Upgrade der to version 0.7.9

Signed-off-by: Wei Liu <[email protected]>

src/attestation/Cargo.toml

@@ -7,7 +7,7 @@ edition = "2021"
 
 [dependencies]
 crypto = { path = "../crypto" }
-der = { version = "0.5.1", features = ["oid", "alloc", "derive"] }
+der = { version = "0.7.9", features = ["oid", "alloc", "derive"] }
 spin = "0.9.2"
 tdx-tdcall = { path = "../../deps/td-shim/tdx-tdcall"}
 td-payload = { path = "../../deps/td-shim/td-payload", features = ["tdx"] }

src/attestation/src/root_ca.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 
 use crypto::x509::Certificate;
-use der::Decodable;
+use der::Decode;
 use spin::Once;
 
 use crate::Error;

src/crypto/Cargo.toml

@@ -7,7 +7,7 @@ edition = "2021"
 
 [dependencies]
 bytes = { version="1", default-features=false }
-der = {version = "0.5.1", features = ["oid", "alloc", "derive"]}
+der = {version = "0.7.9", features = ["oid", "alloc", "derive"]}
 global = { path = "../global" }
 log = "0.4.13"
 ring = { version = "0.17.6" }

src/crypto/fuzz/Cargo.toml

@@ -13,7 +13,7 @@ libfuzzer-sys = {version = "0.4", optional = true }
 afl = {version = "*", optional = true }
 log = "0.4.13"
 arbitrary = "=1.1.3"
-der = {version = "0.5.1", features = ["oid", "alloc", "derive"]}
+der = {version = "0.7.9", features = ["oid", "alloc", "derive"]}
 serde = "=1.0.198"
 
 [dependencies.crypto]

src/crypto/fuzz/fuzz_targets/afl_certchain.rs

@@ -1,6 +1,6 @@
 use crypto::resolve::{get_cert_from_certchain, parse_extensions};
 use crypto::x509::Certificate;
-use der::Decodable;
+use der::Decode;
 
 
 fn main() {

src/crypto/fuzz/fuzz_targets/certchain.rs

@@ -3,7 +3,7 @@ use libfuzzer_sys::fuzz_target;
 
 use crypto::resolve::{get_cert_from_certchain, parse_extensions};
 use crypto::x509::Certificate;
-use der::Decodable;
+use der::Decode;
 
 fuzz_target!(|data: &[u8]| {
     // fuzzed code goes here

src/crypto/src/ek_cert.rs

@@ -3,8 +3,8 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use alloc::vec;
-use der::asn1::{BitString, ObjectIdentifier, OctetString, SetOfVec, Utf8String};
-use der::{Any, Encodable, Tag};
+use der::asn1::{BitStringRef, ObjectIdentifier, OctetStringRef, SetOfVec, Utf8StringRef};
+use der::{AnyRef, Encode, Tag};
 use global::GLOBAL_TPM_DATA;
 use ring::digest;
 use ring::rand::SystemRandom;
@@ -21,10 +21,10 @@ use crate::{
     x509::{AlgorithmIdentifier, X509Error},
 };
 
-const SUBJECT_ALT_NAME: ObjectIdentifier = ObjectIdentifier::new("2.5.29.17");
-const TCG_TPM_MANUFACTURER: ObjectIdentifier = ObjectIdentifier::new("2.23.133.2.1");
-const TCG_TPM_MODEL: ObjectIdentifier = ObjectIdentifier::new("2.23.133.2.2");
-const TCG_TPM_VERSION: ObjectIdentifier = ObjectIdentifier::new("2.23.133.2.3");
+const SUBJECT_ALT_NAME: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.17");
+const TCG_TPM_MANUFACTURER: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.23.133.2.1");
+const TCG_TPM_MODEL: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.23.133.2.2");
+const TCG_TPM_VERSION: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.23.133.2.3");
 
 pub fn generate_ca_cert(
     td_quote: &[u8],
@@ -41,7 +41,7 @@ pub fn generate_ca_cert(
     // Generate x.509 certificate
     let algorithm = AlgorithmIdentifier {
         algorithm: ID_EC_PUBKEY_OID,
-        parameters: Some(Any::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes()).unwrap()),
+        parameters: Some(AnyRef::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes()).unwrap()),
     };
 
     let sig_alg = AlgorithmIdentifier {
@@ -52,13 +52,13 @@ pub fn generate_ca_cert(
     // extended key usage
     let eku: alloc::vec::Vec<ObjectIdentifier> = vec![VTPMTD_CA_EXTENDED_KEY_USAGE];
     let eku = eku
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
 
