Bump cryptographic dependencies
- age-plugin 0.4 - bech32 0.9 - p256 0.11 - sha2 0.10 - x509-parser 0.14 - yubikey 0.7
+22
-7
@@ -1,10 +1,14 @@
|
||||
use age_core::{
|
||||
format::{FileKey, Stanza},
|
||||
primitives::{aead_encrypt, hkdf},
|
||||
primitives::aead_encrypt,
|
||||
secrecy::ExposeSecret,
|
||||
};
|
||||
use p256::{ecdh::EphemeralSecret, elliptic_curve::sec1::ToEncodedPoint};
|
||||
use p256::{
|
||||
ecdh::EphemeralSecret,
|
||||
elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint},
|
||||
};
|
||||
use rand::rngs::OsRng;
|
||||
use sha2::Sha256;
|
||||
|
||||
use crate::{p256::Recipient, STANZA_TAG};
|
||||
|
||||
@@ -23,7 +27,11 @@ pub(crate) struct EphemeralKeyBytes(p256::EncodedPoint);
|
||||
impl EphemeralKeyBytes {
|
||||
fn from_bytes(bytes: [u8; EPK_BYTES]) -> Option<Self> {
|
||||
let encoded = p256::EncodedPoint::from_bytes(&bytes).ok()?;
|
||||
if encoded.is_compressed() && encoded.decompress().is_some() {
|
||||
if encoded.is_compressed()
|
||||
&& p256::PublicKey::from_encoded_point(&encoded)
|
||||
.is_some()
|
||||
.into()
|
||||
{
|
||||
Some(EphemeralKeyBytes(encoded))
|
||||
} else {
|
||||
None
|
||||
@@ -39,9 +47,9 @@ impl EphemeralKeyBytes {
|
||||
}
|
||||
|
||||
pub(crate) fn decompress(&self) -> p256::EncodedPoint {
|
||||
self.0
|
||||
.decompress()
|
||||
.expect("EphemeralKeyBytes is a valid compressed encoding by construction")
|
||||
// EphemeralKeyBytes is a valid compressed encoding by construction.
|
||||
let p = p256::PublicKey::from_encoded_point(&self.0).unwrap();
|
||||
p.to_encoded_point(false)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -111,7 +119,14 @@ impl RecipientLine {
|
||||
salt.extend_from_slice(epk_bytes.as_bytes());
|
||||
salt.extend_from_slice(pk.to_encoded().as_bytes());
|
||||
|
||||
let enc_key = hkdf(&salt, STANZA_KEY_LABEL, shared_secret.as_bytes());
|
||||
let enc_key = {
|
||||
let mut okm = [0; 32];
|
||||
shared_secret
|
||||
.extract::<Sha256>(Some(&salt))
|
||||
.expand(STANZA_KEY_LABEL, &mut okm)
|
||||
.expect("okm is the correct length");
|
||||
okm
|
||||
};
|
||||
|
||||
let encrypted_file_key = {
|
||||
let mut key = [0; ENCRYPTED_FILE_KEY_BYTES];
|
||||
|
||||
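Review bot: `decompress` now reaches the public key through `p256::PublicKey::from_encoded_point(&self.0).unwrap()`, and the invariant that the removed `expect` carried survives only as a comment, so a panic on this line would no longer say why the encoding was trusted. Keeping the message on the panic path costs nothing: `let p = p256::PublicKey::from_encoded_point(&self.0).expect("EphemeralKeyBytes is a valid compressed encoding by construction");`. The invariant appears to hold only because `from_bytes` is the constructor used in this module and it now rejects anything `PublicKey::from_encoded_point` refuses; a doc comment on `EphemeralKeyBytes` stating that values must be built via `from_bytes` would make that contract explicit. The struct definition is only in the hunk header, so other constructors in this module cannot be ruled out from here.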
+5
-1
@@ -393,7 +393,11 @@ fn main() -> Result<(), Error> {
|
||||
x509_parser::parse_x509_certificate(key.certificate().as_ref())
|
||||
.unwrap();
|
||||
let (name, _) = util::extract_name(&cert, true).unwrap();
|
||||
let created = cert.validity().not_before.to_rfc2822();
|
||||
let created = cert
|
||||
.validity()
|
||||
.not_before
|
||||
.to_rfc2822()
|
||||
.unwrap_or_else(|e| format!("Invalid date: {}", e));
|
||||
|
||||
format!("{}, created: {}", name, created)
|
||||
})
|
||||
|
||||
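Review bot: The fallback `.unwrap_or_else(|e| format!("Invalid date: {}", e))` for the now-fallible `to_rfc2822()` is written out here and again in the `Metadata` construction later in this commit (the `created:` field), so the two user-visible strings can drift apart if one is edited. A small shared helper in `util`, e.g. `fn format_time(t: &ASN1Time) -> String` holding the same `unwrap_or_else`, would keep both call sites identical. The enclosing `main` starts before this hunk, and the `unwrap()` calls on the parsed certificate and extracted name are pre-existing context rather than part of this change.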
+1
-1
@@ -60,7 +60,7 @@ impl Recipient {
|
||||
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in
|
||||
/// the YubiKey certificate) encodings.
|
||||
fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
|
||||
p256::PublicKey::from_encoded_point(encoded).map(Recipient)
|
||||
Option::from(p256::PublicKey::from_encoded_point(encoded)).map(Recipient)
|
||||
}
|
||||
|
||||
/// Returns the compressed SEC-1 encoding of this recipient.
|
||||
|
||||
+9
-2
@@ -122,7 +122,10 @@ impl Metadata {
|
||||
// https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
|
||||
let policies = |c: &X509Certificate| {
|
||||
c.tbs_certificate
|
||||
.find_extension(&Oid::from(POLICY_EXTENSION_OID).unwrap())
|
||||
.get_extension_unique(&Oid::from(POLICY_EXTENSION_OID).unwrap())
|
||||
// If the extension is duplicated, we assume it is invalid.
|
||||
.ok()
|
||||
.flatten()
|
||||
// If the encoded extension doesn't have 2 bytes, we assume it is invalid.
|
||||
.filter(|policy| policy.value.len() >= 2)
|
||||
.map(|policy| {
|
||||
@@ -170,7 +173,11 @@ impl Metadata {
|
||||
serial: yubikey.serial(),
|
||||
slot,
|
||||
name,
|
||||
created: cert.validity().not_before.to_rfc2822(),
|
||||
created: cert
|
||||
.validity()
|
||||
.not_before
|
||||
.to_rfc2822()
|
||||
.unwrap_or_else(|e| format!("Invalid date: {}", e)),
|
||||
pin_policy,
|
||||
touch_policy,
|
||||
})
|
||||
|
||||
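Review bot: The comment above `.ok()` describes only the duplicated-extension case, but `.ok().flatten()` maps every `Err` from `get_extension_unique` to `None`, so any other or future error variant becomes indistinguishable from a missing policy extension. Either widen the comment to match the code, e.g. `// Any lookup error (including a duplicated extension) is treated as the extension being absent.`, or match on the error so that only the duplicate case is deliberately swallowed and anything else is surfaced. The closure body continues past the end of the hunk, so how the `None` case is resolved is not visible here.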