Update openssl version (Azure#2437)

heaths · web-flow · commit 28c3cc8c9c7f · 2025-04-11T15:45:32.000-07:00
* Update openssl version Fixes GHSA-4fcv-w3qc-ppgg * Add vcpkg.json * Integrate vcpkg to get OpenSSL on Windows * Use openssl in a test It's the only way to be sure. * Update CONTRIBUTING.md instructions
diff --git a/.gitignore b/.gitignore
@@ -12,6 +12,10 @@ Cargo.lock
 .assets/
 .proxy/
 tests/data/
+review/
+
+# Dependencies.
+vcpkg_installed/
 
 # Editor user customizations.
 .vscode/launch.json
@@ -27,5 +31,3 @@ tests/data/
 
 # Temporary folder to refresh SDK with TypeSpec.
 TempTypeSpecFiles/
-
-review/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -55,7 +55,8 @@ Since `openssl-sys` supports [vcpkg](https://learn.microsoft.com/vcpkg/), you ca
 2. Run the bootstrap script to download a prebuilt binary:
 
    ```pwsh
-   cd vcpkg; .\bootstrap-vcpkg.bat
+   cd vcpkg
+   .\bootstrap-vcpkg.bat
    ```
 
 3. Set up environment variables:
@@ -67,10 +68,13 @@ Since `openssl-sys` supports [vcpkg](https://learn.microsoft.com/vcpkg/), you ca
 
    To persist these variables for future sessions, remember to set them in the Windows System Environment Variables panel.
 
-4. In the root of this repo, run:
+4. Change directories into the `eng/` folder in this repo and run:
 
    ```pwsh
+   cd eng
    vcpkg install
+
+   $env:OPENSSL_DIR = "$PWD\vcpkg_installed\x64-windows"
    ```
 
 ### Linting
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -93,7 +93,7 @@ hmac = { version = "0.12" }
 litemap = "0.7.4"
 log = "0.4"
 oauth2 = { version = "5.0.0", default-features = false }
-openssl = { version = "0.10.70" }
+openssl = { version = "0.10.72" }
 pin-project = "1.0"
 proc-macro2 = "1.0.86"
 quick-xml = { version = "0.31", features = ["serialize", "serde-types"] }
diff --git a/eng/pipelines/templates/jobs/ci.tests.yml b/eng/pipelines/templates/jobs/ci.tests.yml
@@ -49,6 +49,8 @@ jobs:
     parameters:
       Toolchain: $(RustToolchainName)
 
+  - template: /eng/pipelines/templates/steps/vcpkg.yml
+  
   - template: /eng/common/pipelines/templates/steps/set-default-branch.yml@self
 
   - template: /eng/common/pipelines/templates/steps/save-package-properties.yml@self
diff --git a/eng/pipelines/templates/jobs/live.tests.yml b/eng/pipelines/templates/jobs/live.tests.yml
@@ -66,6 +66,8 @@ jobs:
     parameters:
       Toolchain: $(RustToolchainName)
 
+  - template: /eng/pipelines/templates/steps/vcpkg.yml
+
   - ${{ parameters.PreSteps }}
 
