
Bump spsdk, cryptography #364

Merged
merged 1 commit into from
Jun 27, 2023

Conversation

robin-nitrokey
Member

This patch bumps cryptography to 39.0.1 which fixes two vulnerabilities:
https://github.com/Nitrokey/pynitrokey/security/dependabot/1
https://github.com/Nitrokey/pynitrokey/security/dependabot/2

This also requires bumping spsdk to 1.9.0, which allows us to drop some workarounds for fixed issues. Note that 1.9.0 adds a default log handler for the spsdk module which we have to remove manually so that stdout is not cluttered with log messages.

Checklist

Make sure to run make check and make fix before creating a PR, otherwise the CI will fail.

  • tested with Python3.9
  • signed commits
  • updated documentation (e.g. parameter description, inline doc, docs.nitrokey)
  • added labels

Test Environment and Execution

  • OS: Debian 11
  • device's model: NK3CN
  • device's firmware version: v1.3.0
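The handler cleanup the description mentions, as an added Python example (not pynitrokey's or spsdk's own code): a stand-in library installs a stdout handler on its `spsdk` logger at import time, and `detach_library_handlers` strips it so records only flow through the application's root logging configuration. The logger name, format string and helper names are assumptions made for the example.

```python
import io
import logging
import sys


def install_default_handler(logger_name: str = "spsdk") -> logging.Handler:
    """Stand-in for a dependency that attaches a stream handler to its own
    logger on import (constructed here to reproduce the behaviour the PR
    describes; this is not spsdk's real code)."""
    logger = logging.getLogger(logger_name)
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s: %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return handler


def detach_library_handlers(logger_name: str = "spsdk") -> int:
    """Remove every handler a third-party logger installed on itself so its
    records reach only the application's root configuration.
    Returns the number of handlers removed."""
    logger = logging.getLogger(logger_name)
    removed = 0
    for handler in list(logger.handlers):  # copy: the list is mutated below
        logger.removeHandler(handler)
        handler.close()
        removed += 1
    # With no handlers of its own, the logger propagates to the root logger,
    # so the application's logging setup still decides what is shown.
    logger.propagate = True
    return removed


def stdout_lines_emitted(logger_name: str, message: str, cleanup: bool) -> list:
    """Emit one INFO record on the library logger and return the lines that
    landed on stdout, with or without the cleanup step applied first."""
    buffer = io.StringIO()
    real_stdout, sys.stdout = sys.stdout, buffer  # capture stdout for the check
    try:
        install_default_handler(logger_name)
        if cleanup:
            detach_library_handlers(logger_name)
        logging.getLogger(logger_name).info(message)
    finally:
        sys.stdout = real_stdout
        detach_library_handlers(logger_name)  # leave no handler state behind
    return buffer.getvalue().splitlines()


if __name__ == "__main__":
    print("without cleanup:", stdout_lines_emitted("spsdk", "hello", cleanup=False))
    print("with cleanup:   ", stdout_lines_emitted("spsdk", "hello", cleanup=True))
```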

@szszszsz
Member

I think for spsdk the test would be just running Nitrokey 3 update.
Cryptography is used only for the FIDO2 provisioning, so it is not user faced, right?

@robin-nitrokey
Member Author

Yes, for spsdk it’s the NK3xN firmware update. For cryptography, it’s more complicated. While we use it only for the provisioning command, it is also used by our dependencies, e.g. fido2 and spsdk.

@szszszsz
Member

Rebased, but fails on mypy check:

venv/bin/python3 -m mypy pynitrokey/
pynitrokey/nk3/bootloader/lpc55.py:16: error: Module "spsdk" has no attribute "spsdk_log_handler"  [attr-defined]
pynitrokey/nk3/bootloader/lpc55.py:16: error: Module "spsdk" has no attribute "spsdk_logger"  [attr-defined]
pynitrokey/nk3/bootloader/lpc55.py:110: error: Argument "progress_callback" to "receive_sb_file" of "McuBoot" has incompatible type "Optional[Callable[[int, int], None]]"; expected "Callable[[int, int], None]"  [arg-type]
Found 3 errors in 1 file (checked 288 source files)

Needs update

Member

@szszszsz szszszsz left a comment


Need to deal with mypy errors.

@szszszsz
Member

I can't test the FIDO CLI commands, since these are not fixed yet (!), missing the API update of the fido2 package.
I will test NK3 update on the dev sample.

This patch bumps cryptography to 39.0.1 which fixes two vulnerabilities:
    https://github.com/Nitrokey/pynitrokey/security/dependabot/1
    https://github.com/Nitrokey/pynitrokey/security/dependabot/2

This also requires bumping spsdk, which allows us to drop some
workarounds for fixed issues.
@robin-nitrokey
Member Author

Rebased again and updated to spsdk v1.10.1 to avoid the logging issue. Did you update the venv before running mypy? The errors you listed are caused by an incompatible spsdk version.

@daringer
Collaborator

daringer commented Jun 27, 2023

lgtm, did some tests:

  • nk3an update ✔️

remaining tests with nk3am:

  • fido2 change-pin ✔️
  • fido2 make-credential ✔️
  • fido2 challenge-response ✔️
  • fido2 rng hexbytes ✔️
  • fido2 verify ✔️
  • fido2 challenge-response ✔️
  • fido2 list-credentials ✔️

@robin-nitrokey robin-nitrokey merged commit 8740c68 into master Jun 27, 2023
10 checks passed
@robin-nitrokey robin-nitrokey deleted the cryptography branch June 27, 2023 16:37
3 participants