Merge branch 'main' into missing_recoverid_two

2025-07-21 07:03:56 +02:00 · 2025-03-03 08:52:32 +01:00 · 2025-03-03 08:52:32 +01:00 · bece17f7bf
commit bece17f7bf
parent a6ea98a096 bce991f77c
6 changed files with 70 additions and 52 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -48,7 +48,7 @@ pgp = "0.15"
 pkcs8 = { version = "0.10" }
 reqwest = { version = "0.12", features = ["json"] }
 rsa = { version = "0.9.6", features = ["sha2", "pem"] }
-rustls = { version = "0.23.20" }
+rustls = { version = "0.23.20", default-features = false, features = ["std", "logging", "tls12", "ring"] }
 secp256k1 = { version = "0.30", features = ["rand", "global-context"] }
 serde = { version = "1", features = ["derive", "rc"] }
 serde_json = "1"
--- a/bin/tee-vault-admin/src/main.rs
+++ b/bin/tee-vault-admin/src/main.rs
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023-2024 Matter Labs
+// Copyright (c) 2023-2025 Matter Labs

 //! Server to handle requests to the Vault TEE

@ -9,26 +9,27 @@ mod command;
 mod digest;
 mod sign;

-use actix_web::web::Data;
-use actix_web::{web, App, HttpServer};
+use actix_web::{web, web::Data, App, HttpServer};
 use anyhow::{Context, Result};
 use clap::Parser;
 use command::post_command;
 use digest::get_digest;
 use rustls::ServerConfig;
 use sign::post_sign;
-use std::net::Ipv6Addr;
-use std::sync::Arc;
-use teepot::json::http::{SignRequest, VaultCommandRequest, DIGEST_URL};
-use teepot::server::attestation::{get_quote_and_collateral, VaultAttestationArgs};
-use teepot::server::new_json_cfg;
-use teepot::server::pki::make_self_signed_cert;
-use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel};
+use std::{net::Ipv6Addr, sync::Arc};
+use teepot::{
+    json::http::{SignRequest, VaultCommandRequest, DIGEST_URL},
+    server::{
+        attestation::{get_quote_and_collateral, VaultAttestationArgs},
+        new_json_cfg,
+        pki::make_self_signed_cert,
+    },
+    sgx::{parse_tcb_levels, EnumSet, TcbLevel},
+};
 use tracing::{error, info};
 use tracing_actix_web::TracingLogger;
 use tracing_log::LogTracer;
-use tracing_subscriber::Registry;
-use tracing_subscriber::{fmt, prelude::*, EnvFilter};
+use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};

 /// Server state
 pub struct ServerState {
@ -70,6 +71,8 @@ async fn main() -> Result<()> {
        // don't return for now, we can still serve requests but we won't be able to attest
    }

+    let _ = rustls::crypto::ring::default_provider().install_default();
+
    // init server config builder with safe defaults
    let config = ServerConfig::builder()
        .with_no_client_auth()
@ -78,8 +81,6 @@ async fn main() -> Result<()> {

    info!("Starting HTTPS server at port {}", args.port);

-    info!("Quote verified! Connection secure!");
-
    let server_state = Arc::new(ServerState {
        report_data,
        vault_attestation: args.attestation,
--- a/bin/tee-vault-unseal/src/main.rs
+++ b/bin/tee-vault-unseal/src/main.rs
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023-2024 Matter Labs
+// Copyright (c) 2023-2025 Matter Labs

 //! Server to initialize and unseal the Vault TEE.

@ -9,27 +9,33 @@
 mod init;
 mod unseal;

-use actix_web::rt::time::sleep;
-use actix_web::web::Data;
-use actix_web::{web, App, HttpServer};
+use actix_web::{rt::time::sleep, web, web::Data, App, HttpServer};
 use anyhow::{bail, Context, Result};
 use awc::Client;
 use clap::Parser;
 use init::post_init;
 use rustls::ServerConfig;
-use std::fmt::Debug;
-use std::io::Read;
-use std::net::Ipv6Addr;
-use std::path::PathBuf;
-use std::sync::{Arc, RwLock};
-use std::time::Duration;
-use teepot::client::{AttestationArgs, TeeConnection};
-use teepot::json::http::{Init, Unseal};
-use teepot::json::secrets::AdminConfig;
-use teepot::server::attestation::{get_quote_and_collateral, VaultAttestationArgs};
-use teepot::server::new_json_cfg;
-use teepot::server::pki::make_self_signed_cert;
-use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel};
+use std::{
+    fmt::Debug,
+    io::Read,
+    net::Ipv6Addr,
+    path::PathBuf,
+    sync::{Arc, RwLock},
+    time::Duration,
+};
+use teepot::{
+    client::{AttestationArgs, TeeConnection},
+    json::{
+        http::{Init, Unseal},
+        secrets::AdminConfig,
+    },
+    server::{
+        attestation::{get_quote_and_collateral, VaultAttestationArgs},
+        new_json_cfg,
+        pki::make_self_signed_cert,
+    },
+    sgx::{parse_tcb_levels, EnumSet, TcbLevel},
+};
 use tracing::{error, info};
 use tracing_log::LogTracer;
 use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
@ -136,6 +142,8 @@ async fn main() -> Result<()> {