   - template: /eng/common/TestResources/build-test-resource-config.yml
diff --git a/eng/pipelines/templates/steps/vcpkg.yml b/eng/pipelines/templates/steps/vcpkg.yml
@@ -0,0 +1,42 @@
+steps:
+  - pwsh: |
+      Write-Host '##vso[task.setvariable variable=VCPKG_BINARY_SOURCES_SECRET;issecret=true;]clear;x-azblob,https://azuresdkartifacts.blob.core.windows.net/public-vcpkg-container,,read'
+      Write-Host '##vso[task.setvariable variable=X_VCPKG_ASSET_SOURCES_SECRET;issecret=true;]clear;x-azurl,https://azuresdkartifacts.blob.core.windows.net/public-vcpkg-container,,read'
+    displayName: Set vcpkg variables
+
+  - script: vcpkg --version
+    condition: >-
+      and(
+      succeeded(),
+      eq(variables['Agent.OS'], 'Windows_NT')
+      )
+    displayName: vcpkg --version
+
+  - ${{if and(eq(variables['System.TeamProject'], 'internal'), ne(variables['Build.Reason'], 'PullRequest')) }}:
+    - task: AzurePowerShell@5
+      displayName: Set vcpkg write-mode cache
+      inputs:
+        ScriptType: FilePath
+        ScriptPath: eng/scripts/Set-VcpkgWriteModeCache.ps1
+        azureSubscription: Azure SDK Artifacts
+        azurePowerShellVersion: LatestVersion
+        pwsh: true
+      # This step is idempotent and can be run multiple times in cases of
+      # failure and partial execution.
+      retryCountOnTaskFailure: 3
+
+  - pwsh: |
+      vcpkg install
+      Write-Host "##vso[task.setvariable variable=VCPKG_ROOT;]${env:VCPKG_INSTALLATION_ROOT}"
+      Write-Host "##vso[task.setvariable variable=VCPKG_INSTALLED_ROOT;]$PWD\vcpkg_installed"
+      Write-Host "##vso[task.setvariable variable=OPENSSL_DIR;]$PWD\vcpkg_installed\x64-windows"
+    condition: >-
+      and(
+      succeeded(),
+      eq(variables['Agent.OS'], 'Windows_NT')
+      )
+    displayName: vcpkg install
+    workingDirectory: eng/
+    env:
+      VCPKG_BINARY_SOURCES: $(VCPKG_BINARY_SOURCES_SECRET)
+      X_VCPKG_ASSET_SOURCES: $(X_VCPKG_ASSET_SOURCES_SECRET)
diff --git a/eng/scripts/Set-VcpkgWriteModeCache.ps1 b/eng/scripts/Set-VcpkgWriteModeCache.ps1
@@ -0,0 +1,46 @@
+#!/bin/env pwsh
+param(
+  [string] $StorageAccountName = 'azuresdkartifacts',
+  [string] $StorageContainerName = 'public-vcpkg-container'
+)
+
+. "$PSScriptRoot/../common/scripts/Helpers/PSModule-Helpers.ps1"
+
+Write-Host "`$env:PSModulePath = $($env:PSModulePath)"
+
+# Work around double backslash
+if ($IsWindows) {
+  $hostedAgentModulePath = $env:SystemDrive + "\\Modules"
+  $moduleSeperator = ";"
+}
+else {
+  $hostedAgentModulePath = "/usr/share"
+  $moduleSeperator = ":"
+}
+$modulePaths = $env:PSModulePath -split $moduleSeperator
+$modulePaths = $modulePaths.Where({ !$_.StartsWith($hostedAgentModulePath) })
+$AzModuleCachePath = (Get-ChildItem "$hostedAgentModulePath/az_*" -Attributes Directory) -join $moduleSeperator
+if ($AzModuleCachePath -and $env.PSModulePath -notcontains $AzModuleCachePath) {
+  $modulePaths += $AzModuleCachePath
+}
+
+$env:PSModulePath = $modulePaths -join $moduleSeperator
+
+Install-ModuleIfNotInstalled "Az.Storage" "4.3.0" | Import-Module
+
+$ctx = New-AzStorageContext `
+  -StorageAccountName $StorageAccountName `
+  -UseConnectedAccount
+
+$vcpkgBinarySourceSas = New-AzStorageContainerSASToken `
+  -Name $StorageContainerName `
+  -Permission "rwcl" `
+  -Context $ctx `
+  -ExpiryTime (Get-Date).AddHours(1)
+
+Write-Host "Ensure redaction of SAS tokens in logs"
+Write-Host "##vso[task.setvariable variable=VCPKG_BINARY_SAS_TOKEN;issecret=true;]$vcpkgBinarySourceSas"
+
+Write-Host "Setting vcpkg binary cache to read and write"
+Write-Host "##vso[task.setvariable variable=VCPKG_BINARY_SOURCES_SECRET;issecret=true;]clear;x-azblob,https://$StorageAccountName.blob.core.windows.net/$StorageContainerName,$vcpkgBinarySourceSas,readwrite"
+Write-Host "##vso[task.setvariable variable=X_VCPKG_ASSET_SOURCES_SECRET;issecret=true;]clear;x-azurl,https://$StorageAccountName.blob.core.windows.net/$StorageContainerName,$vcpkgBinarySourceSas,readwrite"
diff --git a/eng/vcpkg.json b/eng/vcpkg.json
@@ -0,0 +1,6 @@
+{
+  "name": "azure-sdk-for-rust",
+  "dependencies": [
+    "openssl"
+  ]
+}
diff --git a/sdk/keyvault/azure_security_keyvault_certificates/Cargo.toml b/sdk/keyvault/azure_security_keyvault_certificates/Cargo.toml
@@ -29,6 +29,7 @@ azure_core_test = { workspace = true, features = [
 azure_identity.workspace = true
 azure_security_keyvault_keys = { path = "../azure_security_keyvault_keys" }
 azure_security_keyvault_test = { path = "../azure_security_keyvault_test" }
+openssl.workspace = true
 rand.workspace = true
 tokio.workspace = true
 
