Merge pull-request #565

cr-tk · cr-tk · commit ba08468c2f94 · 2025-07-31T21:53:42.000+02:00
diff --git a/src/Cargo.lock b/src/Cargo.lock
diff --git a/src/integration/Cargo.toml b/src/integration/Cargo.toml
@@ -15,15 +15,12 @@ qos_hex = { path = "../qos_hex" }
 qos_p256 = { path = "../qos_p256", features = ["mock"] }
 qos_test_primitives = { path = "../qos_test_primitives" }
 
-tokio = { version = "1.38.0", features = ["macros", "rt-multi-thread"], default-features = false }
+tokio = { version = "1.43.1", features = ["macros", "rt-multi-thread"], default-features = false }
 borsh = { version = "1.0", features = ["std", "derive"] , default-features = false}
 nix = { version = "0.26", features = ["socket"], default-features = false }
 rustls = { version = "0.23.5" }
-webpki-roots = { version = "0.26.1" }
+webpki-roots = { version = "1.0.2" }
 
 [dev-dependencies]
-qos_core = { path = "../qos_core", features = ["mock"], default-features = false }
-aws-nitro-enclaves-nsm-api = { version = "0.4", default-features = false }
-rand = "0.8"
+rand = "0.9"
 ureq = { version = "2.9", features = ["json"], default-features = false }
-serde = { version = "1", features = ["derive"] }
diff --git a/src/integration/tests/genesis.rs b/src/integration/tests/genesis.rs
@@ -12,7 +12,7 @@ use qos_crypto::{sha_512, shamir::shares_reconstruct};
 use qos_nsm::nitro::unsafe_attestation_doc_from_der;
 use qos_p256::{P256Pair, P256Public};
 use qos_test_primitives::{ChildWrapper, PathWrapper};
-use rand::{seq::SliceRandom, thread_rng};
+use rand::{seq::SliceRandom, rng};
 
 const DR_KEY_PUBLIC_PATH: &str = "./mock/mock_p256_dr.pub";
 const DR_KEY_PRIVATE_PATH: &str = "./mock/mock_p256_dr.secret.keep";
@@ -197,7 +197,7 @@ async fn genesis_e2e() {
 		.collect();
 
 	// Try recovering from a random permutation
-	decrypted_shares.shuffle(&mut thread_rng());
+	decrypted_shares.shuffle(&mut rng());
 	let master_secret: [u8; qos_p256::MASTER_SEED_LEN] =
 		shares_reconstruct(&decrypted_shares[0..threshold])
 			.unwrap()
diff --git a/src/qos_client/Cargo.toml b/src/qos_client/Cargo.toml
@@ -16,13 +16,14 @@ ureq = { version = "2.9", default-features = false }
 aws-nitro-enclaves-nsm-api = { version = "0.4", default-features = false }
 borsh = { version = "1.0", features = ["std", "derive"] , default-features = false}
 p256 = { version = "0.12.0", default-features = false }
-rand_core = { version = "0.6", default-features = false }
+rand_core = { version = "0.9", features = ["os_rng"], default-features = false }
 zeroize = { version = "1.6", default-features = false }
 rpassword = { version = "7", default-features = false }
 serde_json = { version = "1" }
 
 x509 = { version = "0.2", default-features = false, optional = true }
-yubikey = { version = "*", features = ["untested"], default-features = false, optional = true }
+# As of 7/2025, upgrading this to 0.8.0 is blocked due to dependency conflicts
+yubikey = { version = "0.7", features = ["untested"], default-features = false, optional = true }
 
 [dev-dependencies]
 # We need mock enabled to grab things related to the mock NSM.
diff --git a/src/qos_client/src/yubikey.rs b/src/qos_client/src/yubikey.rs
@@ -7,7 +7,7 @@ use p256::{
 	SecretKey,
 };
 use qos_p256::encrypt::Envelope;
-use rand_core::{OsRng, RngCore};
+use rand_core::{OsRng, TryRngCore};
 use x509::RelativeDistinguishedName;
 use yubikey::{
 	certificate::{Certificate, PublicKeyInfo},
@@ -70,6 +70,9 @@ pub enum YubiKeyError {
 /// Generate a signed certificate with a p256 key for the given `slot`.
 ///
 /// Returns the public key as an uncompressed encoded point.
+///
+/// # Panics
+/// Panics if the `OsRng` is unable to provide data, which shouldn't happen in normal operation.
 pub fn generate_signed_certificate(
 	yubikey: &mut YubiKey,
 	slot: SlotId,
@@ -95,7 +98,9 @@ pub fn generate_signed_certificate(
 
