Merge pull request #141 from matter-labs/use-secp256k1-instead-of-k256

Replace secp256k1 with k256 crate
2025-07-21 15:13:56 +02:00 · 2024-07-01 15:58:56 +02:00 · 2024-07-01 15:58:56 +02:00 · a8ddca7344
commit a8ddca7344
parent be6aa0c96d 78ed60b094
5 changed files with 31 additions and 12 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -2308,6 +2308,25 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "secp256k1"
+version = "0.29.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e0cc0f1cf93f4969faf3ea1c7d8a9faed25918d96affa959720823dfe86d4f3"
+dependencies = [
+ "rand",
+ "secp256k1-sys",
+]
+
+[[package]]
+name = "secp256k1-sys"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1433bd67156263443f14d603720b082dd3121779323fce20cba2aa07b874bc1b"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "semver"
 version = "1.0.23"
@ -2538,8 +2557,8 @@ name = "tee-key-preexec"
 version = "0.1.2-alpha.1"
 dependencies = [
 "anyhow",
- "k256",
 "rand",
+ "secp256k1",
 "teepot",
 "tracing",
 "tracing-log",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -34,7 +34,7 @@ getrandom = "0.2.14"
 hex = { version = "0.4.3", features = ["std"], default-features = false }
 intel-tee-quote-verification-rs = { package = "teepot-tee-quote-verification-rs", path = "crates/teepot-tee-quote-verification-rs", version = "0.2.3-alpha.1" }
 intel-tee-quote-verification-sys = { version = "0.2.1" }
-k256 = "0.13"
+secp256k1 = { version = "0.29", features = ["rand-std"] }
 log = "0.4"
 num-integer = "0.1.46"
 num-traits = "0.2.18"
--- a/bin/tee-key-preexec/Cargo.toml
+++ b/bin/tee-key-preexec/Cargo.toml
@ -10,8 +10,8 @@ repository.workspace = true

 [dependencies]
 anyhow.workspace = true
-k256.workspace = true
 rand.workspace = true
+secp256k1.workspace = true
 teepot.workspace = true
 tracing.workspace = true
 tracing-log.workspace = true
--- a/bin/tee-key-preexec/src/main.rs
+++ b/bin/tee-key-preexec/src/main.rs
@ -7,8 +7,7 @@
 #![deny(clippy::all)]

 use anyhow::{Context, Result};
-use k256::ecdsa::SigningKey;
-use k256::pkcs8::{EncodePrivateKey, LineEnding};
+use secp256k1::{rand, Keypair, PublicKey, Secp256k1, SecretKey};

 use std::env;
 use std::os::unix::process::CommandExt;
@ -38,10 +37,12 @@ fn main_with_error() -> Result<()> {
    }

    let mut rng = rand::thread_rng();
-    let signing_key = SigningKey::random(&mut rng);
-    let verifying_key_bytes = signing_key.verifying_key().to_sec1_bytes();
-    let signing_key_string = signing_key.to_pkcs8_pem(LineEnding::LF)?;
-    let tee_type = match get_quote(&verifying_key_bytes) {
+    let secp = Secp256k1::new();
+    let keypair = Keypair::new(&secp, &mut rng);
+    let signing_key = SecretKey::from_keypair(&keypair);
+    let verifying_key = PublicKey::from_keypair(&keypair);
+    let verifying_key_bytes = verifying_key.serialize();
+    let tee_type = match get_quote(verifying_key_bytes.as_ref()) {
        Ok(quote) => {
            // save quote to file
            std::fs::write(TEE_QUOTE_FILE, quote)?;
@ -56,7 +57,7 @@ fn main_with_error() -> Result<()> {

    let err = Command::new(&args[1])
        .args(&args[2..])
-        .env("TEE_SIGNING_KEY", signing_key_string)
+        .env("TEE_SIGNING_KEY", signing_key.display_secret().to_string())
        .env("TEE_QUOTE_FILE", TEE_QUOTE_FILE)
        .env("TEE_TYPE", tee_type)
        .exec();
--- a/deny.toml
+++ b/deny.toml
@ -29,11 +29,10 @@ allow = [
  "Unlicense",
  "MPL-2.0",
  "Unicode-DFS-2016",
-  #  "CC0-1.0", # not yet seen
  "BSD-2-Clause",
  "BSD-3-Clause",
  "OpenSSL",
-  "Unicode-3.0",
+  "CC0-1.0",
 ]
 deny = []
 allow-osi-fsf-free = "neither"