diff --git a/sdk/keyvault/azure_security_keyvault_certificates/tests/certificate_client.rs b/sdk/keyvault/azure_security_keyvault_certificates/tests/certificate_client.rs
@@ -3,7 +3,7 @@
 
 #![cfg_attr(target_arch = "wasm32", allow(unused_imports))]
 
-use azure_core::{base64, http::StatusCode, sleep::sleep, Result};
+use azure_core::{http::StatusCode, sleep::sleep, Result};
 use azure_core_test::{recorded, Recording, TestContext, TestMode, SANITIZE_BODY_NAME};
 use azure_security_keyvault_certificates::{
     models::{
@@ -19,6 +19,7 @@ use azure_security_keyvault_keys::{
 };
 use azure_security_keyvault_test::Retry;
 use futures::TryStreamExt;
+use openssl::sha::sha256;
 use std::{collections::HashMap, sync::LazyLock, time::Duration};
 
 static DEFAULT_POLICY: LazyLock<CertificatePolicy> = LazyLock::new(|| CertificatePolicy {
@@ -298,13 +299,13 @@ async fn sign_jwt_with_ec_certificate(ctx: TestContext) -> Result<()> {
     let key_client = KeyClient::new(&vault_url, recording.credential(), Some(key_options))?;
 
     // cspell:disable
-    const _JWT: &str =
-        "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJoZWF0aHMiLCJuYW1lIjoiSGVhdGggU3Rld2FydCIsImlhdCI6MTc0MzgzMzY5MX0";
-    const DIGEST: &str = "GDOTWbe5x6KXgoykVcqygzMOAsjXcYUoZdzAkJR5a7Y";
+    const JWT: &[u8] =
+        b"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJoZWF0aHMiLCJuYW1lIjoiSGVhdGggU3Rld2FydCIsImlhdCI6MTc0MzgzMzY5MX0";
+    let digest = sha256(JWT).to_vec();
 
     let body = SignParameters {
         algorithm: Some(SignatureAlgorithm::ES256),
-        value: Some(base64::decode_url_safe(DIGEST)?),
+        value: Some(digest),
     };
     let signature = key_client
         .sign(&name, "", body.try_into()?, None)
diff --git a/sdk/typespec/typespec_macros/tests/data/compilation-tests/Cargo.lock b/sdk/typespec/typespec_macros/tests/data/compilation-tests/Cargo.lock
diff --git a/sdk/typespec/typespec_macros/tests/data/compilation-tests/Cargo.toml b/sdk/typespec/typespec_macros/tests/data/compilation-tests/Cargo.toml
@@ -10,6 +10,7 @@ publish = false
 
 [dependencies]
 litemap = "0.7.4"
+openssl = "0.10.72"
 serde = { version = "1.0", features = ["derive"] }
 typespec_client_core = { path = "../../../../typespec_client_core", features = [
   "derive",
