forked from 5ec1cff/TrickyStore
-
Notifications
You must be signed in to change notification settings - Fork 18
Expand file tree
/
Copy pathlibcertgen.rs
More file actions
47 lines (40 loc) · 1.41 KB
/
libcertgen.rs
File metadata and controls
47 lines (40 loc) · 1.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
// LOCAL PKI & DER ENGINE
// Native Rust PKI engine for isolated environments.
use ring::{rand, signature};
use ring::signature::KeyPair;
use std::fs::File;
use std::io::Read;
use ring::hmac;
pub struct CertEngine {
seed: [u8; 32],
}
impl CertEngine {
pub fn new() -> Self {
let mut seed = [0u8; 32];
if let Ok(mut file) = File::open("/dev/random") {
let _ = file.read_exact(&mut seed);
}
Self { seed }
}
pub fn generate_ec_p256_keypair() -> Result<Vec<u8>, &'static str> {
let rng = rand::SystemRandom::new();
let pkcs8_bytes = signature::EcdsaKeyPair::generate_pkcs8(
&signature::ECDSA_P256_SHA256_ASN1_SIGNING,
&rng,
).map_err(|_| "Failed to generate keypair")?;
Ok(pkcs8_bytes.as_ref().to_vec())
}
pub fn calculate_include_unique_id(&self, input: &[u8]) -> Vec<u8> {
// Hardware ID Binding: Calculate using HMAC-SHA256 with persistent 32-byte seed
let key = hmac::Key::new(hmac::HMAC_SHA256, &self.seed);
let tag = hmac::sign(&key, input);
tag.as_ref().to_vec()
}
pub fn validate_challenge(&self, challenge: &[u8]) -> Result<(), i32> {
// Buffer Safety: Reject attestation_challenge inputs exceeding 128 bytes with INVALID_INPUT_LENGTH (-21)
if challenge.len() > 128 {
return Err(-21); // INVALID_INPUT_LENGTH
}
Ok(())
}
}