diff --git a/.github/workflows/aa_basic.yml b/.github/workflows/aa_basic.yml index 7e6ba48a3..b1e296628 100644 --- a/.github/workflows/aa_basic.yml +++ b/.github/workflows/aa_basic.yml @@ -8,11 +8,13 @@ on: - 'attestation-agent/**' - '.github/workflows/aa_basic.yml' - 'Cargo.toml' + - 'Cargo.lock' pull_request: paths: - 'attestation-agent/**' - '.github/workflows/aa_basic.yml' - 'Cargo.toml' + - 'Cargo.lock' create: workflow_dispatch: @@ -30,7 +32,7 @@ jobs: - stable steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/aa_cc_kbc.yml b/.github/workflows/aa_cc_kbc.yml index 352b48754..4277e22a2 100644 --- a/.github/workflows/aa_cc_kbc.yml +++ b/.github/workflows/aa_cc_kbc.yml @@ -38,7 +38,7 @@ jobs: - cc_kbc_snp steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/aa_crypto.yml b/.github/workflows/aa_crypto.yml index 783f764b4..e5214667d 100644 --- a/.github/workflows/aa_crypto.yml +++ b/.github/workflows/aa_crypto.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/aa_eaa_kbc.yml b/.github/workflows/aa_eaa_kbc.yml index 674ccdcc2..3888d7192 100644 --- a/.github/workflows/aa_eaa_kbc.yml +++ b/.github/workflows/aa_eaa_kbc.yml @@ -1,16 +1,16 @@ name: attestation-agent eaa_kbc tests on: - push: - branches: - - 'main' - paths: - - 'attestation-agent/kbc/eaa_kbc/**' - - '.github/workflows/aa_eaa_kbc.yml' - pull_request: - paths: - - 'attestation-agent/kbc/eaa_kbc/**' - - '.github/workflows/aa_eaa_kbc.yml' + # push: + # branches: + # - 'main' + # paths: + # - 'attestation-agent/kbc/eaa_kbc/**' + # - '.github/workflows/aa_eaa_kbc.yml' + # pull_request: + # paths: + # - 'attestation-agent/kbc/eaa_kbc/**' + # - '.github/workflows/aa_eaa_kbc.yml' create: workflow_dispatch: @@ -31,7 +31,7 @@ jobs: steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/aa_occlum_sgx.yml b/.github/workflows/aa_occlum_sgx.yml index b89a3aeb3..6bd21f44f 100644 --- a/.github/workflows/aa_occlum_sgx.yml +++ b/.github/workflows/aa_occlum_sgx.yml @@ -27,7 +27,7 @@ jobs: working-directory: ./attestation-agent steps: - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: submodules: true diff --git a/.github/workflows/aa_release.yml b/.github/workflows/aa_release.yml index 2e70a0032..fde26c5ef 100644 --- a/.github/workflows/aa_release.yml +++ b/.github/workflows/aa_release.yml @@ -9,17 +9,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{github.actor}} password: ${{secrets.GITHUB_TOKEN}} - name: Build and push coco-key-provider - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: . file: ./attestation-agent/docker/Dockerfile.keyprovider diff --git a/.github/workflows/aa_sample_keyprovider.yml b/.github/workflows/aa_sample_keyprovider.yml index d55e5c436..3d4d581c3 100644 --- a/.github/workflows/aa_sample_keyprovider.yml +++ b/.github/workflows/aa_sample_keyprovider.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/aa_sev_kbc.yml b/.github/workflows/aa_sev_kbc.yml index f18fd893b..667da32ff 100644 --- a/.github/workflows/aa_sev_kbc.yml +++ b/.github/workflows/aa_sev_kbc.yml @@ -30,7 +30,7 @@ jobs: - online_sev_kbc steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/api-server-rest-basic.yml b/.github/workflows/api-server-rest-basic.yml index f3bb2ba81..7b71465b7 100644 --- a/.github/workflows/api-server-rest-basic.yml +++ b/.github/workflows/api-server-rest-basic.yml @@ -8,11 +8,13 @@ on: - 'api-server-rest/**' - '.github/workflows/api-server-rest-basic.yml' - 'Cargo.toml' + - 'Cargo.lock' pull_request: paths: - 'api-server-rest/**' - '.github/workflows/api-server-rest-basic.yml' - 'Cargo.toml' + - 'Cargo.lock' create: workflow_dispatch: @@ -30,7 +32,7 @@ jobs: - stable steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/cdh_basic.yml b/.github/workflows/cdh_basic.yml new file mode 100644 index 000000000..1271d8f57 --- /dev/null +++ b/.github/workflows/cdh_basic.yml @@ -0,0 +1,80 @@ +name: confidential-data-hub basic build and unit tests + +on: + push: + branches: + - "main" + paths: + - 'confidential-data-hub/**' + - '.github/workflows/cdh_basic.yml' + - 'Cargo.toml' + - 'Cargo.lock' + pull_request: + paths: + - 'confidential-data-hub/**' + - '.github/workflows/cdh_basic.yml' + - 'Cargo.toml' + - 'Cargo.lock' + create: + workflow_dispatch: + +jobs: + basic_ci: + name: Check + defaults: + run: + working-directory: ./confidential-data-hub + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + rust: + - stable + steps: + - name: Code checkout + uses: actions/checkout@v4 + with: + fetch-depth: 1 + + - name: Install Rust toolchain (${{ matrix.rust }}) + uses: actions-rs/toolchain@v1 + with: + profile: minimal + toolchain: ${{ matrix.rust }} + override: true + components: rustfmt, clippy + + - name: Install protoc + run: | + sudo apt-get update && sudo apt-get install -y protobuf-compiler + + - name: Build and install + run: | + make && make install + + - name: Musl build + run: | + make LIBC=musl + + - name: s390x build + run: + make ARCH=s390x + + - name: Run cargo test + uses: actions-rs/cargo@v1 + with: + command: test + args: --features kbs,aliyun,sev,bin -p kms -p confidential-data-hub -p secret -p image + + - name: Run cargo fmt check + uses: actions-rs/cargo@v1 + with: + command: fmt + args: -p kms -p confidential-data-hub -p secret -p image -- --check + + - name: Run rust lint check + uses: actions-rs/cargo@v1 + with: + command: clippy + # We are getting error in generated code due to derive_partial_eq_without_eq check, so ignore it for now + args: -p kms -p confidential-data-hub -p secret -p image -- -D warnings -A clippy::derive-partial-eq-without-eq diff --git a/.github/workflows/image_rs_build.yml b/.github/workflows/image_rs_build.yml index c82e2dec8..305851cc8 100644 --- a/.github/workflows/image_rs_build.yml +++ b/.github/workflows/image_rs_build.yml @@ -6,10 +6,14 @@ on: paths: - 'image-rs/**' - '.github/workflows/image_rs_build.yml' + - 'Cargo.toml' + - 'Cargo.lock' pull_request: paths: - 'image-rs/**' - '.github/workflows/image_rs_build.yml' + - 'Cargo.toml' + - 'Cargo.lock' create: workflow_dispatch: @@ -29,7 +33,7 @@ jobs: - nightly steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index f1a29d26e..295890bcc 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Restore lychee cache uses: actions/cache@v3 diff --git a/.github/workflows/ocicrypt_rs_build.yml b/.github/workflows/ocicrypt_rs_build.yml index 57919b921..3e3272f0c 100644 --- a/.github/workflows/ocicrypt_rs_build.yml +++ b/.github/workflows/ocicrypt_rs_build.yml @@ -6,10 +6,14 @@ on: paths: - 'ocicrypt-rs/**' - '.github/workflows/ocicrypt_rs_build.yml' + - 'Cargo.toml' + - 'Cargo.lock' pull_request: paths: - 'ocicrypt-rs/**' - '.github/workflows/ocicrypt_rs_build.yml' + - 'Cargo.toml' + - 'Cargo.lock' create: workflow_dispatch: @@ -33,7 +37,7 @@ jobs: steps: - name: Code checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 1 - name: Update cargo home diff --git a/Cargo.lock b/Cargo.lock index e78ea89b0..baab4771f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -36,13 +36,14 @@ dependencies = [ "cfg-if", "cipher", "cpufeatures", + "zeroize", ] [[package]] name = "aes-gcm" -version = "0.10.2" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "209b47e8954a928e1d72e86eca7000ebb6655fe1436d33eefc2201cad027e237" +checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1" dependencies = [ "aead", "aes", @@ -54,9 +55,9 @@ dependencies = [ [[package]] name = "aho-corasick" -version = "1.0.5" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c378d78423fdad8089616f827526ee33c19f2fddbd5de1629152c9593ba4783" +checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" dependencies = [ "memchr", ] @@ -102,26 +103,26 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b84bf0a05bbb2a83e5eb6fa36bb6e87baa08193c35ff52bbf6b38d8af2890e46" +checksum = "7079075b41f533b8c61d2a4d073c4676e1f8b249ff94a393b0595db304e0dd87" [[package]] name = "anstyle-parse" -version = "0.2.1" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "938874ff5980b03a87c5524b3ae5b59cf99b1d6bc836848df7bc5ada9643c333" +checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.0.0" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b" +checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648" dependencies = [ - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -149,7 +150,7 @@ dependencies = [ "clap 4.2.7", "form_urlencoded", "hyper", - "protobuf 3.2.0", + "protobuf 3.3.0", "serde_json", "tokio", "ttrpc", @@ -196,9 +197,9 @@ dependencies = [ [[package]] name = "async-compression" -version = "0.4.3" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bb42b2197bf15ccb092b62c74515dbd8b86d0effd934795f6687c93b6e679a2c" +checksum = "bc2d0cfb2a7388d34f590e76686704c494ed7aaceed62ee1ba35cbf363abc2a5" dependencies = [ "flate2", "futures-core", @@ -206,19 +207,19 @@ dependencies = [ "memchr", "pin-project-lite", "tokio", - "zstd 0.12.4", - "zstd-safe 6.0.6", + "zstd 0.13.0", + "zstd-safe 7.0.0", ] [[package]] name = "async-trait" -version = "0.1.73" +version = "0.1.74" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc00ceb34980c03614e35a3a4e218276a0a824e911d07651cd0d858a51e8c0f0" +checksum = "a66537f1bb974b254c98ed142ff995236e81b9d0fe4db0575f46612cb15eb0f9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -228,15 +229,15 @@ dependencies = [ "anyhow", "async-trait", "attestation_agent", - "base64 0.21.4", + "base64 0.21.5", "cfg-if", "clap 4.2.7", "const_format", - "env_logger 0.10.0", + "env_logger 0.10.1", "lazy_static", "log", "prost 0.11.9", - "protobuf 3.2.0", + "protobuf 3.3.0", "serde", "serde_json", "tokio", @@ -261,7 +262,7 @@ dependencies = [ "serde_json", "strum", "tokio", - "toml 0.8.1", + "toml 0.8.8", "tonic", ] @@ -272,7 +273,7 @@ dependencies = [ "anyhow", "async-trait", "az-snp-vtpm", - "base64 0.21.4", + "base64 0.21.5", "codicon", "csv-rs", "hyper", @@ -352,22 +353,38 @@ dependencies = [ ] [[package]] -name = "az-snp-vtpm" -version = "0.2.3" -source = "git+https://github.com/kinvolk/azure-cvm-tooling?rev=2c2e411#2c2e411dfb6f64fb4ffa4443213c5777de7af30d" +name = "az-cvm-vtpm" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6239da1e7629eabf1ee6bf5e7dd78b532c029e2fc477afe846db201c67325233" dependencies = [ "bincode", - "clap 4.2.7", "jsonwebkey", - "memoffset 0.8.0", + "memoffset 0.9.0", + "openssl", "rsa 0.8.2", "serde", + "serde-big-array", "serde_json", "sev 1.2.1", - "sha2 0.10.7", - "static_assertions", + "sha2 0.10.8", "thiserror", "tss-esapi", + "zerocopy", +] + +[[package]] +name = "az-snp-vtpm" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a26f68465245c4571f5f4a47c5b76bab5cb394f53a3eaa5827a9a794e6556e8d" +dependencies = [ + "az-cvm-vtpm", + "bincode", + "clap 4.2.7", + "serde", + "sev 1.2.1", + "thiserror", "ureq", ] @@ -386,12 +403,6 @@ dependencies = [ "rustc-demangle", ] -[[package]] -name = "base16ct" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "349a06037c7bf932dd7e7d1f653678b2038b9ad46a74102f1fc7bd7872678cce" - [[package]] name = "base16ct" version = "0.2.0" @@ -406,9 +417,9 @@ checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8" [[package]] name = "base64" -version = "0.21.4" +version = "0.21.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2" +checksum = "35636a1494ede3b646cc98f74f8e62c773a38a659ebc777a2cf26b9b74171df9" [[package]] name = "base64-serde" @@ -416,7 +427,7 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ba368df5de76a5bea49aaf0cf1b39ccfbbef176924d1ba5db3e4135216cbe3c7" dependencies = [ - "base64 0.21.4", + "base64 0.21.5", "serde", ] @@ -505,6 +516,12 @@ version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" +[[package]] +name = "bitfield" +version = "0.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d7e60934ceec538daadb9d8432424ed043a904d8e0243f3c6446bce549a46ac" + [[package]] name = "bitflags" version = "1.3.2" @@ -513,22 +530,21 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.0" +version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635" +checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07" [[package]] name = "blake3" -version = "1.4.1" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "199c42ab6972d92c9f8995f086273d25c42fc0f7b2a1fcefba465c1352d25ba5" +checksum = "0231f06152bf547e9c2b5194f247cd97aacf6dcd8b15d8e5ec0663f64580da87" dependencies = [ "arrayref", "arrayvec", "cc", "cfg-if", "constant_time_eq", - "digest 0.10.7", ] [[package]] @@ -576,14 +592,24 @@ checksum = "ed2f2e73fffe9455141e170fb9c1feb0ac521ec7e7dcd47a7cab72a658490fb8" dependencies = [ "chrono", "serde", - "serde_with", + "serde_with 1.14.0", +] + +[[package]] +name = "bstr" +version = "1.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "542f33a8835a0884b006a0c3df3dadd99c0c3f296ed26c2fdc8028e01ad6230c" +dependencies = [ + "memchr", + "serde", ] [[package]] name = "buffered-reader" -version = "1.2.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66d3bea5bcc3ecc38fe5388e6bc35e6fe7bd665eb3ae9a44283e15b91ad3867d" +checksum = "2b9b0a25eb06e83579bc985d836e1e3b957a7201301b48538764d2b2e78090d4" dependencies = [ "bzip2", "flate2", @@ -593,15 +619,15 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.13.0" +version = "3.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a3e2c3daef883ecc1b5d58c15adae93470a91d425f3532ba1695849656af3fc1" +checksum = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec" [[package]] name = "byteorder" -version = "1.4.3" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" @@ -630,6 +656,16 @@ dependencies = [ "pkg-config", ] +[[package]] +name = "camellia" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3264e2574e9ef2b53ce6f536dea83a69ac0bc600b762d1523ff83fe07230ce30" +dependencies = [ + "byteorder", + "cipher", +] + [[package]] name = "caps" version = "0.5.5" @@ -700,9 +736,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chrono" -version = "0.4.30" +version = "0.4.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "defd4e7873dbddba6c7c91e199c7fcb946abc4a6a4ac3195400bcfb01b5de877" +checksum = "7f2c685bad3eb3d45a01354cedb7d5faa66194d1d58ba6e267a8de788f79db38" dependencies = [ "android-tzdata", "iana-time-zone", @@ -783,7 +819,7 @@ dependencies = [ "heck 0.4.1", "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -814,13 +850,13 @@ dependencies = [ [[package]] name = "coarsetime" -version = "0.1.23" +version = "0.1.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a90d114103adbc625300f346d4d09dfb4ab1c4a8df6868435dd903392ecf4354" +checksum = "71367d3385c716342014ad17e3d19f7788ae514885a1f4c24f500260fb365e1a" dependencies = [ "libc", "once_cell", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", "wasm-bindgen", ] @@ -830,10 +866,10 @@ version = "0.1.0" dependencies = [ "aes-gcm", "anyhow", - "base64 0.21.4", + "base64 0.21.5", "clap 4.2.7", "ctr", - "env_logger 0.10.0", + "env_logger 0.10.1", "futures", "jwt-simple", "log", @@ -879,15 +915,18 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", - "base64 0.21.4", + "base64 0.21.5", "clap 4.2.7", + "image", "kms", "lazy_static", "log", - "protobuf 3.2.0", + "protobuf 3.3.0", "secret", + "serde", "serde_json", "sev 0.1.0", + "storage", "thiserror", "tokio", "ttrpc", @@ -896,15 +935,9 @@ dependencies = [ [[package]] name = "const-oid" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3" - -[[package]] -name = "const-oid" -version = "0.9.5" +version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28c122c3980598d243d63d9a704629a2d748d101f278052ff068be5a4423ab6f" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" [[package]] name = "const_fn" @@ -914,18 +947,18 @@ checksum = "fbdcdcb6d86f71c5e97409ad45898af11cbc995b4ee8112d59095a28d376c935" [[package]] name = "const_format" -version = "0.2.31" +version = "0.2.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c990efc7a285731f9a4378d81aff2f0e85a2c8781a05ef0f8baa8dac54d0ff48" +checksum = "e3a214c7af3d04997541b18d432afaff4c455e79e2029079647e72fc2bd27673" dependencies = [ "const_format_proc_macros", ] [[package]] name = "const_format_proc_macros" -version = "0.2.31" +version = "0.2.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e026b6ce194a874cb9cf32cd5772d1ef9767cc8fcb5765948d74f37a9d8b2bf6" +checksum = "c7f6ff08fd20f4f299298a28e2dfa8a8ba1036e6cd2460ac1de7b425d76f2500" dependencies = [ "proc-macro2", "quote", @@ -968,9 +1001,9 @@ dependencies = [ [[package]] name = "core-foundation" -version = "0.9.3" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" dependencies = [ "core-foundation-sys", "libc", @@ -978,15 +1011,15 @@ dependencies = [ [[package]] name = "core-foundation-sys" -version = "0.8.4" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e496a50fda8aacccc86d7529e2c1e0892dbd0f898a6b5645b5561b89c3210efa" +checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f" [[package]] name = "cpufeatures" -version = "0.2.9" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1" +checksum = "ce420fe07aecd3e67c5f910618fe65e94158f6dcc0adf44e00d69ce2bdfe0fd0" dependencies = [ "libc", ] @@ -1016,9 +1049,9 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.8" +version = "0.5.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a33c2bf77f2df06183c3aa30d1e96c0695a313d4f9c453cc3762a6db39f99200" +checksum = "14c3242926edf34aec4ac3a77108ad4854bffaa2e4ddc1824124ce59231302d5" dependencies = [ "cfg-if", "crossbeam-utils", @@ -1026,9 +1059,9 @@ dependencies = [ [[package]] name = "crossbeam-deque" -version = "0.8.3" +version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce6fd6f855243022dcecf8702fef0c297d4338e226845fe067f6341ad9fa0cef" +checksum = "fca89a0e215bab21874660c67903c5f143333cab1da83d041c7ded6053774751" dependencies = [ "cfg-if", "crossbeam-epoch", @@ -1037,22 +1070,21 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.15" +version = "0.9.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae211234986c545741a7dc064309f67ee1e5ad243d0e48335adc0484d960bcc7" +checksum = "2d2fe95351b870527a5d09bf563ed3c97c0cffb87cf1c78a591bf48bb218d9aa" dependencies = [ "autocfg", "cfg-if", "crossbeam-utils", "memoffset 0.9.0", - "scopeguard", ] [[package]] name = "crossbeam-queue" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1cfb3ea8a53f37c40dea2c7bedcbd88bdfae54f5e2175d6ecaff1c988353add" +checksum = "b9bcf5bdbfdd6030fb4a1c497b5d5fc5921aa2f60d359a17e249c0e6df3de153" dependencies = [ "cfg-if", "crossbeam-utils", @@ -1060,9 +1092,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.16" +version = "0.8.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a22b2d63d4d1dc0b7f1b6b2747dd0088008a9be28b6ddf0b1e7d335e3037294" +checksum = "c06d96137f14f244c37f989d9fff8f95e6c18b918e71f36638f8c49112e4c78f" dependencies = [ "cfg-if", ] @@ -1079,75 +1111,79 @@ version = "0.1.0" dependencies = [ "aes-gcm", "anyhow", - "base64 0.21.4", + "base64 0.21.5", "ctr", "kbs-types", "openssl", "rand 0.8.5", - "rsa 0.9.2", + "rsa 0.9.6", "rstest", "serde", "serde_json", - "sha2 0.10.7", + "sha2 0.10.8", "strum", "zeroize", ] [[package]] name = "crypto-bigint" -version = "0.3.2" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03c6a1d5fa1de37e071642dfa44ec552ca5b299adb128fab16138e24b548fd21" +checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76" dependencies = [ "generic-array", + "rand_core 0.6.4", "subtle", + "zeroize", ] [[package]] -name = "crypto-bigint" -version = "0.4.9" +name = "crypto-common" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef2b4b23cddf68b89b8f8069890e8c270d54e2d5fe1b143820234805e4cb17ef" +checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" dependencies = [ "generic-array", "rand_core 0.6.4", - "subtle", - "zeroize", + "typenum", ] [[package]] -name = "crypto-bigint" -version = "0.5.3" +name = "crypto-mac" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "740fe28e594155f10cfc383984cbefd529d7396050557148f79cb0f621204124" +checksum = "58bcd97a54c7ca5ce2f6eb16f6bede5b0ab5f0055fedc17d2f0b4466e21671ca" dependencies = [ "generic-array", - "rand_core 0.6.4", "subtle", - "zeroize", ] [[package]] -name = "crypto-common" -version = "0.1.6" +name = "crypto_secretbox" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +checksum = "b9d6cf87adf719ddf43a805e92c6870a531aedda35ff640442cbaf8674e141e1" dependencies = [ + "aead", + "cipher", "generic-array", - "rand_core 0.6.4", - "typenum", + "poly1305", + "salsa20", + "subtle", + "zeroize", ] [[package]] name = "csv-rs" version = "0.1.0" -source = "git+https://gitee.com/anolis/csv-rs?rev=05fbacd#05fbacd8ffff3d48bb19319da1c9a84b763d9302" +source = "git+https://gitee.com/anolis/csv-rs?rev=9d8882e#9d8882e005ab0f64f4e3802a37aebfc61bc4fe32" dependencies = [ - "bitfield", + "bitfield 0.13.2", "codicon", "hyper", "hyper-tls", "iocuddle", + "libc", "openssl", "openssl-sys", "rand 0.8.5", @@ -1174,43 +1210,30 @@ dependencies = [ [[package]] name = "curve25519-dalek" -version = "3.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b9fdf9972b2bd6af2d913799d9ebc165ea4d2e65878e329d9c6b372c4491b61" -dependencies = [ - "byteorder", - "digest 0.9.0", - "rand_core 0.5.1", - "subtle", - "zeroize", -] - -[[package]] -name = "curve25519-dalek" -version = "4.0.0-rc.1" +version = "4.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d4ba9852b42210c7538b75484f9daa0655e9a3ac04f693747bb0f02cf3cfe16" +checksum = "e89b8c6a2e4b1f45971ad09761aafb85514a84744b67a95e32c3cc1352d1f65c" dependencies = [ "cfg-if", + "cpufeatures", + "curve25519-dalek-derive", "digest 0.10.7", "fiat-crypto", - "packed_simd_2", "platforms", + "rustc_version 0.4.0", "subtle", "zeroize", ] [[package]] -name = "curve25519-dalek-ng" -version = "4.1.1" +name = "curve25519-dalek-derive" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c359b7249347e46fb28804470d071c921156ad62b3eef5d34e2ba867533dec8" +checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ - "byteorder", - "digest 0.9.0", - "rand_core 0.6.4", - "subtle-ng", - "zeroize", + "proc-macro2", + "quote", + "syn 2.0.41", ] [[package]] @@ -1233,6 +1256,16 @@ dependencies = [ "darling_macro 0.14.4", ] +[[package]] +name = "darling" +version = "0.20.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0209d94da627ab5605dcccf08bb18afa5009cfbef48d8a8b7d7bdbc79be25c5e" +dependencies = [ + "darling_core 0.20.3", + "darling_macro 0.20.3", +] + [[package]] name = "darling_core" version = "0.13.4" @@ -1261,6 +1294,20 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "darling_core" +version = "0.20.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "177e3443818124b357d8e76f53be906d60937f0d3a90773a664fa63fa253e621" +dependencies = [ + "fnv", + "ident_case", + "proc-macro2", + "quote", + "strsim 0.10.0", + "syn 2.0.41", +] + [[package]] name = "darling_macro" version = "0.13.4" @@ -1283,6 +1330,17 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "darling_macro" +version = "0.20.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "836a9bbc7ad63342d6d6e7b815ccab164bc77a2d95d84bc3117a8c0d5c98e2d5" +dependencies = [ + "darling_core 0.20.3", + "quote", + "syn 2.0.41", +] + [[package]] name = "dashmap" version = "5.5.3" @@ -1290,7 +1348,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856" dependencies = [ "cfg-if", - "hashbrown 0.14.0", + "hashbrown 0.14.3", "lock_api", "once_cell", "parking_lot_core", @@ -1305,26 +1363,13 @@ dependencies = [ "generic-array", ] -[[package]] -name = "der" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c" -dependencies = [ - "const-oid 0.7.1", - "crypto-bigint 0.3.2", - "pem-rfc7468 0.3.1", -] - [[package]] name = "der" version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de" dependencies = [ - "const-oid 0.9.5", - "der_derive", - "flagset", + "const-oid", "pem-rfc7468 0.6.0", "zeroize", ] @@ -1335,29 +1380,31 @@ version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c" dependencies = [ - "const-oid 0.9.5", + "const-oid", + "der_derive", + "flagset", "pem-rfc7468 0.7.0", "zeroize", ] [[package]] name = "der_derive" -version = "0.6.1" +version = "0.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ef71ddb5b3a1f53dee24817c8f70dfa1cb29e804c18d88c228d4bc9c86ee3b9" +checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049" dependencies = [ - "proc-macro-error", "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.41", ] [[package]] name = "deranged" -version = "0.3.8" +version = "0.3.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2696e8a945f658fd14dc3b87242e6b80cd0f36ff04ea560fa39082368847946" +checksum = "8eb30d70a07a3b04884d2677f06bec33509dc67ca60d92949e5535352d3191dc" dependencies = [ + "powerfmt", "serde", ] @@ -1420,13 +1467,13 @@ checksum = "75a9fd602a98d192f7662a1f4c4cf6920a1b454c3a9e724f6490cf8e30910114" dependencies = [ "bitflags 1.3.2", "devicemapper-sys", - "env_logger 0.10.0", + "env_logger 0.10.1", "lazy_static", "log", "nix 0.26.4", "rand 0.8.5", "retry", - "semver 1.0.18", + "semver 1.0.20", "serde", ] @@ -1462,7 +1509,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ "block-buffer 0.10.4", - "const-oid 0.9.5", + "const-oid", "crypto-common", "subtle", ] @@ -1520,11 +1567,33 @@ dependencies = [ "winapi", ] +[[package]] +name = "doc-comment" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10" + +[[package]] +name = "dsa" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d88afbb2443ba68ef8593de497e830b2e276434e1408f85cd760b1107b44ead0" +dependencies = [ + "digest 0.10.7", + "num-bigint-dig", + "num-traits", + "pkcs8 0.10.2", + "rfc6979", + "sha2 0.10.8", + "signature 2.2.0", + "zeroize", +] + [[package]] name = "dyn-clone" -version = "1.0.13" +version = "1.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbfc4744c1b8f2a09adc0e55242f60b1af195d88596bd8700be74418c056c555" +checksum = "545b22097d44f8a9581187cdf93de7a71e4722bf51200cfaba810865b49a495d" [[package]] name = "eax" @@ -1550,47 +1619,26 @@ dependencies = [ [[package]] name = "ecdsa" -version = "0.15.1" +version = "0.16.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12844141594ad74185a926d030f3b605f6a903b4e3fec351f3ea338ac5b7637e" -dependencies = [ - "der 0.6.1", - "elliptic-curve 0.12.3", - "rfc6979 0.3.1", - "signature 2.0.0", -] - -[[package]] -name = "ecdsa" -version = "0.16.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4b1e0c257a9e9f25f90ff76d7a68360ed497ee519c8e428d1825ef0000799d4" +checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca" dependencies = [ "der 0.7.8", "digest 0.10.7", - "elliptic-curve 0.13.5", - "rfc6979 0.4.0", - "signature 2.0.0", - "spki 0.7.2", -] - -[[package]] -name = "ed25519" -version = "1.5.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91cff35c70bba8a626e3185d8cd48cc11b5437e1a5bcd15b9b5fa3c64b6dfee7" -dependencies = [ - "signature 1.6.4", + "elliptic-curve", + "rfc6979", + "signature 2.2.0", + "spki 0.7.3", ] [[package]] name = "ed25519" -version = "2.1.0" +version = "2.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3cf420a7ec85d98495b0c34aa4a58ca117f982ffbece111aeb545160148d7010" +checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" dependencies = [ - "pkcs8 0.9.0", - "signature 2.0.0", + "pkcs8 0.10.2", + "signature 2.2.0", ] [[package]] @@ -1600,34 +1648,41 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a3d382e8464107391c8706b4c14b087808ecb909f6c15c34114bc42e53a9e4c" dependencies = [ "ct-codecs", - "getrandom 0.2.10", + "getrandom", ] [[package]] name = "ed25519-dalek" -version = "1.0.1" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c762bae6dcaf24c4c84667b8579785430908723d5c889f469d76a41d59cc7a9d" +checksum = "1f628eaec48bfd21b865dc2950cfa014450c01d2fa2b69a86c2fd5844ec523c0" dependencies = [ - "curve25519-dalek 3.2.0", - "ed25519 1.5.3", - "rand 0.7.3", - "sha2 0.9.9", + "curve25519-dalek", + "ed25519", + "rand_core 0.6.4", + "serde", + "sha2 0.10.8", + "subtle", "zeroize", ] [[package]] -name = "ed25519-dalek" -version = "2.0.0-pre.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7bd577ba9d4bcab443cac60003d8fd32c638e7024a3ec92c200d7af5d2c397ed" +name = "ehsm_client" +version = "0.1.0" +source = "git+https://github.com/intel/ehsm?rev=f84688688e724dfd080c1dc491db3e58415cc5b7#f84688688e724dfd080c1dc491db3e58415cc5b7" dependencies = [ - "curve25519-dalek 4.0.0-rc.1", - "ed25519 2.1.0", - "rand_core 0.6.4", + "anyhow", + "async-trait", + "base64 0.13.1", + "hmac 0.9.0", + "rand 0.3.23", + "reqwest", "serde", - "sha2 0.10.7", - "zeroize", + "serde_derive", + "serde_json", + "sha2 0.9.9", + "tokio", + "url", ] [[package]] @@ -1638,43 +1693,21 @@ checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" [[package]] name = "elliptic-curve" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7bb888ab5300a19b8e5bceef25ac745ad065f3c9f7efc6de1b91958110891d3" -dependencies = [ - "base16ct 0.1.1", - "crypto-bigint 0.4.9", - "der 0.6.1", - "digest 0.10.7", - "ff 0.12.1", - "generic-array", - "group 0.12.1", - "hkdf", - "pem-rfc7468 0.6.0", - "pkcs8 0.9.0", - "rand_core 0.6.4", - "sec1 0.3.0", - "subtle", - "zeroize", -] - -[[package]] -name = "elliptic-curve" -version = "0.13.5" +version = "0.13.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "968405c8fdc9b3bf4df0a6638858cc0b52462836ab6b1c87377785dd09cf1c0b" +checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47" dependencies = [ - "base16ct 0.2.0", - "crypto-bigint 0.5.3", + "base16ct", + "crypto-bigint", "digest 0.10.7", - "ff 0.13.0", + "ff", "generic-array", - "group 0.13.0", + "group", "hkdf", "pem-rfc7468 0.7.0", "pkcs8 0.10.2", "rand_core 0.6.4", - "sec1 0.7.3", + "sec1", "subtle", "zeroize", ] @@ -1699,22 +1732,22 @@ dependencies = [ [[package]] name = "enumflags2" -version = "0.7.7" +version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c041f5090df68b32bcd905365fd51769c8b9d553fe87fde0b683534f10c01bd2" +checksum = "5998b4f30320c9d93aed72f63af821bfdac50465b75428fce77b48ec482c3939" dependencies = [ "enumflags2_derive", ] [[package]] name = "enumflags2_derive" -version = "0.7.7" +version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e9a1f9f7d83e59740248a6e14ecf93929ade55027844dfcea78beafccc15745" +checksum = "f95e2801cd355d4a1a3e3953ce6ee5ae9603a5c833455343a8bfe3f44d418246" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -1732,9 +1765,9 @@ dependencies = [ [[package]] name = "env_logger" -version = "0.10.0" +version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "85cdab6a89accf66733ad5a1693a4dcced6aeff64602b634530dd73c1f3ee9f0" +checksum = "95b3f3e67048839cb0d0781f445682a35113da7121f7c949db0e2be96a4fbece" dependencies = [ "humantime", "is-terminal", @@ -1762,13 +1795,12 @@ dependencies = [ [[package]] name = "errno" -version = "0.3.3" +version = "0.3.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "136526188508e25c6fef639d7927dfb3e0e3084488bf202267829cf7fc23dbdd" +checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" dependencies = [ - "errno-dragonfly", "libc", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -1783,19 +1815,9 @@ dependencies = [ [[package]] name = "fastrand" -version = "2.0.0" +version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6999dc1837253364c2ebb0704ba97994bd874e8f195d665c50b7548f6ea92764" - -[[package]] -name = "ff" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d013fc25338cc558c5c2cfbad646908fb23591e2404481826742b651c9af7160" -dependencies = [ - "rand_core 0.6.4", - "subtle", -] +checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" [[package]] name = "ff" @@ -1809,20 +1831,20 @@ dependencies = [ [[package]] name = "fiat-crypto" -version = "0.1.20" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e825f6987101665dea6ec934c09ec6d721de7bc1bf92248e1d5810c8cd636b77" +checksum = "27573eac26f4dd11e2b1916c3fe1baa56407c83c71a773a8ba17ec0bca03b6b7" [[package]] name = "filetime" -version = "0.2.22" +version = "0.2.