diff --git a/Cargo.lock b/Cargo.lock index 07d7fc5ac5..64e2eaca47 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2895,6 +2895,7 @@ dependencies = [ "openmls_basic_credential", "rand", "sha2", + "zeroize", ] [[package]] diff --git a/crypto/src/mls/credential/mod.rs b/crypto/src/mls/credential/mod.rs index d72c1f83c1..38379793c1 100644 --- a/crypto/src/mls/credential/mod.rs +++ b/crypto/src/mls/credential/mod.rs @@ -312,7 +312,7 @@ mod tests { let new_pki_kp = PkiKeypair::rand_unchecked(case.signature_scheme()); let eve_key = CertificatePrivateKey { - value: new_pki_kp.signing_key_bytes(), + value: new_pki_kp.signing_key_bytes().into(), signature_scheme: case.ciphersuite().signature_algorithm(), }; let cb = CertificateBundle { diff --git a/crypto/src/mls/credential/x509.rs b/crypto/src/mls/credential/x509.rs index 4fc5f73c79..7fcf34c612 100644 --- a/crypto/src/mls/credential/x509.rs +++ b/crypto/src/mls/credential/x509.rs @@ -10,19 +10,17 @@ use openmls_x509_credential::CertificateKeyPair; use wire_e2e_identity::prelude::{HashAlgorithm, WireIdentityReader}; #[cfg(test)] use x509_cert::der::Encode; -use zeroize::Zeroize; +use zeroize::Zeroizing; use super::{Error, Result}; #[cfg(test)] use crate::test_utils::x509::X509Certificate; use crate::{ClientId, Credential, CredentialType, MlsError, RecursiveError, e2e_identity::id::WireQualifiedClientId}; -#[derive(core_crypto_macros::Debug, Clone, Zeroize)] -#[zeroize(drop)] +#[derive(core_crypto_macros::Debug, Clone)] pub struct CertificatePrivateKey { #[sensitive] - pub(crate) value: Vec, - #[zeroize(skip)] + pub(crate) value: Zeroizing>, pub(crate) signature_scheme: SignatureScheme, } @@ -210,7 +208,7 @@ impl CertificateBundle { Self { certificate_chain: vec![cert.certificate.to_der().unwrap(), issuer.certificate.to_der().unwrap()], private_key: CertificatePrivateKey { - value: cert.pki_keypair.signing_key_bytes(), + value: cert.pki_keypair.signing_key_bytes().into(), signature_scheme: cert.signature_scheme, }, } diff --git a/crypto/src/mls/session/mod.rs b/crypto/src/mls/session/mod.rs index 662ec5ea48..581cd532aa 100644 --- a/crypto/src/mls/session/mod.rs +++ b/crypto/src/mls/session/mod.rs @@ -18,7 +18,6 @@ pub(crate) use error::{Error, Result}; pub use history_observer::HistoryObserver; use identities::Identities; use key_package::KEYPACKAGE_DEFAULT_LIFETIME; -use log::debug; use mls_crypto_provider::{EntropySeed, MlsCryptoProvider}; use openmls_traits::{OpenMlsCryptoProvider, types::SignatureScheme}; diff --git a/crypto/src/test_utils/mod.rs b/crypto/src/test_utils/mod.rs index 63cefa9f1c..11d2deb407 100644 --- a/crypto/src/test_utils/mod.rs +++ b/crypto/src/test_utils/mod.rs @@ -81,7 +81,6 @@ macro_rules! innermost_source_matches { outcome }}; } -pub(crate) use innermost_source_matches; use crate::{RecursiveError::Test, ephemeral::HistorySecret, test_utils::TestError::ImplementationError}; @@ -208,7 +207,7 @@ impl SessionContext { certificate_chain: vec![cert_der], private_key: crate::mls::credential::x509::CertificatePrivateKey { signature_scheme, - value: actor_cert.pki_keypair.signing_key_bytes(), + value: actor_cert.pki_keypair.signing_key_bytes().into(), }, } } diff --git a/crypto/src/transaction_context/e2e_identity/mod.rs b/crypto/src/transaction_context/e2e_identity/mod.rs index f4bab17d2f..709aadc188 100644 --- a/crypto/src/transaction_context/e2e_identity/mod.rs +++ b/crypto/src/transaction_context/e2e_identity/mod.rs @@ -89,7 +89,7 @@ impl TransactionContext { let crl_new_distribution_points = self.extract_dp_on_init(&certificate_chain[..]).await?; let private_key = CertificatePrivateKey { - value: sk, + value: sk.into(), signature_scheme: cs.signature_algorithm(), }; diff --git a/crypto/src/transaction_context/e2e_identity/rotate.rs b/crypto/src/transaction_context/e2e_identity/rotate.rs index da65f88cd2..08d4914e92 100644 --- a/crypto/src/transaction_context/e2e_identity/rotate.rs +++ b/crypto/src/transaction_context/e2e_identity/rotate.rs @@ -155,7 +155,7 @@ impl TransactionContext { .map_err(RecursiveError::e2e_identity("getting certificate response"))?; let private_key = CertificatePrivateKey { - value: sk, + value: sk.into(), signature_scheme, }; diff --git a/obfuscate/Cargo.toml b/obfuscate/Cargo.toml index 697b2887a2..315db0c3d0 100644 --- a/obfuscate/Cargo.toml +++ b/obfuscate/Cargo.toml @@ -12,6 +12,7 @@ openmls = { workspace = true, optional = true } openmls_basic_credential = { workspace = true, optional = true } rand.workspace = true sha2.workspace = true +zeroize.workspace = true [lints] workspace = true diff --git a/obfuscate/src/lib.rs b/obfuscate/src/lib.rs index 6676376526..8631f1b0c0 100644 --- a/obfuscate/src/lib.rs +++ b/obfuscate/src/lib.rs @@ -1,4 +1,4 @@ -use std::{fmt::Formatter, sync::LazyLock}; +use std::{fmt::Formatter, ops::Deref, sync::LazyLock}; use derive_more::From; use log::kv::{ToValue, Value}; @@ -50,3 +50,12 @@ impl<'a, T: Obfuscate> ToValue for Obfuscated<'a, T> { Value::from_debug(self) } } + +impl Obfuscate for zeroize::Zeroizing +where + T: Obfuscate + zeroize::Zeroize, +{ + fn obfuscate(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { + self.deref().obfuscate(f) + } +} diff --git a/rust-toolchain.toml b/rust-toolchain.toml index 44d71e452e..5246c9d371 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -1,5 +1,5 @@ [toolchain] -channel = "nightly-2025-08-24" +channel = "nightly-2025-11-25" components = [ "rust-analyzer", "cargo",