob) -> Result<()> { - let size = usize::from(csr.size); - - // encode as PEM - let pem = pem::Pem { - tag: String::from("CERTIFICATE REQUEST"), - contents: csr.as_bytes()[..size].to_vec(), - }; - let csr_pem = pem::encode_config( - &pem, - pem::EncodeConfig { - line_ending: pem::LineEnding::LF, - }, - ); + let csr_pem = pem_rfc7468::encode_string( + "CERTIFICATE REQUEST", + LineEnding::LF, + csr.as_bytes(), + )?; Ok(w.write_all(csr_pem.as_bytes())?) }