m4sterchain commented on code in PR #221:
URL:
https://github.com/apache/incubator-teaclave-trustzone-sdk/pull/221#discussion_r2278525189
##########
examples/tls_client-rs/ta/src/main.rs:
##########
@@ -64,34 +63,35 @@ fn invoke_command(cmd_id: u32, _params: &mut Parameters) ->
Result<()> {
}
// This code is based on the Rustls example:
-//
https://github.com/rustls/rustls/blob/v/0.21.0/examples/src/bin/simpleclient.rs
+//
https://github.com/rustls/rustls/blob/v/0.23.12/examples/src/bin/simpleclient.rs
// with modifications by Teaclave to demonstrate Rustls usage in the TA.
// Licensed under the Apache License, Version 2.0.
fn tls_client() {
- let mut root_store = RootCertStore::empty();
-
root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta|
{
- OwnedTrustAnchor::from_subject_spki_name_constraints(
- ta.subject,
- ta.spki,
- ta.name_constraints,
- )
- }));
- trace_println!("[+] root_store added");
+ // Create our custom providers
+ let crypto_provider = Arc::new(rustls_provider::optee_crypto_provider());
+ let time_provider = Arc::new(rustls_provider::optee_time_provider());
+
+ let root_store = RootCertStore {
+ roots: webpki_roots::TLS_SERVER_ROOTS.into(),
+ };
- let config = rustls::ClientConfig::builder()
- .with_safe_defaults()
+ let mut config =
rustls::ClientConfig::builder_with_details(crypto_provider, time_provider)
+ .with_safe_default_protocol_versions()
+ .expect("inconsistent cipher-suite/versions selected")
.with_root_certificates(root_store)
.with_no_client_auth();
- trace_println!("[+] config created");
- let server_name = "google.com".try_into().unwrap();
+ // Allow using SSLKEYLOGFILE.
+ config.key_log = Arc::new(rustls::KeyLogFile::new());
Review Comment:
In the context of a TA, we should be careful with this. The `KeyLogFile
implementation opens a file based on the SSLKEYLOGFILE environment variable and
writes keys into it`. I don’t think either the environment variable or
file-writing behavior makes sense or is applicable inside a TA, despite that
`If such a file cannot be opened, or cannot be written then this does nothing
but logs errors at warning-level`.
https://docs.rs/rustls/latest/rustls/struct.KeyLogFile.html
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
