Upgrades all RustCrypto crates to their latest RC versions to unblock ml-dsa 0.1.0-rc.8, which fixes a WASM stack overflow with ML-DSA signatures in Cloudflare Workers.

Workspace dependency changes:
- der 0.7.10 (patched fork) → 0.8.0 (Tag::RelativeOid now native)
- const-oid 0.9.6 → 0.10
- spki 0.7 → 0.8
- pkcs8 (new) 0.11.0-rc.11
- signature 2.2.0 → 3.0.0-rc.10
- sha1 0.10 → 0.11
- sha2 0.10 → 0.11
- digest (new) 0.11
- rand 0.8.5 → 0.10.0
- rand_core 0.6.4 → 0.10.0
- getrandom 0.2 → 0.4
- ed25519-dalek 2.1.1 → 3.0.0-pre.6
- p256 0.13 → 0.14.0-rc.8
- p384 0.13 → 0.14.0-rc.8
- p521 0.13 → 0.14.0-rc.8
- rsa 0.9 → 0.10.0-rc.17
- x509-cert 0.2.5 → 0.3.0-rc.4
- crypto-common (new) 0.2

Add OwnedTbsCertificate and OwnedCertificate to x509_util:
- Freely mutable owned representations of the x509-cert types whose fields were made private in x509-cert 0.3 (RustCrypto/formats#1505)
- DER encoding/decoding via #[derive(Sequence)] with #[asn1(...)] attributes, matching the pattern used by TbsCertificateLogEntry in bootstrap_mtc_api and the original x509-cert 0.2 structs
- Used in static_ct_api (rfc6962.rs) and bootstrap_mtc_api wherever certificate fields need to be mutated before re-encoding

Adapt to x509-cert 0.3 API changes (private fields → accessor methods, Validity::new, RelativeDistinguishedName::try_from, etc.) throughout bootstrap_mtc_api, bootstrap_mtc_worker, ct_worker, sct_validator, static_ct_api, and integration_tests.

Adapt to rand 0.10 API changes (OsRng→SysRng, thread_rng()→rng(), gen_range→random_range, RngExt, TryRng/TryCryptoRng in doc examples).

Adapt is_link_valid in x509_util to the upgraded crates:
- verify_rsa bound: sha2::digest::Digest + rsa::pkcs8::AssociatedOid → digest::Digest + const_oid::AssociatedOid (rsa 0.10-rc API)
- verify_p521: p521 0.14 makes VerifyingKey a type alias for ecdsa::VerifyingKey<NistP521>, so it now uses the same TryFrom<SubjectPublicKeyInfoRef>/DerSignature pattern as p256/p384

Initial scaffolding for the IETF MTC implementation (draft-ietf-plants-merkle-tree-certs). Copied directly from bootstrap_mtc_api and bootstrap_mtc_worker as a starting point; subsequent commits will remove bootstrap-specific functionality and implement draft-02 behaviour.
40dddb1 to ca44420
Removes bootstrap-specific code from ietf_mtc_api and ietf_mtc_worker and replaces it with IETF draft-ietf-plants-merkle-tree-certs-02 functionality:

ietf_mtc_api:
- AddEntryRequest: replace chain (Vec<Vec<u8>>) with csr (base64url DER)
- build_pending_entry: parse PKCS#10 CSR, extract SAN extension
- TbsCertificateLogEntry: no outer SEQUENCE wrapper (davidben-10); adds subject_public_key_info_algorithm field (plants-02)
- encode_fields/decode_fields: manual DER encoding/decoding without #[derive(Sequence)]
- serialize_landmark_relative_cert: renamed from serialize_signatureless_cert
- Remove GetRootsResponse, validate_chain, validate_correspondence, etc.

ietf_mtc_worker:
- Remove ccadb_roots_cron, ct_logs_cron, dev-bootstrap-roots.pem
- Remove ROOTS OnceLock, load_roots, sct_validator dep, get-roots route
- add_entry: call build_pending_entry with CSR instead of validate_chain
- wrangler.jsonc: cleaned up for IETF worker
- config.schema.json: remove enable_sct_validation

integration_tests (from 53d4845 and cf9e387):
- Add IetfMtcClient with CSR-based add_entry
- Add make_ietf_mtc_csr fixture using x509-cert RequestBuilder
- Add tests/ietf_mtc_api.rs adapted for CSR submission
- Add ietf_mtc_api to Cargo.toml

READMEs updated for all four MTC crates (from cf9e387).

ca44420 to ed97627
No description provided.