Merge pull request #9 from Cosmian/bump-deps

Bump deps
Cosmian · Apr 2, 2024 · 84411ce · 84411ce
2 parents 5b9e6c7 + 2566249
commit 84411ce
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 169 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -9,151 +9,24 @@ permissions:
   contents: read
 
 jobs:
-  linux:
-    runs-on: ubuntu-20.04
+  python:
     strategy:
+      fail-fast: false
       matrix:
-        target: [x86_64]
-        python-version: ['3.8', '3.9', '3.10', '3.11']
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'pip'  # caching pip dependencies
-
-      - name: Build wheels
-        uses: PyO3/maturin-action@v1
-        with:
-          target: ${{ matrix.target }}
-          manylinux: manylinux2014
-          container: quay.io/pypa/manylinux2014_x86_64
-          args: --release --out dist -i ${{ matrix.python-version }}
-          sccache: 'true'
-
-      - name: Upload wheels
-        uses: actions/upload-artifact@v3
-        with:
-          name: wheels
-          path: dist
-
-      - name: Install dependencies
-        run: |
-          if [ -f tests/requirements.txt ]; then pip install -r tests/requirements.txt; fi
-          pip install dist/*.whl
-
-      - name: Package metadata
-        id: metadata
-        run: |
-          export PACKAGE_VERSION=$(pip inspect | jq -r '.installed | .[] | select(.metadata.name == "intel-sgx-ra") | .metadata.version')
-          echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_OUTPUT
-
-      - name: Code format with black
-        run: |
-          python -m black --check $PYTHON_SRC
-
-      - name: Import check with isort
-        run: |
-          python -m isort --check --diff $PYTHON_SRC
-
-      - name: Lint check with pylint
-        run: |
-          python -m pylint $PYTHON_SRC
-
-      - name: Lint check with pycodestyle
-        run: |
-          python -m pycodestyle --max-line-length=90 --ignore=E203,W503 $PYTHON_SRC
-
-      - name: Lint check with pydocstyle
-        run: |
-          python -m pydocstyle $PYTHON_SRC
-
-      - name: Typecheck with MyPy
-        run: |
-          python -m mypy $PYTHON_SRC
-
-      - name: Test with pytest
-        run: |
-          python -m pytest
-
-  macos:
-    runs-on: macos-latest
-    strategy:
-      matrix:
-        target: [x86_64]
-        python-version: ['3.8', '3.9', '3.10', '3.11']
-
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'pip'  # caching pip dependencies
-
-      - name: Build wheels
-        uses: PyO3/maturin-action@v1
-        with:
-          target: ${{ matrix.target }}
-          args: --release --out dist -i ${{ matrix.python-version }}
-          sccache: 'true'
-
-      - name: Upload wheels
-        uses: actions/upload-artifact@v3
-        with:
-          name: wheels
-          path: dist
-
-      - name: Install dependencies
-        run: |
-          if [ -f tests/requirements.txt ]; then pip install -r tests/requirements.txt; fi
-          pip install dist/*.whl
-
-      - name: Package metadata
-        id: metadata
-        run: |
-          export PACKAGE_VERSION=$(pip inspect | jq -r '.installed | .[] | select(.metadata.name == "intel-sgx-ra") | .metadata.version')
-          echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_OUTPUT
-
-      - name: Code format with black
-        run: |
-          python -m black --check $PYTHON_SRC
-
-      - name: Import check with isort
-        run: |
-          python -m isort --check --diff $PYTHON_SRC
-
-      - name: Lint check with pylint
-        run: |
-          python -m pylint $PYTHON_SRC
-
-      - name: Lint check with pycodestyle
-        run: |
-          python -m pycodestyle --max-line-length=90 --ignore=E203,W503 $PYTHON_SRC
-
-      - name: Lint check with pydocstyle
-        run: |
-          python -m pydocstyle $PYTHON_SRC
-
-      - name: Typecheck with MyPy
-        run: |
-          python -m mypy $PYTHON_SRC
-
-      - name: Test with pytest
-        run: |
-          python -m pytest
+        os: [ubuntu-20.04, macos-13]