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4029edd3e734da6fe05b6cd7bd2960760a616bd2ddd0d59a0124746d6272af0" +checksum = "1ee447700ac8aa0b2f2bd7bc4462ad686ba06baa6727ac149a2d6277f0d240fd" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.3.5", - "windows-sys 0.48.0", + "redox_syscall", + "windows-sys 0.52.0", ] [[package]] @@ -1845,9 +1867,9 @@ checksum = "d52a7e408202050813e6f1d9addadcaafef3dca7530c7ddfb005d4081cce6779" [[package]] name = "flate2" -version = "1.0.27" +version = "1.0.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c6c98ee8095e9d1dcbf2fcc6d95acccb90d1c81db1e44725c6a984b1dbdfb010" +checksum = "46303f565772937ffe1d394a4fac6f411c6013172fadde9dcdb1e147a086940e" dependencies = [ "crc32fast", "libz-sys", @@ -1887,7 +1909,7 @@ checksum = "1a5c6c585bc94aaf2c7b51dd4c2ba22680844aba4c687be581871a6f518c5742" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -1904,9 +1926,9 @@ checksum = "aa9a19cbb55df58761df49b23516a86d432839add4af60fc256da840f66ed35b" [[package]] name = "form_urlencoded" -version = "1.2.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a62bc1cf6f830c2ec14a513a9fb124d0a213a629668a4186f329db21fe045652" +checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" dependencies = [ "percent-encoding", ] @@ -1917,6 +1939,12 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" +[[package]] +name = "fuchsia-cprng" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba" + [[package]] name = "fuse-backend-rs" version = "0.10.5" @@ -1938,9 +1966,9 @@ dependencies = [ [[package]] name = "futures" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23342abe12aba583913b2e62f22225ff9c950774065e4bfb61a19cd9770fec40" +checksum = "da0290714b38af9b4a7b094b8a37086d1b4e61f2df9122c3cad2577669145335" dependencies = [ "futures-channel", "futures-core", @@ -1953,9 +1981,9 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "955518d47e09b25bbebc7a18df10b81f0c766eaf4c4f1cccef2fca5f2a4fb5f2" +checksum = "ff4dd66668b557604244583e3e1e1eada8c5c2e96a6d0d6653ede395b78bbacb" dependencies = [ "futures-core", "futures-sink", @@ -1963,15 +1991,15 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c" +checksum = "eb1d22c66e66d9d72e1758f0bd7d4fd0bee04cad842ee34587d68c07e45d088c" [[package]] name = "futures-executor" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ccecee823288125bd88b4d7f565c9e58e41858e47ab72e8ea2d64e93624386e0" +checksum = "0f4fb8693db0cf099eadcca0efe2a5a22e4550f98ed16aba6c48700da29597bc" dependencies = [ "futures-core", "futures-task", @@ -1980,32 +2008,32 @@ dependencies = [ [[package]] name = "futures-io" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fff74096e71ed47f8e023204cfd0aa1289cd54ae5430a9523be060cdb849964" +checksum = "8bf34a163b5c4c52d0478a4d757da8fb65cabef42ba90515efee0f6f9fa45aaa" [[package]] name = "futures-macro" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72" +checksum = "53b153fd91e4b0147f4aced87be237c98248656bb01050b96bf3ee89220a8ddb" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] name = "futures-sink" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f43be4fe21a13b9781a69afa4985b0f6ee0e1afab2c6f454a8cf30e2b2237b6e" +checksum = "e36d3378ee38c2a36ad710c5d30c2911d752cb941c00c72dbabfb786a7970817" [[package]] name = "futures-task" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76d3d132be6c0e6aa1534069c705a74a5997a356c0dc2f86a47765e5617c5b65" +checksum = "efd193069b0ddadc69c46389b740bbccdd97203899b48d09c5f7969591d6bae2" [[package]] name = "futures-timer" @@ -2015,9 +2043,9 @@ checksum = "e64b03909df88034c26dc1547e8970b91f98bdb65165d6a4e9110d94263dbb2c" [[package]] name = "futures-util" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533" +checksum = "a19526d624e703a3179b3d322efec918b6246ea0fa51d41124525f00f1cc8104" dependencies = [ "futures-channel", "futures-core", @@ -2044,27 +2072,14 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.1.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce" -dependencies = [ - "cfg-if", - "js-sys", - "libc", - "wasi 0.9.0+wasi-snapshot-preview1", - "wasm-bindgen", -] - -[[package]] -name = "getrandom" -version = "0.2.10" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be4136b2a15dd319360be1c07d9933517ccf0be8f16bf62a3bee4f0d618df427" +checksum = "fe9006bed769170c11f845cf00c7c1e9092aeb3f268e007c3e760ac68008070f" dependencies = [ "cfg-if", "js-sys", "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", "wasm-bindgen", ] @@ -2092,9 +2107,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.28.0" +version = "0.28.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6fb8d784f27acf97159b40fc4db5ecd8aa23b9ad5ef69cdd136d3bc80665f0c0" +checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253" [[package]] name = "git2" @@ -2116,14 +2131,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" [[package]] -name = "group" -version = "0.12.1" +name = "globset" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5dfbfb3a6cfbd390d5c9564ab283a0349b9b9fcd46a706c1eb10e0db70bfbac7" +checksum = "57da3b9b5b85bd66f31093f8c408b90a74431672542466497dcbdfdc02034be1" dependencies = [ - "ff 0.12.1", - "rand_core 0.6.4", - "subtle", + "aho-corasick", + "bstr", + "log", + "regex-automata", + "regex-syntax 0.8.2", ] [[package]] @@ -2132,16 +2149,16 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63" dependencies = [ - "ff 0.13.0", + "ff", "rand_core 0.6.4", "subtle", ] [[package]] name = "h2" -version = "0.3.21" +version = "0.3.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91fc23aa11be92976ef4729127f1a74adf36d8436f7816b185d18df956790833" +checksum = "4d6250322ef6e60f93f9a2162799302cd6f68f79f6e5d85c8c16f14d1d958178" dependencies = [ "bytes", "fnv", @@ -2149,7 +2166,7 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap 1.9.3", + "indexmap 2.1.0", "slab", "tokio", "tokio-util", @@ -2164,9 +2181,9 @@ checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" [[package]] name = "hashbrown" -version = "0.14.0" +version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c6201b9ff9fd90a5a3bac2e56a830d0caa509576f0e503818ee82c181b3437a" +checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" [[package]] name = "heck" @@ -2194,9 +2211,9 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.3.2" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "443144c8cdadd93ebf52ddb4056d257f5b52c04d3c804e657d19eb73fc33668b" +checksum = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7" [[package]] name = "hex" @@ -2206,11 +2223,21 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] name = "hkdf" -version = "0.12.3" +version = "0.12.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7" +dependencies = [ + "hmac 0.12.1", +] + +[[package]] +name = "hmac" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437" +checksum = "deae6d9dbb35ec2c502d62b8f7b1c000a0822c3b0794ba36b3149c0a1c840dff" dependencies = [ - "hmac", + "crypto-mac", + "digest 0.9.0", ] [[package]] @@ -2263,9 +2290,9 @@ checksum = "f558a64ac9af88b5ba400d99b579451af0d39c6d360980045b91aac966d705e2" [[package]] name = "http" -version = "0.2.9" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd6effc99afb63425aff9b05836f029929e345a6148a14b7ecd5ab67af944482" +checksum = "8947b1a6fad4393052c7ba1f4cd97bed3e953a95c79c92ad9b051a04611d9fbb" dependencies = [ "bytes", "fnv", @@ -2283,9 +2310,9 @@ dependencies = [ [[package]] name = "http-body" -version = "0.4.5" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1" +checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2" dependencies = [ "bytes", "http", @@ -2327,7 +2354,7 @@ dependencies = [ "httpdate", "itoa", "pin-project-lite", - "socket2 0.4.9", + "socket2 0.4.10", "tokio", "tower-service", "tracing", @@ -2336,9 +2363,9 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.24.1" +version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d78e1e73ec14cf7375674f74d7dde185c8206fd9dea6fb6295e8a98098aaa97" +checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ "futures-util", "http", @@ -2375,16 +2402,16 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.57" +version = "0.1.58" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2fad5b825842d2b38bd206f3e81d6957625fd7f0a361e345c30e01a0ae2dd613" +checksum = "8326b86b6cff230b97d0d312a6c40a60726df3332e721f72a1b035f451663b20" dependencies = [ "android_system_properties", "core-foundation-sys", "iana-time-zone-haiku", "js-sys", "wasm-bindgen", - "windows", + "windows-core", ] [[package]] @@ -2442,6 +2469,31 @@ dependencies = [ "unicode-normalization", ] +[[package]] +name = "idna" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" +dependencies = [ + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "image" +version = "0.1.0" +dependencies = [ + "assert-json-diff", + "base64 0.21.5", + "crypto", + "kms", + "resource_uri", + "rstest", + "serde", + "serde_json", + "thiserror", +] + [[package]] name = "image-rs" version = "0.1.0" @@ -2450,7 +2502,7 @@ dependencies = [ "async-compression", "async-trait", "attestation_agent", - "base64 0.21.4", + "base64 0.21.5", "cfg-if", "devicemapper", "dircpy", @@ -2472,7 +2524,7 @@ dependencies = [ "ocicrypt-rs", "openssl", "prost 0.11.9", - "protobuf 3.2.0", + "protobuf 3.3.0", "reqwest", "rstest", "sequoia-openpgp", @@ -2480,7 +2532,7 @@ dependencies = [ "serde_json", "serde_yaml", "serial_test 2.0.0", - "sha2 0.10.7", + "sha2 0.10.8", "sigstore", "strum", "strum_macros", @@ -2488,6 +2540,7 @@ dependencies = [ "tempfile", "test-utils", "tokio", + "tokio-util", "tonic", "tonic-build", "ttrpc", @@ -2505,16 +2558,17 @@ checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" dependencies = [ "autocfg", "hashbrown 0.12.3", + "serde", ] [[package]] name = "indexmap" -version = "2.0.0" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5477fe2230a79769d8dc68e0eabf5437907c0457a5614a9e8dddb67f65eb65d" +checksum = "d530e1a18b1cb4c484e6e34556a0d948706958449fca0cab753d649f2bce3d1f" dependencies = [ "equivalent", - "hashbrown 0.14.0", + "hashbrown 0.14.3", "serde", ] @@ -2546,9 +2600,9 @@ checksum = "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" [[package]] name = "ipnet" -version = "2.8.0" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28b29a3cd74f0f4598934efe3aeba42bae0eb4680554128851ebbecb02af14e6" +checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3" [[package]] name = "is-terminal" @@ -2556,7 +2610,7 @@ version = "0.4.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b" dependencies = [ - "hermit-abi 0.3.2", + "hermit-abi 0.3.3", "rustix", "windows-sys 0.48.0", ] @@ -2578,9 +2632,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" +checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" [[package]] name = "jni" @@ -2606,21 +2660,21 @@ checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" [[package]] name = "jobserver" -version = "0.1.26" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "936cfd212a0155903bcbc060e316fb6cc7cbf2e1907329391ebadc1fe0ce77c2" +checksum = "8c37f63953c4c63420ed5fd3d6d398c719489b9f872b9fa683262f8edd363c7d" dependencies = [ "libc", ] [[package]] name = "josekit" -version = "0.8.3" +version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33a96c4f2128a6f44ecf7c36df2b03dddf5a07b060a4d5ebc0a81e9821f7c60e" +checksum = "5754487a088f527b1407df470db8e654e4064dccbbe1fe850e0773721e9962b7" dependencies = [ "anyhow", - "base64 0.21.4", + "base64 0.21.5", "flate2", "once_cell", "openssl", @@ -2633,9 +2687,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.64" +version = "0.3.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c5f195fe497f702db0f318b07fdd68edb16955aed830df8363d837542f8f935a" +checksum = "cee9c64da59eae3b50095c18d3e74f8b73c0b86d2792824ff01bbce68ba229ca" dependencies = [ "wasm-bindgen", ] @@ -2676,17 +2730,17 @@ dependencies = [ "base64 0.13.1", "crypto-common", "digest 0.10.7", - "hmac", + "hmac 0.12.1", "serde", "serde_json", - "sha2 0.10.7", + "sha2 0.10.8", ] [[package]] name = "jwt-simple" -version = "0.11.6" +version = "0.11.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "733741e7bcd1532b56c9ba6c698c069f274f3782ad956f0d2c7f31650cedaa1b" +checksum = "357892bb32159d763abdea50733fadcb9a8e1c319a9aa77592db8555d05af83e" dependencies = [ "anyhow", "binstring", @@ -2697,8 +2751,8 @@ dependencies = [ "hmac-sha256", "hmac-sha512", "k256", - "p256 0.13.2", - "p384 0.13.0", + "p256", + "p384", "rand 0.8.5", "rsa 0.7.2", "serde", @@ -2710,16 +2764,16 @@ dependencies = [ [[package]] name = "k256" -version = "0.13.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cadb76004ed8e97623117f3df85b17aaa6626ab0b0831e6573f104df16cd1bcc" +checksum = "3f01b677d82ef7a676aa37e099defd83a28e15687112cafdd112d60236b6115b" dependencies = [ "cfg-if", - "ecdsa 0.16.8", - "elliptic-curve 0.13.5", + "ecdsa", + "elliptic-curve", "once_cell", - "sha2 0.10.7", - "signature 2.0.0", + "sha2 0.10.8", + "signature 2.2.0", ] [[package]] @@ -2728,7 +2782,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", - "base64 0.21.4", + "base64 0.21.5", "bincode", "crypto", "foreign-types 0.5.0", @@ -2751,8 +2805,9 @@ dependencies = [ [[package]] name = "kbs-types" -version = "0.4.0" -source = "git+https://github.com/virtee/kbs-types?rev=c90df0e#c90df0eb6575a63df015d7e700e26227e646bd0a" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "40d90e19846fb37e6025740825dd10f65320d3e56f8e957b4bba021b85bc79d6" dependencies = [ "serde", "serde_json", @@ -2765,19 +2820,19 @@ dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.21.4", + "base64 0.21.5", "crypto", "jwt-simple", "kbs-types", "log", - "protobuf 3.2.0", + "protobuf 3.3.0", "reqwest", "resource_uri", "rstest", "serde", "serde_json", "serial_test 1.0.0", - "sha2 0.10.7", + "sha2 0.10.8", "tempfile", "testcontainers", "thiserror", @@ -2788,26 +2843,18 @@ dependencies = [ "zeroize", ] -[[package]] -name = "keccak" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f6d5ed8676d904364de097082f4e7d240b571b67989ced0240f08b7f966f940" -dependencies = [ - "cpufeatures", -] - [[package]] name = "kms" version = "0.1.0" dependencies = [ "anyhow", "async-trait", - "base64 0.21.4", + "base64 0.21.5", "bincode", "chrono", "const_format", "crypto", + "ehsm_client", "hex", "kbs_protocol", "lazy_static", @@ -2821,11 +2868,11 @@ dependencies = [ "serde", "serde_json", "sev 0.1.0", - "sha2 0.10.7", + "sha2 0.10.8", "strum", "thiserror", "tokio", - "toml 0.8.1", + "toml 0.8.8", "tonic", "tonic-build", "uuid", @@ -2855,9 +2902,9 @@ dependencies = [ [[package]] name = "lalrpop" -version = "0.19.12" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a1cbf952127589f2851ab2046af368fd20645491bb4b376f04b7f94d7a9837b" +checksum = "da4081d44f4611b66c6dd725e6de3169f9f63905421e8626fcb86b6a898998b8" dependencies = [ "ascii-canvas", "bit-set", @@ -2868,7 +2915,7 @@ dependencies = [ "lalrpop-util", "petgraph 0.6.4", "regex", - "regex-syntax 0.6.29", + "regex-syntax 0.7.5", "string_cache", "term", "tiny-keccak", @@ -2877,9 +2924,9 @@ dependencies = [ [[package]] name = "lalrpop-util" -version = "0.19.12" +version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3c48237b9604c5a4702de6b824e02006c3214327564636aef27c1028a8fa0ed" +checksum = "3f35c735096c0293d313e8f2a641627472b83d01b937177fe76e5e2708d31e0d" [[package]] name = "lazy_static" @@ -2887,7 +2934,7 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" dependencies = [ - "spin", + "spin 0.5.2", ] [[package]] @@ -2898,9 +2945,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.147" +version = "0.2.151" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3" +checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4" [[package]] name = "libgit2-sys" @@ -2926,15 +2973,20 @@ dependencies = [ [[package]] name = "libm" -version = "0.1.4" +version = "0.2.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fc7aa29613bd6a620df431842069224d8bc9011086b1db4c0e0cd47fa03ec9a" +checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058" [[package]] -name = "libm" -version = "0.2.7" +name = "libredox" +version = "0.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f7012b1bbb0719e1097c47611d3898568c546d597c2e74d66f6087edd5233ff4" +checksum = "85c833ca1e66078851dba29046874e38f08b2c883700aa29a03ddd3b23814ee8" +dependencies = [ + "bitflags 2.4.1", + "libc", + "redox_syscall", +] [[package]] name = "libz-sys" @@ -2951,15 +3003,15 @@ dependencies = [ [[package]] name = "linux-raw-sys" -version = "0.4.7" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a9bad9f94746442c783ca431b22403b519cd7fbeed0533fdd6328b2f2212128" +checksum = "c4cd1a83af159aa67994778be9070f0ae1bd732942279cabb14f86f986a21456" [[package]] name = "lock_api" -version = "0.4.10" +version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1cc9717a20b1bb222f333e6a92fd32f7d8a18ddc5a3191a11af45dcbf4dcd16" +checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45" dependencies = [ "autocfg", "scopeguard", @@ -3018,9 +3070,9 @@ checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" [[package]] name = "matchit" -version = "0.7.2" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed1202b2a6f884ae56f04cff409ab315c5ce26b5e58d7412e484f01fd52f52ef" +checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" [[package]] name = "mbox" @@ -3035,18 +3087,19 @@ dependencies = [ [[package]] name = "md-5" -version = "0.10.5" +version = "0.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6365506850d44bff6e2fbcb5176cf63650e48bd45ef2fe2665ae1570e0f4b9ca" +checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf" dependencies = [ + "cfg-if", "digest 0.10.7", ] [[package]] name = "memchr" -version = "2.6.3" +version = "2.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f232d6ef707e1956a43342693d2a31e72989554d58299d7a88738cc95b0d35c" +checksum = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167" [[package]] name = "memoffset" @@ -3066,15 +3119,6 @@ dependencies = [ "autocfg", ] -[[package]] -name = "memoffset" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d61c719bcfbcf5d62b3a09efa6088de8c54bc0bfcd3ea7ae39fcc186108b8de1" -dependencies = [ - "autocfg", -] - [[package]] name = "memoffset" version = "0.9.0" @@ -3113,13 +3157,13 @@ dependencies = [ [[package]] name = "mio" -version = "0.8.8" +version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "927a765cd3fc26206e66b296465fa9d3e5ab003e651c1b3c060e7956d96b19d2" +checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09" dependencies = [ "libc", "log", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", "windows-sys 0.48.0", ] @@ -3213,25 +3257,24 @@ checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151" dependencies = [ "byteorder", "lazy_static", - "libm 0.2.7", + "libm", "num-integer", "num-iter", "num-traits", "rand 0.8.5", - "serde", "smallvec", "zeroize", ] [[package]] name = "num-derive" -version = "0.3.3" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "876a53fff98e03a936a674b29568b0e605f06b29372c2489ff4de23f1949743d" +checksum = "cfb77679af88f8b125209d354a202862602672222e7f2313fdd6dc349bad4712" dependencies = [ "proc-macro2", "quote", - "syn 1.0.109", + "syn 2.0.41", ] [[package]] @@ -3257,12 +3300,12 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f30b0abd723be7e2ffca1272140fac1a2f084c77ec3e123c192b66af1ee9e6c2" +checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" dependencies = [ "autocfg", - "libm 0.2.7", + "libm", ] [[package]] @@ -3271,7 +3314,7 @@ version = "1.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" dependencies = [ - "hermit-abi 0.3.2", + "hermit-abi 0.3.3", "libc", ] @@ -3350,7 +3393,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4023f15303dbbda47797d07e9acd2045862ce82c7e28cd66f70b09bda5584cbb" dependencies = [ "arc-swap", - "base64 0.21.4", + "base64 0.21.5", "bitflags 1.3.2", "fuse-backend-rs", "hex", @@ -3389,7 +3432,7 @@ dependencies = [ "openssl", "serde", "serde_json", - "sha2 0.10.7", + "sha2 0.10.8", "tokio", "zstd 0.11.2+zstd.1.5.2", ] @@ -3424,11 +3467,12 @@ dependencies = [ [[package]] name = "oci-distribution" -version = "0.9.4" -source = "git+https://github.com/krustlet/oci-distribution.git?rev=f44124c#f44124c3c0875821d0b84a6632bf70b6d6eaf9ef" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a635cabf7a6eb4e5f13e9e82bd9503b7c2461bf277132e38638a935ebd684b4" dependencies = [ + "bytes", "chrono", - "futures", "futures-util", "http", "http-auth", @@ -3439,19 +3483,18 @@ dependencies = [ "reqwest", "serde", "serde_json", - "sha2 0.10.7", + "sha2 0.10.8", "thiserror", "tokio", - "tokio-util", "tracing", "unicase", ] [[package]] name = "oci-spec" -version = "0.6.2" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9421b067205c68dc80af7c68599a9c1eb113f975aafeb874cea7f4d5d41ce3fb" +checksum = "8384f8eff13954bafafba991f1910779020456f9694de25e81a13da5b7de6309" dependencies = [ "derive_builder", "getset", @@ -3469,22 +3512,22 @@ dependencies = [ "anyhow", "async-trait", "attestation_agent", - "base64 0.21.4", + "base64 0.21.5", "base64-serde", "cfg-if", "ctr", - "hmac", + "hmac 0.12.1", "josekit", "kbc", "lazy_static", "openssl", "pin-project-lite", "prost 0.11.9", - "protobuf 3.2.0", - "ring", + "protobuf 3.3.0", + "ring 0.16.20", "serde", "serde_json", - "sha2 0.10.7", + "sha2 0.10.8", "tokio", "tonic", "tonic-build", @@ -3514,9 +3557,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.18.0" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "opaque-debug" @@ -3526,11 +3569,11 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openssl" -version = "0.10.57" +version = "0.10.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bac25ee399abb46215765b1cb35bc0212377e58a061560d8b29b024fd0430e7c" +checksum = "6b8419dc8cc6d866deb801274bba2e6f8f6108c1bb7fcc10ee5ab864931dbb45" dependencies = [ - "bitflags 2.4.0", + "bitflags 2.4.1", "cfg-if", "foreign-types 0.3.2", "libc", @@ -3547,7 +3590,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -3558,18 +3601,18 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-src" -version = "300.1.3+3.1.2" +version = "300.1.6+3.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd2c101a165fff9935e34def4669595ab1c7847943c42be86e21503e482be107" +checksum = "439fac53e092cd7442a3660c85dde4643ab3b5bd39040912388dcdabf6b88085" dependencies = [ "cc", ] [[package]] name = "openssl-sys" -version = "0.9.93" +version = "0.9.97" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db4d56a4c0478783083cfafcc42493dd4a981d41669da64b4572a2a089b51b1d" +checksum = "c3eaad34cdd97d81de97964fc7f29e2d104f483840d906ef56daa1912338460b" dependencies = [ "cc", "libc", @@ -3593,48 +3636,24 @@ dependencies = [ "cbc", "cipher", "des", - "getrandom 0.2.10", - "hmac", + "getrandom", + "hmac 0.12.1", "lazy_static", "rc2", "sha1", "yasna 0.5.2", ] -[[package]] -name = "p256" -version = "0.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49c124b3cbce43bcbac68c58ec181d98ed6cc7e6d0aa7c3ba97b2563410b0e55" -dependencies = [ - "ecdsa 0.15.1", - "elliptic-curve 0.12.3", - "primeorder 0.12.1", - "sha2 0.10.7", -] - [[package]] name = "p256" version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b" dependencies = [ - "ecdsa 0.16.8", - "elliptic-curve 0.13.5", - "primeorder 0.13.2", - "sha2 0.10.7", -] - -[[package]] -name = "p384" -version = "0.12.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "630a4a9b2618348ececfae61a4905f564b817063bf2d66cdfc2ced523fe1d2d4" -dependencies = [ - "ecdsa 0.15.1", - "elliptic-curve 0.12.3", - "primeorder 0.12.1", - "sha2 0.10.7", + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2 0.10.8", ] [[package]] @@ -3643,20 +3662,10 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209" dependencies = [ - "ecdsa 0.16.8", - "elliptic-curve 0.13.5", - "primeorder 0.13.2", - "sha2 0.10.7", -] - -[[package]] -name = "packed_simd_2" -version = "0.3.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1914cd452d8fccd6f9db48147b29fd4ae05bea9dc5d9ad578509f72415de282" -dependencies = [ - "cfg-if", - "libm 0.1.4", + "ecdsa", + "elliptic-curve", + "primeorder", + "sha2 0.10.8", ] [[package]] @@ -3671,28 +3680,46 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.8" +version = "0.9.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93f00c865fe7cabf650081affecd3871070f26767e7b2070a3ffae14c654b447" +checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.3.5", + "redox_syscall", "smallvec", "windows-targets 0.48.5", ] [[package]] name = "password-hash" -version = "0.4.2" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7676374caaee8a325c9e7a2ae557f216c5563a171d6997b0ef8a65af35147700" +checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166" dependencies = [ "base64ct", "rand_core 0.6.4", "subtle", ] +[[package]] +name = "path-absolutize" +version = "3.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e4af381fe79fa195b4909485d99f73a80792331df0625188e707854f0b3383f5" +dependencies = [ + "path-dedot", +] + +[[package]] +name = "path-dedot" +version = "3.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07ba0ad7e047712414213ff67533e6dd477af0a4e1d14fb52343e53d30ea9397" +dependencies = [ + "once_cell", +] + [[package]] name = "pbkdf2" version = "0.11.0" @@ -3702,6 +3729,16 @@ dependencies = [ "digest 0.10.7", ] +[[package]] +name = "pbkdf2" +version = "0.12.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" +dependencies = [ + "digest 0.10.7", + "hmac 0.12.1", +] + [[package]] name = "peeking_take_while" version = "0.1.2" @@ -3718,12 +3755,13 @@ dependencies = [ ] [[package]] -name = "pem-rfc7468" -version = "0.3.1" +name = "pem" +version = "3.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01de5d978f34aa4b2296576379fcc416034702fd94117c56ffd8a1a767cefb30" +checksum = "1b8fcc794035347fb64beda2d3b462595dd2753e3f268d89c5aae77e8cf2c310" dependencies = [ - "base64ct", + "base64 0.21.5", + "serde", ] [[package]] @@ -3746,15 +3784,15 @@ dependencies = [ [[package]] name = "percent-encoding" -version = "2.3.0" +version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94" +checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" [[package]] name = "pest" -version = "2.7.3" +version = "2.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7a4d085fd991ac8d5b05a147b437791b4260b76326baf0fc60cf7c9c27ecd33" +checksum = "ae9cee2a55a544be8b89dc6848072af97a20f2422603c10865be2a42b580fff5" dependencies = [ "memchr", "thiserror", @@ -3778,7 +3816,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" dependencies = [ "fixedbitset 0.4.2", - "indexmap 2.0.0", + "indexmap 2.1.0", ] [[package]] @@ -3790,54 +3828,6 @@ dependencies = [ "siphasher", ] -[[package]] -name = "picky" -version = "7.0.0-rc.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72ac7d98dfb5e53cdea76b70df8d5e8dd7717a2d685a12f54c547e03b5afd76a" -dependencies = [ - "base64 0.13.1", - "digest 0.10.7", - "md-5", - "num-bigint-dig", - "oid", - "p256 0.12.0", - "p384 0.12.0", - "picky-asn1 0.7.2", - "picky-asn1-der 0.4.1", - "picky-asn1-x509 0.9.0", - "rand 0.8.5", - "rsa 0.6.1", - "serde", - "sha-1", - "sha2 0.10.7", - "sha3", - "thiserror", -] - -[[package]] -name = "picky-asn1" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "889bbb26c80acf919e89980dfc8e04eb19df272d8a9893ec9b748d3a1675abde" -dependencies = [ - "oid", - "serde", - "serde_bytes", -] - -[[package]] -name = "picky-asn1" -version = "0.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f338f1fd4f3e13e75e986ca29f2a3c62528d88d3cbadf4afdcefb6b087f2d32" -dependencies = [ - "oid", - "serde", - "serde_bytes", - "zeroize", -] - [[package]] name = "picky-asn1" version = "0.8.0" @@ -3849,54 +3839,28 @@ dependencies = [ "serde_bytes", ] -[[package]] -name = "picky-asn1-der" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acbbd5390ab967396cc7473e6e0848684aec7166e657c6088604e07b54a73dbe" -dependencies = [ - "picky-asn1 0.3.3", - "serde", - "serde_bytes", -] - [[package]] name = "picky-asn1-der" version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5df7873a9e36d42dadb393bea5e211fe83d793c172afad5fb4ec846ec582793f" dependencies = [ - "picky-asn1 0.8.0", + "picky-asn1", "serde", "serde_bytes", ] [[package]] name = "picky-asn1-x509" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3033675030de806aba1d5470949701b7c9f1dbf77e3bb17bd12e5f945e560ba" -dependencies = [ - "base64 0.13.1", - "oid", - "picky-asn1 0.3.3", - "picky-asn1-der 0.2.5", - "serde", -] - -[[package]] -name = "picky-asn1-x509" -version = "0.9.0" +version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdb51541f90aa99f2fa7191c8daebc224d500cd5963c6ca3e6cede9645a1b2e1" +checksum = "2c5f20f71a68499ff32310f418a6fad8816eac1a2859ed3f0c5c741389dd6208" dependencies = [ - "base64 0.13.1", - "num-bigint-dig", + "base64 0.21.5", "oid", - "picky-asn1 0.7.2", - "picky-asn1-der 0.4.1", + "picky-asn1", + "picky-asn1-der", "serde", - "zeroize", ] [[package]] @@ -3916,7 +3880,7 @@ checksum = "4359fd9c9171ec6e8c62926d6faaf553a8dc3f64e1507e76da7911b4f6a04405" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -3931,17 +3895,6 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" -[[package]] -name = "pkcs1" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a78f66c04ccc83dd4486fd46c33896f4e17b24a7a3a6400dedc48ed0ddd72320" -dependencies = [ - "der 0.5.1", - "pkcs8 0.8.0", - "zeroize", -] - [[package]] name = "pkcs1" version = "0.4.1" @@ -3962,7 +3915,7 @@ checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" dependencies = [ "der 0.7.8", "pkcs8 0.10.2", - "spki 0.7.2", + "spki 0.7.3", ] [[package]] @@ -3974,22 +3927,26 @@ dependencies = [ "aes", "cbc", "der 0.6.1", - "hmac", - "pbkdf2", - "scrypt", - "sha2 0.10.7", + "hmac 0.12.1", + "pbkdf2 0.11.0", + "scrypt 0.10.0", + "sha2 0.10.8", "spki 0.6.0", ] [[package]] -name = "pkcs8" -version = "0.8.0" +name = "pkcs5" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7cabda3fb821068a9a4fab19a683eac3af12edf0f34b94a8be53c4972b8149d0" +checksum = "e847e2c91a18bfa887dd028ec33f2fe6f25db77db3619024764914affe8b69a6" dependencies = [ - "der 0.5.1", - "spki 0.5.4", - "zeroize", + "aes", + "cbc", + "der 0.7.8", + "pbkdf2 0.12.2", + "scrypt 0.11.0", + "sha2 0.10.8", + "spki 0.7.3", ] [[package]] @@ -3999,7 +3956,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba" dependencies = [ "der 0.6.1", - "pkcs5", + "pkcs5 0.5.0", "rand_core 0.6.4", "spki 0.6.0", ] @@ -4011,7 +3968,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ "der 0.7.8", - "spki 0.7.2", + "pkcs5 0.7.1", + "rand_core 0.6.4", + "spki 0.7.3", ] [[package]] @@ -4022,9 +3981,9 @@ checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964" [[package]] name = "platforms" -version = "3.1.2" +version = "3.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4503fa043bf02cee09a9582e9554b4c6403b2ef55e4612e96561d294419429f8" +checksum = "14e6ab3f592e6fb464fc9712d8d6e6912de6473954635fd76a589d832cffcbb0" [[package]] name = "poly1305" @@ -4049,6 +4008,12 @@ dependencies = [ "universal-hash", ] +[[package]] +name = "powerfmt" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" + [[package]] name = "ppv-lite86" version = "0.2.17" @@ -4073,20 +4038,11 @@ dependencies = [ [[package]] name = "primeorder" -version = "0.12.1" +version = "0.13.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b54f7131b3dba65a2f414cf5bd25b66d4682e4608610668eae785750ba4c5b2" +checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6" dependencies = [ - "elliptic-curve 0.12.3", -] - -[[package]] -name = "primeorder" -version = "0.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c2fcef82c0ec6eefcc179b978446c399b3cdf73c392c35604e399eee6df1ee3" -dependencies = [ - "elliptic-curve 0.13.5", + "elliptic-curve", ] [[package]] @@ -4115,9 +4071,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.66" +version = "1.0.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" +checksum = "39278fbbf5fb4f646ce651690877f89d1c5811a3d4acb27700c1cb3cdb78fd3b" dependencies = [ "unicode-ident", ] @@ -4235,9 +4191,9 @@ checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94" [[package]] name = "protobuf" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b55bad9126f378a853655831eb7363b7b01b81d19f8cb1218861086ca4a1a61e" +checksum = "b65f4a8ec18723a734e5dc09c173e0abf9690432da5340285d536edcb4dac190" dependencies = [ "once_cell", "protobuf-support", @@ -4255,13 +4211,13 @@ dependencies = [ [[package]] name = "protobuf-codegen" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0dd418ac3c91caa4032d37cb80ff0d44e2ebe637b2fb243b6234bf89cdac4901" +checksum = "6e85514a216b1c73111d9032e26cc7a5ecb1bb3d4d9539e91fb72a4395060f78" dependencies = [ "anyhow", "once_cell", - "protobuf 3.2.0", + "protobuf 3.3.0", "protobuf-parse", "regex", "tempfile", @@ -4270,14 +4226,14 @@ dependencies = [ [[package]] name = "protobuf-parse" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d39b14605eaa1f6a340aec7f320b34064feb26c93aec35d6a9a2272a8ddfa49" +checksum = "77d6fbd6697c9e531873e81cec565a85e226b99a0f10e1acc079be057fe2fcba" dependencies = [ "anyhow", "indexmap 1.9.3", "log", - "protobuf 3.2.0", + "protobuf 3.3.0", "protobuf-support", "tempfile", "thiserror", @@ -4286,9 +4242,9 @@ dependencies = [ [[package]] name = "protobuf-support" -version = "3.2.0" +version = "3.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a5d4d7b8601c814cfb36bcebb79f0e61e45e1e93640cf778837833bbed05c372" +checksum = "6872f4d4f4b98303239a2b5838f5bbbb77b01ffc892d627957f37a22d7cfe69c" dependencies = [ "thiserror", ] @@ -4320,36 +4276,36 @@ dependencies = [ [[package]] name = "rand" -version = "0.7.3" +version = "0.3.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03" +checksum = "64ac302d8f83c0c1974bf758f6b041c6c8ada916fbb44a609158ca8b064cc76c" dependencies = [ - "getrandom 0.1.16", "libc", - "rand_chacha 0.2.2", - "rand_core 0.5.1", - "rand_hc", + "rand 0.4.6", ] [[package]] name = "rand" -version = "0.8.5" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293" dependencies = [ + "fuchsia-cprng", "libc", - "rand_chacha 0.3.1", - "rand_core 0.6.4", + "rand_core 0.3.1", + "rdrand", + "winapi", ] [[package]] -name = "rand_chacha" -version = "0.2.2" +name = "rand" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402" +checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ - "ppv-lite86", - "rand_core 0.5.1", + "libc", + "rand_chacha", + "rand_core 0.6.4", ] [[package]] @@ -4364,29 +4320,26 @@ dependencies = [ [[package]] name = "rand_core" -version = "0.5.1" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19" +checksum = "7a6fdeb83b075e8266dcc8762c22776f6877a63111121f5f8c7411e5be7eed4b" dependencies = [ - "getrandom 0.1.16", + "rand_core 0.4.2", ] [[package]] name = "rand_core" -version = "0.6.4" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" -dependencies = [ - "getrandom 0.2.10", -] +checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc" [[package]] -name = "rand_hc" -version = "0.2.0" +name = "rand_core" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c" +checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "rand_core 0.5.1", + "getrandom", ] [[package]] @@ -4397,9 +4350,9 @@ checksum = "f2ff9a1f06a88b01621b7ae906ef0211290d1c8a168a15542486a8f61c0833b9" [[package]] name = "rayon" -version = "1.7.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d2df5196e37bcc87abebc0053e20787d73847bb33134a69841207dd0a47f03b" +checksum = "9c27db03db7734835b3f53954b534c91069375ce6ccaa2e065441e07d9b6cdb1" dependencies = [ "either", "rayon-core", @@ -4407,14 +4360,12 @@ dependencies = [ [[package]] name = "rayon-core" -version = "1.11.0" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b8f95bd6966f5c87776639160a66bd8ab9895d9d4ab01ddba9fc60661aebe8d" +checksum = "5ce3fb6ad83f861aac485e76e1985cd109d9a3713802152be56c3b1f0e0658ed" dependencies = [ - "crossbeam-channel", "crossbeam-deque", "crossbeam-utils", - "num_cpus", ] [[package]] @@ -4427,76 +4378,76 @@ dependencies = [ ] [[package]] -name = "redox_syscall" -version = "0.2.16" +name = "rdrand" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a" +checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2" dependencies = [ - "bitflags 1.3.2", + "rand_core 0.3.1", ] [[package]] name = "redox_syscall" -version = "0.3.5" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" dependencies = [ "bitflags 1.3.2", ] [[package]] name = "redox_users" -version = "0.4.3" +version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b" +checksum = "a18479200779601e498ada4e8c1e1f50e3ee19deb0259c25825a98b5603b2cb4" dependencies = [ - "getrandom 0.2.10", - "redox_syscall 0.2.16", + "getrandom", + "libredox", "thiserror", ] [[package]] name = "regex" -version = "1.9.5" +version = "1.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "697061221ea1b4a94a624f67d0ae2bfe4e22b8a17b6a192afb11046542cc8c47" +checksum = "380b951a9c5e80ddfd6136919eef32310721aa4aacd4889a8d39124b026ab343" dependencies = [ "aho-corasick", "memchr", "regex-automata", - "regex-syntax 0.7.5", + "regex-syntax 0.8.2", ] [[package]] name = "regex-automata" -version = "0.3.8" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2f401f4955220693b56f8ec66ee9c78abffd8d1c4f23dc41a23839eb88f0795" +checksum = "5f804c7828047e88b2d32e2d7fe5a105da8ee3264f01902f796c8e067dc2483f" dependencies = [ "aho-corasick", "memchr", - "regex-syntax 0.7.5", + "regex-syntax 0.8.2", ] [[package]] name = "regex-syntax" -version = "0.6.29" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" +checksum = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da" [[package]] name = "regex-syntax" -version = "0.7.5" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da" +checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" [[package]] name = "reqwest" -version = "0.11.20" +version = "0.11.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e9ad3fe7488d7e34558a2033d45a0c90b72d97b4f80705666fea71472e2e6a1" +checksum = "046cd98826c46c2ac8ddecae268eb5c2e58628688a5fc7a2643704a73faba95b" dependencies = [ - "base64 0.21.4", + "base64 0.21.5", "bytes", "cookie", "cookie_store", @@ -4522,6 +4473,7 @@ dependencies = [ "serde", "serde_json", "serde_urlencoded", + "system-configuration", "tokio", "tokio-native-tls", "tokio-rustls", @@ -4555,24 +4507,13 @@ dependencies = [ "rand 0.8.5", ] -[[package]] -name = "rfc6979" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7743f17af12fa0b03b803ba12cd6a8d9483a587e89c69445e3909655c0b9fabb" -dependencies = [ - "crypto-bigint 0.4.9", - "hmac", - "zeroize", -] - [[package]] name = "rfc6979" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2" dependencies = [ - "hmac", + "hmac 0.12.1", "subtle", ] @@ -4585,39 +4526,33 @@ dependencies = [ "cc", "libc", "once_cell", - "spin", - "untrusted", + "spin 0.5.2", + "untrusted 0.7.1", "web-sys", "winapi", ] [[package]] -name = "ripemd" -version = "0.1.3" +name = "ring" +version = "0.17.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd124222d17ad93a644ed9d011a40f4fb64aa54275c08cc216524a9ea82fb09f" +checksum = "688c63d65483050968b2a8937f7995f443e27041a0f7700aa59b0822aedebb74" dependencies = [ - "digest 0.10.7", + "cc", + "getrandom", + "libc", + "spin 0.9.8", + "untrusted 0.9.0", + "windows-sys 0.48.0", ] [[package]] -name = "rsa" -version = "0.6.1" +name = "ripemd" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4cf22754c49613d2b3b119f0e5d46e34a2c628a937e3024b8762de4e7d8c710b" +checksum = "bd124222d17ad93a644ed9d011a40f4fb64aa54275c08cc216524a9ea82fb09f" dependencies = [ - "byteorder", "digest 0.10.7", - "num-bigint-dig", - "num-integer", - "num-iter", - "num-traits", - "pkcs1 0.3.3", - "pkcs8 0.8.0", - "rand_core 0.6.4", - "smallvec", - "subtle", - "zeroize", ] [[package]] @@ -4656,30 +4591,28 @@ dependencies = [ "pkcs1 0.4.1", "pkcs8 0.9.0", "rand_core 0.6.4", - "sha2 0.10.7", - "signature 2.0.0", + "sha2 0.10.8", + "signature 2.2.0", "subtle", "zeroize", ] [[package]] name = "rsa" -version = "0.9.2" +version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ab43bb47d23c1a631b4b680199a45255dce26fa9ab2fa902581f624ff13e6a8" +checksum = "5d0e5124fcb30e76a7e79bfee683a2746db83784b86289f6251b54b7950a0dfc" dependencies = [ - "byteorder", - "const-oid 0.9.5", + "const-oid", "digest 0.10.7", "num-bigint-dig", "num-integer", - "num-iter", "num-traits", "pkcs1 0.7.5", "pkcs8 0.10.2", "rand_core 0.6.4", - "signature 2.0.0", - "spki 0.7.2", + "signature 2.2.0", + "spki 0.7.3", "subtle", "zeroize", ] @@ -4756,51 +4689,68 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" dependencies = [ - "semver 1.0.18", + "semver 1.0.20", ] [[package]] name = "rustix" -version = "0.38.13" +version = "0.38.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7db8590df6dfcd144d22afd1b83b36c21a18d7cbc1dc4bb5295a8712e9eb662" +checksum = "72e572a5e8ca657d7366229cdde4bd14c4eb5499a9573d4d366fe1b599daa316" dependencies = [ - "bitflags 2.4.0", - "errno 0.3.3", + "bitflags 2.4.1", + "errno 0.3.8", "libc", "linux-raw-sys", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] name = "rustls" -version = "0.21.7" +version = "0.21.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd8d6c9f025a446bc4d18ad9632e69aec8f287aa84499ee335599fabd20c3fd8" +checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", - "ring", - "rustls-webpki", + "ring 0.17.7", + "rustls-webpki 0.101.7", "sct", ] [[package]] name = "rustls-pemfile" -version = "1.0.3" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +dependencies = [ + "base64 0.21.5", +] + +[[package]] +name = "rustls-pki-types" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" + +[[package]] +name = "rustls-webpki" +version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d3987094b1d07b653b7dfdc3f70ce9a1da9c51ac18c1b06b662e4f9a0e9f4b2" +checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "base64 0.21.4", + "ring 0.17.7", + "untrusted 0.9.0", ] [[package]] name = "rustls-webpki" -version = "0.101.5" +version = "0.102.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45a27e3b59326c16e23d30aeb7a36a24cc0d29e71d68ff611cdfb4a01d013bed" +checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89" dependencies = [ - "ring", - "untrusted", + "ring 0.17.7", + "rustls-pki-types", + "untrusted 0.9.0", ] [[package]] @@ -4811,9 +4761,9 @@ checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" [[package]] name = "ryu" -version = "1.0.15" +version = "1.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" +checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" [[package]] name = "salsa20" @@ -4860,35 +4810,32 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9f9e24d2b632954ded8ab2ef9fea0a0c769ea56ea98bddbafbad22caeeadf45d" dependencies = [ - "hmac", - "password-hash", - "pbkdf2", + "hmac 0.12.1", + "pbkdf2 0.11.0", "salsa20", - "sha2 0.10.7", + "sha2 0.10.8", ] [[package]] -name = "sct" -version = "0.7.0" +name = "scrypt" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" dependencies = [ - "ring", - "untrusted", + "password-hash", + "pbkdf2 0.12.2", + "salsa20", + "sha2 0.10.8", ] [[package]] -name = "sec1" -version = "0.3.0" +name = "sct" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3be24c1842290c45df0a7bf069e0c268a747ad05a192f2fd7dcfdbc1cba40928" +checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "base16ct 0.1.1", - "der 0.6.1", - "generic-array", - "pkcs8 0.9.0", - "subtle", - "zeroize", + "ring 0.17.7", + "untrusted 0.9.0", ] [[package]] @@ -4897,7 +4844,7 @@ version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc" dependencies = [ - "base16ct 0.2.0", + "base16ct", "der 0.7.8", "generic-array", "pkcs8 0.10.2", @@ -4911,7 +4858,7 @@ version = "0.1.0" dependencies = [ "assert-json-diff", "async-trait", - "base64 0.21.4", + "base64 0.21.5", "clap 4.2.7", "crypto", "kms", @@ -4959,9 +4906,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.18" +version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0293b4b29daaf487284529cc2f5675b8e57c61f70167ba415a463651fd6a918" +checksum = "836fa6a3e1e547f9a2c4040802ec865b5d85f4014efe00555d7090a3dcaa1090" [[package]] name = "semver-parser" @@ -4974,34 +4921,36 @@ dependencies = [ [[package]] name = "sequoia-openpgp" -version = "1.16.0" +version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30efff3f9930e85b4284e76bbdad741f36412dfb1e370efd0de5866ae1a11dfc" +checksum = "2ea026cf8a70d331c742e3ad7e68fd405d0743ff86630fb4334a1bf8d0e194c7" dependencies = [ "aes", + "aes-gcm", "anyhow", - "base64 0.21.4", + "base64 0.21.5", "block-padding", "blowfish", "buffered-reader", "bzip2", + "camellia", "cast5", "cfb-mode", "chrono", "cipher", "des", "digest 0.10.7", + "dsa", "dyn-clone", "eax", "ecb", - "ecdsa 0.16.8", - "ed25519 1.5.3", - "ed25519-dalek 1.0.1", + "ecdsa", + "ed25519", + "ed25519-dalek", "flate2", - "generic-array", - "getrandom 0.2.10", + "getrandom", "idea", - "idna 0.3.0", + "idna 0.4.0", "lalrpop", "lalrpop-util", "lazy_static", @@ -5010,29 +4959,27 @@ dependencies = [ "memsec", "num-bigint-dig", "once_cell", - "p256 0.13.2", - "rand 0.7.3", + "p256", "rand 0.8.5", "rand_core 0.6.4", "regex", - "regex-syntax 0.6.29", + "regex-syntax 0.8.2", "ripemd", - "rsa 0.9.2", - "sha-1", + "rsa 0.9.6", "sha1collisiondetection", - "sha2 0.10.7", + "sha2 0.10.8", "thiserror", "twofish", "typenum", - "x25519-dalek-ng", + "x25519-dalek", "xxhash-rust", ] [[package]] name = "serde" -version = "1.0.188" +version = "1.0.193" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf9e0fcba69a370eed61bcf2b728575f726b50b55cba78064753d708ddc7549e" +checksum = "25dd9975e68d0cb5aa1120c288333fc98731bd1dd12f561e468ea4728c042b89" dependencies = [ "serde_derive", ] @@ -5057,32 +5004,52 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.188" +version = "1.0.193" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4eca7ac642d82aa35b60049a6eccb4be6be75e599bd2e9adb5f875a737654af2" +checksum = "43576ca501357b9b071ac53cdc7da8ef0cbd9493d8df094cd821777ea6e894d3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] name = "serde_json" -version = "1.0.106" +version = "1.0.108" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2cc66a619ed80bf7a0f6b17dd063a84b88f6dea1813737cf469aef1d081142c2" +checksum = "3d1c7e3eac408d115102c4c24ad393e0821bb3a5df4d506a80f85f7a742a526b" dependencies = [ - "indexmap 2.0.0", + "indexmap 2.1.0", "itoa", "ryu", "serde", ] +[[package]] +name = "serde_plain" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce1fc6db65a611022b23a0dec6975d63fb80a302cb3388835ff02c097258d50" +dependencies = [ + "serde", +] + +[[package]] +name = "serde_repr" +version = "0.1.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3081f5ffbb02284dda55132aa26daecedd7372a42417bbbab6f14ab7d6bb9145" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.41", +] + [[package]] name = "serde_spanned" -version = "0.6.3" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96426c9936fd7a0124915f9185ea1d20aa9445cc9821142f0a73bc9207a2e186" +checksum = "12022b835073e5b11e90a14f86838ceb1c8fb0325b72416845c487ac0fa95e80" dependencies = [ "serde", ] @@ -5106,7 +5073,24 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "678b5a069e50bf00ecd22d0cd8ddf7c236f68581b03db652061ed5eb13a312ff" dependencies = [ "serde", - "serde_with_macros", + "serde_with_macros 1.5.2", +] + +[[package]] +name = "serde_with" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64cd236ccc1b7a29e7e2739f27c0b2dd199804abc4290e32f59f3b68d6405c23" +dependencies = [ + "base64 0.21.5", + "chrono", + "hex", + "indexmap 1.9.3", + "indexmap 2.1.0", + "serde", + "serde_json", + "serde_with_macros 3.4.0", + "time", ] [[package]] @@ -5121,13 +5105,25 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "serde_with_macros" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93634eb5f75a2323b16de4748022ac4297f9e76b6dced2be287a099f41b5e788" +dependencies = [ + "darling 0.20.3", + "proc-macro2", + "quote", + "syn 2.0.41", +] + [[package]] name = "serde_yaml" -version = "0.9.25" +version = "0.9.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a49e178e4452f45cb61d0cd8cebc1b0fafd3e41929e996cef79aa3aca91f574" +checksum = "3cc7a1570e38322cfe4154732e5110f887ea57e22b76f4bfd32b5bdd3368666c" dependencies = [ - "indexmap 2.0.0", + "indexmap 2.1.0", "itoa", "ryu", "serde", @@ -5181,7 +5177,7 @@ checksum = "91d129178576168c589c9ec973feedf7d3126c01ac2bf08795109aa35b69fb8f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -5198,13 +5194,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7fd749a01c88a51ac718b59fe571177b31e478dfe059267977042477a0531224" dependencies = [ "bincode", - "bitfield", + "bitfield 0.13.2", "bitflags 1.3.2", "codicon", "dirs", "hex", "iocuddle", "kvm-ioctls", + "openssl", "serde", "serde-big-array", "serde_bytes", @@ -5217,17 +5214,6 @@ name = "sgx_types" version = "1.1.5" source = "git+https://github.com/occlum/occlum?tag=v0.29.7#b5a32a8d8a81de2458c2b0d06b07ddce6fd10a44" -[[package]] -name = "sha-1" -version = "0.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f5058ada175748e33390e40e872bd0fe59a19f265d0158daa551c5a88a76009c" -dependencies = [ - "cfg-if", - "cpufeatures", - "digest 0.10.7", -] - [[package]] name = "sha1" version = "0.10.6" @@ -5241,11 +5227,12 @@ dependencies = [ [[package]] name = "sha1collisiondetection" -version = "0.2.7" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b20793cf8330b2c7da4c438116660fed24e380bcb8a1bcfff2581b5593a0b38e" +checksum = "31c0b86a052106b16741199985c9ec2bf501f619f70c48fa479b44b093ad9a68" dependencies = [ - "digest 0.9.0", + "const-oid", + "digest 0.10.7", "generic-array", ] @@ -5264,25 +5251,15 @@ dependencies = [ [[package]] name = "sha2" -version = "0.10.7" +version = "0.10.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8" +checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" dependencies = [ "cfg-if", "cpufeatures", "digest 0.10.7", ] -[[package]] -name = "sha3" -version = "0.10.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60" -dependencies = [ - "digest 0.10.7", - "keccak", -] - [[package]] name = "shadow-rs" version = "0.23.0" @@ -5323,9 +5300,9 @@ dependencies = [ [[package]] name = "signature" -version = "2.0.0" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8fe458c98333f9c8152221191a77e2a44e8325d0193484af2e9421a53019e57d" +checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" dependencies = [ "digest 0.10.7", "rand_core 0.6.4", @@ -5333,44 +5310,49 @@ dependencies = [ [[package]] name = "sigstore" -version = "0.6.0" -source = "git+https://github.com/sigstore/sigstore-rs.git?rev=69e8f33#69e8f3310e5ecff7dbe15ae6b45e2edf091aa4db" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "62e263c1b57dfbba5efe772af0cbc5acd1da1900c24401c2a34f407980282d43" dependencies = [ "async-trait", - "base64 0.21.4", + "base64 0.21.5", "cfg-if", "chrono", - "const-oid 0.9.5", - "der 0.6.1", + "const-oid", + "crypto_secretbox", "digest 0.10.7", - "ecdsa 0.15.1", - "ed25519 2.1.0", - "ed25519-dalek 2.0.0-pre.0", - "elliptic-curve 0.12.3", - "getrandom 0.2.10", + "ecdsa", + "ed25519", + "ed25519-dalek", + "elliptic-curve", + "getrandom", "lazy_static", "oci-distribution", "olpc-cjson", - "p256 0.12.0", - "p384 0.12.0", - "pem", - "picky", - "pkcs1 0.4.1", - "pkcs8 0.9.0", + "p256", + "p384", + "pem 3.0.3", + "pkcs1 0.7.5", + "pkcs8 0.10.2", "rand 0.8.5", - "rsa 0.8.2", - "scrypt", + "regex", + "rsa 0.9.6", + "rustls-pki-types", + "rustls-webpki 0.102.0", + "scrypt 0.11.0", "serde", "serde_json", - "sha2 0.10.7", - "signature 2.0.0", + "serde_repr", + "serde_with 3.4.0", + "sha2 0.10.8", + "signature 2.2.0", "thiserror", "tokio", + "tough", "tracing", "url", "webbrowser", "x509-cert", - "xsalsa20poly1305", "zeroize", ] @@ -5391,15 +5373,37 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.11.0" +version = "1.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" +checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" + +[[package]] +name = "snafu" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e4de37ad025c587a29e8f3f5605c00f70b98715ef90b9061a815b9e59e9042d6" +dependencies = [ + "doc-comment", + "snafu-derive", +] + +[[package]] +name = "snafu-derive" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "990079665f075b699031e9c08fd3ab99be5029b96f3b78dc0709e8f77e4efebf" +dependencies = [ + "heck 0.4.1", + "proc-macro2", + "quote", + "syn 1.0.109", +] [[package]] name = "socket2" -version = "0.4.9" +version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64a4a911eed85daf18834cfaa86a79b7d266ff93ff5ba14005426219480ed662" +checksum = "9f7916fc008ca5542385b89a3d3ce689953c143e9304a9bf8beec1de48994c0d" dependencies = [ "libc", "winapi", @@ -5407,9 +5411,9 @@ dependencies = [ [[package]] name = "socket2" -version = "0.5.4" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4031e820eb552adee9295814c0ced9e5cf38ddf1e8b7d566d6de8e2538ea989e" +checksum = "7b5fac59a5cb5dd637972e5fca70daf0523c9067fcdc4842f053dae04a18f8e9" dependencies = [ "libc", "windows-sys 0.48.0", @@ -5422,14 +5426,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" [[package]] -name = "spki" -version = "0.5.4" +name = "spin" +version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d01ac02a6ccf3e07db148d2be087da624fea0221a16152ed01f0496a6b0a27" -dependencies = [ - "base64ct", - "der 0.5.1", -] +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" [[package]] name = "spki" @@ -5443,9 +5443,9 @@ dependencies = [ [[package]] name = "spki" -version = "0.7.2" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" dependencies = [ "base64ct", "der 0.7.8", @@ -5463,6 +5463,21 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" +[[package]] +name = "storage" +version = "0.1.0" +dependencies = [ + "anyhow", + "base64 0.21.5", + "log", + "rstest", + "secret", + "serde", + "serde_json", + "thiserror", + "tokio", +] + [[package]] name = "string_cache" version = "0.8.7" @@ -5499,15 +5514,15 @@ dependencies = [ [[package]] name = "strum_macros" -version = "0.25.2" +version = "0.25.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad8d03b598d3d0fff69bf533ee3ef19b8eeb342729596df84bcc7e1f96ec4059" +checksum = "23dc1fa9ac9c169a78ba62f0b841814b7abae11bdd047b9c58f893439e309ea0" dependencies = [ "heck 0.4.1", "proc-macro2", "quote", "rustversion", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -5516,12 +5531,6 @@ version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" -[[package]] -name = "subtle-ng" -version = "2.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "734676eb262c623cec13c3155096e08d1f8f29adce39ba17948b18dad1e54142" - [[package]] name = "syn" version = "1.0.109" @@ -5535,9 +5544,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.32" +version = "2.0.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "239814284fd6f1a4ffe4ca893952cdd93c224b6a1571c9a9eadd670295c0c9e2" +checksum = "44c8b28c477cc3bf0e7966561e3460130e1255f7a1cf71931075f1c5e7a7e269" dependencies = [ "proc-macro2", "quote", @@ -5550,6 +5559,27 @@ version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" +[[package]] +name = "system-configuration" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7" +dependencies = [ + "bitflags 1.3.2", + "core-foundation", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "tar" version = "0.4.40" @@ -5563,9 +5593,9 @@ dependencies = [ [[package]] name = "target-lexicon" -version = "0.12.11" +version = "0.12.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d0e916b1148c8e263850e1ebcbd046f333e0683c724876bb0da63ea4373dc8a" +checksum = "14c39fd04924ca3a864207c66fc2cd7d22d7c016007f9ce846cbb9326331930a" [[package]] name = "tdx-attest-rs" @@ -5585,13 +5615,13 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.8.0" +version = "3.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb94d2f3cc536af71caac6b6fcebf65860b347e7ce0cc9ebe8f70d3e521054ef" +checksum = "7ef1adac450ad7f4b3c28589471ade84f25f731a7a0fe30d71dfa9f60fd808e5" dependencies = [ "cfg-if", "fastrand", - "redox_syscall 0.3.5", + "redox_syscall", "rustix", "windows-sys 0.48.0", ] @@ -5609,9 +5639,9 @@ dependencies = [ [[package]] name = "termcolor" -version = "1.2.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6" +checksum = "ff1bc3d3f05aff0403e8ac0d92ced918ec05b666a43f83297ccef5bea8a3d449" dependencies = [ "winapi-util", ] @@ -5638,12 +5668,12 @@ dependencies = [ "bollard-stubs", "futures", "hex", - "hmac", + "hmac 0.12.1", "log", "rand 0.8.5", "serde", "serde_json", - "sha2 0.10.7", + "sha2 0.10.8", ] [[package]] @@ -5657,34 +5687,35 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.48" +version = "1.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d6d7a740b8a666a7e828dd00da9c0dc290dff53154ea77ac109281de90589b7" +checksum = "f9a7210f5c9a7156bb50aa36aed4c95afb51df0df00713949448cf9e97d382d2" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.48" +version = "1.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49922ecae66cc8a249b77e68d1d0623c1b2c514f0060c27cdc68bd62a1219d35" +checksum = "266b2e40bc00e5a6c09c3584011e08b06f123c00362c92b975ba9843aaaa14b8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] name = "time" -version = "0.3.28" +version = "0.3.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17f6bb557fd245c28e6411aa56b6403c689ad95061f50e4be16c274e70a17e48" +checksum = "c4a34ab300f2dee6e562c10a046fc05e358b29f9bf92277f30c3c8d82275f6f5" dependencies = [ "deranged", "itoa", "libc", "num_threads", + "powerfmt", "serde", "time-core", "time-macros", @@ -5692,15 +5723,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb" +checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" [[package]] name = "time-macros" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a942f44339478ef67935ab2bbaec2fb0322496cf3cbe84b261e06ac3814c572" +checksum = "4ad70d68dba9e1f8aceda7aa6711965dfec1cac869f311a51bd08b3a2ccbce20" dependencies = [ "time-core", ] @@ -5731,9 +5762,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.32.0" +version = "1.35.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17ed6077ed6cd6c74735e21f37eb16dc3935f96878b1fe961074089cc80893f9" +checksum = "841d45b238a16291a4e1584e61820b8ae57d696cc5015c459c229ccc6990cc1c" dependencies = [ "backtrace", "bytes", @@ -5743,7 +5774,7 @@ dependencies = [ "parking_lot", "pin-project-lite", "signal-hook-registry", - "socket2 0.5.4", + "socket2 0.5.5", "tokio-macros", "windows-sys 0.48.0", ] @@ -5760,13 +5791,13 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.1.0" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "630bdcf245f78637c13ec01ffae6187cca34625e8c63150d424b59e55af2675e" +checksum = "5b8a1e28f2deaa14e508979454cb3a223b10b938b45af148bc0986de36f1923b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -5810,19 +5841,18 @@ dependencies = [ "libc", "scoped-tls", "slab", - "socket2 0.4.9", + "socket2 0.4.10", "tokio", ] [[package]] name = "tokio-util" -version = "0.7.8" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d" +checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15" dependencies = [ "bytes", "futures-core", - "futures-io", "futures-sink", "pin-project-lite", "tokio", @@ -5853,9 +5883,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.1" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bc1433177506450fe920e46a4f9812d0c211f5dd556da10e731a0a3dfa151f0" +checksum = "a1a195ec8c9da26928f773888e0742ca3ca1040c6cd859c919c9f59c1954ab35" dependencies = [ "serde", "serde_spanned", @@ -5865,20 +5895,20 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.3" +version = "0.6.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7cda73e2f1397b1262d6dfdcef8aafae14d1de7748d66822d3bfeeb6d03e5e4b" +checksum = "3550f4e9685620ac18a50ed434eb3aec30db8ba93b0287467bca5826ea25baf1" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.20.1" +version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca676d9ba1a322c1b64eb8045a5ec5c0cfb0c9d08e15e9ff622589ad5221c8fe" +checksum = "d34d383cd00a163b4a5b85053df514d45bc330f6de7737edfe0a93311d1eaa03" dependencies = [ - "indexmap 2.0.0", + "indexmap 2.1.0", "serde", "serde_spanned", "toml_datetime", @@ -5893,7 +5923,7 @@ checksum = "3082666a3a6433f7f511c7192923fa1fe07c69332d3c6a2e6bb040b569199d5a" dependencies = [ "async-trait", "axum", - "base64 0.21.4", + "base64 0.21.5", "bytes", "futures-core", "futures-util", @@ -5926,6 +5956,33 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "tough" +version = "0.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eda3efa9005cf9c1966984c3b9a44c3f37b7ed2c95ba338d6ad51bba70e989a0" +dependencies = [ + "chrono", + "dyn-clone", + "globset", + "hex", + "log", + "olpc-cjson", + "path-absolutize", + "pem 1.1.1", + "percent-encoding", + "reqwest", + "ring 0.16.20", + "serde", + "serde_json", + "serde_plain", + "snafu", + "tempfile", + "untrusted 0.7.1", + "url", + "walkdir", +] + [[package]] name = "tower" version = "0.4.13" @@ -5960,11 +6017,10 @@ checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" [[package]] name = "tracing" -version = "0.1.37" +version = "0.1.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8" +checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef" dependencies = [ - "cfg-if", "log", "pin-project-lite", "tracing-attributes", @@ -5973,37 +6029,37 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.26" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f4f31f56159e98206da9efd823404b79b6ef3143b4a7ab76e67b1751b25a4ab" +checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] name = "tracing-core" -version = "0.1.31" +version = "0.1.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0955b8137a1df6f1a2e9a37d8a6656291ff0297c1a97c24e0d8425fe2312f79a" +checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54" dependencies = [ "once_cell", ] [[package]] name = "try-lock" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed" +checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tss-esapi" -version = "7.2.0" +version = "7.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "891582e26e83f2cbd608b18cbd7ffb921482740524187a2bca20cf44a286547b" +checksum = "de234df360c349f78ecd33f0816ab3842db635732212b5cfad67f2638336864e" dependencies = [ - "bitfield", + "bitfield 0.14.0", "enumflags2", "hostname-validator", "log", @@ -6011,8 +6067,8 @@ dependencies = [ "num-derive", "num-traits", "oid", - "picky-asn1 0.3.3", - "picky-asn1-x509 0.6.1", + "picky-asn1", + "picky-asn1-x509", "regex", "serde", "tss-esapi-sys", @@ -6021,9 +6077,9 @@ dependencies = [ [[package]] name = "tss-esapi-sys" -version = "0.4.0" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7b8be553262e0924410fe96404830252477f175f228081f21cb0bd87f2ccebe" +checksum = "535cd192581c2ec4d5f82e670b1d3fbba6a23ccce8c85de387642051d7cad5b5" dependencies = [ "pkg-config", "target-lexicon", @@ -6042,8 +6098,8 @@ dependencies = [ "libc", "log", "nix 0.26.4", - "protobuf 3.2.0", - "protobuf-codegen 3.2.0", + "protobuf 3.3.0", + "protobuf-codegen 3.3.0", "thiserror", "tokio", "tokio-vsock", @@ -6057,16 +6113,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2" dependencies = [ "protobuf 2.28.0", - "protobuf-codegen 3.2.0", + "protobuf-codegen 3.3.0", "protobuf-support", "ttrpc-compiler", ] [[package]] name = "ttrpc-compiler" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec3cb5dbf1f0865a34fe3f722290fe776cacb16f50428610b779467b76ddf647" +checksum = "0672eb06e5663ad190c7b93b2973f5d730259859b62e4e3381301a12a7441107" dependencies = [ "derive-new", "prost 0.8.0", @@ -6088,9 +6144,9 @@ dependencies = [ [[package]] name = "typenum" -version = "1.16.0" +version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba" +checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" [[package]] name = "tz-rs" @@ -6128,15 +6184,15 @@ dependencies = [ [[package]] name = "unicode-bidi" -version = "0.3.13" +version = "0.3.