Add KMS support to crypto pseudo-Node (#1846)

Just tink-awskms support for the moment.
project-oak · Feb 5, 2021 · 7fef98d · 7fef98d
1 parent 244bb10
commit 7fef98d
Show file tree

Hide file tree

Showing 26 changed files with 1,624 additions and 177 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -20,6 +20,7 @@ jobs:
           - run-cargo-udeps
           - build-server --server-variant=base
           - build-server --server-variant=logless
+          - build-server --server-variant=kms
           - run-tests
           - run-tests-tsan
           - run-examples --application-variant=rust

diff --git a/Dockerfile b/Dockerfile
@@ -262,6 +262,25 @@ RUN chmod +x ${install_dir}/rust-analyzer
 # its own home folder.
 ENV CARGO_HOME ""
 
+# Build a statically-linked version of OpenSSL with musl
+ENV OPENSSL_DIR /musl
+RUN mkdir ${OPENSSL_DIR}
+
+RUN ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/x86_64-linux-musl/asm
+RUN ln -s /usr/include/asm-generic /usr/include/x86_64-linux-musl/asm-generic
+RUN ln -s /usr/include/linux /usr/include/x86_64-linux-musl/linux
+
+ARG openssl_dir=/usr/local/openssl
+RUN mkdir --parents ${openssl_dir}
+RUN curl --location https://github.com/openssl/openssl/archive/OpenSSL_1_1_1f.tar.gz | tar --extract --gzip --directory=${openssl_dir}/
+WORKDIR ${openssl_dir}/openssl-OpenSSL_1_1_1f
+RUN CC="musl-gcc -fPIE -pie" ./Configure no-shared no-async --prefix=/musl --openssldir="${OPENSSL_DIR}/ssl" linux-x86_64
+RUN make depend && make -j"$(nproc)"&& make install_sw install_ssldirs
+
+# Allow the build to find statically built OpenSSL.
+ENV PKG_CONFIG_ALLOW_CROSS 1
+ENV OPENSSL_STATIC 1
+
 # Placeholder args that are expected to be passed in at image build time.
 # See https://code.visualstudio.com/docs/remote/containers-advanced#_creating-a-nonroot-user
 ARG USERNAME=user-name-goes-here

diff --git a/examples/deny.toml b/examples/deny.toml
@@ -16,6 +16,10 @@ notice = "deny"
 ignore = [
   # TODO(#1267): Remove when mio no longer depends on net2.
   "RUSTSEC-2020-0016",
+  # TODO: Remove when rusoto-* no longer depends on dirs.
+  "RUSTSEC-2020-0053",
+  # TODO: Remove when rusoto-* no longer depends on stdweb (via time).
+  "RUSTSEC-2020-0056"
 ]
 
 # Deny multiple versions unless explicitly skipped.

diff --git a/experimental/deny.toml b/experimental/deny.toml
@@ -13,6 +13,8 @@ notice = "deny"
 ignore = [
   # TODO(#1267): Remove when mio no longer depends on net2.
   "RUSTSEC-2020-0016",
+  # TODO: Remove when rusoto-* no longer depends on dirs.
+  "RUSTSEC-2020-0053",
 ]
 
 # Deny multiple versions unless explicitly skipped.