From ef838123e9996699db0159f577eb020c7d571f74 Mon Sep 17 00:00:00 2001 From: Nikita Frolov Date: Mon, 12 Jan 2026 17:53:21 +0100 Subject: [PATCH 1/7] chore: use rcgen and rustls-webpki k256-enabled forks from Zama org --- Cargo.lock | 679 +++++++++--------- Cargo.toml | 11 +- core-client/Cargo.toml | 3 + core-client/src/mpc_context.rs | 23 +- .../src/cryptography/attestation/mod.rs | 11 +- core/service/src/util/key_setup/mod.rs | 17 +- core/threshold/src/tls_certs.rs | 146 ++-- 7 files changed, 412 insertions(+), 478 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6a30290d54..69aa257f7d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -139,7 +139,7 @@ dependencies = [ "secp256k1", "serde", "serde_json", - "serde_with 3.15.1", + "serde_with 3.16.1", "thiserror 2.0.12", ] @@ -242,7 +242,7 @@ dependencies = [ "derive_more", "either", "serde", - "serde_with 3.15.1", + "serde_with 3.16.1", "sha2", "thiserror 2.0.12", ] @@ -325,8 +325,8 @@ dependencies = [ "const-hex", "derive_more", "foldhash 0.2.0", - "hashbrown 0.16.0", - "indexmap 2.12.0", + "hashbrown 0.16.1", + "indexmap 2.13.0", "itoa", "k256", "keccak-asm", @@ -359,7 +359,7 @@ checksum = "64b728d511962dda67c1bc7ea7c03736ec275ed2cf4c35d9585298ac9ccf3b73" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -390,7 +390,7 @@ dependencies = [ "itertools 0.14.0", "serde", "serde_json", - "serde_with 3.15.1", + "serde_with 3.16.1", "thiserror 2.0.12", ] @@ -447,7 +447,7 @@ dependencies = [ "proc-macro-error2", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -459,11 +459,11 @@ dependencies = [ "alloy-sol-macro-input", "const-hex", "heck", - "indexmap 2.12.0", + "indexmap 2.13.0", "proc-macro-error2", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "syn-solidity", "tiny-keccak", ] @@ -480,7 +480,7 @@ dependencies = [ "macro-string", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "syn-solidity", ] 
@@ -531,7 +531,7 @@ dependencies = [ "darling 0.21.3", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -581,22 +581,22 @@ dependencies = [ [[package]] name = "anstyle-query" -version = "1.1.4" +version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e231f6134f61b71076a3eab506c379d4f36122f2af15a9ff04415ea4c3339e2" +checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" dependencies = [ - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] name = "anstyle-wincon" -version = "3.0.10" +version = "3.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3e0633414522a32ffaac8ac6cc8f748e090c5717661fddeea04219e2344f5f2a" +checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" dependencies = [ "anstyle", "once_cell_polyfill", - "windows-sys 0.60.2", + "windows-sys 0.61.2", ] [[package]] @@ -616,9 +616,12 @@ dependencies = [ [[package]] name = "arc-swap" -version = "1.7.1" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457" +checksum = "51d03449bb8ca2cc2ef70869af31463d1ae5ccc8fa3e334b307203fbf815207e" +dependencies = [ + "rustversion", +] [[package]] name = "ark-bls12-381" @@ -740,7 +743,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "62945a2f7e6de02a31fe400aa489f0e0f5b2502e69f95f853adb82a96c7a6b60" dependencies = [ "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -778,7 +781,7 @@ dependencies = [ "num-traits", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -840,7 +843,7 @@ checksum = "213888f660fddcca0d257e88e54ac05bca01885f258ccdf695bafd77031bb69d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] 
@@ -919,7 +922,7 @@ checksum = "3109e49b1e4909e9db6515a30c633684d68cdeaa252f215214cb4fa1a5bfee2c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "synstructure", ] @@ -931,7 +934,7 @@ checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -1026,16 +1029,16 @@ dependencies = [ "futures-lite", "parking", "polling", - "rustix 1.1.2", + "rustix 1.1.3", "slab", "windows-sys 0.61.2", ] [[package]] name = "async-lock" -version = "3.4.1" +version = "3.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc" +checksum = "290f7f2596bd5b78a9fec8088ccd89180d7f9f55b94b0576823bbbdc72ee8311" dependencies = [ "event-listener 5.4.1", "event-listener-strategy", @@ -1088,7 +1091,7 @@ checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -1105,7 +1108,7 @@ checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -1150,7 +1153,7 @@ dependencies = [ "time", "wasm-bindgen", "webpki", - "x509-parser 0.18.0", + "x509-parser", ] [[package]] @@ -1161,7 +1164,7 @@ checksum = "ffdcb70bdbc4d478427380519163274ac86e52916e10f0a8889adf0f96d3fee7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -1214,9 +1217,9 @@ dependencies = [ [[package]] name = "aws-lc-rs" -version = "1.14.1" +version = "1.15.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "879b6c89592deb404ba4dc0ae6b58ffd1795c78991cbb5b8bc441c48a070440d" +checksum = "e84ce723ab67259cfeb9877c6a639ee9eb7a27b28123abd71db7f0d5d0cc9d86" dependencies = [ "aws-lc-sys", "untrusted 0.7.1", 
@@ -1225,11 +1228,10 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.32.3" +version = "0.36.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "107a4e9d9cab9963e04e84bb8dee0e25f2a987f9a8bad5ed054abd439caa8f8c" +checksum = "43a442ece363113bd4bd4c8b18977a7798dd4d3c3383f34fb61936960e8f4ad8" dependencies = [ - "bindgen", "cc", "cmake", "dunce", @@ -1246,7 +1248,7 @@ dependencies = [ "serde_bytes", "serde_cbor", "serde_repr", - "serde_with 3.15.1", + "serde_with 3.16.1", ] [[package]] @@ -1518,18 +1520,18 @@ dependencies = [ "aws-smithy-runtime-api", "aws-smithy-types", "h2 0.3.27", - "h2 0.4.12", + "h2 0.4.13", "http 0.2.12", "http 1.3.1", "http-body 0.4.6", "hyper 0.14.32", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-rustls 0.24.2", "hyper-rustls 0.27.7", "hyper-util", "pin-project-lite", "rustls 0.21.12", - "rustls 0.23.31", + "rustls 0.23.36", "rustls-native-certs 0.8.3", "rustls-pki-types", "tokio", @@ -1669,7 +1671,7 @@ dependencies = [ "http 1.3.1", "http-body 1.0.1", "http-body-util", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-util", "itoa", "matchit", @@ -1691,9 +1693,9 @@ dependencies = [ [[package]] name = "axum-core" -version = "0.5.5" +version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59446ce19cd142f8833f856eb31f3eb097812d1479ab224f54d72428ca21ea22" +checksum = "08c78f31d7b1291f7ee735c1c6780ccde7785daae9a9206026862dab7d8792d1" dependencies = [ "bytes", "futures-core", @@ -1790,9 +1792,9 @@ dependencies = [ [[package]] name = "base64ct" -version = "1.8.0" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55248b47b0caf0546f7988906588779981c43bb1bc9d0c44087278f80cdb44ba" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" [[package]] name = "bc2wrap" 
@@ -1831,26 +1833,6 @@ dependencies = [ "virtue", ] -[[package]] -name = "bindgen" -version = "0.72.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895" -dependencies = [ - "bitflags 2.9.4", - "cexpr", - "clang-sys", - "itertools 0.13.0", - "log", - "prettyplease", - "proc-macro2", - "quote", - "regex", - "rustc-hash", - "shlex", - "syn 2.0.109", -] - [[package]] name = "bip39" version = "2.2.2" @@ -1879,15 +1861,15 @@ checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7" [[package]] name = "bitcoin-io" -version = "0.1.3" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b47c4ab7a93edb0c7198c5535ed9b52b63095f4e9b45279c6736cec4b856baf" +checksum = "2dee39a0ee5b4095224a0cfc6bf4cc1baf0f9624b96b367e53b66d974e51d953" [[package]] name = "bitcoin_hashes" -version = "0.14.0" +version = "0.14.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bb18c03d0db0247e147a21a6faafd5a7eb851c743db062de72018b6b7e8e4d16" +checksum = "26ec84b80c482df901772e931a9a681e26a1b9ee2302edeff23cb30328745c8b" dependencies = [ "bitcoin-io", "hex-conservative", @@ -1932,15 +1914,16 @@ dependencies = [ [[package]] name = "blake3" -version = "1.8.2" +version = "1.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3888aaa89e4b2a40fca9848e400f6a658a5a3978de7be858e209cafa8be9a4a0" +checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d" dependencies = [ "arrayref", "arrayvec", "cc", "cfg-if", "constant_time_eq", + "cpufeatures", ] [[package]] 
@@ -1988,9 +1971,9 @@ dependencies = [ [[package]] name = "borsh" -version = "1.5.7" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad8646f98db542e39fc66e68a20b2144f6a732636df7c2354e74645faaa433ce" +checksum = "d1da5ab77c1437701eeff7c88d968729e7766172279eab0676857b3d63af7a6f" dependencies = [ "borsh-derive", "cfg_aliases", @@ -1998,15 +1981,15 @@ dependencies = [ [[package]] name = "borsh-derive" -version = "1.5.7" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdd1d3c0c2f5833f22386f252fe8ed005c7f59fdcddeef025c01b4c3b9fd9ac3" +checksum = "0686c856aa6aac0c4498f936d7d6a02df690f614c03e4d906d1018062b5c5e2c" dependencies = [ "once_cell", "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2022,9 +2005,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.19.0" +version = "3.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43" +checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" [[package]] name = "byte-slice-cast" @@ -2095,9 +2078,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.44" +version = "1.2.52" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37521ac7aabe3d13122dc382493e20c9416f299d2ccd5b3a5340a2570cdeb0f3" +checksum = "cd4932aefd12402b36c60956a4fe0035421f544799057659ff86f923657aada3" dependencies = [ "find-msvc-tools", "jobserver", @@ -2109,15 +2092,6 @@ dependencies = [ name = "cc-tests-utils" version = "0.13.10-rc.0" -[[package]] -name = "cexpr" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766" -dependencies = [ - "nom 7.1.3", -] - [[package]] name = "cfg-if" version = "1.0.4" 
@@ -2181,17 +2155,6 @@ dependencies = [ "inout", ] -[[package]] -name = "clang-sys" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" -dependencies = [ - "glob", - "libc", - "libloading", -] - [[package]] name = "clap" version = "4.5.47" @@ -2223,7 +2186,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2234,9 +2197,9 @@ checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d" [[package]] name = "cmake" -version = "0.1.54" +version = "0.1.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7caa3f9de89ddbe2c607f4101924c5abec803763ae9534e4f4d7d8f84aa81f0" +checksum = "75443c44cd6b379beb8c5b45d85d0773baf31cce901fe7bb252f4eff3008ef7d" dependencies = [ "cc", ] @@ -2365,9 +2328,9 @@ dependencies = [ [[package]] name = "constant_time_eq" -version = "0.3.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" +checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b" [[package]] name = "convert_case" @@ -2584,9 +2547,9 @@ dependencies = [ [[package]] name = "crypto-common" -version = "0.1.6" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a" dependencies = [ "generic-array", "rand_core 0.6.4", @@ -2649,7 +2612,7 @@ dependencies = [ "proc-macro2", "quote", "strsim", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2664,7 +2627,7 @@ dependencies = [ "quote", "serde", "strsim", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] 
@@ -2675,7 +2638,7 @@ checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead" dependencies = [ "darling_core 0.20.11", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2686,7 +2649,7 @@ checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81" dependencies = [ "darling_core 0.21.3", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2705,9 +2668,9 @@ dependencies = [ [[package]] name = "data-encoding" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476" +checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea" [[package]] name = "debugid" @@ -2762,7 +2725,7 @@ checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2803,7 +2766,7 @@ checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "unicode-xid", ] @@ -2842,7 +2805,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -2945,7 +2908,7 @@ dependencies = [ "enum-ordinalize", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -3025,7 +2988,7 @@ checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -3037,7 +3000,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -3057,7 +3020,7 @@ checksum = "44f23cf4b44bfce11a86ace86f8a73ffdec849c9fd00a386a53d278bd9e81fb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] 
@@ -3068,9 +3031,9 @@ checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" [[package]] name = "erased-serde" -version = "0.4.8" +version = "0.4.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "259d404d09818dec19332e31d94558aeb442fea04c817006456c24b5460bbd4b" +checksum = "89e8918065695684b2b0702da20382d5ae6065cf3327bc2d6436bd49a71ce9f3" dependencies = [ "serde", "serde_core", @@ -3164,9 +3127,9 @@ dependencies = [ [[package]] name = "find-msvc-tools" -version = "0.1.4" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52051878f80a721bb68ebfbc930e07b65ba72f2da88968ea5c06fd6ca3d3a127" +checksum = "f449e6c6c08c865631d4890cfacf252b3d396c9bcc83adb6623cdb02a8336c41" [[package]] name = "findshlibs" @@ -3327,7 +3290,7 @@ checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -3381,7 +3344,7 @@ dependencies = [ "g2poly", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -3420,23 +3383,24 @@ dependencies = [ [[package]] name = "generator" -version = "0.8.7" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "605183a538e3e2a9c1038635cc5c2d194e2ee8fd0d1b66b8349fad7dbacce5a2" +checksum = "52f04ae4152da20c76fe800fa48659201d5cf627c5149ca0b707b69d7eef6cf9" dependencies = [ "cc", "cfg-if", "libc", "log", "rustversion", - "windows", + "windows-link 0.2.1", + "windows-result 0.4.1", ] [[package]] name = "generic-array" -version = "0.14.9" +version = "0.14.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4bb6743198531e02858aeaea5398fcc883e71851fcbcb5a2f773e2fb6cb1edf2" +checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" dependencies = [ "typenum", "version_check", 
@@ -3538,7 +3502,7 @@ dependencies = [ "futures-sink", "futures-util", "http 0.2.12", - "indexmap 2.12.0", + "indexmap 2.13.0", "slab", "tokio", "tokio-util", @@ -3547,9 +3511,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3c0b69cfcb4e1b9f1bf2f53f95f766e4661169728ec61cd3fe5a0166f2d1386" +checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54" dependencies = [ "atomic-waker", "bytes", @@ -3557,7 +3521,7 @@ dependencies = [ "futures-core", "futures-sink", "http 1.3.1", - "indexmap 2.12.0", + "indexmap 2.13.0", "slab", "tokio", "tokio-util", @@ -3608,14 +3572,15 @@ dependencies = [ [[package]] name = "hashbrown" -version = "0.16.0" +version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d" +checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" dependencies = [ "allocator-api2", "equivalent", "foldhash 0.2.0", "serde", + "serde_core", ] [[package]] @@ -3650,9 +3615,9 @@ dependencies = [ [[package]] name = "hex-conservative" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5313b072ce3c597065a808dbf612c4c8e8590bdbf8b579508bf7a762c5eae6cd" +checksum = "fda06d18ac606267c40c04e41b9947729bf8b9efe74bd4e82b61a5f26a510b9f" dependencies = [ "arrayvec", ] @@ -3778,15 +3743,15 @@ dependencies = [ [[package]] name = "hyper" -version = "1.7.0" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb3aa54a13a0dfe7fbe3a59e0c76093041720fdc77b110cc0fc260fafb4dc51e" +checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11" dependencies = [ "atomic-waker", "bytes", "futures-channel", "futures-core", - "h2 0.4.12", + "h2 0.4.13", "http 1.3.1", "http-body 1.0.1", "httparse", 
@@ -3822,9 +3787,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58" dependencies = [ "http 1.3.1", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-util", - "rustls 0.23.31", + "rustls 0.23.36", "rustls-native-certs 0.8.3", "rustls-pki-types", "tokio", @@ -3839,7 +3804,7 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0" dependencies = [ - "hyper 1.7.0", + "hyper 1.8.1", "hyper-util", "pin-project-lite", "tokio", @@ -3848,9 +3813,9 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.17" +version = "0.1.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c6995591a8f1380fcb4ba966a252a4b29188d51d2b89e3a252f5305be65aea8" +checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f" dependencies = [ "base64 0.22.1", "bytes", @@ -3859,7 +3824,7 @@ dependencies = [ "futures-util", "http 1.3.1", "http-body 1.0.1", - "hyper 1.7.0", + "hyper 1.8.1", "ipnet", "libc", "percent-encoding", @@ -3880,7 +3845,7 @@ dependencies = [ "ipnet", "serde", "serde_json", - "serde_with 3.15.1", + "serde_with 3.16.1", ] [[package]] @@ -3895,7 +3860,7 @@ dependencies = [ "js-sys", "log", "wasm-bindgen", - "windows-core", + "windows-core 0.62.2", ] [[package]] @@ -3955,9 +3920,9 @@ checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a" [[package]] name = "icu_properties" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e93fcd3157766c0c8da2f8cff6ce651a31f0810eaa1c51ec363ef790bbb5fb99" +checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec" dependencies = [ "icu_collections", "icu_locale_core", 
@@ -3969,9 +3934,9 @@ dependencies = [ [[package]] name = "icu_properties_data" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02845b3647bb045f1100ecd6480ff52f34c35f82d9880e029d329c21d1054899" +checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af" [[package]] name = "icu_provider" @@ -4032,7 +3997,7 @@ checksum = "a0eb5a3343abf848c0984fe4604b2b105da9539376e24fc0a3b0007411ae4fd9" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -4048,12 +4013,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.12.0" +version = "2.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f" +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" dependencies = [ "equivalent", - "hashbrown 0.16.0", + "hashbrown 0.16.1", "serde", "serde_core", ] @@ -4065,7 +4030,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "232929e1d75fe899576a3d5c7416ad0d88dbfbb3c3d6aa00873a7408a50ddb88" dependencies = [ "ahash", - "indexmap 2.12.0", + "indexmap 2.13.0", "is-terminal", "itoa", "log", @@ -4114,9 +4079,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" [[package]] name = "iri-string" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397" +checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a" dependencies = [ "memchr", "serde", 
@@ -4168,9 +4133,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.15" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" +checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "jobserver" @@ -4304,7 +4269,7 @@ dependencies = [ "rcgen", "rsa", "rstest", - "rustls-webpki 0.103.4", + "rustls-webpki 0.103.7", "serde", "serde-wasm-bindgen", "serde_json", @@ -4334,7 +4299,7 @@ dependencies = [ "url", "validator", "wasm-bindgen", - "x509-parser 0.18.0", + "x509-parser", "zeroize", ] @@ -4355,11 +4320,13 @@ dependencies = [ "clap", "futures", "hex", + "k256", "kms", "kms-core-client", "kms-grpc", "observability", "rand 0.8.5", + "rcgen", "reqwest", "serde", "serial_test", @@ -4370,6 +4337,7 @@ dependencies = [ "tfhe", "threshold-fhe", "tokio", + "tokio-rustls 0.26.2", "tonic 0.13.1", "tonic-build", "tracing", @@ -4465,19 +4433,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.177" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976" - -[[package]] -name = "libloading" -version = "0.8.9" +version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55" -dependencies = [ - "cfg-if", - "windows-link 0.2.1", -] +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" [[package]] name = "libm" @@ -4514,9 +4472,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.28" +version = "0.4.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432" +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" dependencies = [ "value-bag", ] 
@@ -4540,7 +4498,7 @@ version = "0.16.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a1dc47f592c06f33f8e3aea9591776ec7c9f9e4124778ff8a3c3b87159f7e593" dependencies = [ - "hashbrown 0.16.0", + "hashbrown 0.16.1", ] [[package]] @@ -4557,7 +4515,7 @@ checksum = "1b27834086c65ec3f9387b096d66e99f221cf081c2b738042aa252bcd41204e3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -4659,9 +4617,9 @@ dependencies = [ [[package]] name = "mio" -version = "1.1.0" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69d83b0086dc8ecf3ce9ae2874b2d1290252e2a30720bea58a5c6639b0092873" +checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc" dependencies = [ "libc", "wasi", @@ -4704,7 +4662,7 @@ dependencies = [ "cfg-if", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -4814,9 +4772,9 @@ dependencies = [ [[package]] name = "ntapi" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8a3895c6391c39d7fe7ebc444a87eb2991b2a0bc718fdabd071eec617fc68e4" +checksum = "c70f219e21142367c70c0b30c6a9e3a14d55b4d12a204d897fbec83a0363f081" dependencies = [ "winapi", ] @@ -4937,9 +4895,9 @@ dependencies = [ [[package]] name = "nybbles" -version = "0.4.6" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c4b5ecbd0beec843101bffe848217f770e8b8da81d8355b7d6e226f2199b3dc" +checksum = "7b5676b5c379cf5b03da1df2b3061c4a4e2aa691086a56ac923e08c143f53f59" dependencies = [ "alloy-rlp", "cfg-if", 
@@ -5048,9 +5006,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.74" +version = "0.10.75" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654" +checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328" dependencies = [ "bitflags 2.9.4", "cfg-if", @@ -5069,7 +5027,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -5086,9 +5044,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" [[package]] name = "openssl-sys" -version = "0.9.110" +version = "0.9.111" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2" +checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321" dependencies = [ "cc", "libc", @@ -5283,7 +5241,7 @@ dependencies = [ "proc-macro-crate", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -5378,9 +5336,9 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" [[package]] name = "pest" -version = "2.8.3" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "989e7521a040efde50c3ab6bbadafbe15ab6dc042686926be59ac35d74607df4" +checksum = "2c9eb05c21a464ea704b53158d358a31e6425db2f63a1a7312268b05fe2b75f7" dependencies = [ "memchr", "ucd-trie", @@ -5388,9 +5346,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.8.3" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "187da9a3030dbafabbbfb20cb323b976dc7b7ce91fcd84f2f74d6e31d378e2de" +checksum = "68f9dbced329c441fa79d80472764b1a2c7e57123553b8519b36663a2fb234ed" dependencies = [ "pest", "pest_generator", 
@@ -5398,22 +5356,22 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.8.3" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49b401d98f5757ebe97a26085998d6c0eecec4995cad6ab7fc30ffdf4b052843" +checksum = "3bb96d5051a78f44f43c8f712d8e810adb0ebf923fc9ed2655a7f66f63ba8ee5" dependencies = [ "pest", "pest_meta", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] name = "pest_meta" -version = "2.8.3" +version = "2.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72f27a2cfee9f9039c4d86faa5af122a0ac3851441a34865b8a043b46be0065a" +checksum = "602113b5b5e8621770cfd490cfd90b9f84ab29bd2b0e49ad83eb6d186cef2365" dependencies = [ "pest", "sha2", @@ -5426,7 +5384,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3672b37090dbd86368a4145bc067582552b29c27377cad4e0a306c97f9bd7772" dependencies = [ "fixedbitset", - "indexmap 2.12.0", + "indexmap 2.13.0", ] [[package]] @@ -5446,7 +5404,7 @@ checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -5547,7 +5505,7 @@ dependencies = [ "concurrent-queue", "hermit-abi", "pin-project-lite", - "rustix 1.1.2", + "rustix 1.1.3", "windows-sys 0.61.2", ] @@ -5565,9 +5523,9 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.11.1" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f84267b20a16ea918e43c6a88433c2d54fa145c92a811b5b047ccbe153674483" +checksum = "f89776e4d69bb58bc6993e99ffa1d11f228b839984854c7daeb5d37f87cbe950" [[package]] name = "portable-atomic-util" @@ -5659,7 +5617,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" dependencies = [ "proc-macro2", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] 
@@ -5710,7 +5668,7 @@ dependencies = [ "proc-macro-error-attr2", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -5807,7 +5765,7 @@ dependencies = [ "prost", "prost-types", "regex", - "syn 2.0.109", + "syn 2.0.114", "tempfile", ] @@ -5821,7 +5779,7 @@ dependencies = [ "itertools 0.14.0", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -5903,7 +5861,7 @@ dependencies = [ "quinn-proto", "quinn-udp", "rustc-hash", - "rustls 0.23.31", + "rustls 0.23.36", "socket2 0.6.1", "thiserror 2.0.12", "tokio", @@ -5923,7 +5881,7 @@ dependencies = [ "rand 0.9.2", "ring", "rustc-hash", - "rustls 0.23.31", + "rustls 0.23.36", "rustls-pki-types", "slab", "thiserror 2.0.12", @@ -5986,7 +5944,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" dependencies = [ "rand_chacha 0.9.0", - "rand_core 0.9.3", + "rand_core 0.9.4", "serde", ] @@ -6007,7 +5965,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" dependencies = [ "ppv-lite86", - "rand_core 0.9.3", + "rand_core 0.9.4", ] [[package]] @@ -6021,9 +5979,9 @@ dependencies = [ [[package]] name = "rand_core" -version = "0.9.3" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" +checksum = "4f1b3bc831f92381018fd9c6350b917c7b21f1eed35a65a51900e0e55a3d7afa" dependencies = [ "getrandom 0.3.4", "serde", @@ -6093,7 +6051,7 @@ dependencies = [ "proc-macro2", "quote", "rayon", - "syn 2.0.109", + "syn 2.0.114", "uuid", ] 
@@ -6143,14 +6101,14 @@ dependencies = [ [[package]] name = "rcgen" -version = "0.14.0" -source = "git+https://github.com/mkmks/rcgen.git?branch=k256#d3239ab9a4e632c75bea0b09da1389d44b411e13" +version = "0.14.7" +source = "git+https://github.com/zama-ai/rcgen.git?branch=k256#f8582f243899a7eff1a6524b42da60faaec73f15" dependencies = [ "aws-lc-rs", "pem", "rustls-pki-types", "time", - "x509-parser 0.17.0", + "x509-parser", "yasna", ] @@ -6203,7 +6161,7 @@ checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -6261,7 +6219,7 @@ dependencies = [ "http 1.3.1", "http-body 1.0.1", "http-body-util", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-rustls 0.27.7", "hyper-util", "js-sys", @@ -6269,7 +6227,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.31", + "rustls 0.23.36", "rustls-pki-types", "serde", "serde_json", @@ -6416,7 +6374,7 @@ dependencies = [ "regex", "relative-path", "rustc_version 0.4.1", - "syn 2.0.109", + "syn 2.0.114", "unicode-ident", ] @@ -6519,14 +6477,14 @@ dependencies = [ "errno", "libc", "linux-raw-sys 0.4.15", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "rustix" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd15f8a2c5551a84d56efdc1cd049089e409ac19a3072d5037a17fd70719ff3e" +checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34" dependencies = [ "bitflags 2.9.4", "errno", 
@@ -6549,15 +6507,16 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.31" -source = "git+https://github.com/mkmks/rustls.git?branch=k256#2e446f859fc4488d12f3bdd3c23578320649d02d" +version = "0.23.36" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" dependencies = [ "aws-lc-rs", "log", "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.103.4", + "rustls-webpki 0.103.7", "subtle", "zeroize", ] @@ -6597,8 +6556,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.12.0" -source = "git+https://github.com/mkmks/pki-types.git?branch=k256#8dd57cb582858019097f5c6c453e98c04e2031d1" +version = "1.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd" dependencies = [ "web-time", "zeroize", @@ -6616,8 +6576,8 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.4" -source = "git+https://github.com/mkmks/webpki.git?branch=k256#9ae056039fc1929cc7a3fc3036b71e50d82f2fe6" +version = "0.103.7" +source = "git+https://github.com/zama-ai/webpki.git?branch=0.103.7-k256#87e2ef4b55f8769a55c57985906e4e59887a76c2" dependencies = [ "aws-lc-rs", "ring", @@ -6645,9 +6605,9 @@ dependencies = [ [[package]] name = "ryu" -version = "1.0.20" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" +checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" [[package]] name = "safe_arch" 
@@ -6699,9 +6659,9 @@ dependencies = [ [[package]] name = "schemars" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289" +checksum = "54e910108742c57a770f492731f99be216a52fadd361b06c8fb59d74ccc267d2" dependencies = [ "dyn-clone", "ref-cast", @@ -6745,7 +6705,7 @@ checksum = "22f968c5ea23d555e670b449c1c5e7b2fc399fdaec1d304a17cd48e288abc107" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -6836,9 +6796,9 @@ dependencies = [ [[package]] name = "self_cell" -version = "1.2.1" +version = "1.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "16c2f82143577edb4921b71ede051dac62ca3c16084e918bf7b40c96ae10eb33" +checksum = "b12e76d157a900eb52e81bc6e9f3069344290341720e9178cde2407113ac8d89" [[package]] name = "semver" @@ -6934,7 +6894,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -6969,14 +6929,14 @@ checksum = "175ee3e80ae9982737ca543e96133087cbd9a485eecc3bc4de9c1a37b47ea59c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] name = "serde_spanned" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e24345aa0fe688594e73770a5f6d1b216508b4f93484c0026d521acd30134392" +checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776" dependencies = [ "serde_core", ] 
@@ -7011,20 +6971,20 @@ dependencies = [ [[package]] name = "serde_with" -version = "3.15.1" +version = "3.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa66c845eee442168b2c8134fec70ac50dc20e760769c8ba0ad1319ca1959b04" +checksum = "4fa237f2807440d238e0364a218270b98f767a00d3dada77b1c53ae88940e2e7" dependencies = [ "base64 0.22.1", "chrono", "hex", "indexmap 1.9.3", - "indexmap 2.12.0", + "indexmap 2.13.0", "schemars 0.9.0", - "schemars 1.1.0", + "schemars 1.2.0", "serde_core", "serde_json", - "serde_with_macros 3.15.1", + "serde_with_macros 3.16.1", "time", ] @@ -7037,19 +6997,19 @@ dependencies = [ "darling 0.20.11", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] name = "serde_with_macros" -version = "3.15.1" +version = "3.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b91a903660542fced4e99881aa481bdbaec1634568ee02e0b8bd57c64cb38955" +checksum = "52a8e3ca0ca629121f70ab50f95249e5a6f925cc0f6ffe8256c45b728875706c" dependencies = [ "darling 0.21.3", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7094,7 +7054,7 @@ checksum = "5d69265a08751de7844521fd15003ae0a888e035773ba05695c5c759a6f89eef" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7162,10 +7122,11 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "signal-hook-registry" -version = "1.4.6" +version = "1.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2a4719bff48cee6b39d12c020eeb490953ad2443b7055bd0b21fca26bd8c28b" +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" dependencies = [ + "errno", "libc", ] @@ -7235,7 +7196,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] 
@@ -7348,7 +7309,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7359,9 +7320,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "symbolic-common" -version = "12.16.3" +version = "12.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d03f433c9befeea460a01d750e698aa86caf86dcfbd77d552885cd6c89d52f50" +checksum = "b3d8046c5674ab857104bc4559d505f4809b8060d57806e45d49737c97afeb60" dependencies = [ "debugid", "memmap2", @@ -7371,9 +7332,9 @@ dependencies = [ [[package]] name = "symbolic-demangle" -version = "12.16.3" +version = "12.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13d359ef6192db1760a34321ec4f089245ede4342c27e59be99642f12a859de8" +checksum = "1accb6e5c4b0f682de907623912e616b44be1c9e725775155546669dbff720ec" dependencies = [ "cpp_demangle", "rustc-demangle", @@ -7393,9 +7354,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.109" +version = "2.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f17c7e013e88258aa9543dcbe81aca68a667a9ac37cd69c9fbc07858bfe0e2f" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" dependencies = [ "proc-macro2", "quote", @@ -7411,7 +7372,7 @@ dependencies = [ "paste", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7431,7 +7392,7 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7463,8 +7424,8 @@ dependencies = [ "fastrand", "getrandom 0.3.4", "once_cell", - "rustix 1.1.2", - "windows-sys 0.52.0", + "rustix 1.1.3", + "windows-sys 0.59.0", ] [[package]] 
@@ -7491,7 +7452,7 @@ checksum = "97e0639209021e54dbe19cafabfc0b5574b078c37358945e6d473eabe39bb974" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7500,7 +7461,7 @@ version = "0.13.10-rc.0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7589,7 +7550,7 @@ checksum = "085ba3a819d9931325c08ff7430864f941c7b05b0b87d1b0086336cea8f658ab" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7637,7 +7598,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7648,7 +7609,7 @@ checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7717,7 +7678,7 @@ dependencies = [ "rcgen", "redis", "rstest", - "rustls-webpki 0.103.4", + "rustls-webpki 0.103.7", "serde", "serial_test", "sha2", @@ -7741,7 +7702,7 @@ dependencies = [ "tower-http", "tracing", "tracing-test", - "x509-parser 0.18.0", + "x509-parser", "zeroize", ] @@ -7849,7 +7810,7 @@ checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -7886,9 +7847,10 @@ dependencies = [ [[package]] name = "tokio-rustls" version = "0.26.2" -source = "git+https://github.com/mkmks/tokio-rustls.git?branch=k256#fc6d96eee433d492dbaa8503cb67239fda89b190" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b" dependencies = [ - "rustls 0.23.31", + "rustls 0.23.36", "tokio", ] 
@@ -7904,9 +7866,9 @@ dependencies = [ [[package]] name = "tokio-stream" -version = "0.1.17" +version = "0.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047" +checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70" dependencies = [ "futures-core", "pin-project-lite", @@ -7931,9 +7893,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.9.8" +version = "0.9.11+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8" +checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46" dependencies = [ "serde_core", "serde_spanned", @@ -7944,20 +7906,20 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.7.3" +version = "0.7.5+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533" +checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347" dependencies = [ "serde_core", ] [[package]] name = "toml_edit" -version = "0.23.7" +version = "0.23.10+spec-1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6485ef6d0d9b5d0ec17244ff7eb05310113c3f316f2d14200d4de56b3cb98f8d" +checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269" dependencies = [ - "indexmap 2.12.0", + "indexmap 2.13.0", "toml_datetime", "toml_parser", "winnow", @@ -7965,9 +7927,9 @@ dependencies = [ [[package]] name = "toml_parser" -version = "1.0.4" +version = "1.0.6+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e" +checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44" dependencies = [ "winnow", ] 
@@ -7984,7 +7946,7 @@ dependencies = [ "http 1.3.1", "http-body 1.0.1", "http-body-util", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-timeout", "hyper-util", "percent-encoding", @@ -8008,11 +7970,11 @@ dependencies = [ "axum", "base64 0.22.1", "bytes", - "h2 0.4.12", + "h2 0.4.13", "http 1.3.1", "http-body 1.0.1", "http-body-util", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-timeout", "hyper-util", "percent-encoding", @@ -8039,7 +8001,7 @@ dependencies = [ "prost-build", "prost-types", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8062,7 +8024,7 @@ checksum = "e96bedfe5ae00cd370db4029612380c267bc224b2d45f1d35402b6b588e68d7b" dependencies = [ "async-stream", "futures", - "hyper 1.7.0", + "hyper 1.8.1", "hyper-util", "openssl", "schannel", @@ -8104,7 +8066,7 @@ checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" dependencies = [ "futures-core", "futures-util", - "indexmap 2.12.0", + "indexmap 2.13.0", "pin-project-lite", "slab", "sync_wrapper", @@ -8178,7 +8140,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8269,7 +8231,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "04659ddb06c87d233c566112c1c9c5b9e98256d9af50ec3bc9c8327f873a7568" dependencies = [ "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8280,7 +8242,7 @@ checksum = "70977707304198400eb4835a78f6a9f928bf41bba420deb8fdb175cd965d77a7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8306,7 +8268,7 @@ checksum = "60d8d828da2a3d759d3519cdf29a5bac49c77d039ad36d0782edadbf9cd5415b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8485,7 +8447,7 @@ dependencies = [ "proc-macro-error2", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] 
@@ -8496,9 +8458,9 @@ checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65" [[package]] name = "value-bag" -version = "1.11.1" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "943ce29a8a743eb10d6082545d861b24f9d1b160b7d741e0f2cdf726bec909c5" +checksum = "7ba6f5989077681266825251a52748b8c1d8a4ad098cc37e440103d0ea717fc0" [[package]] name = "vcpkg" @@ -8615,7 +8577,7 @@ dependencies = [ "bumpalo", "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "wasm-bindgen-shared", ] @@ -8660,9 +8622,9 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "1.0.4" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e" +checksum = "12bed680863276c63889429bfd6cab3b99943659923822de1c8a39c49e4d722c" dependencies = [ "rustls-pki-types", ] @@ -8715,7 +8677,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9babd3a767a4c1aef6900409f85f5d53ce2544ccdfaa86dad48c91782c6d6893" dependencies = [ "windows-collections", - "windows-core", + "windows-core 0.61.2", "windows-future", "windows-link 0.1.3", "windows-numerics", @@ -8727,7 +8689,7 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3beeceb5e5cfd9eb1d76b381630e82c4241ccd0d27f1a39ed41b2760b255c5e8" dependencies = [ - "windows-core", + "windows-core 0.61.2", ] [[package]] 
@@ -8739,8 +8701,21 @@ dependencies = [ "windows-implement", "windows-interface", "windows-link 0.1.3", - "windows-result", - "windows-strings", + "windows-result 0.3.4", + "windows-strings 0.4.2", +] + +[[package]] +name = "windows-core" +version = "0.62.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb" +dependencies = [ + "windows-implement", + "windows-interface", + "windows-link 0.2.1", + "windows-result 0.4.1", + "windows-strings 0.5.1", ] [[package]] @@ -8749,7 +8724,7 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc6a41e98427b19fe4b73c550f060b59fa592d7d686537eebf9385621bfbad8e" dependencies = [ - "windows-core", + "windows-core 0.61.2", "windows-link 0.1.3", "windows-threading", ] @@ -8762,7 +8737,7 @@ checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8773,7 +8748,7 @@ checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -8794,7 +8769,7 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9150af68066c4c5c07ddc0ce30421554771e528bde427614c61038bc2c92c2b1" dependencies = [ - "windows-core", + "windows-core 0.61.2", "windows-link 0.1.3", ] @@ -8807,6 +8782,15 @@ dependencies = [ "windows-link 0.1.3", ] +[[package]] +name = "windows-result" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5" +dependencies = [ + "windows-link 0.2.1", +] + [[package]] name = "windows-strings" version = "0.4.2" 
@@ -8816,6 +8800,15 @@ dependencies = [ "windows-link 0.1.3", ] +[[package]] +name = "windows-strings" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091" +dependencies = [ + "windows-link 0.2.1", +] + [[package]] name = "windows-sys" version = "0.52.0" @@ -8825,6 +8818,15 @@ dependencies = [ "windows-targets 0.52.6", ] +[[package]] +name = "windows-sys" +version = "0.59.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" +dependencies = [ + "windows-targets 0.52.6", +] + [[package]] name = "windows-sys" version = "0.60.2" @@ -8983,9 +8985,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650" [[package]] name = "winnow" -version = "0.7.13" +version = "0.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf" +checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829" dependencies = [ "memchr", ] @@ -9011,24 +9013,6 @@ dependencies = [ "tap", ] -[[package]] -name = "x509-parser" -version = "0.17.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4569f339c0c402346d4a75a9e39cf8dad310e287eef1ff56d4c68e5067f53460" -dependencies = [ - "asn1-rs", - "data-encoding", - "der-parser", - "lazy_static", - "nom 7.1.3", - "oid-registry", - "ring", - "rusticata-macros", - "thiserror 2.0.12", - "time", -] - [[package]] name = "x509-parser" version = "0.18.0" @@ -9042,6 +9026,7 @@ dependencies = [ "lazy_static", "nom 7.1.3", "oid-registry", + "ring", "rusticata-macros", "thiserror 2.0.12", "time", 
@@ -9092,28 +9077,28 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "synstructure", ] [[package]] name = "zerocopy" -version = "0.8.27" +version = "0.8.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0894878a5fa3edfd6da3f88c4805f4c8558e2b996227a3d864f47fe11e38282c" +checksum = "668f5168d10b9ee831de31933dc111a459c97ec93225beb307aed970d1372dfd" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.27" +version = "0.8.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88d2b8d9c68ad2b9e4340d7832716a4d21a22a1154777ad56ea55c51a9cf3831" +checksum = "2c7962b26b0a8685668b671ee4b54d007a67d4eaf05fda79ac0ecf41e32270f1" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -9133,7 +9118,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", "synstructure", ] @@ -9148,13 +9133,13 @@ dependencies = [ [[package]] name = "zeroize_derive" -version = "1.4.2" +version = "1.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] [[package]] @@ -9187,5 +9172,5 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.109", + "syn 2.0.114", ] diff --git a/Cargo.toml b/Cargo.toml index b2623aad1b..2e15a66740 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -158,12 +158,12 @@ rand = "=0.8.5" # Random number generation - LOW RISK: rust-random, 100M+ downl rasn = "=0.20.2" # ASN.1 encoding/decoding - HIGH RISK: Individual maintainer (XAMPPRocky), security-critical ASN.1 handling rasn-cms = "=0.20.2" # CMS (Cryptographic Message Syntax) - HIGH RISK: Individual maintainer (XAMPPRocky), security-critical rayon = "=1.11.0" # Data parallelism - LOW RISK: rayon-rs team -rcgen = { version = "=0.14.0", default-features = false, features = ["aws_lc_rs", "crypto", "pem", "x509-parser"] } # X.509 certificate generation - MEDIUM RISK: Using custom fork (see patch section), needs verification +rcgen = { version = "=0.14.7", default-features = false, features = ["aws_lc_rs", "crypto", "pem", "x509-parser"] } # X.509 certificate generation - MEDIUM RISK: Using custom fork (see patch section), needs verification redis = { version = "=0.29.5" } # Redis client - LOW RISK: redis-rs team reqwest = { version = "=0.12.22", default-features = false, features = ["json", "rustls-tls"] } # HTTP client - MEDIUM RISK: Reputable individual maintainer (seanmonstar, member of tokio org), 275M+ downloads rsa = { version = "=0.9.10", features = ["sha2", "serde"] } # RSA public key cryptography - LOW RISK: RustCrypto org rstest = "=0.25.0" # Test framework - HIGH RISK: Individual maintainer (la10736), test-only dependency -rustls-webpki = { version = "=0.103.4", features = ["aws-lc-rs"] } # WebPKI X.509 validation - LOW RISK: rustls team +rustls-webpki = { version = "=0.103.7", features = ["aws-lc-rs"] } # WebPKI X.509 validation - LOW RISK: rustls team schemars = "=0.8.22" # JSON Schema generation - HIGH RISK: Individual maintainer (GREsau), despite popularity, 81M+ downloads serde = { version = "1.0.228", features = ["derive", "rc"] } # Serialization framework - MEDIUM RISK: Reputable individual maintainer (dtolnay), 641M downloads serde-wasm-bindgen = { version = "=0.6.5" } # Serde integration for wasm-bindgen - HIGH RISK: Individual maintainer 
(RReverser), despite 37M+ downloads @@ -245,8 +245,5 @@ lto = "off" [patch.crates-io] # MEDIUM RISK: Using fork instead of upstream - verify changes, consider upstreaming attestation-doc-validation = { git = 'https://github.com/mkmks/attestation-doc-validation.git', branch = 'timestamps' } -rcgen = { git = 'https://github.com/mkmks/rcgen.git', branch = 'k256' } -rustls = { git = 'https://github.com/mkmks/rustls.git', branch = 'k256' } -rustls-pki-types = { git = 'https://github.com/mkmks/pki-types.git', branch = 'k256' } -rustls-webpki = { git = 'https://github.com/mkmks/webpki.git', branch = 'k256' } -tokio-rustls = { git = 'https://github.com/mkmks/tokio-rustls.git', branch = 'k256' } +rcgen = { git = 'https://github.com/zama-ai/rcgen.git', branch = 'k256' } +rustls-webpki = { git = 'https://github.com/zama-ai/webpki.git', branch = '0.103.7-k256' } diff --git a/core-client/Cargo.toml b/core-client/Cargo.toml index 6366e5db83..bc18b7f691 100644 --- a/core-client/Cargo.toml +++ b/core-client/Cargo.toml @@ -60,6 +60,7 @@ bc2wrap.workspace = true bytes.workspace = true clap = { workspace = true, features = ["derive"] } hex.workspace = true +k256.workspace = true kms = { workspace = true, default-features = false, features = [ "non-wasm", "testing", @@ -69,6 +70,7 @@ kms-grpc.workspace = true observability.workspace = true rand = { workspace = true, features = ["std", "std_rng"] } reqwest = { workspace = true, features = ["json", "rustls-tls"] } +rcgen.workspace = true serde = { workspace = true, features = ["derive"] } strum.workspace = true strum_macros.workspace = true @@ -76,6 +78,7 @@ tempfile.workspace = true tfhe.workspace = true threshold-fhe = { workspace = true, features = ["testing"] } tokio = { workspace = true, features = ["rt-multi-thread"] } +tokio-rustls.workspace = true tonic = { workspace = true } tracing = { workspace = true, features = ["log"] } tracing-appender.workspace = true 
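Review bot: Both entries this commit leaves in `[patch.crates-io]` track a mutable branch (`branch = 'k256'`, `branch = '0.103.7-k256'`), so only Cargo.lock fixes which certificate-generation and WebPKI validation code gets built, and a later `cargo update` moves to whatever the branch head is at that time. Using `rev` in place of `branch`, with the commits this lockfile already resolves (`rev = 'f8582f243899a7eff1a6524b42da60faaec73f15'` for rcgen, `rev = '87e2ef4b55f8769a55c57985906e4e59887a76c2'` for webpki), makes every fork update an explicit, reviewable change. The inline comment on the `rustls-webpki` line in the previous hunk still reads `LOW RISK: rustls team` although the crate is built from a fork; it should match the `rcgen` line, e.g. `MEDIUM RISK: Using custom fork (see patch section), needs verification`. The unchanged `attestation-doc-validation` entry tracks a branch in the same way.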
diff --git a/core-client/src/mpc_context.rs b/core-client/src/mpc_context.rs index 54249cc772..ec7148766b 100644 --- a/core-client/src/mpc_context.rs +++ b/core-client/src/mpc_context.rs @@ -1,5 +1,5 @@ -use std::collections::HashMap; - +#[cfg(feature = "testing")] +use k256::pkcs8::EncodePrivateKey; use kms_grpc::{ identifiers::ContextId, kms::v1::{DestroyMpcContextRequest, NewMpcContextRequest}, @@ -11,6 +11,7 @@ use kms_lib::{ engine::context::{NodeInfo, SoftwareVersion}, }; use kms_lib::{consts::SAFE_SER_SIZE_LIMIT, engine::context::ContextInfo}; +use std::collections::HashMap; use tfhe::safe_serialization::safe_deserialize; use tokio::task::JoinSet; use tonic::transport::Channel; @@ -90,14 +91,20 @@ pub async fn create_test_context_info_from_core_config( let sk = signing_keys.get(&role.one_based()).ok_or_else(|| { anyhow::anyhow!("No signing key found for party ID {}", role.one_based()) })?; + #[allow(deprecated)] + let sk_der = sk.sk().to_pkcs8_der()?; + let ca_keypair = rcgen::KeyPair::from_pkcs8_der_and_sign_algo( + &tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer::from(sk_der.as_bytes()), + &rcgen::PKCS_ECDSA_P256K1_SHA256, + )?; let mpc_identity = identity.mpc_identity(); - let (_ca_cert_ki, ca_cert) = threshold_fhe::tls_certs::create_ca_cert_from_signing_key( - mpc_identity.as_ref(), - true, - #[allow(deprecated)] - sk.sk(), - )?; + let (_ca_cert_ki, ca_cert, _ca_cert_params) = + threshold_fhe::tls_certs::create_ca_cert_from_signing_key( + mpc_identity.as_ref(), + true, + &ca_keypair, + )?; // build the s3 endpoint URL let (s3_endpoint, prefix) = diff --git a/core/service/src/cryptography/attestation/mod.rs b/core/service/src/cryptography/attestation/mod.rs index 44fc6afa4e..5be56acec6 100644 --- a/core/service/src/cryptography/attestation/mod.rs +++ b/core/service/src/cryptography/attestation/mod.rs 
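Review bot: The `EncodePrivateKey` import at the top of the file is compiled only with `feature = "testing"`, but the `sk.sk().to_pkcs8_der()` call added in `create_test_context_info_from_core_config` needs that trait in scope wherever the function itself is compiled. The function's attributes lie outside the hunks shown, so if it is not behind the same `cfg`, a build without the feature fails on the method call. Moving the import into the function body, `use k256::pkcs8::EncodePrivateKey;` as its first statement, ties the two together.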
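Review bot: The conversion added in the last hunk of this file (PKCS#8 DER export of the signing key, then `KeyPair::from_pkcs8_der_and_sign_algo` with `PKCS_ECDSA_P256K1_SHA256`) is repeated line for line in `ensure_ca_cert_exists` in key_setup/mod.rs and already exists in attestation/mod.rs. Three call sites now handle raw private-key DER, where `create_ca_cert_from_signing_key` used to be the only one. A single helper next to the signing-key type would confine the DER buffer to one function and leave one place to review if the signature algorithm or the key-material handling changes. The helper name below is a suggestion, and the enclosing function starts and ends outside this hunk.

```rust
/// Builds the rcgen key pair for a party's secp256k1 signing key.
fn ca_keypair_from_signing_key(sk: &k256::ecdsa::SigningKey) -> anyhow::Result<rcgen::KeyPair> {
    // PKCS#8 DER of the private key; it never leaves this function
    let sk_der = sk.to_pkcs8_der()?;
    Ok(rcgen::KeyPair::from_pkcs8_der_and_sign_algo(
        &tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer::from(sk_der.as_bytes()),
        &rcgen::PKCS_ECDSA_P256K1_SHA256,
    )?)
}

// … unchanged: signing_keys lookup, mpc_identity …
let ca_keypair = ca_keypair_from_signing_key(sk.sk())?;
```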
@@ -10,7 +10,8 @@ use nsm_nitro_enclave_utils::{driver::dev::DevNitro, pcr::Pcrs}; use rcgen::{BasicConstraints, PKCS_ECDSA_P384_SHA384}; use rcgen::{ CertificateParams, CustomExtension, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa, - KeyPair, KeyUsagePurpose, PublicKeyData, PKCS_ECDSA_P256K1_SHA256, PKCS_ECDSA_P256_SHA256, + Issuer, KeyPair, KeyUsagePurpose, PublicKeyData, PKCS_ECDSA_P256K1_SHA256, + PKCS_ECDSA_P256_SHA256, }; use std::{sync::Arc, time::Duration}; use threshold_fhe::networking::tls::extract_subject_from_cert; @@ -23,6 +24,7 @@ use tokio_rustls::rustls::{ sign::{CertifiedKey, SingleCertAndKey}, SignatureScheme, }; + use webpki::{anchor_from_trusted_cert, EndEntityCert, KeyUsage}; use x509_parser::{parse_x509_certificate, pem::Pem}; @@ -184,17 +186,16 @@ pub trait SecurityModule { ca_cert_key_usage.value.key_cert_sign(), "Bad party CA certificate: cannot be used to sign other certificates" ); - #[allow(deprecated)] let sk_der = ca_key.sk().to_pkcs8_der()?; let ca_keypair = KeyPair::from_pkcs8_der_and_sign_algo( &PrivatePkcs8KeyDer::from(sk_der.as_bytes()), &PKCS_ECDSA_P256K1_SHA256, )?; - let ca_cert_params = - CertificateParams::from_ca_cert_der(&ca_cert_pem.contents.as_slice().into())?; + let issuing_ca = + Issuer::from_ca_cert_der(&ca_cert_pem.contents.as_slice().into(), &ca_keypair)?; - let tls_cert = tls_cp.signed_by(&tls_keypair, &ca_cert_params, &ca_keypair)?; + let tls_cert = tls_cp.signed_by(&tls_keypair, &issuing_ca)?; // sanity check EndEntityCert::try_from(tls_cert.der())?.verify_for_usage( &[webpki::aws_lc_rs::ECDSA_P256K1_SHA256], diff --git a/core/service/src/util/key_setup/mod.rs b/core/service/src/util/key_setup/mod.rs index 4d8e069597..cbd6f1b782 100644 --- a/core/service/src/util/key_setup/mod.rs +++ b/core/service/src/util/key_setup/mod.rs 
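Review bot: `Issuer::from_ca_cert_der` takes the issuer name from `ca_cert_pem` and the signing key from `ca_keypair`, and nothing visible in this hunk checks that the key belongs to that certificate before `tls_cp.signed_by` runs. As far as I know rcgen does not compare the two itself. The webpki verification that follows appears to be what catches a mismatch (its trust anchor is set outside the hunk, so this is inferred), which makes it load-bearing rather than a sanity check. I would say so in the comment, e.g. `// verifies the new cert chains to the party CA cert; this is the only check that ca_key matches ca_cert_pem`. The function body starts and ends outside the hunk.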
@@ -34,6 +34,7 @@ use crate::vault::storage::{ store_versioned_at_request_id, Storage, StorageReader, StorageType, }; use itertools::Itertools; +use k256::pkcs8::EncodePrivateKey; use kms_grpc::rpc_types::{PrivDataType, PubDataType}; use kms_grpc::RequestId; use std::collections::HashMap; @@ -926,12 +927,18 @@ async fn ensure_ca_cert_exists( tls_wildcard: bool, ) -> anyhow::Result<()> { // self-sign a CA certificate with the private signing key - let (ca_cert_ki, ca_cert) = threshold_fhe::tls_certs::create_ca_cert_from_signing_key( - subject.as_str(), - tls_wildcard, - #[allow(deprecated)] - sk.sk(), + #[allow(deprecated)] + let sk_der = sk.sk().to_pkcs8_der()?; + let ca_keypair = rcgen::KeyPair::from_pkcs8_der_and_sign_algo( + &tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer::from(sk_der.as_bytes()), + &rcgen::PKCS_ECDSA_P256K1_SHA256, )?; + let (ca_cert_ki, ca_cert, _ca_params) = + threshold_fhe::tls_certs::create_ca_cert_from_signing_key( + subject.as_str(), + tls_wildcard, + &ca_keypair, + )?; // Store self-signed CA certificate if let Err(store_err) = store_text_at_request_id( diff --git a/core/threshold/src/tls_certs.rs b/core/threshold/src/tls_certs.rs index 355aba22e8..8ee1b92404 100644 --- a/core/threshold/src/tls_certs.rs +++ b/core/threshold/src/tls_certs.rs @@ -1,15 +1,11 @@ use anyhow::anyhow; use clap::Parser; -use k256::{ecdsa::SigningKey, pkcs8::EncodePrivateKey}; -use rcgen::BasicConstraints::Constrained; use rcgen::{ BasicConstraints, Certificate, CertificateParams, DistinguishedName, DnType, - ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose, PKCS_ECDSA_P256K1_SHA256, - PKCS_ECDSA_P256_SHA256, + ExtendedKeyUsagePurpose, IsCa, Issuer, KeyPair, KeyUsagePurpose, PKCS_ECDSA_P256_SHA256, }; use std::collections::{HashMap, HashSet}; use std::path::{Path, PathBuf}; -use tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer; #[derive(clap::ValueEnum, Debug, Clone, Copy)] enum CertFileType { 
@@ -112,37 +108,20 @@ async fn write_bytes + ?Sized, B: AsRef<[u8]>>( } /// create the keypair and self-signed certificate for the CA identified by the given name -fn create_ca_cert( +fn create_selfsigned_ca_cert( ca_name: &str, - is_ca: &IsCa, wildcard: bool, ) -> anyhow::Result<(KeyPair, Certificate, CertificateParams)> { let keypair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?; - create_ca_cert_from_keypair(&keypair, ca_name, is_ca, wildcard) - .map(|(cert, params)| (keypair, cert, params)) + create_ca_cert_from_signing_key(ca_name, wildcard, &keypair) + .map(|(_cert_ki, cert, params)| (keypair, cert, params)) } -pub fn create_ca_cert_from_signing_key( +pub fn create_ca_cert_from_signing_key( ca_name: &str, wildcard: bool, - sk: &SigningKey, -) -> anyhow::Result<(Vec, Certificate)> { - let is_ca = IsCa::Ca(BasicConstraints::Constrained(0)); - let sk_der = sk.to_pkcs8_der()?; - let ca_keypair = KeyPair::from_pkcs8_der_and_sign_algo( - &PrivatePkcs8KeyDer::from(sk_der.as_bytes()), - &PKCS_ECDSA_P256K1_SHA256, - )?; - create_ca_cert_from_keypair(&ca_keypair, ca_name, &is_ca, wildcard) - .map(|(cert, params)| (params.key_identifier(&ca_keypair), cert)) -} - -fn create_ca_cert_from_keypair( - keypair: &KeyPair, - ca_name: &str, - is_ca: &IsCa, - wildcard: bool, -) -> anyhow::Result<(Certificate, CertificateParams)> { + sk: &S, +) -> anyhow::Result<(Vec, Certificate, CertificateParams)> { validate_ca_name(ca_name)?; let sans_vec = [ if wildcard { @@ -162,7 +141,7 @@ fn create_ca_cert_from_keypair( cp.distinguished_name = distinguished_name; // set CA cert CA flag - cp.is_ca = *is_ca; + cp.is_ca = IsCa::Ca(BasicConstraints::Constrained(0)); // set self-signed CA cert Key Usage Purposes cp.key_usages = vec![ 
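Review bot: `create_ca_cert_from_signing_key` now hard-codes `IsCa::Ca(BasicConstraints::Constrained(0))`, and since `create_selfsigned_ca_cert` goes through it, every certificate the tool emits is a CA certificate. That includes the default run with `num_cores == 0`, which `entry_point` used to generate as `IsCa::NoCa` (hunk at -272). The comment removed there explained that choice by webpki only verifying an `EndEntityCert`, so either that limitation no longer applies or peers that verify a party certificate as an end entity may start rejecting it; the commit does not say which. A doc comment on the public function should record the new contract, e.g. `/// Self-signs a CA certificate (path length 0) for ca_name with sk; returns (key identifier, certificate, params).` The function continues in the following hunks.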
@@ -173,16 +152,15 @@ fn create_ca_cert_from_keypair( // self-sign cert with CA key tracing::info!("Generating keys and cert for {:?}", cp.subject_alt_names[0]); - let cert = cp.self_signed(keypair)?; - Ok((cert, cp)) + let cert = cp.self_signed(sk)?; + Ok((cp.key_identifier(sk), cert, cp)) } /// create a keypair and certificate for each of the `num_cores`, signed by the given CA -fn create_core_certs( +fn create_core_certs( ca_name: &str, num_cores: usize, - ca_keypair: &KeyPair, - ca_cert_params: &CertificateParams, + issuing_ca: &Issuer, wildcard: bool, ) -> anyhow::Result> { let core_cert_bundle: HashMap = (1..=num_cores) @@ -222,9 +200,7 @@ fn create_core_certs( ]; tracing::info!("Generating keys and cert for {:?}", cp.subject_alt_names[0]); - let core_cert = cp - .signed_by(&core_keypair, ca_cert_params, ca_keypair) - .unwrap(); + let core_cert = cp.signed_by(&core_keypair, issuing_ca).unwrap(); (i, (core_keypair, core_cert)) }) .collect(); @@ -272,21 +248,11 @@ pub async fn entry_point() -> anyhow::Result<()> { HashSet::from_iter(args.group.ca_names.iter().cloned()) }; - // As default, we only use self-signed player certificates, so we must not set the CA flag. - // This is due to `webpki` that only exposes an `EndEntityCert` for verification, which cannot be a CA. - // This limitation can be worked around by using some other method for verifying a certs validity. - let mut is_ca = IsCa::NoCa; - - // if we want to generate core certs, we need to set the CA flag to true - // we only allow to sign core certs directly, without intermediate CAs - if args.num_cores > 0 { - is_ca = IsCa::Ca(Constrained(1)); - } - let mut all_certs = vec![]; for ca_name in ca_set { let (ca_keypair, ca_cert, ca_cert_params) = - create_ca_cert(&ca_name, &is_ca, args.wildcard)?; + create_selfsigned_ca_cert(&ca_name, args.wildcard)?; + let issuing_ca = Issuer::from_params(&ca_cert_params, &ca_keypair); write_certs_and_keys( &args.output_dir, 
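Review bot: `cp.signed_by(&core_keypair, issuing_ca).unwrap()` still panics on a signing failure inside a function that returns `anyhow::Result`, so a bad key or parameter aborts the tool instead of reporting which core certificate failed. Since the line is being rewritten anyway, propagate the error: `let core_cert = cp.signed_by(&core_keypair, issuing_ca)?;`, with the closure returning `anyhow::Result<(usize, (KeyPair, Certificate))>` and the `collect()` targeting `anyhow::Result<HashMap<_, _>>`. The closure and the `collect()` start and end outside this hunk, so the exact types are inferred from `num_cores: usize` and the loop in `entry_point`.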
@@ -299,13 +265,8 @@ pub async fn entry_point() -> anyhow::Result<()> { // only generate core certs, if specifically desired (currently not the default) if args.num_cores > 0 { - let core_certs = create_core_certs( - &ca_name, - args.num_cores, - &ca_keypair, - &ca_cert_params, - args.wildcard, - )?; + let core_certs = + create_core_certs(&ca_name, args.num_cores, &issuing_ca, args.wildcard)?; // write all core keypairs and certificates to disk for (core_id, (core_keypair, core_cert)) in core_certs.iter() { @@ -348,16 +309,9 @@ pub async fn entry_point() -> anyhow::Result<()> { #[cfg(test)] mod tests { - use super::{ - create_ca_cert, create_ca_cert_from_signing_key, create_core_certs, validate_ca_name, - }; - use k256::{ecdsa::SigningKey, pkcs8::EncodePrivateKey}; - use rand::rngs::OsRng; - use rcgen::{ - BasicConstraints::Constrained, Certificate, CertificateParams, IsCa, KeyPair, - PKCS_ECDSA_P256K1_SHA256, - }; - use tokio_rustls::rustls::pki_types::{PrivatePkcs8KeyDer, UnixTime}; + use super::{create_core_certs, create_selfsigned_ca_cert, validate_ca_name}; + use rcgen::{Certificate, Issuer}; + use tokio_rustls::rustls::pki_types::UnixTime; use webpki::{anchor_from_trusted_cert, EndEntityCert, KeyUsage}; fn signed_verify(leaf_cert: &Certificate, ca_cert: &Certificate) -> anyhow::Result<()> { 
@@ -382,11 +336,11 @@ mod tests { #[test] fn test_cert_chain() { let ca_name = "party.kms.zama.ai"; - let is_ca = IsCa::Ca(Constrained(1)); - let (ca_keypair, ca_cert, ca_cert_params) = create_ca_cert(ca_name, &is_ca, false).unwrap(); + let (ca_keypair, ca_cert, ca_cert_params) = + create_selfsigned_ca_cert(ca_name, false).unwrap(); + let issuing_ca = Issuer::from_params(&ca_cert_params, &ca_keypair); - let core_certs = - create_core_certs(ca_name, 2, &ca_keypair, &ca_cert_params, false).unwrap(); + let core_certs = create_core_certs(ca_name, 2, &issuing_ca, false).unwrap(); // check that we can import the CA cert into the trust store let mut root_store = tokio_rustls::rustls::RootCertStore::empty(); @@ -395,7 +349,7 @@ mod tests { // create another CA cert, that did not sign the core certs for negative testing let (_ca_keypair_wrong, ca_cert_wrong, _ca_cert_params_wrong) = - create_ca_cert(ca_name, &is_ca, false).unwrap(); + create_selfsigned_ca_cert(ca_name, false).unwrap(); // check all core certs for c in core_certs { @@ -415,10 +369,9 @@ mod tests { #[test] fn test_ca_cert_selfsigned_verify() { let ca_name = "p1.kms.zama.ai"; - let is_ca = IsCa::NoCa; - let (_ca_keypair, ca_cert, _ca_cert_params) = - create_ca_cert(ca_name, &is_ca, false).unwrap(); + let (ca_keypair, ca_cert, ca_cert_params) = + create_selfsigned_ca_cert(ca_name, false).unwrap(); // check that we can import the CA cert into the trust store let mut root_store = tokio_rustls::rustls::RootCertStore::empty(); 
@@ -427,42 +380,23 @@ mod tests { // create another CA cert, that did not sign the core certs for negative testing let (_ca_keypair_wrong, ca_cert_wrong, _ca_cert_params_wrong) = - create_ca_cert(ca_name, &is_ca, false).unwrap(); - - let verif = signed_verify(&ca_cert, &ca_cert); - - // check that verification works for self-signed each cert - assert!(verif.is_ok(), "certificate validation failed!"); - - // check that verification does not work for wrong CA cert - let verif = signed_verify(&ca_cert, &ca_cert_wrong); - assert!( - verif.is_err(), - "certificate validation succeeded, but was expected to fail!" - ); - } - - #[test] - fn test_ca_cert_from_signing_key_verify() { - let ca_name = "p1.kms.zama.ai"; - let sk = SigningKey::random(&mut OsRng); - let (_ca_cert_ki, ca_cert) = create_ca_cert_from_signing_key(ca_name, false, &sk).unwrap(); + create_selfsigned_ca_cert(ca_name, false).unwrap(); - let sk_der = sk.to_pkcs8_der().unwrap(); - let ca_keypair = KeyPair::from_pkcs8_der_and_sign_algo( - &PrivatePkcs8KeyDer::from(sk_der.as_bytes()), - &PKCS_ECDSA_P256K1_SHA256, - ) - .unwrap(); - let ca_cert_params = CertificateParams::from_ca_cert_der(ca_cert.der()).unwrap(); - - let core_certs = - create_core_certs(ca_name, 2, &ca_keypair, &ca_cert_params, false).unwrap(); - - for c in core_certs { + let issuing_ca = Issuer::from_params(&ca_cert_params, &ca_keypair); + let core_certs = create_core_certs(ca_name, 2, &issuing_ca, false).unwrap(); + // check that verification works for self-signed CA + for c in core_certs.iter() { let verif = signed_verify(&c.1 .1, &ca_cert); assert!(verif.is_ok(), "certificate validation failed!"); } + // check that verification does not work for wrong CA cert + for c in core_certs { + let verif = signed_verify(&c.1 .1, &ca_cert_wrong); + assert!( + verif.is_err(), + "certificate validation succeeded, but was expected to fail!" + ); + } } #[test] From 1cf8e9603826073804e3f51d06143dda10ad107a Mon Sep 17 00:00:00 2001 
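Review bot: Removing `test_ca_cert_from_signing_key_verify` drops the only test visible in these hunks that built the CA key with `PKCS_ECDSA_P256K1_SHA256`; both remaining tests go through `create_selfsigned_ca_cert`, which generates a `PKCS_ECDSA_P256_SHA256` key. Since the commit exists to move to k256-enabled forks of rcgen and rustls-webpki, a secp256k1 CA key passed to the now public generic `create_ca_cert_from_signing_key`, followed by `signed_verify` on the issued core certificates, is the path most worth keeping under test. The rewritten `test_ca_cert_selfsigned_verify` also checks the same thing as `test_cert_chain` (core certificates against the right and the wrong CA), so one of the two could carry the k256 key instead.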
From: Nikita Frolov Date: Tue, 3 Mar 2026 16:57:36 +0100 Subject: [PATCH 2/7] review comments --- core-client/src/mpc_context.rs | 12 +++++++---- .../src/cryptography/attestation/mod.rs | 14 +++++++++---- core/service/src/util/key_setup/mod.rs | 14 ++++++++----- core/threshold/src/tls_certs.rs | 20 +++++++++++++------ 4 files changed, 41 insertions(+), 19 deletions(-) diff --git a/core-client/src/mpc_context.rs b/core-client/src/mpc_context.rs index ec7148766b..ea309ed804 100644 --- a/core-client/src/mpc_context.rs +++ b/core-client/src/mpc_context.rs @@ -91,16 +91,20 @@ pub async fn create_test_context_info_from_core_config( let sk = signing_keys.get(&role.one_based()).ok_or_else(|| { anyhow::anyhow!("No signing key found for party ID {}", role.one_based()) })?; - #[allow(deprecated)] - let sk_der = sk.sk().to_pkcs8_der()?; + let sk_der = { + // Will be fixed as part of [#2781](https://github.com/zama-ai/kms-internal/issues/2781). + #[expect(deprecated)] + let ecdsa_sk = sk.sk(); + ecdsa_sk.to_pkcs8_der()? + }; let ca_keypair = rcgen::KeyPair::from_pkcs8_der_and_sign_algo( - &tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer::from(sk_der.as_bytes()), + &sk_der.as_bytes().into(), &rcgen::PKCS_ECDSA_P256K1_SHA256, )?; let mpc_identity = identity.mpc_identity(); let (_ca_cert_ki, ca_cert, _ca_cert_params) = - threshold_fhe::tls_certs::create_ca_cert_from_signing_key( + threshold_fhe::tls_certs::create_ca_cert_from_ca_keypair( mpc_identity.as_ref(), true, &ca_keypair, diff --git a/core/service/src/cryptography/attestation/mod.rs b/core/service/src/cryptography/attestation/mod.rs index 5be56acec6..c0dc9a0bdb 100644 --- a/core/service/src/cryptography/attestation/mod.rs +++ b/core/service/src/cryptography/attestation/mod.rs 
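Review bot: The block that exports the signing key as PKCS#8 and rebuilds it as an `rcgen::KeyPair` with `PKCS_ECDSA_P256K1_SHA256` is repeated here and again in `core/service/src/cryptography/attestation/mod.rs` and `core/service/src/util/key_setup/mod.rs` in this patch. Three copies of private-key export code, each with its own `#[expect(deprecated)]`, can drift apart on the signature algorithm. A single helper would keep the export and the algorithm choice in one place; the sketch below assumes `sk()` yields the `k256::ecdsa::SigningKey` that the removed `create_ca_cert_from_signing_key` accepted, and the helper name is only a suggestion. The enclosing function continues outside the hunk.

```rust
/// Rebuild a secp256k1 signing key as an rcgen key pair for certificate signing.
pub fn ca_keypair_from_signing_key(sk: &k256::ecdsa::SigningKey) -> anyhow::Result<KeyPair> {
    // PKCS#8 export of the private key stays local to this function.
    let sk_der = sk.to_pkcs8_der()?;
    let keypair = KeyPair::from_pkcs8_der_and_sign_algo(
        &sk_der.as_bytes().into(),
        &PKCS_ECDSA_P256K1_SHA256,
    )?;
    Ok(keypair)
}
```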
@@ -16,10 +16,12 @@ use rcgen::{ use std::{sync::Arc, time::Duration}; use threshold_fhe::networking::tls::extract_subject_from_cert; use tokio::sync::RwLock; +#[cfg(feature = "insecure")] +use tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer; use tokio_rustls::rustls::{ client::ResolvesClientCert, crypto::CryptoProvider, - pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer, UnixTime}, + pki_types::{PrivateKeyDer, UnixTime}, server::{ClientHello, ResolvesServerCert}, sign::{CertifiedKey, SingleCertAndKey}, SignatureScheme, @@ -186,10 +188,14 @@ pub trait SecurityModule { ca_cert_key_usage.value.key_cert_sign(), "Bad party CA certificate: cannot be used to sign other certificates" ); - #[allow(deprecated)] - let sk_der = ca_key.sk().to_pkcs8_der()?; + let sk_der = { + // Will be fixed as part of [#2781](https://github.com/zama-ai/kms-internal/issues/2781). + #[expect(deprecated)] + let ecdsa_key = ca_key.sk(); + ecdsa_key.to_pkcs8_der()? + }; let ca_keypair = KeyPair::from_pkcs8_der_and_sign_algo( - &PrivatePkcs8KeyDer::from(sk_der.as_bytes()), + &sk_der.as_bytes().into(), &PKCS_ECDSA_P256K1_SHA256, )?; let issuing_ca = diff --git a/core/service/src/util/key_setup/mod.rs b/core/service/src/util/key_setup/mod.rs index cbd6f1b782..df45f81e9c 100644 --- a/core/service/src/util/key_setup/mod.rs +++ b/core/service/src/util/key_setup/mod.rs 
@@ -927,14 +927,18 @@ async fn ensure_ca_cert_exists( tls_wildcard: bool, ) -> anyhow::Result<()> { // self-sign a CA certificate with the private signing key - #[allow(deprecated)] - let sk_der = sk.sk().to_pkcs8_der()?; + let sk_der = { + // Will be fixed as part of [#2781](https://github.com/zama-ai/kms-internal/issues/2781). + #[expect(deprecated)] + let ecdsa_sk = sk.sk(); + ecdsa_sk.to_pkcs8_der()? + }; let ca_keypair = rcgen::KeyPair::from_pkcs8_der_and_sign_algo( - &tokio_rustls::rustls::pki_types::PrivatePkcs8KeyDer::from(sk_der.as_bytes()), + &sk_der.as_bytes().into(), &rcgen::PKCS_ECDSA_P256K1_SHA256, )?; let (ca_cert_ki, ca_cert, _ca_params) = - threshold_fhe::tls_certs::create_ca_cert_from_signing_key( + threshold_fhe::tls_certs::create_ca_cert_from_ca_keypair( subject.as_str(), tls_wildcard, &ca_keypair, @@ -957,7 +961,7 @@ async fn ensure_ca_cert_exists( } tracing::info!( "Successfully stored CA certificate {} under the handle {} in storage \"{}\"", - hex::encode(ca_cert_ki), + ca_cert_ki, req_id, pub_storage.info() ); diff --git a/core/threshold/src/tls_certs.rs b/core/threshold/src/tls_certs.rs index 8ee1b92404..c6229eb21f 100644 --- a/core/threshold/src/tls_certs.rs +++ b/core/threshold/src/tls_certs.rs 
@@ -113,15 +113,18 @@ fn create_selfsigned_ca_cert( wildcard: bool, ) -> anyhow::Result<(KeyPair, Certificate, CertificateParams)> { let keypair = KeyPair::generate_for(&PKCS_ECDSA_P256_SHA256)?; - create_ca_cert_from_signing_key(ca_name, wildcard, &keypair) + create_ca_cert_from_ca_keypair(ca_name, wildcard, &keypair) .map(|(_cert_ki, cert, params)| (keypair, cert, params)) } -pub fn create_ca_cert_from_signing_key( +/// Create a self-signed certificate using the supplied keypair. The first +/// element in the returned tuple is the certificate subject key identifier +/// which we currently only use for logging. +pub fn create_ca_cert_from_ca_keypair( ca_name: &str, wildcard: bool, sk: &S, -) -> anyhow::Result<(Vec, Certificate, CertificateParams)> { +) -> anyhow::Result<(String, Certificate, CertificateParams)> { validate_ca_name(ca_name)?; let sans_vec = [ if wildcard { @@ -140,7 +143,10 @@ pub fn create_ca_cert_from_signing_key( // distinguished_name.push(DnType::CommonName, "127.0.0.1".to_string()); // this seems to be needed for local deployment cp.distinguished_name = distinguished_name; - // set CA cert CA flag + // Currently, we expect CA certificates to sign ephemeral TLS certificates + // direcly. So, ensure this certificate can only be used to sign end-user + // certificates, without any intermediate certificates. NB: we might change + // that in the future. cp.is_ca = IsCa::Ca(BasicConstraints::Constrained(0)); // set self-signed CA cert Key Usage Purposes @@ -153,7 +159,7 @@ pub fn create_ca_cert_from_signing_key( // self-sign cert with CA key tracing::info!("Generating keys and cert for {:?}", cp.subject_alt_names[0]); let cert = cp.self_signed(sk)?; - Ok((cp.key_identifier(sk), cert, cp)) + Ok((hex::encode(cp.key_identifier(sk)), cert, cp)) } /// create a keypair and certificate for each of the `num_cores`, signed by the given CA 
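Review bot: The new comment above `cp.is_ca` has a typo (`direcly`) and says "end-user certificates", where the X.509 term for what a path length of 0 permits is end-entity certificates. As this comment is the place that states the trust model of the CA certificate, it could read `// CA certificates sign ephemeral TLS end-entity certificates directly: pathLenConstraint 0 forbids any intermediate CA below this certificate.` The function body continues outside the hunk.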
@@ -200,7 +206,9 @@ fn create_core_certs( ]; tracing::info!("Generating keys and cert for {:?}", cp.subject_alt_names[0]); - let core_cert = cp.signed_by(&core_keypair, issuing_ca).unwrap(); + let core_cert = cp + .signed_by(&core_keypair, issuing_ca) + .expect("Should never happen: core certificate generation failed, cannot recover"); (i, (core_keypair, core_cert)) }) .collect(); From ff137b1efa3e70009cbd05c7228fdfbec95fbaeb Mon Sep 17 00:00:00 2001 From: Nikita Frolov Date: Tue, 17 Mar 2026 19:39:46 +0100 Subject: [PATCH 3/7] dependency update --- Cargo.lock | 109 ++++++++++++++++++++++++++++------------------------- Cargo.toml | 13 ++++--- 2 files changed, 65 insertions(+), 57 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 69aa257f7d..6fb75cc1bd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1185,7 +1185,7 @@ dependencies = [ "aws-sdk-ssooidc", "aws-sdk-sts", "aws-smithy-async", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-json", "aws-smithy-runtime", "aws-smithy-runtime-api", @@ -1217,9 +1217,9 @@ dependencies = [ [[package]] name = "aws-lc-rs" -version = "1.15.3" +version = "1.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e84ce723ab67259cfeb9877c6a639ee9eb7a27b28123abd71db7f0d5d0cc9d86" +checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf" dependencies = [ "aws-lc-sys", "untrusted 0.7.1", @@ -1228,9 +1228,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.36.0" +version = "0.38.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43a442ece363113bd4bd4c8b18977a7798dd4d3c3383f34fb61936960e8f4ad8" +checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e" dependencies = [ "cc", "cmake", @@ -1275,7 +1275,7 @@ dependencies = [ "aws-sigv4", "aws-smithy-async", "aws-smithy-eventstream", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-runtime", "aws-smithy-runtime-api", "aws-smithy-types", 
@@ -1299,7 +1299,7 @@ dependencies = [ "aws-credential-types", "aws-runtime", "aws-smithy-async", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-json", "aws-smithy-observability", "aws-smithy-runtime", @@ -1325,7 +1325,7 @@ dependencies = [ "aws-smithy-async", "aws-smithy-checksums", "aws-smithy-eventstream", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-json", "aws-smithy-observability", "aws-smithy-runtime", @@ -1357,7 +1357,7 @@ dependencies = [ "aws-credential-types", "aws-runtime", "aws-smithy-async", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-json", "aws-smithy-observability", "aws-smithy-runtime", @@ -1380,7 +1380,7 @@ dependencies = [ "aws-credential-types", "aws-runtime", "aws-smithy-async", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-json", "aws-smithy-observability", "aws-smithy-runtime", @@ -1403,7 +1403,7 @@ dependencies = [ "aws-credential-types", "aws-runtime", "aws-smithy-async", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-json", "aws-smithy-observability", "aws-smithy-query", @@ -1426,7 +1426,7 @@ checksum = "69e523e1c4e8e7e8ff219d732988e22bfeae8a1cafdbe6d9eca1546fa080be7c" dependencies = [ "aws-credential-types", "aws-smithy-eventstream", - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-runtime-api", "aws-smithy-types", "bytes", @@ -1448,9 +1448,9 @@ dependencies = [ [[package]] name = "aws-smithy-async" -version = "1.2.7" +version = "1.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ee19095c7c4dda59f1697d028ce704c24b2d33c6718790c7f1d5a3015b4107c" +checksum = "2ffcaf626bdda484571968400c326a244598634dc75fd451325a54ad1a59acfc" dependencies = [ "futures-util", "pin-project-lite", 
@@ -1463,7 +1463,7 @@ version = "0.63.13" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "23374b9170cbbcc6f5df8dc5ebb9b6c5c28a3c8f599f0e8b8b10eb6f4a5c6e74" dependencies = [ - "aws-smithy-http", + "aws-smithy-http 0.62.6", "aws-smithy-types", "bytes", "crc-fast", @@ -1510,11 +1510,32 @@ dependencies = [ "tracing", ] +[[package]] +name = "aws-smithy-http" +version = "0.63.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba1ab2dc1c2c3749ead27180d333c42f11be8b0e934058fb4b2258ee8dbe5231" +dependencies = [ + "aws-smithy-runtime-api", + "aws-smithy-types", + "bytes", + "bytes-utils", + "futures-core", + "futures-util", + "http 1.3.1", + "http-body 1.0.1", + "http-body-util", + "percent-encoding", + "pin-project-lite", + "pin-utils", + "tracing", +] + [[package]] name = "aws-smithy-http-client" -version = "1.1.5" +version = "1.1.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59e62db736db19c488966c8d787f52e6270be565727236fd5579eaa301e7bc4a" +checksum = "6a2f165a7feee6f263028b899d0a181987f4fa7179a6411a32a439fba7c5f769" dependencies = [ "aws-smithy-async", "aws-smithy-runtime-api", @@ -1551,9 +1572,9 @@ dependencies = [ [[package]] name = "aws-smithy-observability" -version = "0.2.0" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef1fcbefc7ece1d70dcce29e490f269695dfca2d2bacdeaf9e5c3f799e4e6a42" +checksum = "a06c2315d173edbf1920da8ba3a7189695827002e4c0fc961973ab1c54abca9c" dependencies = [ "aws-smithy-runtime-api", ] 
@@ -1570,12 +1591,12 @@ dependencies = [ [[package]] name = "aws-smithy-runtime" -version = "1.9.8" +version = "1.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bb5b6167fcdf47399024e81ac08e795180c576a20e4d4ce67949f9a88ae37dc1" +checksum = "028999056d2d2fd58a697232f9eec4a643cf73a71cf327690a7edad1d2af2110" dependencies = [ "aws-smithy-async", - "aws-smithy-http", + "aws-smithy-http 0.63.6", "aws-smithy-http-client", "aws-smithy-observability", "aws-smithy-runtime-api", @@ -1586,6 +1607,7 @@ dependencies = [ "http 1.3.1", "http-body 0.4.6", "http-body 1.0.1", + "http-body-util", "pin-project-lite", "pin-utils", "tokio", @@ -1594,9 +1616,9 @@ dependencies = [ [[package]] name = "aws-smithy-runtime-api" -version = "1.10.0" +version = "1.11.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "efce7aaaf59ad53c5412f14fc19b2d5c6ab2c3ec688d272fd31f76ec12f44fb0" +checksum = "876ab3c9c29791ba4ba02b780a3049e21ec63dabda09268b175272c3733a79e6" dependencies = [ "aws-smithy-async", "aws-smithy-types", @@ -1611,9 +1633,9 @@ dependencies = [ [[package]] name = "aws-smithy-types" -version = "1.3.6" +version = "1.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65f172bcb02424eb94425db8aed1b6d583b5104d4d5ddddf22402c661a320048" +checksum = "d2b1117b3b2bbe166d11199b540ceed0d0f7676e36e7b962b5a437a9971eac75" dependencies = [ "base64-simd", "bytes", @@ -4060,17 +4082,6 @@ dependencies = [ "cfg-if", ] -[[package]] -name = "io-uring" -version = "0.7.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdd7bddefd0a8833b88a4b68f90dae22c7450d11b354198baee3874fd811b344" -dependencies = [ - "bitflags 2.9.4", - "cfg-if", - "libc", -] - [[package]] name = "ipnet" version = "2.11.0" 
@@ -7784,29 +7795,26 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.46.1" +version = "1.49.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0cc3a2344dafbe23a245241fe8b09735b521110d30fcefbbd5feb1797ca35d17" +checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" dependencies = [ - "backtrace", "bytes", - "io-uring", "libc", "mio", "parking_lot", "pin-project-lite", "signal-hook-registry", - "slab", - "socket2 0.5.10", + "socket2 0.6.1", "tokio-macros", - "windows-sys 0.52.0", + "windows-sys 0.61.2", ] [[package]] name = "tokio-macros" -version = "2.5.0" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8" +checksum = "5c55a2eff8b69ce66c84f85e1da1c233edc36ceb85a2058d11b0d6a3c7e7569c" dependencies = [ "proc-macro2", "quote", @@ -7878,15 +7886,14 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.15" +version = "0.7.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66a539a9ad6d5d281510d5bd368c973d636c02dbf8a67300bfb6b950696ad7df" +checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098" dependencies = [ "bytes", "futures-core", "futures-sink", "futures-util", - "hashbrown 0.15.5", "pin-project-lite", "tokio", ] @@ -8110,9 +8117,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" -version = "0.1.41" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0" +checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100" dependencies = [ "log", "pin-project-lite", diff --git a/Cargo.toml b/Cargo.toml index 2e15a66740..9e09738206 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -91,12 +91,13 @@ async-trait = "=0.1.89" # Async trait support - MEDIUM RISK: Reputable individ async_cell = "0.2.2" # Async cell implementation - HIGH RISK: Individual maintainer, very low popularity attestation-doc-validation = { version = "=0.10.0" } # AWS Nitro attestation validation - LOW RISK: Evervault (reputable security company), security-critical but trusted aws-config = { version = "=1.8.12" } # AWS SDK configuration - LOW RISK: Official AWS SDK, actively maintained +aws-lc-rs = { version = "=1.16.1" } # AWS-LC dependency pinned because of an earlier version vulnerability - LOW RISK: Official AWS SDK aws-nitro-enclaves-nsm-api = { version = "=0.4.0" } # AWS Nitro Enclaves NSM API - LOW RISK: Official AWS SDK aws-sdk-kms = { version = "=1.98.0" } # AWS KMS client - LOW RISK: Official AWS SDK for key management aws-sdk-s3 = { version = "=1.120.0" } # AWS S3 client - LOW RISK: Official AWS SDK for object storage -aws-smithy-runtime = { version = "=1.9.8", features = ["client", "connector-hyper-0-14-x"] } # AWS Smithy runtime - LOW RISK: Official AWS runtime library -aws-smithy-runtime-api = { version = "=1.10.0" } # AWS Smithy runtime API - LOW RISK: Official AWS runtime API -aws-smithy-types = { version = "=1.3.6" } # AWS Smithy types - LOW RISK: Official AWS type definitions +aws-smithy-runtime = { version = "=1.10.3", features = ["client", "connector-hyper-0-14-x"] } # AWS Smithy runtime - LOW RISK: Official AWS runtime library +aws-smithy-runtime-api = { version = "=1.11.6" } # AWS Smithy runtime API - LOW RISK: Official AWS runtime API +aws-smithy-types = { version = "=1.4.6" } # AWS Smithy types - LOW RISK: Official AWS type definitions axum = { version = "=0.8.8", features = ["tokio"] } # Web framework - LOW RISK: tokio-rs team, 168M+ downloads, actively maintained backoff = "=0.4.0" # Retry with exponential backoff - HIGH RISK: Individual maintainer (ihrwein), despite 50M+ downloads # WARNING: Bincode beyond 2.0.1 may never be used! 
Due to actions by the project we consider newer versions compromised @@ -184,16 +185,16 @@ tfhe-csprng = "=0.8.1" # Cryptographically secure PRNG for TFHE - LOW RISK: Zam tfhe-versionable = "=0.7.0" # TFHE versioning support - LOW RISK: Zama tfhe-zk-pok = "=0.8.0" # Zero-knowledge proofs for TFHE - LOW RISK: Zama thiserror = "=2.0.12" # Error derive macro - MEDIUM RISK: Reputable individual maintainer (dtolnay), 545M downloads -tokio = { version = "=1.46.1", features = ["full"] } # Async runtime - LOW RISK: tokio team, industry standard +tokio = { version = "=1.49.0", features = ["full"] } # Async runtime - LOW RISK: tokio team, industry standard tokio-rustls = { version = "=0.26.2", default-features = false, features = ["aws_lc_rs"] } # Async TLS - LOW RISK: rustls team, memory-safe TLS implementation -tokio-util = { version = "=0.7.15", features = ["rt"] } # Tokio utilities - LOW RISK: tokio team +tokio-util = { version = "=0.7.18", features = ["rt"] } # Tokio utilities - LOW RISK: tokio team tonic = "=0.13.1" # gRPC framework - LOW RISK: hyperium team tonic-build = "=0.13.1" # gRPC code generation - LOW RISK: hyperium team tonic-health = "=0.13.1" # gRPC health checking - LOW RISK: hyperium team tonic-tls = "=0.3.0" # TLS support for tonic - LOW RISK: hyperium team tower = "=0.5.3" # Service framework - LOW RISK: tower-rs team tower-http = "=0.6.8" # HTTP middleware - LOW RISK: tower-rs team -tracing = { version = "=0.1.41", features = ["log"] } # Application instrumentation - LOW RISK: tokio-rs team +tracing = { version = "=0.1.44", features = ["log"] } # Application instrumentation - LOW RISK: tokio-rs team tracing-appender = "=0.2.3" # Log file rotation - LOW RISK: tokio-rs team tracing-opentelemetry = "=0.30.0" # OpenTelemetry integration - LOW RISK: tokio-rs team tracing-subscriber = { version = "=0.3.20", features = ["fmt", "std"] } # Tracing subscriber - LOW RISK: tokio-rs team From 92415931492f51711bae9de453df1c11d4093d6e Mon Sep 17 00:00:00 2001 
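Review bot: The comment on the new `aws-lc-rs` pin says it exists "because of an earlier version vulnerability" but names neither the advisory nor the first fixed version. Without that, a later reader cannot tell whether the pin still serves a purpose or which versions must stay excluded. The comment could carry the reference, e.g. `# pinned for <ADVISORY-ID>, fixed in <VERSION>` with the real values filled in.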
From: Nikita Frolov Date: Wed, 18 Mar 2026 16:28:26 +0100 Subject: [PATCH 4/7] remove 0BSD from denylist --- .cargo/deny.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cargo/deny.toml b/.cargo/deny.toml index ca5a9a790c..42ae696b21 100644 --- a/.cargo/deny.toml +++ b/.cargo/deny.toml @@ -89,7 +89,7 @@ ignore = [ # See https://spdx.org/licenses/ for list of possible licenses # [possible values: any SPDX 3.11 short identifier (+ optional exception)]. allow = [ - "0BSD", + # "0BSD", no longer used "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", From 567f99f3839b150ae074c45f6929d6284e9c9608 Mon Sep 17 00:00:00 2001 From: Nikita Frolov Date: Wed, 18 Mar 2026 17:18:31 +0100 Subject: [PATCH 5/7] update Cargo.lock --- Cargo.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index 6fb75cc1bd..1880a31bcd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6588,7 +6588,7 @@ dependencies = [ [[package]] name = "rustls-webpki" version = "0.103.7" -source = "git+https://github.com/zama-ai/webpki.git?branch=0.103.7-k256#87e2ef4b55f8769a55c57985906e4e59887a76c2" +source = "git+https://github.com/zama-ai/webpki.git?branch=0.103.7-k256#173cd968166e1429958b24da242cba93700c9ac0" dependencies = [ "aws-lc-rs", "ring", From 25b26e11d8e7ee39acc5bf7858aba8aa0673d5ed Mon Sep 17 00:00:00 2001 From: Nikita Frolov Date: Thu, 19 Mar 2026 12:22:22 +0100 Subject: [PATCH 6/7] log supported TLS algs on cert verification failure --- core/threshold/src/networking/tls.rs | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/core/threshold/src/networking/tls.rs b/core/threshold/src/networking/tls.rs index edb03d7aa1..a6db7a56d4 100644 --- a/core/threshold/src/networking/tls.rs +++ b/core/threshold/src/networking/tls.rs 
@@ -301,7 +301,11 @@ impl ServerCertVerifier for AttestedVerifier { server_verifier .verify_server_cert(end_entity, intermediates, server_name, ocsp_response, now) .inspect_err(|e| { - tracing::error!("server verifier validation error: {e}"); + tracing::error!( + "server verifier validation error: {}, supported algorithms: {:?}", + e, + &self.supported_algs + ); })?; // check the bundled attestation document and EIF signing certificate #[cfg(feature = "testing")] @@ -396,7 +400,11 @@ impl ClientCertVerifier for AttestedVerifier { client_verifier .verify_client_cert(end_entity, intermediates, now) .inspect_err(|e| { - tracing::error!("client verifier validation error: {e}"); + tracing::error!( + "client verifier validation error: {}, supported algorithms: {:?}", + e, + &self.supported_algs + ); })?; // check the bundled attestation document and EIF signing certificate From 2295f4698cb272ba6852d2bb4ecfbc385365d7c8 Mon Sep 17 00:00:00 2001 From: Nikita Frolov Date: Thu, 19 Mar 2026 16:38:06 +0100 Subject: [PATCH 7/7] updated dependencies again --- Cargo.lock | 27 +++++++++++++-------------- Cargo.toml | 5 +++-- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1880a31bcd..03440dbc18 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1552,7 +1552,7 @@ dependencies = [ "hyper-util", "pin-project-lite", "rustls 0.21.12", - "rustls 0.23.36", + "rustls 0.23.37", "rustls-native-certs 0.8.3", "rustls-pki-types", "tokio", @@ -3811,7 +3811,7 @@ dependencies = [ "http 1.3.1", "hyper 1.8.1", "hyper-util", - "rustls 0.23.36", + "rustls 0.23.37", "rustls-native-certs 0.8.3", "rustls-pki-types", "tokio", @@ -4280,7 +4280,7 @@ dependencies = [ "rcgen", "rsa", "rstest", - "rustls-webpki 0.103.7", + "rustls-webpki 0.103.9", "serde", "serde-wasm-bindgen", "serde_json", @@ -5872,7 +5872,7 @@ dependencies = [ "quinn-proto", "quinn-udp", "rustc-hash", - "rustls 0.23.36", + "rustls 0.23.37", "socket2 0.6.1", "thiserror 2.0.12", "tokio", 
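Review bot: Both `inspect_err` closures (`verify_server_cert` here and `verify_client_cert` in the next hunk) now append the `Debug` dump of `self.supported_algs` to every failed verification, and a failed verification can be caused by any peer that presents a bad certificate. The algorithm list looks like fixed configuration of the verifier, so logging it once where the verifier is built and keeping the per-failure line short would limit how much log volume a misbehaving peer can produce. If it stays here, structured fields keep the line parseable: `tracing::error!(error = %e, supported_algs = ?self.supported_algs, "server verifier validation error");`. Both methods start and end outside their hunks.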
@@ -5892,7 +5892,7 @@ dependencies = [ "rand 0.9.2", "ring", "rustc-hash", - "rustls 0.23.36", + "rustls 0.23.37", "rustls-pki-types", "slab", "thiserror 2.0.12", @@ -6238,7 +6238,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "quinn", - "rustls 0.23.36", + "rustls 0.23.37", "rustls-pki-types", "serde", "serde_json", @@ -6518,16 +6518,15 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.36" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" +version = "0.23.37" +source = "git+https://github.com/zama-ai/rustls.git?branch=rel-0.23-k256#b459952c88fc64c0a1352447cd5e10284670166f" dependencies = [ "aws-lc-rs", "log", "once_cell", "ring", "rustls-pki-types", - "rustls-webpki 0.103.7", + "rustls-webpki 0.103.9", "subtle", "zeroize", ] @@ -6587,8 +6586,8 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.7" -source = "git+https://github.com/zama-ai/webpki.git?branch=0.103.7-k256#173cd968166e1429958b24da242cba93700c9ac0" +version = "0.103.9" +source = "git+https://github.com/zama-ai/webpki.git?branch=rel-0.103-k256#0b5ee7b1de0b2d87457c0bf1cc93f8e442f3a3c1" dependencies = [ "aws-lc-rs", "ring", @@ -7689,7 +7688,7 @@ dependencies = [ "rcgen", "redis", "rstest", - "rustls-webpki 0.103.7", + "rustls-webpki 0.103.9", "serde", "serial_test", "sha2", @@ -7858,7 +7857,7 @@ version = "0.26.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b" dependencies = [ - "rustls 0.23.36", + "rustls 0.23.37", "tokio", ] diff --git a/Cargo.toml b/Cargo.toml index 9e09738206..624769c75f 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -164,7 +164,7 @@ redis = { version = "=0.29.5" } # Redis client - LOW RISK: redis-rs team reqwest = { version = "=0.12.22", default-features = false, features = ["json", "rustls-tls"] } # HTTP client - MEDIUM RISK: Reputable individual maintainer (seanmonstar, member of tokio org), 275M+ downloads rsa = { version = "=0.9.10", features = ["sha2", "serde"] } # RSA public key cryptography - LOW RISK: RustCrypto org rstest = "=0.25.0" # Test framework - HIGH RISK: Individual maintainer (la10736), test-only dependency -rustls-webpki = { version = "=0.103.7", features = ["aws-lc-rs"] } # WebPKI X.509 validation - LOW RISK: rustls team +rustls-webpki = { version = "=0.103.9", features = ["aws-lc-rs"] } # WebPKI X.509 validation - LOW RISK: rustls team schemars = "=0.8.22" # JSON Schema generation - HIGH RISK: Individual maintainer (GREsau), despite popularity, 81M+ downloads serde = { version = "1.0.228", features = ["derive", "rc"] } # Serialization framework - MEDIUM RISK: Reputable individual maintainer (dtolnay), 641M downloads serde-wasm-bindgen = { version = "=0.6.5" } # Serde integration for wasm-bindgen - HIGH RISK: Individual maintainer (RReverser), despite 37M+ downloads @@ -247,4 +247,5 @@ lto = "off" # MEDIUM RISK: Using fork instead of upstream - verify changes, consider upstreaming attestation-doc-validation = { git = 'https://github.com/mkmks/attestation-doc-validation.git', branch = 'timestamps' } rcgen = { git = 'https://github.com/zama-ai/rcgen.git', branch = 'k256' } -rustls-webpki = { git = 'https://github.com/zama-ai/webpki.git', branch = '0.103.7-k256' } +rustls = { git = 'https://github.com/zama-ai/rustls.git', branch = 'rel-0.23-k256' } +rustls-webpki = { git = 'https://github.com/zama-ai/webpki.git', branch = 'rel-0.103-k256' }
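Review bot: The added fork entries follow branches (`rel-0.23-k256`, `rel-0.103-k256`), so the code that replaces `rustls` and `rustls-webpki` for every dependent in the lockfile is whatever those branches point at when the lock is next refreshed. PATCH 5/7 shows this happening: the locked commit for branch `0.103.7-k256` changed with no edit to `Cargo.toml`. Pinning the reviewed commits with `rev` makes a fork update an explicit, reviewable edit, for example `rustls = { git = 'https://github.com/zama-ai/rustls.git', rev = 'b459952c88fc64c0a1352447cd5e10284670166f' }`, and the same for `rustls-webpki` with `0b5ee7b1de0b2d87457c0bf1cc93f8e442f3a3c1` (both hashes taken from `Cargo.lock` in this patch).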