diff --git a/Cargo.lock b/Cargo.lock index 6b120b4..88fc0c3 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -25,18 +25,67 @@ dependencies = [ [[package]] name = "aho-corasick" -version = "0.7.18" +version = "0.7.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f" +checksum = "cc936419f96fa211c1b9166887b38e5e40b19958e5b895be7c1f93adec7071ac" dependencies = [ "memchr", ] +[[package]] +name = "anstream" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e579a7752471abc2a8268df8b20005e3eadd975f585398f17efcfd8d4927371" +dependencies = [ + "anstyle", + "anstyle-parse", + "anstyle-query", + "anstyle-wincon", + "colorchoice", + "is-terminal", + "utf8parse", +] + +[[package]] +name = "anstyle" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41ed9a86bf92ae6580e0a31281f65a1b1d867c0cc68d5346e2ae128dddfa6a7d" + +[[package]] +name = "anstyle-parse" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e765fd216e48e067936442276d1d57399e37bce53c264d6fefbe298080cb57ee" +dependencies = [ + "utf8parse", +] + +[[package]] +name = "anstyle-query" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b" +dependencies = [ + "windows-sys", +] + +[[package]] +name = "anstyle-wincon" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4bcd8291a340dd8ac70e18878bc4501dd7b4ff970cfa21c207d36ece51ea88fd" +dependencies = [ + "anstyle", + "windows-sys", +] + [[package]] name = "anyhow" -version = "1.0.51" +version = "1.0.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b26702f315f53b6071259e15dd9d64528213b44d61de1ec926eca7715d62203" +checksum = "7de8ce5e0f9f8d88245311066a578d72b7af3e7088f32783804676302df237e4" [[package]] name = "atty" 
@@ -51,15 +100,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.0.1" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" - -[[package]] -name = "base64" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64ct" @@ -93,19 +136,13 @@ dependencies = [ [[package]] name = "block-buffer" -version = "0.10.3" +version = "0.10.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69cce20737498f97b993470a6e536b8523f0af7892a4f928cceb1ac5e52ebe7e" +checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" dependencies = [ "generic-array", ] -[[package]] -name = "bumpalo" -version = "3.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535" - [[package]] name = "byteorder" version = "1.4.3" 
@@ -125,51 +162,52 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] -name = "chrono" -version = "0.4.24" +name = "clap" +version = "4.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4e3c5919066adf22df73762e50cffcde3a758f2a848b113b586d1f86728b673b" +checksum = "956ac1f6381d8d82ab4684768f89c0ea3afe66925ceadb4eeb3fc452ffc55d62" dependencies = [ - "num-integer", - "num-traits", + "clap_builder", + "clap_derive", + "once_cell", ] [[package]] -name = "clap" -version = "4.1.8" +name = "clap_builder" +version = "4.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3d7ae14b20b94cb02149ed21a86c423859cbe18dc7ed69845cace50e52b40a5" +checksum = "84080e799e54cff944f4b4a4b0e71630b0e0443b25b985175c7dddc1a859b749" dependencies = [ + "anstream", + "anstyle", "bitflags", - "clap_derive", "clap_lex", - "is-terminal", - "once_cell", "strsim", - "termcolor", ] [[package]] name = "clap_derive" -version = "4.1.8" +version = "4.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44bec8e5c9d09e439c4335b1af0abaab56dcf3b94999a936e1bb47b9134288f0" +checksum = "3f9644cd56d6b87dbe899ef8b053e331c0637664e9e21a33dfcdc36093f5c5c4" dependencies = [ "heck", - "proc-macro-error", "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.15", ] [[package]] name = "clap_lex" -version = "0.3.2" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "350b9cf31731f9957399229e9b2adc51eeabdfbe9d71d9a0552275fd12710d09" -dependencies = [ - "os_str_bytes", -] +checksum = "8a2dd5a6fe8c6e3502f568a6353e5273bbb15193ad9a89e457b9970798efbea1" + +[[package]] +name = "colorchoice" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" [[package]] name = "colored" 
@@ -190,9 +228,9 @@ checksum = "520fbf3c07483f94e3e3ca9d0cfd913d7718ef2483d2cfd91c0d9e91474ab913" [[package]] name = "cpufeatures" -version = "0.2.1" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95059428f66df56b63431fdb4e1947ed2190586af5c5a8a8b71122bdf5a7f469" +checksum = "280a9f2d8b3a38871a3c8a46fb80db65e5e5ed97da80c4d08bf27fb63e35e181" dependencies = [ "libc", ] @@ -213,47 +251,31 @@ dependencies = [ "typenum", ] -[[package]] -name = "data-encoding" -version = "2.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb" - [[package]] name = "der" -version = "0.6.1" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de" +checksum = "82b10af9f9f9f2134a42d3f8aa74658660f2e0234b0eb81bd171df8aa32779ed" dependencies = [ "const-oid", + "der_derive", + "flagset", "pem-rfc7468", "zeroize", ] [[package]] -name = "der-oid-macro" -version = "0.5.0" +name = "der_derive" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c73af209b6a5dc8ca7cbaba720732304792cddc933cfea3d74509c2b1ef2f436" +checksum = "63898447d5453a504531990fb79708be1087effb2da9b2704f54dbdf8b6890e4" dependencies = [ - "num-bigint", - "num-traits", + "proc-macro-error", + "proc-macro2", + "quote", "syn 1.0.109", ] -[[package]] -name = "der-parser" -version = "6.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4cddf120f700b411b2b02ebeb7f04dc0b7c8835909a6c2f52bf72ed0dd3433b2" -dependencies = [ - "der-oid-macro", - "nom", - "num-bigint", - "num-traits", - "rusticata-macros", -] - [[package]] name = "digest" version = "0.10.6" 
@@ -278,13 +300,13 @@ dependencies = [ [[package]] name = "errno" -version = "0.2.8" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f639046355ee4f37944e44f60642c6f3a7efa3cf6b78c78a0d989a8ce6c396a1" +checksum = "4bcfec3a70f97c962c307b2d2c56e358cf1d00b558d74262b5f929ee8cc7e73a" dependencies = [ "errno-dragonfly", "libc", - "winapi", + "windows-sys", ] [[package]] @@ -297,6 +319,12 @@ dependencies = [ "libc", ] +[[package]] +name = "flagset" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cda653ca797810c02f7ca4b804b40b8b95ae046eb989d356bce17919a8c25499" + [[package]] name = "funty" version = "2.0.0" @@ -305,9 +333,9 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c" [[package]] name = "generic-array" -version = "0.14.6" +version = "0.14.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bff49e947297f3312447abdca79f45f4738097cc82b06e72054d2223f601f1b9" +checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", @@ -315,9 +343,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.8" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c05aeb6a22b8f62540c194aac980f2115af067bfe15a0734d7277a768d396b31" +checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4" dependencies = [ "cfg-if", "libc", @@ -332,9 +360,9 @@ checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" [[package]] name = "heck" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2540771e65fc8cb83cd6e8a237f70c319bd5c29f78ed1084ba5d50eeac86f7f9" +checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "hermit-abi" 
@@ -369,19 +397,20 @@ dependencies = [ [[package]] name = "io-lifetimes" -version = "1.0.6" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cfa919a82ea574332e2de6e74b4c36e74d41982b335080fa59d4ef31be20fdf3" +checksum = "9c66c74d2ae7e79a5a8f7ac924adbe38ee42a859c6539ad869eb51f0b52dc220" dependencies = [ + "hermit-abi 0.3.1", "libc", "windows-sys", ] [[package]] name = "is-terminal" -version = "0.4.4" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21b6b32576413a8e69b90e952e4a026476040d81017b80445deda5f2d3921857" +checksum = "adcf93614601c8129ddf72e2d5633df827ba6551541c6d8c59520a371475be1f" dependencies = [ "hermit-abi 0.3.1", "io-lifetimes", @@ -389,15 +418,6 @@ dependencies = [ "windows-sys", ] -[[package]] -name = "js-sys" -version = "0.3.61" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730" -dependencies = [ - "wasm-bindgen", -] - [[package]] name = "lazy_static" version = "1.4.0" 
@@ -409,21 +429,21 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.140" +version = "0.2.141" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99227334921fae1a979cf0bfdfcc6b3e5ce376ef57e16fb6fb3ea2ed6095f80c" +checksum = "3304a64d199bb964be99741b7a14d26972741915b3649639149b2479bb46f4b5" [[package]] name = "libm" -version = "0.2.1" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7d73b3f436185384286bd8098d17ec07c9a7d2388a6599f824d8502b529702a" +checksum = "348108ab3fba42ec82ff6e9564fc4ca0247bdccdc68dd8af9764bbc79c3c8ffb" [[package]] name = "linux-raw-sys" -version = "0.1.4" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f051f77a7c8e6957c0696eac88f26b0117e54f52d3fc682ab19397a8812846a4" +checksum = "3f508063cc7bb32987c71511216bd5a32be15bccb6a80b52df8b9d7f01fc3aa2" [[package]] name = "log" @@ -469,17 +489,20 @@ version = "0.2.2" dependencies = [ "byteorder", "clap", + "const-oid", "crc-any", + "der", "env_logger", "hex", "log", "lpc55_areas", "packed_struct", + "pem-rfc7468", "rsa", "serde", "sha2", "thiserror", - "x509-parser", + "x509-cert", ] [[package]] @@ -489,11 +512,14 @@ dependencies = [ "anyhow", "clap", "colored", + "der", "env_logger", "log", "lpc55_areas", "lpc55_sign", + "pem-rfc7468", "toml", + "x509-cert", ] [[package]] 
@@ -516,48 +542,21 @@ dependencies = [ [[package]] name = "memchr" -version = "2.4.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" - -[[package]] -name = "minimal-lexical" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" +checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" [[package]] name = "nix" -version = "0.24.2" +version = "0.24.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc" +checksum = "fa52e972a9a719cecb6864fb88568781eb706bac2cd1d4f04a648542dbf78069" dependencies = [ "bitflags", "cfg-if", "libc", ] -[[package]] -name = "nom" -version = "7.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a" -dependencies = [ - "memchr", - "minimal-lexical", -] - -[[package]] -name = "num-bigint" -version = "0.4.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f" -dependencies = [ - "autocfg", - "num-integer", - "num-traits", -] - [[package]] name = "num-bigint-dig" version = "0.8.2" @@ -588,9 +587,9 @@ dependencies = [ [[package]] name = "num-integer" -version = "0.1.44" +version = "0.1.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db" +checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" dependencies = [ "autocfg", "num-traits", 
@@ -598,9 +597,9 @@ dependencies = [ [[package]] name = "num-iter" -version = "0.1.42" +version = "0.1.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2021c8337a54d21aca0d59a92577a029af9431cb59b909b03252b9c164fad59" +checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252" dependencies = [ "autocfg", "num-integer", @@ -617,27 +616,12 @@ dependencies = [ "libm", ] -[[package]] -name = "oid-registry" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe554cb2393bc784fd678c82c84cc0599c31ceadc7f03a594911f822cb8d1815" -dependencies = [ - "der-parser", -] - [[package]] name = "once_cell" version = "1.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" -[[package]] -name = "os_str_bytes" -version = "6.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e22443d1643a904602595ba1cd8f7d896afe56d26712531c5ff73a15b2fbf64" - [[package]] name = "packed_struct" version = "0.10.1" @@ -671,18 +655,18 @@ dependencies = [ [[package]] name = "pem-rfc7468" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24d159833a9105500e0398934e205e0773f0b27529557134ecfc51c27646adac" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" dependencies = [ "base64ct", ] [[package]] name = "pkcs1" -version = "0.4.1" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eff33bdbdfc54cc98a2eca766ebdec3e1b8fb7387523d5c9c9a2891da856f719" +checksum = "4a80397ccad3b40508254eee787bcd28ba48cb82710de5b33cc40c5b2c21bde9" dependencies = [ "der", "pkcs8", 
@@ -692,9 +676,9 @@ dependencies = [ [[package]] name = "pkcs8" -version = "0.9.0" +version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ "der", "spki", @@ -702,9 +686,9 @@ dependencies = [ [[package]] name = "ppv-lite86" -version = "0.2.15" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed0cfbc8191465bed66e1718596ee0b0b35d5ee1f41c5df2189d0fe8bde535ba" +checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" [[package]] name = "proc-macro-error" @@ -756,13 +740,12 @@ checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09" [[package]] name = "rand" -version = "0.8.4" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8" +checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ "rand_chacha", "rand_core", - "rand_hc", ] [[package]] @@ -784,20 +767,11 @@ dependencies = [ "getrandom", ] -[[package]] -name = "rand_hc" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7" -dependencies = [ - "rand_core", -] - [[package]] name = "regex" -version = "1.6.0" +version = "1.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c4eb3267174b8c6c2f654116623910a0fef09c4753f8dd83db29c48a0df988b" +checksum = "8b1f693b24f6ac912f4893ef08244d70b6067480d2f1a46e950c9691e6749d1d" dependencies = [ "aho-corasick", "memchr", 
@@ -806,32 +780,18 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.6.27" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a3f87b73ce11b1619a3c6332f45341e0047173771e8b8b73f87bfeefb7b56244" - -[[package]] -name = "ring" -version = "0.16.20" +version = "0.6.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" -dependencies = [ - "cc", - "libc", - "once_cell", - "spin", - "untrusted", - "web-sys", - "winapi", -] +checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" [[package]] name = "rsa" -version = "0.8.2" +version = "0.9.0-pre.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55a77d189da1fee555ad95b7e50e7457d91c0e089ec68ca69ad2989413bbdab4" +checksum = "65db0998ad35adcaca498b7358992e088ee16cc783fe6fb899da203e113a63e5" dependencies = [ "byteorder", + "const-oid", "digest", "num-bigint-dig", "num-integer", @@ -846,20 +806,11 @@ dependencies = [ "zeroize", ] -[[package]] -name = "rusticata-macros" -version = "4.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632" -dependencies = [ - "nom", -] - [[package]] name = "rustix" -version = "0.36.9" +version = "0.37.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd5c6ff11fecd55b40746d1995a02f2eb375bf8c00d192d521ee09f42bef37bc" +checksum = "722529a737f5a942fdbac3a46cee213053196737c5eaa3386d52e85b786f2659" dependencies = [ "bitflags", "errno", @@ -892,7 +843,7 @@ checksum = "291a097c63d8497e00160b166a967a4a79c64f3facdd01cbd7502231688d77df" dependencies = [ "proc-macro2", "quote", - "syn 2.0.14", + "syn 2.0.15", ] [[package]] 
@@ -932,9 +883,9 @@ dependencies = [ [[package]] name = "signature" -version = "2.0.0" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8fe458c98333f9c8152221191a77e2a44e8325d0193484af2e9421a53019e57d" +checksum = "5e1788eed21689f9cf370582dfc467ef36ed9c707f073528ddafa8d83e3b8500" dependencies = [ "digest", "rand_core", @@ -954,9 +905,9 @@ checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" [[package]] name = "spki" -version = "0.6.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b" +checksum = "37a5be806ab6f127c3da44b7378837ebf01dadca8510a0e572460216b228bd0e" dependencies = [ "base64ct", "der", @@ -989,9 +940,9 @@ dependencies = [ [[package]] name = "subtle" -version = "2.4.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" +checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" [[package]] name = "syn" @@ -1006,9 +957,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.14" +version = "2.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcf316d5356ed6847742d036f8a39c3b8435cac10bd528a4bd461928a6ab34d5" +checksum = "a34fcf3e8b60f57e6a14301a2e916d323af98b0ea63c599441eec8558660c822" dependencies = [ "proc-macro2", "quote", 
@@ -1032,22 +983,22 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.30" +version = "1.0.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "854babe52e4df1653706b98fcfc05843010039b406875930a70e4d9644e5c417" +checksum = "978c9a314bd8dc99be594bc3c175faaa9794be04a5a5e153caba6915336cebac" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.30" +version = "1.0.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa32fd3f627f367fe16f893e2597ae3c05020f8bba2666a4e6ea73d377e5714b" +checksum = "f9456a42c5b0d803c8cd86e73dd7cc9edd429499f37a3550d286d5e86720569f" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.15", ] [[package]] @@ -1086,9 +1037,9 @@ dependencies = [ [[package]] name = "typenum" -version = "1.14.0" +version = "1.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b63708a265f51345575b27fe43f9500ad611579e764c79edbc2037b1121959ec" +checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba" [[package]] name = "unicode-ident" @@ -1097,16 +1048,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" [[package]] -name = "untrusted" -version = "0.7.1" +name = "utf8parse" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" [[package]] name = "version_check" -version = "0.9.3" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe" +checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" [[package]] name = "wasi" 
@@ -1114,70 +1065,6 @@ version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" -[[package]] -name = "wasm-bindgen" -version = "0.2.84" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b" -dependencies = [ - "cfg-if", - "wasm-bindgen-macro", -] - -[[package]] -name = "wasm-bindgen-backend" -version = "0.2.84" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9" -dependencies = [ - "bumpalo", - "log", - "once_cell", - "proc-macro2", - "quote", - "syn 1.0.109", - "wasm-bindgen-shared", -] - -[[package]] -name = "wasm-bindgen-macro" -version = "0.2.84" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5" -dependencies = [ - "quote", - "wasm-bindgen-macro-support", -] - -[[package]] -name = "wasm-bindgen-macro-support" -version = "0.2.84" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6" -dependencies = [ - "proc-macro2", - "quote", - "syn 1.0.109", - "wasm-bindgen-backend", - "wasm-bindgen-shared", -] - -[[package]] -name = "wasm-bindgen-shared" -version = "0.2.84" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" - -[[package]] -name = "web-sys" -version = "0.3.61" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" -dependencies = [ - "js-sys", - "wasm-bindgen", -] - [[package]] name = "winapi" version = "0.3.9" 
@@ -1211,18 +1098,18 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] name = "windows-sys" -version = "0.45.0" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" dependencies = [ "windows-targets", ] [[package]] name = "windows-targets" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" +checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5" dependencies = [ "windows_aarch64_gnullvm", "windows_aarch64_msvc", 
@@ -1235,45 +1122,45 @@ dependencies = [ [[package]] name = "windows_aarch64_gnullvm" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" +checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" [[package]] name = "windows_aarch64_msvc" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" +checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" [[package]] name = "windows_i686_gnu" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" +checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" [[package]] name = "windows_i686_msvc" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" +checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" [[package]] name = "windows_x86_64_gnu" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" +checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" [[package]] name = "windows_x86_64_gnullvm" -version = "0.42.2" +version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" +checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" [[package]] name = "windows_x86_64_msvc" -version = "0.42.2" +version = "0.48.0" source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" +checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" [[package]] name = "winnow" @@ -1294,25 +1181,18 @@ dependencies = [ ] [[package]] -name = "x509-parser" -version = "0.12.0" +name = "x509-cert" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffc90836a84cb72e6934137b1504d0cae304ef5d83904beb0c8d773bbfe256ed" +checksum = "0103e822c47e037cb45b34873a31e33181dc4db3a97123b2ecce49c6d4081bab" dependencies = [ - "base64", - "chrono", - "data-encoding", - "der-parser", - "lazy_static", - "nom", - "oid-registry", - "ring", - "rusticata-macros", - "thiserror", + "const-oid", + "der", + "spki", ] [[package]] name = "zeroize" -version = "1.5.7" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c394b5bd0c6f669e7275d9c20aa90ae064cb22e75a1cad54e1b34088034b149f" +checksum = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9" diff --git a/Cargo.toml b/Cargo.toml index 9b9448f..a1c69f2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,7 +15,9 @@ bitfield = { version = "0.14.0", default-features = false } byteorder = { version = "1.4.3", default-features = false, features = ["std"] } clap = { version = "4", default-features = false, features = ["std", "derive", "default"] } colored = { version = "2.0", default-features = false } +const-oid = { version = "0.9.2", default-features = false } crc-any = { version = "2.4.3", default-features = false } +der = { version = "0.7.3", default-features = false, features = ["std"] } env_logger = { version = "0.10", default-features = false, features = ["auto-color"] } hex = { version = "0.4.3", default-features = false, features = ["std"] } log = { version = "0.4", default-features = false } 
@@ -23,7 +25,8 @@ num-derive = { version = "0.3.3", default-features = false, features = ["full-sy num-traits = { version = "0.2.15", default-features = false } packed_struct = { version = "0.10.1", default-features = false, features = ["std"] } parse_int = { version = "0.6.0", default-features = false } -rsa = { version = "0.8.1", default-features = false, features = ["std", "pem", "sha2"] } +pem-rfc7468 = { version = "0.7.0", features = ["std"] } +rsa = { version = "0.9.0-pre.0", default-features = false, features = ["std", "pem", "sha2"] } serde = { version = "1", default-features = false, features = ["derive"] } serialport = { git = "https://github.com/jgallagher/serialport-rs", branch = "illumos-support", default-features = false } sha2 = { version = "0.10", default-features = false } @@ -31,7 +34,6 @@ strum = { version = "0.24", default-features = false, features = ["std"] } strum_macros = { version = "0.24", default-features = false } thiserror = { version = "1", default-features = false } toml = { version = "0.7.3", default-features = false } -x509-parser = { version = "0.12.0", default-features = false, features = ["verify"] } - +x509-cert = { version = "0.2.1", default-features = false, features = ["std"] } lpc55_areas = { path = "lpc55_areas", default-features = false } lpc55_sign = { path = "lpc55_sign", default-features = false } diff --git a/lpc55_sign/Cargo.toml b/lpc55_sign/Cargo.toml index 4244264..6189e85 100644 --- a/lpc55_sign/Cargo.toml +++ b/lpc55_sign/Cargo.toml 
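Review bot: The `rsa` requirement moves to a pre-release, `0.9.0-pre.0`, for the crate that produces the signatures, and the lockfile in this commit already resolves it to `0.9.0-pre.2`. A caret requirement on a pre-release also accepts later pre-releases, which carry no stability promise, so I would pin it exactly with `version = "=0.9.0-pre.2"` and add a comment saying what is needed from 0.9 and that the pin should move to the stable release once it exists. In the same hunk `pem-rfc7468` is the only entry without `default-features = false`; add it so the entry matches the rest of the table.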
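Review bot: The removed `x509-parser` entry was built with its `verify` feature, while `x509-cert` is, as far as I know, a decoder only and does not check certificate signatures. Whether the old code ever called the verification API is not visible on this page; if it did, the equivalent check now has to be written explicitly against the `rsa` crate. Either way, a comment above the new line such as `# x509-cert decodes only; it does not verify certificate signatures` would keep a later reader from assuming parsed certificates have been validated.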
@@ -9,16 +9,19 @@ edition = "2021" byteorder.workspace = true clap = { workspace = true, optional = true } crc-any.workspace = true +const-oid = { workspace = true, features = ["db"]} +der.workspace = true env_logger.workspace = true hex.workspace = true log.workspace = true lpc55_areas.workspace = true packed_struct.workspace = true +pem-rfc7468.workspace = true rsa.workspace = true serde.workspace = true sha2.workspace = true thiserror.workspace = true -x509-parser.workspace = true +x509-cert.workspace = true [features] clap = ["dep:clap"] diff --git a/lpc55_sign/src/cert.rs b/lpc55_sign/src/cert.rs index 214fc4d..b6bb013 100644 --- a/lpc55_sign/src/cert.rs +++ b/lpc55_sign/src/cert.rs 
@@ -1,17 +1,60 @@ -use x509_parser::{ - certificate::X509Certificate, - oid_registry::{self}, -}; +use crate::Error; +use const_oid; +use der::{Decode as _, Encode as _, Reader as _}; +use rsa::pkcs1::DecodeRsaPublicKey; +use rsa::RsaPublicKey; +use std::path::PathBuf; +use x509_cert::Certificate; -pub fn uses_supported_signature_algorithm(cert: &X509Certificate) -> bool { - cert.signature_algorithm.algorithm == oid_registry::OID_PKCS1_SHA256WITHRSA +/// Read and parse X.509 certificates from DER or PEM encoded files. +pub fn read_certs(paths: &[PathBuf]) -> Result, Error> { + let mut certs = Vec::with_capacity(paths.len()); + for path in paths { + let bytes = std::fs::read(path)?; + let der = if bytes.starts_with("-----BEGIN CERTIFICATE-----\n".as_bytes()) { + let (label, der) = pem_rfc7468::decode_vec(&bytes)?; + if label != "CERTIFICATE" { + return Err(Error::PemLabel(label.to_string())); + } + der + } else { + bytes + }; + let cert = Certificate::from_der(&der)?; + certs.push(cert); + } + Ok(certs) } -pub fn signature_algorithm_name(cert: &X509Certificate) -> String { - let oid_registry = oid_registry::OidRegistry::default().with_crypto(); - if let Some(x) = oid_registry.get(&cert.signature_algorithm.algorithm) { - x.sn().into() - } else { - cert.signature_algorithm.algorithm.to_string() - } +/// `Certificate::from_der` uses a `der::SliceReader`, which returns +/// an error if the slice is larger than the DER message it contains. +/// This is a problem for certs in the LPC55 certificate table, because +/// they are padded to a 4-byte boundary. But we can work around it by +/// manually computing the actual length from the DER header. +pub fn read_from_slice(bytes: &[u8]) -> Result { + let reader = der::SliceReader::new(bytes)?; + let header = reader.peek_header()?; + let length = (header.encoded_len()? + header.length)?.try_into()?; + Ok(Certificate::from_der(&bytes[0..length])?) +} + +/// Extract the RSA public key from a certificate. 
+pub fn public_key(cert: &Certificate) -> Result { + Ok(RsaPublicKey::from_pkcs1_der( + cert.tbs_certificate + .subject_public_key_info + .subject_public_key + .raw_bytes(), + )?) +} + +pub fn uses_supported_signature_algorithm(cert: &Certificate) -> bool { + cert.signature_algorithm.oid == const_oid::db::rfc5912::SHA_256_WITH_RSA_ENCRYPTION +} + +pub fn signature_algorithm_name(cert: &Certificate) -> String { + const_oid::db::DB + .by_oid(&cert.signature_algorithm.oid) + .map(|x| x.to_string()) + .unwrap_or_else(|| format!("{:?}", cert.signature_algorithm.oid)) } diff --git a/lpc55_sign/src/lib.rs b/lpc55_sign/src/lib.rs index 75ff4d4..f9e289c 100644 --- a/lpc55_sign/src/lib.rs +++ b/lpc55_sign/src/lib.rs @@ -44,8 +44,14 @@ pub enum Error { #[error("struct packing error: {0}")] PackingError(#[from] packed_struct::PackingError), - #[error("x509 parsing error: {0}")] - X509Error(#[from] x509_parser::nom::Err), + #[error("certificate decoding error: {0}")] + DerError(#[from] der::Error), + + #[error("error decoding PEM: {0}")] + Pem(#[from] pem_rfc7468::Error), + + #[error("unexpected PEM label: {0}")] + PemLabel(String), #[error("io error: {0}")] IoError(#[from] std::io::Error), @@ -56,6 +62,12 @@ pub enum Error { #[error("RSA PKCS#8 error: {0}")] RsaPkcs8Error(#[from] rsa::pkcs8::Error), + #[error("RSA signature error: {0}")] + RsaSignatureError(#[from] rsa::signature::Error), + + #[error("SPKI error: {0}")] + SpkiError(#[from] rsa::pkcs8::spki::Error), + #[error("RSA error while signing: {0}")] SigningError(rsa::errors::Error), diff --git a/lpc55_sign/src/signed_image.rs b/lpc55_sign/src/signed_image.rs index 58c3095..3a922ab 100644 --- a/lpc55_sign/src/signed_image.rs +++ b/lpc55_sign/src/signed_image.rs 
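Review bot: `read_from_slice` indexes `&bytes[0..length]` with a length computed from the DER header, so a header that declares more bytes than the slice holds makes the index panic instead of returning an error. Its doc comment says it is meant for entries of the LPC55 certificate table, which presumably come from the image under inspection, so that length should be treated as untrusted. A checked slice keeps the failure inside the `Result`: `let der = bytes.get(..length).ok_or(/* truncated-certificate error */)?;` followed by `Ok(Certificate::from_der(der)?)`. Separately, in `read_certs` the `label != "CERTIFICATE"` test cannot fail once `starts_with("-----BEGIN CERTIFICATE-----\n")` has matched, while a PEM file with CRLF line endings or leading whitespace skips the PEM branch and is reported as a DER decoding error.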
@@ -6,15 +6,13 @@ use std::{convert::TryInto, path::PathBuf}; use crate::{cert, Error}; use byteorder::{ByteOrder, LittleEndian}; +use der::Encode as _; use lpc55_areas::*; use packed_struct::prelude::*; -use rsa::{ - pkcs1::DecodeRsaPrivateKey, pkcs1::DecodeRsaPublicKey, pkcs8::DecodePrivateKey, PublicKeyParts, - RsaPrivateKey, RsaPublicKey, -}; +use rsa::{pkcs1::DecodeRsaPrivateKey, pkcs8::DecodePrivateKey, PublicKeyParts, RsaPrivateKey}; use serde::Deserialize; use sha2::{Digest, Sha256}; -use x509_parser::parse_x509_certificate; +use x509_cert::Certificate; #[derive(Clone, Debug, Deserialize)] #[serde(rename_all = "kebab-case", deny_unknown_fields)] @@ -50,18 +48,22 @@ pub struct DiceArgs { with_dice_inc_sec_epoch: bool, } -fn get_pad(val: usize) -> usize { - match val.checked_rem(4) { - Some(s) if s > 0 => 4 - s, - _ => 0, - } -} +/// One of: +/// - a SHA2-256 of the modulus (`n`) and exponent (`e`) of an RSA public key, +/// - all zeros to indicate a missing root, +/// - a SHA2-256 of four such "hashes". +pub type Hash = [u8; 32]; + +/// Four root certificates, any subset of which may be missing (`None`). +pub type RootCerts = [Option; 4]; -fn pad_roots(mut roots: Vec>) -> Result<[Vec; 4], Error> { +/// Ensure that there are exactly four root certificates. +pub fn pad_roots(roots: Vec) -> Result { if roots.len() > 4 { return Err(Error::TooManyRoots(roots.len())); } - roots.resize_with(4, Vec::new); + let mut roots = roots.into_iter().map(Option::Some).collect::>(); + roots.resize_with(4, || None); Ok(roots.try_into().unwrap()) } 
@@ -71,10 +73,19 @@ fn pad_roots(mut roots: Vec>) -> Result<[Vec; 4], Error> { /// and the root-key-table hash. pub fn stamp_image( mut image_bytes: Vec, - signing_certs: Vec>, - root_certs: Vec>, + signing_certs: Vec, + root_certs: Vec, execution_address: u32, ) -> Result, Error> { + // Pad to a 4-byte boundary. + fn pad(val: usize) -> usize { + match val.checked_rem(4) { + Some(s) if s > 0 => 4 - s, + _ => 0, + } + } + + // Check the certificates. if signing_certs.is_empty() { return Err(Error::NoSigningCertificate); } @@ -89,10 +100,11 @@ pub fn stamp_image( // of each certificate. let mut cert_table = Vec::new(); for cert in &signing_certs { - let cert_pad = get_pad(cert.len()); - let padded_len = cert.len() + cert_pad; + let cert_bytes = cert.to_der()?; + let cert_pad = pad(cert_bytes.len()); + let padded_len = cert_bytes.len() + cert_pad; cert_table.extend_from_slice(&(padded_len as u32).to_le_bytes()); - cert_table.extend_from_slice(cert); + cert_table.extend_from_slice(&cert_bytes); cert_table.resize(cert_table.len() + cert_pad, 0); } let cert_table_len = cert_table.len(); @@ -103,15 +115,15 @@ pub fn stamp_image( // How many bytes we sign, including image, cert table, and root key hashes. let image_len = image_bytes.len(); - let image_pad = get_pad(image_len); + let image_pad = pad(image_len); let signed_len = image_len + image_pad + cert_header_len + cert_table_len + 4 * 32; cert_header.total_image_len = signed_len .try_into() .map_err(|_| Error::SignedLengthOverflow)?; // Total image length includes the length of the eventual signature. - let (_, leaf) = parse_x509_certificate(signing_certs.last().unwrap())?; - let pub_key = RsaPublicKey::from_pkcs1_der(leaf.public_key().subject_public_key.as_ref())?; + let leaf = signing_certs.last().unwrap(); + let pub_key = cert::public_key(leaf)?; let sig_len = pub_key.n().bits() / 8; let total_len = signed_len + sig_len; 
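Review bot: The certificate table is now built from `cert.to_der()?`, a re-encoding of the parsed `Certificate`, rather than from the bytes that were read from disk. That is only safe if decoding followed by encoding reproduces the input byte for byte; any difference would alter the signed portion of the certificate, and the issuer's signature would no longer match (inferred, the decoder's strictness is not visible here). A comment at the call would record the assumption: `// to_der() must reproduce the original encoding exactly; the certificate's signature covers those bytes`. The same loop keeps `padded_len as u32`, a silent truncation; `u32::try_from(padded_len)` with an error would match how `total_image_len` is converted a few lines further down. `stamp_image` starts and ends outside these hunks.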
@@ -139,7 +151,7 @@ pub fn stamp_image( // goes into the image and _must_ match the hash-of-hashes programmed in // the CMPA! for root in pad_roots(root_certs)? { - image_bytes.extend_from_slice(&root_key_hash(&root)?); + image_bytes.extend_from_slice(&root_key_hash(root.as_ref())?); } Ok(image_bytes) } @@ -164,35 +176,10 @@ pub fn sign_image(binary: &[u8], private_key: &str) -> Result, Error> { Ok(signed) } -pub fn root_key_hash(root: &[u8]) -> Result<[u8; 32], Error> { - if root.is_empty() { - Ok([0; 32]) - } else { - let (_, root_cert) = parse_x509_certificate(root)?; - - if !cert::uses_supported_signature_algorithm(&root_cert) { - return Err(Error::UnsupportedCertificateSignatureAlgorithm { - subject: root_cert.subject().to_string(), - algorithm: cert::signature_algorithm_name(&root_cert), - }); - } - - let root_key = root_cert.public_key().subject_public_key.as_ref(); - let root_key = RsaPublicKey::from_pkcs1_der(root_key)?; - let mut hash = Sha256::new(); - hash.update(&root_key.n().to_bytes_be()); - hash.update(&root_key.e().to_bytes_be()); - Ok(hash.finalize().into()) - } -} - -pub fn required_key_size(root_certs: &[Vec]) -> Result, Error> { +pub fn required_key_size(root_certs: &RootCerts) -> Result, Error> { let mut required_key_size = None; - for cert in root_certs { - let (_, cert) = x509_parser::parse_x509_certificate(cert)?; - let public_key = rsa::RsaPublicKey::from_pkcs1_der( - cert.tbs_certificate.subject_pki.subject_public_key.as_ref(), - )?; + for cert in root_certs.iter().flatten() { + let public_key = cert::public_key(cert)?; let public_key_bits = public_key.size() * 8; if let Some(x) = required_key_size { if x != public_key_bits { 
@@ -205,10 +192,29 @@ pub fn required_key_size(root_certs: &[Vec]) -> Result, Error> Ok(required_key_size) } -pub fn root_key_table_hash(root_certs: Vec>) -> Result<[u8; 32], Error> { +pub fn root_key_hash(root: Option<&Certificate>) -> Result { + match root { + None => Ok([0; 32]), + Some(root) => { + if !cert::uses_supported_signature_algorithm(root) { + return Err(Error::UnsupportedCertificateSignatureAlgorithm { + subject: root.tbs_certificate.subject.to_string(), + algorithm: cert::signature_algorithm_name(root), + }); + } + let root_key = cert::public_key(root)?; + let mut hash = Sha256::new(); + hash.update(&root_key.n().to_bytes_be()); + hash.update(&root_key.e().to_bytes_be()); + Ok(hash.finalize().into()) + } + } +} + +pub fn root_key_table_hash(root_certs: &RootCerts) -> Result { let mut rkth = Sha256::new(); - for root in pad_roots(root_certs)? { - rkth.update(root_key_hash(&root)?); + for root in root_certs { + rkth.update(root_key_hash(root.as_ref())?); } Ok(rkth.finalize().into()) } diff --git a/lpc55_sign/src/verify.rs b/lpc55_sign/src/verify.rs index af69c99..1a575f6 100644 --- a/lpc55_sign/src/verify.rs +++ b/lpc55_sign/src/verify.rs @@ -3,6 +3,7 @@ // file, You can obtain one at https://mozilla.org/MPL/2.0/. use crate::{cert, Error}; +use der::Encode as _; use hex::ToHex as _; use log::{debug as okay, info, trace, warn}; use lpc55_areas::{ @@ -10,9 +11,14 @@ use lpc55_areas::{ SecBootStatus, TZMImageStatus, TzmImageType, TzmPreset, }; use packed_struct::{EnumCatchAll, PackedStruct}; -use rsa::{pkcs1::DecodeRsaPublicKey, signature::Verifier, PublicKeyParts}; -use sha2::Digest; +use rsa::{ + pkcs1v15::{Signature, VerifyingKey}, + signature::Verifier as _, + PublicKeyParts, RsaPublicKey, +}; +use sha2::{Digest as _, Sha256}; use std::io::Write as _; +use x509_cert::Certificate; macro_rules! error { ($failed:ident, $($arg:tt)*) => { 
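Review bot: `root_key_hash` and `root_key_table_hash` are public and produce the values that, per the comment in `stamp_image`, must match what is programmed in the CMPA, yet neither carries a doc comment. I would add `/// SHA-256 of the root's RSA modulus and exponent (big-endian), or all zeros for an empty slot.` to the first and `/// SHA-256 over the four root key hashes, in slot order.` to the second. The doc on `root_key_hash` should also state that a root whose signature algorithm is not SHA-256 with RSA is rejected with `UnsupportedCertificateSignatureAlgorithm` before any hash is produced.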
@@ -360,7 +366,7 @@ fn check_signed_image(image: &[u8], cmpa: CMPAPage, cfpa: CFPAPage) -> Result = vec![]; + let mut certs: Vec = vec![]; for i in 0..cert_header.certificate_count { let x509_length = u32::from_le_bytes(image[start..start + 4].try_into().unwrap()); info!( @@ -371,27 +377,21 @@ fn check_signed_image(image: &[u8], cmpa: CMPAPage, cfpa: CFPAPage) -> Result Result Result okay!(" Verified {kind} certificate signature"), Err(e) => { error!( @@ -450,8 +450,7 @@ fn check_signed_image(image: &[u8], cmpa: CMPAPage, cfpa: CFPAPage) -> Result Result Result::new_with_prefix(public_key_rsa); - match verifying_key.verify(&image[..start], &signature) { + trace!("signature length: {}", image.len() - start); + let public_key_rsa = cert::public_key(certs.last().unwrap())?; + let signature = &Signature::try_from(&image[start..]).unwrap(); + match verify_signature(public_key_rsa, &image[..start], signature) { Ok(()) => okay!("Verified image signature against last certificate"), Err(e) => { error!(failed, "Failed to verify signature: {e:?}"); @@ -550,3 +546,22 @@ fn check_plain_image(_image: &[u8]) -> Result { okay!("Nothing to check for plain image"); Ok(false) } + +fn verify_cert_signature( + cert: &Certificate, + public_key: Option, +) -> Result<(), Error> { + let tbs = cert.tbs_certificate.to_der()?; + let public_key = public_key.unwrap_or_else(|| cert::public_key(cert).unwrap()); + let signature = Signature::try_from(cert.signature.raw_bytes()).unwrap(); + verify_signature(public_key, &tbs, &signature) +} + +fn verify_signature( + public_key: RsaPublicKey, + message: &[u8], + signature: &Signature, +) -> Result<(), Error> { + let verifying_key = VerifyingKey::::new(public_key); + Ok(verifying_key.verify(message, signature)?) +} diff --git a/lpc55_sign_bin/Cargo.toml b/lpc55_sign_bin/Cargo.toml index c9702ad..a0ca7f6 100644 --- a/lpc55_sign_bin/Cargo.toml +++ b/lpc55_sign_bin/Cargo.toml 
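Review bot: `verify_cert_signature` returns `Result<(), Error>` but still panics on malformed input: `cert::public_key(cert).unwrap()` and `Signature::try_from(cert.signature.raw_bytes()).unwrap()` both run on certificates that apparently come from the image being checked. Both can propagate instead, with `let public_key = match public_key { Some(k) => k, None => cert::public_key(cert)? };` and `let signature = Signature::try_from(cert.signature.raw_bytes())?;`, the latter presumably through the `RsaSignatureError` variant this commit adds. The same `unwrap()` sits on `Signature::try_from(&image[start..])` in `check_signed_image`, whose body extends outside the hunks shown. The signature is also checked over `cert.tbs_certificate.to_der()`, a re-encoding, rather than over the TBS bytes as they appear in the image; a comment should state that this relies on the decoder accepting only encodings that round-trip exactly.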
@@ -9,11 +9,14 @@ edition = "2021" anyhow.workspace = true clap.workspace = true colored.workspace = true +der.workspace = true env_logger.workspace = true log.workspace = true lpc55_areas.workspace = true lpc55_sign = { workspace = true, features = ["clap"] } +pem-rfc7468.workspace = true toml = { workspace = true, features = ["parse"] } +x509-cert.workspace = true [[bin]] name = "lpc55_sign" diff --git a/lpc55_sign_bin/src/main.rs b/lpc55_sign_bin/src/main.rs index e2d9c3e..b9cf9fd 100644 --- a/lpc55_sign_bin/src/main.rs +++ b/lpc55_sign_bin/src/main.rs @@ -10,8 +10,9 @@ use lpc55_areas::{ BootErrorPin, BootSpeed, CFPAPage, CMPAPage, DebugSettings, DefaultIsp, ROTKeyStatus, }; use lpc55_sign::{ + cert::read_certs, crc_image, - signed_image::{self, CertConfig, DiceArgs}, + signed_image::{self, pad_roots, CertConfig, DiceArgs}, }; use std::io::{Read, Write}; use std::path::PathBuf; @@ -197,7 +198,7 @@ fn main() -> Result<()> { } } let cfg: CertConfig = certs.try_into_config()?; - let root_certs = read_certs(&cfg.root_certs)?; + let root_certs = pad_roots(read_certs(&cfg.root_certs)?)?; let debug_settings = DebugSettings::default(); let required_key_size = signed_image::required_key_size(&root_certs)?; @@ -207,7 +208,7 @@ fn main() -> Result<()> { Some(x) => bail!("Certificates have unsupported {x}-bit public keys"), }; - let rotkh = signed_image::root_key_table_hash(root_certs)?; + let rotkh = signed_image::root_key_table_hash(&root_certs)?; std::fs::write( &dest_cmpa, @@ -324,10 +325,3 @@ fn main() -> Result<()> { Ok(()) } - -fn read_certs(paths: &[PathBuf]) -> Result>> { - Ok(paths - .iter() - .map(std::fs::read) - .collect::>, _>>()?) -}