Update Rust crate tough to 0.19.0 (#6974)

oxidecomputer · Nov 8, 2024 · 3f6cd90 · 3f6cd90
1 parent e6dbc7b
commit 3f6cd90
Show file tree

Hide file tree

Showing 10 changed files with 231 additions and 333 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -299,6 +299,7 @@ async-bb8-diesel = "0.2"
 async-trait = "0.1.83"
 atomicwrites = "0.4.4"
 authz-macros = { path = "nexus/authz-macros" }
+aws-lc-rs = "1.10.0"
 backoff = { version = "0.4.0", features = [ "tokio" ] }
 base64 = "0.22.1"
 bcs = "0.1.6"
@@ -618,7 +619,7 @@ tokio-tungstenite = "0.23.1"
 tokio-util = { version = "0.7.12", features = ["io", "io-util"] }
 toml = "0.8.19"
 toml_edit = "0.22.22"
-tough = { version = "0.17.1", features = [ "http" ] }
+tough = { version = "0.19.0", features = [ "http" ] }
 trybuild = "1.0.100"
 tufaceous = { path = "tufaceous" }
 tufaceous-lib = { path = "tufaceous-lib" }
@@ -726,6 +727,8 @@ opt-level = 3
 opt-level = 3
 [profile.dev.package.aes-gcm]
 opt-level = 3
+[profile.dev.package.aws-lc-sys]
+opt-level = 3
 [profile.dev.package.bcrypt-pbkdf]
 opt-level = 3
 [profile.dev.package.blake2]

diff --git a/dev-tools/releng/src/tuf.rs b/dev-tools/releng/src/tuf.rs
@@ -126,7 +126,7 @@ pub(crate) async fn build_tuf_repo(
     let manifest = ArtifactManifest::from_deserialized(&output_dir, manifest)?;
     manifest.verify_all_present()?;
     // Assemble the repo.
-    let keys = vec![Key::generate_ed25519()];
+    let keys = vec![Key::generate_ed25519()?];
     let expiry = Utc::now().with_nanosecond(0).unwrap() + Duration::weeks(1);
     OmicronRepoAssembler::new(
         &logger,

diff --git a/tufaceous-lib/Cargo.toml b/tufaceous-lib/Cargo.toml
@@ -11,6 +11,8 @@ workspace = true
 [dependencies]
 anyhow = { workspace = true, features = ["backtrace"] }
 async-trait.workspace = true
+aws-lc-rs.workspace = true
+base64.workspace = true
 buf-list.workspace = true
 bytes.workspace = true
 camino.workspace = true
@@ -24,9 +26,9 @@ hex.workspace = true
 hubtools.workspace = true
 itertools.workspace = true
 omicron-common.workspace = true
+omicron-workspace-hack.workspace = true
 parse-size.workspace = true
 rand.workspace = true
-ring = { workspace = true, features = ["std"] }
 serde.workspace = true
 serde_json.workspace = true
 serde_path_to_error.workspace = true
@@ -38,7 +40,6 @@ toml.workspace = true
 tough.workspace = true
 url.workspace = true
 zip.workspace = true
-omicron-workspace-hack.workspace = true
 
 [dev-dependencies]
 omicron-test-utils.workspace = true

diff --git a/tufaceous-lib/src/key.rs b/tufaceous-lib/src/key.rs
@@ -1,8 +1,7 @@
 use anyhow::{bail, Result};
-use hex::FromHex;
-use rand::{rngs::OsRng, RngCore};
-use ring::rand::SecureRandom;
-use ring::signature::Ed25519KeyPair;
+use aws_lc_rs::rand::SystemRandom;
+use aws_lc_rs::signature::Ed25519KeyPair;
+use base64::{engine::general_purpose::URL_SAFE, Engine};
 use std::fmt::Display;
 use std::str::FromStr;
 use tough::async_trait;
@@ -15,43 +14,25 @@ pub(crate) fn boxed_keys(keys: Vec<Key>) -> Vec<Box<dyn KeySource>> {
 