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" +checksum = "6f2528f27a9eb2b21e69c95319b30bd0efd85d09c379741b0f78ea1d86be2416" [[package]] name = "unicode-ident" -version = "1.0.11" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" [[package]] name = "unicode-normalization" @@ -6155,9 +6211,9 @@ checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36" [[package]] name = "unicode-width" -version = "0.1.10" +version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0edd1e5b14653f783770bce4a4dabb4a5108a5370a5f5d8cfe8710c361f6c8b" +checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85" [[package]] name = "unicode-xid" @@ -6177,9 +6233,9 @@ dependencies = [ [[package]] name = "unsafe-libyaml" -version = "0.2.9" +version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f28467d3e1d3c6586d8f25fa243f544f5800fec42d97032474e17222c2b75cfa" +checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" [[package]] name = "untrusted" @@ -6187,13 +6243,19 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + [[package]] name = "ureq" -version = "2.7.1" +version = "2.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b11c96ac7ee530603dcdf68ed1557050f374ce55a5a07193ebf8cbc9f8927e9" +checksum = "f8cdd25c339e200129fe4de81451814e5228c9b771d57378817d6117cc2b3f97" dependencies = [ - "base64 0.21.4", + "base64 0.21.5", "log", "once_cell", "serde", @@ -6203,12 +6265,12 @@ dependencies = [ [[package]] name = "url" -version = "2.4.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5" +checksum = "31e6302e3bb753d46e83516cae55ae196fc0c309407cf11ab35cc51a4c2a4633" dependencies = [ "form_urlencoded", - "idna 0.4.0", + "idna 0.5.0", "percent-encoding", ] @@ -6224,7 +6286,7 @@ version = "3.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d82b1bc5417102a73e8464c686eef947bdfb99fcdfc0a4f228e81afa9526470a" dependencies = [ - "indexmap 2.0.0", + "indexmap 2.1.0", "serde", "serde_json", "utoipa-gen", @@ -6239,16 +6301,16 @@ dependencies = [ "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] name = "uuid" -version = "1.4.1" +version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79daa5ed5740825c40b389c5e50312b9c86df53fccd33f281df655642b43869d" +checksum = "5e395fcf16a7a3d8127ec99782007af141946b4795001f876d54fb0d55978560" dependencies = [ - "getrandom 0.2.10", + "getrandom", "rand 0.8.5", "serde", ] @@ -6283,9 +6345,9 @@ dependencies = [ [[package]] name = "vmm-sys-util" -version = "0.11.1" +version = "0.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd64fe09d8e880e600c324e7d664760a17f56e9672b7495a86381b49e4f72f46" +checksum = "48b7b084231214f7427041e4220d77dfe726897a6d41fddee450696e66ff2a29" dependencies = [ "bitflags 1.3.2", "libc", @@ -6320,12 +6382,6 @@ dependencies = [ "try-lock", ] -[[package]] -name = "wasi" -version = "0.9.0+wasi-snapshot-preview1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519" - [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" @@ -6334,9 +6390,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.87" +version = "0.2.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7706a72ab36d8cb1f80ffbf0e071533974a60d0a308d01a5d0375bf60499a342" +checksum = "0ed0d4f68a3015cc185aff4db9506a015f4b96f95303897bfa23f846db54064e" dependencies = [ "cfg-if", "wasm-bindgen-macro", @@ -6344,24 +6400,24 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.87" +version = "0.2.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ef2b6d3c510e9625e5fe6f509ab07d66a760f0885d858736483c32ed7809abd" +checksum = "1b56f625e64f3a1084ded111c4d5f477df9f8c92df113852fa5a374dbda78826" dependencies = [ "bumpalo", "log", "once_cell", "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-futures" -version = "0.4.37" +version = "0.4.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c02dbc21516f9f1f04f187958890d7e6026df8d16540b7ad9492bc34a67cea03" +checksum = "ac36a15a220124ac510204aec1c3e5db8a22ab06fd6706d881dc6149f8ed9a12" dependencies = [ "cfg-if", "js-sys", @@ -6371,9 +6427,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.87" +version = "0.2.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dee495e55982a3bd48105a7b947fd2a9b4a8ae3010041b9e0faab3f9cd028f1d" +checksum = "0162dbf37223cd2afce98f3d0785506dcb8d266223983e4b5b525859e6e182b2" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -6381,22 +6437,22 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.87" +version = "0.2.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" +checksum = "f0eb82fcb7930ae6219a7ecfd55b217f5f0893484b7a13022ebb2b2bf20b5283" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", "wasm-bindgen-backend", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.87" +version = "0.2.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca6ad05a4870b2bf5fe995117d3728437bd27d7cd5f06f13c17443ef369775a1" +checksum = "7ab9b36309365056cd639da3134bf87fa8f3d86008abf99e612384a6eecd459f" [[package]] name = "wasm-streams" @@ -6413,9 +6469,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.64" +version = "0.3.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b85cbef8c220a6abc02aefd892dfc0fc23afb1c6a426316ec33253a3877249b" +checksum = "50c24a44ec86bb68fbecd1b3efed7e85ea5621b39b35ef2766b66cd984f8010f" dependencies = [ "js-sys", "wasm-bindgen", @@ -6423,9 +6479,9 @@ dependencies = [ [[package]] name = "webbrowser" -version = "0.8.11" +version = "0.8.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2c79b77f525a2d670cb40619d7d9c673d09e0666f72c591ebd7861f84a87e57" +checksum = "82b2391658b02c27719fc5a0a73d6e696285138e8b12fba9d4baa70451023c71" dependencies = [ "core-foundation", "home", @@ -6440,9 +6496,9 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "0.25.2" +version = "0.25.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14247bb57be4f377dfb94c72830b8ce8fc6beac03cf4bf7b9732eadd414123fc" +checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10" [[package]] name = "which" @@ -6474,9 +6530,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" [[package]] name = "winapi-util" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" +checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596" dependencies = [ "winapi", ] @@ -6488,10 +6544,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] -name = "windows" -version = "0.48.0" +name = "windows-core" +version = "0.51.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e686886bc078bc1b0b600cac0147aadb815089b6e4da64016cbd754b6342700f" +checksum = "f1f8cf84f35d2db49a46868f947758c7a1138116f7fac3bc844f43ade1292e64" dependencies = [ "windows-targets 0.48.5", ] @@ -6514,6 +6570,15 @@ dependencies = [ "windows-targets 0.48.5", ] +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.0", +] + [[package]] name = "windows-targets" version = "0.42.2" @@ -6544,6 +6609,21 @@ dependencies = [ "windows_x86_64_msvc 0.48.5", ] +[[package]] +name = "windows-targets" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" +dependencies = [ + "windows_aarch64_gnullvm 0.52.0", + "windows_aarch64_msvc 0.52.0", + "windows_i686_gnu 0.52.0", + "windows_i686_msvc 0.52.0", + "windows_x86_64_gnu 0.52.0", + "windows_x86_64_gnullvm 0.52.0", + "windows_x86_64_msvc 0.52.0", +] + [[package]] name = "windows_aarch64_gnullvm" version = "0.42.2" @@ -6556,6 +6636,12 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" + [[package]] name = "windows_aarch64_msvc" version = "0.42.2" @@ -6568,6 +6654,12 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" + [[package]] name = "windows_i686_gnu" version = "0.42.2" @@ -6580,6 +6672,12 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" +[[package]] +name = "windows_i686_gnu" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" + [[package]] name = "windows_i686_msvc" version = "0.42.2" @@ -6592,6 +6690,12 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" +[[package]] +name = "windows_i686_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" + [[package]] name = "windows_x86_64_gnu" version = "0.42.2" @@ -6604,6 +6708,12 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" + [[package]] name = "windows_x86_64_gnullvm" version = "0.42.2" @@ -6616,6 +6726,12 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" + [[package]] name = "windows_x86_64_msvc" version = "0.42.2" @@ -6628,11 +6744,17 @@ version = "0.48.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" + [[package]] name = "winnow" -version = "0.5.15" +version = "0.5.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c2e3184b9c4e92ad5167ca73039d0c42476302ab603e2fec4487511f38ccefc" +checksum = "6c830786f7720c2fd27a1a0e27a709dbd3c4d009b56d098fc742d4f4eab91fe2" dependencies = [ "memchr", ] @@ -6648,49 +6770,36 @@ dependencies = [ ] [[package]] -name = "x25519-dalek-ng" -version = "1.1.1" +name = "x25519-dalek" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf7074de8999662970c3c4c8f7f30925028dd8f4ca31ad4c055efa9cdf2ec326" +checksum = "fb66477291e7e8d2b0ff1bcb900bf29489a9692816d79874bea351e7a8b6de96" dependencies = [ - "curve25519-dalek-ng", - "rand 0.8.5", + "curve25519-dalek", "rand_core 0.6.4", "zeroize", ] [[package]] name = "x509-cert" -version = "0.1.1" +version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99d224a125dec5adda27d0346b9cae9794830279c4f9c27e4ab0b6c408d54012" +checksum = "25eefca1d99701da3a57feb07e5079fc62abba059fc139e98c13bbb250f3ef29" dependencies = [ - "const-oid 0.9.5", - "der 0.6.1", - "flagset", - "spki 0.6.0", + "const-oid", + "der 0.7.8", + "spki 0.7.3", ] [[package]] name = "xattr" -version = "1.0.1" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4686009f71ff3e5c4dbcf1a282d0a44db3f021ba69350cd42086b3e5f1c6985" +checksum = "a7dae5072fe1f8db8f8d29059189ac175196e410e40ba42d5d4684ae2f750995" dependencies = [ "libc", -] - -[[package]] -name = "xsalsa20poly1305" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02a6dad357567f81cd78ee75f7c61f1b30bb2fe4390be8fb7c69e2ac8dffb6c7" -dependencies = [ - "aead", - "poly1305", - "salsa20", - "subtle", - "zeroize", + "linux-raw-sys", + "rustix", ] [[package]] @@ -6714,11 +6823,32 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" +[[package]] +name = "zerocopy" +version = "0.7.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1c4061bedbb353041c12f413700357bec76df2c7e2ca8e4df8bac24c6bf68e3d" +dependencies = [ + "byteorder", + "zerocopy-derive", +] + +[[package]] +name = "zerocopy-derive" +version = "0.7.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b3c129550b3e6de3fd0ba67ba5c81818f9805e58b8d7fee80a3a59d2c9fc601a" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.41", +] + [[package]] name = "zeroize" -version = "1.6.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9" +checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" dependencies = [ "zeroize_derive", ] @@ -6731,7 +6861,7 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.32", + "syn 2.0.41", ] [[package]] @@ -6752,6 +6882,15 @@ dependencies = [ "zstd-safe 6.0.6", ] +[[package]] +name = "zstd" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bffb3309596d527cfcba7dfc6ed6052f1d39dfbd7c867aa2e865e4a449c10110" +dependencies = [ + "zstd-safe 7.0.0", +] + [[package]] name = "zstd-safe" version = "5.0.2+zstd.1.5.2" @@ -6772,13 +6911,21 @@ dependencies = [ "zstd-sys", ] +[[package]] +name = "zstd-safe" +version = "7.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43747c7422e2924c11144d5229878b98180ef8b06cca4ab5af37afc8a8d8ea3e" +dependencies = [ + "zstd-sys", +] + [[package]] name = "zstd-sys" -version = "2.0.8+zstd.1.5.5" +version = "2.0.9+zstd.1.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5556e6ee25d32df2586c098bbfa278803692a20d0ab9565e049480d52707ec8c" +checksum = "9e16efa8a874a0481a574084d34cc26fdb3b99627480f785888deb6386506656" dependencies = [ "cc", - "libc", "pkg-config", ] diff --git a/Cargo.toml b/Cargo.toml index b10de14a4..2b6a788a5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -14,7 +14,9 @@ members = [ "attestation-agent/test-binaries", "confidential-data-hub/hub", "confidential-data-hub/kms", + "confidential-data-hub/image", "confidential-data-hub/secret", + "confidential-data-hub/storage", "image-rs", "ocicrypt-rs", ] @@ -37,8 +39,7 @@ env_logger = "0.10.0" hex = "0.4.3" hmac = "0.12.1" jwt-simple = "0.11" -# TODO: change it to "0.5", once released. -kbs-types = { git = "https://github.com/virtee/kbs-types", rev = "c90df0e" } +kbs-types = "0.5.1" lazy_static = "1.4.0" log = "0.4.14" openssl = "0.10" @@ -67,6 +68,3 @@ ttrpc-codegen = "0.4.2" url = "2.3.1" uuid = "1" zeroize = "1.5.7" - -[patch.crates-io] -oci-distribution = { git = "https://github.com/krustlet/oci-distribution.git", rev = "f44124c" } diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..39a42a2ef --- /dev/null +++ b/Makefile @@ -0,0 +1,56 @@ +TEE_PLATFORM ?= test +ARCH ?= $(shell uname -m) + +DESTDIR ?= /usr/local/bin + +LIBC ?= musl +KBC ?= +RESOURCE_PROVIDER ?= kbs + +ifeq ($(TEE_PLATFORM), test) + KBC = offline_fs_kbc +else ifeq ($(TEE_PLATFORM), tdx) + LIBC = gnu + KBC = cc_kbc_tdx +else ifeq ($(TEE_PLATFORM), sev) + KBC = online_sev_kbc + RESOURCE_PROVIDER = sev +endif +# TODO: Add support for SNP, Az-snp-vtpm, CCA, CSV + +ifeq ($(ARCH), $(filter $(ARCH), s390x powerpc64le)) + LIBC = gnu +endif + +CDH := confidential-data-hub +AA := attestation-agent +ASR := api-server-rest + +BUILD_DIR := target/$(ARCH)-unknown-linux-$(LIBC)/release + +CDH_BINARY := $(BUILD_DIR)/$(CDH) +AA_BINARY := $(BUILD_DIR)/$(AA) +ASR_BINARY := $(BUILD_DIR)/$(ASR) + +build: $(CDH_BINARY) $(ASR_BINARY) $(AA_BINARY) + @echo guest components built for $(TEE_PLATFORM) succeeded! + +$(CDH_BINARY): + @echo build $(CDH) for $(TEE_PLATFORM) + cd $(CDH) && $(MAKE) RESOURCE_PROVIDER=$(RESOURCE_PROVIDER) LIBC=$(LIBC) + +$(AA_BINARY): + @echo build $(AA) for $(TEE_PLATFORM) + cd $(AA) && $(MAKE) ttrpc=true ARCH=$(ARCH) LIBC=$(LIBC) KBC=$(KBC) + +$(ASR_BINARY): + @echo build $(ASR) for $(TEE_PLATFORM) + cd $(ASR) && $(MAKE) ARCH=$(ARCH) LIBC=$(LIBC) + +install: $(CDH_BINARY) $(ASR_BINARY) $(AA_BINARY) + install -D -m0755 $(CDH_BINARY) $(DESTDIR)/$(CDH) + install -D -m0755 $(AA_BINARY) $(DESTDIR)/$(AA) + install -D -m0755 $(ASR_BINARY) $(DESTDIR)/$(ASR) + +clean: + rm -rf target diff --git a/README.md b/README.md index 0d2c87ecf..5386f4742 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ This repository includes tools and components for confidential container images. -## +## Components [Attestation Agent](attestation-agent) An agent for facilitating attestation protocols. @@ -18,5 +18,22 @@ Rust implementation of the OCI image encryption library. [api-server-rest](api-server-rest) CoCo Restful API server. +[coco-keyprovider](attestation-agent/coco_keyprovider/) +CoCo Keyprovider. Used to encrypt the container images. + +## Build + +A `Makefile` is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub of a given platform. + +```shell +make build TEE_PLATFORM=$(TEE_PLATFORM) +make install DESTDIR=/usr/local/bin +``` + +The `TEE_PLATFORM` parameter can be +- `test`: for test +- `tdx`: for Intel TDX +- `sev`: for AMD SEV + ## License [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fconfidential-containers%2Fimage-rs.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fconfidential-containers%2Fimage-rs?ref=badge_large) diff --git a/api-server-rest/src/aa.rs b/api-server-rest/src/aa.rs index 20fd3ccaa..efda9fd39 100644 --- a/api-server-rest/src/aa.rs +++ b/api-server-rest/src/aa.rs @@ -85,7 +85,8 @@ impl ApiHandler for AAClient { impl AAClient { pub fn new(aa_addr: &str, accepted_method: Vec) -> Result { - let inner = ttrpc::asynchronous::Client::connect(aa_addr)?; + let inner = ttrpc::asynchronous::Client::connect(aa_addr) + .context(format!("ttrpc connect to AA addr: {} failed!", aa_addr))?; let client = AttestationAgentServiceClient::new(inner); Ok(Self { diff --git a/api-server-rest/src/cdh.rs b/api-server-rest/src/cdh.rs index 9ce78f732..cd514ab31 100644 --- a/api-server-rest/src/cdh.rs +++ b/api-server-rest/src/cdh.rs @@ -66,7 +66,8 @@ impl ApiHandler for CDHClient { impl CDHClient { pub fn new(cdh_addr: &str, accepted_method: Vec) -> Result { - let inner = ttrpc::asynchronous::Client::connect(cdh_addr)?; + let inner = ttrpc::asynchronous::Client::connect(cdh_addr) + .context(format!("ttrpc connect to CDH addr: {} failed!", cdh_addr))?; let client = GetResourceServiceClient::new(inner); Ok(Self { diff --git a/api-server-rest/src/ttrpc_proto/attestation_agent.rs b/api-server-rest/src/ttrpc_proto/attestation_agent.rs index 1e067cfdd..274065bc4 100644 --- a/api-server-rest/src/ttrpc_proto/attestation_agent.rs +++ b/api-server-rest/src/ttrpc_proto/attestation_agent.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.2.0. Do not edit +// This file is generated by rust-protobuf 3.3.0. Do not edit // .proto file is parsed by pure // @generated @@ -23,10 +23,10 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetEvidenceRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetEvidenceRequest { // message fields // @@protoc_insertion_point(field:attestation_agent.GetEvidenceRequest.RuntimeData) @@ -147,8 +147,8 @@ impl ::protobuf::reflect::ProtobufValue for GetEvidenceRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetEvidenceResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetEvidenceResponse { // message fields // @@protoc_insertion_point(field:attestation_agent.GetEvidenceResponse.Evidence) @@ -269,8 +269,8 @@ impl ::protobuf::reflect::ProtobufValue for GetEvidenceResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetTokenRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetTokenRequest { // message fields // @@protoc_insertion_point(field:attestation_agent.GetTokenRequest.TokenType) @@ -391,8 +391,8 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetTokenResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetTokenResponse { // message fields // @@protoc_insertion_point(field:attestation_agent.GetTokenResponse.Token) diff --git a/api-server-rest/src/ttrpc_proto/attestation_agent_ttrpc.rs b/api-server-rest/src/ttrpc_proto/attestation_agent_ttrpc.rs index 50483e1ed..60544380d 100644 --- a/api-server-rest/src/ttrpc_proto/attestation_agent_ttrpc.rs +++ b/api-server-rest/src/ttrpc_proto/attestation_agent_ttrpc.rs @@ -1,12 +1,9 @@ -// This file is generated by ttrpc-compiler 0.6.1. Do not edit +// This file is generated by ttrpc-compiler 0.6.2. Do not edit // @generated -// https://github.com/Manishearth/rust-clippy/issues/702 +#![cfg_attr(rustfmt, rustfmt_skip)] #![allow(unknown_lints)] #![allow(clipto_camel_casepy)] - -#![cfg_attr(rustfmt, rustfmt_skip)] - #![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] @@ -17,6 +14,7 @@ #![allow(unsafe_code)] #![allow(unused_imports)] #![allow(unused_results)] +#![allow(clippy::all)] use protobuf::{CodedInputStream, CodedOutputStream, Message}; use std::collections::HashMap; use std::sync::Arc; diff --git a/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs b/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs index 9d05c4ec4..453081afc 100644 --- a/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs +++ b/api-server-rest/src/ttrpc_proto/confidential_data_hub.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.2.0. Do not edit +// This file is generated by rust-protobuf 3.3.0. Do not edit // .proto file is parsed by pure // @generated @@ -23,10 +23,10 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.GetResourceRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetResourceRequest { // message fields // @@protoc_insertion_point(field:api.GetResourceRequest.ResourcePath) @@ -147,8 +147,8 @@ impl ::protobuf::reflect::ProtobufValue for GetResourceRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:api.GetResourceResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetResourceResponse { // message fields // @@protoc_insertion_point(field:api.GetResourceResponse.Resource) diff --git a/api-server-rest/src/ttrpc_proto/confidential_data_hub_ttrpc.rs b/api-server-rest/src/ttrpc_proto/confidential_data_hub_ttrpc.rs index 83b5ab27e..cb05c103c 100644 --- a/api-server-rest/src/ttrpc_proto/confidential_data_hub_ttrpc.rs +++ b/api-server-rest/src/ttrpc_proto/confidential_data_hub_ttrpc.rs @@ -1,12 +1,9 @@ -// This file is generated by ttrpc-compiler 0.6.1. Do not edit +// This file is generated by ttrpc-compiler 0.6.2. Do not edit // @generated -// https://github.com/Manishearth/rust-clippy/issues/702 +#![cfg_attr(rustfmt, rustfmt_skip)] #![allow(unknown_lints)] #![allow(clipto_camel_casepy)] - -#![cfg_attr(rustfmt, rustfmt_skip)] - #![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] @@ -17,6 +14,7 @@ #![allow(unsafe_code)] #![allow(unused_imports)] #![allow(unused_results)] +#![allow(clippy::all)] use protobuf::{CodedInputStream, CodedOutputStream, Message}; use std::collections::HashMap; use std::sync::Arc; diff --git a/attestation-agent/README.md b/attestation-agent/README.md index c61b14fad..318078f39 100644 --- a/attestation-agent/README.md +++ b/attestation-agent/README.md @@ -113,7 +113,7 @@ List of supported KBC modules: | eaa_kbc | [EAA KBC](kbc/src/eaa_kbc/README.md) | EAA protocol | Alibaba Cloud | | offline_sev_kbc | [Offline SEV KBC](kbc/src/offline_sev_kbc/README.md) | Null | IBM | | online_sev_kbc | [Online SEV KBC](kbc/src/online_sev_kbc/README.md) | simple-kbs | IBM | -| cc_kbc | [CC KBC](kbc/src/cc_kbc/README.md) | [CoCo KBS protocol](https://github.com/confidential-containers/kbs/blob/main/docs/kbs_attestation_protocol.md) | CoCo Community | +| cc_kbc | [CC KBC](kbc/src/cc_kbc/README.md) | [CoCo KBS protocol](https://github.com/confidential-containers/kbs/blob/main/kbs/docs/kbs_attestation_protocol.md) | CoCo Community | ### CC KBC @@ -124,6 +124,7 @@ CC KBC supports different kinds of hardware TEE attesters, now | sgx-attester | Intel SGX DCAP | | snp-attester | AMD SEV-SNP | | az-snp-vtpm-attester| Azure SEV-SNP CVM | +| cca-attester | Arm Confidential Compute Architecture (CCA) | To build cc kbc with all available attesters and install, use ```shell diff --git a/attestation-agent/app/build.rs b/attestation-agent/app/build.rs index a070ee979..f4daf0488 100644 --- a/attestation-agent/app/build.rs +++ b/attestation-agent/app/build.rs @@ -9,9 +9,17 @@ use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize}; fn main() -> std::io::Result<()> { #[cfg(feature = "grpc")] { - tonic_build::compile_protos("../protos/keyprovider.proto")?; - tonic_build::compile_protos("../protos/getresource.proto")?; - tonic_build::compile_protos("../protos/attestation-agent.proto")?; + tonic_build::configure() + .build_server(true) + .protoc_arg("--experimental_allow_proto3_optional") + .compile( + &[ + "../protos/keyprovider.proto", + "../protos/getresource.proto", + "../protos/attestation-agent.proto", + ], + &["../protos"], + )?; } #[cfg(feature = "ttrpc")] diff --git a/attestation-agent/app/src/rpc/attestation/mod.rs b/attestation-agent/app/src/rpc/attestation/mod.rs index b2fbf27ef..2e7e8e2a0 100644 --- a/attestation-agent/app/src/rpc/attestation/mod.rs +++ b/attestation-agent/app/src/rpc/attestation/mod.rs @@ -20,7 +20,10 @@ pub mod grpc { use attestation::attestation_agent_service_server::{ AttestationAgentService, AttestationAgentServiceServer, }; - use attestation::{GetEvidenceRequest, GetEvidenceResponse, GetTokenRequest, GetTokenResponse}; + use attestation::{ + ExtendRuntimeMeasurementRequest, ExtendRuntimeMeasurementResponse, GetEvidenceRequest, + GetEvidenceResponse, GetTokenRequest, GetTokenResponse, + }; use std::net::SocketAddr; use tonic::{transport::Server, Request, Response, Status}; @@ -84,6 +87,35 @@ pub mod grpc { Result::Ok(Response::new(reply)) } + + async fn extend_runtime_measurement( + &self, + request: Request, + ) -> Result, Status> { + let request = request.into_inner(); + + let attestation_agent_mutex_clone = Arc::clone(&ASYNC_ATTESTATION_AGENT); + let mut attestation_agent = attestation_agent_mutex_clone.lock().await; + + debug!("Call AA to extend runtime measurement ..."); + + attestation_agent + .extend_runtime_measurement(request.events, request.register_index) + .await + .map_err(|e| { + error!("Call AA to extend runtime measurement failed: {}", e); + Status::internal(format!( + "[ERROR:{}] AA extend runtime measurement failed: {}", + AGENT_NAME, e + )) + })?; + + debug!("Extend runtime measurement successfully!"); + + let reply = ExtendRuntimeMeasurementResponse {}; + + Result::Ok(Response::new(reply)) + } } pub async fn start_grpc_service(socket: SocketAddr) -> Result<()> { @@ -176,6 +208,34 @@ pub mod ttrpc { ::ttrpc::Result::Ok(reply) } + + async fn extend_runtime_measurement( + &self, + _ctx: &::ttrpc::r#async::TtrpcContext, + req: attestation_agent::ExtendRuntimeMeasurementRequest, + ) -> ::ttrpc::Result { + debug!("Call AA to extend runtime measurement ..."); + + let attestation_agent_mutex_clone = ASYNC_ATTESTATION_AGENT.clone(); + let mut attestation_agent = attestation_agent_mutex_clone.lock().await; + + attestation_agent + .extend_runtime_measurement(req.Events, req.RegisterIndex) + .await + .map_err(|e| { + error!("Call AA to extend runtime measurement failed: {}", e); + let mut error_status = ::ttrpc::proto::Status::new(); + error_status.set_code(Code::INTERNAL); + error_status.set_message(format!( + "[ERROR:{}] AA extend runtime measurement failed: {}", + AGENT_NAME, e + )); + ::ttrpc::Error::RpcStatus(error_status) + })?; + + let reply = attestation_agent::ExtendRuntimeMeasurementResponse::new(); + ::ttrpc::Result::Ok(reply) + } } pub fn start_ttrpc_service() -> Result> { diff --git a/attestation-agent/app/src/rpc/keyprovider/mod.rs b/attestation-agent/app/src/rpc/keyprovider/mod.rs index 146d1eb25..e1c2f0b81 100644 --- a/attestation-agent/app/src/rpc/keyprovider/mod.rs +++ b/attestation-agent/app/src/rpc/keyprovider/mod.rs @@ -322,7 +322,7 @@ fn get_kbc_kbs_pair(kpi: &KeyProviderInput) -> Result<(String, String)> { .ok_or_else(|| anyhow!(ERR_DC_EMPTY))?; if let Some(parameters_list) = dc.parameters.get(AGENT_NAME) { - let value = if let Some(value) = parameters_list.get(0) { + let value = if let Some(value) = parameters_list.first() { value } else { return Err(anyhow!(ERR_DC_EMPTY)); diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml index 91a569f8b..803b4009f 100644 --- a/attestation-agent/attester/Cargo.toml +++ b/attestation-agent/attester/Cargo.toml @@ -8,7 +8,7 @@ edition = "2021" [dependencies] anyhow.workspace = true async-trait.workspace = true -az-snp-vtpm = { git = "https://github.com/kinvolk/azure-cvm-tooling", rev = "2c2e411", default-features = false, features = ["attester"], optional = true } +az-snp-vtpm = { version = "0.4", default-features = false, features = ["attester"], optional = true } base64.workspace = true kbs-types.workspace = true log.workspace = true @@ -20,7 +20,7 @@ sev = { version = "1.2.0", default-features = false, features = ["snp"], optiona strum.workspace = true tdx-attest-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.16", optional = true } # TODO: change it to "0.1", once released. -csv-rs = { git = "https://gitee.com/anolis/csv-rs", rev = "05fbacd", optional = true } +csv-rs = { git = "https://gitee.com/anolis/csv-rs", rev = "9d8882e", optional = true } codicon = { version = "3.0", optional = true } hyper = { version = "0.14", features = ["full"], optional = true } hyper-tls = { version = "0.5", optional = true } diff --git a/attestation-agent/attester/src/az_snp_vtpm/mod.rs b/attestation-agent/attester/src/az_snp_vtpm/mod.rs index 7144d4a9e..b39781f5e 100644 --- a/attestation-agent/attester/src/az_snp_vtpm/mod.rs +++ b/attestation-agent/attester/src/az_snp_vtpm/mod.rs @@ -4,17 +4,18 @@ // use super::Attester; -use anyhow::*; -use az_snp_vtpm::{imds, vtpm}; +use az_snp_vtpm::{imds, is_snp_cvm, vtpm}; use log::debug; use serde::{Deserialize, Serialize}; pub fn detect_platform() -> bool { - if let Err(err) = vtpm::get_report() { - debug!("Failed to retrieve Azure HCL data from vTPM: {err}"); - return false; + match is_snp_cvm() { + Ok(is_snp) => is_snp, + Err(err) => { + debug!("Failed to retrieve Azure HCL data from vTPM: {}", err); + false + } } - true } #[derive(Debug, Default)] @@ -29,7 +30,7 @@ struct Evidence { #[async_trait::async_trait] impl Attester for AzSnpVtpmAttester { - async fn get_evidence(&self, report_data: Vec) -> Result { + async fn get_evidence(&self, report_data: Vec) -> anyhow::Result { let report = vtpm::get_report()?; let quote = vtpm::get_quote(&report_data)?; let certs = imds::get_certs()?; diff --git a/attestation-agent/attester/src/csv/mod.rs b/attestation-agent/attester/src/csv/mod.rs index b3418a0cf..bdf5a7eed 100644 --- a/attestation-agent/attester/src/csv/mod.rs +++ b/attestation-agent/attester/src/csv/mod.rs @@ -32,6 +32,8 @@ struct CertificateChain { struct CsvEvidence { attestation_report: AttestationReport, cert_chain: CertificateChain, + // Base64 Encoded CSV Serial Number (Used to identify HYGON chip ID) + serial_number: Vec, } #[derive(Debug, Default)] @@ -59,6 +61,7 @@ impl Attester for CsvAttester { let evidence = CsvEvidence { attestation_report, cert_chain: CertificateChain { hsk, cek, pek }, + serial_number: report_signer.sn.to_vec(), }; serde_json::to_string(&evidence).context("Serialize CSV evidence failed") } diff --git a/attestation-agent/attester/src/lib.rs b/attestation-agent/attester/src/lib.rs index b1ade1fb1..acb8f1c1a 100644 --- a/attestation-agent/attester/src/lib.rs +++ b/attestation-agent/attester/src/lib.rs @@ -59,6 +59,16 @@ pub trait Attester { /// The parameter `report_data` will be used as the user input of the /// evidence to avoid reply attack. async fn get_evidence(&self, report_data: Vec) -> Result; + + /// Extend TEE specific dynamic measurement register + /// to enable dynamic measurement capabilities for input data at runtime. + async fn extend_runtime_measurement( + &self, + _events: Vec>, + _register_index: Option, + ) -> Result<()> { + bail!("Unimplemented") + } } // Detect which TEE platform the KBC running environment is. diff --git a/attestation-agent/attester/src/tdx/mod.rs b/attestation-agent/attester/src/tdx/mod.rs index 63db5e991..b5b47e777 100644 --- a/attestation-agent/attester/src/tdx/mod.rs +++ b/attestation-agent/attester/src/tdx/mod.rs @@ -65,6 +65,28 @@ impl Attester for TdxAttester { serde_json::to_string(&evidence) .map_err(|e| anyhow!("Serialize TDX evidence failed: {:?}", e)) } + + async fn extend_runtime_measurement( + &self, + events: Vec>, + _register_index: Option, + ) -> Result<()> { + for event in events { + match tdx_attest_rs::tdx_att_extend(&event) { + tdx_attest_rs::tdx_attest_error_t::TDX_ATTEST_SUCCESS => { + log::debug!("TDX extend runtime measurement succeeded.") + } + error_code => { + bail!( + "TDX Attester: Failed to extend RTMR. Error code: {:?