chore: Remove OpenSSL dependency

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
             cross: true
             target_file: target/x86_64-unknown-linux-musl/release/quill
             asset_name: quill-linux-x86_64-musl
-            features: [static-ssl]
+            features: []
           - os: windows-latest
             name: windows
             target_file: target/release/quill.exe
@@ -40,7 +40,7 @@ jobs:
             cross: true
             target_file: target/arm-unknown-linux-gnueabihf/release/quill
             asset_name: quill-linux-arm32
-            features: [static-ssl, hsm]
+            features: [hsm]
           - os: ubuntu-latest
             name: linux
             target_file: target/release/quill
@@ -78,7 +78,7 @@ jobs:
           command: build
           args: |
             ${{ matrix.target && format('--target {0}', matrix.target) }} 
-            ${{ matrix.features && format('--no-default-features --features {0}', join(matrix.features)) }}
+            ${{ matrix.features && format('--no-default-features --features "{0}"', join(matrix.features)) }}
             --release --locked
 
       - name: Upload binaries to release

CONTRIBUTING.md

@@ -30,4 +30,4 @@ Every change to the command-line interface must contain documentation; we use `c
 
 ## Miscellaneous
 
-Quill employs optional Cargo features for different platforms. Ensure your contribution builds (and lints) on all configurations - this can be automated with the [`cargo-hack`](https://github.com/taiki-e/cargo-hack) tool, as `cargo hack clippy --feature-powerset --features static-ssl`.
+Quill employs optional Cargo features for different platforms. Ensure your contribution builds (and lints) on all configurations - this can be automated with the [`cargo-hack`](https://github.com/taiki-e/cargo-hack) tool, as `cargo hack clippy --feature-powerset`.

Cargo.toml

@@ -49,7 +49,6 @@ ledger-apdu = { version = "0.10", optional = true }
 ledger-transport-hid = { version = "0.10", optional = true }
 num-bigint = "0.4.3"
 once_cell = "1.17.1"
-openssl = "0.10.48"
 pem = "1.0.1"
 qrcodegen = "1.8"
 rand = { version = "0.8.4", features = ["getrandom"] }
@@ -61,6 +60,7 @@ serde = { version = "1.0.130", features = ["derive"] }
 serde_bytes = "0.11.2"
 serde_cbor = "0.11.2"
 serde_json = "1.0.57"
+sha2 = "0.10.8"
 sha3 = "0.10.6"
 tiny-bip39 = "1.0.0"
 tokio = { version = "1.18.5", features = ["full"] }
@@ -71,10 +71,9 @@ shellwords = "1"
 serial_test = "2.0.0"
 
 [features]
-static-ssl = ["openssl/vendored"]
 hsm = ["dep:ic-identity-hsm"]
 ledger = ["dep:hidapi", "dep:ledger-apdu", "dep:ledger-transport-hid"]
-default = ["static-ssl", "hsm", "ledger"]
+default = ["hsm", "ledger"]
 
 [profile.release]
 opt-level = 2

README.md

@@ -126,22 +126,15 @@ cargo build --release --locked
 
 After this, find the binary at `target/release/quill`.
 
-Quill has three optional features, all activated by default:
+Quill has two optional features, all activated by default:
 
-- `static-ssl`, to build OpenSSL from source instead of dynamically linking a preinstalled version (requires a C compiler)
 - `hsm`, to enable PKCS#11 HSM support (requires runtime dynamic linking)
 - `ledger`, to enable Ledger Nano support (requires runtime dynamic linking, and incompatible with armv6)
 
-To build a version of Quill that links OpenSSL dynamically, but retains HSM support, run:
-
-```sh
-cargo build --release --locked --no-default-features --features hsm,ledger
-```
-
 To build a version of Quill compatible with statically-linked-only environments, such as Alpine, run:
 
 ```sh
-cargo build --release --locked --no-default-features --feature static-ssl
+cargo build --release --locked --no-default-features
 ```
 
 ### Building with Docker/Podman

scripts/workflows/provision-linux-build.sh

@@ -12,4 +12,4 @@ if [[ $# = 1 ]]; then # docker
 fi
 
 sudo apt-get update -y
-sudo apt-get install "libudev-dev${arch-}" libssl-dev -y
+sudo apt-get install "libudev-dev${arch-}" -y

scripts/workflows/provision-windows-build.ps1

@@ -1,7 +1,4 @@
 Set-StrictMode -Version 2
 $ErrorActionPreference = 'Stop'
 