 #[derive(Debug, Clone)]
 pub enum Key {
-    Ed25519(
-        // We could store this as a `ring::signature::Ed25519KeyPair`, but that
-        // doesn't impl `Clone`.
-        [u8; 32],
-    ),
+    Ed25519 { pkcs8: Vec<u8> },
 }
 
 impl Key {
-    pub fn generate_ed25519() -> Key {
-        let mut key = [0; 32];
-        OsRng.fill_bytes(&mut key);
-        Key::Ed25519(key)
+    pub fn generate_ed25519() -> Result<Key> {
+        let pkcs8 = Ed25519KeyPair::generate_pkcs8(&SystemRandom::new())?;
+        Ok(Key::Ed25519 { pkcs8: pkcs8.as_ref().to_vec() })
     }
 
-    pub(crate) fn as_sign(&self) -> SignKeyPair {
+    fn as_sign_key_pair(&self) -> Result<SignKeyPair> {
         match self {
-            Key::Ed25519(key) => SignKeyPair::ED25519(
-                Ed25519KeyPair::from_seed_unchecked(key)
-                    .expect("ed25519 key length mismatch"),
-            ),
+            Key::Ed25519 { pkcs8 } => {
+                Ok(SignKeyPair::ED25519(Ed25519KeyPair::from_pkcs8(pkcs8)?))
+            }
         }
     }
-}
 
-#[async_trait]
-impl Sign for Key {
-    fn tuf_key(&self) -> tough::schema::key::Key {
-        self.as_sign().tuf_key()
-    }
-
-    async fn sign(
-        &self,
-        msg: &[u8],
-        rng: &(dyn SecureRandom + Sync),
-    ) -> Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>>
-    {
-        self.as_sign().sign(msg, rng).await
+    pub(crate) fn as_tuf_key(&self) -> Result<tough::schema::key::Key> {
+        Ok(self.as_sign_key_pair()?.tuf_key())
     }
 }
 
@@ -61,7 +42,7 @@ impl KeySource for Key {
         &self,
     ) -> Result<Box<dyn Sign>, Box<dyn std::error::Error + Send + Sync + 'static>>
     {
-        Ok(Box::new(self.clone()))
+        Ok(Box::new(self.as_sign_key_pair()?))
     }
 
     async fn write(
@@ -78,7 +59,9 @@ impl FromStr for Key {
 
     fn from_str(s: &str) -> Result<Key> {
         match s.split_once(':') {
-            Some(("ed25519", hex)) => Ok(Key::Ed25519(FromHex::from_hex(hex)?)),
+            Some(("ed25519", base64)) => {
+                Ok(Key::Ed25519 { pkcs8: URL_SAFE.decode(base64)? })
+            }
             Some((kind, _)) => bail!("Invalid key source kind: {}", kind),
             None => bail!("Invalid key source (format is `kind:data`)"),
         }
@@ -88,25 +71,8 @@ impl FromStr for Key {
 impl Display for Key {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            Key::Ed25519(key) => {
-                write!(f, "ed25519:{}", hex::encode(key))
-            }
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::Key;
-    use ring::signature::Ed25519KeyPair;
-    use std::str::FromStr;
-
-    #[test]
-    fn test_from_str() {
-        let key = Key::from_str("ed25519:9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60").unwrap();
-        match key {
-            Key::Ed25519(key) => {
-                let _ = Ed25519KeyPair::from_seed_unchecked(&key).unwrap();
+            Key::Ed25519 { pkcs8 } => {
+                write!(f, "ed25519:{}", URL_SAFE.encode(pkcs8))
             }
         }
     }

diff --git a/tufaceous-lib/src/repository.rs b/tufaceous-lib/src/repository.rs
@@ -373,7 +373,7 @@ mod tests {
             &logctx.log,
             tempdir.path(),
             "0.0.0".parse().unwrap(),
-            vec![Key::generate_ed25519()],
+            vec![Key::generate_ed25519().unwrap()],
             Utc::now() + Days::new(1),
         )
         .await

