-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pull Request for the wrapper class of Team TechShield (USB-Dongles) #8
Conversation
Co-authored-by: Eisberch <[email protected]>
Co-authored-by: Eisberch <[email protected]>
Co-authored-by: Eisberch <[email protected]>
Co-authored-by: Eisberch <[email protected]>
main, bzw. Demo-App - unfertig
std = [] | ||
tpm = [] | ||
win = ["tpm", "windows"] | ||
yubi = ["hsm", "yubikey"] | ||
|
||
[dependencies] | ||
yubikey = { version = "0.8.0", optional = true, features = ["untested"] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please be aware that yubikey 0.8.0 depends ons rsa 0.9.6:
Crate: rsa
Version: 0.9.6
Title: Marvin Attack: potential key recovery through timing sidechannels
Date: 2023-11-22
ID: RUSTSEC-2023-0071
URL: https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity: 5.9 (medium)
Solution: No fixed upgrade is available!
I don't see any update available for RSA to address this yet. In security, when you cannot update a vulnerability, then you need to perform a risk assessment, and propose mitigations, where possible. See RustCrypto/RSA#19 (comment). Are there any steps users can take to protect themselves against this? If so, please document your recommendations - perhaps in your readme.
src/hsm/yubikey/key_handle.rs
Outdated
match key_algo { | ||
AsymmetricEncryption::Rsa(KeyBits::Bits1024) => { | ||
algorithm_id = AlgorithmId::Rsa1024; | ||
vec_data = apply_pkcs1v15_padding(&vec_data, 128); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please replace magic values with constants.
src/hsm/yubikey/key_handle.rs
Outdated
} | ||
AsymmetricEncryption::Rsa(KeyBits::Bits2048) => { | ||
algorithm_id = AlgorithmId::Rsa2048; | ||
vec_data = apply_pkcs1v15_padding(&vec_data, 256); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please replace magic values with constants.
} | ||
} | ||
// Hier muesste die Pin Eingabe und die Managementkey Eingabe implementiert werden. Ist aktuell hardcoded. | ||
self.pin = "123456".to_string(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hardcoded pins should be avoided. Please see if you can find a more elegant way to manage the pin.
All functions should work in this branch, the code is ready to be pentested.