 	// Create a random serial number
 	let mut serial = [0u8; 20];
-	OsRng.fill_bytes(&mut serial);
+	OsRng.try_fill_bytes(&mut serial).expect(
+		"The OsRng was unable to provide data, which should never happen",
+	);
 
 	// Don't add any extensions
 	let extensions: &[x509::Extension<'_, &[u64]>] = &[];
@@ -117,6 +122,9 @@ pub fn generate_signed_certificate(
 
 /// Import the given `key_data` onto the `yubikey` and create a signed
 /// certificate for the key.
+///
+/// # Panics
+/// Panics if the `OsRng` is unable to provide data, which shouldn't happen in normal operation.
 pub fn import_key_and_generate_signed_certificate(
 	yubikey: &mut YubiKey,
 	key_data: &[u8],
@@ -156,7 +164,9 @@ pub fn import_key_and_generate_signed_certificate(
 
 	// Create a random serial number
 	let mut serial = [0u8; 20];
-	OsRng.fill_bytes(&mut serial);
+	OsRng.try_fill_bytes(&mut serial).expect(
+		"The OsRng was unable to provide data, which should never happen",
+	);
 
 	// Don't add any extensions
 	let extensions: &[x509::Extension<'_, &[u64]>] = &[];
diff --git a/src/qos_core/Cargo.toml b/src/qos_core/Cargo.toml
@@ -26,7 +26,7 @@ qos_test_primitives = { path = "../qos_test_primitives" }
 qos_p256 = { path = "../qos_p256", features = ["mock"] }
 qos_nsm = { path = "../qos_nsm", features = ["mock"], default-features = false }
 rustls = { version = "0.23.5" }
-webpki-roots = { version = "0.26.1" }
+webpki-roots = { version = "1.0.2" }
 
 [features]
 # Support for VSOCK
diff --git a/src/qos_crypto/Cargo.toml b/src/qos_crypto/Cargo.toml
@@ -4,14 +4,14 @@ version = "0.1.0"
 edition = "2021"
 publish = false
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 sha2 = { version = "0.10", default-features = false }
-rand = { version = "0.8", default-features = false, features = ["std", "std_rng"] }
+thiserror = { version = "2.0.12",  features = ["std"], default-features = false }
 vsss-rs = { version = "5.1", default-features = false, features = ["std", "zeroize"] }
+# dependent on rand_core version used in vsss-rs
+rand = { version = "0.8", default-features = false, features = ["std", "std_rng"] }
+# dependent on rand_core version used in vsss-rs
 rand_core = { version = "0.6.4", default-features = false }
-thiserror = "1.0.63"
 
 [dev-dependencies]
 qos_hex = { path = "../qos_hex" }
diff --git a/src/qos_enclave/Cargo.toml b/src/qos_enclave/Cargo.toml
@@ -7,6 +7,9 @@ rust-version = "1.61"
 publish = false
 
 [dependencies]
+# newer versions 1.4.1 and 1.4.2 available
+# as of 7/2025, AWS doesn't have a recent crate version of aws-nitro-enclaves-cli published
+# directly use the git version as a workaround
 nitro-cli = { git = "https://github.com/aws/aws-nitro-enclaves-cli", version = "1.4.0" }
 libc = "0.2.172" # NOTE: nitro-cli requires ^0.2.161
 
diff --git a/src/qos_hex/Cargo.toml b/src/qos_hex/Cargo.toml
@@ -5,7 +5,7 @@ edition = "2021"
 publish = false
 
 [dependencies]
-serde = {version = "1", optional = true, default-features = false }
+serde = { version = "1", optional = true, default-features = false }
 