}", + error_code + ); + } + } + } + + Ok(()) + } } #[cfg(test)] diff --git a/attestation-agent/deps/crypto/src/native/mod.rs b/attestation-agent/deps/crypto/src/native/mod.rs index ddec8b890..031f400ce 100644 --- a/attestation-agent/deps/crypto/src/native/mod.rs +++ b/attestation-agent/deps/crypto/src/native/mod.rs @@ -8,8 +8,4 @@ pub mod aes256ctr; pub mod aes256gcm; -pub use aes256ctr::*; -pub use aes256gcm::*; - pub mod rsa; -pub use self::rsa::*; diff --git a/attestation-agent/deps/crypto/src/rust/mod.rs b/attestation-agent/deps/crypto/src/rust/mod.rs index 0f01368b9..aa5393e4c 100644 --- a/attestation-agent/deps/crypto/src/rust/mod.rs +++ b/attestation-agent/deps/crypto/src/rust/mod.rs @@ -8,8 +8,4 @@ pub mod aes256ctr; pub mod aes256gcm; -pub use aes256ctr::*; -pub use aes256gcm::*; - pub mod rsa; -pub use self::rsa::*; diff --git a/attestation-agent/deps/resource_uri/src/lib.rs b/attestation-agent/deps/resource_uri/src/lib.rs index 2366b176a..d12646691 100644 --- a/attestation-agent/deps/resource_uri/src/lib.rs +++ b/attestation-agent/deps/resource_uri/src/lib.rs @@ -16,7 +16,7 @@ const RESOURCE_ID_ERROR_INFO: &str = const SCHEME: &str = "kbs"; /// Resource Id document -#[derive(Clone, Debug, PartialEq)] +#[derive(Clone, Debug, PartialEq, Eq)] pub struct ResourceUri { pub kbs_addr: String, pub repository: String, diff --git a/attestation-agent/docs/KBS_URI.md b/attestation-agent/docs/KBS_URI.md index d14b31966..58064c484 100644 --- a/attestation-agent/docs/KBS_URI.md +++ b/attestation-agent/docs/KBS_URI.md @@ -14,7 +14,7 @@ kbs://:/// where: -- `kbs://`: This is the fixed, custom KBS resource scheme. It indicates that this URI for a [CoCo KBS](https://github.com/confidential-containers/kbs) resource. +- `kbs://`: This is the fixed, custom KBS resource scheme. It indicates that this URI for a [CoCo KBS](https://github.com/confidential-containers/kbs/tree/main/kbs) resource. - `:`: This the KBS host address and port. It is either an IP address or a domain name, and an *optional* TCP/UDP port. Also can be treated as a `confidential resource registry`. - `//`: This is the resource path. Typically, `` would be a user name, `` would be the type of the resource, and `` would help distinguish between different resource instances of the same type. The default value of `` is `default`. @@ -24,7 +24,7 @@ For example: `kbs://example.cckbs.org:8081/alice/decryption-key/1` ### CC-KBC -`CC-KBC` will convert a KBS Resource URI into a [CoCo KBS Resource API](https://github.com/confidential-containers/kbs/blob/main/docs/kbs.yaml#L74) compliant HTTP/HTTPS request. +`CC-KBC` will convert a KBS Resource URI into a [CoCo KBS Resource API](https://github.com/confidential-containers/kbs/blob/main/kbs/docs/kbs.yaml#L100) compliant HTTP/HTTPS request. For example, a KBS Resource URI `kbs://example.cckbs.org/alice/decryption-key/1` will be converted to `http://example.cckbs.org/kbs/v0/resource/alice/decryption-key/1`. ### EAA KBC & Online SEV KBC diff --git a/attestation-agent/kbs_protocol/Cargo.toml b/attestation-agent/kbs_protocol/Cargo.toml index 5af8a48c1..60171537b 100644 --- a/attestation-agent/kbs_protocol/Cargo.toml +++ b/attestation-agent/kbs_protocol/Cargo.toml @@ -21,6 +21,7 @@ serde.workspace = true serde_json.workspace = true sha2.workspace = true thiserror.workspace = true +tokio.workspace = true ttrpc = { workspace = true, optional = true} url.workspace = true zeroize.workspace = true @@ -42,7 +43,7 @@ passport = [] # use a client of attestation-agent to get token for kbs aa_token = ["ttrpc-codegen", "passport", "ttrpc/async", "protobuf"] -background_check = [] +background_check = ["tokio/time"] all-attesters = ["attester/all-attesters"] tdx-attester = ["attester/tdx-attester"] sgx-attester = ["attester/sgx-attester"] diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs index 293f30012..c0b1057ea 100644 --- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs +++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs @@ -3,6 +3,8 @@ // SPDX-License-Identifier: Apache-2.0 // +use std::time::Duration; + use anyhow::{bail, Context}; use async_trait::async_trait; use kbs_types::{Attestation, Challenge, ErrorInformation, Request, Response}; @@ -22,6 +24,13 @@ use crate::{ Error, Result, }; +/// When executing get token, RCAR handshake should retry if failed to +/// make the logic robust. This constant is the max retry times. +const RCAR_MAX_ATTEMPT: i32 = 5; + +/// The interval (seconds) between RCAR handshake retries. +const RCAR_RETRY_TIMEOUT_SECOND: u64 = 1; + #[derive(Deserialize, Debug, Clone)] struct AttestationResponseData { // Attestation token in JWT format @@ -36,14 +45,48 @@ impl KbsClient> { pub async fn get_token(&mut self) -> Result<(Token, TeeKeyPair)> { if let Some(token) = &self.token { if token.check_valid().is_err() { - self.rcar_handshake() - .await - .map_err(|e| Error::RcarHandshake(e.to_string()))?; + let mut retry_times = 1; + loop { + let res = self + .rcar_handshake() + .await + .map_err(|e| Error::RcarHandshake(e.to_string())); + match res { + Ok(_) => break, + Err(e) => { + if retry_times >= RCAR_MAX_ATTEMPT { + return Err(Error::RcarHandshake(format!("Get token failed because of RCAR handshake retried {RCAR_MAX_ATTEMPT} times."))); + } else { + warn!("RCAR handshake failed: {e}, retry {retry_times}..."); + retry_times += 1; + tokio::time::sleep(Duration::from_secs(RCAR_RETRY_TIMEOUT_SECOND)) + .await; + } + } + } + } } } else { - self.rcar_handshake() - .await - .map_err(|e| Error::RcarHandshake(e.to_string()))?; + let mut retry_times = 1; + loop { + let res = self + .rcar_handshake() + .await + .map_err(|e| Error::RcarHandshake(e.to_string())); + match res { + Ok(_) => break, + Err(e) => { + if retry_times >= RCAR_MAX_ATTEMPT { + return Err(Error::RcarHandshake(format!("Get token failed because of RCAR handshake retried {RCAR_MAX_ATTEMPT} times."))); + } else { + warn!("RCAR handshake failed: {e}, retry {retry_times}..."); + retry_times += 1; + tokio::time::sleep(Duration::from_secs(RCAR_RETRY_TIMEOUT_SECOND)) + .await; + } + } + } + } } assert!(self.token.is_some()); @@ -64,10 +107,10 @@ impl KbsClient> { let tee = match &self._tee { ClientTee::Unitialized => { let tee = self.provider.get_tee_type().await?; - self._tee = ClientTee::_Initializated(tee.clone()); + self._tee = ClientTee::_Initializated(tee); tee } - ClientTee::_Initializated(tee) => tee.clone(), + ClientTee::_Initializated(tee) => *tee, }; let request = Request { diff --git a/attestation-agent/kbs_protocol/src/lib.rs b/attestation-agent/kbs_protocol/src/lib.rs index 9db6a71f4..eb4bd6d0b 100644 --- a/attestation-agent/kbs_protocol/src/lib.rs +++ b/attestation-agent/kbs_protocol/src/lib.rs @@ -9,7 +9,7 @@ //! //! ## Protocol //! -//! Please refer to +//! Please refer to //! //! ## Usage //! diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs index 1d27b2c7d..ff1163576 100644 --- a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs +++ b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.2.0. Do not edit +// This file is generated by rust-protobuf 3.3.0. Do not edit // .proto file is parsed by pure // @generated @@ -23,10 +23,10 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetEvidenceRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetEvidenceRequest { // message fields // @@protoc_insertion_point(field:attestation_agent.GetEvidenceRequest.RuntimeData) @@ -147,8 +147,8 @@ impl ::protobuf::reflect::ProtobufValue for GetEvidenceRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetEvidenceResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetEvidenceResponse { // message fields // @@protoc_insertion_point(field:attestation_agent.GetEvidenceResponse.Evidence) @@ -269,8 +269,8 @@ impl ::protobuf::reflect::ProtobufValue for GetEvidenceResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetTokenRequest) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetTokenRequest { // message fields // @@protoc_insertion_point(field:attestation_agent.GetTokenRequest.TokenType) @@ -391,8 +391,8 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenRequest { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:attestation_agent.GetTokenResponse) +#[derive(PartialEq,Clone,Default,Debug)] pub struct GetTokenResponse { // message fields // @@protoc_insertion_point(field:attestation_agent.GetTokenResponse.Token) @@ -513,16 +513,265 @@ impl ::protobuf::reflect::ProtobufValue for GetTokenResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } +// @@protoc_insertion_point(message:attestation_agent.ExtendRuntimeMeasurementRequest) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct ExtendRuntimeMeasurementRequest { + // message fields + // @@protoc_insertion_point(field:attestation_agent.ExtendRuntimeMeasurementRequest.Events) + pub Events: ::std::vec::Vec<::std::vec::Vec>, + // @@protoc_insertion_point(field:attestation_agent.ExtendRuntimeMeasurementRequest.RegisterIndex) + pub RegisterIndex: ::std::option::Option, + // special fields + // @@protoc_insertion_point(special_field:attestation_agent.ExtendRuntimeMeasurementRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a ExtendRuntimeMeasurementRequest { + fn default() -> &'a ExtendRuntimeMeasurementRequest { + ::default_instance() + } +} + +impl ExtendRuntimeMeasurementRequest { + pub fn new() -> ExtendRuntimeMeasurementRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(2); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_vec_simpler_accessor::<_, _>( + "Events", + |m: &ExtendRuntimeMeasurementRequest| { &m.Events }, + |m: &mut ExtendRuntimeMeasurementRequest| { &mut m.Events }, + )); + fields.push(::protobuf::reflect::rt::v2::make_option_accessor::<_, _>( + "RegisterIndex", + |m: &ExtendRuntimeMeasurementRequest| { &m.RegisterIndex }, + |m: &mut ExtendRuntimeMeasurementRequest| { &mut m.RegisterIndex }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "ExtendRuntimeMeasurementRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for ExtendRuntimeMeasurementRequest { + const NAME: &'static str = "ExtendRuntimeMeasurementRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.Events.push(is.read_bytes()?); + }, + 16 => { + self.RegisterIndex = ::std::option::Option::Some(is.read_uint64()?); + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + for value in &self.Events { + my_size += ::protobuf::rt::bytes_size(1, &value); + }; + if let Some(v) = self.RegisterIndex { + my_size += ::protobuf::rt::uint64_size(2, v); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + for v in &self.Events { + os.write_bytes(1, &v)?; + }; + if let Some(v) = self.RegisterIndex { + os.write_uint64(2, v)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> ExtendRuntimeMeasurementRequest { + ExtendRuntimeMeasurementRequest::new() + } + + fn clear(&mut self) { + self.Events.clear(); + self.RegisterIndex = ::std::option::Option::None; + self.special_fields.clear(); + } + + fn default_instance() -> &'static ExtendRuntimeMeasurementRequest { + static instance: ExtendRuntimeMeasurementRequest = ExtendRuntimeMeasurementRequest { + Events: ::std::vec::Vec::new(), + RegisterIndex: ::std::option::Option::None, + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for ExtendRuntimeMeasurementRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("ExtendRuntimeMeasurementRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for ExtendRuntimeMeasurementRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for ExtendRuntimeMeasurementRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +// @@protoc_insertion_point(message:attestation_agent.ExtendRuntimeMeasurementResponse) +#[derive(PartialEq,Clone,Default,Debug)] +pub struct ExtendRuntimeMeasurementResponse { + // special fields + // @@protoc_insertion_point(special_field:attestation_agent.ExtendRuntimeMeasurementResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a ExtendRuntimeMeasurementResponse { + fn default() -> &'a ExtendRuntimeMeasurementResponse { + ::default_instance() + } +} + +impl ExtendRuntimeMeasurementResponse { + pub fn new() -> ExtendRuntimeMeasurementResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(0); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "ExtendRuntimeMeasurementResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for ExtendRuntimeMeasurementResponse { + const NAME: &'static str = "ExtendRuntimeMeasurementResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> ExtendRuntimeMeasurementResponse { + ExtendRuntimeMeasurementResponse::new() + } + + fn clear(&mut self) { + self.special_fields.clear(); + } + + fn default_instance() -> &'static ExtendRuntimeMeasurementResponse { + static instance: ExtendRuntimeMeasurementResponse = ExtendRuntimeMeasurementResponse { + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for ExtendRuntimeMeasurementResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("ExtendRuntimeMeasurementResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for ExtendRuntimeMeasurementResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for ExtendRuntimeMeasurementResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + static file_descriptor_proto_data: &'static [u8] = b"\ \n\x17attestation-agent.proto\x12\x11attestation_agent\"6\n\x12GetEviden\ ceRequest\x12\x20\n\x0bRuntimeData\x18\x01\x20\x01(\x0cR\x0bRuntimeData\ \"1\n\x13GetEvidenceResponse\x12\x1a\n\x08Evidence\x18\x01\x20\x01(\x0cR\ \x08Evidence\"/\n\x0fGetTokenRequest\x12\x1c\n\tTokenType\x18\x01\x20\ \x01(\tR\tTokenType\"(\n\x10GetTokenResponse\x12\x14\n\x05Token\x18\x01\ - \x20\x01(\x0cR\x05Token2\xcc\x01\n\x17AttestationAgentService\x12\\\n\ - \x0bGetEvidence\x12%.attestation_agent.GetEvidenceRequest\x1a&.attestati\ - on_agent.GetEvidenceResponse\x12S\n\x08GetToken\x12\".attestation_agent.\ - GetTokenRequest\x1a#.attestation_agent.GetTokenResponseb\x06proto3\ + \x20\x01(\x0cR\x05Token\"v\n\x1fExtendRuntimeMeasurementRequest\x12\x16\ + \n\x06Events\x18\x01\x20\x03(\x0cR\x06Events\x12)\n\rRegisterIndex\x18\ + \x02\x20\x01(\x04H\0R\rRegisterIndex\x88\x01\x01B\x10\n\x0e_RegisterInde\ + x\"\"\n\x20ExtendRuntimeMeasurementResponse2\xd2\x02\n\x17AttestationAge\ + ntService\x12\\\n\x0bGetEvidence\x12%.attestation_agent.GetEvidenceReque\ + st\x1a&.attestation_agent.GetEvidenceResponse\x12S\n\x08GetToken\x12\".a\ + ttestation_agent.GetTokenRequest\x1a#.attestation_agent.GetTokenResponse\ + \x12\x83\x01\n\x18ExtendRuntimeMeasurement\x122.attestation_agent.Extend\ + RuntimeMeasurementRequest\x1a3.attestation_agent.ExtendRuntimeMeasuremen\ + tResponseb\x06proto3\ "; /// `FileDescriptorProto` object which was a source for this generated file @@ -540,11 +789,13 @@ pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor { file_descriptor.get(|| { let generated_file_descriptor = generated_file_descriptor_lazy.get(|| { let mut deps = ::std::vec::Vec::with_capacity(0); - let mut messages = ::std::vec::Vec::with_capacity(4); + let mut messages = ::std::vec::Vec::with_capacity(6); messages.push(GetEvidenceRequest::generated_message_descriptor_data()); messages.push(GetEvidenceResponse::generated_message_descriptor_data()); messages.push(GetTokenRequest::generated_message_descriptor_data()); messages.push(GetTokenResponse::generated_message_descriptor_data()); + messages.push(ExtendRuntimeMeasurementRequest::generated_message_descriptor_data()); + messages.push(ExtendRuntimeMeasurementResponse::generated_message_descriptor_data()); let mut enums = ::std::vec::Vec::with_capacity(0); ::protobuf::reflect::GeneratedFileDescriptor::new_generated( file_descriptor_proto(), diff --git a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs index 96a8c394e..5346928d1 100644 --- a/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs +++ b/attestation-agent/kbs_protocol/src/token_provider/aa/attestation_agent_ttrpc.rs @@ -1,12 +1,9 @@ -// This file is generated by ttrpc-compiler 0.6.1. Do not edit +// This file is generated by ttrpc-compiler 0.6.2. Do not edit // @generated -// https://github.com/Manishearth/rust-clippy/issues/702 +#![cfg_attr(rustfmt, rustfmt_skip)] #![allow(unknown_lints)] #![allow(clipto_camel_casepy)] - -#![cfg_attr(rustfmt, rustfmt_skip)] - #![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] @@ -17,6 +14,7 @@ #![allow(unsafe_code)] #![allow(unused_imports)] #![allow(unused_results)] +#![allow(clippy::all)] use protobuf::{CodedInputStream, CodedOutputStream, Message}; use std::collections::HashMap; use std::sync::Arc; @@ -43,6 +41,11 @@ impl AttestationAgentServiceClient { let mut cres = super::attestation_agent::GetTokenResponse::new(); ::ttrpc::async_client_request!(self, ctx, req, "attestation_agent.AttestationAgentService", "GetToken", cres); } + + pub async fn extend_runtime_measurement(&self, ctx: ttrpc::context::Context, req: &super::attestation_agent::ExtendRuntimeMeasurementRequest) -> ::ttrpc::Result { + let mut cres = super::attestation_agent::ExtendRuntimeMeasurementResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "attestation_agent.AttestationAgentService", "ExtendRuntimeMeasurement", cres); + } } struct GetEvidenceMethod { @@ -67,6 +70,17 @@ impl ::ttrpc::r#async::MethodHandler for GetTokenMethod { } } +struct ExtendRuntimeMeasurementMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for ExtendRuntimeMeasurementMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, attestation_agent, ExtendRuntimeMeasurementRequest, extend_runtime_measurement); + } +} + #[async_trait] pub trait AttestationAgentService: Sync { async fn get_evidence(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::attestation_agent::GetEvidenceRequest) -> ::ttrpc::Result { @@ -75,6 +89,9 @@ pub trait AttestationAgentService: Sync { async fn get_token(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::attestation_agent::GetTokenRequest) -> ::ttrpc::Result { Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/attestation_agent.AttestationAgentService/GetToken is not supported".to_string()))) } + async fn extend_runtime_measurement(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::attestation_agent::ExtendRuntimeMeasurementRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/attestation_agent.AttestationAgentService/ExtendRuntimeMeasurement is not supported".to_string()))) + } } pub fn create_attestation_agent_service(service: Arc>) -> HashMap { @@ -88,6 +105,9 @@ pub fn create_attestation_agent_service(service: Arc); + methods.insert("ExtendRuntimeMeasurement".to_string(), + Box::new(ExtendRuntimeMeasurementMethod{service: service.clone()}) as Box); + ret.insert("attestation_agent.AttestationAgentService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); ret } diff --git a/attestation-agent/lib/src/lib.rs b/attestation-agent/lib/src/lib.rs index cec73aec0..ff0eda218 100644 --- a/attestation-agent/lib/src/lib.rs +++ b/attestation-agent/lib/src/lib.rs @@ -79,6 +79,13 @@ pub trait AttestationAPIs { /// Get TEE hardware signed evidence that includes the runtime data. async fn get_evidence(&mut self, runtime_data: &[u8]) -> Result>; + + /// Extend runtime measurement register + async fn extend_runtime_measurement( + &mut self, + events: Vec>, + register_index: Option, + ) -> Result<()>; } /// Attestation agent to provide attestation service. @@ -193,4 +200,18 @@ impl AttestationAPIs for AttestationAgent { let evidence = attester.get_evidence(runtime_data.to_vec()).await?; Ok(evidence.into_bytes()) } + + /// Extend runtime measurement register + async fn extend_runtime_measurement( + &mut self, + events: Vec>, + register_index: Option, + ) -> Result<()> { + let tee_type = detect_tee_type().ok_or(anyhow!("no supported tee type found!"))?; + let attester = TryInto::::try_into(tee_type)?; + attester + .extend_runtime_measurement(events, register_index) + .await?; + Ok(()) + } } diff --git a/attestation-agent/lib/src/token.rs b/attestation-agent/lib/src/token.rs index 85ab06a06..0001c57ea 100644 --- a/attestation-agent/lib/src/token.rs +++ b/attestation-agent/lib/src/token.rs @@ -9,7 +9,7 @@ use serde::{Deserialize, Serialize}; use std::path::Path; use tokio::fs; -const PEER_POD_CONFIG_PATH: &str = "/peerpod/daemon.json"; +const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json"; #[derive(Serialize)] struct Message { @@ -20,7 +20,7 @@ struct Message { pub(crate) async fn get_kbs_token() -> Result> { let evidence_provider = Box::new(NativeEvidenceProvider::new()?); - // Check for /peerpod/daemon.json to see if we are in a peer pod + // Check for /run/peerpod/daemon.json to see if we are in a peer pod // If so we need to read from the agent-config file, not /proc/cmdline let kbc_params = match Path::new(PEER_POD_CONFIG_PATH).exists() { true => get_kbc_params_from_config_file().await?, diff --git a/attestation-agent/protos/attestation-agent.proto b/attestation-agent/protos/attestation-agent.proto index ec233db14..a6a455464 100644 --- a/attestation-agent/protos/attestation-agent.proto +++ b/attestation-agent/protos/attestation-agent.proto @@ -18,7 +18,15 @@ message GetTokenResponse { bytes Token = 1; } +message ExtendRuntimeMeasurementRequest { + repeated bytes Events = 1; + optional uint64 RegisterIndex = 2; +} + +message ExtendRuntimeMeasurementResponse {} + service AttestationAgentService { rpc GetEvidence(GetEvidenceRequest) returns (GetEvidenceResponse) {}; rpc GetToken(GetTokenRequest) returns (GetTokenResponse) {}; + rpc ExtendRuntimeMeasurement(ExtendRuntimeMeasurementRequest) returns (ExtendRuntimeMeasurementResponse) {}; } diff --git a/confidential-data-hub/Makefile b/confidential-data-hub/Makefile index bc4c215be..82e331126 100644 --- a/confidential-data-hub/Makefile +++ b/confidential-data-hub/Makefile @@ -38,7 +38,10 @@ endif ifdef PROVIDER features += $(PROVIDER) else - features += aliyun + ifneq ($(ARCH), s390x) + $(info INFO: All plugins will be built in by default) + features += aliyun,ehsm + endif endif ifeq ($(LIBC), musl) diff --git a/confidential-data-hub/README.md b/confidential-data-hub/README.md index e15c21eee..2d1b1b1cf 100644 --- a/confidential-data-hub/README.md +++ b/confidential-data-hub/README.md @@ -39,5 +39,6 @@ KMS plugins (flag `PROVIDER`) | Feature name | Note | | ------------------- | ----------------------------------------------------------------- | | aliyun | Use aliyun KMS suites to unseal secrets, etc. | +| ehsm | Use Intel eHSM KMS suites to unseal secrets, etc. | Note: If no `PROVIDER` is given, all features will be enabled. diff --git a/confidential-data-hub/docs/SECURE_STORAGE.md b/confidential-data-hub/docs/SECURE_STORAGE.md new file mode 100644 index 000000000..d93bec0c4 --- /dev/null +++ b/confidential-data-hub/docs/SECURE_STORAGE.md @@ -0,0 +1,13 @@ +# Secure Storage + +## Purpose +The Purpose of this secure storage feature is: +1. Mounting external storage from guest instead of host which would then share it to guest, this is due to performance consideration. +2. The unencrypted data in storage could only be accessed within TEE, that is why we call it secure storage. + +## Architecture +![architecture](./images/secure_storage.png) + +First of all, the sensitive information of external storage is sealed by the key from KBS/KMS, and store in [sealed secret](https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/docs/SEALED_SECRET.md). The sensitive information includes access key id/access key secret to storage, the encryption key of the data(such as AI model) stored in the storage, which also means we supported client encryption. +We reuse [direct block device assigned volume feature](https://github.com/kata-containers/kata-containers/blob/main/docs/design/direct-blk-device-assignment.md) to mount external storage from guest directly. CSI plugin, such as [alibaba cloud OSS CSI plugin](https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver/blob/master/docs/oss.md) reads the sensitve information from sealed secret and pass it to kata agent. When secure mount service in CDH receives secure mount request, it calls sealed secret service to unseal the sensitive information mentioned above, this process could be based on remote attestation. If success, the secure mount service would use the unsealed sensitive information to mount the external storage and decrypt the data in storage. + diff --git a/confidential-data-hub/docs/images/secure_storage.png b/confidential-data-hub/docs/images/secure_storage.png new file mode 100644 index 000000000..225d946e9 Binary files /dev/null and b/confidential-data-hub/docs/images/secure_storage.png differ diff --git a/confidential-data-hub/docs/kms-providers/alibaba.md b/confidential-data-hub/docs/kms-providers/alibaba.md index 23b935a75..5613a87f4 100644 --- a/confidential-data-hub/docs/kms-providers/alibaba.md +++ b/confidential-data-hub/docs/kms-providers/alibaba.md @@ -89,7 +89,7 @@ Then, let's # define the parameters KEY_ID=$(cat kms-key-id.txt) KMS_INSTANCE_ID=$(cat kms-instance-id.txt) -CLIENT_KEY_PASSWORD_FILE_PATH=$(pwd)/ClientKeyPassword.txt +CLIENT_KEY_PASSWORD_FILE_PATH=$(pwd)/ClientKeyPassword.json CERT_PATH=$(pwd)/ca.pem CLIENT_KEY_FILE_PATH=$(pwd)/ClientKeyContent.json diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml index 3d2c28937..923b675fa 100644 --- a/confidential-data-hub/hub/Cargo.toml +++ b/confidential-data-hub/hub/Cargo.toml @@ -15,11 +15,14 @@ anyhow = { workspace = true, optional = true } async-trait.workspace = true base64.workspace = true clap = { workspace = true, features = [ "derive" ], optional = true } +image = { path = "../image", default-features = false } kms = { path = "../kms", default-features = false } lazy_static.workspace = true log.workspace = true protobuf = { workspace = true, optional = true } secret.path = "../secret" +storage.path = "../storage" +serde = { workspace = true, optional = true } serde_json.workspace = true sev = { path = "../../attestation-agent/deps/sev", optional = true } thiserror.workspace = true @@ -33,12 +36,15 @@ ttrpc-codegen = { workspace = true, optional = true } default = ["kbs"] # support aliyun stacks (KMS, ..) -aliyun = ["secret/aliyun"] +aliyun = ["image/aliyun", "secret/aliyun"] # support coco-KBS to provide confidential resources -kbs = ["kms/kbs", "secret/kbs"] +kbs = ["image/kbs", "kms/kbs", "secret/kbs"] # support sev to provide confidential resources -sev = ["kms/sev", "dep:sev", "secret/sev"] +sev = ["image/sev", "kms/sev", "dep:sev", "secret/sev"] -bin = ["anyhow", "clap", "protobuf", "tokio/signal", "ttrpc", "ttrpc-codegen"] +# support eHSM stacks (KMS, ...) +ehsm = ["image/ehsm", "secret/ehsm"] + +bin = ["anyhow", "clap", "protobuf", "serde", "tokio/signal", "ttrpc", "ttrpc-codegen"] diff --git a/confidential-data-hub/hub/protos/api.proto b/confidential-data-hub/hub/protos/api.proto index cba138287..8a8ddaf26 100644 --- a/confidential-data-hub/hub/protos/api.proto +++ b/confidential-data-hub/hub/protos/api.proto @@ -18,6 +18,27 @@ message GetResourceResponse { bytes Resource = 1; } +message KeyProviderKeyWrapProtocolInput { + bytes KeyProviderKeyWrapProtocolInput = 1; +} + +message KeyProviderKeyWrapProtocolOutput { + bytes KeyProviderKeyWrapProtocolOutput = 1; +} + +message SecureMountRequest { + string driver = 1; + repeated string driver_options = 2; + string source = 3; + string fstype = 4; + repeated string options = 5; + string mount_point = 6; +} + +message SecureMountResponse { + string mount_path = 1; +} + service SealedSecretService { rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {}; } @@ -25,3 +46,11 @@ service SealedSecretService { service GetResourceService { rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {}; } + +service KeyProviderService { + rpc UnWrapKey(KeyProviderKeyWrapProtocolInput) returns (KeyProviderKeyWrapProtocolOutput) {}; +} + +service SecureMountService { + rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {}; +} diff --git a/confidential-data-hub/hub/src/api.rs b/confidential-data-hub/hub/src/api.rs index 3069bff3d..880db037e 100644 --- a/confidential-data-hub/hub/src/api.rs +++ b/confidential-data-hub/hub/src/api.rs @@ -6,6 +6,7 @@ use async_trait::async_trait; use crate::Result; +use storage::volume_type::Storage; /// The APIs of the DataHub. See /// for @@ -26,4 +27,6 @@ pub trait DataHub { /// URI is defined in /// async fn get_resource(&self, uri: String) -> Result>; + + async fn secure_mount(&self, storage: Storage) -> Result; } diff --git a/confidential-data-hub/hub/src/auth/kbs.rs b/confidential-data-hub/hub/src/auth/kbs.rs index e22e5f609..afd95f21e 100644 --- a/confidential-data-hub/hub/src/auth/kbs.rs +++ b/confidential-data-hub/hub/src/auth/kbs.rs @@ -8,12 +8,12 @@ //! //! For the first implementation, it is assumed that all the resource //! ids are from the kernel commandline in the following format: -//! ``` +//! ```shell //! cdh.kbs_resources=::,::... //! ``` //! //! for example -//! ``` +//! ```shell //! cdh.kbs_resources=kbs:///default/key/1::/run/temp1,kbs:///default/key/2::/run/temp2 //! ``` //! diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs index a15d51523..302ac804e 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/api.rs @@ -513,16 +513,607 @@ impl ::protobuf::reflect::ProtobufValue for GetResourceResponse { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } +#[derive(PartialEq,Clone,Default,Debug)] +// @@protoc_insertion_point(message:api.KeyProviderKeyWrapProtocolInput) +pub struct KeyProviderKeyWrapProtocolInput { + // message fields + // @@protoc_insertion_point(field:api.KeyProviderKeyWrapProtocolInput.KeyProviderKeyWrapProtocolInput) + pub KeyProviderKeyWrapProtocolInput: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.KeyProviderKeyWrapProtocolInput.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a KeyProviderKeyWrapProtocolInput { + fn default() -> &'a KeyProviderKeyWrapProtocolInput { + ::default_instance() + } +} + +impl KeyProviderKeyWrapProtocolInput { + pub fn new() -> KeyProviderKeyWrapProtocolInput { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "KeyProviderKeyWrapProtocolInput", + |m: &KeyProviderKeyWrapProtocolInput| { &m.KeyProviderKeyWrapProtocolInput }, + |m: &mut KeyProviderKeyWrapProtocolInput| { &mut m.KeyProviderKeyWrapProtocolInput }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "KeyProviderKeyWrapProtocolInput", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for KeyProviderKeyWrapProtocolInput { + const NAME: &'static str = "KeyProviderKeyWrapProtocolInput"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.KeyProviderKeyWrapProtocolInput = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.KeyProviderKeyWrapProtocolInput.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.KeyProviderKeyWrapProtocolInput); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.KeyProviderKeyWrapProtocolInput.is_empty() { + os.write_bytes(1, &self.KeyProviderKeyWrapProtocolInput)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> KeyProviderKeyWrapProtocolInput { + KeyProviderKeyWrapProtocolInput::new() + } + + fn clear(&mut self) { + self.KeyProviderKeyWrapProtocolInput.