+    uses: ./.github/workflows/python.yml
+    name: Python CI (${{ matrix.os }})
+    with:
+      os: ${{ matrix.os }}
 
   release:
     name: Release
     runs-on: ubuntu-latest
     if: "startsWith(github.ref, 'refs/tags/')"
-    needs: [linux, macos]
+    needs: python
     steps:
-      - uses: actions/download-artifact@v3
-        with:
-          name: wheels
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
       - name: Publish to PyPI
         uses: PyO3/maturin-action@v1
         env:

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -0,0 +1,86 @@
+name: Python CI
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+
+env:
+  PYTHON_SRC: "src"
+
+permissions:
+  contents: read
+
+jobs:
+  python:
+    runs-on: ${{ inputs.os }}
+    strategy:
+      matrix:
+        target: [x86_64]
+        python-version: ['3.8', '3.9', '3.10', '3.11']
+    name: Python ${{ matrix.python-version }} (${{ matrix.target }})
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'  # caching pip dependencies
+
+      - name: Build wheels
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.target }}
+          manylinux: manylinux2014
+          container: quay.io/pypa/manylinux2014_x86_64
+          args: --release --out dist -i ${{ matrix.python-version }}
+          sccache: 'true'
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.os }}-${{ matrix.python-version }}-${{ matrix.target }}-wheels
+          path: dist
+
+      - name: Install dependencies
+        run: |
+          if [ -f tests/requirements.txt ]; then python -m pip install -r tests/requirements.txt; fi
+          python -m pip install dist/*.whl
+
+      - name: Package metadata
+        id: metadata
+        run: |
+          export PACKAGE_VERSION=$(pip inspect | jq -r '.installed | .[] | select(.metadata.name == "intel-sgx-ra") | .metadata.version')
+          echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Code format with black
+        run: |
+          python -m black --check $PYTHON_SRC
+
+      - name: Import check with isort
+        run: |
+          python -m isort --check --diff $PYTHON_SRC
+
+      - name: Lint check with pylint
+        run: |
+          python -m pylint $PYTHON_SRC
+
+      - name: Lint check with pycodestyle
+        run: |
+          python -m pycodestyle --max-line-length=90 --ignore=E203,W503 $PYTHON_SRC
+
+      - name: Lint check with pydocstyle
+        run: |
+          python -m pydocstyle $PYTHON_SRC
+
+      - name: Typecheck with MyPy
+        run: |
+          python -m mypy $PYTHON_SRC
+
+      - name: Test with pytest
+        run: |
+          python -m pytest
diff --git a/README.md b/README.md
@@ -14,29 +14,35 @@ $ pip install intel-sgx-ra
 
 ```console
 $ sgx-ra-verify --help
-usage: sgx-ra-verify [-h] [--verbose] [--mrenclave MRENCLAVE] [--mrsigner MRSIGNER] {certificate,quote} ...
+usage: sgx-ra-verify [-h] [--verbose] [--mrenclave HEXDIGEST]
+                     [--mrsigner HEXDIGEST]
+                     (--pccs-url URL | --azure-attestation)
+                     {certificate,quote} ...
 
-Intel SGX DCAP Quote verification
+Intel SGX DCAP quote verification
 
 positional arguments:
   {certificate,quote}   sub-command help
-    certificate         Remote Attestation from X.509 certificate used for RA-TLS
+    certificate         Remote Attestation from RA-TLS X.509 certificate
     quote               Remote Attestation of a raw SGX quote
 
 optional arguments:
   -h, --help            show this help message and exit
   --verbose             Verbose mode
-  --mrenclave MRENCLAVE
+  --mrenclave HEXDIGEST
                         Expected MRENCLAVE value in SGX quote
-  --mrsigner MRSIGNER   Expected MRSIGNER value in SGX quote
+  --mrsigner HEXDIGEST  Expected MRSIGNER value in SGX quote
+  --pccs-url URL        Provisioning Certificate Cache Service URL (Intel
+                        DCAP)
+  --azure-attestation   Microsoft Azure Attestation Service (Azure DCAP)
 $ sgx-ra-utils --help
 usage: sgx-ra-utils [-h] [--verbose] {extract} ...