 [features]
-serde =["dep:serde"]
+serde = ["dep:serde"]
diff --git a/src/qos_host/Cargo.toml b/src/qos_host/Cargo.toml
@@ -10,7 +10,7 @@ qos_hex = { path = "../qos_hex", features = ["serde"], default-features = false
 
 # Third party
 axum = { version = "0.6.20", features = ["http1", "tokio", "json"], default-features = false }
-tokio = { version = "1.38.0", features = ["macros", "rt-multi-thread"], default-features = false }
+tokio = { version = "1.43.1", features = ["macros", "rt-multi-thread"], default-features = false }
 borsh = { version = "1.0", features = ["std", "derive"] , default-features = false}
 serde_json = { version = "1" }
 serde = { version = "1", features = ["derive"], default-features = false }
diff --git a/src/qos_net/Cargo.toml b/src/qos_net/Cargo.toml
@@ -19,7 +19,7 @@ hickory-resolver = { version = "0.25.2", features = [
 rand = { version = "0.9.1", features = [
     "thread_rng",
 ], default-features = false, optional = true }
-tokio = { version = "1.38.0", default-features = false }
+tokio = { version = "1.43.1", default-features = false }
 
 [dev-dependencies]
 qos_test_primitives = { path = "../qos_test_primitives" }
@@ -29,7 +29,7 @@ serde_json = { version = "1.0.121", features = [
     "std",
 ], default-features = false }
 rustls = { version = "0.23.5" }
-webpki-roots = { version = "0.26.1" }
+webpki-roots = { version = "1.0.2" }
 
 [features]
 default = ["proxy"]                  # keep this as a default feature ensures we lint by default
diff --git a/src/qos_nsm/Cargo.toml b/src/qos_nsm/Cargo.toml
@@ -6,18 +6,19 @@ publish = false
 
 [dependencies]
 qos_hex = { path = "../qos_hex" }
-borsh = { version = "1.0", features = ["std", "derive"] , default-features = false}
+borsh = { version = "1.5", features = ["std", "derive"] , default-features = false}
 aws-nitro-enclaves-nsm-api = { version = "0.4", features = ["nix"], default-features = false }
 aws-nitro-enclaves-cose = { version = "0.5", default-features = false }
 sha2 = { version = "0.10", default-features = false }
 webpki = { version =  "0.22.4", default-features = false }
 serde_bytes = { version = "0.11", default-features = false }
-p384 = { version = "0.12", features = ["sha384", "ecdsa", "ecdsa-core", "std"], default-features = false }
-x509-cert = { version = "=0.1.0", features = ["pem"], default-features = false }
+# as of 0.12.0, the "ecdsa" feature enables "sha384", some "ecdsa-core", and others
+p384 = { version = "0.13", features = ["ecdsa", "std"], default-features = false }
+x509-cert = { version = "0.2.5", features = ["pem"], default-features = false }
 
 [dev-dependencies]
-hex-literal = "0.4"
-rand = "0.8"
+# 1.0.0 requires Rust edition 2024
+hex-literal = "0.4.0"
 
 [features]
 # Never use in production - support for mock NSM
diff --git a/src/qos_nsm/src/nitro/mod.rs b/src/qos_nsm/src/nitro/mod.rs
@@ -235,8 +235,8 @@ fn verify_certificate_chain(
 	Ok(())
 }
 
-// Check that cose sign1 structure is signed with the key in the end
-// entity certificate.
+/// Check that cose sign1 structure is signed with the key in the end
+/// entity certificate.
 fn verify_cose_sign1_sig(
 	end_entity_certificate: &[u8],
 	cose_sign1: &CoseSign1,
@@ -252,8 +252,22 @@ fn verify_cose_sign1_sig(
 		return Err(AttestError::InvalidEndEntityCert);
 	}
 