diff --git a/tufaceous-lib/src/root.rs b/tufaceous-lib/src/root.rs
@@ -1,12 +1,11 @@
 use crate::key::Key;
 use anyhow::Result;
+use aws_lc_rs::rand::SystemRandom;
 use chrono::{DateTime, Utc};
-use ring::rand::SystemRandom;
 use std::collections::HashMap;
 use std::num::NonZeroU64;
 use tough::editor::signed::SignedRole;
 use tough::schema::{KeyHolder, RoleKeys, RoleType, Root};
-use tough::sign::Sign;
 
 pub(crate) async fn new_root(
     keys: Vec<Key>,
@@ -22,7 +21,7 @@ pub(crate) async fn new_root(
         _extra: HashMap::new(),
     };
     for key in &keys {
-        let key = key.as_sign().tuf_key();
+        let key = key.as_tuf_key()?;
         root.keys.insert(key.key_id()?, key);
     }
     for kind in [

diff --git a/tufaceous/src/dispatch.rs b/tufaceous/src/dispatch.rs
@@ -44,7 +44,7 @@ impl Args {
 
         match self.command {
             Command::Init { system_version, no_generate_key } => {
-                let keys = maybe_generate_keys(self.keys, no_generate_key);
+                let keys = maybe_generate_keys(self.keys, no_generate_key)?;
 
                 let repo = OmicronRepo::initialize(
                     &log,
@@ -161,7 +161,7 @@ impl Args {
                     manifest.verify_all_present()?;
                 }
 
-                let keys = maybe_generate_keys(self.keys, no_generate_key);
+                let keys = maybe_generate_keys(self.keys, no_generate_key)?;
                 let mut assembler = OmicronRepoAssembler::new(
                     &log,
                     manifest,
@@ -245,12 +245,15 @@ enum Command {
     },
 }
 
-fn maybe_generate_keys(keys: Vec<Key>, no_generate_key: bool) -> Vec<Key> {
-    if !no_generate_key && keys.is_empty() {
-        let key = Key::generate_ed25519();
+fn maybe_generate_keys(
+    keys: Vec<Key>,
+    no_generate_key: bool,
+) -> Result<Vec<Key>> {
+    Ok(if !no_generate_key && keys.is_empty() {
+        let key = Key::generate_ed25519()?;
         crate::hint::generated_key(&key);
         vec![key]
     } else {
         keys
-    }
+    })
 }
diff --git a/tufaceous/tests/integration-tests/command_tests.rs b/tufaceous/tests/integration-tests/command_tests.rs
@@ -18,7 +18,7 @@ use tufaceous_lib::{Key, OmicronRepo};
 async fn test_init_and_add() -> Result<()> {
     let logctx = test_setup_log("test_init_and_add");
     let tempdir = tempfile::tempdir().unwrap();
-    let key = Key::generate_ed25519();
+    let key = Key::generate_ed25519()?;
 
     let mut cmd = make_cmd_with_repo(tempdir.path(), &key);
     cmd.args(["init", "0.0.0"]);
@@ -114,7 +114,7 @@ async fn test_init_and_add() -> Result<()> {
 fn test_assemble_fake() -> Result<()> {
     let logctx = test_setup_log("test_assemble_fake");
     let tempdir = tempfile::tempdir().unwrap();
-    let key = Key::generate_ed25519();
+    let key = Key::generate_ed25519()?;
 
     let archive_path = tempdir.path().join("archive.zip");
 