 
 Intel SGX DCAP Quote tools
 
 positional arguments:
   {extract}   sub-command help
-    extract   Extract Quote from X.509 certificate using RA-TLS
+    extract   Extract Quote from RA-TLS X.509 certificate
 
 optional arguments:
   -h, --help  show this help message and exit

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "intel-sgx-ra"
-version = "2.1.0"
+version = "2.3.0"
 description = "Intel SGX Remote Attestation verification library"
 authors = [
     {name = "Cosmian Tech", email = "[email protected]"},
@@ -21,19 +21,19 @@ classifiers = [
 ]
 dependencies = [
     "requests>=2.31.0,<3.0.0",
-    "cryptography>=41.0.1,<42.0.0",
-    "authlib>=1.2.0,<2.0.0"
+    "cryptography>=42.0.5,<43.0.0",
+    "authlib>=1.3.0,<2.0.0"
 ]
 
 [project.optional-dependencies]
 tests = [
-    "pylint>=2.17.4,<3.0.0",
-    "pycodestyle>=2.10.0,<3.0.0",
+    "black>=24.3.0,<25.0.0",
+    "isort>=5.13.2,<6.0.0",
+    "pylint>=3.1.0,<4.0.0",
+    "pycodestyle>=2.11.1,<3.0.0",
     "pydocstyle>=6.3.0,<7.0.0",
-    "mypy>=1.3.0,<2.0.0",
-    "black>=23.3.0,<24.0.0",
-    "isort>=5.12.0,<6.0.0",
-    "pytest>=7.3.2,<8.0.0",
+    "mypy>=1.9.0,<2.0.0",
+    "pytest>=8.1.1,<9.0.0",
     "types-requests>=2.31.0,<3.0.0"
 ]
 

diff --git a/src/intel_sgx_ra/attest.py b/src/intel_sgx_ra/attest.py
@@ -2,7 +2,7 @@
 
 import json
 import logging
-from datetime import datetime
+from datetime import datetime, timezone
 from hashlib import sha256
 from typing import Any, Dict, Literal, Optional, Tuple, Union, cast
 
@@ -61,7 +61,7 @@ def verify_pck_chain(
         True if success, raise exception otherwise.
 
     """
-    now: datetime = datetime.utcnow()
+    now: datetime = datetime.now(timezone.utc)
 
     pck_ca_pk, root_ca_pk = (
         cast(ec.EllipticCurvePublicKey, pck_ca_cert.public_key()),
@@ -74,11 +74,11 @@ def verify_pck_chain(
     pck_cert.verify_directly_issued_by(pck_ca_cert)
 
     # Check expiration date of certificates
-    if not root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after:
+    if not root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc:
         raise CertificateError("Intel Root CA certificate has expired")
-    if not pck_ca_cert.not_valid_before <= now <= pck_ca_cert.not_valid_after:
+    if not pck_ca_cert.not_valid_before_utc <= now <= pck_ca_cert.not_valid_after_utc:
         raise CertificateError("Intel PCK CA certificate has expired")
-    if not pck_cert.not_valid_before <= now <= pck_cert.not_valid_after:
+    if not pck_cert.not_valid_before_utc <= now <= pck_cert.not_valid_after_utc:
         raise CertificateError("Intel PCK certificate has expired")
 
     # Check Intel Root CA signed Intel Root CA CRL and not revoked
@@ -149,13 +149,17 @@ def verify_tcb(
     .. [1] https://api.portal.trustedservices.intel.com/documentation#pcs-tcb-info-model-v3
 
     """  # noqa: E501 # pylint: disable=line-too-long
-    now: datetime = datetime.utcnow()
+    now: datetime = datetime.now(timezone.utc)
 
     tcb: Dict[str, Any] = json.loads(tcb_info)
 
+    next_update: datetime = datetime.fromisoformat(
+        # replace zero designator Z for the zero UTC offset (not parsed in Python 3.8)
+        tcb["tcbInfo"]["nextUpdate"].replace("Z", "+00:00")
+    )
     assert tcb["tcbInfo"]["version"] == 3
     assert tcb["tcbInfo"]["id"] == "SGX"
-    assert now < datetime.strptime(tcb["tcbInfo"]["nextUpdate"], "%Y-%m-%dT%H:%M:%SZ")
+    assert now < next_update
 
     root_ca_pk = cast(ec.EllipticCurvePublicKey, root_ca_cert.public_key())
 
@@ -164,9 +168,9 @@ def verify_tcb(
     tcb_cert.verify_directly_issued_by(root_ca_cert)
 
     # Check expiration date of certificates
-    if not root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after:
+    if not root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc:
         raise CertificateError("Intel Root CA certificate has expired")
-    if not tcb_cert.not_valid_before <= now <= tcb_cert.not_valid_after:
+    if not tcb_cert.not_valid_before_utc <= now <= tcb_cert.not_valid_after_utc:
         raise CertificateError("Intel TCB certificate has expired")
 
     try: