feat: Move verify_trust into c2pa_crypto
#784
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This helps with tests that are moving into this space shortly which rely on the root certificate bundle matching.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #784 +/- ##
==========================================
- Coverage 81.05% 80.85% -0.20%
==========================================
Files 114 115 +1
Lines 30989 30940 -49
==========================================
- Hits 25117 25017 -100
- Misses 5872 5923 +51 ☔ View full report in Codecov by Sentry. |
scouten-adobe
changed the title
verify_trust into c2pa_cryptoverify_trust into c2pa_crypto
All has been transferred to c2pa-crypto.
(Now all contained within c2pa-crypto.)
scouten-adobe
commented
Dec 19, 2024
| /// Certificate Profiles]. | ||
| /// | ||
| /// [§14.5.1, Certificate Profiles]: https://c2pa.org/specifications/specifications/2.1/specs/C2PA_Specification.html#_certificate_profiles | ||
| pub fn check_certificate_profile( |
There was a problem hiding this comment.
This is the function formerly known as check_cert in cose_validator.rs.
scouten-adobe
commented
Dec 19, 2024
| @@ -1,36 +1,76 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
There was a problem hiding this comment.
These test fixtures were regenerated to match what was in the c2pa-rs test fixture directory.
In a prior PR, I had generated new ps*** certs and private keys, but that turned out to be unnecessary.
scouten-adobe
commented
Dec 19, 2024
| cert_der: &[u8], | ||
| _signing_time_epoch: Option<i64>, | ||
| ) -> Result<(), CertificateTrustError> { | ||
| // TO DO: Add verification of signing time. |
There was a problem hiding this comment.
May not be relevant since we do this in check_certificate_profile above,
There was a problem hiding this comment.
I think we can remove this comment since we check signing cert in cose_sign
scouten-adobe
commented
Dec 19, 2024
| @@ -136,7 +136,6 @@ image = { version = "0.24.7", default-features = false, features = [ | |||
| "png", | |||
| ], optional = true } | |||
| instant = "0.1.12" | |||
| openssl = { version = "0.10.61", features = ["vendored"], optional = true } | |||
scouten-adobe
commented
Dec 19, 2024
| @@ -106,403 +79,6 @@ fn get_cose_sign1( | |||
| } | |||
| } | |||
|
|
|||
| pub(crate) fn check_cert( | |||
There was a problem hiding this comment.
Moved into c2pa_crypto crate above.
scouten-adobe
commented
Dec 19, 2024
| @@ -288,10 +288,6 @@ pub enum Error { | |||
| #[error("could not acquire OpenSSL FFI mutex")] | |||
| OpenSslMutexError, | |||
|
|
|||
There was a problem hiding this comment.
There are probably more error codes I could remove. Will do that in a subsequent PR.
scouten-adobe
commented
Dec 19, 2024
| { | ||
| let mut salt = vec![0u8; self.salt_len]; |
There was a problem hiding this comment.
@mauricefisher64 check this one especially. Is there something special about openssl's implementation of rand_bytes that we'd want to preserve? LMK and I'll adapt if so.
There was a problem hiding this comment.
The only requirement is it should be a cryptographically random number generator.
|
Fixes #663 |
| ) -> Result<(), CertificateTrustError> { | ||
| // First check to see if the certificate appears on the allowed list of | ||
| // end-entity certificates. | ||
| if ctp.end_entity_cert_ders().any(|der| der == cert_der) { |
There was a problem hiding this comment.
Looks like you removed this behavior:
// check the cert against the allowed list first
let cert_sha256 = hash_sha256(ee_der);
let cert_hash_base64 = base64::encode(&cert_sha256);
if th.get_allowed_list().contains(&cert_hash_base64) {
return Ok(true);
}
This was an optimization we use for the Verify site. Verify only stores the hashes of the der encoded pems. That greatly reduced the size of the payload and speed of lookup that Verify performs.
There was a problem hiding this comment.
Same thing in the wasm case.
There was a problem hiding this comment.
Ah, I wasn't aware of that use case, but I'll add it back.
There was a problem hiding this comment.
If you look at load_allowed_list in the old versions you will see we allow you to use either PEM or DER hashes. Verify uses DER hashes.
There was a problem hiding this comment.
Note this code should go away one day when we stop supporting end-entity certs.
There was a problem hiding this comment.
