diff --git a/Cargo.lock b/Cargo.lock index 47f1bba77..d6ff41c38 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -151,7 +151,7 @@ checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", "synstructure", ] @@ -163,7 +163,7 @@ checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -199,7 +199,7 @@ checksum = "ddf3728566eefa873833159754f5732fb0951d3649e6e5b891cc70d56dd41673" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -237,7 +237,7 @@ checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -288,9 +288,9 @@ dependencies = [ [[package]] name = "bitflags" -version = "2.10.0" +version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" +checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" [[package]] name = "bitvec" @@ -549,7 +549,7 @@ name = "c2pa_macros" version = "0.75.21" dependencies = [ "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -610,16 +610,16 @@ dependencies = [ "quote", "serde", "serde_json", - "syn 2.0.115", + "syn 2.0.116", "tempfile", "toml 0.9.12+spec-1.1.0", ] [[package]] name = "cc" -version = "1.2.55" +version = "1.2.56" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" +checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2" dependencies = [ "find-msvc-tools", "shlex", 
@@ -699,9 +699,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.58" +version = "4.5.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "63be97961acde393029492ce0be7a1af7e323e6bae9511ebfac33751be5e6806" +checksum = "c5caf74d17c3aec5495110c34cc3f78644bfa89af6c8993ed4de2790e49b6499" dependencies = [ "clap_builder", "clap_derive", @@ -709,9 +709,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.58" +version = "4.5.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f13174bda5dfd69d7e947827e5af4b0f2f94a4a3ee92912fba07a66150f21e2" +checksum = "370daa45065b80218950227371916a1633217ae42b2715b2287b606dcd618e24" dependencies = [ "anstream", "anstyle", @@ -728,7 +728,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -878,6 +878,16 @@ dependencies = [ "libc", ] +[[package]] +name = "core-foundation" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.7" @@ -999,7 +1009,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -1023,7 +1033,7 @@ dependencies = [ "proc-macro2", "quote", "strsim", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -1034,7 +1044,7 @@ checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81" dependencies = [ "darling_core", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -1115,7 +1125,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] 
@@ -1325,7 +1335,7 @@ checksum = "a0aca10fb742cb43f9e7bb8467c91aa9bcb8e3ffbc6a6f7389bb93ffc920577d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -1428,9 +1438,9 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c" [[package]] name = "futures-channel" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" +checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" dependencies = [ "futures-core", "futures-sink", 
@@ -1438,38 +1448,38 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" +checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" [[package]] name = "futures-io" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" +checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" [[package]] name = "futures-macro" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" +checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] name = "futures-sink" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" +checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893" [[package]] name = "futures-task" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" +checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" [[package]] name = "futures-timer" 
@@ -1479,9 +1489,9 @@ checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24" [[package]] name = "futures-util" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" +checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" dependencies = [ "futures-core", "futures-io", @@ -1490,7 +1500,6 @@ dependencies = [ "futures-task", "memchr", "pin-project-lite", - "pin-utils", "slab", ] @@ -2194,7 +2203,7 @@ checksum = "f7946b4325269738f270bb55b3c19ab5c5040525f83fd625259422a9d25d9be5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -2248,9 +2257,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" [[package]] name = "libc" -version = "0.2.181" +version = "0.2.182" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "459427e2af2b9c839b132acb702a1c654d95e10f8c326bfc2ad11310e458b1c5" +checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" [[package]] name = "libm" @@ -2423,7 +2432,7 @@ dependencies = [ "cfg-if", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -2452,9 +2461,9 @@ dependencies = [ [[package]] name = "native-tls" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6cdede44f9a69cab2899a2049e2c3bd49bf911a157f6a3353d4a91c61abbce44" +checksum = "9d5d26952a508f321b4d3d2e80e78fc2603eaefcdf0c30783867f19586518bdc" dependencies = [ "libc", "log", 
@@ -2668,14 +2677,14 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] name = "openssl-probe" -version = "0.1.6" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" +checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" [[package]] name = "openssl-src" @@ -2900,9 +2909,9 @@ dependencies = [ [[package]] name = "png" -version = "0.18.0" +version = "0.18.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97baced388464909d42d89643fe4361939af9b7ce7a31ee32a168f832a70f2a0" +checksum = "60769b8b31b2a9f263dae2776c37b1b28ae246943cf719eb6946a1db05128a61" dependencies = [ "bitflags", "crc32fast", @@ -3000,7 +3009,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" dependencies = [ "proc-macro2", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3077,9 +3086,9 @@ checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3" [[package]] name = "quick-xml" -version = "0.39.0" +version = "0.39.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2e3bf4aa9d243beeb01a7b3bc30b77cfe2c44e24ec02d751a7104a53c2c49a1" +checksum = "bd58c6a1fc307e1092aa0bb23d204ca4d1f021764142cd0424dccc84d2d5d106" dependencies = [ "memchr", ] @@ -3291,7 +3300,7 @@ checksum = "90c1c5eb230cb591677030f8a610d10f21e8c3f84274c69e2b4840c74bef94f9" dependencies = [ "proc-macro2", "rasn-derive-impl", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3304,7 +3313,7 @@ dependencies = [ "itertools 0.13.0", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", "uuid", ] 
@@ -3387,7 +3396,7 @@ checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3653,7 +3662,7 @@ dependencies = [ "proc-macro2", "quote", "serde_derive_internals", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3678,12 +3687,12 @@ dependencies = [ [[package]] name = "security-framework" -version = "2.11.1" +version = "3.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" +checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -3691,9 +3700,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.15.0" +version = "2.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0" +checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a" dependencies = [ "core-foundation-sys", "libc", @@ -3762,7 +3771,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3773,7 +3782,7 @@ checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3858,7 +3867,7 @@ dependencies = [ "darling", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -3961,7 +3970,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4004,7 +4013,7 @@ checksum = "3cc4068497ae43896d41174586dcdc2153a1af2c82856fb308bfaaddc28e5549" dependencies = [ "iref", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] 
@@ -4023,7 +4032,7 @@ dependencies = [ "quote", "serde", "sha2", - "syn 2.0.115", + "syn 2.0.116", "thiserror 1.0.69", ] @@ -4079,9 +4088,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.115" +version = "2.0.116" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e614ed320ac28113fa64972c4262d5dbc89deacdfd00c34a3e4cea073243c12" +checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" dependencies = [ "proc-macro2", "quote", @@ -4105,7 +4114,7 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4115,7 +4124,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.9.4", "system-configuration-sys", ] @@ -4189,7 +4198,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4200,7 +4209,7 @@ checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4308,7 +4317,7 @@ checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4405,9 +4414,9 @@ dependencies = [ [[package]] name = "toml_parser" -version = "1.0.8+spec-1.1.0" +version = "1.0.9+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0742ff5ff03ea7e67c8ae6c93cac239e0d9784833362da3f9a9c1da8dfefcbdc" +checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4" dependencies = [ "winnow", ] 
@@ -4489,7 +4498,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4509,7 +4518,7 @@ checksum = "d856e22ead1fb79b9fc3cec63300086f680924f2f7b0e2701f6835a28b9c4425" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4556,9 +4565,9 @@ checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5" [[package]] name = "unicode-ident" -version = "1.0.23" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e" +checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" [[package]] name = "unicode-normalization" @@ -4659,11 +4668,11 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.20.0" +version = "1.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" +checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb" dependencies = [ - "getrandom 0.3.4", + "getrandom 0.4.1", "js-sys", "serde_core", "wasm-bindgen", @@ -4788,7 +4797,7 @@ dependencies = [ "bumpalo", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", "wasm-bindgen-shared", ] @@ -4831,7 +4840,7 @@ checksum = "f579cdd0123ac74b94e1a4a72bd963cf30ebac343f2df347da0b8df24cdebed2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -4939,7 +4948,7 @@ checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] 
@@ -4950,7 +4959,7 @@ checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -5193,7 +5202,7 @@ dependencies = [ "heck", "indexmap 2.13.0", "prettyplease", - "syn 2.0.115", + "syn 2.0.116", "wasm-metadata", "wit-bindgen-core", "wit-component", @@ -5209,7 +5218,7 @@ dependencies = [ "prettyplease", "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", "wit-bindgen-core", "wit-bindgen-rust", ] @@ -5281,7 +5290,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cb142608f932022fa7d155d8ed99649d02c56a50532e71913a5a03c7c4e288d3" dependencies = [ "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -5345,7 +5354,7 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", "synstructure", ] @@ -5366,7 +5375,7 @@ checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] @@ -5386,7 +5395,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", "synstructure", ] @@ -5407,7 +5416,7 @@ checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] 
@@ -5440,14 +5449,14 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.115", + "syn 2.0.116", ] [[package]] name = "zip" -version = "7.4.0" +version = "8.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc12baa6db2b15a140161ce53d72209dacea594230798c24774139b54ecaa980" +checksum = "6e499faf5c6b97a0d086f4a8733de6d47aee2252b8127962439d8d4311a73f72" dependencies = [ "crc32fast", "indexmap 2.13.0", diff --git a/sdk/Cargo.toml b/sdk/Cargo.toml index 90bb0ad1b..a4eea2f41 100644 --- a/sdk/Cargo.toml +++ b/sdk/Cargo.toml @@ -176,7 +176,7 @@ uuid = { version = "1.18.0", features = ["serde", "v4"] } web-time = "1.1" x509-parser = "0.18.0" zeroize = { version = "1.8", features = ["zeroize_derive"] } -zip = { version = "7.4.0", default-features = false } +zip = { version = "8.1.0", default-features = false } # Use the asm feature of sha2 on aarch64 macOS for better performance. This nearly # halves hashing time for large assets (> 50gb mp4, for example). diff --git a/sdk/src/crypto/cose/certificate_trust_policy.rs b/sdk/src/crypto/cose/certificate_trust_policy.rs index b648bba46..099db9681 100644 --- a/sdk/src/crypto/cose/certificate_trust_policy.rs +++ b/sdk/src/crypto/cose/certificate_trust_policy.rs @@ -351,6 +351,11 @@ impl CertificateTrustPolicy { } } + /// Remove the current EKUs + pub fn clear_ekus(&mut self) { + self.additional_ekus.clear(); + } + /// Set whether we only want to use system trust_achors and ignores user_anchors, /// returns last trust_anchors_value pub fn set_trust_anchors_only(&mut self, trust_anchors_only: bool) -> bool { diff --git a/sdk/src/crypto/cose/ocsp.rs b/sdk/src/crypto/cose/ocsp.rs index 23bc1853f..d7026570f 100644 --- a/sdk/src/crypto/cose/ocsp.rs +++ b/sdk/src/crypto/cose/ocsp.rs 
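Review bot: `clear_ekus` empties only `additional_ekus`, and its doc comment `/// Remove the current EKUs` does not say whether EKUs the policy may accept by default are affected. The callers added in cose/ocsp.rs and time_stamp/verify.rs rely on clear-then-`add_valid_ekus` to narrow a cloned policy to a single purpose. If EKU matching elsewhere in this type also accepts built-in purposes (not visible in this hunk), that narrowing would not hold. Once confirmed, a doc comment such as `/// Removes every EKU previously added with add_valid_ekus; the policy accepts none of them until new ones are added.` would make the contract explicit.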
@@ -28,9 +28,14 @@ use crate::{ log_item, settings::Settings, status_tracker::StatusTracker, - validation_status::{self, SIGNING_CREDENTIAL_NOT_REVOKED, SIGNING_CREDENTIAL_REVOKED}, + validation_status::{ + self, SIGNING_CREDENTIAL_NOT_REVOKED, SIGNING_CREDENTIAL_OCSP_INACCESSIBLE, + SIGNING_CREDENTIAL_REVOKED, + }, }; +const OCSP_OID_STR: &str = "1.3.6.1.5.5.7.3.9"; + /// Given a COSE signature, extract the OCSP data and validate the status of /// that report. #[async_generic(async_signature( @@ -90,14 +95,15 @@ pub fn check_ocsp_status( match get_ocsp_der(sign1) { Some(ocsp_response_der) => { - if _sync { + let mut ocsp_log = StatusTracker::default(); + let result = if _sync { check_stapled_ocsp_response( sign1, &ocsp_response_der, data, ctp, tst_info, - validation_log, + &mut ocsp_log, context.settings(), ) } else { @@ -107,11 +113,49 @@ pub fn check_ocsp_status( data, ctp, tst_info, - validation_log, + &mut ocsp_log, context.settings(), ) .await + }; + + // we only care about OCSP value log info the result is OK + if let Ok(ocsp_response) = result { + if ocsp_log.has_status(validation_status::SIGNING_CREDENTIAL_REVOKED) { + log_item!( + "", + format!( + "signing cert revoked: {}", + ocsp_response.certificate_serial_num + ), + "check_ocsp_status" + ) + .validation_status(SIGNING_CREDENTIAL_REVOKED) + .informational(validation_log); + + return Err(CoseError::CertificateTrustError( + CertificateTrustError::CertificateNotTrusted, + )); + } + + // If certificate is confirmed not revoked, return success + if ocsp_log.has_status(validation_status::SIGNING_CREDENTIAL_NOT_REVOKED) { + log_item!( + "", + format!( + "signing cert not revoked: {}", + ocsp_response.certificate_serial_num + ), + "check_ocsp_status" + ) + .validation_status(SIGNING_CREDENTIAL_NOT_REVOKED) + .informational(validation_log); + + return Ok(ocsp_response); + } } + // errors mean we don't interpret the value + Ok(OcspResponse::default()) } None => match fetch_policy { 
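Review bot: The fall-through `Ok(OcspResponse::default())` at the end of the `Some(ocsp_response_der)` arm discards everything collected in `ocsp_log`, so a stapled response that fails parsing, signature or responder checks leaves no trace in `validation_log` and looks the same as having no OCSP data at all. An `Err` from the stapled check is dropped on the same path, where the previous code returned it to the caller. Recording the discard keeps the decision auditable, for example `log_item!("", "stapled OCSP response not usable", "check_ocsp_status").informational(validation_log);` before the final return. The comment `// we only care about OCSP value log info the result is OK` is missing a word ("if the result is OK"). The enclosing match continues outside the hunk.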
@@ -244,6 +288,7 @@ fn process_ocsp_responses( } } } + Ok(OcspResponse::default()) } @@ -315,20 +360,36 @@ fn check_stapled_ocsp_response( }; // If we get a valid response, validate the certs. - if ocsp_data.revoked_at.is_none() { - if let Some(ocsp_certs) = &ocsp_data.ocsp_certs { - // if the OCSP signing cert cannot be validated do not use this response - if check_end_entity_certificate_profile( + if let Some(ocsp_certs) = &ocsp_data.ocsp_certs { + // make sure this is an OCSP signing EKU + let mut new_ctp = ctp.clone(); + new_ctp.clear_ekus(); + new_ctp.add_valid_ekus(OCSP_OID_STR.as_bytes()); // ocsp signing EKU + if check_end_entity_certificate_profile( + &ocsp_certs[0], + &new_ctp, + validation_log, + tst_info.as_ref(), + ) + .is_err() + { + return Ok(OcspResponse::default()); + } + + // validate the trust + if new_ctp + .check_certificate_trust( + ocsp_certs, &ocsp_certs[0], - ctp, - &mut current_validation_log, - tst_info.as_ref(), + signing_time.map(|t| t.timestamp()), ) .is_err() - { - return Ok(OcspResponse::default()); - } + { + return Ok(OcspResponse::default()); } + } else { + // we cannot validate the OCSP response was signed by a valid authorized responder so treat as unknown + return Ok(OcspResponse::default()); } // only append usable OCSP responses to validation_log validation_log.append(¤t_validation_log); @@ -361,6 +422,14 @@ pub(crate) fn fetch_and_check_ocsp_response( }; let Some(ocsp_response_der) = ocsp_der else { + log_item!( + "", + "signing cert not fetched".to_string(), + "fetch_and_check_ocsp_response" + ) + .validation_status(SIGNING_CREDENTIAL_OCSP_INACCESSIBLE) + .informational(validation_log); + return Ok(OcspResponse::default()); }; 
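Review bot: The new profile check passes `validation_log` where the removed code passed `&mut current_validation_log`, so entries produced while rejecting a responder certificate reach the caller's log ahead of the `// only append usable OCSP responses to validation_log` gate; passing `&mut current_validation_log,` restores that behaviour. Separately, `new_ctp.check_certificate_trust(ocsp_certs, &ocsp_certs[0], ...)` shows that the responder chains to an anchor and carries the OCSP-signing EKU, but nothing visible here ties the responder to the CA that issued the certificate whose status is reported. If that binding is not enforced elsewhere, a responder from an unrelated trusted chain could vouch for the signing certificate, so it is worth confirming and stating in a comment. The function body starts and ends outside the hunk.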
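Review bot: The log text `"signing cert not fetched"` names the wrong object: this branch runs when no OCSP response DER was obtained, and the status attached is `SIGNING_CREDENTIAL_OCSP_INACCESSIBLE`. `"OCSP response not fetched".to_string(),` would match what happened and what the status code reports. The function body continues outside the hunk.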
@@ -387,10 +456,22 @@ pub(crate) fn fetch_and_check_ocsp_response( }; // If we get a valid response validate the certs. - if ocsp_data.revoked_at.is_none() { - if let Some(ocsp_certs) = &ocsp_data.ocsp_certs { - check_end_entity_certificate_profile(&ocsp_certs[0], ctp, validation_log, None)?; + if let Some(ocsp_certs) = &ocsp_data.ocsp_certs { + // make sure this is an OCSP signing EKU + let mut new_ctp = ctp.clone(); + new_ctp.clear_ekus(); + new_ctp.add_valid_ekus(OCSP_OID_STR.as_bytes()); // ocsp signing EKU + + if check_end_entity_certificate_profile(&ocsp_certs[0], &new_ctp, validation_log, None) + .is_err() + { + return Ok(OcspResponse::default()); } + + // no need to check trust here, that is checked during validation + } else { + // OCSP response must be signed by and the cert chain provided + return Ok(OcspResponse::default()); } Ok(ocsp_data) diff --git a/sdk/src/crypto/ocsp/mod.rs b/sdk/src/crypto/ocsp/mod.rs index 05134866d..a34df7b28 100644 --- a/sdk/src/crypto/ocsp/mod.rs +++ b/sdk/src/crypto/ocsp/mod.rs @@ -13,13 +13,17 @@ //! Tools for working with OCSP responses. +use std::str::FromStr; + use chrono::{DateTime, NaiveDateTime, Utc}; use rasn_ocsp::{BasicOcspResponse, CertStatus, OcspResponseStatus}; use rasn_pkix::CrlReason; use thiserror::Error; use crate::{ - crypto::internal::time, log_item, status_tracker::StatusTracker, + crypto::{internal::time, raw_signature::RawSignatureValidationError}, + log_item, + status_tracker::StatusTracker, validation_results::validation_codes, }; 
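Review bot: The fetch path returns `ocsp_data` after only the EKU/profile check and leans on the comment `// no need to check trust here, that is checked during validation`; the step that performs that trust check is not visible in this hunk. The comment should name it, because a fetched response that is stored or reused without passing through that step would carry an unverified responder chain. A profile failure is also now swallowed into `Ok(OcspResponse::default())` where the old code propagated it with `?`, while its entries are still written to `validation_log`. The else-branch comment `// OCSP response must be signed by and the cert chain provided` is missing words; `// the OCSP response must be signed and must include the responder's certificate chain` reads as intended.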
@@ -102,9 +106,48 @@ impl OcspResponse { cert_der_vec.push(cert_der); } - if output.ocsp_certs.is_none() { + // make sure the certificate was correctly signed + + // alg used for signature + let Ok(sig_alg) = + bcder::Oid::from_str(&basic_response.signature_algorithm.algorithm.to_string()) + else { + return Ok(output); + }; + + let Some(hash_alg) = + hash_alg_for_sig_alg(&basic_response.signature_algorithm.algorithm) + else { + return Ok(output); + }; + + // grab signature value. + let sig_val = bcder::OctetString::new(bytes::Bytes::copy_from_slice( + basic_response.signature.as_raw_slice(), + )); + + // grab the to be signed data + let Ok(tbs) = rasn::der::encode(&basic_response.tbs_response_data) else { + return Ok(output); + }; + + // grab the signing key + let Ok(signing_key_der) = + rasn::der::encode(&ocsp_certs[0].tbs_certificate.subject_public_key_info) + else { + return Ok(output); + }; + + // if not valid we will not add the cert to list to be checked for trust later + if validate_ocsp_sig(&sig_alg, &hash_alg, &sig_val, &tbs, &signing_key_der).is_ok() { output.ocsp_certs = Some(cert_der_vec); + } else { + // signature failed so don't use + return Ok(OcspResponse::default()); } + } else { + // we cannot validate the OCSP response signature, so treat as unknown + return Ok(OcspResponse::default()); } for single_response in &response_data.responses { 
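Review bot: `ocsp_certs[0]` is indexed when building `signing_key_der` without a check that the list is non-empty; the certificate list comes from the OCSP response itself, so an empty sequence would panic instead of producing an unknown result (the binding of `ocsp_certs` is outside the hunk, so this assumes no earlier emptiness check). `let Some(responder) = ocsp_certs.first() else { return Ok(OcspResponse::default()); };` keeps it on the same fail-to-unknown path. The code also takes the first certificate to be the signer without comparing it to the response's responder ID, which should at least be stated in a comment. The early exits mix `return Ok(output)` with `return Ok(OcspResponse::default())`; using the latter throughout avoids handing back whatever `output` holds at that point. The comment `// make sure the certificate was correctly signed` describes the response signature, not a certificate.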
@@ -293,6 +336,38 @@ impl OcspResponse { } } +fn validate_ocsp_sig( + sig_alg: &bcder::Oid, + hash_alg: &bcder::Oid, + sig_val: &bcder::OctetString, + tbs: &[u8], + signing_key_der: &[u8], +) -> Result<(), RawSignatureValidationError> { + if let Some(validator) = + crate::crypto::raw_signature::validator_for_sig_and_hash_algs(sig_alg, hash_alg) + { + validator + .validate(&sig_val.to_bytes(), tbs, signing_key_der) + .map_err(|e| RawSignatureValidationError::CryptoLibraryError(e.to_string())) + } else { + Err(RawSignatureValidationError::UnsupportedAlgorithm) + } +} + +/// Return the hash algorithm oid for the given signature algorithm. +fn hash_alg_for_sig_alg(sig_alg: &rasn::types::ObjectIdentifier) -> Option { + match sig_alg.to_string().as_ref() { + "1.2.840.10045.4.3.2" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.1").ok()?), + "1.2.840.10045.4.3.3" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.2").ok()?), + "1.2.840.10045.4.3.4" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.3").ok()?), + "1.2.840.113549.1.1.11" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.1").ok()?), + "1.2.840.113549.1.1.12" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.2").ok()?), + "1.2.840.113549.1.1.13" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.3").ok()?), + "1.3.101.112" => Some(bcder::Oid::from_str("2.16.840.1.101.3.4.2.3").ok()?), + _ => None, + } +} + /// Describes errors that can be identified when parsing an OCSP response. #[derive(Debug, Eq, Error, PartialEq)] #[allow(unused)] // InvalidSystemTime may not exist on all platforms. diff --git a/sdk/src/crypto/raw_signature/oids.rs b/sdk/src/crypto/raw_signature/oids.rs index 2bf14927a..45f6c5097 100644 --- a/sdk/src/crypto/raw_signature/oids.rs +++ b/sdk/src/crypto/raw_signature/oids.rs 
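Review bot: `hash_alg_for_sig_alg` returns `None` for any signature algorithm outside its seven arms, and the caller then treats the response as unknown, so a responder signing with, say, RSASSA-PSS is silently ignored; if that is the intended policy the doc comment should say so. The arms are bare OID strings, which makes the mapping hard to review: a trailing comment per arm (for example `// ecdsa-with-SHA256 -> SHA-256`) or named constants would help. `Some(bcder::Oid::from_str("...").ok()?)` can be written as `bcder::Oid::from_str("...").ok()`. `validate_ocsp_sig` has no doc comment; one line saying that `signing_key_der` is the DER SubjectPublicKeyInfo of the responder certificate and `tbs` the DER-encoded response data would cover it.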
@@ -41,6 +41,7 @@ pub(crate) const SECP384R1_OID: Oid<'static> = oid!(1.3.132 .0 .34); pub(crate) const PRIME256V1_OID: Oid<'static> = oid!(1.2.840 .10045 .3 .1 .7); pub(crate) const ED25519_OID: Oid<'static> = oid!(1.3.101 .112); +pub(crate) const ED25519_PUBLICKEY_OID: Oid<'static> = oid!(1.3.101 .110); // utility function to make using Oid between crates easier pub(crate) fn ans1_oid_bcder_oid(asn1_oid: &asn1_rs::Oid) -> Option { diff --git a/sdk/src/crypto/raw_signature/openssl/validators/mod.rs b/sdk/src/crypto/raw_signature/openssl/validators/mod.rs index c8addb09b..89526ca0a 100644 --- a/sdk/src/crypto/raw_signature/openssl/validators/mod.rs +++ b/sdk/src/crypto/raw_signature/openssl/validators/mod.rs @@ -47,6 +47,31 @@ pub(crate) fn validator_for_sig_and_hash_algs, U: AsRef<[u8]>>( sig_alg: &Oid, hash_alg: &Oid, ) -> Option> { + // try signature algs first + if sig_alg.as_ref() == ECDSA_WITH_SHA256_OID.as_bytes() { + return Some(Box::new(EcdsaValidator::Es256)); + } + if sig_alg.as_ref() == ECDSA_WITH_SHA384_OID.as_bytes() { + return Some(Box::new(EcdsaValidator::Es384)); + } + if sig_alg.as_ref() == ECDSA_WITH_SHA512_OID.as_bytes() { + return Some(Box::new(EcdsaValidator::Es512)); + } + if sig_alg.as_ref() == SHA256_WITH_RSAENCRYPTION_OID.as_bytes() { + return Some(Box::new(RsaLegacyValidator::Rsa256)); + } + if sig_alg.as_ref() == SHA384_WITH_RSAENCRYPTION_OID.as_bytes() { + return Some(Box::new(RsaLegacyValidator::Rsa384)); + } + if sig_alg.as_ref() == SHA512_WITH_RSAENCRYPTION_OID.as_bytes() { + return Some(Box::new(RsaLegacyValidator::Rsa512)); + } + if sig_alg.as_ref() == ED25519_OID.as_bytes() { + return Some(Box::new(Ed25519Validator {})); + } + + // Test for public key algs next + if sig_alg.as_ref() == RSA_OID.as_bytes() { if hash_alg.as_ref() == SHA1_OID.as_bytes() { return Some(Box::new(RsaLegacyValidator::Sha1)); 
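Review bot: `ED25519_PUBLICKEY_OID` is assigned 1.3.101.110, which RFC 8410 registers as id-X25519 (key agreement); Ed25519 uses 1.3.101.112 for both the key and the signature algorithm, and that value is already `ED25519_OID` on the line above. No use of the new constant is visible in this diff, but any comparison against it would match X25519 keys and never Ed25519 ones. Either drop the constant or rename it to reflect its value, e.g. `X25519_OID`.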
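Review bot: The early returns added at the top of `validator_for_sig_and_hash_algs` choose a validator from `sig_alg` alone and never consult `hash_alg`, so a caller passing `ECDSA_WITH_SHA256_OID` with a different digest OID gets `EcdsaValidator::Es256` and the mismatch goes unnoticed. That suits the OCSP caller, which derives the hash from the signature algorithm, but other callers of this function are not visible here. Either document it with `// combined signature OIDs fix the digest; hash_alg is not consulted here` or return `None` when the two disagree. The same block is repeated verbatim in rust_native/validators/mod.rs, so the point applies to that hunk too. The function body continues outside the hunk.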
diff --git a/sdk/src/crypto/raw_signature/rust_native/validators/mod.rs b/sdk/src/crypto/raw_signature/rust_native/validators/mod.rs index 455e6ebf5..06c7343b1 100644 --- a/sdk/src/crypto/raw_signature/rust_native/validators/mod.rs +++ b/sdk/src/crypto/raw_signature/rust_native/validators/mod.rs @@ -95,6 +95,31 @@ pub(crate) fn validator_for_sig_and_hash_algs, U: AsRef<[u8]>>( sig_alg: &Oid, hash_alg: &Oid, ) -> Option> { + // try signature algs first + if sig_alg.as_ref() == ECDSA_WITH_SHA256_OID.as_bytes() { + return Some(Box::new(EcdsaValidator::Es256)); + } + if sig_alg.as_ref() == ECDSA_WITH_SHA384_OID.as_bytes() { + return Some(Box::new(EcdsaValidator::Es384)); + } + if sig_alg.as_ref() == ECDSA_WITH_SHA512_OID.as_bytes() { + return Some(Box::new(EcdsaValidator::Es512)); + } + if sig_alg.as_ref() == SHA256_WITH_RSAENCRYPTION_OID.as_bytes() { + return Some(Box::new(RsaLegacyValidator::Rsa256)); + } + if sig_alg.as_ref() == SHA384_WITH_RSAENCRYPTION_OID.as_bytes() { + return Some(Box::new(RsaLegacyValidator::Rsa384)); + } + if sig_alg.as_ref() == SHA512_WITH_RSAENCRYPTION_OID.as_bytes() { + return Some(Box::new(RsaLegacyValidator::Rsa512)); + } + if sig_alg.as_ref() == ED25519_OID.as_bytes() { + return Some(Box::new(Ed25519Validator {})); + } + + // Test for public key algs next + // Handle legacy RSA. if sig_alg.as_ref() == RSA_OID.as_bytes() { if hash_alg.as_ref() == SHA256_OID.as_bytes() { diff --git a/sdk/src/crypto/time_stamp/verify.rs b/sdk/src/crypto/time_stamp/verify.rs index 68a677fab..305ec1396 100644 --- a/sdk/src/crypto/time_stamp/verify.rs +++ b/sdk/src/crypto/time_stamp/verify.rs @@ -26,7 +26,7 @@ use sha2::{Digest as _, Sha256, Sha384, Sha512}; use crate::{ crypto::{ asn1::rfc3161::TstInfo, - cose::CertificateTrustPolicy, + cose::{check_end_entity_certificate_profile, CertificateTrustPolicy}, raw_signature::validator_for_sig_and_hash_algs, time_stamp::{ response::{signed_data_from_time_stamp_response, tst_info_from_signed_data}, 
@@ -41,6 +41,8 @@ use crate::{ }, }; +const TIMESTAMP_OID_STR: &str = "1.3.6.1.5.5.7.3.8"; + // when signed attributes are present the digest is the DER // encoding of the SignerInfo SignedAttributes fn signed_attributes_digested_content( @@ -531,13 +533,34 @@ pub fn verify_time_stamp( // the certificate must be on the trust list to be considered valid if verify_trust { - // per the spec TSA trust can only be checked against the system trust list not the user trust list let mut adjusted_ctp = ctp.clone(); - adjusted_ctp.set_trust_anchors_only(true); // Order certificates from leaf to root before trust validation let ordered_cert_ders = order_certificates_leaf_to_root(&cert_ders, cert_pos)?; + // make sure this is a timestamping EKU + adjusted_ctp.clear_ekus(); + adjusted_ctp.add_valid_ekus(TIMESTAMP_OID_STR.as_bytes()); // timestamp signing EKU + if check_end_entity_certificate_profile( + &ordered_cert_ders[0], + &adjusted_ctp, + &mut current_validation_log, + Some(&tst), + ) + .is_err() + { + log_item!( + "", + format!("timestamp cert untrusted: {}", &common_name), + "verify_time_stamp" + ) + .validation_status(TIMESTAMP_UNTRUSTED) + .informational(&mut current_validation_log); + + last_err = TimeStampError::Untrusted; + continue; + } + if adjusted_ctp .check_certificate_trust( &ordered_cert_ders[0..],
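Review bot: The call `adjusted_ctp.set_trust_anchors_only(true);` is removed together with its comment (`per the spec TSA trust can only be checked against the system trust list not the user trust list`), so the time-stamp authority's `check_certificate_trust` now runs with whatever anchor setting the caller's policy carries, which may include user anchors. Nothing in the hunk explains this widening. If it is deliberate, a comment stating the new rule belongs where the old one stood; if not, the call should be restored right after `ctp.clone()`. A comment on `TIMESTAMP_OID_STR` naming it as the time-stamping EKU (id-kp-timeStamping) would also help. The enclosing loop starts and ends outside the hunk.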