Merge pull request #825 from ginglis13/migrate-ring-aws-lc-rs

Use `aws-lc-rs` in place of `ring`

deny.toml

@@ -74,6 +74,8 @@ skip = [
     { name = "regex-syntax", version = "=0.6" },
     # noxious, used for testing, is using an old version of tokio-util
     { name = "tokio-util", version = "=0.6.10" },
+    # aws-lc-rs uses an older version of untrusted
+    { name = "untrusted", version = "=0.7.1" },
     # tokio and mio are bringing in older versions of windows libraries while other
     # libraries, are bringing in newer versions
     { name = "windows-sys", version = "=0.48" },

tough-kms/Cargo.toml

@@ -15,7 +15,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-kms/rustls"]
 
 [dependencies]
 tough = { version = "0.18", path = "../tough", features = ["http"] }
-ring = { version = "0.17", features = ["std"] }
+aws-lc-rs = { version = "1", features = ["prebuilt-nasm"] }
 aws-sdk-kms = "1"
 aws-config = "1"
 snafu = { version = "0.8", features = ["backtraces-impl-backtrace-crate"] }

tough-kms/src/lib.rs

@@ -22,10 +22,10 @@
 
 mod client;
 pub mod error;
+use aws_lc_rs::digest::{digest, SHA256};
+use aws_lc_rs::rand::SecureRandom;
 use aws_sdk_kms::primitives::Blob;
 use aws_sdk_kms::Client as KmsClient;
-use ring::digest::{digest, SHA256};
-use ring::rand::SecureRandom;
 use snafu::{ensure, OptionExt, ResultExt};
 use std::collections::HashMap;
 use std::fmt;

tough-kms/tests/all_test.rs

@@ -1,9 +1,9 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: MIT OR Apache-2.0
 mod test_utils;
+use aws_lc_rs::rand::SystemRandom;
 use base64::engine::general_purpose::STANDARD as base64_engine;
 use base64::Engine as _;
-use ring::rand::SystemRandom;
 use serde::{Deserialize, Deserializer};
 use std::fs::File;
 use std::io::BufReader;

tough/Cargo.toml

@@ -11,6 +11,7 @@ edition = "2018"
 [dependencies]
 async-recursion = "1"
 async-trait = "0.1"
+aws-lc-rs = { version = "1", features = ["prebuilt-nasm"] }
 bytes = "1"
 chrono = { version = "0.4", default-features = false, features = ["std", "alloc", "serde", "clock"] }
 dyn-clone = "1"
@@ -23,7 +24,6 @@ olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 pem = "3"
 percent-encoding = "2"
 reqwest = { version = "0.11", optional = true, default-features = false, features = ["stream"] }
-ring = { version = "0.17", features = ["std"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde_plain = "1"
@@ -32,7 +32,9 @@ tempfile = "3"
 tokio = { version = "1", default-features = false, features = ["io-util", "sync", "fs", "rt", "time"] }
 tokio-util = { version = "0.7", features = ["io"] }
 typed-path = "0.9"
-untrusted = "0.9"
+# pinned due to aws-lc-rs locked to this version
+# https://github.com/aws/aws-lc-rs/issues/468
+untrusted = "0.7.1"
 url = "2"
 walkdir = "2"
 

tough/src/editor/mod.rs

@@ -23,9 +23,9 @@ use crate::schema::{
 use crate::transport::{IntoVec, Transport};
 use crate::{encode_filename, Limits};
 use crate::{Repository, TargetName};
+use aws_lc_rs::digest::{SHA256, SHA256_OUTPUT_LEN};
+use aws_lc_rs::rand::SystemRandom;
 use chrono::{DateTime, Utc};
-use ring::digest::{SHA256, SHA256_OUTPUT_LEN};
-use ring::rand::SystemRandom;
 use serde_json::Value;
 use snafu::{ensure, OptionExt, ResultExt};
 use std::borrow::Cow;
@@ -113,7 +113,7 @@ impl RepositoryEditor {
         }
 