Actually, if I read this right, we were already using DERs under the hood here. Which means Verify should be fine. And makes sense since the underlying API only accepts DER-encoded end-entity certs.
So I think this is OK as is. (Happy to change after merging if that's wrong.)
| .parse() | ||
| .map_err(|_| CertificateTrustError::InvalidCertificate)?; | ||
|
|
||
| // Not sure this is needed any more. Leaving this for now, but I think this |
There was a problem hiding this comment.
This is needed since this function could validate C2PA signatures (P1363) or those from certificates which are ASN.1 DER. I don't know if the new code is only used for DER now.
# Conflicts: # internal/crypto/Cargo.toml
… important Failing test case that reflects this requirement. Will add code to support this shortly.
scouten-adobe
commented
Dec 19, 2024
| @@ -28,8 +30,9 @@ pub struct CertificateTrustPolicy { | |||
| /// Trust anchors (root X.509 certificates) in DER format. | |||
| trust_anchor_ders: Vec<Vec<u8>>, | |||
|
|
|||
| /// End-entity certificaters (root X.509 certificates) in DER format. | |||
| end_entity_cert_ders: Vec<Vec<u8>>, | |||
| /// Base-64 encoded SHA-256 has of end-entity certificaters (root X.509 | |||
There was a problem hiding this comment.
Typo: has should be hash
There was a problem hiding this comment.
Will fix after meeting
Closed
Merged
gpeacock
added a commit
that referenced
this pull request
Jan 15, 2025
* Fix Make release script & update readme (contentauth/c2patool#55) * Updates publish workflow to upload binaries to github (contentauth/c2patool#58) Co-authored-by: Jack Farzan <[email protected]> Co-authored-by: Eric Scouten <[email protected]> * chore: Update README.md (contentauth/c2patool#54) * Update README.md Co-authored-by: Rand McKinney <[email protected]> * Add --info option (contentauth/c2patool#65) * reduce release binary size * Add -info option, improve error handling * improve error reporting * chore: Fix publish CI workflow (contentauth/c2patool#67) * chore: Fix a couple more spots where step renaming was missed * chore: Also, we need an admin token to later push back to the repo * chore: Move GitHub release step into repo-prep workflow * chore: Fix tagging step * Prepare 0.3.1 release * chore: Publish from the newly-created commit * Upgrade cpufeatures to non-yanked version (contentauth/c2patool#68) * Prepare 0.3.2 release * Fix name mismatch that caused binary publish to fail * Prepare 0.3.3 release * Put the binary outputs in the correct release * Prepare 0.3.4 release * Fix reference to previous version tag * Prepare 0.3.5 release * chore: Remove changelog history for partial releases * Update Cargo.lock to 0.3.5 * chore: update readme --info (contentauth/c2patool#70) * Update Cargo.lock when publishing crate (contentauth/c2patool#71) * Prepare 0.3.6 release * Fetch remote manifests for --info (contentauth/c2patool#75) * Better message when fail to fetch remote manifest * Add info integration tests * Update sdk to get remote manifest data * info not found integration test * fix manifest size report for remote * Treat a source asset with a manifest store as a default parent (contentauth/c2patool#76) * treat source with claim as default parent ingredient * Prepare 0.3.7 release * Readme updates (contentauth/c2patool#62) authored-by: Rand McKinney <[email protected]> * Fix new Clippy warning in Rust 1.65 (contentauth/c2patool#84) * Build infrastructure improvements (contentauth/c2patool#85) Adapted from https://github.com/adobe/xmp-toolkit-rs * Build crate 3x/week and alert on error * Include recommended fix for CodeCov flakiness * Add notes about warnings in publish workflow * Bump c2pa from 0.13.2 to 0.15.0 (contentauth/c2patool#87) * Prepare 0.3.8 release * allows clients to output manifest report to specified directory (contentauth/c2patool#91) * allows clients to output manifest report to specified directory * appeases clippy * implements feedback * supports `detailed` flag when writing * organizes thumbnails in a directory named for the manifest in which it appears * updates manifest extension to `.json` * accounts for thumbnail title having different extension from thumbnail data * simplifies add extension to ingredient thumbnail file name Co-authored-by: Dylan Ross <[email protected]> * update to c2pa-rs 0.16.0 * Prepare 0.3.9 release * Update for Clippy in Rust 1.67 (contentauth/c2patool#101) * update to cp2pa 0.17.0 (contentauth/c2patool#105) * feat: Add --certs and --tree options (contentauth/c2patool#106) --certs extracts the certificate chain --tree displays a graphic tree view of manifest store structure * Prepare 0.4.0 release * chore: Fix a warning flagged by Clippy in Rust 1.68 (contentauth/c2patool#110) * Leverage new Manifest & Ingredient, add Ingredient creation. (contentauth/c2patool#107) * integration with resource_stores in c2pa_rs 0.17.0 * Add --ingredient option to generate ingredients * Add SignConfig, remove ManifestConfig * struct-op to clap conversion * feat: New ingredient support and c2pa file formats (contentauth/c2patool#111) Update to c2pa-rs 0.19 Adds support for many new formats add ingredient_paths to support ingredients as files or JSON Updates to README and schema Add simple ingredient report injects c2patool claim_generator * Prepare 0.5.0 release * Update expired sample certs (contentauth/c2patool#113) * Update expired sample certs * Remove root cert * chore: Change relative links to absolute to fix doc build (contentauth/c2patool#115) * Update README.md (contentauth/c2patool#118) * chore: Update README.md (contentauth/c2patool#119) * Prepare 0.5.1 release * Ingredient thumbnails, extension cleanup, toolkit update (contentauth/c2patool#120) Thumb and extension fixes fix ingredient thumbnail loading remove manifest preview feature test for similar extensions update c2pa-rs Add svg support * Prepare 0.5.2 release * Parent Ingredient JSON (contentauth/c2patool#123) * Ingredient improvements and fixes * fix bug where ingredient thumbnails were not generated * an ingredient.json file or folder can now be passed on the command line --parent option. * if a folder is passed as an ingredient, the tool will look for an ingredient.json fle in that folder. * fix --parent is no longer relative to the --manifest path * Set correct base path for ingredient_path json files identifiers are relative to ingredient.json location Update integration test * Prepare 0.5.3 release * Update README.md (contentauth/c2patool#124) Add link to c2pa-service-example * c2pa-rs 23.0 + updated test * integrate c2pa 23.0 bump version (contentauth/c2patool#126) * integrate c2pa 23.1 bump version * Prepare 0.5.4 release * feat: update to c2pa-rs 0.24.0 (contentauth/c2patool#127) * Prepare 0.6.0 release * use compress-archive instead of tar (contentauth/c2patool#130) Co-authored-by: Jack Farzan <[email protected]> * Prepare 0.6.1 release * Fix windows release (contentauth/c2patool#132) * Fix windows release Switch from tar/compress to 7z for windows release * Added 7zip note * chore: Update README.md (contentauth/c2patool#131) * Update README.md Made header levels consistent, and some minor grammar, spelling, formatting and punctuation corrections. * update cargo crates to get around build block --------- Co-authored-by: Gavin Peacock <[email protected]> * Updates to c2pa-rs 0.25.1 (contentauth/c2patool#128) * update to c2pa-rs 0.25.1 * chore: Split README into several files in new docs dir (contentauth/c2patool#136) * Split README into several files, cread docs dir * Change link to spec 1.3, make doc links absolute * minor wording edits * Add Docusaurus styling so xrefs to other md pages in repo is not displayed on site * Make link relative not absolute * Update release-notes.md * Fix link in CONTRIBUTING.md to CODE_OF_CONDUCT.md, add README TOC * Move TOC to better location in README --------- Co-authored-by: Rand McKinney <[email protected]> * Fix issue with docusaurus styling and fix broken links (contentauth/c2patool#138) Co-authored-by: Rand McKinney <[email protected]> * chore: Add nightly build process (contentauth/c2patool#139) * chore: Update CI/CD actions (contentauth/c2patool#140) * chore: Update chrono dep to 0.4.28, which satisfies latest nightly c2pa-rs requirement (contentauth/c2patool#141) * Upgrade to c2pa-rs 0.26.0 (contentauth/c2patool#143) (Fixes nightly build issues with openssl.) * chore: Fix link to nightly build docs in README.md (contentauth/c2patool#142) * chore: Apply same rustfmt configuration as c2pa-rs (contentauth/c2patool#145) Replaces contentauth/c2patool#45. * Add Do not train example * update to c2pa 0.27.1 (contentauth/c2patool#146) Adds mp3 Adds PDF read only support update Readme * chore: Fix bugs in publish workflow related to change in GH Actions API (contentauth/c2patool#147) * Prepare 0.6.2 release * chore: Doc update for manifest docs (contentauth/c2patool#148) * Make clear that these files etc are in context of c2patool * Clean up example doc file * Clarify tool specific fields * Add tool specific fields to manifest snippet Authored-by: Rand McKinney <[email protected]> * Update to c2pa-rs 0.28.1 * feat: updates to c2pa-rs v0.28.2 (contentauth/c2patool#153) * updates to c2pa-rs v0.28.0 * Bumped to 0.28.1 * Update to c2pa-rs 0.28.2 * Prepare 0.7.0 release * adds version to c2patool artifact names (contentauth/c2patool#158) Co-authored-by: Jack Farzan <[email protected]> * Add trust and verification options to c2pa_tool (contentauth/c2patool#168) * Add trust and verification options to c2pa_tool * fix formatting * Fix typo * Sample files * README clarification and formatting * Make example commands consistent, fix table column width, add xref link, etc --------- Co-authored-by: Rand McKinney <[email protected]> * feat: allow clients to sign with a process outside of c2patool (contentauth/c2patool#169) * allow clients to sign with a process outside of c2patool * builds bins for coverage tests * removes pub key * removes extra println * includes stderr; shows stderr from child process is included in error * adds better docs * improves docs; renames signer-process to signer-path. * adds docs and default value for reserve_size * replaces TODO with proper docs * removes extraneous else --------- Co-authored-by: Dylan Ross <[email protected]> * Prepare 0.8.0 release * use c2pa-rs 0.31.1 for actions.changes support (contentauth/c2patool#170) the actions.changes field will soon be added to the spec, this anticipates that. * Prepare 0.8.1 release * fixed c2patool asset name (contentauth/c2patool#171) Co-authored-by: Jack Farzan <[email protected]> * Prepare 0.8.2 release * feat: Add HTTP source option for trust config (contentauth/c2patool#174) * Add URL support for trust configuration settings * Add file tests * Add URL tests * Integrate with c2pa-rs 0.32.0, various test case fixes. (contentauth/c2patool#175) * Added error message for manifest without output target. Update c2pa-rs and remove xmp_write feature. * Update to c2pa-rs 0.32.0, with various fixes. * Prepare 0.9.0 release * Add better support for cargo-binstall (contentauth/c2patool#177) * Add better support for cargo-binstall * Clarify different installation methods * Update `time` crate so tests pass on latest nightly (1.80) --------- Co-authored-by: Rand McKinney <[email protected]> * Prepare 0.9.1 release * Remove integration tests for now due to extraneous binaries (contentauth/c2patool#178) * Remove integration tests for now due to extraneous binaries * Remove `bin` key * Add comment about defaults * Prepare 0.9.2 release * Remove binary modules (contentauth/c2patool#179) * Prepare 0.9.3 release * Document how to specify an icon (contentauth/c2patool#182) Co-authored-by: Rand McKinney <[email protected]> * Match c2pa-rs minimum toolchain version and test in CI (contentauth/c2patool#188) * Update c2patool (contentauth/c2patool#190) * Prepare 0.9.4 release * added security.md (contentauth/c2patool#196) Co-authored-by: Jack Farzan <[email protected]> * Update to lastest c2pa-rs (contentauth/c2patool#197) * Update c2patool * Update to latest SDK * Prepare 0.9.5 release * chore: Clarify use of test cert/key and general doc edits (contentauth/c2patool#193) * README edits * README edits * Edits per Gavin * Remove example col from table for readability * Add css class to trust options table --------- Co-authored-by: Rand McKinney <[email protected]> * Updates cargo packages and cargo.deny file. (contentauth/c2patool#200) Adds a readme update as well. * chore: Simplify nightly workflow and make it more like the one in c2pa-rs (contentauth/c2patool#144) * chore: Simplify nightly workflow and make it more like the one in c2pa-rs * Restore generation of changelog for nightly builds * Bump env_logger from 0.10.2 to 0.11.4 (contentauth/c2patool#204) * Bump env_logger from 0.10.2 to 0.11.4 Bumps [env_logger](https://github.com/rust-cli/env_logger) from 0.10.2 to 0.11.4. - [Release notes](https://github.com/rust-cli/env_logger/releases) - [Changelog](https://github.com/rust-cli/env_logger/blob/main/CHANGELOG.md) - [Commits](rust-cli/env_logger@v0.10.2...v0.11.4) --- updated-dependencies: - dependency-name: env_logger dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Update env_logger, clap, predicates and mockall --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gavin Peacock <[email protected]> * only run tests/clippy if labeled (contentauth/c2patool#205) Co-authored-by: Jack Farzan <[email protected]> * Pull latest c2pa-rs bug fixes into c2patool (contentauth/c2patool#212) * Pull latest c2pa-rs bug fixes into c2patool Updated help strings around trust and signing * Update c2pa version * Prepare 0.9.6 release * Update security guidance to link to SECURITY.md (contentauth/c2patool#217) Co-authored-by: Rand McKinney <[email protected]> * Remove rust toolchain version lock (contentauth/c2patool#221) * Remove rust toolchain version lock Forcing due to stuck CI * Update to latest c2pa SDK (contentauth/c2patool#222) * Update c2patool * Update to latest SDK * Update to latest c2pa-rs * Prepare 0.9.7 release * Add warning about accessing a private key directly (contentauth/c2patool#218) * Add warning about accessing a private key directly * Update README.md * Update README.md * Update README.md Reword per discussion w Maurice & Gavin --------- authored-by: Rand McKinney <[email protected]> * Initial fragment support (contentauth/c2patool#230) * Initial fragment support * code review fixes * Prepare 0.9.8 release * Remove no-longer-maintained clippy-check action (contentauth/c2patool#238) Also: Configure Dependabot to suggest new action steps when available * chore: Debug which branch we're pulling * Bump actions/checkout from 3 to 4 (contentauth/c2patool#243) Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Switch back to using `pull_request` instead of `pull_request_target` trigger * chore: Fix current Clippy warnings (contentauth/c2patool#244) * Document fragment subcommand (contentauth/c2patool#236) * Document fragment subcommand * Review comments * add examples * wording * Modify example cmd per Maurice --------- Co-authored-by: Rand McKinney <[email protected]> * Pull in latest bug fixes (contentauth/c2patool#237) * Pull in latest bug fixes * clippy fixes * Test build fix * Clippy fixes. * Try again? --------- Co-authored-by: Eric Scouten <[email protected]> Co-authored-by: Gavin Peacock <[email protected]> * Prepare 0.9.9 release * Update c2ptool to use latest c2pa-rs (contentauth/c2patool#258) * Update c2patool * Update to latest SDK * Update to latest c2pa-rs * update to latest c2pa-rs to get bug fixes * Prepare 0.9.10 release * Merge hardening bug fixes (contentauth/c2patool#260) * Update c2patool * Update to latest SDK * Update to latest c2pa-rs * update to latest c2pa-rs to get bug fixes * Grab hardening bug fixes * Update lock file * Try again --------- Co-authored-by: Eric Scouten <[email protected]> * Prepare 0.9.11 release * chore: Adjust conditions for running CI jobs (contentauth/c2patool#261) * Bump EmbarkStudios/cargo-deny-action from 1 to 2 (contentauth/c2patool#245) Bumps [EmbarkStudios/cargo-deny-action](https://github.com/embarkstudios/cargo-deny-action) from 1 to 2. - [Release notes](https://github.com/embarkstudios/cargo-deny-action/releases) - [Commits](EmbarkStudios/cargo-deny-action@v1...v2) --- updated-dependencies: - dependency-name: EmbarkStudios/cargo-deny-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Skip CodeCov upload for non-member PRs (contentauth/c2patool#263) (We don't have access to the CodeCov token, which means the upload will likely be rate-limited and fail.) * chore: Debug action context * chore: Retry debug * chore: Don't skip CI jobs for non-pull-request events * chore: Format for consistency with c2pa-rs CI workflow (contentauth/c2patool#265) * chore: Debug CI again * chore: Run all CI jobs when user is dependabot[bot] * Bump codecov/codecov-action from 3 to 4 (contentauth/c2patool#242) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3 to 4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v3...v4) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix broken link that was causing os site workflow to fail (contentauth/c2patool#266) * fix: Update c2pa-rs for RegionOfInterest support. (contentauth/c2patool#269) * Prepare 0.9.12 release * enlarged description of c2pa command-line behavior (contentauth/c2patool#285) Signed-off-by: Tim Bray <[email protected]> * chore: uploads sbom as artifact (contentauth/c2patool#293) Co-authored-by: Dylan Ross <[email protected]> * feat: Updates c2patool to use only the new Builder/Reader API (contentauth/c2patool#297) * chore: Update to the 24 Builder API (WIP) * chore: Move tree implementation into tool * Use released c2pa-rs * Adds integration tests for tree and info features. * Add unit test for tree * doc: Update Contributing guide, misc minor edits (contentauth/c2patool#296) * Update CONTRIBUTING.md Add section on PR titles, change headings to sentence case. * Update README.md Remove manual page TOC since GH now provides it automatically. * Consolidate supported formats in c2pa-rs * Update release notes with items from CHANGELOG * Move some content into files in docs dir, add xrefs to manifest info * Missed some xrefs * typo * Reduce set of required PR title prefixes per @gpeacock * clarify conv commits requirements * Retitle cert doc, fix ext links for Docusaurus * chore: ignore warnings for RUSTSEC-2024-0399" (contentauth/c2patool#300) * chore: ignore warnings for RUSTSEC-2024-0399" This does not apply to us. Also ran cargo update. * chore: Adds acceptance of Unicode-3.0 * chore: bump MarcoIeni/release-plz-action from 0.5.83 to 0.5.85 (#700) Bumps [MarcoIeni/release-plz-action](https://github.com/marcoieni/release-plz-action) from 0.5.83 to 0.5.85. - [Release notes](https://github.com/marcoieni/release-plz-action/releases) - [Commits](release-plz/action@v0.5.83...v0.5.85) --- updated-dependencies: - dependency-name: MarcoIeni/release-plz-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * chore: Move SHA-256 hash fn into c2pa-crypto (#708) * chore: Move `parse_ec_der_sig` to `c2pa-crypto` (#710) * chore: To do list for c2pa-crypto migration of cose_validator.rs * chore: Remove `cose_validator` dep on `validation_status` (#712) (Codes are actually located now in `c2pa-status-tracker` crate.) * chore: bump codecov/codecov-action from 4 to 5 (#686) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v4...v5) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Move `fn gt_to_datetime` to `cose_validator.rs` (last place that uses it) (#714) * chore: Move `sigTst` handling into `c2pa-crypto` (#715) * fix: Remove `c2pa::Signer` dependency on `c2pa_crypto::TimeStampProvider` (#718) This causes problems with UniFFI bindings that can't be addressed. * chore: Move `ValidationInfo` to `c2pa-crypto` (#721) * Extract ValidationInfo into c2pa-status-tracker * Move ValidationInfo into c2pa-crypto * Format * Start to merge c2patool binary release process into release-plz workflow * Remove redundant .gitignore file To fix (not urgent): Clean up cli unit test that drops content in old target folder * Fix formatting of cli/CHANGELOG.md * Remove code of conduct, etc., which also appear at workspace root * Merge deny.toml settings * Update repository link in cli/Cargo.toml * Fix README links * Rename Unit tests (libraries) back to Unit tests for consistency * Move profile settings to workspace Cargo.toml * Fix path references for nightly publish * Disable nightly binaries publish for the moment * feat: Add `RawSigner` trait to `c2pa-crypto` (derived from `c2pa::Signer`) (#716) * chore: Update Cargo.lock and remove from .gitignore * update: update zip requirement from 0.6.6 to 2.2.1 in /sdk (#698) * update: update zip requirement from 0.6.6 to 2.2.1 in /sdk --- updated-dependencies: - dependency-name: zip dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> * Update to use zip's new SimpleFileOptions type * Allow PR titles generated by Dependabot * Bump memchr to 2.7.4 * Update Cargo.lock --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * fix: Verbose assertions for `is_none()` (#704) * chore: Fix c2patool CI configuration (#759) * chore: bump MarcoIeni/release-plz-action from 0.5.85 to 0.5.86 (#720) Bumps [MarcoIeni/release-plz-action](https://github.com/marcoieni/release-plz-action) from 0.5.85 to 0.5.86. - [Release notes](https://github.com/marcoieni/release-plz-action/releases) - [Commits](release-plz/action@v0.5.85...v0.5.86) --- updated-dependencies: - dependency-name: MarcoIeni/release-plz-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: Adapt for the myriad Dependabot PR title patterns (argh!) * chore: Remove version edit