From 6b7babbdfdd4220a91b31c5ed0b6f8bd93824689 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Fri, 21 Jun 2024 09:15:54 +0200 Subject: [PATCH 1/2] Prepare release 0.2.1 --- CHANGELOG.md | 8 +++++++- Cargo.toml | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 59482fc..0ded671 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,13 @@ SPDX-License-Identifier: CC0-1.0 [Unreleased]: https://github.com/trussed-dev/trussed-rsa-backend/compare/v0.2.0...HEAD -- +## [v0.2.1][] (2024-06-21) + +[v0.2.1]: https://github.com/trussed-dev/trussed-rsa-backend/compare/v0.2.0...v0.2.1 + +- Fix missing zeros of RSA implementation ([#12][]) + +[#12]: https://github.com/trussed-dev/trussed-rsa-backend/pull/12 ## [v0.2.0][] (2024-03-22) diff --git a/Cargo.toml b/Cargo.toml index 6529a48..6ba5496 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,7 +3,7 @@ [package] name = "trussed-rsa-alloc" -version = "0.2.0" +version = "0.2.1" edition = "2021" description = "Trussed backend adding support for the RSA algorithm using an allocator" authors = ["Nitrokey GmbH "] From abf464e56a877da3f0a18cdd63bf58f6cdd81793 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sosth=C3=A8ne=20Gu=C3=A9don?= Date: Fri, 21 Jun 2024 10:24:42 +0200 Subject: [PATCH 2/2] Replace `unwrap` and `expect` calls with `unwrap_or_else(|| panic!())` This allows the error message to be optimized out --- src/lib.rs | 51 ++++++++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/src/lib.rs b/src/lib.rs index 6c251db..7088991 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -70,15 +70,17 @@ fn derive_key( let base_key_id = &request.base_key; let priv_key_der = keystore .load_key(key::Secrecy::Secret, Some(kind), base_key_id) - .expect("Failed to load an RSA private key with the given ID") + .unwrap_or_else(|_| panic!("Failed to load an RSA private key with the given ID")) .material; let priv_key = DecodePrivateKey::from_pkcs8_der(&priv_key_der) - .expect("Failed to deserialize an RSA private key from PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to deserialize an RSA private key from PKCS#8 DER")); // Derive and store public key let pub_key_der = RsaPublicKey::from(&priv_key) .to_public_key_der() - .expect("Failed to derive an RSA public key or to serialize it to PKCS#8 DER"); + .unwrap_or_else(|_| { + panic!("Failed to derive an RSA public key or to serialize it to PKCS#8 DER") + }); let pub_key_id = keystore.store_key( request.attributes.persistence, @@ -106,7 +108,7 @@ fn deserialize_pkcs_key( // We store our keys in PKCS#8 DER format let pub_key_der = pub_key .to_public_key_der() - .expect("Failed to serialize an RSA public key to PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to serialize an RSA public key to PKCS#8 DER")); let pub_key_id = keystore.store_key( request.attributes.persistence, @@ -139,7 +141,7 @@ fn deserialize_parts_key( // We store our keys in PKCS#8 DER format let pub_key_der = pub_key .to_public_key_der() - .expect("Failed to serialize an RSA public key to PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to serialize an RSA public key to PKCS#8 DER")); let pub_key_id = keystore.store_key( request.attributes.persistence, @@ -178,13 +180,13 @@ fn serialize_key( // We rely on the fact that we store the keys in the PKCS#8 DER format already let pub_key_der = keystore .load_key(key::Secrecy::Public, Some(kind), &key_id) - .expect("Failed to load an RSA public key with the given ID") + .unwrap_or_else(|_| panic!("Failed to load an RSA public key with the given ID")) .material; let serialized_key = match request.format { KeySerialization::RsaParts => { - let key: RsaPublicKey = - DecodePublicKey::from_public_key_der(&pub_key_der).expect("Failed to parse key"); + let key: RsaPublicKey = DecodePublicKey::from_public_key_der(&pub_key_der) + .unwrap_or_else(|_| panic!