     // basic constrains
     let basic_constrains: alloc::vec::Vec<bool> = vec![true];
     let basic_constrains = basic_constrains
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
 
     let x509_certificate = x509::CertificateBuilder::new(
@@ -95,19 +95,19 @@ pub fn generate_ca_cert(
     .build();
 
     x509_certificate
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))
 }
 
 fn gen_auth_key_identifier(ek_pub: &[u8]) -> Result<alloc::vec::Vec<u8>, ResolveError> {
     // authority key identifier
     let ek_pub_sha1 = digest::digest(&digest::SHA1_FOR_LEGACY_USE_ONLY, ek_pub);
-    let pub_sha1 = OctetString::new(ek_pub_sha1.as_ref())
+    let pub_sha1 = OctetStringRef::new(ek_pub_sha1.as_ref())
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
     let auth_key_identifier: AuthorityKeyIdentifier = AuthorityKeyIdentifier(pub_sha1);
     let auth_key_identifier = vec![auth_key_identifier];
     auth_key_identifier
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))
 }
 
@@ -117,9 +117,9 @@ fn gen_subject_alt_name() -> Result<alloc::vec::Vec<u8>, ResolveError> {
     let mut tcg_tpm_manufaturer = SetOfVec::new();
     let mut manufacturer = alloc::vec::Vec::new();
     manufacturer.extend_from_slice(&tpm2_caps.manufacturer.to_be_bytes());
-    let _ = tcg_tpm_manufaturer.add(DistinguishedName {
+    let _ = tcg_tpm_manufaturer.insert(DistinguishedName {
         attribute_type: TCG_TPM_MANUFACTURER,
-        value: Utf8String::new(manufacturer.as_slice()).unwrap().into(),
+        value: Utf8StringRef::new(manufacturer.as_slice()).unwrap().into(),
     });
 
     let mut tcg_tpm_model = SetOfVec::new();
@@ -128,25 +128,25 @@ fn gen_subject_alt_name() -> Result<alloc::vec::Vec<u8>, ResolveError> {
     model.extend_from_slice(&tpm2_caps.vendor_2.to_be_bytes());
     model.extend_from_slice(&tpm2_caps.vendor_3.to_be_bytes());
     model.extend_from_slice(&tpm2_caps.vendor_4.to_be_bytes());
-    let _ = tcg_tpm_model.add(DistinguishedName {
+    let _ = tcg_tpm_model.insert(DistinguishedName {
         attribute_type: TCG_TPM_MODEL,
-        value: Utf8String::new(model.as_slice()).unwrap().into(),
+        value: Utf8StringRef::new(model.as_slice()).unwrap().into(),
     });
 
     let mut tcg_tpm_version = SetOfVec::new();
     let mut version = alloc::vec::Vec::new();
     version.extend_from_slice(&tpm2_caps.version_1.to_be_bytes());
     version.extend_from_slice(&tpm2_caps.version_2.to_be_bytes());
-    let _ = tcg_tpm_version.add(DistinguishedName {
+    let _ = tcg_tpm_version.insert(DistinguishedName {
         attribute_type: TCG_TPM_VERSION,
-        value: Utf8String::new(version.as_slice()).unwrap().into(),
+        value: Utf8StringRef::new(version.as_slice()).unwrap().into(),
     });
 
     let sub_alt_name = vec![tcg_tpm_manufaturer, tcg_tpm_model, tcg_tpm_version];
     let sub_alt_name: SubjectAltName = SubjectAltName(sub_alt_name);
     let sub_alt_name = vec![sub_alt_name];
     sub_alt_name
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))
 }
 
@@ -164,7 +164,7 @@ pub fn generate_ek_cert(
     // Generate x.509 certificate
     let algorithm = AlgorithmIdentifier {
         algorithm: ID_EC_PUBKEY_OID,
-        parameters: Some(Any::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes()).unwrap()),
+        parameters: Some(AnyRef::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes()).unwrap()),
     };
 
     let sig_alg = AlgorithmIdentifier {
@@ -175,24 +175,24 @@ pub fn generate_ek_cert(
     // basic constrains
     let basic_constrains: alloc::vec::Vec<bool> = vec![false];
     let basic_constrains = basic_constrains
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
 
     // extended key usage
     let eku: alloc::vec::Vec<ObjectIdentifier> = vec![TCG_EK_CERTIFICATE];
     let eku = eku
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
 
     // authority key identifier
     let auth_key_identifier = gen_auth_key_identifier(ek_pub)?;
 
     // follow ek-credential spec Section 3.2.
     // keyAgreement (4) refers to https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
-    let ku = BitString::new(0, &[0x08])
+    let ku = BitStringRef::new(0, &[0x08])
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
     let ku = ku
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
 