         let mut digest = [0; SHA256_OUTPUT_LEN];
-        digest.copy_from_slice(ring::digest::digest(&SHA256, &root_buf).as_ref());
+        digest.copy_from_slice(aws_lc_rs::digest::digest(&SHA256, &root_buf).as_ref());
 
         let signed_root = SignedRole {
             signed: root,

tough/src/editor/signed.rs

@@ -14,10 +14,10 @@ use crate::schema::{
     Targets, Timestamp,
 };
 use async_trait::async_trait;
+use aws_lc_rs::digest::{digest, SHA256, SHA256_OUTPUT_LEN};
+use aws_lc_rs::rand::SecureRandom;
 use futures::TryStreamExt;
 use olpc_cjson::CanonicalFormatter;
-use ring::digest::{digest, SHA256, SHA256_OUTPUT_LEN};
-use ring::rand::SecureRandom;
 use serde::{Deserialize, Serialize};
 use serde_plain::derive_fromstr_from_deserialize;
 use snafu::{ensure, OptionExt, ResultExt};

tough/src/editor/targets.rs

@@ -17,8 +17,8 @@ use crate::schema::{
 use crate::transport::{IntoVec, Transport};
 use crate::{encode_filename, Limits};
 use crate::{Repository, TargetName};
+use aws_lc_rs::rand::SystemRandom;
 use chrono::{DateTime, Utc};
-use ring::rand::SystemRandom;
 use serde_json::Value;
 use snafu::{OptionExt, ResultExt};
 use std::borrow::Cow;

tough/src/error.rs

@@ -178,7 +178,7 @@ pub enum Error {
 
     #[snafu(display("Private key rejected: {}", source))]
     KeyRejected {
-        source: ring::error::KeyRejected,
+        source: aws_lc_rs::error::KeyRejected,
         backtrace: Backtrace,
     },
 
@@ -378,7 +378,7 @@ pub enum Error {
 
     #[snafu(display("Failed to sign message"))]
     Sign {
-        source: ring::error::Unspecified,
+        source: aws_lc_rs::error::Unspecified,
         backtrace: Backtrace,
     },
 

tough/src/io.rs

@@ -2,9 +2,9 @@
 // SPDX-License-Identifier: MIT OR Apache-2.0
 
 use crate::{error, transport::TransportStream, TransportError};
+use aws_lc_rs::digest::{Context, SHA256};
 use futures::StreamExt;
 use futures_core::Stream;
-use ring::digest::{Context, SHA256};
 use std::{convert::TryInto, path::Path, task::Poll};
 use tokio::fs;
 use url::Url;

tough/src/schema/key.rs

@@ -4,9 +4,9 @@
 
 use crate::schema::decoded::{Decoded, EcdsaFlex, Hex, RsaPem};
 use crate::schema::error::{self, Result};
+use aws_lc_rs::digest::{digest, SHA256};
+use aws_lc_rs::signature::VerificationAlgorithm;
 use olpc_cjson::CanonicalFormatter;
-use ring::digest::{digest, SHA256};
-use ring::signature::VerificationAlgorithm;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use snafu::ResultExt;
@@ -163,33 +163,29 @@ impl Key {
                 keyval,
                 ..
             } => (
-                &ring::signature::ECDSA_P256_SHA256_ASN1,
+                &aws_lc_rs::signature::ECDSA_P256_SHA256_ASN1,
                 untrusted::Input::from(&keyval.public),
             ),
             Key::Ed25519 {
                 scheme: Ed25519Scheme::Ed25519,
                 keyval,
                 ..
             } => (
-                &ring::signature::ED25519,
+                &aws_lc_rs::signature::ED25519,
                 untrusted::Input::from(&keyval.public),
             ),
             Key::Rsa {
                 scheme: RsaScheme::RsassaPssSha256,
                 keyval,
                 ..
             } => (
-                &ring::signature::RSA_PSS_2048_8192_SHA256,
+                &aws_lc_rs::signature::RSA_PSS_2048_8192_SHA256,
                 untrusted::Input::from(&keyval.public),
             ),
         };
 
