diff --git a/Cargo.lock b/Cargo.lock index d24ffee..bdcf747 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -320,6 +320,7 @@ dependencies = [ "tokio-rustls", "tracing", "tss-esapi", + "ureq", "x509-parser 0.18.1", ] @@ -1952,7 +1953,7 @@ dependencies = [ "tokio", "tokio-rustls", "tower-service", - "webpki-roots", + "webpki-roots 1.0.6", ] [[package]] @@ -3265,7 +3266,7 @@ dependencies = [ "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots", + "webpki-roots 1.0.6", ] [[package]] @@ -4229,11 +4230,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "02d1a66277ed75f640d608235660df48c8e3c19f3b4edb6a263315626cc3c01d" dependencies = [ "base64 0.22.1", + "flate2", "log", "once_cell", + "rustls", + "rustls-pki-types", "serde", "serde_json", "url", + "webpki-roots 0.26.11", ] [[package]] @@ -4456,6 +4461,15 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "webpki-roots" +version = "0.26.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9" +dependencies = [ + "webpki-roots 1.0.6", +] + [[package]] name = "webpki-roots" version = "1.0.6" diff --git a/crates/attestation/Cargo.toml b/crates/attestation/Cargo.toml index 1ff071d..e4ba40d 100644 --- a/crates/attestation/Cargo.toml +++ b/crates/attestation/Cargo.toml @@ -25,6 +25,7 @@ base64 = "0.22.1" reqwest = { version = "0.12.23", default-features = false, features = [ "rustls-tls-webpki-roots-no-provider", ] } +ureq = "2.12.1" tracing = "0.1.41" parity-scale-codec = "3.7.5" num-bigint = "0.4.6" diff --git a/crates/attestation/src/lib.rs b/crates/attestation/src/lib.rs index 5061bb8..109f84d 100644 --- a/crates/attestation/src/lib.rs +++ b/crates/attestation/src/lib.rs @@ -7,6 +7,7 @@ pub mod measurements; use std::{ fmt::{self, Display, Formatter}, + io::Read, net::IpAddr, time::{Duration, SystemTime, UNIX_EPOCH}, }; @@ -53,7 +54,7 @@ impl AttestationExchangeMessage { Err(AttestationError::AttestationTypeNotSupported) } } - _ => { + AttestationType::DcapTdx | AttestationType::GcpTdx | AttestationType::QemuTdx => { #[cfg(any(test, feature = "mock"))] { let quote = tdx_quote::Quote::from_bytes(&self.attestation) @@ -102,7 +103,7 @@ impl AttestationType { } /// Detect what platform we are on by attempting an attestation - pub async fn detect() -> Result { + pub fn detect() -> Result { // First attempt azure, if the feature is present #[cfg(feature = "azure")] { @@ -113,7 +114,7 @@ impl AttestationType { // Otherwise try DCAP quote - this internally checks that the quote provider // is `tdx_guest` if configfs_tsm::create_tdx_quote([0; 64]).is_ok() { - if running_on_gcp().await? { + if running_on_gcp()? { return Ok(AttestationType::GcpTdx); } else { return Ok(AttestationType::DcapTdx); @@ -169,8 +170,8 @@ impl AttestationGenerator { /// Detect what confidential compute platform is present and create the /// appropriate attestation generator - pub async fn detect() -> Result { - Self::new_with_detection(None, None).await + pub fn detect() -> Result { + Self::new_with_detection(None, None) } /// Do not generate attestations @@ -180,7 +181,7 @@ impl AttestationGenerator { /// Create an [AttestationGenerator] detecting the attestation type if /// it is not given - pub async fn new_with_detection( + pub fn new_with_detection( attestation_type_string: Option, attestation_provider_url: Option, ) -> Result { @@ -195,7 +196,7 @@ impl AttestationGenerator { let attestation_type_string = attestation_type_string.unwrap_or_else(|| "auto".to_string()); let attestation_type = if attestation_type_string == "auto" { tracing::info!("Doing attestation type detection..."); - AttestationType::detect().await? + AttestationType::detect()? } else { serde_json::from_value(serde_json::Value::String(attestation_type_string))? }; @@ -205,12 +206,12 @@ impl AttestationGenerator { } /// Generate an attestation exchange message with given input data - pub async fn generate_attestation( + pub fn generate_attestation( &self, input_data: [u8; 64], ) -> Result { if let Some(url) = &self.attestation_provider_url { - Self::use_attestation_provider(url, self.attestation_type, input_data).await + Self::use_attestation_provider(url, self.attestation_type, input_data) } else { Ok(AttestationExchangeMessage { attestation_type: self.attestation_type, @@ -240,33 +241,37 @@ impl AttestationGenerator { Err(AttestationError::AttestationTypeNotSupported) } } - _ => dcap::create_dcap_attestation(input_data), + AttestationType::DcapTdx | AttestationType::GcpTdx | AttestationType::QemuTdx => { + dcap::create_dcap_attestation(input_data) + } } } /// Generate an attestation by using an external service for the /// attestation generation - async fn use_attestation_provider( + fn use_attestation_provider( url: &str, attestation_type: AttestationType, input_data: [u8; 64], ) -> Result { let url = format!