     // subject alt name
@@ -228,6 +228,6 @@ pub fn generate_ek_cert(
         .build();
 
     x509_certificate
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))
 }

src/crypto/src/resolve.rs

@@ -8,7 +8,7 @@ use super::x509::{AlgorithmIdentifier, ExtendedKeyUsage, Extensions};
 use crate::x509::Certificate;
 use alloc::vec;
 use der::asn1::ObjectIdentifier;
-use der::{Any, Decodable, Encodable, Tag};
+use der::{AnyRef, Decode, Encode, Tag};
 use ring::digest;
 use ring::pkcs8::Document;
 use ring::rand::SystemRandom;
@@ -17,46 +17,46 @@ use spdmlib::error::{SpdmResult, SPDM_STATUS_INVALID_CERT};
 
 use tdx_tdcall::tdreport::TD_REPORT_SIZE;
 
-pub const BASIC_CONSTRAINTS: ObjectIdentifier = ObjectIdentifier::new("2.5.29.19");
-pub const SUBJECT_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new("2.5.29.14");
-pub const KEY_USAGE: ObjectIdentifier = ObjectIdentifier::new("2.5.29.15");
-pub const AUTHORITY_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new("2.5.29.35");
-pub const EXTENDED_KEY_USAGE: ObjectIdentifier = ObjectIdentifier::new("2.5.29.37");
+pub const BASIC_CONSTRAINTS: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.19");
+pub const SUBJECT_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.14");
+pub const KEY_USAGE: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.15");
+pub const AUTHORITY_KEY_IDENTIFIER: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.35");
+pub const EXTENDED_KEY_USAGE: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.5.29.37");
 
 pub const VTPMTD_EXTENDED_KEY_USAGE: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.2.1");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.2.1");
 pub const VTPMTD_CA_EXTENDED_KEY_USAGE: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.2.5");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.2.5");
 pub const EXTNID_VTPMTD_REPORT: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.2.4");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.2.4");
 pub const EXTNID_VTPMTD_QUOTE: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.2.2");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.2.2");
 pub const EXTNID_VTPMTD_EVENT_LOG: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.2.3");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.2.3");
 
 pub const TDVF_EXTENDED_KEY_USAGE: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.3.1");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.3.1");
 pub const EXTNID_TDVF_REPORT: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.3.4");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.3.4");
 pub const EXTNID_TDVF_QUOTE: ObjectIdentifier =
-    ObjectIdentifier::new("2.16.840.1.113741.1.5.5.3.2");
+    ObjectIdentifier::new_unwrap("2.16.840.1.113741.1.5.5.3.2");
 
-pub const SERVER_AUTH: ObjectIdentifier = ObjectIdentifier::new("1.3.6.1.5.5.7.3.1");
-pub const CLIENT_AUTH: ObjectIdentifier = ObjectIdentifier::new("1.3.6.1.5.5.7.3.2");
+pub const SERVER_AUTH: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.3.1");
+pub const CLIENT_AUTH: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.6.1.5.5.7.3.2");
 
-pub const TCG_EK_CERTIFICATE: ObjectIdentifier = ObjectIdentifier::new("2.23.133.8.1");
+pub const TCG_EK_CERTIFICATE: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.23.133.8.1");
 
 // As specified in https://datatracker.ietf.org/doc/html/rfc5480#appendix-A
 // id-ecPublicKey OBJECT IDENTIFIER ::= {
 //     iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1
 // }
-pub const ID_EC_PUBKEY_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.10045.2.1");
+pub const ID_EC_PUBKEY_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.2.1");
 // secp384r1 OBJECT IDENTIFIER ::= {
 //     iso(1) identified-organization(3) certicom(132) curve(0) 34
 // }
-pub const SECP384R1_OID: ObjectIdentifier = ObjectIdentifier::new("1.3.132.0.34");
+pub const SECP384R1_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.3.132.0.34");
 
-pub const ID_EC_SIG_OID: ObjectIdentifier = ObjectIdentifier::new("1.2.840.10045.4.3.3");
+pub const ID_EC_SIG_OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.4.3.3");
 
 #[derive(Debug)]
 pub enum ResolveError {
@@ -115,7 +115,7 @@ pub fn generate_certificate(
     // Generate x.509 certificate
     let algorithm = AlgorithmIdentifier {
         algorithm: ID_EC_PUBKEY_OID,
-        parameters: Some(Any::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes()).unwrap()),
+        parameters: Some(AnyRef::new(Tag::ObjectIdentifier, SECP384R1_OID.as_bytes()).unwrap()),
     };
 
     let sig_alg = AlgorithmIdentifier {
@@ -125,7 +125,7 @@ pub fn generate_certificate(
 
     let eku = vec![VTPMTD_EXTENDED_KEY_USAGE];
     let eku = eku
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))?;
     let x509_certificate =
         x509::CertificateBuilder::new(sig_alg, algorithm, key_pair.public_key().as_ref(), true)?
@@ -152,7 +152,7 @@ pub fn generate_certificate(
             .build();
 
     x509_certificate
-        .to_vec()
+        .to_der()
         .map_err(|e| ResolveError::GenerateCertificate(X509Error::DerEncoding(e)))
 }