From 2621fce4db49a7d78b633b962545f8ec8164a792 Mon Sep 17 00:00:00 2001 From: Adam Spofford Date: Tue, 30 Jan 2024 10:22:09 -0800 Subject: [PATCH] Remove OpenSSL dependency --- .github/workflows/release.yml | 4 +- CONTRIBUTING.md | 2 +- Cargo.lock | 71 +------------------ Cargo.toml | 5 +- README.md | 11 +-- scripts/workflows/provision-linux-build.sh | 2 +- scripts/workflows/provision-windows-build.ps1 | 5 +- src/commands/ckbtc.rs | 8 +-- src/commands/claim_neurons.rs | 24 +++---- src/commands/neuron_stake.rs | 8 +-- 10 files changed, 29 insertions(+), 111 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e7047d64..d320e9a2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: cross: true target_file: target/x86_64-unknown-linux-musl/release/quill asset_name: quill-linux-x86_64-musl - features: [static-ssl] + features: [] - os: windows-latest name: windows target_file: target/release/quill.exe @@ -40,7 +40,7 @@ jobs: cross: true target_file: target/arm-unknown-linux-gnueabihf/release/quill asset_name: quill-linux-arm32 - features: [static-ssl, hsm] + features: [hsm] - os: ubuntu-latest name: linux target_file: target/release/quill diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f8efc90d..7409827b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -30,4 +30,4 @@ Every change to the command-line interface must contain documentation; we use `c ## Miscellaneous -Quill employs optional Cargo features for different platforms. Ensure your contribution builds (and lints) on all configurations - this can be automated with the [`cargo-hack`](https://github.com/taiki-e/cargo-hack) tool, as `cargo hack clippy --feature-powerset --features static-ssl`. +Quill employs optional Cargo features for different platforms. Ensure your contribution builds (and lints) on all configurations - this can be automated with the [`cargo-hack`](https://github.com/taiki-e/cargo-hack) tool, as `cargo hack clippy --feature-powerset`. diff --git a/Cargo.lock b/Cargo.lock index bde6f44a..687b046a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1499,21 +1499,6 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" -[[package]] -name = "foreign-types" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" -dependencies = [ - "foreign-types-shared", -] - -[[package]] -name = "foreign-types-shared" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" - [[package]] name = "form_urlencoded" version = "1.2.1" 
@@ -4040,54 +4025,6 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" -[[package]] -name = "openssl" -version = "0.10.63" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" -dependencies = [ - "bitflags 2.4.2", - "cfg-if", - "foreign-types", - "libc", - "once_cell", - "openssl-macros", - "openssl-sys", -] - -[[package]] -name = "openssl-macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.48", -] - -[[package]] -name = "openssl-src" -version = "300.2.1+3.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fe476c29791a5ca0d1273c697e96085bbabbbea2ef7afd5617e78a4b40332d3" -dependencies = [ - "cc", -] - -[[package]] -name = "openssl-sys" -version = "0.9.99" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" -dependencies = [ - "cc", - "libc", - "openssl-src", - "pkg-config", - "vcpkg", -] - [[package]] name = "os_str_bytes" version = "6.6.1" @@ -4603,7 +4540,6 @@ dependencies = [ "ledger-transport-hid", "num-bigint 0.4.4", "once_cell", - "openssl", "pem 1.1.1", "qrcodegen", "rand", @@ -4615,6 +4551,7 @@ dependencies = [ "serde_cbor", "serde_json", "serial_test", + "sha2 0.10.8", "sha3", "shellwords", "simple_asn1", 
@@ -5943,12 +5880,6 @@ version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f00cc9702ca12d3c81455259621e676d0f7251cec66a21e98fe2e9a37db93b2a" -[[package]] -name = "vcpkg" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" - [[package]] name = "version_check" version = "0.9.4" diff --git a/Cargo.toml b/Cargo.toml index c25531c8..52ec9c3e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -49,7 +49,6 @@ ledger-apdu = { version = "0.10", optional = true } ledger-transport-hid = { version = "0.10", optional = true } num-bigint = "0.4.3" once_cell = "1.17.1" -openssl = "0.10.48" pem = "1.0.1" qrcodegen = "1.8" rand = { version = "0.8.4", features = ["getrandom"] } @@ -61,6 +60,7 @@ serde = { version = "1.0.130", features = ["derive"] } serde_bytes = "0.11.2" serde_cbor = "0.11.2" serde_json = "1.0.57" +sha2 = "0.10.8" sha3 = "0.10.6" tiny-bip39 = "1.0.0" tokio = { version = "1.18.5", features = ["full"] } @@ -71,10 +71,9 @@ shellwords = "1" serial_test = "2.0.0" [features] -static-ssl = ["openssl/vendored"] hsm = ["dep:ic-identity-hsm"] ledger = ["dep:hidapi", "dep:ledger-apdu", "dep:ledger-transport-hid"] -default = ["static-ssl", "hsm", "ledger"] +default = ["hsm", "ledger"] [profile.release] opt-level = 2 diff --git a/README.md b/README.md index d8aefeb6..6d2a984a 100644 --- a/README.md +++ b/README.md 
@@ -126,22 +126,15 @@ cargo build --release --locked After this, find the binary at `target/release/quill`. -Quill has three optional features, all activated by default: +Quill has two optional features, all activated by default: -- `static-ssl`, to build OpenSSL from source instead of dynamically linking a preinstalled version (requires a C compiler) - `hsm`, to enable PKCS#11 HSM support (requires runtime dynamic linking) - `ledger`, to enable Ledger Nano support (requires runtime dynamic linking, and incompatible with armv6) -To build a version of Quill that links OpenSSL dynamically, but retains HSM support, run: - -```sh -cargo build --release --locked --no-default-features --features hsm,ledger -``` - To build a version of Quill compatible with statically-linked-only environments, such as Alpine, run: ```sh -cargo build --release --locked --no-default-features --feature static-ssl +cargo build --release --locked --no-default-features ``` ### Building with Docker/Podman diff --git a/scripts/workflows/provision-linux-build.sh b/scripts/workflows/provision-linux-build.sh index 20ca6664..9ede377c 100755 --- a/scripts/workflows/provision-linux-build.sh +++ b/scripts/workflows/provision-linux-build.sh @@ -12,4 +12,4 @@ if [[ $# = 1 ]]; then # docker fi sudo apt-get update -y -sudo apt-get install "libudev-dev${arch-}" libssl-dev -y +sudo apt-get install "libudev-dev${arch-}" -y diff --git a/scripts/workflows/provision-windows-build.ps1 b/scripts/workflows/provision-windows-build.ps1 index e280a203..12508285 100755 --- a/scripts/workflows/provision-windows-build.ps1 +++ b/scripts/workflows/provision-windows-build.ps1 @@ -1,7 +1,4 @@ Set-StrictMode -Version 2 $ErrorActionPreference = 'Stop' -vcpkg integrate install -vcpkg install openssl:x64-windows-static-md -'OPENSSL_DIR=C:\vcpkg\installed\x64-windows-static-md' >> $env:GITHUB_ENV -'OPENSSL_STATIC=Yes' >> $env:GITHUB_ENV +# nothing for now 
diff --git a/src/commands/ckbtc.rs b/src/commands/ckbtc.rs index 1967c3b9..68587131 100644 --- a/src/commands/ckbtc.rs +++ b/src/commands/ckbtc.rs @@ -4,8 +4,8 @@ use anyhow::bail; use candid::{Nat, Principal}; use clap::Subcommand; use icrc_ledger_types::icrc1::account::Account; -use openssl::sha::Sha256; use rust_decimal::Decimal; +use sha2::{Digest, Sha256}; use crate::lib::{ckbtc_minter_canister_id, AnyhowResult, AuthInfo}; @@ -83,13 +83,13 @@ impl FromStr for Btc { fn ckbtc_withdrawal_address(user: &Principal, testnet: bool) -> Account { const DOMAIN: &str = "ckbtc"; let mut hasher = Sha256::new(); - hasher.update(&[DOMAIN.len() as u8]); + hasher.update([DOMAIN.len() as u8]); hasher.update(DOMAIN.as_bytes()); hasher.update(user.as_slice()); - hasher.update(&[0; 8]); + hasher.update([0; 8]); Account { owner: ckbtc_minter_canister_id(testnet), - subaccount: Some(hasher.finish()), + subaccount: Some(hasher.finalize().into()), } } diff --git a/src/commands/claim_neurons.rs b/src/commands/claim_neurons.rs index 9828e73b..3253ff8e 100644 --- a/src/commands/claim_neurons.rs +++ b/src/commands/claim_neurons.rs @@ -5,11 +5,10 @@ use crate::lib::{ signing::{sign_ingress_with_request_status_query, IngressWithRequestId}, AnyhowResult, AuthInfo, ROLE_NNS_GTC, }; -use anyhow::anyhow; +use anyhow::{anyhow, Context}; use candid::Encode; use clap::Parser; -use openssl::bn::BigNumContext; -use openssl::ec::{EcKey, PointConversionForm}; +use k256::{elliptic_curve::sec1::ToEncodedPoint, SecretKey}; /// Claim seed neurons from the Genesis Token Canister. #[derive(Parser)] 
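Review bot: Nothing in this patch pins the bytes that `ckbtc_withdrawal_address` in src/commands/ckbtc.rs produces after the switch from `openssl::sha::Sha256` to `sha2::Sha256`. The diffstat lists no test file, so unless an existing snapshot test already covers it, a slip in the `update` order or in the `finalize().into()` conversion would change the subaccount without any build failure. Because this value is the withdrawal account on the ckBTC minter, I would add a known-answer test for a fixed principal, with the expected 32 bytes captured from the pre-change build, e.g. `assert_eq!(ckbtc_withdrawal_address(&principal, false).subaccount, Some(EXPECTED_FROM_OLD_BUILD));` (the constant is a placeholder). The same applies to the subaccount derivation changed in the last hunk of src/commands/neuron_stake.rs.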
@@ -17,16 +16,15 @@ pub struct ClaimNeuronOpts; pub fn exec(auth: &AuthInfo) -> AnyhowResult> { if let AuthInfo::PemFile(pem) = auth { - let private_key = EcKey::private_key_from_pem(pem.as_bytes())?; - let group = private_key.group(); - let public_key = EcKey::from_public_key(group, private_key.public_key())?; - let mut context = BigNumContext::new()?; - let bytes = public_key.public_key().to_bytes( - public_key.group(), - PointConversionForm::UNCOMPRESSED, - &mut context, - )?; - let sig = Encode!(&hex::encode(bytes))?; + let keyinfo = pem::parse_many(pem)? + .into_iter() + .find(|p| p.tag == "EC PRIVATE KEY") + .context("Pem file did not contain sec1 key")?; + let point = SecretKey::from_sec1_der(&keyinfo.contents) + .map_err(|e| anyhow!("could not load pem file: {e}"))? + .public_key() + .to_encoded_point(false); + let sig = Encode!(&hex::encode(point.as_bytes()))?; Ok(vec![sign_ingress_with_request_status_query( auth, diff --git a/src/commands/neuron_stake.rs b/src/commands/neuron_stake.rs index f3f6c461..42d70df1 100644 --- a/src/commands/neuron_stake.rs +++ b/src/commands/neuron_stake.rs @@ -14,6 +14,7 @@ use candid::{CandidType, Encode, Principal}; use clap::Parser; use ic_nns_constants::GOVERNANCE_CANISTER_ID; use icp_ledger::{AccountIdentifier, Subaccount, Tokens}; +use sha2::{Digest, Sha256}; #[derive(CandidType)] pub struct ClaimOrRefreshNeuronFromAccount { @@ -103,13 +104,12 @@ pub fn exec(auth: &AuthInfo, opts: StakeOpts) -> AnyhowResult Subaccount { - use openssl::sha::Sha256; let mut data = Sha256::new(); - data.update(&[0x0c]); + data.update([0x0c]); data.update(b"neuron-stake"); data.update(controller.as_slice()); - data.update(&nonce.to_be_bytes()); - Subaccount(data.finish()) + data.update(nonce.to_be_bytes()); + Subaccount(data.finalize().into()) } fn convert_name_to_nonce(name: &str) -> u64 {
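Review bot: The new key loading in `exec` (src/commands/claim_neurons.rs) accepts only a PEM block tagged `EC PRIVATE KEY`. The removed `EcKey::private_key_from_pem` call went through OpenSSL's loader, which as far as I know also read PKCS#8 `PRIVATE KEY` blocks, so a user with such a file now gets "Pem file did not contain sec1 key" with no hint about what is expected. If the narrowing is intended, the error should say so, e.g. `.context("PEM file has no EC PRIVATE KEY (SEC1) block; PKCS#8 keys are not accepted here")?`. I would also comment the bare boolean in `to_encoded_point(false)`, e.g. `// false = uncompressed SEC1 point, same as the former PointConversionForm::UNCOMPRESSED`, because the hex of that exact encoding is what gets Candid-encoded and sent. exec's body continues past the end of the hunk.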
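Review bot: `data.update([0x0c]);` in the subaccount derivation of src/commands/neuron_stake.rs hard-codes the length of the `b"neuron-stake"` tag on the next line, so the length prefix and the tag can drift apart silently if the tag is ever edited. ckbtc.rs in this same patch derives the prefix from its `DOMAIN` constant, and doing the same here keeps the domain separator self-consistent: `const DOMAIN: &[u8] = b"neuron-stake";`, `data.update([DOMAIN.len() as u8]);`, `data.update(DOMAIN);`. The output bytes stay identical, since 0x0c is already the tag's length. The function's signature is only partly visible in the hunk header.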