-        alg.verify(
-            public_key,
-            untrusted::Input::from(msg),
-            untrusted::Input::from(signature),
-        )
-        .is_ok()
+        alg.verify_sig(public_key.as_slice_less_safe(), msg, signature)
+            .is_ok()
     }
 }
 
@@ -207,7 +203,7 @@ impl FromStr for Key {
                 _extra: HashMap::new(),
             })
         } else if let Ok(public) = serde_plain::from_str::<Decoded<Hex>>(s) {
-            if public.len() == ring::signature::ED25519_PUBLIC_KEY_LEN {
+            if public.len() == aws_lc_rs::signature::ED25519_PUBLIC_KEY_LEN {
                 Ok(Key::Ed25519 {
                     keyval: Ed25519Key {
                         public,

tough/src/schema/mod.rs

@@ -17,11 +17,11 @@ use crate::schema::key::Key;
 use crate::sign::Sign;
 pub use crate::transport::{FilesystemTransport, Transport};
 use crate::{encode_filename, TargetName};
+use aws_lc_rs::digest::{digest, Context, SHA256};
 use chrono::{DateTime, Utc};
 use globset::{Glob, GlobMatcher};
 use hex::ToHex;
 use olpc_cjson::CanonicalFormatter;
-use ring::digest::{digest, Context, SHA256};
 use serde::de::Error as SerdeDeError;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 use serde_json::Value;

tough/src/schema/spki.rs

@@ -18,7 +18,7 @@
 //! [2]: https://docs.rs/ring/0.14.6/ring/signature/index.html#signing-and-verifying-with-rsa-pkcs1-15-padding
 
 use super::error::{self, Compat, Result};
-use ring::io::der;
+use aws_lc_rs::io::der;
 use snafu::{OptionExt, ResultExt};
 use untrusted::Input;
 
@@ -62,12 +62,12 @@ pub(super) fn decode(
         .map_err(Compat)
         .context(error::PemDecodeSnafu)?;
     Ok(untrusted::Input::from(pem.contents())
-        .read_all(ring::error::Unspecified, |input| {
+        .read_all(aws_lc_rs::error::Unspecified, |input| {
             der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(|spki| {
-                spki.read_all(ring::error::Unspecified, |input| {
+                spki.read_all(aws_lc_rs::error::Unspecified, |input| {
                     der::expect_tag_and_get_value(input, der::Tag::Sequence).and_then(
                         |alg_ident| {
-                            alg_ident.read_all(ring::error::Unspecified, |input| {
+                            alg_ident.read_all(aws_lc_rs::error::Unspecified, |input| {
                                 let expected_tag_value =
                                     der::expect_tag_and_get_value(input, der::Tag::OID)?;
 
@@ -80,7 +80,7 @@ pub(super) fn decode(
                                 if expected_tag_value.as_slice_less_safe()
                                     != algo_encode_oid.as_slice_less_safe()
                                 {
-                                    return Err(ring::error::Unspecified);
+                                    return Err(aws_lc_rs::error::Unspecified);
                                 }
 
                                 if let Some(parameters_oid) = parameters_oid {
@@ -92,7 +92,7 @@ pub(super) fn decode(
                                     if expected_tag_value.as_slice_less_safe()
                                         != param_encode_oid.as_slice_less_safe()
                                     {
-                                        return Err(ring::error::Unspecified);
+                                        return Err(aws_lc_rs::error::Unspecified);
                                     }
                                 } else {
                                     der::expect_tag_and_get_value(input, der::Tag::Null)?;