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static KeyProviderKeyWrapProtocolInput { + static instance: KeyProviderKeyWrapProtocolInput = KeyProviderKeyWrapProtocolInput { + KeyProviderKeyWrapProtocolInput: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for KeyProviderKeyWrapProtocolInput { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("KeyProviderKeyWrapProtocolInput").unwrap()).clone() + } +} + +impl ::std::fmt::Display for KeyProviderKeyWrapProtocolInput { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolInput { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +#[derive(PartialEq,Clone,Default,Debug)] +// @@protoc_insertion_point(message:api.KeyProviderKeyWrapProtocolOutput) +pub struct KeyProviderKeyWrapProtocolOutput { + // message fields + // @@protoc_insertion_point(field:api.KeyProviderKeyWrapProtocolOutput.KeyProviderKeyWrapProtocolOutput) + pub KeyProviderKeyWrapProtocolOutput: ::std::vec::Vec, + // special fields + // @@protoc_insertion_point(special_field:api.KeyProviderKeyWrapProtocolOutput.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a KeyProviderKeyWrapProtocolOutput { + fn default() -> &'a KeyProviderKeyWrapProtocolOutput { + ::default_instance() + } +} + +impl KeyProviderKeyWrapProtocolOutput { + pub fn new() -> KeyProviderKeyWrapProtocolOutput { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "KeyProviderKeyWrapProtocolOutput", + |m: &KeyProviderKeyWrapProtocolOutput| { &m.KeyProviderKeyWrapProtocolOutput }, + |m: &mut KeyProviderKeyWrapProtocolOutput| { &mut m.KeyProviderKeyWrapProtocolOutput }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "KeyProviderKeyWrapProtocolOutput", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for KeyProviderKeyWrapProtocolOutput { + const NAME: &'static str = "KeyProviderKeyWrapProtocolOutput"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.KeyProviderKeyWrapProtocolOutput = is.read_bytes()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.KeyProviderKeyWrapProtocolOutput.is_empty() { + my_size += ::protobuf::rt::bytes_size(1, &self.KeyProviderKeyWrapProtocolOutput); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.KeyProviderKeyWrapProtocolOutput.is_empty() { + os.write_bytes(1, &self.KeyProviderKeyWrapProtocolOutput)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> KeyProviderKeyWrapProtocolOutput { + KeyProviderKeyWrapProtocolOutput::new() + } + + fn clear(&mut self) { + self.KeyProviderKeyWrapProtocolOutput.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static KeyProviderKeyWrapProtocolOutput { + static instance: KeyProviderKeyWrapProtocolOutput = KeyProviderKeyWrapProtocolOutput { + KeyProviderKeyWrapProtocolOutput: ::std::vec::Vec::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for KeyProviderKeyWrapProtocolOutput { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("KeyProviderKeyWrapProtocolOutput").unwrap()).clone() + } +} + +impl ::std::fmt::Display for KeyProviderKeyWrapProtocolOutput { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolOutput { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +#[derive(PartialEq,Clone,Default,Debug)] +// @@protoc_insertion_point(message:api.SecureMountRequest) +pub struct SecureMountRequest { + // message fields + // @@protoc_insertion_point(field:api.SecureMountRequest.driver) + pub driver: ::std::string::String, + // @@protoc_insertion_point(field:api.SecureMountRequest.driver_options) + pub driver_options: ::std::vec::Vec<::std::string::String>, + // @@protoc_insertion_point(field:api.SecureMountRequest.source) + pub source: ::std::string::String, + // @@protoc_insertion_point(field:api.SecureMountRequest.fstype) + pub fstype: ::std::string::String, + // @@protoc_insertion_point(field:api.SecureMountRequest.options) + pub options: ::std::vec::Vec<::std::string::String>, + // @@protoc_insertion_point(field:api.SecureMountRequest.mount_point) + pub mount_point: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.SecureMountRequest.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a SecureMountRequest { + fn default() -> &'a SecureMountRequest { + ::default_instance() + } +} + +impl SecureMountRequest { + pub fn new() -> SecureMountRequest { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(6); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "driver", + |m: &SecureMountRequest| { &m.driver }, + |m: &mut SecureMountRequest| { &mut m.driver }, + )); + fields.push(::protobuf::reflect::rt::v2::make_vec_simpler_accessor::<_, _>( + "driver_options", + |m: &SecureMountRequest| { &m.driver_options }, + |m: &mut SecureMountRequest| { &mut m.driver_options }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "source", + |m: &SecureMountRequest| { &m.source }, + |m: &mut SecureMountRequest| { &mut m.source }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "fstype", + |m: &SecureMountRequest| { &m.fstype }, + |m: &mut SecureMountRequest| { &mut m.fstype }, + )); + fields.push(::protobuf::reflect::rt::v2::make_vec_simpler_accessor::<_, _>( + "options", + |m: &SecureMountRequest| { &m.options }, + |m: &mut SecureMountRequest| { &mut m.options }, + )); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "mount_point", + |m: &SecureMountRequest| { &m.mount_point }, + |m: &mut SecureMountRequest| { &mut m.mount_point }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "SecureMountRequest", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for SecureMountRequest { + const NAME: &'static str = "SecureMountRequest"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.driver = is.read_string()?; + }, + 18 => { + self.driver_options.push(is.read_string()?); + }, + 26 => { + self.source = is.read_string()?; + }, + 34 => { + self.fstype = is.read_string()?; + }, + 42 => { + self.options.push(is.read_string()?); + }, + 50 => { + self.mount_point = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.driver.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.driver); + } + for value in &self.driver_options { + my_size += ::protobuf::rt::string_size(2, &value); + }; + if !self.source.is_empty() { + my_size += ::protobuf::rt::string_size(3, &self.source); + } + if !self.fstype.is_empty() { + my_size += ::protobuf::rt::string_size(4, &self.fstype); + } + for value in &self.options { + my_size += ::protobuf::rt::string_size(5, &value); + }; + if !self.mount_point.is_empty() { + my_size += ::protobuf::rt::string_size(6, &self.mount_point); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.driver.is_empty() { + os.write_string(1, &self.driver)?; + } + for v in &self.driver_options { + os.write_string(2, &v)?; + }; + if !self.source.is_empty() { + os.write_string(3, &self.source)?; + } + if !self.fstype.is_empty() { + os.write_string(4, &self.fstype)?; + } + for v in &self.options { + os.write_string(5, &v)?; + }; + if !self.mount_point.is_empty() { + os.write_string(6, &self.mount_point)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> SecureMountRequest { + SecureMountRequest::new() + } + + fn clear(&mut self) { + self.driver.clear(); + self.driver_options.clear(); + self.source.clear(); + self.fstype.clear(); + self.options.clear(); + self.mount_point.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static SecureMountRequest { + static instance: SecureMountRequest = SecureMountRequest { + driver: ::std::string::String::new(), + driver_options: ::std::vec::Vec::new(), + source: ::std::string::String::new(), + fstype: ::std::string::String::new(), + options: ::std::vec::Vec::new(), + mount_point: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for SecureMountRequest { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("SecureMountRequest").unwrap()).clone() + } +} + +impl ::std::fmt::Display for SecureMountRequest { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for SecureMountRequest { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + +#[derive(PartialEq,Clone,Default,Debug)] +// @@protoc_insertion_point(message:api.SecureMountResponse) +pub struct SecureMountResponse { + // message fields + // @@protoc_insertion_point(field:api.SecureMountResponse.mount_path) + pub mount_path: ::std::string::String, + // special fields + // @@protoc_insertion_point(special_field:api.SecureMountResponse.special_fields) + pub special_fields: ::protobuf::SpecialFields, +} + +impl<'a> ::std::default::Default for &'a SecureMountResponse { + fn default() -> &'a SecureMountResponse { + ::default_instance() + } +} + +impl SecureMountResponse { + pub fn new() -> SecureMountResponse { + ::std::default::Default::default() + } + + fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData { + let mut fields = ::std::vec::Vec::with_capacity(1); + let mut oneofs = ::std::vec::Vec::with_capacity(0); + fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>( + "mount_path", + |m: &SecureMountResponse| { &m.mount_path }, + |m: &mut SecureMountResponse| { &mut m.mount_path }, + )); + ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::( + "SecureMountResponse", + fields, + oneofs, + ) + } +} + +impl ::protobuf::Message for SecureMountResponse { + const NAME: &'static str = "SecureMountResponse"; + + fn is_initialized(&self) -> bool { + true + } + + fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> { + while let Some(tag) = is.read_raw_tag_or_eof()? { + match tag { + 10 => { + self.mount_path = is.read_string()?; + }, + tag => { + ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?; + }, + }; + } + ::std::result::Result::Ok(()) + } + + // Compute sizes of nested messages + #[allow(unused_variables)] + fn compute_size(&self) -> u64 { + let mut my_size = 0; + if !self.mount_path.is_empty() { + my_size += ::protobuf::rt::string_size(1, &self.mount_path); + } + my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields()); + self.special_fields.cached_size().set(my_size as u32); + my_size + } + + fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> { + if !self.mount_path.is_empty() { + os.write_string(1, &self.mount_path)?; + } + os.write_unknown_fields(self.special_fields.unknown_fields())?; + ::std::result::Result::Ok(()) + } + + fn special_fields(&self) -> &::protobuf::SpecialFields { + &self.special_fields + } + + fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields { + &mut self.special_fields + } + + fn new() -> SecureMountResponse { + SecureMountResponse::new() + } + + fn clear(&mut self) { + self.mount_path.clear(); + self.special_fields.clear(); + } + + fn default_instance() -> &'static SecureMountResponse { + static instance: SecureMountResponse = SecureMountResponse { + mount_path: ::std::string::String::new(), + special_fields: ::protobuf::SpecialFields::new(), + }; + &instance + } +} + +impl ::protobuf::MessageFull for SecureMountResponse { + fn descriptor() -> ::protobuf::reflect::MessageDescriptor { + static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new(); + descriptor.get(|| file_descriptor().message_by_package_relative_name("SecureMountResponse").unwrap()).clone() + } +} + +impl ::std::fmt::Display for SecureMountResponse { + fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result { + ::protobuf::text_format::fmt(self, f) + } +} + +impl ::protobuf::reflect::ProtobufValue for SecureMountResponse { + type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; +} + static file_descriptor_proto_data: &'static [u8] = b"\ \n\tapi.proto\x12\x03api\"+\n\x11UnsealSecretInput\x12\x16\n\x06secret\ \x18\x01\x20\x01(\x0cR\x06secret\"2\n\x12UnsealSecretOutput\x12\x1c\n\tp\ laintext\x18\x01\x20\x01(\x0cR\tplaintext\"8\n\x12GetResourceRequest\x12\ \"\n\x0cResourcePath\x18\x01\x20\x01(\tR\x0cResourcePath\"1\n\x13GetReso\ - urceResponse\x12\x1a\n\x08Resource\x18\x01\x20\x01(\x0cR\x08Resource2V\n\ - \x13SealedSecretService\x12?\n\x0cUnsealSecret\x12\x16.api.UnsealSecretI\ - nput\x1a\x17.api.UnsealSecretOutput2V\n\x12GetResourceService\x12@\n\x0b\ - GetResource\x12\x17.api.GetResourceRequest\x1a\x18.api.GetResourceRespon\ - seb\x06proto3\ + urceResponse\x12\x1a\n\x08Resource\x18\x01\x20\x01(\x0cR\x08Resource\"k\ + \n\x1fKeyProviderKeyWrapProtocolInput\x12H\n\x1fKeyProviderKeyWrapProtoc\ + olInput\x18\x01\x20\x01(\x0cR\x1fKeyProviderKeyWrapProtocolInput\"n\n\ + \x20KeyProviderKeyWrapProtocolOutput\x12J\n\x20KeyProviderKeyWrapProtoco\ + lOutput\x18\x01\x20\x01(\x0cR\x20KeyProviderKeyWrapProtocolOutput\"\xbe\ + \x01\n\x12SecureMountRequest\x12\x16\n\x06driver\x18\x01\x20\x01(\tR\x06\ + driver\x12%\n\x0edriver_options\x18\x02\x20\x03(\tR\rdriverOptions\x12\ + \x16\n\x06source\x18\x03\x20\x01(\tR\x06source\x12\x16\n\x06fstype\x18\ + \x04\x20\x01(\tR\x06fstype\x12\x18\n\x07options\x18\x05\x20\x03(\tR\x07o\ + ptions\x12\x1f\n\x0bmount_point\x18\x06\x20\x01(\tR\nmountPoint\"4\n\x13\ + SecureMountResponse\x12\x1d\n\nmount_path\x18\x01\x20\x01(\tR\tmountPath\ + 2V\n\x13SealedSecretService\x12?\n\x0cUnsealSecret\x12\x16.api.UnsealSec\ + retInput\x1a\x17.api.UnsealSecretOutput2V\n\x12GetResourceService\x12@\n\ + \x0bGetResource\x12\x17.api.GetResourceRequest\x1a\x18.api.GetResourceRe\ + sponse2n\n\x12KeyProviderService\x12X\n\tUnWrapKey\x12$.api.KeyProviderK\ + eyWrapProtocolInput\x1a%.api.KeyProviderKeyWrapProtocolOutput2V\n\x12Sec\ + ureMountService\x12@\n\x0bSecureMount\x12\x17.api.SecureMountRequest\x1a\ + \x18.api.SecureMountResponseb\x06proto3\ "; /// `FileDescriptorProto` object which was a source for this generated file @@ -540,11 +1131,15 @@ pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor { file_descriptor.get(|| { let generated_file_descriptor = generated_file_descriptor_lazy.get(|| { let mut deps = ::std::vec::Vec::with_capacity(0); - let mut messages = ::std::vec::Vec::with_capacity(4); + let mut messages = ::std::vec::Vec::with_capacity(8); messages.push(UnsealSecretInput::generated_message_descriptor_data()); messages.push(UnsealSecretOutput::generated_message_descriptor_data()); messages.push(GetResourceRequest::generated_message_descriptor_data()); messages.push(GetResourceResponse::generated_message_descriptor_data()); + messages.push(KeyProviderKeyWrapProtocolInput::generated_message_descriptor_data()); + messages.push(KeyProviderKeyWrapProtocolOutput::generated_message_descriptor_data()); + messages.push(SecureMountRequest::generated_message_descriptor_data()); + messages.push(SecureMountResponse::generated_message_descriptor_data()); let mut enums = ::std::vec::Vec::with_capacity(0); ::protobuf::reflect::GeneratedFileDescriptor::new_generated( file_descriptor_proto(), diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs index 95f1e5b2b..47b16b330 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/api_ttrpc.rs @@ -117,3 +117,99 @@ pub fn create_get_resource_service(service: Arc Self { + KeyProviderServiceClient { + client, + } + } + + pub async fn un_wrap_key(&self, ctx: ttrpc::context::Context, req: &super::api::KeyProviderKeyWrapProtocolInput) -> ::ttrpc::Result { + let mut cres = super::api::KeyProviderKeyWrapProtocolOutput::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.KeyProviderService", "UnWrapKey", cres); + } +} + +struct UnWrapKeyMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for UnWrapKeyMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, KeyProviderKeyWrapProtocolInput, un_wrap_key); + } +} + +#[async_trait] +pub trait KeyProviderService: Sync { + async fn un_wrap_key(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::KeyProviderKeyWrapProtocolInput) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.KeyProviderService/UnWrapKey is not supported".to_string()))) + } +} + +pub fn create_key_provider_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("UnWrapKey".to_string(), + Box::new(UnWrapKeyMethod{service: service.clone()}) as Box); + + ret.insert("api.KeyProviderService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} + +#[derive(Clone)] +pub struct SecureMountServiceClient { + client: ::ttrpc::r#async::Client, +} + +impl SecureMountServiceClient { + pub fn new(client: ::ttrpc::r#async::Client) -> Self { + SecureMountServiceClient { + client, + } + } + + pub async fn secure_mount(&self, ctx: ttrpc::context::Context, req: &super::api::SecureMountRequest) -> ::ttrpc::Result { + let mut cres = super::api::SecureMountResponse::new(); + ::ttrpc::async_client_request!(self, ctx, req, "api.SecureMountService", "SecureMount", cres); + } +} + +struct SecureMountMethod { + service: Arc>, +} + +#[async_trait] +impl ::ttrpc::r#async::MethodHandler for SecureMountMethod { + async fn handler(&self, ctx: ::ttrpc::r#async::TtrpcContext, req: ::ttrpc::Request) -> ::ttrpc::Result<::ttrpc::Response> { + ::ttrpc::async_request_handler!(self, ctx, req, api, SecureMountRequest, secure_mount); + } +} + +#[async_trait] +pub trait SecureMountService: Sync { + async fn secure_mount(&self, _ctx: &::ttrpc::r#async::TtrpcContext, _: super::api::SecureMountRequest) -> ::ttrpc::Result { + Err(::ttrpc::Error::RpcStatus(::ttrpc::get_status(::ttrpc::Code::NOT_FOUND, "/api.SecureMountService/SecureMount is not supported".to_string()))) + } +} + +pub fn create_secure_mount_service(service: Arc>) -> HashMap { + let mut ret = HashMap::new(); + let mut methods = HashMap::new(); + let streams = HashMap::new(); + + methods.insert("SecureMount".to_string(), + Box::new(SecureMountMethod{service: service.clone()}) as Box); + + ret.insert("api.SecureMountService".to_string(), ::ttrpc::r#async::Service{ methods, streams }); + ret +} diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs index 1702ee48c..6455b98b1 100644 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/main.rs @@ -6,7 +6,10 @@ use std::{path::Path, sync::Arc}; use anyhow::{Context, Result}; -use api_ttrpc::create_sealed_secret_service; +use api_ttrpc::{ + create_get_resource_service, create_key_provider_service, create_sealed_secret_service, + create_secure_mount_service, +}; use clap::Parser; use log::info; use server::Server; @@ -16,8 +19,6 @@ use tokio::{ }; use ttrpc::r#async::Server as TtrpcServer; -use crate::api_ttrpc::create_get_resource_service; - mod api; mod api_ttrpc; mod server; @@ -57,11 +58,15 @@ async fn main() -> Result<()> { let sealed_secret_service = ttrpc_service!(create_sealed_secret_service); let get_resource_service = ttrpc_service!(create_get_resource_service); + let key_provider_service = ttrpc_service!(create_key_provider_service); + let secure_mount_service = ttrpc_service!(create_secure_mount_service); let mut server = TtrpcServer::new() .bind(&cli.socket) .context("cannot bind cdh ttrpc service")? .register_service(sealed_secret_service) - .register_service(get_resource_service); + .register_service(get_resource_service) + .register_service(secure_mount_service) + .register_service(key_provider_service); server.start().await?; diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/server.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/server.rs deleted file mode 100644 index 336df1ecf..000000000 --- a/confidential-data-hub/hub/src/bin/confidential-data-hub/server.rs +++ /dev/null @@ -1,90 +0,0 @@ -// Copyright (c) 2023 Alibaba Cloud -// -// SPDX-License-Identifier: Apache-2.0 -// - -use std::sync::Arc; - -use anyhow::Result; -use async_trait::async_trait; -use confidential_data_hub::{hub::Hub, DataHub}; -use lazy_static::lazy_static; -use log::debug; -use tokio::sync::RwLock; -use ttrpc::{asynchronous::TtrpcContext, Code, Error, Status}; - -use crate::{ - api::{GetResourceRequest, GetResourceResponse, UnsealSecretInput, UnsealSecretOutput}, - api_ttrpc::{GetResourceService, SealedSecretService}, -}; - -lazy_static! { - static ref HUB: Arc>> = Arc::new(RwLock::new(None)); -} - -pub struct Server; - -impl Server { - async fn init() -> Result<()> { - let mut writer = HUB.write().await; - if writer.is_none() { - let hub = Hub::new().await?; - *writer = Some(hub); - } - - Ok(()) - } - - pub async fn new() -> Result { - Self::init().await?; - Ok(Self) - } -} - -#[async_trait] -impl SealedSecretService for Server { - async fn unseal_secret( - &self, - _ctx: &TtrpcContext, - input: UnsealSecretInput, - ) -> ::ttrpc::Result { - debug!("get new UnsealSecret request"); - let reader = HUB.read().await; - let reader = reader.as_ref().expect("must be initialized"); - let plaintext = reader.unseal_secret(input.secret).await.map_err(|e| { - let mut status = Status::new(); - status.set_code(Code::INTERNAL); - status.set_message(format!("[CDH] [ERROR]: Unseal Secret failed: {e}")); - Error::RpcStatus(status) - })?; - - let mut reply = UnsealSecretOutput::new(); - reply.plaintext = plaintext; - debug!("send back plaintext of the sealed secret"); - Ok(reply) - } -} - -#[async_trait] -impl GetResourceService for Server { - async fn get_resource( - &self, - _ctx: &TtrpcContext, - req: GetResourceRequest, - ) -> ::ttrpc::Result { - debug!("get new GetResource request"); - let reader = HUB.read().await; - let reader = reader.as_ref().expect("must be initialized"); - let resource = reader.get_resource(req.ResourcePath).await.map_err(|e| { - let mut status = Status::new(); - status.set_code(Code::INTERNAL); - status.set_message(format!("[CDH] [ERROR]: Get Resource failed: {e}")); - Error::RpcStatus(status) - })?; - - let mut reply = GetResourceResponse::new(); - reply.Resource = resource; - debug!("send back the resource"); - Ok(reply) - } -} diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/server/message.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/message.rs new file mode 100644 index 000000000..196450ea0 --- /dev/null +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/message.rs @@ -0,0 +1,89 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use anyhow::*; +use base64::Engine; +use serde::{Deserialize, Serialize}; +use std::collections::HashMap; +use std::str; +use std::vec::Vec; + +const ANNOTATION_KEY_NAME: &str = "attestation-agent"; + +#[derive(Serialize, Deserialize, Debug, PartialEq, Default, Clone)] +pub struct KeyProviderInput { + // Operation is either "keywrap" or "keyunwrap" + // attestation-agent can only handle the case of "keyunwrap" + op: String, + // For attestation-agent, keywrapparams should be empty. + pub keywrapparams: KeyWrapParams, + pub keyunwrapparams: KeyUnwrapParams, +} + +impl KeyProviderInput { + pub fn get_annotation(&self) -> Result> { + let annotation_base64 = self + .keyunwrapparams + .dc + .as_ref() + .and_then(|dc| dc.parameters.get(ANNOTATION_KEY_NAME)) + .and_then(|paras| paras.get(0)) + .ok_or_else(|| anyhow!("Illegal UnwrapKey request: no AnnotationPacket given."))?; + + let engine = base64::engine::general_purpose::STANDARD; + let annotation = engine.decode(annotation_base64)?; + Ok(annotation) + } +} + +#[derive(Serialize, Deserialize, Debug, PartialEq, Default, Clone)] +pub struct KeyWrapParams { + // For attestation-agent, ec is null + pub ec: Option, + // For attestation-agent, optsdata is null + pub optsdata: Option, +} + +#[derive(Serialize, Deserialize, Debug, PartialEq, Clone, Default)] +pub struct Ec { + #[serde(rename = "Parameters")] + pub parameters: HashMap>, + #[serde(rename = "DecryptConfig")] + pub decrypt_config: Dc, +} + +#[derive(Serialize, Deserialize, Debug, PartialEq, Default, Clone)] +pub struct KeyUnwrapParams { + pub dc: Option, + pub annotation: Option, +} + +#[derive(Serialize, Deserialize, Debug, PartialEq, Clone, Default)] +pub struct Dc { + // Name is expected to be "attestation-agent". + // Values are expected to be base-64 encoded. + #[serde(rename = "Parameters")] + pub parameters: HashMap>, +} + +#[derive(Serialize, Deserialize, Debug)] +pub struct KeyWrapOutput { + pub keywrapresults: KeyWrapResults, +} + +#[derive(Serialize, Deserialize, Debug)] +pub struct KeyWrapResults { + pub annotation: Vec, +} + +#[derive(Serialize, Deserialize, Debug)] +pub struct KeyUnwrapOutput { + pub keyunwrapresults: KeyUnwrapResults, +} + +#[derive(Serialize, Deserialize, Debug)] +pub struct KeyUnwrapResults { + pub optsdata: Vec, +} diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs new file mode 100644 index 000000000..501f0850f --- /dev/null +++ b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/mod.rs @@ -0,0 +1,187 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use std::sync::Arc; + +use anyhow::Result; +use async_trait::async_trait; +use confidential_data_hub::{hub::Hub, DataHub}; +use lazy_static::lazy_static; +use log::debug; +use storage::volume_type::Storage; +use tokio::sync::RwLock; +use ttrpc::{asynchronous::TtrpcContext, Code, Error, Status}; + +use crate::{ + api::{ + GetResourceRequest, GetResourceResponse, KeyProviderKeyWrapProtocolInput, + KeyProviderKeyWrapProtocolOutput, SecureMountRequest, SecureMountResponse, + UnsealSecretInput, UnsealSecretOutput, + }, + api_ttrpc::{GetResourceService, KeyProviderService, SealedSecretService, SecureMountService}, + server::message::{KeyProviderInput, KeyUnwrapOutput, KeyUnwrapResults}, +}; + +lazy_static! { + static ref HUB: Arc>> = Arc::new(RwLock::new(None)); +} + +mod message; + +pub struct Server; + +impl Server { + async fn init() -> Result<()> { + let mut writer = HUB.write().await; + if writer.is_none() { + let hub = Hub::new().await?; + *writer = Some(hub); + } + + Ok(()) + } + + pub async fn new() -> Result { + Self::init().await?; + Ok(Self) + } +} + +#[async_trait] +impl SealedSecretService for Server { + async fn unseal_secret( + &self, + _ctx: &TtrpcContext, + input: UnsealSecretInput, + ) -> ::ttrpc::Result { + debug!("get new UnsealSecret request"); + let reader = HUB.read().await; + let reader = reader.as_ref().expect("must be initialized"); + let plaintext = reader.unseal_secret(input.secret).await.map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[CDH] [ERROR]: Unseal Secret failed: {e}")); + Error::RpcStatus(status) + })?; + + let mut reply = UnsealSecretOutput::new(); + reply.plaintext = plaintext; + debug!("send back plaintext of the sealed secret"); + Ok(reply) + } +} + +#[async_trait] +impl GetResourceService for Server { + async fn get_resource( + &self, + _ctx: &TtrpcContext, + req: GetResourceRequest, + ) -> ::ttrpc::Result { + debug!("get new GetResource request"); + let reader = HUB.read().await; + let reader = reader.as_ref().expect("must be initialized"); + let resource = reader.get_resource(req.ResourcePath).await.map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[CDH] [ERROR]: Get Resource failed: {e}")); + Error::RpcStatus(status) + })?; + + let mut reply = GetResourceResponse::new(); + reply.Resource = resource; + debug!("send back the resource"); + Ok(reply) + } +} + +#[async_trait] +impl KeyProviderService for Server { + async fn un_wrap_key( + &self, + _ctx: &TtrpcContext, + req: KeyProviderKeyWrapProtocolInput, + ) -> ::ttrpc::Result { + debug!("get new UnWrapKey request"); + let reader = HUB.read().await; + let reader = reader.as_ref().expect("must be initialized"); + let key_provider_input: KeyProviderInput = + serde_json::from_slice(&req.KeyProviderKeyWrapProtocolInput[..]).map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[ERROR] UnwrapKey Parse request failed: {e}")); + Error::RpcStatus(status) + })?; + + let annotation_packet = key_provider_input.get_annotation().map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[ERROR] UnwrapKey Parse request failed: {e}")); + Error::RpcStatus(status) + })?; + + debug!("Call CDH to Unwrap Key..."); + let decrypted_optsdata = reader.unwrap_key(&annotation_packet).await.map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[CDH] [ERROR]: UnwrapKey failed: {e}")); + Error::RpcStatus(status) + })?; + + let mut reply = KeyProviderKeyWrapProtocolOutput::new(); + + // Construct output structure and serialize it as the return value of gRPC + let output_struct = KeyUnwrapOutput { + keyunwrapresults: KeyUnwrapResults { + optsdata: decrypted_optsdata, + }, + }; + + let lek = serde_json::to_vec(&output_struct).map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!( + "[CDH] [ERROR]: UnwrapKey serialize response failed: {e}" + )); + Error::RpcStatus(status) + })?; + + reply.KeyProviderKeyWrapProtocolOutput = lek; + debug!("send back the resource"); + Ok(reply) + } +} + +#[async_trait] +impl SecureMountService for Server { + async fn secure_mount( + &self, + _ctx: &TtrpcContext, + req: SecureMountRequest, + ) -> ::ttrpc::Result { + debug!("get new Secure mount request"); + let reader = HUB.read().await; + let reader = reader.as_ref().expect("must be initialized"); + let storage = Storage { + driver: req.driver, + driver_options: req.driver_options, + source: req.source, + fstype: req.fstype, + options: req.options, + mount_point: req.mount_point, + }; + let resource = reader.secure_mount(storage).await.map_err(|e| { + let mut status = Status::new(); + status.set_code(Code::INTERNAL); + status.set_message(format!("[CDH] [ERROR]: secure mount failed: {e}")); + Error::RpcStatus(status) + })?; + + let mut reply = SecureMountResponse::new(); + reply.mount_path = resource; + debug!("send back the resource"); + Ok(reply) + } +} diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs index f2c06c58e..07abc2bf2 100644 --- a/confidential-data-hub/hub/src/error.rs +++ b/confidential-data-hub/hub/src/error.rs @@ -12,9 +12,15 @@ pub enum Error { #[error("get resource failed: {0}")] GetResource(String), + #[error("decrypt image (unwrap key) failed: {0}")] + ImageDecryption(String), + #[error("init Hub failed: {0}")] InitializationFailed(String), #[error("unseal secret failed: {0}")] UnsealSecret(String), + + #[error("secure mount failed: {0}")] + SecureMount(String), } diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs index 61ad8c0e2..a6e95f2d1 100644 --- a/confidential-data-hub/hub/src/hub.rs +++ b/confidential-data-hub/hub/src/hub.rs @@ -5,8 +5,10 @@ use async_trait::async_trait; use base64::{engine::general_purpose::STANDARD, Engine}; +use image::AnnotationPacket; use kms::{Annotations, ProviderSettings}; use secret::secret::Secret; +use storage::volume_type::Storage; use crate::{DataHub, Error, Result}; @@ -49,8 +51,14 @@ impl DataHub for Hub { Ok(res) } - async fn unwrap_key(&self, _annotation: &[u8]) -> Result> { - todo!() + async fn unwrap_key(&self, annotation_packet: &[u8]) -> Result> { + let annotation_packet: AnnotationPacket = serde_json::from_slice(annotation_packet) + .map_err(|e| Error::ImageDecryption(format!("illegal AnnotationPacket format: {e}")))?; + let lek = annotation_packet + .unwrap_key() + .await + .map_err(|e| Error::ImageDecryption(format!("unwrap key failed: {e}")))?; + Ok(lek) } async fn get_resource(&self, uri: String) -> Result> { @@ -66,4 +74,12 @@ impl DataHub for Hub { .map_err(|e| Error::GetResource(format!("get rersource failed: {e}")))?; Ok(res) } + + async fn secure_mount(&self, storage: Storage) -> Result { + let res = storage + .mount() + .await + .map_err(|e| Error::SecureMount(e.to_string()))?; + Ok(res) + } } diff --git a/confidential-data-hub/image/Cargo.toml b/confidential-data-hub/image/Cargo.toml new file mode 100644 index 000000000..434765df4 --- /dev/null +++ b/confidential-data-hub/image/Cargo.toml @@ -0,0 +1,29 @@ +[package] +name = "image" +version = "0.1.0" +authors = ["The Confidential Container Authors"] +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +base64.workspace = true +crypto.path = "../../attestation-agent/deps/crypto" +kms = { path = "../kms", default-features = false } +resource_uri = { path = "../../attestation-agent/deps/resource_uri", optional = true } +serde.workspace = true +serde_json.workspace = true +thiserror.workspace = true + +[dev-dependencies] +assert-json-diff.workspace = true +rstest.workspace = true + +[features] +default = [] + +# legacy AnnotationPacket format, s.t. legacy encrypted image format relies on `kbs` feature +kbs = ["kms/kbs", "resource_uri"] +aliyun = ["kms/aliyun"] +sev = ["kms/sev"] +ehsm = ["kms/ehsm"] diff --git a/confidential-data-hub/image/src/annotation_packet/mod.rs b/confidential-data-hub/image/src/annotation_packet/mod.rs new file mode 100644 index 000000000..de5317ad1 --- /dev/null +++ b/confidential-data-hub/image/src/annotation_packet/mod.rs @@ -0,0 +1,21 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +#[cfg(feature = "kbs")] +pub mod v1; +pub mod v2; + +pub use v2::AnnotationPacketV2 as AnnotationPacket; + +#[cfg(test)] +mod tests { + use super::AnnotationPacket; + + #[test] + fn compatiblity_with_old_packets() { + let v1_raw = include_str!