    let (report_data, cert_chain, priv_key) = make_self_signed_cert("CN=localhost", None)?;

+    let _ = rustls::crypto::ring::default_provider().install_default();
+
    // init server config builder with safe defaults
    let config = ServerConfig::builder()
        .with_no_client_auth()
--- a/bin/vault-admin/README.md
+++ b/bin/vault-admin/README.md
@ -9,7 +9,7 @@
 Verified signature for `81A312C59D679D930FA9E8B06D728F29A2DBABF8`

 ❯ RUST_LOG=info cargo run -p vault-admin -- \
-  send \
+  command \
   --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d \
   --sgx-allowed-tcb-levels SwHardeningNeeded \
   --server https://127.0.0.1:8444 \
--- a/bin/vault-admin/src/main.rs
+++ b/bin/vault-admin/src/main.rs
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023-2024 Matter Labs
+// Copyright (c) 2023-2025 Matter Labs

 use anyhow::{anyhow, bail, Context, Result};
 use clap::{Args, Parser, Subcommand};
@ -117,8 +117,6 @@ async fn main() -> Result<()> {
        &args.log_level,
    )?)?;

-    info!("Quote verified! Connection secure!");
-
    match args.cmd {
        SubCommands::Command(args) => send_commands(args).await?,
        SubCommands::SignTee(args) => send_sig_request(args).await?,
--- a/crates/teepot/src/client/mod.rs
+++ b/crates/teepot/src/client/mod.rs
@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (c) 2023-2024 Matter Labs
+// Copyright (c) 2023-2025 Matter Labs

 //! Helper functions for CLI clients to verify Intel SGX enclaves and other TEEs.

@ -8,29 +8,36 @@

 pub mod vault;

-pub use crate::quote::verify_quote_with_collateral;
-pub use crate::quote::QuoteVerificationResult;
-use crate::quote::Report;
-use crate::server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension};
-use crate::sgx::Quote;
-pub use crate::sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel};
+use crate::{
+    quote::Report,
+    server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension},
+    sgx::Quote,
+};
+pub use crate::{
+    quote::{verify_quote_with_collateral, QuoteVerificationResult},
+    sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel},
+};
 use actix_web::http::header;
 use anyhow::Result;
 use awc::{Client, Connector};
 use clap::Args;
 use const_oid::AssociatedOid;
 use intel_tee_quote_verification_rs::Collateral;
-use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerifier};
-use rustls::client::WebPkiServerVerifier;
-use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
-use rustls::{ClientConfig, DigitallySignedStruct, Error, SignatureScheme};
+use rustls::{
+    client::{
+        danger::{HandshakeSignatureValid, ServerCertVerifier},
+        WebPkiServerVerifier,
+    },
+    pki_types::{CertificateDer, ServerName, UnixTime},
+    ClientConfig, DigitallySignedStruct, Error, SignatureScheme,
+};
 use sha2::{Digest, Sha256};
-use std::sync::Arc;
-use std::time;
-use std::time::Duration;
+use std::{sync::Arc, time, time::Duration};
 use tracing::{debug, error, info, trace, warn};
-use x509_cert::der::{Decode as _, Encode as _};
-use x509_cert::Certificate;
+use x509_cert::{
+    der::{Decode as _, Encode as _},
+    Certificate,
+};

 /// Options and arguments needed to attest a TEE
 #[derive(Args, Debug, Clone)]
@ -63,6 +70,8 @@ impl TeeConnection {
    /// This will verify the attestation report and check that the enclave
    /// is running the expected code.
    pub fn new(args: &AttestationArgs) -> Self {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+
        let tls_config = Arc::new(
            ClientConfig::builder()
                .dangerous()
@ -260,6 +269,8 @@ impl TeeConnection {
                    }
                }

+                info!("Quote verified! Connection secure!");
+
                Ok(rustls::client::danger::ServerCertVerified::assertion())
            }