
This repo provides a C API for AWS Nitro Enclaves, including a KMS SDK that integrates it with attestation.

Cannot integrate with BoringSSL or AWS-LC(>= version 1.1.0) #113

Closed chihgeorge closed 1 year ago

chihgeorge commented 1 year ago

There is a breaking change to the method CBS_get_any_ber_asn1_element, introduced in aws-lc 1.1.0 and BoringSSL, which makes them incompatible with the SDK. The current SDK only supports aws-lc version 1.0.2.

I'm trying to integrate by applying a patch file as follow:

diff --git a/source/cms.c b/source/cms.c
index 7cb4a85..cdd7380 100644
--- a/source/cms.c
+++ b/source/cms.c
@@ -64,7 +64,7 @@ int aws_cms_parse_enveloped_data(
     size_t tag_size;

     CBS content_type;
-    if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || /* ASN1_SEQ */
+    if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || /* ASN1_SEQ */
         (tag != CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&cms, &content_type, CBS_ASN1_OBJECT)) {
         goto err;
     }
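Review bot: Hard-coding a literal `NULL` as the new sixth argument on the `+` line pins cms.c to the six-parameter form of CBS_get_any_ber_asn1_element, so the file stops building against aws-lc 1.0.2, which the issue itself says is the only version the SDK currently supports; the same edit is repeated in the hunks at @@ -75, @@ -89, @@ -137, @@ -151 and @@ -191. A single file-local wrapper selected by a build-time feature check would let every call site stay unchanged and keep both library versions buildable, with the extra out-parameters still ignored as they are here. The declaration of `tag` is outside this hunk; if the newer header declares the tag out-parameter with its own typedef rather than `unsigned`, the declaration should be checked against it as well. aws_cms_parse_enveloped_data begins and ends outside this hunk.
```c
/* PLACEHOLDER_HAS_SIX_ARG_CBS_BER: to be defined by the build's feature check for the new signature. */
static int cms_get_any_ber_element(CBS *cbs, CBS *out, unsigned *out_tag, size_t *out_header_len) {
#if defined(PLACEHOLDER_HAS_SIX_ARG_CBS_BER)
    return CBS_get_any_ber_asn1_element(cbs, out, out_tag, out_header_len, NULL, NULL);
#else
    return CBS_get_any_ber_asn1_element(cbs, out, out_tag, out_header_len, NULL);
#endif
}
/* … unchanged: each call site then uses cms_get_any_ber_element(&cms, …, &tag, &tag_size) … */
```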
@@ -75,8 +75,8 @@ int aws_cms_parse_enveloped_data(

     /* Validate the version */
     CBS version;
-    if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || /* ASN1_ENUM */
-        !CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || (tag != CBS_ASN1_SEQUENCE) || /* ASN1_SEQ */
+    if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || /* ASN1_ENUM */
+        !CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || (tag != CBS_ASN1_SEQUENCE) || /* ASN1_SEQ */
         !CBS_get_asn1(&cms, &version, CBS_ASN1_INTEGER)) {
         goto err;
     }
@@ -89,7 +89,7 @@ int aws_cms_parse_enveloped_data(
      * See https://tools.ietf.org/html/rfc5652#section-6.1
      */
     CBS enveloped_data;
-    if (!CBS_get_any_ber_asn1_element(&cms, &enveloped_data, &tag, &tag_size, NULL) || tag != CBS_ASN1_SET) {
+    if (!CBS_get_any_ber_asn1_element(&cms, &enveloped_data, &tag, &tag_size, NULL, NULL) || tag != CBS_ASN1_SET) {
         goto err;
     }

@@ -137,7 +137,7 @@ int aws_cms_parse_enveloped_data(
      * See https://tools.ietf.org/html/rfc5652#section-6.1
      */
     CBS encrypted_content_type;
-    if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL) || (tag != CBS_ASN1_SEQUENCE) ||
+    if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL) || (tag != CBS_ASN1_SEQUENCE) ||
         !CBS_get_asn1(&cms, &encrypted_content_type, CBS_ASN1_OBJECT)) {
         goto err;
     }
@@ -151,7 +151,7 @@ int aws_cms_parse_enveloped_data(
      * See https://tools.ietf.org/html/rfc5652#section-6.3
      */
     CBS content_encryption_algo, algo, iv_string;
-    if (!CBS_get_any_ber_asn1_element(&cms, &content_encryption_algo, &tag, &tag_size, NULL) ||
+    if (!CBS_get_any_ber_asn1_element(&cms, &content_encryption_algo, &tag, &tag_size, NULL, NULL) ||
         tag != CBS_ASN1_SEQUENCE || !CBS_skip(&content_encryption_algo, tag_size) ||
         !CBS_get_asn1(&content_encryption_algo, &algo, CBS_ASN1_OBJECT) ||
         !CBS_get_asn1(&content_encryption_algo, &iv_string, CBS_ASN1_OCTETSTRING)) {
@@ -191,12 +191,12 @@ int aws_cms_parse_enveloped_data(
         }
     } else {
         /* Indefinite-length explicit scattered OCTETSTRING content. Aggregate them if more than one. */
-        if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL)) { /* ASN1_ENUM */
+        if (!CBS_get_any_ber_asn1_element(&cms, NULL, &tag, &tag_size, NULL, NULL)) { /* ASN1_ENUM */
             CBB_cleanup(&encrypted_content);
             goto err;
         }
         /* Consume all the entries in the scattered list */
-        while (CBS_get_any_ber_asn1_element(&cms, &wrapped_encrypted_content, &tag, &tag_size, NULL) == 1 &&
+        while (CBS_get_any_ber_asn1_element(&cms, &wrapped_encrypted_content, &tag, &tag_size, NULL, NULL) == 1 &&
                tag == CBS_ASN1_OCTETSTRING) {
             CBS encrypted_content_part;
             if (!CBS_get_asn1(&wrapped_encrypted_content, &encrypted_content_part, CBS_ASN1_OCTETSTRING) ||
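Review bot: The call on the `+` line that opens this branch still discards both new out-parameters by passing `NULL, NULL`, even though the comment above it states this path exists for indefinite-length scattered OCTET STRING content. If the sixth parameter is the indefinite-length flag, as it is in BoringSSL's current declaration of this function, capturing it would turn that assumption into a check: `int indefinite = 0;` before the call, `..., &tag, &tag_size, NULL, &indefinite)` in the call, and `if (!indefinite) { CBB_cleanup(&encrypted_content); goto err; }` right after it. That is worth doing before merging, because the issue text says the patched code has not been exercised at runtime and this loop is the one place where the BER-versus-DER distinction changes how the ciphertext is assembled. The while body and the enclosing function continue past the end of this hunk.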

The SDK code can be compilable and built with following version of dependencies:

s2n-tls 1.3.20 aws-c-common 0.8.16 aws-c-sdkutils 0.1.2 aws-c-cal 0.5.27 aws-c-io 0.13.13 aws-c-compression 0.2.14 aws-c-http 0.7.4 aws-c-auth 0.6.22 json-c json-c-0.16-20220414 aws-nitro-enclaves-nsm-api 0.3.0

I haven't verified if there's any runtime issue with these changes, and I also not verify all the SDK features to see if they keep same behaviors. It'd be great if your team can verify and fix any undiscovered issues.

meerd commented 1 year ago

Please see #114 @chihgeorge.

chihgeorge commented 1 year ago

Thank you. I'll give it a try on my end to see whether it's compatible.