("{}/attest/{}", url, hex::encode(input_data)); - let response = reqwest::get(url) - .await - .map_err(|err| AttestationError::AttestationProvider(err.to_string()))? - .bytes() - .await + let mut response = ureq::get(&url) + .timeout(Duration::from_millis(1000)) + .call() .map_err(|err| AttestationError::AttestationProvider(err.to_string()))? - .to_vec(); + .into_reader(); + let mut body = Vec::new(); + response + .read_to_end(&mut body) + .map_err(|err| AttestationError::AttestationProvider(err.to_string()))?; // If the response is not already wrapped in an attestation exchange // message, wrap it in one - if let Ok(message) = AttestationExchangeMessage::decode(&mut &response[..]) { + if let Ok(message) = AttestationExchangeMessage::decode(&mut &body[..]) { Ok(message) } else { - Ok(AttestationExchangeMessage { attestation_type, attestation: response }) + Ok(AttestationExchangeMessage { attestation_type, attestation: body }) } } } @@ -352,7 +357,7 @@ impl AttestationVerifier { return Err(AttestationError::AttestationTypeNotSupported); } } - _ => { + AttestationType::DcapTdx | AttestationType::GcpTdx | AttestationType::QemuTdx => { dcap::verify_dcap_attestation( attestation_exchange_message.attestation, expected_input_data, @@ -390,14 +395,13 @@ async fn log_attestation(attestation: &AttestationExchangeMessage) { /// Test whether it looks like we are running on GCP by hitting the metadata /// API -async fn running_on_gcp() -> Result { - let client = reqwest::Client::builder().timeout(Duration::from_millis(200)).build()?; - - let resp = client.get(GCP_METADATA_API).send().await; +fn running_on_gcp() -> Result { + let agent = ureq::AgentBuilder::new().timeout(Duration::from_millis(200)).build(); + let resp = agent.get(GCP_METADATA_API).call(); if let Ok(r) = resp { - return Ok(r.status().is_success() && - r.headers().get("Metadata-Flavor").map(|v| v == "Google").unwrap_or(false)); + return Ok(r.status() == 200 && + r.header("Metadata-Flavor").map(|v| v == "Google").unwrap_or(false)); } Ok(false) @@ -521,19 +525,19 @@ mod tests { addr } - #[tokio::test] - async fn attestation_detection_does_not_panic() { + #[test] + fn attestation_detection_does_not_panic() { // We dont enforce what platform the test is run on, only that the function // does not panic - let _ = AttestationGenerator::new_with_detection(None, None).await; + let _ = AttestationGenerator::new_with_detection(None, None); } - #[tokio::test] - async fn running_on_gcp_check_does_not_panic() { - let _ = running_on_gcp().await; + #[test] + fn running_on_gcp_check_does_not_panic() { + let _ = running_on_gcp(); } - #[tokio::test] + #[tokio::test(flavor = "multi_thread")] async fn attestation_provider_response_is_wrapped_if_needed() { let input_data = [0u8; 64]; @@ -550,7 +554,6 @@ mod tests { AttestationType::GcpTdx, input_data, ) - .await .unwrap(); assert_eq!(decoded.attestation_type, AttestationType::None); assert_eq!(decoded.attestation, vec![1, 2, 3]); @@ -562,7 +565,6 @@ mod tests { AttestationType::DcapTdx, input_data, ) - .await .unwrap(); assert_eq!(wrapped.attestation_type, AttestationType::DcapTdx); assert_eq!(wrapped.attestation, vec![9, 8]); diff --git a/crates/attestation/src/measurements.rs b/crates/attestation/src/measurements.rs index 3484be6..2c1d1cf 100644 --- a/crates/attestation/src/measurements.rs +++ b/crates/attestation/src/measurements.rs @@ -166,6 +166,7 @@ impl MultiMeasurements { let measurements_map: HashMap = serde_json::from_str(input)?; Ok(match attestation_type { + AttestationType::None => Self::NoAttestation, AttestationType::AzureTdx => Self::Azure( measurements_map .into_iter() @@ -179,8 +180,7 @@ impl MultiMeasurements { }) .collect::>()?, ), - AttestationType::None => Self::NoAttestation, - _ => { + AttestationType::DcapTdx | AttestationType::GcpTdx | AttestationType::QemuTdx => { let measurements_map = measurements_map .into_iter() .map(|(k, v)| { @@ -300,7 +300,9 @@ impl MeasurementRecord { measurements: match attestation_type { AttestationType::None => ExpectedMeasurements::NoAttestation, AttestationType::AzureTdx => ExpectedMeasurements::Azure(HashMap::new()), - _ => ExpectedMeasurements::Dcap(HashMap::new()), + AttestationType::DcapTdx | AttestationType::GcpTdx | AttestationType::QemuTdx => { + ExpectedMeasurements::Dcap(HashMap::new()) + } }, } } @@ -513,6 +515,7 @@ impl MeasurementPolicy { if let Some(measurements) = record.measurements { let expected_measurements = match attestation_type { + AttestationType::None => ExpectedMeasurements::NoAttestation, AttestationType::AzureTdx => { let azure_measurements = measurements .iter() @@ -524,8 +527,9 @@ impl MeasurementPolicy { )?; ExpectedMeasurements::Azure(azure_measurements) } - AttestationType::None => ExpectedMeasurements::NoAttestation, - _ => ExpectedMeasurements::Dcap( + AttestationType::DcapTdx | + AttestationType::GcpTdx | + AttestationType::QemuTdx => ExpectedMeasurements::Dcap( measurements .iter() .map(|(index_str, entry)| { diff --git a/crates/attested-tls/src/lib.rs b/crates/attested-tls/src/lib.rs index 254acc0..0036422 100644 --- a/crates/attested-tls/src/lib.rs +++ b/crates/attested-tls/src/lib.rs @@ -12,12 +12,12 @@ pub use attestation::{ AttestationType, AttestationVerifier, }; -pub use ra_tls::cert::CaCert; use ra_tls::{ attestation::{Attestation, AttestationQuote, VersionedAttestation}, cert::CertRequest, - rcgen::{KeyPair, PKCS_ECDSA_P256_SHA256}, + rcgen::KeyPair, }; +pub use ra_tls::{cert::CaCert, rcgen}; use rustls::{ DigitallySignedStruct, DistinguishedName, @@ -88,7 +88,7 @@ struct ResolverState { /// Attestation generator used when renewing certificate attestation_generator: AttestationGenerator, /// Primary DNS name used as certificate subject / common name. - primary_name: String, + subject: String, /// DNS subject alternative names, including the primary name. subject_alt_names: Vec, } @@ -103,7 +103,7 @@ impl fmt::Debug for ResolverState { .field("key_pair_der_len", &self.key_pair_der.len()) .field("certificate_chain_len", &certificate_chain_len) .field("attestation_generator", &self.attestation_generator) - .field("primary_name", &self.primary_name) + .field("subject", &self.subject) .field("subject_alt_names", &self.subject_alt_names) .finish() } @@ -113,29 +113,31 @@ impl AttestedCertificateResolver { /// Create a certificate resolver with a given attestation generator /// A private certificate authority can also be given - otherwise /// certificates will be self signed - pub async fn new( + pub fn new( attestation_generator: AttestationGenerator, + key_pair: &KeyPair, ca: Option, - primary_name: String, + subject: String, subject_alt_names: Vec, certificate_validity_duration: Duration, ) -> Result { Self::new_with_provider( attestation_generator, + key_pair, ca, - primary_name, + subject, subject_alt_names, default_crypto_provider()?, certificate_validity_duration, ) - .await } /// Also provide a crypto provider - pub async fn new_with_provider( + pub fn new_with_provider( attestation_generator: AttestationGenerator, + key_pair: &KeyPair, ca: Option, - primary_name: String, + subject: String, subject_alt_names: Vec, provider: Arc, certificate_validity_duration: Duration, @@ -145,24 +147,20 @@ impl AttestedCertificateResolver { minimum: MIN_CERTIFICATE_VALIDITY_DURATION, }); } - let subject_alt_names = - normalized_subject_alt_names(primary_name.as_str(), subject_alt_names); + let subject_alt_names = normalized_subject_alt_names(subject.as_str(), subject_alt_names); - // Generate keypair - let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?; let key_pair_der = key_pair.serialize_der(); - let key = Self::load_signing_key(&key_pair, provider)?; + let key = Self::load_signing_key(key_pair, provider)?; // Generate initial attested certificate let certificate = Self::issue_ra_cert_chain( - &key_pair, + key_pair, ca.as_ref(), - primary_name.as_str(), + subject.as_str(), &subject_alt_names, &attestation_generator, certificate_validity_duration, - ) - .await?; + )?; let state = Arc::new(ResolverState { key, @@ -170,7 +168,7 @@ impl AttestedCertificateResolver { ca: ca.map(Arc::new), key_pair_der, attestation_generator, - primary_name, + subject, subject_alt_names, }); @@ -182,16 +180,16 @@ impl AttestedCertificateResolver { /// Create an attested certificate chain - either self-signed or with /// the provided CA - async fn issue_ra_cert_chain( - key: &KeyPair, + fn issue_ra_cert_chain( + key_pair: &KeyPair, ca: Option<&CaCert>, - primary_name: &str, + subject: &str, subject_alt_names: &[String], attestation_generator: &AttestationGenerator, certificate_validity_duration: Duration, ) -> Result>, AttestedTlsError> { - tracing::debug!("Generating new remote-attested certificate for {primary_name}"); - let pubkey = key.public_key_der(); + tracing::debug!("Generating new remote-attested certificate for {subject}"); + let pubkey = key_pair.public_key_der(); let now = SystemTime::now(); let not_after = now + certificate_validity_duration; @@ -199,14 +197,13 @@ impl AttestedCertificateResolver { pubkey, now, not_after, - primary_name, + subject, attestation_generator, - ) - .await?; + )?; let cert_request = CertRequest::builder() - .key(key) - .subject(primary_name) + .key(key_pair) + .subject(subject) .alt_names(subject_alt_names) .not_before(now) .not_after(not_after) @@ -240,16 +237,15 @@ impl AttestedCertificateResolver { /// Create an attestation, and format it to be used in certificate /// extension - async fn create_attestation_payload( + fn create_attestation_payload( pubkey: Vec, not_before: SystemTime, not_after: SystemTime, - primary_name: &str, + subject: &str, attestation_generator: &AttestationGenerator, ) -> Result { - let report_data = - create_report_data(pubkey, not_before, not_after, primary_name.as_bytes())?; - let attestation = attestation_generator.generate_attestation(report_data).await?; + let report_data = create_report_data(pubkey, not_before, not_after, subject.as_bytes())?; + let attestation = attestation_generator.generate_attestation(report_data)?; Ok(VersionedAttestation::V0 { attestation: Attestation { quote: ra_tls::attestation::AttestationQuote::DstackTdx( @@ -294,13 +290,11 @@ impl AttestedCertificateResolver { next_delay = match Self::issue_ra_cert_chain( &key_pair, current.ca.as_deref(), - current.primary_name.as_str(), + current.subject.as_str(), ¤t.subject_alt_names, ¤t.attestation_generator, certificate_validity_duration, - ) - .await - { + ) { Ok(certificate) => { *current.certificate.write().expect("Certificate lock poisoned") = certificate; @@ -352,9 +346,9 @@ fn default_crypto_provider() -> Result, AttestedTlsError> { } /// Ensures that SAN contains the primary hostname -fn normalized_subject_alt_names(primary_name: &str, subject_alt_names: Vec) -> Vec { +fn normalized_subject_alt_names(subject: &str, subject_alt_names: Vec) -> Vec { let mut normalized = Vec::with_capacity(subject_alt_names.len() + 1); - normalized.push(primary_name.to_string()); + normalized.push(subject.to_string()); for name in subject_alt_names { if !normalized.iter().any(|existing| existing == &name) { @@ -827,7 +821,13 @@ pub enum AttestedTlsError { mod tests { use std::{io::Cursor, sync::Arc}; - use ra_tls::rcgen::{BasicConstraints, CertificateParams, IsCa}; + use ra_tls::rcgen::{ + BasicConstraints, + CertificateParams, + IsCa, + KeyPair, + PKCS_ECDSA_P256_SHA256, + }; use rustls::{ CertificateError, ClientConfig, @@ -861,15 +861,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn certificate_resolver_creates_initial_certificate() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider, Duration::from_secs(4), ) - .await .unwrap(); let certificate = resolver.state.certificate.read().unwrap(); @@ -880,15 +881,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn certificate_resolver_rejects_too_short_validity_duration() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let error = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider, CERTIFICATE_RENEWAL_RETRY_DELAY * 3, ) - .await .unwrap_err(); assert!(matches!(error, AttestedTlsError::InvalidCertificateValidityDuration { .. })); @@ -898,15 +900,16 @@ mod tests { async fn server_and_client_configs_complete_a_handshake() { let provider: Arc = aws_lc_rs::default_provider().into(); let server_name = "foo"; + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, server_name.to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let verifier = AttestedCertificateVerifier::new_with_provider( @@ -948,19 +951,20 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn ca_signed_server_and_client_configs_complete_a_handshake() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let server_name = "foo"; let ca = test_ca(); let ca_cert = CertificateDer::from_pem_slice(ca.pem_cert.as_bytes()).