
aws-nitro-enclaves-cose's Introduction


COSE for AWS Nitro Enclaves

This library aims to provide a safe Rust implementation of COSE. Currently, only COSE Sign1 is implemented, with the ability to sign and verify COSE Sign1 objects.

It uses openssl to provide the required crypto primitives.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

aws-nitro-enclaves-cose's People

Contributors

amazon-auto, belveryin, dependabot[bot], eugkoira, petreeftime, puiterwijk, raoulstrackx, runcom


aws-nitro-enclaves-cose's Issues

Implement Parsec backend

Hello,

Following the brief conversation in #34, this issue is a placeholder for implementing an integration with Parsec as a crypto backend.

Outstanding tasks:

  • Investigate how the integration would work and if all required primitives are supported in Parsec
  • Implement the Parsec backend
  • Add some backend-specific tests
  • Add some E2E tests in the Parsec repo for ACM for Nitro Enclaves

Let me know if there's anything I missed or that might be relevant.

Can Attestation Documents be verified using this?

Can we use the functions provided here to validate an attestation document when implementing our own attestation service?

It would be useful if README.md could expand more on the ways this repo can be used and the purpose it serves.

Failed to parse NSM attestation document as `CoseSign1`

First I request an attestation document like https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/nsm-test/src/bin/nsm-check.rs#L344-L360 into the variable document.

Then if I try to parse the document like the following:

    use aws_nitro_enclaves_cose::CoseSign1;
    use log::debug; // assumed: the debug! macro comes from the `log` crate

    // Try the untagged encoding first, then the tagged one (CBOR tag 18).
    fn try_get_cose_sign(document: &[u8]) -> Option<CoseSign1> {
        if let Ok(cose) = CoseSign1::from_bytes(document) {
            debug!("CoseSign1 is untagged");
            return Some(cose);
        }
        if let Ok(cose) = CoseSign1::from_bytes_tagged(document) {
            debug!("CoseSign1 is tagged");
            return Some(cose);
        }
        None
    }

If I call try_get_cose_sign, the result is None (the same logic worked about 1 year ago).
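When both `from_bytes` and `from_bytes_tagged` fail, it helps to establish what the bytes actually are before suspecting the crate. The following std-only triage helper is an added example, not code from the issue or from the crate; `triage`, `Envelope` and `SAMPLE` are hypothetical names, and the sample bytes are constructed to have the shape of an untagged COSE_Sign1 (RFC 8152) object.

```rust
// Constructed sample: untagged COSE_Sign1 with an ES384 protected header and an empty map.
pub const SAMPLE: [u8; 14] = [0x84, 0x44, 0xa1, 0x01, 0x38, 0x22, 0xa0, 0x43, 1, 2, 3, 0x42, 0xaa, 0xbb];

#[derive(Debug, PartialEq)]
pub enum Envelope { Tagged, Untagged }

/// Read one CBOR head: (major type, argument, offset after the head).
fn head(buf: &[u8], pos: usize) -> Result<(u8, u64, usize), String> {
    let b = *buf.get(pos).ok_or("truncated input")?;
    let (major, info) = (b >> 5, b & 0x1f);
    let extra = match info { 0..=23 => 0, 24 => 1, 25 => 2, 26 => 4, 27 => 8,
        _ => return Err(format!("unsupported additional info {} at offset {}", info, pos)) };
    let bytes = buf.get(pos + 1..pos + 1 + extra).ok_or("truncated input")?;
    let arg = bytes.iter().fold(if extra == 0 { info as u64 } else { 0 }, |a, &x| (a << 8) | x as u64);
    Ok((major, arg, pos + 1 + extra))
}

/// Skip one complete data item (definite lengths only, bounded nesting).
fn skip(buf: &[u8], pos: usize, depth: u8) -> Result<usize, String> {
    if depth > 16 { return Err("nesting too deep".into()); }
    let (major, arg, mut next) = head(buf, pos)?;
    match major {
        2 | 3 => next.checked_add(arg as usize).filter(|&e| e <= buf.len()).ok_or("string runs past input".into()),
        4 | 5 | 6 => {
            let n = match major { 4 => arg, 5 => arg.saturating_mul(2), _ => 1 };
            for _ in 0..n { next = skip(buf, next, depth + 1)?; }
            Ok(next)
        }
        _ => Ok(next),
    }
}

/// Classify `doc`; the four members must be bstr, map, bstr-or-nil, bstr.
pub fn triage(doc: &[u8]) -> Result<Envelope, String> {
    let (major, arg, pos) = head(doc, 0)?;
    let kind = match (major, arg) { (6, 18) => Envelope::Tagged, (4, _) => Envelope::Untagged,
        _ => return Err(format!("starts with major type {} (argument {}), not an array or tag 18", major, arg)) };
    let (major, count, mut pos) = if kind == Envelope::Tagged { head(doc, pos)? } else { (major, arg, pos) };
    if (major, count) != (4, 4) { return Err("expected a 4-element array".into()); }
    for (name, want) in [("protected", 2u8), ("unprotected", 5), ("payload", 2), ("signature", 2)] {
        let (m, a, _) = head(doc, pos)?;
        if m != want && !(name == "payload" && (m, a) == (7, 22)) { return Err(format!("{}: unexpected major type {}", name, m)); }
        pos = skip(doc, pos, 0)?;
    }
    if pos != doc.len() { return Err(format!("{} trailing bytes", doc.len() - pos)); }
    Ok(kind)
}

fn main() { println!("{:?}", triage(&SAMPLE)); }
```

An `Err` naming a text-string major type (3) means the input is still encoded as text, for example base64, rather than raw CBOR; a length error means the buffer was truncated before it reached the parser.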

Implement COSE Encryption objects

According to the README.md, this crate intends to provide a reasonably full implementation of COSE.
At this moment, it has a total lack of the Encryption objects or primitives.
It would be great if it could also support that, to become a more complete COSE library.

Build error with latest serde versions

Starting from serde version 1.0.182, the crate cannot be built anymore:

   Compiling aws-nitro-enclaves-cose v0.5.0 (/home/ec2-user/aws-nitro-enclaves-cose)
error: field must have #[serde(default)] because previous field 2 has #[serde(default)]
  --> /home/ec2-user/aws-nitro-enclaves-cose/src/sign.rs:65:5
   |
65 |     ByteBuf,
   |     ^^^^^^^

error: field must have #[serde(default)] because previous field 2 has #[serde(default)]
  --> /home/ec2-user/aws-nitro-enclaves-cose/src/sign.rs:67:5
   |
67 |     ByteBuf,
   |     ^^^^^^^

error[E0277]: the trait bound `SigStructure: encrypt::_::_serde::Serialize` is not satisfied
  --> /home/ec2-user/aws-nitro-enclaves-cose/src/sign.rs:95:28
   |
95 |         serde_cbor::to_vec(self)
   |         ------------------ ^^^^ the trait `encrypt::_::_serde::Serialize` is not implemented for `SigStructure`
   |         |
   |         required by a bound introduced by this call
   |
   = help: the following other types implement trait `encrypt::_::_serde::Serialize`:
             &'a T
             &'a mut T
             ()
             (T0, T1)
             (T0, T1, T2)
             (T0, T1, T2, T3)
             (T0, T1, T2, T3, T4)
             (T0, T1, T2, T3, T4, T5)
           and 137 others
note: required by a bound in `to_vec`
  --> /home/ec2-user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde_cbor-0.11.2/src/ser.rs:22:8
   |
22 |     T: ser::Serialize,
   |        ^^^^^^^^^^^^^^ required by this bound in `to_vec`

For more information about this error, try `rustc --explain E0277`.

Easy to reproduce with a dummy cargo package:

[package]
name = "cose-issue"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
aws-nitro-enclaves-cose = {path="../aws-nitro-enclaves-cose"} # "0.5.0"

serde = "=1.0.181" # does build
# serde = "=1.0.182" # does not build

Update crate for current version

Looks like there is a single release at crates.io, dated "November 12th, 2020".
Could you please release the current version as 0.1.1?

TYA

running in enclave got "/bin/sh: /myapp: not found" error

Hi, all.
I have tested successfully in a Nitro enclave according to the AWS developing-applications-linux sample.
But after I added this crate as a dependency of my cargo project and added simple code as follows:

let cose = COSESign1::from_bytes(vec![].as_slice())?;

Then I recompiled it into an executable and rebuilt it into a Docker image, and the enclave app failed to run, as follows:

Action: Enclave Console
  Subactions:
    Failed to retrieve enclave CID
    Failed to connect to enclave process
    Failed to connect to specific enclave process: Os { code: 2, kind: NotFound, message: "No such file or directory" }
  Root error file: src/enclave_proc_comm.rs
  Root error line: 129

I think this error is caused by the lack of "openssl-dev" library, but even if I add RUN apk add pkgconfig openssl-dev to install the package in docker, the same error occurred.

Can someone tell me how to fix this?

Question on crypto backends

Hi,

I wanted to check which crypto backends you're planning to integrate for this project, and whether Parsec could play a role here as an option/alternative. @puiterwijk already has some insight into the project, but a TLDR is that we're building it to be an abstraction over hardware crypto engines/modules in the form of a userspace service, with support for a number of (mainly asymmetric) crypto primitives. The caveat would be that, if the library is aimed at early stages of the boot cycle then Parsec would not be a good fit :)

Let me know what you think, if there is any overlap here that we could work towards.

Running in nitro got stuck when calling `verify_signature`

I'm using "v0.3.0" and got stuck when calling verify_signature, the following is the source code:

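use nsm_io::AttestationDoc;
use aws_nitro_enclaves_cose::CoseSign1;
use openssl::x509::X509;
use std::error::Error;

// Returns a Result so that the `?` operators below compile.
fn verify_attestation_sign(
  doc: &AttestationDoc,
  cose: &CoseSign1,
) -> Result<(), Box<dyn Error>> {
  // Parse the DER certificate carried in the attestation document.
  let cert = X509::from_der(doc.certificate.as_ref())?;
  let pk = cert.public_key()?;
  if !cose.verify_signature(pk.as_ref())? {
    println!("got an error");
  }
  Ok(())
}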

I remember this code worked 6 months ago. Is the X509 from OpenSSL not supported anymore? Or is there something else I should notice?

tag new release

As #21 got merged, can you please tag a new release to allow signing and verification with more than openssl PKey(Ref), like a TPM or AWS KMS keys?

/cc @puiterwijk @nullr0ute
