[Feature]: Support for wasi-crypto #2039

Closed
1 of 2 tasks
rjzak opened this issue Jul 7, 2022 · 2 comments
Labels: dependencies, enhancement

Comments

@rjzak
Member

rjzak commented Jul 7, 2022

Is there an existing issue for this?

Description

Support the wasi-crypto extension for Wasi in exec-wasmtime, allowing for Steward to run in the Keep enarx/steward#26.

Acceptance Criteria

No response

Suggestions for a technical implementation

A blocking problem is that the current wasi-crypto implementation uses old versions of the zeroize, rsa, and sha2 crates. The zeroize version isn't compatible with the Drawbridge crates used. However, upgrading zeroize breaks rsa, and upgrading rsa breaks the wasi-crypto code which uses code from sha2.

```
--> crates/wasi-crypto/spec/implementations/hostcalls/rust/src/signatures/rsa.rs:221:13
    |
221 |             ::rsa::PaddingScheme::new_pss::<Sha512, _>(SecureRandom::new())
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `digest::FixedOutputReset` is not implemented for `Sha512`
```

Upgrading both sha2 and rsa causes several variations of:

```
error[E0277]: the trait bound `CoreWrapper<CtVariableCoreWrapper<Sha512VarCore, sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>>>: FixedOutputDirty` is not satisfied
  --> crates/wasi-crypto/spec/implementations/hostcalls/rust/src/symmetric/hmac_sha2.rs:14:12
   |
14 |     Sha512(Hmac<Sha512>),
   |            ^^^^^^^^^^^^ the trait `FixedOutputDirty` is not implemented for `CoreWrapper<CtVariableCoreWrapper<Sha512VarCore, sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>>>`
   |
   = help: the following other types implement trait `FixedOutputDirty`:
             Sha512
             sha2::sha256::Sha224
             sha2::sha256::Sha256
             sha2::sha512::Sha384
             sha2::sha512::Sha512Trunc224
             sha2::sha512::Sha512Trunc256
   = note: required because of the requirements on the impl of `curve25519_dalek::digest::FixedOutput` for `CoreWrapper<CtVariableCoreWrapper<Sha512VarCore, sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<sha2::digest::typenum::UInt<UTerm, B1>, B0>, B0>, B0>, B0>, B0>, B0>>>`
note: required by a bound in `Hmac`
  --> /home/rjzak/.cargo/registry/src/github.com-1ecc6299db9ec823/hmac-0.11.0/src/lib.rs:82:30
   |
82 |     D: Update + BlockInput + FixedOutput + Reset + Default + Clone,
   |                              ^^^^^^^^^^^ required by this bound in `Hmac`
```

Updating rsa or sha2 will need significant rework of the wasi-crypto code.

rjzak added the enhancement and triage labels Jul 7, 2022
@bstrie
Contributor

bstrie commented Jul 8, 2022

Don't bother updating wasi-crypto, the real solution to this is just to convince rsa to issue a point release which removes the unnecessary upper bound on its zeroize dependency. Tony's on vacation presently, so it might not happen immediately, but once he gets back I'm confident we can convince him that it's worth making a point release for this. In the meantime don't worry about trying to upgrade anything or downgrade anything.

platten added the dependencies label and removed the triage label Jul 8, 2022
rjzak self-assigned this Aug 18, 2022
@dpal

dpal commented Nov 29, 2022

We are going to get back to it some day.

dpal closed this as completed Nov 29, 2022
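
The conflict discussed in this thread, modelled as an added example (not code from Enarx, wasi-crypto, or the rsa crate): one dependent caps its requirement on a shared 1.x crate, another needs a release above the cap, and lifting the cap lets a single release satisfy both. The version numbers and requirement bounds are constructed, since the thread does not state them; `Req` and `resolve` are hypothetical names.

```rust
// Added illustration: all versions and requirements below are constructed,
// not taken from the rsa, zeroize or Drawbridge manifests.

type Version = (u64, u64, u64);

/// One dependent's requirement: inclusive lower bound, optional exclusive upper bound.
#[derive(Clone, Copy)]
struct Req {
    min: Version,
    below: Option<Version>,
}

impl Req {
    /// Cargo's default (caret) requirement for a 1.x crate: >= min, < next major.
    fn caret(min: Version) -> Req {
        Req { min, below: Some((min.0 + 1, 0, 0)) }
    }

    fn matches(&self, v: Version) -> bool {
        v >= self.min && self.below.map_or(true, |b| v < b)
    }
}

/// Cargo keeps a single copy of a crate per semver-compatible range, so every
/// requirement on the same major version must be met by one release.
/// Returns the newest published release that satisfies all requirements, if any.
fn resolve(published: &[Version], reqs: &[Req]) -> Option<Version> {
    published
        .iter()
        .copied()
        .filter(|v| reqs.iter().all(|r| r.matches(*v)))
        .max()
}

fn main() {
    let published = [(1, 3, 0), (1, 4, 3), (1, 5, 0), (1, 5, 6)]; // constructed
    let newer_dependent = Req::caret((1, 5, 0)); // needs a recent release
    let capped = Req { min: (1, 0, 0), below: Some((1, 5, 0)) }; // unnecessary upper bound
    let uncapped = Req::caret((1, 0, 0)); // the same dependent with the bound removed

    println!("with cap:    {:?}", resolve(&published, &[newer_dependent, capped]));
    println!("without cap: {:?}", resolve(&published, &[newer_dependent, uncapped]));
}
```
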