("Failed to parse key")); let e = &key.e().to_bytes_be(); let n = &key.n().to_bytes_be(); RsaPublicParts { e, n }.serialize().map_err(|_err| { @@ -206,12 +208,12 @@ fn generate_key( bits: usize, kind: key::Kind, ) -> Result { - let priv_key = - RsaPrivateKey::new(keystore.rng(), bits).expect("Failed to generate an RSA 2K private key"); + let priv_key = RsaPrivateKey::new(keystore.rng(), bits) + .unwrap_or_else(|_| panic!("Failed to generate an RSA 2K private key")); let priv_key_der = priv_key .to_pkcs8_der() - .expect("Failed to serialize an RSA private key to PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to serialize an RSA private key to PKCS#8 DER")); let priv_key_id = keystore.store_key( request.attributes.persistence, @@ -231,11 +233,11 @@ fn sign( let priv_key_der = keystore .load_key(key::Secrecy::Secret, Some(kind), &key_id) - .expect("Failed to load an RSA private key with the given ID") + .unwrap_or_else(|_| panic!("Failed to load an RSA private key with the given ID")) .material; let priv_key = RsaPrivateKey::from_pkcs8_der(&priv_key_der) - .expect("Failed to deserialize an RSA private key from PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to deserialize an RSA private key from PKCS#8 DER")); // RSA lib takes in a hash value to sign, not raw data. // We assume we get digest into this function, too. @@ -256,7 +258,8 @@ fn sign( error!("Failed to sign message: {:?}", _err); Error::InternalError })?; - let our_signature = Signature::from_slice(&native_signature.to_bytes()).unwrap(); + let our_signature = + Signature::from_slice(&native_signature.to_bytes()).unwrap_or_else(|_| panic!()); Ok(reply::Sign { signature: our_signature, @@ -281,11 +284,11 @@ fn verify( let pub_key_der = keystore .load_key(key::Secrecy::Public, Some(kind), &key_id) - .expect("Failed to load an RSA private key with the given ID") + .unwrap_or_else(|_| panic!("Failed to load an RSA private key with the given ID")) .material; let pub_key = RsaPublicKey::from_public_key_der(&pub_key_der) - .expect("Failed to deserialize an RSA private key from PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to deserialize an RSA private key from PKCS#8 DER")); let verification_ok = pub_key .verify( @@ -310,10 +313,10 @@ fn decrypt( let priv_key_der = keystore .load_key(key::Secrecy::Secret, Some(kind), &key_id) - .expect("Failed to load an RSA private key with the given ID") + .unwrap_or_else(|_| panic!("Failed to load an RSA private key with the given ID")) .material; let priv_key = RsaPrivateKey::from_pkcs8_der(&priv_key_der) - .expect("Failed to deserialize an RSA private key from PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to deserialize an RSA private key from PKCS#8 DER")); let res = priv_key .decrypt(Pkcs1v15Encrypt, &request.message) @@ -341,10 +344,10 @@ fn rsa_raw( ) -> Result, Error> { let priv_key_der = keystore .load_key(key::Secrecy::Secret, Some(kind), &key_id) - .expect("Failed to load an RSA private key with the given ID") + .unwrap_or_else(|_| panic!("Failed to load an RSA private key with the given ID")) .material; let priv_key = RsaPrivateKey::from_pkcs8_der(&priv_key_der) - .expect("Failed to deserialize an RSA private key from PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to deserialize an RSA private key from PKCS#8 DER")); let c = rsa::BigUint::from_bytes_be(plaintext); let res = rsa::hazmat::rsa_decrypt(Some(rng), &priv_key, &c).map_err(|_err| { @@ -356,8 +359,10 @@ fn rsa_raw( let expected_len = bits / 8; assert!(data.len() <= expected_len); let mut bytes = Bytes::new(); - bytes.resize(expected_len - data.len(), 0).unwrap(); - bytes.extend_from_slice(data).unwrap(); + bytes + .resize(expected_len - data.len(), 0) + .unwrap_or_else(|_| panic!()); + bytes.extend_from_slice(data).unwrap_or_else(|_| panic!()); bytes } @@ -417,7 +422,7 @@ fn unsafe_inject_key( let private_key_der = private_key .to_pkcs8_der() - .expect("Failed to serialize an RSA 2K private key to PKCS#8 DER"); + .unwrap_or_else(|_| panic!("Failed to serialize an RSA 2K private key to PKCS#8 DER")); let private_key_id = keystore.store_key( request.attributes.persistence,