("../../test/v1.json"); + let _: AnnotationPacket = serde_json::from_str(v1_raw).expect("unable to parse V1 with V2"); + } +} diff --git a/confidential-data-hub/image/src/annotation_packet/v1.rs b/confidential-data-hub/image/src/annotation_packet/v1.rs new file mode 100644 index 000000000..69bbecd13 --- /dev/null +++ b/confidential-data-hub/image/src/annotation_packet/v1.rs @@ -0,0 +1,61 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use base64::{engine::general_purpose::STANDARD, Engine}; +use crypto::WrapType; +use kms::{plugins::VaultProvider, Annotations, ProviderSettings}; +use serde::{Deserialize, Serialize}; + +use resource_uri::ResourceUri; + +use crate::{Error, Result}; + +/// `AnnotationPacket` is what a encrypted image layer's +/// `org.opencontainers.image.enc.keys.provider.attestation-agent` +/// annotation should contain when it is encrypted by CoCo's +/// encryption modules. Please refer to issue +/// +#[derive(Serialize, Deserialize, Eq, PartialEq, Debug, Clone)] +pub struct AnnotationPacket { + // Key ID to manage multiple keys + pub kid: ResourceUri, + // Encrypted key to unwrap (base64-encoded) + pub wrapped_data: String, + // Initialisation vector (base64-encoded) + pub iv: String, + // Wrap type to specify encryption algorithm and mode + pub wrap_type: String, +} + +impl AnnotationPacket { + pub(crate) async fn unwrap_key(&self) -> Result> { + let wrap_type = WrapType::try_from(&self.wrap_type[..]) + .map_err(|e| Error::UnwrapAnnotationV1Failed(format!("parse WrapType failed: {e}")))?; + let mut kbs_client = + kms::new_getter(VaultProvider::Kbs.as_ref(), ProviderSettings::default()) + .await + .map_err(|e| Error::UnwrapAnnotationV1Failed(format!("create kbc failed: {e}")))?; + let name = self.kid.whole_uri(); + let kek = kbs_client + .get_secret(&name, &Annotations::default()) + .await + .map_err(|e| Error::UnwrapAnnotationV1Failed(format!("get KEK failed: {e}")))?; + + let lek = crypto::decrypt( + kek.into(), + STANDARD.decode(&self.wrapped_data).map_err(|e| { + Error::UnwrapAnnotationV1Failed(format!("base64 decode `wrapped_data` failed: {e}")) + })?, + STANDARD.decode(&self.iv).map_err(|e| { + Error::UnwrapAnnotationV1Failed(format!("base64 decode `iv` failed: {e}")) + })?, + wrap_type, + ) + .map_err(|e| { + Error::UnwrapAnnotationV1Failed(format!("decrypt LEK using KEK failed: {e}")) + })?; + Ok(lek) + } +} diff --git a/confidential-data-hub/image/src/annotation_packet/v2.rs b/confidential-data-hub/image/src/annotation_packet/v2.rs new file mode 100644 index 000000000..35e36b9d7 --- /dev/null +++ b/confidential-data-hub/image/src/annotation_packet/v2.rs @@ -0,0 +1,140 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +//! This is a new version of [`AnnotationPacket`] which is compatible with +//! the previous version. + +use base64::{engine::general_purpose::STANDARD, Engine}; +use kms::{plugins::VaultProvider, Annotations, ProviderSettings}; +use serde::{Deserialize, Serialize}; +use serde_json::Map; + +use crate::{Error, Result}; + +const DEFAULT_VERSION: &str = "0.1.0"; + +/// New version format of AnnotationPacket +#[derive(Serialize, Deserialize, Eq, PartialEq, Debug, Clone)] +pub struct AnnotationPacketV2 { + /// Version of the AnnotationPacket + #[serde(default = "default_version")] + pub version: String, + + /// Key ID to manage multiple keys. If provider is `kbs`, this field + /// should be a [`ResourceUri`] + pub kid: String, + + /// Encrypted key to unwrap (base64-encoded) + pub wrapped_data: String, + + /// The way to decrypt this LEK, s.t. provider of the KEK. + #[serde(default = "default_provider")] + pub provider: String, + + /// Initialisation vector (base64-encoded). Only used when + /// provider is `"kbs"` + #[serde(skip_serializing_if = "Option::is_none")] + pub iv: Option, + + /// Wrap type to specify encryption algorithm and mode. Only used when + /// provider is `"kbs"` + #[serde(skip_serializing_if = "Option::is_none")] + pub wrap_type: Option, + + /// extra information to create a client + #[serde(default = "Map::default")] + pub provider_settings: ProviderSettings, + + /// KMS specific fields to locate the Key inside KMS + #[serde(default = "Map::default")] + pub annotations: Annotations, +} + +fn default_version() -> String { + DEFAULT_VERSION.to_string() +} + +fn default_provider() -> String { + VaultProvider::Kbs.as_ref().to_string() +} + +#[cfg(feature = "kbs")] +impl TryInto for AnnotationPacketV2 { + type Error = Error; + + fn try_into(self) -> std::result::Result { + if self.version != DEFAULT_VERSION { + return Err(Error::ConvertAnnotationPacketFailed(format!( + "`version` must be {DEFAULT_VERSION}." + ))); + } + + if self.provider != VaultProvider::Kbs.as_ref() { + return Err(Error::ConvertAnnotationPacketFailed(String::from( + "Provider must be `kbs`.", + ))); + } + + if self.wrap_type.is_none() { + return Err(Error::ConvertAnnotationPacketFailed(String::from( + "no `WrapType` given.", + ))); + } + + if self.iv.is_none() { + return Err(Error::ConvertAnnotationPacketFailed(String::from( + "no `iv` given.", + ))); + } + + let kid = resource_uri::ResourceUri::try_from(&self.kid[..]).map_err(|e| { + Error::ConvertAnnotationPacketFailed(format!("illegal ResourceUri in `kid` field: {e}")) + })?; + + let annotation_packet = super::v1::AnnotationPacket { + kid, + wrapped_data: self.wrapped_data, + iv: self.iv.expect("must have `iv`"), + wrap_type: self.wrap_type.expect("must have `wrap_type`"), + }; + + Ok(annotation_packet) + } +} + +impl AnnotationPacketV2 { + pub async fn unwrap_key(&self) -> Result> { + let lek = match &self.provider[..] { + #[cfg(feature = "kbs")] + "kbs" => { + let anno_v1: super::v1::AnnotationPacket = self.clone().try_into()?; + anno_v1.unwrap_key().await? + } + kms => { + let mut kms_client = kms::new_decryptor(kms, self.provider_settings.clone()) + .await + .map_err(|e| { + Error::UnwrapAnnotationV2Failed(format!("create KMS client failed: {e}")) + })?; + + kms_client + .decrypt( + &STANDARD.decode(&self.wrapped_data).map_err(|e| { + Error::UnwrapAnnotationV1Failed(format!( + "base64 decode `wrapped_data` failed: {e}" + )) + })?, + &self.kid, + &self.annotations, + ) + .await + .map_err(|e| { + Error::UnwrapAnnotationV2Failed(format!("KMS decryption failed: {e}")) + })? + } + }; + Ok(lek) + } +} diff --git a/confidential-data-hub/image/src/error.rs b/confidential-data-hub/image/src/error.rs new file mode 100644 index 000000000..bb4316bc6 --- /dev/null +++ b/confidential-data-hub/image/src/error.rs @@ -0,0 +1,20 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, Debug)] +pub enum Error { + #[error("Convert AnnotationPacket failed: {0}")] + ConvertAnnotationPacketFailed(String), + + #[error("unwrap key failed (Annotation V1): {0}")] + UnwrapAnnotationV1Failed(String), + + #[error("unwrap key failed (Annotation V2): {0}")] + UnwrapAnnotationV2Failed(String), +} diff --git a/confidential-data-hub/image/src/lib.rs b/confidential-data-hub/image/src/lib.rs new file mode 100644 index 000000000..1bd4c23e5 --- /dev/null +++ b/confidential-data-hub/image/src/lib.rs @@ -0,0 +1,10 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +pub mod annotation_packet; +pub mod error; + +pub use annotation_packet::AnnotationPacket; +pub use error::*; diff --git a/confidential-data-hub/image/test/v1.json b/confidential-data-hub/image/test/v1.json new file mode 100644 index 000000000..0a5cbed71 --- /dev/null +++ b/confidential-data-hub/image/test/v1.json @@ -0,0 +1,6 @@ +{ + "kid": "kbs:///kbs:///default/key/1", + "wrapped_data": "HRCsBgH/ueLcWlUqP8j8BTREOjQXSNQvjPejbSTQt8Nu4pve07TmkSqRzu2yR7l9WbbZ4O5PChsnjuNLzu6cHvOqVSSCu3aIDYVs8VUPJSO434G+K5sAvsCSJK454VMQEY9zW8y45BrYUYV5jEKSsKvR1iqFkpzcdwI8tjGTpRMlu1gGQ6mA1jgVZKgnK8hcihmgCu24oKPmdd0pMKfiFDbzmsnRw4CS+eRb1Dp3vgLD6hCMz5BV7abaq7VMWP7SKJtJJbpYzqlKiI5i0r1qO8U=", + "iv": "M02S5rumY5JybMLQ", + "wrap_type": "A256GCM" +} \ No newline at end of file diff --git a/confidential-data-hub/kms/Cargo.toml b/confidential-data-hub/kms/Cargo.toml index 9efc6fff6..8e1d3fe22 100644 --- a/confidential-data-hub/kms/Cargo.toml +++ b/confidential-data-hub/kms/Cargo.toml @@ -13,6 +13,7 @@ bincode = { workspace = true, optional = true } chrono = { workspace = true, optional = true } const_format.workspace = true crypto = { path = "../../attestation-agent/deps/crypto", optional = true } +ehsm_client = {git = "https://github.com/intel/ehsm", rev = "f84688688e724dfd080c1dc491db3e58415cc5b7", optional = true } hex = { workspace = true, optional = true } kbs_protocol = { path = "../../attestation-agent/kbs_protocol", default-features = false, features = ["passport", "aa_token", "openssl"], optional = true } lazy_static.workspace = true @@ -44,8 +45,9 @@ anyhow.workspace = true tonic-build.workspace = true [features] -default = ["aliyun", "kbs"] +default = ["aliyun", "kbs", "ehsm"] aliyun = ["chrono", "hex", "openssl", "p12", "prost", "reqwest/rustls-tls", "sha2", "tonic", "yasna"] kbs = ["kbs_protocol"] +ehsm = ["ehsm_client"] sev = ["bincode", "crypto", "dep:sev", "prost", "tonic", "uuid", "zeroize"] diff --git a/confidential-data-hub/kms/src/error.rs b/confidential-data-hub/kms/src/error.rs index 6cf657844..980d352bb 100644 --- a/confidential-data-hub/kms/src/error.rs +++ b/confidential-data-hub/kms/src/error.rs @@ -16,6 +16,10 @@ pub enum Error { #[error("Kbs client error: {0}")] KbsClientError(String), + #[cfg(feature = "ehsm")] + #[error("eHSM-KMS client error: {0}")] + EhsmKmsError(String), + #[error("Unsupported provider: {0}")] UnsupportedProvider(String), } diff --git a/confidential-data-hub/kms/src/plugins/aliyun/client.rs b/confidential-data-hub/kms/src/plugins/aliyun/client.rs index 297b6b22f..28c8d2e70 100644 --- a/confidential-data-hub/kms/src/plugins/aliyun/client.rs +++ b/confidential-data-hub/kms/src/plugins/aliyun/client.rs @@ -224,9 +224,9 @@ impl Decrypter for AliyunKmsClient { } impl AliyunKmsClient { - const API_VERSION: &str = "dkms-gcs-0.2"; - const SIGNATURE_METHOD: &str = "RSA_PKCS1_SHA_256"; - const CONTENT_TYPE: &str = "application/x-protobuf"; + const API_VERSION: &'static str = "dkms-gcs-0.2"; + const SIGNATURE_METHOD: &'static str = "RSA_PKCS1_SHA_256"; + const CONTENT_TYPE: &'static str = "application/x-protobuf"; fn build_headers(&self, api_name: &str, body: &[u8]) -> anyhow::Result { let mut headers = HeaderMap::new(); @@ -317,9 +317,10 @@ mod tests { use crate::{plugins::aliyun::client::AliyunKmsClient, Decrypter, Encrypter}; - #[ignore] #[rstest] + #[ignore] #[case(b"this is a test plaintext")] + #[ignore] #[case(b"this is a another test plaintext")] #[tokio::test] async fn key_lifetime(#[case] plaintext: &[u8]) { diff --git a/confidential-data-hub/kms/src/plugins/ehsm/README.md b/confidential-data-hub/kms/src/plugins/ehsm/README.md new file mode 100644 index 000000000..128c63076 --- /dev/null +++ b/confidential-data-hub/kms/src/plugins/ehsm/README.md @@ -0,0 +1,116 @@ +# eHSM-KMS + +eHSM-KMS is a SGX-based Key Managment Service (KMS) that provides the near-equivalent hardware protection level of cryptographic functionalities including key generation, management inside the SGX enclave. More information about eHSM-KMS can be found [here](https://github.com/intel/ehsm). + +In CDH, we provide the eHSM-KMS client to interact with the eHSM-KMS Server. + +## eHSM-KMS Service + +For eHSM-KMS client to run, you need to set up an eHSM-KMS service in advance. The following method is only a quick start, and you can find more deployment methods (e.g. with Kubernetes) at webpage of eHSM-KMS. + +> Prerequisite: a sgx capable machine + +* Install requirement tools + ``` shell + sudo apt update + + sudo apt install vim autoconf automake build-essential cmake curl debhelper git libcurl4-openssl-dev libprotobuf-dev libssl-dev libtool lsb-release ocaml ocamlbuild protobuf-compiler wget libcurl4 libssl1.1 make g++ fakeroot libelf-dev libncurses-dev flex bison libfdt-dev libncursesw5-dev pkg-config libgtk-3-dev libspice-server-dev libssh-dev python3 python3-pip reprepro unzip libjsoncpp-dev uuid-dev liblog4cplus-1.1-9 liblog4cplus-dev dnsutils + ``` + +* Install SGX SDK + ```shell + wget https://download.01.org/intel-sgx/sgx-linux/2.18/as.ld.objdump.r4.tar.gz + tar -zxf as.ld.objdump.r4.tar.gz + sudo cp external/toolset/{current_distr}/* /usr/local/bin + + wget https://download.01.org/intel-sgx/sgx-dcap/1.15/linux/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.18.100.3.bin + + #choose to install the sdk into the /opt/intel + chmod a+x ./sgx_linux_x64_sdk_2.18.100.3.bin && sudo ./sgx_linux_x64_sdk_2.18.100.3.bin + + source /opt/intel/sgxsdk/environment + ``` + +* Install DCAP required packages + ```shell + cd /opt/intel + + wget https://download.01.org/intel-sgx/sgx-dcap/1.15/linux/distro/ubuntu20.04-server/sgx_debian_local_repo.tgz + + tar xzf sgx_debian_local_repo.tgz + + echo 'deb [trusted=yes arch=amd64] file:///opt/intel/sgx_debian_local_repo focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list + + wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add - + + sudo apt-get update + + sudo apt-get install -y libsgx-enclave-common-dev libsgx-ae-qe3 libsgx-ae-qve libsgx-urts libsgx-dcap-ql libsgx-dcap-default-qpl libsgx-dcap-quote-verify-dev libsgx-dcap-ql-dev libsgx-dcap-default-qpl-dev libsgx-quote-ex-dev libsgx-uae-service libsgx-ra-network libsgx-ra-uefi + ``` + +* Change PCCS server IP + ``` shell + vim /etc/sgx_default_qcnl.conf + ``` + ``` vi + # PCCS server address + PCCS_URL=https://1.2.3.4:8081/sgx/certification/v3/ (your pccs IP) + + # To accept insecure HTTPS certificate, set this option to FALSE + USE_SECURE_CERT=FALSE + ``` + +* Either start eHSM-KMS on a single machine without remote attestation. + ``` + # run eHSM-KMS + ./run_with_single.sh + ``` + +* Or build and run eHSM-KMS with docker-compose: + ```shell + # Download the current stable release (remove the "-x $http_proxy" if you don't behind the proxy) + sudo curl -x $http_proxy -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose + sudo chmod +x /usr/local/bin/docker-compose + sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose + docker-compose --version + # docker-compose version 1.29.2, build 5becea4c + + # Download the ehsm code from github + git clone --recursive https://github.com/intel/ehsm.git ehsm && cd ehsm + vim docker/.env + + # Modify the docker/.env configurations + HOST_IP=1.2.3.4 # MUST modify it to your host IP. + PCCS_URL=https://1.2.3.4:8081 # MUST modify it to your pccs server url. + DKEYSERVER_PORT=8888 # (Optional) the default port of dkeyserver, modify it if you want. + KMS_PORT=9000 # (Optional) the default KMS port, modify it if you want. + TAG_VERSION=main # (Optional) the default code base is using the main latest branch, modify it to specific tag if you want. + + # start to build and run the docker images (couchdb, dkeyserver, dkeycache, ehsm_kms_service) + cd docker && docker-compose up -d + ``` + +* Enrollment of the APPID and APIKey + ```shell + curl -v -k -G "https://:/ehsm?Action=Enroll" + + {"code":200,"message":"successful","result":{"apikey":"xbtXGHwBexb1pgnEz8JZWHLgaSVb1xSk","appid":"56c46c76-60e0-4722-a6ad-408cdd0c62c2"}} + ``` + +* Run the unittest cases + ``` shell + cd test + # run the unit testcases + python3 test_kms_with_cli.py --url https://: + ``` + +Congratulations! eHSM-KMS service should be ready by now. + +# eHSM-KMS Client + +eHSM-KMS client requires a credential file to run. The file name of the credential file is `credential.{your_app_id}.json`. The credential file need to be placed in `/run/confidential-containers/cdh/kms-credential/ehsm/`. And the structure of the credential file is shown in `ehsm/example_credential/` folder. + +To test eHSM-KMS client, run +```bash +cargo test --features ehsm +``` \ No newline at end of file diff --git a/confidential-data-hub/kms/src/plugins/ehsm/annotations.rs b/confidential-data-hub/kms/src/plugins/ehsm/annotations.rs new file mode 100644 index 000000000..41de08109 --- /dev/null +++ b/confidential-data-hub/kms/src/plugins/ehsm/annotations.rs @@ -0,0 +1,13 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use serde::{Deserialize, Serialize}; + +/// Serialized [`crate::ProviderSettings`] +#[derive(Clone, Debug, Serialize, Deserialize)] +pub struct EhsmProviderSettings { + pub app_id: String, + pub endpoint: String, +} diff --git a/confidential-data-hub/kms/src/plugins/ehsm/client.rs b/confidential-data-hub/kms/src/plugins/ehsm/client.rs new file mode 100644 index 000000000..339b63bd7 --- /dev/null +++ b/confidential-data-hub/kms/src/plugins/ehsm/client.rs @@ -0,0 +1,226 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +use ehsm_client::{api::KMS, client::EHSMClient}; + +use async_trait::async_trait; +use base64::engine::general_purpose::STANDARD; +use base64::Engine; +use const_format::concatcp; +use serde_json::Value; +use tokio::fs; + +use crate::plugins::_IN_GUEST_DEFAULT_KEY_PATH; +use crate::{Annotations, Decrypter, Encrypter, ProviderSettings}; +use crate::{Error, Result}; + +use super::annotations::EhsmProviderSettings; +use super::credential::Credential; + +pub struct EhsmKmsClient { + client: EHSMClient, +} + +const EHSM_IN_GUEST_DEFAULT_KEY_PATH: &str = concatcp!(_IN_GUEST_DEFAULT_KEY_PATH, "/ehsm"); + +impl EhsmKmsClient { + pub fn new(app_id: &str, api_key: &str, endpoint: &str) -> Result { + Ok(Self { + client: EHSMClient { + base_url: endpoint.to_owned(), + appid: app_id.to_owned(), + apikey: api_key.to_owned(), + }, + }) + } + + /// build client with parameters that have been exported to environment. + pub fn new_from_env() -> Result { + Ok(Self { + client: EHSMClient::new(), + }) + } + + /// This new function is used by a in-pod client. The side-effect is to read the + /// [`EHSM_IN_GUEST_DEFAULT_KEY_PATH`] which is the by default path where the credential + /// to access kms is saved. + pub async fn from_provider_settings(provider_settings: &ProviderSettings) -> Result { + let provider_settings: EhsmProviderSettings = + serde_json::from_value(Value::Object(provider_settings.clone())) + .map_err(|e| Error::EhsmKmsError(format!("parse provider setting failed: {e}")))?; + + let credential_path = format!( + "{EHSM_IN_GUEST_DEFAULT_KEY_PATH}/credential_{}.json", + provider_settings.app_id + ); + + let api_key = { + let cred = fs::read_to_string(credential_path) + .await + .map_err(|e| Error::EhsmKmsError(format!("read credential failed: {e}")))?; + let cred: Credential = serde_json::from_str(&cred) + .map_err(|e| Error::EhsmKmsError(format!("serialize credential failed: {e}")))?; + cred.api_key + }; + + Self::new( + &provider_settings.app_id, + &api_key, + &provider_settings.endpoint, + ) + } + + /// Export the [`ProviderSettings`] of the current client. This function is to be used + /// in the encryptor side. The [`ProviderSettings`] will be used to initial a client + /// in the decryptor side. + pub fn export_provider_settings(&self) -> Result { + let provider_settings = EhsmProviderSettings { + app_id: self.client.appid.clone(), + endpoint: self.client.base_url.clone(), + }; + + let provider_settings = serde_json::to_value(provider_settings) + .map_err(|e| Error::EhsmKmsError(format!("serialize ProviderSettings failed: {e}")))? + .as_object() + .expect("must be an object") + .to_owned(); + + Ok(provider_settings) + } +} + +#[async_trait] +impl Encrypter for EhsmKmsClient { + async fn encrypt(&mut self, data: &[u8], key_id: &str) -> Result<(Vec, Annotations)> { + let ciphertext = self + .client + .encrypt(key_id, &STANDARD.encode(data), None) + .await + .map_err(|e| Error::EhsmKmsError(format!("EHSM-KMS encrypt failed: {e}")))?; + + let annotations = Annotations::new(); + + Ok((ciphertext.into(), annotations)) + } +} + +#[async_trait] +impl Decrypter for EhsmKmsClient { + async fn decrypt( + &mut self, + ciphertext: &[u8], + key_id: &str, + _annotations: &Annotations, + ) -> Result> { + let plaintext_b64 = self + .client + .decrypt( + key_id, + std::str::from_utf8(ciphertext).map_err(|e| { + Error::EhsmKmsError(format!("decrypt &[u8] to &str failed: {e}")) + })?, + None, + ) + .await + .map_err(|e| Error::EhsmKmsError(format!("EHSM-KMS decrypt failed: {e}")))?; + let plaintext = STANDARD.decode(plaintext_b64).map_err(|e| { + Error::EhsmKmsError(format!("decode plaintext for decryption failed: {e}")) + })?; + + Ok(plaintext) + } +} + +impl EhsmKmsClient { + pub async fn create_key(&mut self, key_spec: &str) -> Result { + let origin = "EH_INTERNAL_KEY"; + let keyusage = "EH_KEYUSAGE_ENCRYPT_DECRYPT"; + let key_id = self + .client + .create_key(key_spec, origin, keyusage) + .await + .map_err(|e| Error::EhsmKmsError(format!("EHSM-KMS create key failed: {e}")))?; + + Ok(key_id) + } +} + +#[cfg(test)] +mod tests { + use rstest::rstest; + use serde_json::json; + + use crate::{plugins::ehsm::client::EhsmKmsClient, Decrypter, Encrypter}; + + #[ignore] + #[tokio::test] + async fn test_create_key() { + let key_spec = "EH_AES_GCM_256"; + let provider_settings = json!({ + "app_id": "86f0e9fe-****-a224ddee1233", + "endpoint": "https://172.0.0.1:9000", + }); + + // init client at user side + let provider_settings = provider_settings.as_object().unwrap().to_owned(); + let mut client = EhsmKmsClient::from_provider_settings(&provider_settings) + .await + .unwrap(); + + // create key + let key_id = client.create_key(key_spec).await; + + assert!(key_id.is_ok()); + } + + #[rstest] + #[ignore] + #[case(b"this is a test plaintext")] + #[ignore] + #[case(b"this is a another test plaintext")] + #[tokio::test] + async fn key_lifetime(#[case] plaintext: &[u8]) { + let key_spec = "EH_AES_GCM_256"; + let provider_settings = json!({ + "app_id": "86f0e9fe-7f05-4110-9f65-a224ddee1233", + "endpoint": "https://172.16.1.1:9002", + }); + + // init client at user side + let provider_settings = provider_settings.as_object().unwrap().to_owned(); + let mut client = EhsmKmsClient::from_provider_settings(&provider_settings) + .await + .unwrap(); + + // create key + let key_id = client.create_key(key_spec).await.unwrap(); + + let mut encryptor = EhsmKmsClient::from_provider_settings(&provider_settings) + .await + .unwrap(); + + println!("{}", key_id); + + // do encryption + let (ciphertext, secret_settings) = encryptor + .encrypt(plaintext, &key_id) + .await + .expect("encrypt"); + let provider_settings = encryptor.export_provider_settings().unwrap(); + + // init decrypter in a guest + let mut decryptor = EhsmKmsClient::from_provider_settings(&provider_settings) + .await + .unwrap(); + + // do decryption + let decrypted = decryptor + .decrypt(&ciphertext, &key_id, &secret_settings) + .await + .expect("decrypt"); + + assert_eq!(decrypted, plaintext); + } +} diff --git a/confidential-data-hub/kms/src/plugins/ehsm/credential.rs b/confidential-data-hub/kms/src/plugins/ehsm/credential.rs new file mode 100644 index 000000000..707df1cc4 --- /dev/null +++ b/confidential-data-hub/kms/src/plugins/ehsm/credential.rs @@ -0,0 +1,16 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +//! Credentials to access eHSM-KMS + +// use anyhow::*; +use serde::Deserialize; + +#[derive(Deserialize)] +#[serde(rename_all = "PascalCase")] +pub(crate) struct Credential { + pub _app_id: String, + pub api_key: String, +} diff --git a/confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json b/confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json new file mode 100644 index 000000000..355b8f638 --- /dev/null +++ b/confidential-data-hub/kms/src/plugins/ehsm/example_credential/credential.4eb1____.json @@ -0,0 +1,4 @@ +{ + "AppId": "4eb1****", + "ApiKey": "2LkL****" +} \ No newline at end of file diff --git a/confidential-data-hub/kms/src/plugins/ehsm/mod.rs b/confidential-data-hub/kms/src/plugins/ehsm/mod.rs new file mode 100644 index 000000000..2e85599ce --- /dev/null +++ b/confidential-data-hub/kms/src/plugins/ehsm/mod.rs @@ -0,0 +1,15 @@ +// Copyright (c) 2023 Alibaba Cloud +// +// SPDX-License-Identifier: Apache-2.0 +// + +//! This is a eHSM KMS implementation. +//! +//! eHSM KMS uses eHSM-KMS to support all functions. +//! The project detail can be found here: . + +mod annotations; +mod client; +mod credential; + +pub use client::EhsmKmsClient; diff --git a/confidential-data-hub/kms/src/plugins/kbs/mod.rs b/confidential-data-hub/kms/src/plugins/kbs/mod.rs index 3d20c3c9b..3c7c5e9ec 100644 --- a/confidential-data-hub/kms/src/plugins/kbs/mod.rs +++ b/confidential-data-hub/kms/src/plugins/kbs/mod.rs @@ -25,7 +25,7 @@ use tokio::sync::Mutex; use crate::{Annotations, Error, Getter, Result}; -const PEER_POD_CONFIG_PATH: &str = "/peerpod/daemon.json"; +const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json"; enum RealClient { #[cfg(feature = "kbs")] @@ -37,7 +37,7 @@ enum RealClient { impl RealClient { async fn new() -> Result { - // Check for /peerpod/daemon.json to see if we are in a peer pod + // Check for /run/peerpod/daemon.json to see if we are in a peer pod // If so we need to read from the agent-config file, not /proc/cmdline let (kbc, _kbs_host) = match Path::new(PEER_POD_CONFIG_PATH).exists() { true => get_aa_params_from_config_file().await?, diff --git a/confidential-data-hub/kms/src/plugins/mod.rs b/confidential-data-hub/kms/src/plugins/mod.rs index defba9b11..a014433e1 100644 --- a/confidential-data-hub/kms/src/plugins/mod.rs +++ b/confidential-data-hub/kms/src/plugins/mod.rs @@ -14,10 +14,18 @@ pub mod aliyun; pub mod kbs; +#[cfg(feature = "ehsm")] +pub mod ehsm; + #[derive(AsRefStr, EnumString)] pub enum DecryptorProvider { #[cfg(feature = "aliyun")] + #[strum(ascii_case_insensitive)] Aliyun, + + #[strum(ascii_case_insensitive)] + #[cfg(feature = "ehsm")] + Ehsm, } /// Create a new [`Decrypter`] by given provider name and [`ProviderSettings`] @@ -32,6 +40,11 @@ pub async fn new_decryptor( DecryptorProvider::Aliyun => Ok(Box::new( aliyun::AliyunKmsClient::from_provider_settings(&_provider_settings).await?, ) as Box), + + #[cfg(feature = "ehsm")] + DecryptorProvider::Ehsm => Ok(Box::new( + ehsm::EhsmKmsClient::from_provider_settings(&_provider_settings).await?, + ) as Box), } } diff --git a/confidential-data-hub/secret/Cargo.toml b/confidential-data-hub/secret/Cargo.toml index 330362eed..9dcab19ee 100644 --- a/confidential-data-hub/secret/Cargo.toml +++ b/confidential-data-hub/secret/Cargo.toml @@ -35,3 +35,4 @@ cli = ["clap/derive", "rand", "tokio/rt-multi-thread", "tokio/sync", "tokio/macr aliyun = ["kms/aliyun"] kbs = ["kms/kbs"] sev = ["kms/sev"] +ehsm = ["kms/ehsm"] diff --git a/confidential-data-hub/storage/Cargo.toml b/confidential-data-hub/storage/Cargo.toml new file mode 100644 index 000000000..fdcd5b685 --- /dev/null +++ b/confidential-data-hub/storage/Cargo.toml @@ -0,0 +1,27 @@ +[package] +name = "storage" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +serde = "1" +serde_json = "1" +thiserror.workspace = true +tokio = { workspace = true, features = ["fs"] } +anyhow.workspace = true +secret = { path = "../secret" } +base64.workspace = true +log.workspace = true + +[dev-dependencies] +rstest.workspace = true +tokio = { workspace = true, features = ["rt", "macros" ] } + +[build-dependencies] +anyhow.workspace = true + +[features] +default = ["aliyun"] +aliyun = [] diff --git a/confidential-data-hub/storage/src/error.rs b/confidential-data-hub/storage/src/error.rs new file mode 100644 index 000000000..ed29ab401 --- /dev/null +++ b/confidential-data-hub/storage/src/error.rs @@ -0,0 +1,20 @@ +// Copyright (c) 2023 Intel +// +// SPDX-License-Identifier: Apache-2.0 +// + +use thiserror::Error; + +pub type Result = std::result::Result; + +#[derive(Error, Debug)] +pub enum Error { + #[error("secure mount failed: {0}")] + SecureMountFailed(String), + + #[error("file error: {0}")] + FileError(String), + + #[error("unseal secret failed: {0}")] + UnsealSecretFailed(String), +} diff --git a/confidential-data-hub/storage/src/lib.rs b/confidential-data-hub/storage/src/lib.rs new file mode 100644 index 000000000..391985321 --- /dev/null +++ b/confidential-data-hub/storage/src/lib.rs @@ -0,0 +1,9 @@ +// Copyright (c) 2023 Intel +// +// SPDX-License-Identifier: Apache-2.0 +// + +pub mod error; +pub mod volume_type; + +pub use error::*; diff --git a/confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/mod.rs b/confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/mod.rs new file mode 100644 index 000000000..aa50157f8 --- /dev/null +++ b/confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/mod.rs @@ -0,0 +1,6 @@ +// Copyright (c) 2023 Intel +// +// SPDX-License-Identifier: Apache-2.0 +// + +pub mod oss; diff --git a/confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/oss.rs b/confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/oss.rs new file mode 100644 index 000000000..42cf891d9 --- /dev/null +++ b/confidential-data-hub/storage/src/volume_type/alibaba_cloud_oss/oss.rs @@ -0,0 +1,166 @@ +// Copyright (c) 2023 Intel +// +// SPDX-License-Identifier: Apache-2.0 +// + +use base64::{engine::general_purpose::STANDARD, Engine}; +use secret::secret::Secret; +use serde::{Deserialize, Serialize}; +use std::fs; +use std::fs::File; +use std::io::Write; +use std::os::unix::fs::PermissionsExt; +use std::process::Command; + +use crate::{Error, Result}; + +const OSSFS_PASSWD_FILE: &str = "/tmp/ossfs_passwd"; +const GOCRYPTFS_PASSWD_FILE: &str = "/tmp/gocryptfs_passwd"; +const OSSFS_BIN: &str = "/usr/local/bin/ossfs"; +const GOCRYPTFS_BIN: &str = "/usr/local/bin/gocryptfs"; + +#[derive(Serialize, Deserialize, PartialEq, Debug)] +pub struct Oss { + #[serde(rename = "akId")] + pub ak_id: String, + #[serde(rename = "akSecret")] + pub ak_secret: String, + #[serde(default)] + pub annotations: String, + pub bucket: String, + #[serde(default)] + pub encrypted: String, + #[serde(rename = "encPasswd", default)] + pub enc_passwd: String, + #[serde(rename = "kmsKeyId", default)] + pub kms_key_id: String, + #[serde(rename = "otherOpts")] + pub other_opts: String, + pub path: String, + pub readonly: String, + #[serde(rename = "targetPath")] + pub target_path: String, + pub url: String, + #[serde(rename = "volumeId")] + pub volume_id: String, +} + +async fn unseal_secret(secret: Vec) -> Result> { + // TODO: verify the jws signature using the key specified by `kid` + // in header. Here we directly get the JWS payload + let payload = secret.split(|c| *c == b'.').nth(1).ok_or_else(|| { + Error::SecureMountFailed("illegal input sealed secret (not a JWS)".into()) + })?; + + let secret_json = STANDARD.decode(payload).map_err(|e| { + Error::SecureMountFailed(format!( + "illegal input sealed secret (JWS body is not standard base64 encoded): {e}" + )) + })?; + let secret: Secret = serde_json::from_slice(&secret_json).map_err(|e| { + Error::SecureMountFailed(format!