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, Some(ca), server_name.to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let certificate_chain = resolver.state.certificate.read().unwrap().clone(); @@ -1010,15 +1014,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn certificate_is_renewed_before_expiry() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider, Duration::from_secs(4), ) - .await .unwrap(); let initial_certificate = resolver.state.certificate.read().unwrap().first().unwrap().clone(); @@ -1034,28 +1039,29 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn server_and_client_configs_complete_a_mutual_auth_handshake() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let server_name = "foo"; let server_resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, server_name.to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let client_resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "client".to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let server_verifier = AttestedCertificateVerifier::new_with_provider( @@ -1104,17 +1110,18 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn alternate_san_completes_a_handshake() { let provider: Arc = aws_lc_rs::default_provider().into(); - let primary_name = "foo"; + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); + let subject = "foo"; let alternate_name = "bar"; let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, - primary_name.to_string(), - vec![alternate_name.to_string(), primary_name.to_string()], + subject.to_string(), + vec![alternate_name.to_string(), subject.to_string()], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let verifier = AttestedCertificateVerifier::new_with_provider( None, @@ -1198,15 +1205,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn self_signed_attested_certificate_with_wrong_name_is_rejected() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let verifier = AttestedCertificateVerifier::new_with_provider( None, @@ -1232,15 +1240,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn certificate_binding_changes_when_identity_changes() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let original_cert = resolver.state.certificate.read().unwrap().first().unwrap().clone(); let (original_report_data, original_not_after) = @@ -1273,15 +1282,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn attestation_rejection_returns_application_verification_failure() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let verifier = AttestedCertificateVerifier::new_with_provider( None, @@ -1307,15 +1317,16 @@ mod tests { #[tokio::test(flavor = "multi_thread")] async fn verifier_reuses_trusted_certificate_cache() { let provider: Arc = aws_lc_rs::default_provider().into(); + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, "foo".to_string(), vec![], provider.clone(), Duration::from_secs(4), ) - .await .unwrap(); let mut verifier = AttestedCertificateVerifier::new_with_provider( None, diff --git a/crates/attested-tls/tests/nested_tls.rs b/crates/attested-tls/tests/nested_tls.rs index 5d916e5..10e2165 100644 --- a/crates/attested-tls/tests/nested_tls.rs +++ b/crates/attested-tls/tests/nested_tls.rs @@ -18,7 +18,7 @@ use tokio::io::{AsyncReadExt, AsyncWriteExt, duplex}; async fn nested_tls_uses_attested_tls_for_inner_session() { let provider: Arc = aws_lc_rs::default_provider().into(); let (outer_server, outer_client) = plain_tls_config_pair(provider.clone()); - let inner_server = attested_server_config("localhost", provider.clone()).await; + let inner_server = attested_server_config("localhost", provider.clone()); let inner_client = attested_client_config(provider.clone()); let acceptor = NestingTlsAcceptor::new(Arc::new(outer_server), Arc::new(inner_server)); @@ -83,16 +83,17 @@ fn plain_tls_config_pair(provider: Arc) -> (ServerConfig, Client /// Create attested server TLS config with mock DCAP attestation and /// self-signed certs -async fn attested_server_config(server_name: &str, provider: Arc) -> ServerConfig { +fn attested_server_config(server_name: &str, provider: Arc) -> ServerConfig { + let key_pair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256).unwrap(); let resolver = AttestedCertificateResolver::new_with_provider( AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(), + &key_pair, None, server_name.to_string(), vec![], provider.clone(), std::time::Duration::from_secs(91), ) - .await .unwrap(); ServerConfig::builder_with_provider(provider)