Nitrokey / pynitrokey

Python client for Nitrokey devices
Apache License 2.0

Bump spsdk, cryptography #364

Closed robin-nitrokey closed 1 year ago

robin-nitrokey commented 1 year ago

This patch bumps cryptography to 39.0.1 which fixes two vulnerabilities: https://github.com/Nitrokey/pynitrokey/security/dependabot/1 https://github.com/Nitrokey/pynitrokey/security/dependabot/2

This also requires bumping spsdk to 1.9.0, which allows us to drop some workarounds for fixed issues. Note that 1.9.0 adds a default log handler for the spsdk module which we have to remove manually so that stdout is not cluttered with log messages.

Checklist

Make sure to run make check and make fix before creating a PR, otherwise the CI will fail.

Test Environment and Execution
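The description mentions that a dependency now installs its own default log handler, which the client has to detach so that CLI output on stdout stays clean. The following is an added example, not pynitrokey's or spsdk's own code: a constructed stand-in library (`fakelib`, an assumed name) attaches a `StreamHandler` to its logger the way a library might on import, and `remove_library_handlers` detaches it by logger and handler name. It also shows the caveat that once no handler is left, Python's `logging.lastResort` still writes WARNING-and-above records to stderr, so the application should give those records a sink of its own rather than only removing the library's handler.

```python
import io
import logging
from typing import List, Optional

# Constructed stand-in for a third-party library that attaches a StreamHandler to its
# own logger on import. The logger and handler names are assumptions for this example,
# not spsdk's real API.
LIBRARY_LOGGER_NAME = "fakelib"
LIBRARY_HANDLER_NAME = "fakelib-default"


def install_library_default_handler(stream) -> logging.Handler:
    """Simulate what the library does on import: log everything to `stream`."""
    logger = logging.getLogger(LIBRARY_LOGGER_NAME)
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.set_name(LIBRARY_HANDLER_NAME)
    handler.setFormatter(logging.Formatter("%(name)s:%(levelname)s:%(message)s"))
    logger.addHandler(handler)
    return handler


def remove_library_handlers(
    logger_name: str, handler_name: Optional[str] = None
) -> List[logging.Handler]:
    """Detach handlers a library installed on its logger.

    With handler_name=None every handler on that logger is removed; otherwise only
    the handler carrying that name. The logger and its level are left alone so that
    records still propagate to whatever handlers the application installs.
    """
    logger = logging.getLogger(logger_name)
    removed = []
    for handler in list(logger.handlers):  # iterate over a copy while removing
        if handler_name is None or handler.get_name() == handler_name:
            logger.removeHandler(handler)
            removed.append(handler)
    return removed


def demo() -> dict:
    """Show the CLI's stdout before and after detaching the library handler.

    Returns the text that reached the simulated stdout and the application log.
    """
    fake_stdout = io.StringIO()  # constructed stand-in for the user's terminal
    app_log = io.StringIO()      # constructed stand-in for the CLI's own log sink

    install_library_default_handler(fake_stdout)
    lib_logger = logging.getLogger(LIBRARY_LOGGER_NAME)

    lib_logger.info("opening device")  # library handler active: this lands on stdout
    before = fake_stdout.getvalue()

    removed = remove_library_handlers(LIBRARY_LOGGER_NAME, LIBRARY_HANDLER_NAME)

    # Caveat: with no handler anywhere up the hierarchy, logging.lastResort prints
    # WARNING and above to stderr. Route the library's records to our own sink instead.
    app_handler = logging.StreamHandler(app_log)
    app_handler.setLevel(logging.WARNING)
    app_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    lib_logger.addHandler(app_handler)

    lib_logger.info("writing sector 3")          # below WARNING: dropped quietly
    lib_logger.warning("device not responding")  # kept in the app log, not on stdout
    after = fake_stdout.getvalue()

    lib_logger.removeHandler(app_handler)  # leave the logger clean for repeated calls

    return {
        "removed": len(removed),
        "stdout_before": before,
        "stdout_after": after,
        "app_log": app_log.getvalue(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Removing by handler name rather than clearing `logger.handlers` wholesale keeps any handler the application itself attached to the same logger, and doing the cleanup once at CLI start-up (after the library import) is enough, since the library only installs the handler at import time.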

szszszsz commented 1 year ago

I think for spsdk the test would be just running Nitrokey 3 update. Cryptography is used only for the FIDO2 provisioning, so it is not user-facing, right?

robin-nitrokey commented 1 year ago

Yes, for spsdk it’s the NK3xN firmware update. For cryptography, it’s more complicated. While we use it only for the provisioning command, it is also used by our dependencies, e.g. fido2 and spsdk.

szszszsz commented 1 year ago

Rebased, but fails on mypy check:

```
venv/bin/python3 -m mypy pynitrokey/
pynitrokey/nk3/bootloader/lpc55.py:16: error: Module "spsdk" has no attribute "spsdk_log_handler"  [attr-defined]
pynitrokey/nk3/bootloader/lpc55.py:16: error: Module "spsdk" has no attribute "spsdk_logger"  [attr-defined]
pynitrokey/nk3/bootloader/lpc55.py:110: error: Argument "progress_callback" to "receive_sb_file" of "McuBoot" has incompatible type "Optional[Callable[[int, int], None]]"; expected "Callable[[int, int], None]"  [arg-type]
Found 3 errors in 1 file (checked 288 source files)
```

Needs update

szszszsz commented 1 year ago

I can't test the FIDO CLI commands, since these are not fixed yet (!), missing the API update of the fido2 package. I will test NK3 update on the dev sample.

robin-nitrokey commented 1 year ago

Rebased again and updated to spsdk v1.10.1 to avoid the logging issue. Did you update the venv before running mypy? The errors you listed are caused by an incompatible spsdk version.

daringer commented 1 year ago

lgtm, did some tests:

remaining tests with nk3am: