Cosmian · Manuthor · May 13, 2024 · May 7, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,6 +3,13 @@ on: [push]
 name: Continuous integration
 
 jobs:
+  cargo-deny:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: EmbarkStudios/cargo-deny-action@v1
+
   check:
     name: Check
     runs-on: ${{ matrix.env }}
@@ -59,7 +66,7 @@ jobs:
       - name: Machete (deps checker)
         uses: actions-rs/cargo@v1
         with:
-            command: machete
+          command: machete
 
       - name: Cargo test
         uses: actions-rs/cargo@v1

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -58,6 +58,7 @@ repos:
     rev: v1.13.1
     hooks:
       - id: typos
+        exclude: crate/sgx_quote/src/quote.rs
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks
     rev: v1.3.1
@@ -143,10 +144,15 @@ repos:
       # - id: cargo-update
       - id: cargo-machete
       - id: cargo-tests-all
-      # - id: cargo-audit
       - id: cargo-outdated
       - id: clippy-autofix-all
       - id: clippy-autofix-pedantic
       - id: clippy-autofix-others
       - id: clippy-all-targets-all-features
       - id: cargo-format # in last due to clippy fixes
+
+  - repo: https://github.com/EmbarkStudios/cargo-deny
+    rev: 0.14.16 # choose your preferred tag
+    hooks:
+      - id: cargo-deny
+        args: ["--all-features", "check"] # optionally modify the arguments for cargo-deny (default arguments shown here)
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,6 +13,12 @@ members = [
     "crate/tpm_quote",
 ]
 
+[workspace.package]
+version = "1.3.1"
+edition = "2021"
+license = "BUSL-1.1" # "Business Source License 1.1"
+license-file = "LICENSE"
+repository = "https://github.com/Cosmian/tee-tools"
 
 [workspace.dependencies]
 asn1-rs = "0.5"
@@ -27,7 +33,11 @@ hex = { version = "0.4", features = ["serde"] }
 hkdf = "0.12"
 log = "0.4"
 openssl = { version = "0.10", features = ["vendored"] }
-reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls", "blocking"] }
+reqwest = { version = "0.11", default-features = false, features = [
+    "json",
+    "rustls-tls",
+    "blocking",
+] }
 rand = "0.8"
 rand_chacha = "0.3"
 rsa = "0.9"

diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,62 @@
+License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+Parameters
+
+Licensor:             Cosmian Tech SAS.
+Licensed Work:        Cosmian Tee Tools version 1.3.1 or later.
+                      The Licensed Work is (c) 2024 Cosmian Tech SAS.
+Additional Use Grant: You may use the Licensed Work in production, provided
+                      your total use of does not exceed a total of 4 vCPUS on virtual
+                      machines or 2 physical cores on bare metal machines. This use
+                      does not include offering the Licensed Work to third parties.
+Change Date:          Four years from the date the Licensed Work is published.
+Change License:       MPL 2.0
+
+For information about alternative licensing arrangements for the Licensed Work,
+please contact contact@cosmian.com.
+
+Notice
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
diff --git a/README.md b/README.md
@@ -17,6 +17,6 @@ Also, install `libssl-dev`.
 Then:
 
 ```console
-$ cargo build
-$ cargo test -- --nocapture
+cargo build
+cargo test -- --nocapture
 ```
diff --git a/crate/azure_sev_quote/Cargo.toml b/crate/azure_sev_quote/Cargo.toml
@@ -1,7 +1,9 @@
 [package]
 name = "azure_sev_quote"
-version = "0.1.0"
-edition = "2021"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
 
 [dependencies]
 thiserror = "1.0"

diff --git a/crate/azure_sev_quote/src/lib.rs b/crate/azure_sev_quote/src/lib.rs
@@ -9,7 +9,7 @@ use crate::error::Error;
 
 pub mod error;
 
-const AZURE_QUOTE_NVINDEX: u32 = 0x1400001;
+const AZURE_QUOTE_NVINDEX: u32 = 0x0140_0001;
 const AZURE_QUOTE_START_OFFSET: usize = 32;
 const SEV_QUOTE_SIZE: usize = 1184;
 

diff --git a/crate/maa_client/Cargo.toml b/crate/maa_client/Cargo.toml
@@ -1,7 +1,9 @@
 [package]
 name = "maa_client"
-version = "0.1.0"
-edition = "2021"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
 
 [dependencies]
 base64 = "0.21"
@@ -11,7 +13,7 @@ jose-jws = "0.1"
 jwt-simple = "0.12"
 reqwest = { workspace = true }
 rsa = "0.9"
-serde = {version = "1.0", features = ["derive"] }
+serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 thiserror = { workspace = true }
 x509-cert = "0.2"
diff --git a/crate/maa_client/src/error.rs b/crate/maa_client/src/error.rs
@@ -5,7 +5,7 @@ use thiserror::Error;
 pub enum Error {
     #[error("RequestError: {0}")]
     RequestError(#[from] reqwest::Error),
-    #[error("MaaReponseError: {0}")]
+    #[error("MaaResponseError: {0}")]
     MaaResponseError(String),
     #[error("UnexpectedError: {0}")]
     UnexpectedError(String),

diff --git a/crate/maa_client/src/jwk.rs b/crate/maa_client/src/jwk.rs
@@ -147,6 +147,7 @@ impl MaaJwks {
     /// # Returns
     ///
     /// [`Some(MaaJwk)`] if success, [`None`] otherwise.
+    #[must_use]
     pub fn find(self, kid: &str) -> Option<MaaJwk> {
         self.keys.into_iter().find(|key| key.kid == kid)
     }

diff --git a/crate/maa_client/src/lib.rs b/crate/maa_client/src/lib.rs
@@ -3,7 +3,7 @@ pub mod error;
 pub mod jwk;
 pub mod utils;
 
-use std::{ops::Deref, str::FromStr};
+use std::str::FromStr;
 
 use crate::{
     api::{maa_attest_sgx_enclave, maa_certificates},
@@ -119,7 +119,7 @@ pub fn verify_jws(token: &str, jwks: MaaJwks, nonce: Option<&[u8]>) -> Result<Sg
         return Err(Error::DecodeError("no header found in JWS".to_owned()));
     };
 
-    let Protected { oth, .. } = header.deref();
+    let Protected { oth, .. } = &**header;
     let Unprotected { kid, .. } = oth;
 
     let Some(expected_kid) = kid else {
@@ -148,7 +148,7 @@ pub fn verify_jws(token: &str, jwks: MaaJwks, nonce: Option<&[u8]>) -> Result<Sg
 ///
 /// * `maa_url` - Attestation instance base URI, for example https://mytenant.attest.azure.net.
 /// * `quote` - Raw SGX quote.
-/// * `enclave_held_data` - SHA-256(enclave_held_data) digest expected in REPORT_DATA of SGX quote.
+/// * `enclave_held_data` - SHA-256(enclave_held_data) digest expected in `REPORT_DATA` of SGX quote.
 /// * `mr_enclave` - Expected MRENCLAVE value in SGX quote.
 /// * `mr_signer` - Expected MRSIGNER value in SGX quote.
 ///

diff --git a/crate/pccs_client/Cargo.toml b/crate/pccs_client/Cargo.toml
@@ -1,7 +1,9 @@
 [package]
 name = "pccs_client"
-version = "0.1.0"
-edition = "2021"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
 
 [dependencies]
 hex = { workspace = true }

diff --git a/crate/pccs_client/src/error.rs b/crate/pccs_client/src/error.rs
@@ -4,7 +4,7 @@ use thiserror::Error;
 pub enum Error {
     #[error("RequestError: {0}")]
     RequestError(#[from] reqwest::Error),
-    #[error("PccsReponseError: {0}")]
+    #[error("PccsResponseError: {0}")]
     PccsResponseError(String),
     #[error("UnexpectedError: {0}")]
     UnexpectedError(String),