From 6f6665ffd9f76fbbed45dca8853270a977ea6428 Mon Sep 17 00:00:00 2001
From: Zeke Mostov
Date: Fri, 8 Mar 2024 12:52:14 -0500
Subject: [PATCH 1/2] Update internal docs for qos_p256 create_cipher

---
 src/qos_p256/src/encrypt.rs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/qos_p256/src/encrypt.rs b/src/qos_p256/src/encrypt.rs
index c032facc..5afbeb4d 100644
--- a/src/qos_p256/src/encrypt.rs
+++ b/src/qos_p256/src/encrypt.rs
@@ -233,12 +233,21 @@ impl P256EncryptPublic {
 struct SenderPublic<'a>(&'a [u8]);
 struct ReceiverPublic<'a>(&'a [u8]);
 
+/// This is the input into [`create_cipher`] for creating a shared secret.
+/// It provides the option of either a) giving inputs for ECDH or b) providing
+/// a shared secret directly.
+///
+/// This allows us to avoid duplicating logic for deriving the shared key.
 enum PrivPubOrSharedSecret<'a> {
+/// Inputs for using Diffie–Hellman to create a shared secret.
+/// Note that this is not a classical private & public keypair.
+/// Instead, the public key represents the remote party of the ECDH operation.
 PrivPub { private: &'a SecretKey, public: &'a PublicKey },
+ /// This will be used as is as a shared secret.
 SharedSecret { shared_secret: &'a [u8] },
 }
 
-// Helper function to create the `Aes256Gcm` cypher.
+/// Helper function to create the `Aes256Gcm` cipher.
 fn create_cipher(
 shared_secret: &PrivPubOrSharedSecret,
 ephemeral_sender_public: &SenderPublic,
@@ -275,8 +284,8 @@ fn create_cipher(
 .map_err(|_| P256Error::FailedToCreateAes256GcmCipher)
 }
 
-// Helper function to create the additional associated data (AAD). The data is
-// of the form
+/// Helper function to create the additional associated data (AAD). The data is
+/// of the form
 /// `sender_public||sender_public_len||receiver_public||receiver_public_len`.
 ///
 /// Note that we append the length to each field as per NIST specs here: . See section 5.8.2.
From 9dfc33433debcf6fec8f4c7fdd0470b0829ebbe1 Mon Sep 17 00:00:00 2001
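Review bot: The doc added on the `SharedSecret` variant of `PrivPubOrSharedSecret` (first hunk of PATCH 1/2) says the bytes are "used as is" but never states what they must be, and the field is an unconstrained `&'a [u8]`. Since this value presumably stands in for the ECDH output from which `create_cipher` derives the AES-256-GCM key, the comment should spell out the caller's obligation, for example `/// Raw ECDH shared secret computed elsewhere for the same sender and receiver keys; used unchanged as key-derivation input, so it must be the full, untruncated ECDH output.` Most of `create_cipher`'s body lies outside the visible hunks, so whether it checks the length of this slice cannot be confirmed from here; if it does not, rejecting an empty or wrong-length secret before key derivation would be worth adding.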
From: Zeke Mostov
Date: Wed, 8 May 2024 19:34:52 -0400
Subject: [PATCH 2/2] cargo fmt

---
 src/qos_nsm/src/nitro/mod.rs | 8 ++++----
 src/qos_p256/src/encrypt.rs | 7 ++++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/qos_nsm/src/nitro/mod.rs b/src/qos_nsm/src/nitro/mod.rs
index 12526e28..be7fb093 100644
--- a/src/qos_nsm/src/nitro/mod.rs
+++ b/src/qos_nsm/src/nitro/mod.rs
@@ -27,15 +27,15 @@ static AWS_NITRO_CERT_SIG_ALG: &[&webpki::SignatureAlgorithm] =
 &[&webpki::ECDSA_P384_SHA384];
 
 /// AWS Nitro root CA certificate.
-///
-/// The root certificate can be downloaded from
-/// ,
+///
+/// The root certificate can be downloaded from
+/// ,
 /// and it can be verified using the following SHA256 checksum:
 /// `8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c`.
 /// This official hash checksum is over the AWS-provided zip file.
 /// For context and additional verification details, see
 /// .
-///
+///
 /// The `aws_root_cert.pem` contents hash as follows via SHA256:
 /// `6eb9688305e4bbca67f44b59c29a0661ae930f09b5945b5d1d9ae01125c8d6c0`.
 pub const AWS_ROOT_CERT_PEM: &[u8] =
diff --git a/src/qos_p256/src/encrypt.rs b/src/qos_p256/src/encrypt.rs
index 5afbeb4d..bfbb666c 100644
--- a/src/qos_p256/src/encrypt.rs
+++ b/src/qos_p256/src/encrypt.rs
@@ -239,9 +239,10 @@ struct ReceiverPublic<'a>(&'a [u8]);
 ///
 /// This allows us to avoid duplicating logic for deriving the shared key.
 enum PrivPubOrSharedSecret<'a> {
-/// Inputs for using Diffie–Hellman to create a shared secret.
-/// Note that this is not a classical private & public keypair.
-/// Instead, the public key represents the remote party of the ECDH operation.
+ /// Inputs for using Diffie–Hellman to create a shared secret.
+ /// Note that this is not a classical private & public keypair.
+ /// Instead, the public key represents the remote party of the ECDH
+ /// operation.
 PrivPub { private: &'a SecretKey, public: &'a PublicKey },
 /// This will be used as is as a shared secret.
 SharedSecret { shared_secret: &'a [u8] },