From efee65444bd85ef9f9ace36538a23d50710b65c4 Mon Sep 17 00:00:00 2001 From: "Daniel.Bloom" Date: Fri, 31 Dec 2021 17:49:29 -0800 Subject: [PATCH 1/5] feat: verify certificates decode cert and tree from header --- Cargo.lock | 224 ++++++++++++++++++++++++++++++++++++++++++---------- Cargo.toml | 8 +- src/main.rs | 153 ++++++++++++++++++++++++++++++++++- 3 files changed, 342 insertions(+), 43 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9eaa1ea..9838bf0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -208,7 +208,7 @@ dependencies = [ "libc", "num-integer", "num-traits", - "time", + "time 0.1.44", "winapi", ] @@ -574,9 +574,9 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] name = "http" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "527e8c9ac747e28542699a951517aa9a6945af506cd1f2e1b53a576c17b6cc11" +checksum = "1323096b05d41827dadeaee54c9981958c0f94e670bc94ed80037d1a7b8b186b" dependencies = [ "bytes", "fnv", @@ -639,10 +639,26 @@ dependencies = [ "futures-util", "hyper", "log", - "rustls", + "rustls 0.19.1", "tokio", - "tokio-rustls", - "webpki", + "tokio-rustls 0.22.0", + "webpki 0.21.4", +] + +[[package]] +name = "hyper-rustls" +version = "0.23.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d87c48c02e0dc5e3b849a2041db3029fd066650f8f717c07bf8ed78ccb895cac" +dependencies = [ + "http", + "hyper", + "log", + "rustls 0.20.2", + "rustls-native-certs", + "tokio", + "tokio-rustls 0.23.1", + "webpki-roots 0.22.1", ] [[package]] @@ -660,9 +676,9 @@ dependencies = [ [[package]] name = "ic-agent" -version = "0.9.0" +version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b855b45b2117a8834cd3d7088f1359ef3da0dd844893fba843097051c1bb49a" +checksum = "7d578d80723f7435ea8f77349bb68e18620c6db8c4e5180a34e71d2215c0041e" dependencies = [ "async-trait", "base32", 
@@ -671,6 +687,7 @@ dependencies = [ "garcon", "hex", "http", + "hyper-rustls 0.23.0", "ic-types", "leb128", "mime", @@ -679,14 +696,13 @@ dependencies = [ "rand", "reqwest", "ring", - "rustls", + "rustls 0.20.2", "serde", "serde_bytes", "serde_cbor", "simple_asn1", "thiserror", "url", - "webpki-roots", ] [[package]] @@ -706,9 +722,9 @@ dependencies = [ [[package]] name = "ic-utils" -version = "0.7.0" +version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4128e89ed719c62ffeeaac90aedcf4d13d641c24ba4f4f5c83b022bbf9b8ca77" +checksum = "633d5741e3ec002d824184fa81453bac19bd282a54c83d8730848759a1c50455" dependencies = [ "async-trait", "candid", @@ -726,6 +742,7 @@ name = "icx-proxy" version = "0.7.0" dependencies = [ "anyhow", + "base64", "clap", "clap_derive", "garcon", @@ -734,8 +751,11 @@ dependencies = [ "hyper-tls", "ic-agent", "ic-utils", + "lazy-regex", "serde", + "serde_cbor", "serde_json", + "sha2", "slog", "slog-async", "slog-term", @@ -835,6 +855,29 @@ dependencies = [ "regex", ] +[[package]] +name = "lazy-regex" +version = "2.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "919a16773ebf2de27e95fc58460110932e55bb0780e23aa51fa5a6b59c9e2b3d" +dependencies = [ + "lazy-regex-proc_macros", + "once_cell", + "regex", +] + +[[package]] +name = "lazy-regex-proc_macros" +version = "2.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fbe6bf0a04af51c07976625d5007e75ed9b8b955befc21c77b3947733496e36" +dependencies = [ + "proc-macro2", + "quote", + "regex", + "syn", +] + [[package]] name = "lazy_static" version = "1.4.0" 
@@ -843,9 +886,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "leb128" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3576a87f2ba00f6f106fdfcd16db1d698d648a26ad8e0573cad8537c3c362d2a" +checksum = "884e2677b40cc8c339eaefcb701c32ef1fd2493d71118dc0ca4b6a736c93bd67" [[package]] name = "libc" @@ -1044,9 +1087,9 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openssl" -version = "0.10.36" +version = "0.10.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d9facdb76fec0b73c406f125d44d86fdad818d66fef0531eec9233ca425ff4a" +checksum = "0c7ae222234c30df141154f159066c5093ff73b63204dcda7121eb082fc56a95" dependencies = [ "bitflags", "cfg-if", @@ -1064,9 +1107,9 @@ checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" [[package]] name = "openssl-sys" -version = "0.9.66" +version = "0.9.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1996d2d305e561b70d1ee0c53f1542833f4e1ac6ce9a6708b6ff2738ca67dc82" +checksum = "7df13d165e607909b363a4757a6f133f8a818a74e9d3a98d09c6128e15fa4c73" dependencies = [ "autocfg", "cc", @@ -1114,9 +1157,9 @@ checksum = "acbf547ad0c65e31259204bd90935776d1c693cec2f4ff7abb7a1bbbd40dfe58" [[package]] name = "pem" -version = "0.8.3" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd56cbd21fea48d0c440b41cd69c589faacade08c992d9a54e471b79d0fd13eb" +checksum = "06673860db84d02a63942fa69cd9543f2624a5df3aea7f33173048fa7ad5cf1a" dependencies = [ "base64", "once_cell", 
@@ -1248,6 +1291,15 @@ dependencies = [ "unicode-xid", ] +[[package]] +name = "quickcheck" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6" +dependencies = [ + "rand", +] + [[package]] name = "quote" version = "1.0.9" @@ -1356,7 +1408,7 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-rustls", + "hyper-rustls 0.22.1", "hyper-tls", "ipnet", "js-sys", @@ -1366,18 +1418,18 @@ dependencies = [ "native-tls", "percent-encoding", "pin-project-lite", - "rustls", + "rustls 0.19.1", "serde", "serde_json", "serde_urlencoded", "tokio", "tokio-native-tls", - "tokio-rustls", + "tokio-rustls 0.22.0", "url", "wasm-bindgen", "wasm-bindgen-futures", "web-sys", - "webpki-roots", + "webpki-roots 0.21.1", "winreg", ] @@ -1405,8 +1457,41 @@ dependencies = [ "base64", "log", "ring", - "sct", - "webpki", + "sct 0.6.1", + "webpki 0.21.4", +] + +[[package]] +name = "rustls" +version = "0.20.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d37e5e2290f3e040b594b1a9e04377c2c671f1a1cfd9bfdef82106ac1c113f84" +dependencies = [ + "log", + "ring", + "sct 0.7.0", + "webpki 0.22.0", +] + +[[package]] +name = "rustls-native-certs" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ca9ebdfa27d3fc180e42879037b5338ab1c040c06affd00d8338598e7800943" +dependencies = [ + "openssl-probe", + "rustls-pemfile", + "schannel", + "security-framework", +] + +[[package]] +name = "rustls-pemfile" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" +dependencies = [ + "base64", ] [[package]] 
@@ -1447,6 +1532,16 @@ dependencies = [ "untrusted", ] +[[package]] +name = "sct" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "security-framework" version = "2.3.1" @@ -1556,14 +1651,14 @@ dependencies = [ [[package]] name = "simple_asn1" -version = "0.5.4" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8eb4ea60fb301dc81dfc113df680571045d375ab7345d171c5dc7d7e13107a80" +checksum = "4a762b1c38b9b990c694b9c2f8abe3372ce6a9ceaae6bca39cfc46e054f45745" dependencies = [ - "chrono", "num-bigint", "num-traits", "thiserror", + "time 0.3.5", ] [[package]] @@ -1651,19 +1746,20 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" [[package]] name = "strum" -version = "0.21.0" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aaf86bbcfd1fa9670b7a129f64fc0c9fcbbfe4f1bc4210e9e98fe71ffc12cde2" +checksum = "cae14b91c7d11c9a851d3fbc80a963198998c2a64eec840477fa92d8ce9b70bb" [[package]] name = "strum_macros" -version = "0.21.1" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d06aaeeee809dbc59eb4556183dd927df67db1540de5be8d3ec0b6636358a5ec" +checksum = "5bb0dc7ee9c15cea6199cde9a127fa16a4c5819af85395457ad72d68edc85a38" dependencies = [ "heck", "proc-macro2", "quote", + "rustversion", "syn", ] 
@@ -1729,18 +1825,18 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.29" +version = "1.0.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "602eca064b2d83369e2b2f34b09c70b605402801927c65c11071ac911d299b88" +checksum = "854babe52e4df1653706b98fcfc05843010039b406875930a70e4d9644e5c417" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.29" +version = "1.0.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bad553cc2c78e8de258400763a647e80e6d1b31ee237275d756f6836d204494c" +checksum = "aa32fd3f627f367fe16f893e2597ae3c05020f8bba2666a4e6ea73d377e5714b" dependencies = [ "proc-macro2", "quote", @@ -1767,6 +1863,24 @@ dependencies = [ "winapi", ] +[[package]] +name = "time" +version = "0.3.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41effe7cfa8af36f439fac33861b66b049edc6f9a32331e2312660529c1c24ad" +dependencies = [ + "itoa", + "libc", + "quickcheck", + "time-macros", +] + +[[package]] +name = "time-macros" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25eb0ca3468fc0acc11828786797f6ef9aa1555e4a211a60d64cc8e4d1be47d6" + [[package]] name = "tiny-keccak" version = "2.0.2" @@ -1838,9 +1952,20 @@ version = "0.22.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" dependencies = [ - "rustls", + "rustls 0.19.1", "tokio", - "webpki", + "webpki 0.21.4", +] + +[[package]] +name = "tokio-rustls" +version = "0.23.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4baa378e417d780beff82bf54ceb0d195193ea6a00c14e22359e7f39456b5689" +dependencies = [ + "rustls 0.20.2", + "tokio", + "webpki 0.22.0", ] [[package]] 
@@ -2092,13 +2217,32 @@ dependencies = [ "untrusted", ] +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "webpki-roots" version = "0.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aabe153544e473b775453675851ecc86863d2a81d786d741f6b76778f2a48940" dependencies = [ - "webpki", + "webpki 0.21.4", +] + +[[package]] +name = "webpki-roots" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c475786c6f47219345717a043a37ec04cb4bc185e28853adcc4fa0a947eba630" +dependencies = [ + "webpki 0.22.0", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index b8a0400..b9d3a59 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -18,17 +18,21 @@ path = "src/main.rs" [dependencies] anyhow = "1.0.34" +base64 = "0.13" clap = "=3.0.0-beta.2" clap_derive = "=3.0.0-beta.2" garcon = { version = "0.2.3", features = ["async"] } hex = "0.4.3" hyper = { version = "0.14.13", features = ["full"] } hyper-tls = "0.5.0" -ic-agent = "0.9" -ic-utils = "0.7" +ic-agent = "0.10" +ic-utils = "0.10" +lazy-regex = "2" tokio = { version = "1.8.1", features = ["full"] } serde = "1.0.115" +serde_cbor = "0.11" serde_json = "1.0.57" +sha2 = "0.9.8" slog = { version = "2.7.0", features = ["max_level_trace"] } slog-async = "2.7.0" slog-term = "2.8.0" diff --git a/src/main.rs b/src/main.rs index 2f3cd8d..7be3a1a 100644 --- a/src/main.rs +++ b/src/main.rs 
@@ -8,7 +8,10 @@ use hyper::{ Body, Client, Request, Response, Server, StatusCode, Uri, }; use ic_agent::{ - agent::http_transport::ReqwestHttpReplicaV2Transport, export::Principal, Agent, AgentError, + agent::http_transport::ReqwestHttpReplicaV2Transport, + export::Principal, + ic_types::{hash_tree::LookupResult, HashTree}, + lookup_value, Agent, AgentError, Certificate, }; use ic_utils::{ call::SyncCall, @@ -16,6 +19,8 @@ use ic_utils::{ HeaderField, HttpRequestCanister, StreamingCallbackHttpResponse, StreamingStrategy, }, }; +use lazy_regex::regex_captures; +use sha2::{Digest, Sha256}; use slog::Drain; use std::{ convert::Infallible, 
@@ -242,8 +247,56 @@ async fn forward_request( Err(e) => return Err(e.into()), }; + let mut certificate: Option, ()>> = None; + let mut tree: Option, ()>> = None; + let mut builder = Response::builder().status(StatusCode::from_u16(http_response.status_code)?); for HeaderField(name, value) in http_response.headers { + if name.eq_ignore_ascii_case("IC-CERTIFICATE") { + for field in value.split(',') { + if let Some((_, name, b64_value)) = regex_captures!("^(.*)=:(.*):$", field) { + slog::trace!(logger, ">> certificate {}: {}", name, b64_value); + let bytes = base64::decode(b64_value).map_err(|e| { + slog::warn!(logger, "Unable to decode {} in ic-certificate from base64: {}", name, e); + () + }); + if name == "certificate" { + certificate = Some(match (certificate, bytes) { + (None, bytes) => bytes, + (Some(Ok(certificate)), Ok(bytes)) => { + slog::warn!(logger, "duplicate certificate field: {:?}", bytes); + Ok(certificate) + }, + (Some(Ok(certificate)), Err(_)) => { + slog::warn!(logger, "duplicate certificate field (failed to decode)"); + Ok(certificate) + }, + (Some(Err(_)), bytes) => { + slog::warn!(logger, "duplicate certificate field (failed to decode)"); + bytes + }, + }); + } else if name == "tree" { + tree = Some(match (tree, bytes) { + (None, bytes) => bytes, + (Some(Ok(tree)), Ok(bytes)) => { + slog::warn!(logger, "duplicate tree field: {:?}", bytes); + Ok(tree) + }, + (Some(Ok(tree)), Err(_)) => { + slog::warn!(logger, "duplicate tree field (failed to decode)"); + Ok(tree) + }, + (Some(Err(_)), bytes) => { + slog::warn!(logger, "duplicate tree field (failed to decode)"); + bytes + }, + }); + } + } + } + } + builder = builder.header(&name, value); } 
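Review bot: A response that carries an `IC-CERTIFICATE` header whose fields all fail to parse leaves this loop with `certificate` and `tree` both still `None`, which is indistinguishable from a response that never sent the header, and the `(None, None) => true` arm added in the `@@ -304,6 +357,34 @@` hunk then accepts the body unverified. The fields from `value.split(',')` are matched untrimmed against `^(.*)=:(.*):$` and then compared exactly with `"certificate"` / `"tree"`, so a space after the comma or an unexpected field spelling silently drops that field. I would match on `field.trim()` and set a flag when the header is seen, so that a header that is present but yields no usable certificate and tree is rejected rather than treated as uncertified. The duplicate-field warnings also print the decoded bytes with `{:?}`; logging `bytes.len()` instead keeps a response-controlled blob out of the log. `forward_request` starts and ends outside this hunk.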
@@ -304,6 +357,34 @@ async fn forward_request(
 builder.body(body)?
 } else {
+ let body_valid = match (certificate, tree) {
+ (Some(Ok(certificate)), Some(Ok(tree))) => match validate_body(
+ &certificate,
+ &tree,
+ &canister_id,
+ &agent,
+ &uri,
+ &http_response.body,
+ logger.clone(),
+ ) {
+ Ok(valid) => valid,
+ Err(e) => {
+ return Ok(Response::builder()
+ .status(StatusCode::INTERNAL_SERVER_ERROR)
+ .body(format!("Certificate validation failed: {}", e).into())
+ .unwrap());
+ }
+ },
+ (Some(_), _) | (_, Some(_)) => false,
+ // Canisters don't have to provide certified variables
+ (None, None) => true,
+ };
+ if !body_valid {
+ return Ok(Response::builder()
+ .status(StatusCode::INTERNAL_SERVER_ERROR)
+ .body("Body does not pass verification".into())
+ .unwrap());
+ }
 builder.body(http_response.body.into())?
 };
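Review bot: The `(None, None) => true` arm makes verification opt-out from the sender's side: a response that arrives without an `IC-CERTIFICATE` header is forwarded exactly as before, so the check only protects clients when every hop between the canister and this proxy preserves the header. If uncertified canisters have to keep working, that case should at least be visible, e.g. `(None, None) => { slog::warn!(logger, "forwarding uncertified response for {}", uri); true }`, and ideally be gated by a strict-mode option. The check is also added only in the `else` branch; the branch that ends in `builder.body(body)?` above, which begins outside this hunk, returns its body with no validation. The 500 body built from `format!("Certificate validation failed: {}", e)` hands the decoder's error text to the client; a fixed message with the detail kept in the log would be enough.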
@@ -347,6 +428,76 @@ async fn forward_request( Ok(response) } +fn validate_body( + certificate: &[u8], + tree: &[u8], + canister_id: &Principal, + agent: &Agent, + uri: &Uri, + response_body: &[u8], + logger: slog::Logger, +) -> anyhow::Result { + let cert: Certificate = + serde_cbor::from_slice(&certificate).map_err(AgentError::InvalidCborData)?; + let tree: HashTree = serde_cbor::from_slice(&tree).map_err(AgentError::InvalidCborData)?; + + if let Err(e) = agent.verify(&cert) { + slog::trace!(logger, ">> certificate failed verification: {}", e); + return Ok(false); + } + + let certified_data_path = vec![ + "canister".into(), + canister_id.into(), + "certified_data".into(), + ]; + let witness = match lookup_value(&cert, certified_data_path) { + Ok(witness) => witness, + Err(e) => { + slog::trace!( + logger, + ">> Could not find certified data for this canister in the certificate: {}", + e + ); + return Ok(false); + } + }; + let digest = tree.digest(); + + if witness != digest { + slog::trace!( + logger, + ">> witness ({}) did not match digest ({})", + hex::encode(witness), + hex::encode(digest) + ); + + return Ok(false); + } + + let path = ["http_assets".into(), uri.path().into()]; + let tree_sha = match tree.lookup_path(&path) { + LookupResult::Found(v) => v, + _ => match tree.lookup_path(&["http_assets".into(), "/index.html".into()]) { + LookupResult::Found(v) => v, + _ => { + slog::trace!( + logger, + ">> Invalid Tree in the header. Does not contain path {:?}", + path + ); + return Ok(false); + } + }, + }; + + let mut sha256 = Sha256::new(); + sha256.update(response_body); + let body_sha = sha256.finalize(); + + Ok(&body_sha[..] == tree_sha) +} + fn is_hop_header(name: &str) -> bool { name.to_ascii_lowercase() == "connection" || name.to_ascii_lowercase() == "keep-alive" From 9bd89d7dfd5212d2afddec1f21f15fbc9d244dcd Mon Sep 17 00:00:00 2001 
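Review bot: The `_ =>` arm after the first `tree.lookup_path(&path)` in `validate_body` falls back to `/index.html` for every result other than `Found`, so a tree that merely does not reveal the requested path is treated the same as one that proves the path absent. The fallback is only sound when absence is proven; I would write the outer arm as `LookupResult::Absent => match tree.lookup_path(...)` and add `_ => return Ok(false)` for the remaining variants (this assumes `LookupResult` distinguishes an absent path from a pruned one in the pinned `ic_types` version, which should be confirmed). All failure paths here log at `trace`, which hides rejected certificates in normal operation; `slog::warn!` on the `agent.verify` and witness-mismatch branches would make them visible to whoever operates the proxy. Nothing in the hunk checks the certificate's age, so it is worth confirming whether `agent.verify` covers that.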
From: "Daniel.Bloom" Date: Mon, 10 Jan 2022 23:10:17 -0800 Subject: [PATCH 2/5] Update libraries and toolchain --- Cargo.lock | 48 +++++++++++++++++++++++++++--------------------- Cargo.toml | 4 ++-- rust-toolchain | 2 +- 3 files changed, 30 insertions(+), 24 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9838bf0..d2749ec 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -150,9 +150,9 @@ checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" [[package]] name = "candid" -version = "0.7.7" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17c06d715bc063c90124f5bdec5029ed537c564f037fc64617c71a67fe107543" +checksum = "12970d8d0620d2bdb7e81a5b13ed11e41fcdfeba53d61e45b5853afcbf9611fd" dependencies = [ "anyhow", "binread", @@ -281,9 +281,9 @@ dependencies = [ [[package]] name = "crc32fast" -version = "1.2.1" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81156fece84ab6a9f2afdb109ce3ae577e42b1228441eded99bd77f627953b1a" +checksum = "738c290dfaea84fc1ca15ad9c168d083b05a714e1efddd8edaab678dc28d2836" dependencies = [ "cfg-if", ] @@ -574,13 +574,13 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] name = "http" -version = "0.2.5" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1323096b05d41827dadeaee54c9981958c0f94e670bc94ed80037d1a7b8b186b" +checksum = "31f4c6746584866f0feabcc69893c5b51beef3831656a968ed7ae254cdc4fd03" dependencies = [ "bytes", "fnv", - "itoa", + "itoa 1.0.1", ] [[package]] @@ -621,7 +621,7 @@ dependencies = [ "http-body", "httparse", "httpdate", - "itoa", + "itoa 0.4.7", "pin-project-lite", "socket2", "tokio", 
@@ -676,9 +676,9 @@ dependencies = [ [[package]] name = "ic-agent" -version = "0.10.1" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d578d80723f7435ea8f77349bb68e18620c6db8c4e5180a34e71d2215c0041e" +checksum = "50649dbe2e37f4f503bfe2bd1d7b1f992496fc65e840972f22f338449bcda01d" dependencies = [ "async-trait", "base32", @@ -707,9 +707,9 @@ dependencies = [ [[package]] name = "ic-types" -version = "0.2.2" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2c021c11ae1d716f45d783f5764f418a11f12aea1fdc4fc8a2b2242e0dae708" +checksum = "0e78ec6f58886cdc252d6f912dc794211bd6bbc39ddc9dcda434b2dc16c335b3" dependencies = [ "base32", "crc32fast", @@ -722,9 +722,9 @@ dependencies = [ [[package]] name = "ic-utils" -version = "0.10.1" +version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "633d5741e3ec002d824184fa81453bac19bd282a54c83d8730848759a1c50455" +checksum = "7fd19db968e88bf8c0052280e0e75694c14971d0299783f2b0255e52ffe52ec1" dependencies = [ "async-trait", "candid", @@ -814,6 +814,12 @@ version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736" +[[package]] +name = "itoa" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35" + [[package]] name = "js-sys" version = "0.3.51" @@ -1567,9 +1573,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.130" +version = "1.0.133" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913" +checksum = "97565067517b60e2d1ea8b268e59ce036de907ac523ad83a0475da04e818989a" dependencies = [ "serde_derive", ] 
@@ -1595,9 +1601,9 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.130" +version = "1.0.133" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b" +checksum = "ed201699328568d8d08208fdd080e3ff594e6c422e438b6705905da01005d537" dependencies = [ "proc-macro2", "quote", @@ -1610,7 +1616,7 @@ version = "1.0.68" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0f690853975602e1bfe1ccbf50504d67174e3bcf340f23b5ea9992e0587a52d8" dependencies = [ - "itoa", + "itoa 0.4.7", "ryu", "serde", ] @@ -1622,7 +1628,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "edfa57a7f8d9c1d260a549e7224100f6c43d43f9103e06dd8b4095a9b2b43ce9" dependencies = [ "form_urlencoded", - "itoa", + "itoa 0.4.7", "ryu", "serde", ] @@ -1869,7 +1875,7 @@ version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41effe7cfa8af36f439fac33861b66b049edc6f9a32331e2312660529c1c24ad" dependencies = [ - "itoa", + "itoa 0.4.7", "libc", "quickcheck", "time-macros", diff --git a/Cargo.toml b/Cargo.toml index b9d3a59..9fdb5ed 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,8 +25,8 @@ garcon = { version = "0.2.3", features = ["async"] } hex = "0.4.3" hyper = { version = "0.14.13", features = ["full"] } hyper-tls = "0.5.0" -ic-agent = "0.10" -ic-utils = "0.10" +ic-agent = "0.11" +ic-utils = "0.11" lazy-regex = "2" tokio = { version = "1.8.1", features = ["full"] } serde = "1.0.115" diff --git a/rust-toolchain b/rust-toolchain index 154cb93..094d6ad 100644 --- a/rust-toolchain +++ b/rust-toolchain @@ -1 +1 @@ -1.52.1 +1.55.0 From 8416eb89fe29ea302526b3914b4322f6251ae20c Mon Sep 17 00:00:00 2001 From: "Daniel.Bloom" Date: Mon, 10 Jan 2022 23:12:51 -0800 Subject: [PATCH 3/5] bump sha --- Cargo.lock | 48 ++++++++++++++++++++++++++++++++++++++++++++---- Cargo.toml | 2 +- 2 files changed, 45 insertions(+), 5 deletions(-) 
diff --git a/Cargo.lock b/Cargo.lock index d2749ec..c7cdef3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -130,6 +130,15 @@ dependencies = [ "generic-array", ] +[[package]] +name = "block-buffer" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1d36a02058e76b040de25a4464ba1c80935655595b661505c8b39b664828b95" +dependencies = [ + "generic-array", +] + [[package]] name = "bumpalo" version = "3.7.0" @@ -314,6 +323,15 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" +[[package]] +name = "crypto-common" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "683d6b536309245c849479fba3da410962a43ed8e51c26b729208ec0ac2798d0" +dependencies = [ + "generic-array", +] + [[package]] name = "derivative" version = "2.2.0" @@ -340,6 +358,17 @@ dependencies = [ "generic-array", ] +[[package]] +name = "digest" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b697d66081d42af4fba142d56918a3cb21dc8eb63372c6b85d14f44fb9c5979b" +dependencies = [ + "block-buffer 0.10.0", + "crypto-common", + "generic-array", +] + [[package]] name = "dirs-next" version = "2.0.0" @@ -716,7 +745,7 @@ dependencies = [ "hex", "serde", "serde_bytes", - "sha2", + "sha2 0.9.8", "thiserror", ] @@ -755,7 +784,7 @@ dependencies = [ "serde", "serde_cbor", "serde_json", - "sha2", + "sha2 0.10.1", "slog", "slog-async", "slog-term", 
@@ -1639,13 +1668,24 @@ version = "0.9.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b69f9a4c9740d74c5baa3fd2e547f9525fa8088a8a958e0ca2409a514e33f5fa" dependencies = [ - "block-buffer", + "block-buffer 0.9.0", "cfg-if", "cpufeatures", - "digest", + "digest 0.9.0", "opaque-debug", ] +[[package]] +name = "sha2" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "99c3bd8169c58782adad9290a9af5939994036b76187f7b4f0e6de91dbbfc0ec" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest 0.10.1", +] + [[package]] name = "signal-hook-registry" version = "1.4.0" diff --git a/Cargo.toml b/Cargo.toml index 9fdb5ed..766bc90 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -32,7 +32,7 @@ tokio = { version = "1.8.1", features = ["full"] } serde = "1.0.115" serde_cbor = "0.11" serde_json = "1.0.57" -sha2 = "0.9.8" +sha2 = "0.10.1" slog = { version = "2.7.0", features = ["max_level_trace"] } slog-async = "2.7.0" slog-term = "2.8.0" From 4930a4517d7e53df9c4dee6092d611ef139cfaec Mon Sep 17 00:00:00 2001 From: "Daniel.Bloom" Date: Mon, 10 Jan 2022 23:16:46 -0800 Subject: [PATCH 4/5] fmt --- src/main.rs | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/src/main.rs b/src/main.rs index d38e794..9371443 100644 --- a/src/main.rs +++ b/src/main.rs @@ -289,7 +289,12 @@ async fn forward_request( if let Some((_, name, b64_value)) = regex_captures!("^(.*)=:(.*):$", field) { slog::trace!(logger, ">> certificate {}: {}", name, b64_value); let bytes = base64::decode(b64_value).map_err(|e| { - slog::warn!(logger, "Unable to decode {} in ic-certificate from base64: {}", name, e); + slog::warn!( + logger, + "Unable to decode {} in ic-certificate from base64: {}", + name, + e + ); () }); if name == "certificate" { 
@@ -298,15 +303,21 @@ async fn forward_request( (Some(Ok(certificate)), Ok(bytes)) => { slog::warn!(logger, "duplicate certificate field: {:?}", bytes); Ok(certificate) - }, + } (Some(Ok(certificate)), Err(_)) => { - slog::warn!(logger, "duplicate certificate field (failed to decode)"); + slog::warn!( + logger, + "duplicate certificate field (failed to decode)" + ); Ok(certificate) - }, + } (Some(Err(_)), bytes) => { - slog::warn!(logger, "duplicate certificate field (failed to decode)"); + slog::warn!( + logger, + "duplicate certificate field (failed to decode)" + ); bytes - }, + } }); } else if name == "tree" { tree = Some(match (tree, bytes) { @@ -314,15 +325,15 @@ async fn forward_request( (Some(Ok(tree)), Ok(bytes)) => { slog::warn!(logger, "duplicate tree field: {:?}", bytes); Ok(tree) - }, + } (Some(Ok(tree)), Err(_)) => { slog::warn!(logger, "duplicate tree field (failed to decode)"); Ok(tree) - }, + } (Some(Err(_)), bytes) => { slog::warn!(logger, "duplicate tree field (failed to decode)"); bytes - }, + } }); } } From a1560d5742828751cb19ea94fc67a1d707bd50ec Mon Sep 17 00:00:00 2001 From: "Daniel.Bloom" Date: Tue, 11 Jan 2022 09:33:11 -0800 Subject: [PATCH 5/5] clippy --- src/main.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main.rs b/src/main.rs index 9371443..b8a8f04 100644 --- a/src/main.rs +++ b/src/main.rs @@ -295,7 +295,6 @@ async fn forward_request( name, e ); - () }); if name == "certificate" { certificate = Some(match (certificate, bytes) { 
@@ -481,8 +480,8 @@ fn validate_body(
 logger: slog::Logger,
 ) -> anyhow::Result {
 let cert: Certificate =
- serde_cbor::from_slice(&certificate).map_err(AgentError::InvalidCborData)?;
- let tree: HashTree = serde_cbor::from_slice(&tree).map_err(AgentError::InvalidCborData)?;
+ serde_cbor::from_slice(certificate).map_err(AgentError::InvalidCborData)?;
+ let tree: HashTree = serde_cbor::from_slice(tree).map_err(AgentError::InvalidCborData)?;
 if let Err(e) = agent.verify(&cert) {
 slog::trace!(logger, ">> certificate failed verification: {}", e);