warning in c2patool Cargo.toml * chore: Update cli/CHANGELOG.md preamble * update: bump mockall requirement from 0.11.2 to 0.13.1 in /sdk (#685) update: update mockall requirement from 0.11.2 to 0.13.1 in /sdk Updates the requirements on [mockall](https://github.com/asomers/mockall) to permit the latest version. - [Changelog](https://github.com/asomers/mockall/blob/master/CHANGELOG.md) - [Commits](asomers/mockall@v0.11.2...v0.13.1) --- updated-dependencies: - dependency-name: mockall dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * update: bump asn1-rs from 0.5.2 to 0.6.2 (#724) Bumps [asn1-rs](https://github.com/rusticata/asn1-rs) from 0.5.2 to 0.6.2. - [Release notes](https://github.com/rusticata/asn1-rs/releases) - [Changelog](https://github.com/rusticata/asn1-rs/blob/master/CHANGELOG.md) - [Commits](rusticata/asn1-rs@asn1-rs-0.5.2...asn1-rs-0.6.2) --- updated-dependencies: - dependency-name: asn1-rs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * update: bump chrono from 0.4.38 to 0.4.39 (#763) Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.38 to 0.4.39. - [Release notes](https://github.com/chronotope/chrono/releases) - [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md) - [Commits](chronotope/chrono@v0.4.38...v0.4.39) --- updated-dependencies: - dependency-name: chrono dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: release (#761) * chore: Fix release-plz configuration * chore: Inspect release-plz `releases` output * chore: Rebuild c2patool binary release process * feat: Move `validation_codes` from `c2pa-crypto` to `c2pa-status-tracker` (Actually done in #695, but because I marked that PR as a `chore` it isn't triggering a release of `c2pa-status-tracker`, which is required for other crates to build. Fun times!) * chore: Revert previous release attempt * chore: release (#767) * fix: Compile `c2pa-crypto` with `cargo check` (#768) Also: Revert unpublished Cargo.toml and CHANGELOG files * chore: release (#769) * fix: Binary release process for c2patool * chore: Use `cargo check` to preflight `cargo publish` (i.e. default features only) * fix: No-op change to trigger new c2patool release * chore(c2patool): release v0.10.1 (#772) * fix: Update makefile for c2patool's new location in c2pa-rs workspace * fix: No-op change to trigger new c2patool build * chore(c2patool): release v0.10.2 (#773) * chore: Fix broken CI workflow file * update: bump thiserror from 1.0.69 to 2.0.6 (#770) Bumps [thiserror](https://github.com/dtolnay/thiserror) from 1.0.69 to 2.0.6. - [Release notes](https://github.com/dtolnay/thiserror/releases) - [Commits](dtolnay/thiserror@1.0.69...2.0.6) --- updated-dependencies: - dependency-name: thiserror dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * fix: Resolve new Clippy issues (#776) * fix: Possible overflow for TIFF (#760) fix: Possible overflow for tiff * fix: Add support XMP in SVG (#771) * Add XMP support to SVG. Fix some incorrect XMP implmentations * remove print statement * One more unit test * feat: Bump MSRV to 1.81.0 (#781) Required due to version updates in some dependent crates. * fix: JPEG `write_cai` OOB insertion (#762) * fix: jpeg write_cai OOB insertion Malformed jpeg may lead to insertion of CAI data at invalid index Co-authored-by: Eric Scouten <[email protected]> * doc: Post move cleanup (#778) * post move doc cleanup * Doc cleanup for move to c2pa-rs repo * Scouten comments * Add link from changelog to RNs --------- Co-authored-by: Eric Scouten <[email protected]> * fix: Prevent negative length value for SVG object locations (#766) fix: Prevent negative length value for svg object locations * fix: OOB read attempt in jpeg_io asset handler in get_cai_segments function (#719) * fix: OOB read attempt in jpeg_io asset handler in get_cai_segments function * fix: Additional slice OOB read mitigation. * fix: Improve usage of `#[cfg]` directives (#783) --------- Co-authored-by: Kornel <[email protected]> * feat: Introduce `c2pa_crypto::CertificateAcceptancePolicy` (#779) * update: bump rasn from 0.18.0 to 0.22.0 (#727) * update: bump rasn from 0.18.0 to 0.22.0 Bumps [rasn](https://github.com/librasn/rasn) from 0.18.0 to 0.22.0. - [Release notes](https://github.com/librasn/rasn/releases) - [Changelog](https://github.com/librasn/rasn/blob/main/CHANGELOG.md) - [Commits](librasn/rasn@rasn-v0.18.0...rasn-v0.22.0) --- updated-dependencies: - dependency-name: rasn dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Fix up related deps and update for newer rasn APIs * Update MSRV to 1.81.0 --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * update: bump thiserror from 2.0.6 to 2.0.8 (#787) Bumps [thiserror](https://github.com/dtolnay/thiserror) from 2.0.6 to 2.0.8. - [Release notes](https://github.com/dtolnay/thiserror/releases) - [Commits](dtolnay/thiserror@2.0.6...2.0.8) --- updated-dependencies: - dependency-name: thiserror dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * update: bump serde-wasm-bindgen from 0.5.0 to 0.6.5 (#786) Bumps [serde-wasm-bindgen](https://github.com/RReverser/serde-wasm-bindgen) from 0.5.0 to 0.6.5. - [Commits](RReverser/serde-wasm-bindgen@v0.5.0...v0.6.5) --- updated-dependencies: - dependency-name: serde-wasm-bindgen dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * fix: Obscure glob error message for missing files Users were getting an obscure fragment glob message instead of file not found. "Error: glob patterns only allowed when using "fragment" command" * update: bump jfifdump from 0.5.1 to 0.6.0 (#785) Bumps [jfifdump](https://github.com/vstroebel/jfifdump) from 0.5.1 to 0.6.0. - [Commits](https://github.com/vstroebel/jfifdump/commits) --- updated-dependencies: - dependency-name: jfifdump dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Scouten <[email protected]> * feat: Move `verify_trust` into `c2pa_crypto` (#784) * feat: Move COSE OCSP support into c2pa-crypto (#793) * feat: Move `get_cose_sign1` into `c2pa-crypto` crate (#794) * feat: Move `signing_alg_from_sign1` into `c2pa-crypto` (#795) * feat: Consolidate implementations of `cert_chain_from_sign1` in `c2pa_crypto` (#796) * feat: Introduce `c2pa_crypto::cose::Verifier` (#797) * feat: Introduce `c2pa_crypto::Verifier::verify_trust` (#798) * chore: Move `check_ocsp_response` (the one that uses settings) to `claim.rs` (#799) * feat: Make `AsyncRawSignatureValidator` available on all platforms (#800) (When OpenSSL is used, it's just a wrapper around the synchronous code path.) * feat: Move COSE signature verification into `c2pa_crypto` (#801) * feat: Move COSE timestamp generation into `c2pa_crypto` (#803) * feat: Move COSE signing into `c2pa_crypto` crate (#807) * fix: Bring `claim_v2` changes from #707 into `c2pa_crypto` (#811) * Apply changes from merge commit 13889dd * Introduce `cose::TimeStampStorage` enum * Plumb TimeStampStorage through first layers of SDK * Port `sigTst2` changes from `claim_v2` branch. See 6028853 * Port `sigTst2` validation changes from claim_v2 branch. See 6028853 * Move P1363 format check earlier in validation. See 6028853 * Pick up `claim_v2` changes to ContentInfo parsing. See bfdadc1 * feat: Add new function `c2pa_crypto::cose::signing_time_from_sign1` (#812) (Will allow me to make some other things private.) * feat: Review `c2pa-crypto` crate API (#813) * fix: c2patool upgrades to API change in Ingredient.title() * chore: PR comment cleanup * chore: clippy fixes * feat: Add ingredient_url tracking for status. Adds default support for LogItem * feat: Add ingredient tracking for status --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Tim Bray <[email protected]> Co-authored-by: Gavin Peacock <[email protected]> Co-authored-by: Jack Farzan <[email protected]> Co-authored-by: Jack Farzan <[email protected]> Co-authored-by: Rand McKinney <[email protected]> Co-authored-by: scouten-adobe <[email protected]> Co-authored-by: gpeacock <[email protected]> Co-authored-by: Dylan ross <[email protected]> Co-authored-by: Dylan Ross <[email protected]> Co-authored-by: mauricefisher64 <[email protected]> Co-authored-by: jackfarzan <[email protected]> Co-authored-by: Rand McKinney <[email protected]> Co-authored-by: dyro <[email protected]> Co-authored-by: Dave Kozma <[email protected]> Co-authored-by: dkozma <[email protected]> Co-authored-by: nick <[email protected]> Co-authored-by: mauricefisher64 <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: nick <[email protected]> Co-authored-by: Tim Bray <[email protected]> Co-authored-by: Eli Mensch <[email protected]> Co-authored-by: Kornel <[email protected]> Co-authored-by: Colin D Murphy <[email protected]> Co-authored-by: Kornel <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.