PKU2U: RSA signature generation fix

src/crypto.rs

@@ -36,13 +36,13 @@ pub fn compute_md5_channel_bindings_hash(channel_bindings: &ChannelBindings) ->
     let mut context = Md5::new();
     let mut result = [0x00; HASH_SIZE];
 
-    context.update(&channel_bindings.initiator_addr_type.to_be_bytes());
-    context.update(&channel_bindings.initiator.len().to_be_bytes());
+    context.update(channel_bindings.initiator_addr_type.to_be_bytes());
+    context.update(channel_bindings.initiator.len().to_be_bytes());
 
-    context.update(&channel_bindings.acceptor_addr_type.to_be_bytes());
-    context.update(&channel_bindings.acceptor.len().to_be_bytes());
+    context.update(channel_bindings.acceptor_addr_type.to_be_bytes());
+    context.update(channel_bindings.acceptor.len().to_be_bytes());
 
-    context.update(&channel_bindings.application_data.len().to_be_bytes());
+    context.update(channel_bindings.application_data.len().to_be_bytes());
     context.update(&channel_bindings.application_data);
 
     result.clone_from_slice(&context.finalize());

src/krb.rs

@@ -5,7 +5,7 @@ use std::io::{BufRead, BufReader};
 use std::path::Path;
 
 fn can_skip_line(line: &str) -> bool {
-    if let Some(first_char) = line.chars().nth(0) {
+    if let Some(first_char) = line.chars().next() {
         match first_char {
             '#' => true, // comment line
             ';' => true, // comment line
@@ -17,24 +17,23 @@ fn can_skip_line(line: &str) -> bool {
 }
 
 fn is_section_line(line: &str) -> bool {
-    if line.trim().len() == 0 {
+    if line.trim().is_empty() {
         return false;
     }
 
-    if line.starts_with("[") && line.ends_with("]") {
+    if line.starts_with('[') && line.ends_with(']') {
         return true;
     }
 
     false
 }
 
 fn get_section_name(line: &str) -> Option<String> {
-    if line.trim().len() > 0 {
-        if line.starts_with("[") && line.ends_with("]") {
-            return Some(line[1..line.len() - 1].to_string());
-        }
+    if !line.trim().is_empty() && line.starts_with('[') && line.ends_with(']') {
+        Some(line[1..line.len() - 1].to_string())
+    } else {
+        None
     }
-    None
 }
 
 fn try_read_line(reader: &mut impl BufRead, line: &mut String) -> bool {
@@ -98,9 +97,9 @@ impl Krb5Conf {
     fn current_path(&mut self, name: Option<String>) -> String {
         let mut current_path = self.path.clone();
         if let Some(name) = name {
-            current_path.push(name.to_owned());
+            current_path.push(name);
         }
-        return current_path.join("|");
+        current_path.join("|")
     }
 
     fn parse_from_reader(&mut self, reader: &mut impl BufRead) {
@@ -118,19 +117,19 @@ impl Krb5Conf {
 
     fn add_value(&mut self, key: &str, val: &str) {
         let path = self.current_path(Some(key.to_string()));
-        self.values.push((path.to_owned(), val.to_owned()));
+        self.values.push((path, val.to_owned()));
     }
 
     fn read_values(&mut self, reader: &mut impl BufRead, line: &mut String) {
-        if let Some((lhs, _)) = line.split_once("=") {
+        if let Some((lhs, _)) = line.split_once('=') {
             self.enter_group(lhs.trim());
 
             while try_read_line(reader, line) {
-                if can_skip_line(&line) {
+                if can_skip_line(line) {
                     continue;
                 }
 
-                if line.ends_with("}") {
+                if line.ends_with('}') {
                     break;
                 }
 