-	let pub_key =
-		ee_cert.tbs_certificate.subject_public_key_info.subject_public_key;
+	// The ASN.1 format of certificates wraps the `subject_public_key` as BIT STRING type,
+	// which can optionally have 1 to 7 bits in the last octet marked as unused but still sent on the wire
+	// The `der` crate doesn't have an automatic conversion (masking) function if unused_bits() > 0,
+	// and the raw_bytes() data of those bits can be non-zero (!)
+	//
+	// Since we expect the wrapped inner data to be of OCTET STRING type and unused_bits() == 0,
+	// we can use `as_bytes()` which returns `None` if the underlying BitString has unused bits
+	// and treat that case as a decode failure
+	let pub_key = ee_cert
+		.tbs_certificate
+		.subject_public_key_info
+		.subject_public_key
+		.as_bytes()
+		.ok_or(AttestError::FailedDecodeKeyFromCert)?;
+
+	// Decode the public key from `Elliptic-Curve-Point-to-Octet-String`
 	let key = PublicKey::from_sec1_bytes(pub_key)
 		.map_err(|_| AttestError::FailedDecodeKeyFromCert)?;
 	let key_wrapped = P384PubKey(key);
@@ -262,6 +276,7 @@ fn verify_cose_sign1_sig(
 	let is_valid_sig = cose_sign1
 		.verify_signature::<Sha2>(&key_wrapped)
 		.map_err(|_| AttestError::InvalidCOSESign1Signature)?;
+
 	if is_valid_sig {
 		Ok(())
 	} else {
@@ -363,7 +378,7 @@ mod test {
 			"55c6aa815a31741bc37f0ffddea73af2397bad640816ef22bfb689efc1b6cc68
 		2a73f7e5a657248e3abad500e46d5afc"
 		);
-		let private = p384::SecretKey::from_be_bytes(&secret).unwrap();
+		let private = p384::SecretKey::from_slice(&secret).unwrap();
 		let public = private.public_key();
 
 		(P384PrivateKey(private), P384PubKey(public))
@@ -412,7 +427,8 @@ mod test {
 		);
 
 		// Rejects incorrect key
-		let random_private = SecretKey::random(rand::rngs::OsRng);
+		let random_private =
+			SecretKey::random(&mut p384::elliptic_curve::rand_core::OsRng);
 		let random_public = random_private.public_key();
 
 		assert!(cose_doc
diff --git a/src/qos_p256/Cargo.toml b/src/qos_p256/Cargo.toml
@@ -8,14 +8,16 @@ publish = false
 qos_hex = { path = "../qos_hex" }
 
 borsh = { version = "1.0", features = ["std", "derive"] , default-features = false}
+# version related to p256 crate
 rand_core = { version = "0.6.4", default-features = false }
 
 sha2 = { version = "0.10", default-features = false }
-p256 = { version = "0.12.0", features = ["ecdh", "ecdsa", "ecdsa-core", "std"], default-features = false }
+# as of 0.12.0, the "ecdsa" feature enables "sha384", some "ecdsa-core", and others
+p256 = { version = "0.12.0", features = ["ecdh", "ecdsa", "std"], default-features = false }
 aes-gcm = { version = "0.10.3", features = ["aes", "alloc"], default-features = false }
 hmac = { version = "0.12", default-features = false }
 hkdf = { version = "0.12", default-features = false }
-zeroize = { version = "1.6", features = ["derive"], default-features = false }
+zeroize = { version = "1.8", features = ["derive"], default-features = false }
 
 [dev-dependencies]
 qos_test_primitives = { path = "../qos_test_primitives" }
diff --git a/src/qos_test_primitives/Cargo.toml b/src/qos_test_primitives/Cargo.toml
@@ -5,4 +5,4 @@ edition = "2021"
 publish = false
 
 [dependencies]
-rand = "0.8"
+rand = "0.9"
diff --git a/src/qos_test_primitives/src/lib.rs b/src/qos_test_primitives/src/lib.rs
@@ -83,9 +83,9 @@ impl<'a> Deref for PathWrapper<'a> {
 /// Get a bind-able TCP port on the local system.
 #[must_use]
 pub fn find_free_port() -> Option<u16> {
-	let mut rng = rand::thread_rng();
+	let mut rng = rand::rng();
 	for _ in 0..MAX_PORT_SEARCH_ATTEMPTS {
-		let port = rng.gen_range(SERVER_PORT_RANGE);
+		let port = rng.random_range(SERVER_PORT_RANGE);
 		if port_is_available(port) {
 			return Some(port);
 		}
