Bump cryptographic dependencies

- age-plugin 0.4
- bech32 0.9
- p256 0.11
- sha2 0.10
- x509-parser 0.14
- yubikey 0.7
Jack Grigg
2022-12-30 03:49:26 +00:00
parent e78871d6f3
commit f45ff653b8
6 changed files with 279 additions and 227 deletions
+22 -7
@@ -1,10 +1,14 @@
use age_core::{
format::{FileKey, Stanza},
primitives::{aead_encrypt, hkdf},
primitives::aead_encrypt,
secrecy::ExposeSecret,
};
use p256::{ecdh::EphemeralSecret, elliptic_curve::sec1::ToEncodedPoint};
use p256::{
ecdh::EphemeralSecret,
elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint},
};
use rand::rngs::OsRng;
use sha2::Sha256;
use crate::{p256::Recipient, STANZA_TAG};
@@ -23,7 +27,11 @@ pub(crate) struct EphemeralKeyBytes(p256::EncodedPoint);
impl EphemeralKeyBytes {
fn from_bytes(bytes: [u8; EPK_BYTES]) -> Option<Self> {
let encoded = p256::EncodedPoint::from_bytes(&bytes).ok()?;
if encoded.is_compressed() && encoded.decompress().is_some() {
if encoded.is_compressed()
&& p256::PublicKey::from_encoded_point(&encoded)
.is_some()
.into()
{
Some(EphemeralKeyBytes(encoded))
} else {
None
@@ -39,9 +47,9 @@ impl EphemeralKeyBytes {
}
pub(crate) fn decompress(&self) -> p256::EncodedPoint {
self.0
.decompress()
.expect("EphemeralKeyBytes is a valid compressed encoding by construction")
// EphemeralKeyBytes is a valid compressed encoding by construction.
let p = p256::PublicKey::from_encoded_point(&self.0).unwrap();
p.to_encoded_point(false)
}
}
@@ -111,7 +119,14 @@ impl RecipientLine {
salt.extend_from_slice(epk_bytes.as_bytes());
salt.extend_from_slice(pk.to_encoded().as_bytes());
let enc_key = hkdf(&salt, STANZA_KEY_LABEL, shared_secret.as_bytes());
let enc_key = {
let mut okm = [0; 32];
shared_secret
.extract::<Sha256>(Some(&salt))
.expand(STANZA_KEY_LABEL, &mut okm)
.expect("okm is the correct length");
okm
};
let encrypted_file_key = {
let mut key = [0; ENCRYPTED_FILE_KEY_BYTES];
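Review bot: Nothing in this section pins the new `shared_secret.extract::<Sha256>(Some(&salt)).expand(STANZA_KEY_LABEL, &mut okm)` derivation in `RecipientLine` to the output of the `hkdf(&salt, STANZA_KEY_LABEL, shared_secret.as_bytes())` call it replaces. The unwrapping side is not visible here; if it still derives the key through the `age_core` helper, any difference in salt or info handling would leave newly written stanzas undecryptable (inferred, confirm against the decrypt path). A known-answer test with a fixed shared secret and salt that compares both derivations would guard this. A comment above the block would also help, such as `// Must stay byte-identical to age_core::primitives::hkdf(&salt, STANZA_KEY_LABEL, ikm).` The enclosing function starts and ends outside the hunk.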
+5 -1
@@ -393,7 +393,11 @@ fn main() -> Result<(), Error> {
x509_parser::parse_x509_certificate(key.certificate().as_ref())
.unwrap();
let (name, _) = util::extract_name(&cert, true).unwrap();
let created = cert.validity().not_before.to_rfc2822();
let created = cert
.validity()
.not_before
.to_rfc2822()
.unwrap_or_else(|e| format!("Invalid date: {}", e));
format!("{}, created: {}", name, created)
})
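Review bot: The fallback `.unwrap_or_else(|e| format!("Invalid date: {}", e))` on `created` is written out here and again in the `Metadata` construction later in this commit, so the two renderings of a certificate's `not_before` can drift apart. A small shared helper that takes the certificate and returns the display string would keep them identical and give one place to decide what an unrepresentable date looks like. The field also now carries either an RFC 2822 date or free-form error text, which deserves a short comment such as `// May hold "Invalid date: …" instead of an RFC 2822 timestamp.` The enclosing closure starts outside the hunk.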
+1 -1
@@ -60,7 +60,7 @@ impl Recipient {
/// This accepts both compressed (as used by the plugin) and uncompressed (as used in
/// the YubiKey certificate) encodings.
fn from_encoded(encoded: &p256::EncodedPoint) -> Option<Self> {
p256::PublicKey::from_encoded_point(encoded).map(Recipient)
Option::from(p256::PublicKey::from_encoded_point(encoded)).map(Recipient)
}
/// Returns the compressed SEC-1 encoding of this recipient.
+9 -2
@@ -122,7 +122,10 @@ impl Metadata {
// https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
let policies = |c: &X509Certificate| {
c.tbs_certificate
.find_extension(&Oid::from(POLICY_EXTENSION_OID).unwrap())
.get_extension_unique(&Oid::from(POLICY_EXTENSION_OID).unwrap())
// If the extension is duplicated, we assume it is invalid.
.ok()
.flatten()
// If the encoded extension doesn't have 2 bytes, we assume it is invalid.
.filter(|policy| policy.value.len() >= 2)
.map(|policy| {
@@ -170,7 +173,11 @@ impl Metadata {
serial: yubikey.serial(),
slot,
name,
created: cert.validity().not_before.to_rfc2822(),
created: cert
.validity()
.not_before
.to_rfc2822()
.unwrap_or_else(|e| format!("Invalid date: {}", e)),
pin_policy,
touch_policy,
})
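Review bot: In the `policies` closure, `.ok().flatten()` folds a duplicated policy extension into the same `None` as an absent one, so the caller cannot tell a malformed attestation certificate from one that carries no policy at all. How that `None` is consumed is outside this hunk; if it is rendered as a default or permissive policy, a certificate with a duplicated extension would be reported with a PIN or touch policy it never attested (inferred, confirm at the call site). I would extend the existing comment to state the contract, e.g. `// Duplicate or missing extension => None; callers must treat None as "policy unknown".` The closure body continues past the end of its hunk.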