tough/src/sign.rs

@@ -9,8 +9,8 @@ use crate::sign::SignKeyPair::ECDSA;
 use crate::sign::SignKeyPair::ED25519;
 use crate::sign::SignKeyPair::RSA;
 use async_trait::async_trait;
-use ring::rand::{self, SecureRandom};
-use ring::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
+use aws_lc_rs::rand::SecureRandom;
+use aws_lc_rs::signature::{EcdsaKeyPair, Ed25519KeyPair, KeyPair, RsaKeyPair};
 use snafu::ResultExt;
 use std::collections::HashMap;
 use std::error::Error;
@@ -93,9 +93,14 @@ impl Sign for RsaKeyPair {
         msg: &[u8],
         rng: &(dyn SecureRandom + Sync),
     ) -> std::result::Result<Vec<u8>, Box<dyn std::error::Error + Send + Sync + 'static>> {
-        let mut signature = vec![0; self.public().modulus_len()];
-        self.sign(&ring::signature::RSA_PSS_SHA256, rng, msg, &mut signature)
-            .context(error::SignSnafu)?;
+        let mut signature = vec![0; self.public_modulus_len()];
+        self.sign(
+            &aws_lc_rs::signature::RSA_PSS_SHA256,
+            rng,
+            msg,
+            &mut signature,
+        )
+        .context(error::SignSnafu)?;
         Ok(signature)
     }
 }
@@ -167,11 +172,9 @@ impl Sign for SignKeyPair {
 pub fn parse_keypair(key: &[u8]) -> Result<impl Sign> {
     if let Ok(ed25519_key_pair) = Ed25519KeyPair::from_pkcs8(key) {
         Ok(SignKeyPair::ED25519(ed25519_key_pair))
-    } else if let Ok(ecdsa_key_pair) = EcdsaKeyPair::from_pkcs8(
-        &ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING,
-        key,
-        &rand::SystemRandom::new(),
-    ) {
+    } else if let Ok(ecdsa_key_pair) =
+        EcdsaKeyPair::from_pkcs8(&aws_lc_rs::signature::ECDSA_P256_SHA256_ASN1_SIGNING, key)
+    {
         Ok(SignKeyPair::ECDSA(ecdsa_key_pair))
     } else if let Ok(pem) = pem::parse(key) {
         match pem.tag() {

tough/tests/target_path_safety.rs

@@ -1,8 +1,8 @@
 mod test_utils;
 
+use aws_lc_rs::rand::SystemRandom;
 use chrono::{DateTime, TimeZone, Utc};
 use maplit::hashmap;
-use ring::rand::SystemRandom;
 use std::collections::HashMap;
 use std::num::NonZeroU64;
 use std::path::Path;

tuftool/Cargo.toml

@@ -16,6 +16,7 @@ aws-sdk-rust-rustls = ["aws-config/rustls", "aws-sdk-ssm/rustls", "aws-sdk-kms/r
 
 [dependencies]
 aws-config = "1"
+aws-lc-rs = { version = "1", features = ["prebuilt-nasm"] }
 aws-sdk-kms = "1"
 aws-sdk-ssm = "1"
 chrono = { version = "0.4", default-features = false, features = ["alloc", "std", "clock"] }
@@ -27,7 +28,6 @@ maplit = "1"
 olpc-cjson = { version = "0.1", path = "../olpc-cjson" }
 rayon = "1"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls-native-roots"] }
-ring = { version = "0.17", features = ["std"] }
 serde = "1"
 serde_json = "1"
 simplelog = "0.12"

tuftool/src/root.rs

@@ -5,11 +5,11 @@ use crate::datetime::parse_datetime;
 use crate::error::{self, Result};
 use crate::source::parse_key_source;
 use crate::{load_file, write_file};
+use aws_lc_rs::rand::SystemRandom;
 use chrono::{DateTime, Timelike, Utc};
 use clap::Parser;
 use log::warn;
 use maplit::hashmap;
-use ring::rand::SystemRandom;
 use snafu::{ensure, OptionExt, ResultExt};
 use std::collections::HashMap;
 use std::io::Write;