@@ -140,14 +139,12 @@ impl Krb5Conf {
     }
 
     fn read_value(&mut self, reader: &mut impl BufRead, line: &mut String) {
-        if line.contains("{") {
+        if line.contains('{') {
             self.read_values(reader, line);
         } else if let Some(section_name) = get_section_name(line) {
             self.enter_section(section_name.as_str());
-        } else {
-            if let Some((lhs, rhs)) = line.split_once("=") {
-                self.add_value(lhs.trim(), rhs.trim());
-            }
+        } else if let Some((lhs, rhs)) = line.split_once('=') {
+            self.add_value(lhs.trim(), rhs.trim());
         }
     }
 
@@ -156,11 +153,11 @@ impl Krb5Conf {
         self.enter_section(&name);
 
         while try_read_line(reader, line) {
-            if can_skip_line(&line) {
+            if can_skip_line(line) {
                 continue;
             }
 
-            if line.chars().nth(0).unwrap() == '[' {
+            if line.starts_with('[') {
                 break;
             }
 

src/sspi/internal/credssp.rs

@@ -392,6 +392,7 @@ impl<C: CredentialsProxy<AuthenticationData = AuthIdentity>> CredSspServer<C> {
         })
     }
 
+    #[allow(clippy::result_large_err)]
     pub fn process(&mut self, mut ts_request: TsRequest) -> Result<ServerState, ServerError> {
         if self.context.is_none() {
             self.context = match &self.context_config {

src/sspi/pku2u/cert_utils/win_extraction.rs

@@ -92,7 +92,7 @@ fn decode_private_key(mut buffer: impl Read) -> Result<PrivateKey> {
         &BigUint::from_bytes_be(&modulus),
         &BigUint::from_bytes_be(&public_exp),
         &BigUint::from_bytes_be(&private_exp),
-        &vec![BigUint::from_bytes_be(&prime1), BigUint::from_bytes_be(&prime2)],
+        &[BigUint::from_bytes_be(&prime1), BigUint::from_bytes_be(&prime2)],
     )
     .map_err(|err| {
         Error::new(

src/sspi/pku2u/generators.rs

@@ -149,13 +149,8 @@ pub fn generate_signer_info(p2p_cert: &Certificate, digest: Vec<u8>, private_key
 
     let encoded_signed_attributes = picky_asn1_der::to_vec(&signed_attributes)?;
 
-    let mut sha1 = Sha1::new();
-    sha1.update(&encoded_signed_attributes);
-
-    let hashed_signed_attributes = sha1.finalize().to_vec();
-
     let signature = SignatureAlgorithm::RsaPkcs1v15(HashAlgorithm::SHA1)
-        .sign(&hashed_signed_attributes, private_key)
+        .sign(&encoded_signed_attributes, private_key)
         .map_err(|err| {
             Error::new(
                 ErrorKind::InternalError,

src/sspi/pku2u/validate.rs

@@ -3,7 +3,6 @@ use picky::key::PublicKey as RsaPublicKey;
 use picky::signature::SignatureAlgorithm;
 use picky_asn1::wrapper::Asn1SetOf;
 use picky_asn1_x509::signed_data::SignedData;
-use sha1::{Digest, Sha1};
 
 use crate::{Error, ErrorKind, Result};
 
@@ -16,12 +15,9 @@ pub fn validate_signed_data(signed_data: &SignedData, rsa_public_key: &RsaPublic
         .ok_or_else(|| Error::new(ErrorKind::InvalidToken, "Missing signers_infos in signed data".into()))?;
 
     let signed_attributes = Asn1SetOf::from(signer_info.signed_attrs.0 .0 .0.clone());
-
-    let mut sha1 = Sha1::new();
-    sha1.update(&picky_asn1_der::to_vec(&signed_attributes)?);
-    let hashed_signed_attributes = sha1.finalize().to_vec();
+    let encoded_signed_attributes = picky_asn1_der::to_vec(&signed_attributes)?;
 
     SignatureAlgorithm::RsaPkcs1v15(HashAlgorithm::SHA1)
-        .verify(rsa_public_key, &hashed_signed_attributes, &signer_info.signature.0 .0)
+        .verify(rsa_public_key, &encoded_signed_attributes, &signer_info.signature.0 .0)
         .map_err(|_| Error::new(ErrorKind::InvalidToken, "Invalid signed data signature".into()))
 }