diff --git a/workspace-hack/Cargo.toml b/workspace-hack/Cargo.toml
@@ -21,6 +21,7 @@ workspace = true
 ahash = { version = "0.8.11" }
 aho-corasick = { version = "1.1.3" }
 anyhow = { version = "1.0.92", features = ["backtrace"] }
+aws-lc-rs = { version = "1.10.0", features = ["prebuilt-nasm"] }
 base16ct = { version = "0.2.0", default-features = false, features = ["alloc"] }
 base64 = { version = "0.22.1" }
 base64ct = { version = "1.6.0", default-features = false, features = ["std"] }
@@ -98,8 +99,9 @@ regex = { version = "1.11.0" }
 regex-automata = { version = "0.4.8", default-features = false, features = ["dfa", "hybrid", "meta", "nfa", "perf", "unicode"] }
 regex-syntax = { version = "0.8.5" }
 reqwest = { version = "0.12.8", features = ["blocking", "cookies", "json", "rustls-tls", "stream"] }
-ring = { version = "0.17.8", features = ["std"] }
 rsa = { version = "0.9.6", features = ["serde", "sha2"] }
+rustls = { version = "0.23.14", features = ["ring"] }
+rustls-webpki = { version = "0.102.8", default-features = false, features = ["aws_lc_rs", "ring", "std"] }
 schemars = { version = "0.8.21", features = ["bytes", "chrono", "uuid1"] }
 scopeguard = { version = "1.2.0" }
 semver = { version = "1.0.23", features = ["serde"] }
@@ -137,6 +139,7 @@ zip = { version = "0.6.6", default-features = false, features = ["bzip2", "defla
 ahash = { version = "0.8.11" }
 aho-corasick = { version = "1.1.3" }
 anyhow = { version = "1.0.92", features = ["backtrace"] }
+aws-lc-rs = { version = "1.10.0", features = ["prebuilt-nasm"] }
 base16ct = { version = "0.2.0", default-features = false, features = ["alloc"] }
 base64 = { version = "0.22.1" }
 base64ct = { version = "1.6.0", default-features = false, features = ["std"] }
@@ -215,8 +218,9 @@ regex = { version = "1.11.0" }
 regex-automata = { version = "0.4.8", default-features = false, features = ["dfa", "hybrid", "meta", "nfa", "perf", "unicode"] }
 regex-syntax = { version = "0.8.5" }
 reqwest = { version = "0.12.8", features = ["blocking", "cookies", "json", "rustls-tls", "stream"] }
-ring = { version = "0.17.8", features = ["std"] }
 rsa = { version = "0.9.6", features = ["serde", "sha2"] }
+rustls = { version = "0.23.14", features = ["ring"] }
+rustls-webpki = { version = "0.102.8", default-features = false, features = ["aws_lc_rs", "ring", "std"] }
 schemars = { version = "0.8.21", features = ["bytes", "chrono", "uuid1"] }
 scopeguard = { version = "1.2.0" }
 semver = { version = "1.0.23", features = ["serde"] }
@@ -262,7 +266,6 @@ linux-raw-sys = { version = "0.4.14", default-features = false, features = ["elf
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 
 [target.x86_64-unknown-linux-gnu.build-dependencies]
@@ -274,7 +277,6 @@ linux-raw-sys = { version = "0.4.14", default-features = false, features = ["elf
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 
 [target.x86_64-apple-darwin.dependencies]
@@ -284,7 +286,6 @@ hyper-util = { version = "0.1.9", features = ["full"] }
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 
 [target.x86_64-apple-darwin.build-dependencies]
@@ -294,7 +295,6 @@ hyper-util = { version = "0.1.9", features = ["full"] }
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 
 [target.aarch64-apple-darwin.dependencies]
@@ -304,7 +304,6 @@ hyper-util = { version = "0.1.9", features = ["full"] }
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 
 [target.aarch64-apple-darwin.build-dependencies]
@@ -314,7 +313,6 @@ hyper-util = { version = "0.1.9", features = ["full"] }
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 
 [target.x86_64-unknown-illumos.dependencies]
@@ -326,7 +324,6 @@ indicatif = { version = "0.17.8", features = ["rayon"] }
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 toml_edit-cdcf2f9584511fe6 = { package = "toml_edit", version = "0.19.15", features = ["serde"] }
 
@@ -339,7 +336,6 @@ indicatif = { version = "0.17.8", features = ["rayon"] }
 mio = { version = "1.0.2", features = ["net", "os-ext"] }
 once_cell = { version = "1.20.2" }
 rustix = { version = "0.38.37", features = ["event", "fs", "net", "pipe", "process", "stdio", "system", "termios", "time"] }
-rustls = { version = "0.23.14", default-features = false, features = ["logging", "ring", "std", "tls12"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "ring", "tls12"] }
 toml_edit-cdcf2f9584511fe6 = { package = "toml_edit", version = "0.19.15", features = ["serde"] }