( + "illegal input sealed secret format (json deseralization failed): {e}" + )) + })?; + + let res = secret + .unseal() + .await + .map_err(|e| Error::UnsealSecretFailed(format!("unseal failed: {e}")))?; + Ok(res) +} + +async fn get_plaintext_secret(secret: &str) -> Result { + if secret.starts_with("sealed.") { + let tmp = secret + .strip_prefix("sealed.") + .ok_or(Error::SecureMountFailed( + "strip_prefix \"sealed.\" failed".to_string(), + ))?; + let unsealed = unseal_secret(tmp.into()).await?; + + return String::from_utf8(unsealed) + .map_err(|e| Error::SecureMountFailed(format!("convert to String failed: {e}"))); + } + Err(Error::SecureMountFailed( + "sealed secret format error!".to_string(), + )) +} + +impl Oss { + pub(crate) async fn mount(&self, source: String, mount_point: String) -> Result { + // unseal secret + let plain_ak_id = get_plaintext_secret(&self.ak_id).await?; + let plain_ak_secret = get_plaintext_secret(&self.ak_secret).await?; + + // create ossfs passwd file + let mut ossfs_passwd = File::create(OSSFS_PASSWD_FILE) + .map_err(|e| Error::FileError(format!("create file failed: {e}")))?; + let metadata = ossfs_passwd + .metadata() + .map_err(|e| Error::FileError(format!("create metadata failed: {e}")))?; + let mut permissions = metadata.permissions(); + permissions.set_mode(0o600); + ossfs_passwd + .set_permissions(permissions) + .map_err(|e| Error::FileError(format!("set permissions failed: {e}")))?; + ossfs_passwd + .write_all(format!("{}:{}:{}", self.bucket, plain_ak_id, plain_ak_secret).as_bytes()) + .map_err(|e| Error::FileError(format!("write file failed: {e}")))?; + + // generate parameters for ossfs command, and execute + let mut opts = self + .other_opts + .split_whitespace() + .map(str::to_string) + .collect(); + let s = if self.encrypted == "gocryptfs" { + fs::create_dir_all("/tmp/oss") + .map_err(|e| Error::FileError(format!("create dir failed: {e}")))?; + "/tmp/oss/".to_string() + } else { + source.clone() + }; + let mut parameters = vec![ + format!("{}:{}", self.bucket, self.path), + s.clone(), + format!("-ourl={}", self.url), + format!("-opasswd_file={}", OSSFS_PASSWD_FILE), + ]; + parameters.append(&mut opts); + + Command::new(OSSFS_BIN) + .args(parameters) + .spawn() + .expect("failed to mount oss"); + std::thread::sleep(std::time::Duration::from_secs(3)); + + // decrypt with gocryptfs if needed + if self.encrypted == "gocryptfs" { + // unseal secret + let plain_passwd = get_plaintext_secret(&self.enc_passwd).await?; + + // create gocryptfs passwd file + let mut gocryptfs_passwd = File::create(GOCRYPTFS_PASSWD_FILE) + .map_err(|e| Error::FileError(format!("create file failed: {e}")))?; + gocryptfs_passwd + .write_all(plain_passwd.as_bytes()) + .map_err(|e| Error::FileError(format!("write file failed: {e}")))?; + + // generate parameters for gocryptfs, and execute + let parameters = vec![ + s, + source, + "-passfile".to_string(), + GOCRYPTFS_PASSWD_FILE.to_string(), + "-nosyslog".to_string(), + ]; + Command::new(GOCRYPTFS_BIN) + .args(parameters) + .spawn() + .expect("failed to decrypt oss"); + std::thread::sleep(std::time::Duration::from_secs(3)); + } + Ok(mount_point) + } +} diff --git a/confidential-data-hub/storage/src/volume_type/mod.rs b/confidential-data-hub/storage/src/volume_type/mod.rs new file mode 100644 index 000000000..b0daa76cf --- /dev/null +++ b/confidential-data-hub/storage/src/volume_type/mod.rs @@ -0,0 +1,55 @@ +// Copyright (c) 2023 Intel +// +// SPDX-License-Identifier: Apache-2.0 +// + +#[cfg(feature = "aliyun")] +pub mod alibaba_cloud_oss; + +#[cfg(feature = "aliyun")] +use self::alibaba_cloud_oss::oss::Oss; +use crate::{Error, Result}; +use log::warn; + +#[derive(PartialEq, Clone, Debug)] +pub struct Storage { + pub driver: String, + pub driver_options: Vec, + pub source: String, + pub fstype: String, + pub options: Vec, + pub mount_point: String, +} + +impl Storage { + pub async fn mount(&self) -> Result { + for driver_option in &self.driver_options { + let (volume_type, metadata) = + driver_option + .split_once('=') + .ok_or(Error::SecureMountFailed( + "split by \"=\" failed".to_string(), + ))?; + + match volume_type { + #[cfg(feature = "aliyun")] + "alibaba-cloud-oss" => { + let oss: Oss = serde_json::from_str(metadata).map_err(|e| { + Error::SecureMountFailed(format!( + "illegal mount info format (json deseralization failed): {e}" + )) + })?; + return oss + .mount(self.source.clone(), self.mount_point.clone()) + .await; + } + other => { + warn!("skip mount info with unsupported volume_type: {other}"); + } + }; + } + Err(Error::SecureMountFailed( + "illegal mount info as no expected driver_options".to_string(), + )) + } +} diff --git a/image-rs/.vscode/settings.json b/image-rs/.vscode/settings.json deleted file mode 100644 index 12faa86a7..000000000 --- a/image-rs/.vscode/settings.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "rust-analyzer.linkedProjects": [ - "./Cargo.toml", - "./Cargo.toml", - "./Cargo.toml", - "./Cargo.toml", - "./Cargo.toml" - ] -} \ No newline at end of file diff --git a/image-rs/Cargo.toml b/image-rs/Cargo.toml index d599bad79..a22fce6d8 100644 --- a/image-rs/Cargo.toml +++ b/image-rs/Cargo.toml @@ -27,7 +27,7 @@ libc = "0.2" log = "0.4.14" loopdev = { git = "https://github.com/mdaffin/loopdev", rev = "c9f91e8f0326ce8a3364ac911e81eb32328a5f27"} nix = { version = "0.26", optional = true } -oci-distribution = { git = "https://github.com/krustlet/oci-distribution.git", rev = "f44124c", default-features = false, optional = true } +oci-distribution = { version = "0.10.0", default-features = false, optional = true } oci-spec = "0.6.2" ocicrypt-rs = { path = "../ocicrypt-rs", default-features = false, features = ["async-io"], optional = true } prost = { workspace = true, optional = true } @@ -38,11 +38,12 @@ serde = { workspace = true, features = ["serde_derive", "rc"] } serde_json.workspace = true serde_yaml = { version = "0.9", optional = true } sha2.workspace = true -sigstore = { git = "https://github.com/sigstore/sigstore-rs.git", rev = "69e8f33", default-features = false, optional = true} +sigstore = { version = "0.8.0", default-features = false, optional = true, features = ["tuf"] } strum.workspace = true strum_macros = "0.25" tar = "0.4.37" tokio.workspace = true +tokio-util = "0.7.10" tonic = { workspace = true, optional = true } ttrpc = { workspace = true, features = [ "async" ], optional = true } url = "2.2.2" diff --git a/image-rs/src/image.rs b/image-rs/src/image.rs index 1a747ae42..809ac8184 100644 --- a/image-rs/src/image.rs +++ b/image-rs/src/image.rs @@ -526,7 +526,7 @@ mod tests { // Azure Container Registry "mcr.microsoft.com/hello-world", // Docker container Registry - "docker.io/i386/busybox", + "docker.io/busybox", // Google Container Registry "gcr.io/google-containers/busybox:1.27.2", // JFrog Container Registry diff --git a/image-rs/src/pull.rs b/image-rs/src/pull.rs index b555b233b..5bbb91329 100644 --- a/image-rs/src/pull.rs +++ b/image-rs/src/pull.rs @@ -6,10 +6,12 @@ use anyhow::{anyhow, bail, Result}; use futures_util::stream::{self, StreamExt, TryStreamExt}; use oci_distribution::manifest::{OciDescriptor, OciImageManifest}; use oci_distribution::{secrets::RegistryAuth, Client, Reference}; +use std::collections::BTreeMap; use std::convert::TryFrom; use std::path::{Path, PathBuf}; use std::sync::Arc; use tokio::sync::Mutex; +use tokio_util::io::StreamReader; use crate::decoder::Compression; use crate::decrypt::Decryptor; @@ -77,7 +79,7 @@ impl<'a> PullClient<'a> { let layer_metas = self .async_pull_layers(vec![bootstrap_desc], &[diff_id], decrypt_config, meta_store) .await?; - match layer_metas.get(0) { + match layer_metas.first() { Some(b) => Ok(b.clone()), None => Err(anyhow!("Failed to download this bootstrap layer")), } @@ -92,35 +94,33 @@ impl<'a> PullClient<'a> { decrypt_config: &Option<&str>, meta_store: Arc>, ) -> Result> { - let layer_metas = stream::iter(layer_descs) + let meta_store = &meta_store; + let layer_metas: Vec<(usize, LayerMeta)> = stream::iter(layer_descs) .enumerate() - .map(|(i, layer)| { - let client = &self.client; - let reference = &self.reference; - let ms = meta_store.clone(); - - async move { - let layer_reader = client - .async_pull_blob(reference, &layer.digest) - .await - .map_err(|e| anyhow!("failed to async pull blob {}", e.to_string()))?; - - self.async_handle_layer( - layer, - diff_ids[i].clone(), - decrypt_config, - layer_reader, - ms, - ) + .map(|(i, layer)| async move { + let layer_stream = self + .client + .pull_blob_stream(&self.reference, &layer.digest) .await - .map_err(|e| anyhow!("failed to handle layer: {:?}", e)) - } + .map_err(|e| anyhow!("failed to async pull blob stream {}", e.to_string()))?; + let layer_reader = StreamReader::new(layer_stream); + self.async_handle_layer( + layer, + diff_ids[i].clone(), + decrypt_config, + layer_reader, + meta_store.clone(), + ) + .await + .map_err(|e| anyhow!("failed to handle layer: {:?}", e)) + .map(|layer_meta| (i, layer_meta)) }) .buffer_unordered(self.max_concurrent_download) .try_collect() .await?; - - Ok(layer_metas) + let meta_map: BTreeMap = layer_metas.into_iter().collect(); + let sorted_layer_metas = meta_map.into_values().collect(); + Ok(sorted_layer_metas) } async fn async_handle_layer( @@ -215,6 +215,50 @@ mod tests { use test_utils::{assert_result, assert_retry}; + #[ignore] + #[tokio::test] + async fn image_layer_order() { + let image_url = + "nginx@sha256:9700d098d545f9d2ee0660dfb155fe64f4447720a0a763a93f2cf08997227279"; + let tempdir = tempfile::tempdir().unwrap(); + let image = Reference::try_from(image_url.to_string()).expect("create reference failed"); + let mut client = PullClient::new( + image, + tempdir.path(), + &RegistryAuth::Anonymous, + DEFAULT_MAX_CONCURRENT_DOWNLOAD, + ) + .unwrap(); + let (image_manifest, _image_digest, image_config) = client.pull_manifest().await.unwrap(); + + let image_config = ImageConfiguration::from_reader(image_config.as_bytes()).unwrap(); + let diff_ids = image_config.rootfs().diff_ids(); + + // retry 3 times w/ timeout + for i in 0..3 { + let wait = std::time::Duration::from_secs(i * 2); + tokio::time::sleep(wait).await; + + let result = client + .async_pull_layers( + image_manifest.layers.clone(), + diff_ids, + &None, + Arc::new(Mutex::new(MetaStore::default())), + ) + .await; + if let Ok(layer_metas) = result { + let digests: Vec = layer_metas + .iter() + .map(|l| l.uncompressed_digest.clone()) + .collect(); + assert_eq!(&digests, diff_ids, "hashes should be in same order"); + return; + } + } + panic!("failed to pull layers"); + } + #[tokio::test] async fn test_async_pull_client() { let oci_images = [ diff --git a/image-rs/src/signature/mechanism/cosign/mod.rs b/image-rs/src/signature/mechanism/cosign/mod.rs index cbfd4ee56..e919758e5 100644 --- a/image-rs/src/signature/mechanism/cosign/mod.rs +++ b/image-rs/src/signature/mechanism/cosign/mod.rs @@ -5,7 +5,7 @@ //! Cosign verification -use anyhow::{anyhow, bail, Context, Result}; +use anyhow::{anyhow, bail, Result}; use async_trait::async_trait; use oci_distribution::secrets::RegistryAuth; use serde::{Deserialize, Serialize}; @@ -18,8 +18,9 @@ use sigstore::{ }, crypto::SigningScheme, errors::SigstoreVerifyConstraintsError, - registry::Auth, + registry::{Auth, OciReference}, }; +use std::str::FromStr; use super::SignScheme; use crate::resource; @@ -134,35 +135,17 @@ impl CosignParameters { (Some(_), Some(_)) => bail!("Both keyPath and keyData are specified."), }; - let image_ref = image.reference.whole(); + let image_ref = OciReference::from_str(&image.reference.whole())?; + let auth = &Auth::from(auth); - let auth = auth.clone(); - // Get the signature layers in cosign signature "image"'s manifest - let signature_layers = tokio::task::spawn_blocking(move || -> Result<_> { - let auth = Auth::from(&auth); + let mut client = ClientBuilder::default().build()?; - let mut client = ClientBuilder::default().build()?; + // Get the cosign signature "image"'s uri and the signed image's digest + let (cosign_image, source_image_digest) = client.triangulate(&image_ref, auth).await?; - // Get the cosign signature "image"'s uri and the signed image's digest - // - // We need a runtime here because now `triangulate` is a future - // that cannot be `Send` between threads. Thus we need to create a - // runtime and disable context switch here. - let rt = tokio::runtime::Runtime::new()?; - let (cosign_image, source_image_digest) = - rt.block_on(client.triangulate(&image_ref, &auth))?; - - let layers = rt.block_on(client.trusted_signature_layers( - &auth, - &source_image_digest, - &cosign_image, - ))?; - - Ok(layers) - }) - .await - .context("tokio spawn")? - .context("get signature layers")?; + let signature_layers = client + .trusted_signature_layers(auth, &source_image_digest, &cosign_image) + .await?; // By default, the hashing algorithm is SHA256 let pub_key_verifier = @@ -315,7 +298,7 @@ mod tests { "registry.cn-hangzhou.aliyuncs.com/xynnn/cosign:latest", false, // If verified failed, the pubkey given to verify will be printed. - "[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1(VerifyingKey { inner: PublicKey { point: AffinePoint { x: FieldElement(UInt { limbs: [Limb(540873142526201775), Limb(9033147506996235883), Limb(13963524140470157687), Limb(5553333931660335980)] }), y: FieldElement(UInt { limbs: [Limb(310064843663294190), Limb(16768641685016372219), Limb(6660968332548595134), Limb(15802642679658786528)] }), infinity: 0 } } }) }]" + "[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1(VerifyingKey { inner: PublicKey { point: AffinePoint { x: FieldElement(0x4D1167C9BBBCDB6CC1C867394D50C1777D5C2FCC46374E6B07819141E8D2CFAF), y: FieldElement(0xDB4E43CA897D2EE05C70836839AF5DBEE8B62EC4B93563FB044D92551FE33EEE), infinity: 0 } } }) }]" )] #[case( &format!("\ @@ -345,7 +328,7 @@ mod tests { "quay.io/kata-containers/confidential-containers:cosign-signed", false, // If verified failed, the pubkey given to verify will be printed. - "[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1(VerifyingKey { inner: PublicKey { point: AffinePoint { x: FieldElement(UInt { limbs: [Limb(540873142526201775), Limb(9033147506996235883), Limb(13963524140470157687), Limb(5553333931660335980)] }), y: FieldElement(UInt { limbs: [Limb(310064843663294190), Limb(16768641685016372219), Limb(6660968332548595134), Limb(15802642679658786528)] }), infinity: 0 } } }) }]", + "[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1(VerifyingKey { inner: PublicKey { point: AffinePoint { x: FieldElement(0x4D1167C9BBBCDB6CC1C867394D50C1777D5C2FCC46374E6B07819141E8D2CFAF), y: FieldElement(0xDB4E43CA897D2EE05C70836839AF5DBEE8B62EC4B93563FB044D92551FE33EEE), infinity: 0 } } }) }]" )] #[case( &format!("\ diff --git a/image-rs/src/snapshots/occlum/unionfs.rs b/image-rs/src/snapshots/occlum/unionfs.rs index c9e00cc93..f87439ae9 100644 --- a/image-rs/src/snapshots/occlum/unionfs.rs +++ b/image-rs/src/snapshots/occlum/unionfs.rs @@ -321,4 +321,4 @@ mod tests { assert!(occlum_unionfs.mount(layer_path, mnt_path.as_ref()).is_err()); } -} \ No newline at end of file +} diff --git a/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources-for-icr.json b/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources-for-icr.json index f4e40b731..68d2d253a 100644 --- a/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources-for-icr.json +++ b/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources-for-icr.json @@ -1,5 +1,5 @@ { - "default/security-policy/test": "ewogICAgImRlZmF1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIgogICAgICAgIH0KICAgIF0sCiAgICAidHJhbnNwb3J0cyI6IHsKICAgICAgICAiZG9ja2VyIjogewogICAgICAgICAgICAidWsuaWNyLmlvL21hdHRhcm5vX2ltYWdlX3B1c2gvYnVzeWJveCI6IFsKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAidHlwZSI6ICJzaWduZWRCeSIsCiAgICAgICAgICAgICAgICAgICAgImtleVR5cGUiOiAiR1BHS2V5cyIsCiAgICAgICAgICAgICAgICAgICAgImtleVBhdGgiOiAia2JzOi8vL2RlZmF1bHQvZ3BnLXB1YmxpYy1rZXkvdGVzdCIKICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgXSwKICAgICAgICAgICAgInF1YXkuaW8va2F0YS1jb250YWluZXJzL2NvbmZpZGVudGlhbC1jb250YWluZXJzIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJ0eXBlIjogInNpZ25lZEJ5IiwKICAgICAgICAgICAgICAgICAgICAia2V5VHlwZSI6ICJHUEdLZXlzIiwKICAgICAgICAgICAgICAgICAgICAia2V5UGF0aCI6ICJrYnM6Ly8vZGVmYXVsdC9ncGctcHVibGljLWtleS90ZXN0IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdCiAgICAgICAgfQogICAgfQp9Cg==", + "default/security-policy/test": "ewogICAgImRlZmF1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIgogICAgICAgIH0KICAgIF0sCiAgICAidHJhbnNwb3J0cyI6IHsKICAgICAgICAiZG9ja2VyIjogewogICAgICAgICAgICAidWsuaWNyLmlvL2thdGEtY29udGFpbmVycy9idXN5Ym94IjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJ0eXBlIjogInNpZ25lZEJ5IiwKICAgICAgICAgICAgICAgICAgICAia2V5VHlwZSI6ICJHUEdLZXlzIiwKICAgICAgICAgICAgICAgICAgICAia2V5UGF0aCI6ICJrYnM6Ly8vZGVmYXVsdC9ncGctcHVibGljLWtleS90ZXN0IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdLAogICAgICAgICAgICAicXVheS5pby9rYXRhLWNvbnRhaW5lcnMvY29uZmlkZW50aWFsLWNvbnRhaW5lcnMiOiBbCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAic2lnbmVkQnkiLAogICAgICAgICAgICAgICAgICAgICJrZXlUeXBlIjogIkdQR0tleXMiLAogICAgICAgICAgICAgICAgICAgICJrZXlQYXRoIjogImticzovLy9kZWZhdWx0L2dwZy1wdWJsaWMta2V5L3Rlc3QiCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9CiAgICB9Cn0K", "default/sigstore-config/test": "", "default/gpg-public-key/test": "LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCgptUUdOQkdUd2MzRUJEQURvbHowcmxwTGRkR2R1SENaZERnSEd1Y1lKeFh0elAwRE9zMkEvOTlKN1lhd3VjcTNSCmhlaHVUcmdRWkhpNCtmM28zU3V4QmUzeFdSc1F5dDRCbDBaVFJ6bmdqdXoyTWFxNzV4M0RNSUYzMElSbzlkcm4KWVg5T0ZGaXJMTTRwT0orY0pJaExJb1EyZXk2YnNwNGdpQnVGYlVYQ255T2dEQSs2cVNZMm5zR1R4TmdSam5wbgpWd28zc2tOaitjS21wUzdEbkpFeGZuL25jZDJrR0pOQXBHa1gzSDR2dXd0dUIrMnhQR21nL1U0QWdSeDZxKzErCm1rZGNIMFFWdW9tQ2FJUTFxRzMybTgxaG8xWTBlWlpMbVUycmVtNThqSkNUU0xEMkVHKzd3WTVDMkRETWlNRG0KSGhhOGoyTjdMUWJmVERwZVd4Z0lxVjlHWUl6cGc1MUtLcW1wVEFDOXkwRFZkbzlYNGlIZDFjYkNUTkFhNGtGQwpNUUkwK1BQT0hhVWRoUzE3S2h6dmwzSm11bTkvMWtyNWdCMmd2ajNXUHdMSzZxMzRZWmExdXVnc1ZkOHpzQ001CjlaWHNFUlhiam5neGpJWUJocUMzV2N3bXprNjRPK0ZjM1JKby80K2x3eFhaNXlTNCtMV25mMDNkblVKdzRIZVoKWldGZUdFdSsvMzNMSlhjQUVRRUFBYlFrVFdGMGRHaGxkeUJCY201dmJHUWdQRzFoZEhSaGNtNXZRSFZyTG1saQpiUzVqYjIwK2lRSFVCQk1CQ2dBK0ZpRUVYYjRnM3Q0azJPcmVyb3d2aGt0NFRPWmhKUFlGQW1Ud2MzRUNHd01GCkNRUENad0FGQ3drSUJ3SUdGUW9KQ0FzQ0JCWUNBd0VDSGdFQ0Y0QUFDZ2tRaGt0NFRPWmhKUGJWend3QXFDZUwKd2hzL3h0ek1uSG9aMk5BZys0TTl5elQ3RVZTOUo3MDgxTmFHdjFBckQvUEtUcTNQcCtXbm5XK2VwMlNxUWkzSgp1cjUrWlNSZ1BDYmpVOFRpVGhFRXU0MzFONEZsZnhCOGdORWNtOXRYTFZLMDJFU2Y5VnloTGZmZ2wrbHRpa1AyCk1DaXBrdmVaUGN3MUtnZVNyUnc2a1FRcXFadEN1dlM2Vm9lbGxSTEdvV0hoaHpGYXRmblpnNDVEZ1k1ZVVxNXYKSmczUHlKSDB4Mkhqa1Z4K0Q3QWRZSDRhT29oNGJhd2JXcHQrRERWZjBoUEJFZEtlR0ZGZEQ4OW1FSExDRnNCOQplTUF2cDU2ZDZxTUV5a0VWQ3dYMnVwQmhzc1RQdDBvdEZheFh2WGNJZXZLL05uOXNlbFozNWZETmVlaDZyMHduCm8rV3VURjBmWXNqN2k2MlZxa0hZZkR1eHhjZ09qY1RLeE5pTVB1eWNSOTJuZUdmVzVkK3FBaDQ5bDRrZVgxU0sKSTVDTi9ITFJwS1NjMUVaRDBVYXZjbjFLOHZ6NHVVRTBBbVM5dVB4OVdJMExoSkZiYlBseGNma2dBVFBhQUtrZQo5ZFc0VGZScVoycHFWQzB3dXdXck1nQVA1blJ0eWNqb1d3U3IxcXY1NDNqSkJEait4aGIwTmFLaUQ1Rnd1UUdOCkJHVHdjM0VCREFEU3I3K2RWcUdkS1R2dDV5Mi9oZzVHYkRKZlh4UUFqM0VnZmNvUXMzUWJkdDBmbVkwb0xGTXkKekpiS1BwTTRhS3dZdXE4YmszQkpMKyszUUZOU0tmd09IVEJBYWZWQWttVk5MU1NkN3hTNm1LTlUxcUZva2x2agp6U0VsRnVhVFhWUmlma01nWkdMS1NubExYOVlUN0xGb2piTGF5OHBEWFFreDFxSjN0SFBURTk5L00xN3J6MTlICkpEdnhkcnRTcXZldkRleVA3OGMvZTFpKzZ1bnEwaU1lUHZlNXN4WVA4RXRmcHJzeEYvQldBaEQ2ZnVHbnBhcXQKZGRSR0FEcnhQaFBrMCtLTGtSM1NxZGdjTGlyRWN5UEpyR3lwdlBDemNmTjZ6OVZOdk55M1BaYWs5UXB0OTBGbQprR2hUM1lCbjZnOFpBdTRZcVMzeEtWcTB6dzhVbXdra2VFTkNydU9rTG41Rk83SnRQdkVjN1J0amtSZW00d2dtCklORXJ4NU9zTzJUM2Z1QktXVklpOGpOdjBQYWowZk9VTHgxSzFtVzFSbVpIMmRHa0xTWmJzYXJxV1gwSW04MjMKeEsvdzFWN3owRXZuNHcraXZUVDUzQ29XMldNNndZTlY1TStFV2FMZjBHVmRCRDhZVlRkdGhwZlZwQjdvM2ZlWgpBelk4TkdHVWtUY0FFUUVBQVlrQnZBUVlBUW9BSmhZaEJGMitJTjdlSk5qcTNxNk1MNFpMZUV6bVlTVDJCUUprCjhITnhBaHNNQlFrRHdtY0FBQW9KRUlaTGVFem1ZU1QyS0NFTUFOY2NLQVJUSWdvcHBHTTBmNktsK2RNQ1cyd2UKcWFCdkNESzhvTUhJdDBMTWpMbDJvMEczZDI2Q0ZpaXVFazJlS0lFWkxDUjhyWFhXK2FBVmxsZHo2RzZMSThUZgpTUTA2c3R5dXROQTFNNmUyY1NxU0FRWWVOYXVwdkRaM0Y3a0M4WnEzeEYzOEZ0ckhHUHRrT0NwS0lxbzJ3THUrCloyTjZzait4cW1lMTA4aWFkc3hXbEc4K0lIR0FuWEtPcjZiOHpULzRGZVdXVCsxcnpDY01nREgwS3BkSkZ6OC8KTEZrQUsvTWYyQWlwUGltUU0rblJvT2grNlhwWExuNjlqSmNXREY4Wmw1YXNyL3pmZUtVWUNEUi9RRGpEblFMdwo3ekdETi81REtPSmNBcmlqN2lyU3FISkhRRW5xaDllOFdWUFJMTzBMcENsa2xwUlhmUk1lSVdJTnNkQVgxeEpWCkZVUUt1dUFoWkVwOWZFWmdlaVFadVZreFlYa0ptTWwrYzg0K2pBSkVjNmRjOVhIUTFxd0lSQUgvOTdScitzYXMKZFNOTUtuSkM1dGdFb0tINWloeklVcnZjV0tTcnNkaHdkcmovSDF6QTN0WmNSN3VLeVp6TEorZ05VeElDTUppeAp3djNVdUkzNUU2QkdCTWlySXcwL3UzbS8rdHZDTkFuWmE4YitjQT09Cj1ocjVvCi0tLS0tRU5EIFBHUCBQVUJMSUMgS0VZIEJMT0NLLS0tLS0K", "default/cosign-public-key/test": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMWdIR2JmazFBcU93ZUxFTThIZlQwYm1mUUUzYgo5ZmNwL0xVNzVGTWZ4VlpYbU5WdFVwcnNITTF0aHV1aUJLT29mdjhLVjdUckZsNHA4TkpDaVhVa2hBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", diff --git a/image-rs/tests/signature_verification.rs b/image-rs/tests/signature_verification.rs index 042f20023..2aea36572 100644 --- a/image-rs/tests/signature_verification.rs +++ b/image-rs/tests/signature_verification.rs @@ -92,13 +92,13 @@ const _TESTS_XRSS: [_TestItem; _TEST_ITEMS_XRSS] = [ description: "Deny pulling an unencrypted signed image with no local sigstore and a registry that does not support the X-R-S-S API extension", }, _TestItem { - image_ref: "uk.icr.io/mattarno_image_push/busybox:signed-latest", + image_ref: "uk.icr.io/kata-containers/busybox:signed-latest", allow: true, signing_scheme: SigningName::SimpleSigning, description: "Allow pulling an unencrypted signed image from a protected registry that supports the X-R-S-S API extension with no local sigstore", }, _TestItem { - image_ref: "uk.icr.io/mattarno_image_push/busybox:unsigned-1.35", + image_ref: "uk.icr.io/kata-containers/busybox:unsigned-1.35", allow: false, signing_scheme: SigningName::SimpleSigning, description: "Deny pulling an unencrypted and unsigned image from a protected registry that supports the X-R-S-S API extension with no local sigstore", diff --git a/ocicrypt-rs/src/keywrap/keyprovider.rs b/ocicrypt-rs/src/keywrap/keyprovider.rs index 959a23f1d..3c6d47012 100644 --- a/ocicrypt-rs/src/keywrap/keyprovider.rs +++ b/ocicrypt-rs/src/keywrap/keyprovider.rs @@ -192,7 +192,7 @@ impl KeyProviderKeyWrapProtocolOutput { #[cfg(feature = "keywrap-keyprovider-native")] fn from_native(annotation: &str, dc_config: &DecryptConfig) -> Result { let kbc_kbs_pair = if let Some(list) = dc_config.param.get("attestation-agent") { - list.get(0) + list.first() .ok_or_else(|| anyhow!("keyprovider: empty kbc::kbs pair"))? } else { return Err(anyhow!("keyprovider: not supported attestation agent")); diff --git a/ocicrypt-rs/src/utils/grpc/keyprovider.rs b/ocicrypt-rs/src/utils/grpc/keyprovider.rs index de9394a56..48f669119 100644 --- a/ocicrypt-rs/src/utils/grpc/keyprovider.rs +++ b/ocicrypt-rs/src/utils/grpc/keyprovider.rs @@ -23,7 +23,7 @@ pub mod key_provider_service_client { /// Attempt to create a new client by connecting to a given endpoint. pub async fn connect(dst: D) -> Result where - D: std::convert::TryInto, + D: TryInto, D::Error: Into, { let conn = tonic::transport::Endpoint::new(dst)?.connect().await?; @@ -79,10 +79,26 @@ pub mod key_provider_service_client { self.inner = self.inner.accept_compressed(encoding); self } + /// Limits the maximum size of a decoded message. + /// + /// Default: `4MB` + #[must_use] + pub fn max_decoding_message_size(mut self, limit: usize) -> Self { + self.inner = self.inner.max_decoding_message_size(limit); + self + } + /// Limits the maximum size of an encoded message. + /// + /// Default: `usize::MAX` + #[must_use] + pub fn max_encoding_message_size(mut self, limit: usize) -> Self { + self.inner = self.inner.max_encoding_message_size(limit); + self + } pub async fn wrap_key( &mut self, request: impl tonic::IntoRequest, - ) -> Result< + ) -> std::result::Result< tonic::Response, tonic::Status, > { @@ -99,12 +115,15 @@ pub mod key_provider_service_client { let path = http::uri::PathAndQuery::from_static( "/keyprovider.KeyProviderService/WrapKey", ); - self.inner.unary(request.into_request(), path, codec).await + let mut req = request.into_request(); + req.extensions_mut() + .insert(GrpcMethod::new("keyprovider.KeyProviderService", "WrapKey")); + self.inner.unary(req, path, codec).await } pub async fn un_wrap_key( &mut self, request: impl tonic::IntoRequest, - ) -> Result< + ) -> std::result::Result< tonic::Response, tonic::Status, > { @@ -121,7 +140,10 @@ pub mod key_provider_service_client { let path = http::uri::PathAndQuery::from_static( "/keyprovider.KeyProviderService/UnWrapKey", ); - self.inner.unary(request.into_request(), path, codec).await + let mut req = request.into_request(); + req.extensions_mut() + .insert(GrpcMethod::new("keyprovider.KeyProviderService", "UnWrapKey")); + self.inner.unary(req, path, codec).await } } } @@ -135,14 +157,14 @@ pub mod key_provider_service_server { async fn wrap_key( &self, request: tonic::Request, - ) -> Result< + ) -> std::result::Result< tonic::Response, tonic::Status, >; async fn un_wrap_key( &self, request: tonic::Request, - ) -> Result< + ) -> std::result::Result< tonic::Response, tonic::Status, >; @@ -152,6 +174,8 @@ pub mod key_provider_service_server { inner: _Inner, accept_compression_encodings: EnabledCompressionEncodings, send_compression_encodings: EnabledCompressionEncodings, + max_decoding_message_size: Option, + max_encoding_message_size: Option, } struct _Inner(Arc); impl KeyProviderServiceServer { @@ -164,6 +188,8 @@ pub mod key_provider_service_server { inner, accept_compression_encodings: Default::default(), send_compression_encodings: Default::default(), + max_decoding_message_size: None, + max_encoding_message_size: None, } } pub fn with_interceptor( @@ -187,6 +213,22 @@ pub mod key_provider_service_server { self.send_compression_encodings.enable(encoding); self } + /// Limits the maximum size of a decoded message. + /// + /// Default: `4MB` + #[must_use] + pub fn max_decoding_message_size(mut self, limit: usize) -> Self { + self.max_decoding_message_size = Some(limit); + self + } + /// Limits the maximum size of an encoded message. + /// + /// Default: `usize::MAX` + #[must_use] + pub fn max_encoding_message_size(mut self, limit: usize) -> Self { + self.max_encoding_message_size = Some(limit); + self + } } impl tonic::codegen::Service> for KeyProviderServiceServer where @@ -200,7 +242,7 @@ pub mod key_provider_service_server { fn poll_ready( &mut self, _cx: &mut Context<'_>, - ) -> Poll> { + ) -> Poll> { Poll::Ready(Ok(())) } fn call(&mut self, req: http::Request) -> Self::Future { @@ -224,13 +266,15 @@ pub mod key_provider_service_server { super::KeyProviderKeyWrapProtocolInput, >, ) -> Self::Future { - let inner = self.0.clone(); + let inner = Arc::clone(&self.0); let fut = async move { (*inner).wrap_key(request).await }; Box::pin(fut) } } let accept_compression_encodings = self.accept_compression_encodings; let send_compression_encodings = self.send_compression_encodings; + let max_decoding_message_size = self.max_decoding_message_size; + let max_encoding_message_size = self.max_encoding_message_size; let inner = self.inner.clone(); let fut = async move { let inner = inner.0; @@ -240,6 +284,10 @@ pub mod key_provider_service_server { .apply_compression_config( accept_compression_encodings, send_compression_encodings, + ) + .apply_max_message_size_config( + max_decoding_message_size, + max_encoding_message_size, ); let res = grpc.unary(method, req).await; Ok(res) @@ -264,13 +312,15 @@ pub mod key_provider_service_server { super::KeyProviderKeyWrapProtocolInput, >, ) -> Self::Future { - let inner = self.0.clone(); + let inner = Arc::clone(&self.0); let fut = async move { (*inner).un_wrap_key(request).await }; Box::pin(fut) } } let accept_compression_encodings = self.accept_compression_encodings; let send_compression_encodings = self.send_compression_encodings; + let max_decoding_message_size = self.max_decoding_message_size; + let max_encoding_message_size = self.max_encoding_message_size; let inner = self.inner.clone(); let fut = async move { let inner = inner.0; @@ -280,6 +330,10 @@ pub mod key_provider_service_server { .apply_compression_config( accept_compression_encodings, send_compression_encodings, + ) + .apply_max_message_size_config( + max_decoding_message_size, + max_encoding_message_size, ); let res = grpc.unary(method, req).await; Ok(res) @@ -308,12 +362,14 @@ pub mod key_provider_service_server { inner, accept_compression_encodings: self.accept_compression_encodings, send_compression_encodings: self.send_compression_encodings, + max_decoding_message_size: self.max_decoding_message_size, + max_encoding_message_size: self.max_encoding_message_size, } } } impl Clone for _Inner { fn clone(&self) -> Self { - Self(self.0.clone()) + Self(Arc::clone(&self.0)) } } impl std::fmt::Debug for _Inner { diff --git a/ocicrypt-rs/src/utils/ttrpc/keyprovider.rs b/ocicrypt-rs/src/utils/ttrpc/keyprovider.rs index dc27af072..e2f2131fb 100644 --- a/ocicrypt-rs/src/utils/ttrpc/keyprovider.rs +++ b/ocicrypt-rs/src/utils/ttrpc/keyprovider.rs @@ -1,4 +1,4 @@ -// This file is generated by rust-protobuf 3.2.0. Do not edit +// This file is generated by rust-protobuf 3.3.0. Do not edit // .proto file is parsed by pure // @generated @@ -23,10 +23,10 @@ /// Generated files are compatible only with the same version /// of protobuf runtime. -const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0; +const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_3_0; -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:keyprovider.KeyProviderKeyWrapProtocolInput) +#[derive(PartialEq,Clone,Default,Debug)] pub struct KeyProviderKeyWrapProtocolInput { // message fields // @@protoc_insertion_point(field:keyprovider.KeyProviderKeyWrapProtocolInput.KeyProviderKeyWrapProtocolInput) @@ -147,8 +147,8 @@ impl ::protobuf::reflect::ProtobufValue for KeyProviderKeyWrapProtocolInput { type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage; } -#[derive(PartialEq,Clone,Default,Debug)] // @@protoc_insertion_point(message:keyprovider.KeyProviderKeyWrapProtocolOutput) +#[derive(PartialEq,Clone,Default,Debug)] pub struct KeyProviderKeyWrapProtocolOutput { // message fields // @@protoc_insertion_point(field:keyprovider.KeyProviderKeyWrapProtocolOutput.KeyProviderKeyWrapProtocolOutput) diff --git a/ocicrypt-rs/src/utils/ttrpc/keyprovider_ttrpc.rs b/ocicrypt-rs/src/utils/ttrpc/keyprovider_ttrpc.rs index de01df205..77a6fdc6c 100644 --- a/ocicrypt-rs/src/utils/ttrpc/keyprovider_ttrpc.rs +++ b/ocicrypt-rs/src/utils/ttrpc/keyprovider_ttrpc.rs @@ -1,12 +1,9 @@ -// This file is generated by ttrpc-compiler 0.6.1. Do not edit +// This file is generated by ttrpc-compiler 0.6.2. Do not edit // @generated -// https://github.com/Manishearth/rust-clippy/issues/702 +#![cfg_attr(rustfmt, rustfmt_skip)] #![allow(unknown_lints)] #![allow(clipto_camel_casepy)] - -#![cfg_attr(rustfmt, rustfmt_skip)] - #![allow(box_pointers)] #![allow(dead_code)] #![allow(missing_docs)] @@ -17,6 +14,7 @@ #![allow(unsafe_code)] #![allow(unused_imports)] #![allow(unused_results)] +#![allow(clippy::all)] use protobuf::{CodedInputStream, CodedOutputStream, Message}; use std::collections::HashMap; use std::sync::Arc;