Merge pull-request #440

tkhq · May 8, 2024 · d4602a0 · d4602a0
2 parents 498594e + 9dfc334
commit d4602a0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/src/qos_nsm/src/nitro/mod.rs b/src/qos_nsm/src/nitro/mod.rs
@@ -27,15 +27,15 @@ static AWS_NITRO_CERT_SIG_ALG: &[&webpki::SignatureAlgorithm] =
 	&[&webpki::ECDSA_P384_SHA384];
 
 /// AWS Nitro root CA certificate.
-/// 
-/// The root certificate can be downloaded from 
-/// <https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip>, 
+///
+/// The root certificate can be downloaded from
+/// <https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip>,
 /// and it can be verified using the following SHA256 checksum:
 /// `8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c`.
 /// This official hash checksum is over the AWS-provided zip file.
 /// For context and additional verification details, see
 /// <https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html/>.
-/// 
+///
 /// The `aws_root_cert.pem` contents hash as follows via SHA256:
 /// `6eb9688305e4bbca67f44b59c29a0661ae930f09b5945b5d1d9ae01125c8d6c0`.
 pub const AWS_ROOT_CERT_PEM: &[u8] =

diff --git a/src/qos_p256/src/encrypt.rs b/src/qos_p256/src/encrypt.rs
@@ -233,12 +233,22 @@ impl P256EncryptPublic {
 struct SenderPublic<'a>(&'a [u8]);
 struct ReceiverPublic<'a>(&'a [u8]);
 
+/// This is the input into [`create_cipher`] for creating a shared secret.
+/// It provides the option of either a) giving inputs for ECDH or b) providing
+/// a shared secret directly.
+///
+/// This allows us to avoid duplicating logic for deriving the shared key.
 enum PrivPubOrSharedSecret<'a> {
+	/// Inputs for using Diffie–Hellman to create a shared secret.
+	/// Note that this is not a classical private & public keypair.
+	/// Instead, the public key represents the remote party of the ECDH
+	/// operation.
 	PrivPub { private: &'a SecretKey, public: &'a PublicKey },
+	/// This will be used as is as a shared secret.
 	SharedSecret { shared_secret: &'a [u8] },
 }
 
-// Helper function to create the `Aes256Gcm` cypher.
+/// Helper function to create the `Aes256Gcm` cipher.
 fn create_cipher(
 	shared_secret: &PrivPubOrSharedSecret,
 	ephemeral_sender_public: &SenderPublic,
@@ -275,8 +285,8 @@ fn create_cipher(
 		.map_err(|_| P256Error::FailedToCreateAes256GcmCipher)
 }
 
-// Helper function to create the additional associated data (AAD). The data is
-// of the form
+/// Helper function to create the additional associated data (AAD). The data is
+/// of the form
 /// `sender_public||sender_public_len||receiver_public||receiver_public_len`.
 ///
 /// Note that we append the length to each field as per NIST specs here: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf/>. See section 5.8.2.