-vcpkg integrate install
-vcpkg install openssl:x64-windows-static-md
-'OPENSSL_DIR=C:\vcpkg\installed\x64-windows-static-md' >> $env:GITHUB_ENV
-'OPENSSL_STATIC=Yes' >> $env:GITHUB_ENV
+# nothing for now

src/commands/ckbtc.rs

@@ -4,8 +4,8 @@ use anyhow::bail;
 use candid::{Nat, Principal};
 use clap::Subcommand;
 use icrc_ledger_types::icrc1::account::Account;
-use openssl::sha::Sha256;
 use rust_decimal::Decimal;
+use sha2::{Digest, Sha256};
 
 use crate::lib::{ckbtc_minter_canister_id, AnyhowResult, AuthInfo};
 
@@ -83,13 +83,13 @@ impl FromStr for Btc {
 fn ckbtc_withdrawal_address(user: &Principal, testnet: bool) -> Account {
     const DOMAIN: &str = "ckbtc";
     let mut hasher = Sha256::new();
-    hasher.update(&[DOMAIN.len() as u8]);
+    hasher.update([DOMAIN.len() as u8]);
     hasher.update(DOMAIN.as_bytes());
     hasher.update(user.as_slice());
-    hasher.update(&[0; 8]);
+    hasher.update([0; 8]);
     Account {
         owner: ckbtc_minter_canister_id(testnet),
-        subaccount: Some(hasher.finish()),
+        subaccount: Some(hasher.finalize().into()),
     }
 }
 

src/commands/claim_neurons.rs

@@ -5,28 +5,26 @@ use crate::lib::{
     signing::{sign_ingress_with_request_status_query, IngressWithRequestId},
     AnyhowResult, AuthInfo, ROLE_NNS_GTC,
 };
-use anyhow::anyhow;
+use anyhow::{anyhow, Context};
 use candid::Encode;
 use clap::Parser;
-use openssl::bn::BigNumContext;
-use openssl::ec::{EcKey, PointConversionForm};
+use k256::{elliptic_curve::sec1::ToEncodedPoint, SecretKey};
 
 /// Claim seed neurons from the Genesis Token Canister.
 #[derive(Parser)]
 pub struct ClaimNeuronOpts;
 
 pub fn exec(auth: &AuthInfo) -> AnyhowResult<Vec<IngressWithRequestId>> {
     if let AuthInfo::PemFile(pem) = auth {
-        let private_key = EcKey::private_key_from_pem(pem.as_bytes())?;
-        let group = private_key.group();
-        let public_key = EcKey::from_public_key(group, private_key.public_key())?;
-        let mut context = BigNumContext::new()?;
-        let bytes = public_key.public_key().to_bytes(
-            public_key.group(),
-            PointConversionForm::UNCOMPRESSED,
-            &mut context,
-        )?;
-        let sig = Encode!(&hex::encode(bytes))?;
+        let keyinfo = pem::parse_many(pem)?
+            .into_iter()
+            .find(|p| p.tag == "EC PRIVATE KEY")
+            .context("Pem file did not contain sec1 key")?;
+        let point = SecretKey::from_sec1_der(&keyinfo.contents)
+            .map_err(|e| anyhow!("could not load pem file: {e}"))?
+            .public_key()
+            .to_encoded_point(false);
+        let sig = Encode!(&hex::encode(point.as_bytes()))?;
 
         Ok(vec![sign_ingress_with_request_status_query(
             auth,

src/commands/neuron_stake.rs

@@ -14,6 +14,7 @@ use candid::{CandidType, Encode, Principal};
 use clap::Parser;
 use ic_nns_constants::GOVERNANCE_CANISTER_ID;
 use icp_ledger::{AccountIdentifier, Subaccount, Tokens};
+use sha2::{Digest, Sha256};
 
 #[derive(CandidType)]
 pub struct ClaimOrRefreshNeuronFromAccount {
@@ -103,13 +104,12 @@ pub fn exec(auth: &AuthInfo, opts: StakeOpts) -> AnyhowResult<Vec<IngressWithReq
 // This function _must_ correspond to how the governance canister computes the
 // subaccount.
 fn get_neuron_subaccount(controller: &Principal, nonce: u64) -> Subaccount {
-    use openssl::sha::Sha256;
     let mut data = Sha256::new();
-    data.update(&[0x0c]);
+    data.update([0x0c]);
     data.update(b"neuron-stake");
     data.update(controller.as_slice());
-    data.update(&nonce.to_be_bytes());
-    Subaccount(data.finish())
+    data.update(nonce.to_be_bytes());
+    Subaccount(data.finalize().into())
 }
 
 fn convert_name_to_nonce(name: &str) -> u64 {