chore: use rcgen and rustls-webpki k256-enabled forks from Zama org#437
chore: use rcgen and rustls-webpki k256-enabled forks from Zama org#437
Conversation
mkmks
force-pushed
the
chore/upstream-rcgen-k256
branch
5 times, most recently
from
0512a98 to
ce37e4e
Compare
Consolidated Tests Results 2026-03-19 - 16:53:32Test Results
Details
test-reporter: Run #888
🎉 All tests passed!TestsView All Tests
🍂 No flaky tests in this run. Github Test Reporter by CTRF 💚 🔄 This comment has been updated |
dd23
left a comment
dd23
left a comment
There was a problem hiding this comment.
This looks good to me, but I guess for TLS-related code we should have a 2nd pair of eyes as well.
There was a problem hiding this comment.
Pull request overview
This PR successfully migrates TLS-related library forks from a personal GitHub account (mkmks) to the official Zama organization, addressing a critical security concern. The changes also reduce the number of forked dependencies by eliminating patches for rustls, rustls-pki-types, and tokio-rustls, which now use standard versions from crates.io. Additionally, rcgen is updated from 0.14.0 to 0.14.7, requiring API adaptations throughout the codebase.
Changes:
- Migrated rcgen and rustls-webpki forks from mkmks/github to zama-ai/github for better organizational ownership and security
- Removed unnecessary patches for rustls, rustls-pki-types, and tokio-rustls (now using standard crates.io versions)
- Updated rcgen from 0.14.0 to 0.14.7 and adapted code to use the new
IssuerAPI pattern for certificate signing
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| Cargo.toml | Updated patch.crates-io section to point rcgen and rustls-webpki to Zama organization forks; removed rustls, rustls-pki-types, and tokio-rustls patches; bumped rcgen to 0.14.7 and rustls-webpki to 0.103.7 |
| Cargo.lock | Reflects dependency updates with rustls 0.23.36 from crates.io instead of fork; rcgen 0.14.7 and rustls-webpki 0.103.7 from Zama forks; various transitive dependency updates |
| core/threshold/src/tls_certs.rs | Refactored certificate signing to use rcgen 0.14.7 Issuer API; updated create_ca_cert_from_signing_key signature to be generic over SigningKey trait; consolidated and simplified tests |
| core/service/src/util/key_setup/mod.rs | Adapted CA certificate generation to use new Issuer API; moved KeyPair creation before calling create_ca_cert_from_signing_key |
| core/service/src/cryptography/attestation/mod.rs | Updated TLS certificate signing to use Issuer::from_ca_cert_der instead of passing CertificateParams separately |
| core-client/Cargo.toml | Added k256, rcgen, and tokio-rustls dependencies needed for testing infrastructure |
| core-client/src/mpc_context.rs | Updated test context creation to use new rcgen Issuer API pattern |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
I just assigned @dvdplm to have a look as well. I think it would be good he also gets a bit into the TLS code :) |
dvdplm
left a comment
dvdplm
left a comment
There was a problem hiding this comment.
Overall LGTM, left some minor comments and suggestions.
mkmks
force-pushed
the
chore/upstream-rcgen-k256
branch
from
84f3e38 to
b15d10d
Compare
|
There is a security warning regarding Can we update this dependency in this PR while we're at it? |
mkmks
force-pushed
the
chore/upstream-rcgen-k256
branch
from
b15d10d to
9c8a85c
Compare
mkmks
force-pushed
the
chore/upstream-rcgen-k256
branch
from
13ceea7 to
ff137b1
Compare
|
🚀 Preview deployment is deployed in "thresholdWithEnclave" mode You can now port-forward the kms-core to run your tests locally against the preview deployment. Connect to the Tailscale cluster zws-dev: tailscale configure kubeconfig tailscale-operator-zws-dev.diplodocus-boa.ts.netPort-forward the kms-core services to run your tests locally: kubectl port-forward svc/kms-core-1-core-1 -n kms-ci-mkmks-437 50100:50100 & \
kubectl port-forward svc/kms-core-2-core-2 -n kms-ci-mkmks-437 50200:50100 & \
kubectl port-forward svc/kms-core-3-core-3 -n kms-ci-mkmks-437 50300:50100 & \
kubectl port-forward svc/kms-core-4-core-4 -n kms-ci-mkmks-437 50400:50100 &Copy config.toml from core-client to ./core-client/config/client_local_kind_threshold.toml kubectl cp kms-ci-mkmks-437/kms-core-client-0:/app/kms-core-client/config.toml ./core-client/config/client_local_kind_threshold.toml && \
sed -i '' -E 's|address = "(http://)?kms-core-([0-9]+)-[^:]+:50100"|address = "http://localhost:50\200"|' ./core-client/config/client_local_kind_threshold.toml🚀 And launch your tests: cargo nextest run --test kubernetes_test_threshold --profile ci --no-fail-fastYou can connect to the core-client with: kubectl exec kms-core-client-0 -n kms-ci-mkmks-437 -it -- /bin/bashClose your port-forwarding with: pgrep -f "kubectl port-forward" | xargs -n 1 kill |
|
🚀 Preview deployment is deployed in "thresholdWithEnclave" mode You can now port-forward the kms-core to run your tests locally against the preview deployment. Connect to the Tailscale cluster zws-dev: tailscale configure kubeconfig tailscale-operator-zws-dev.diplodocus-boa.ts.netPort-forward the kms-core services to run your tests locally: kubectl port-forward svc/kms-core-1-core-1 -n kms-ci-mkmks-437 50100:50100 & \
kubectl port-forward svc/kms-core-2-core-2 -n kms-ci-mkmks-437 50200:50100 & \
kubectl port-forward svc/kms-core-3-core-3 -n kms-ci-mkmks-437 50300:50100 & \
kubectl port-forward svc/kms-core-4-core-4 -n kms-ci-mkmks-437 50400:50100 &Copy config.toml from core-client to ./core-client/config/client_local_kind_threshold.toml kubectl cp kms-ci-mkmks-437/kms-core-client-0:/app/kms-core-client/config.toml ./core-client/config/client_local_kind_threshold.toml && \
sed -i '' -E 's|address = "(http://)?kms-core-([0-9]+)-[^:]+:50100"|address = "http://localhost:50\200"|' ./core-client/config/client_local_kind_threshold.toml🚀 And launch your tests: cargo nextest run --test kubernetes_test_threshold --profile ci --no-fail-fastYou can connect to the core-client with: kubectl exec kms-core-client-0 -n kms-ci-mkmks-437 -it -- /bin/bashClose your port-forwarding with: pgrep -f "kubectl port-forward" | xargs -n 1 kill |
|
🚀 Preview deployment is deployed in "thresholdWithEnclave" mode You can now port-forward the kms-core to run your tests locally against the preview deployment. Connect to the Tailscale cluster zws-dev: tailscale configure kubeconfig tailscale-operator-zws-dev.diplodocus-boa.ts.netPort-forward the kms-core services to run your tests locally: kubectl port-forward svc/kms-core-1-core-1 -n kms-ci-mkmks-437 50100:50100 & \
kubectl port-forward svc/kms-core-2-core-2 -n kms-ci-mkmks-437 50200:50100 & \
kubectl port-forward svc/kms-core-3-core-3 -n kms-ci-mkmks-437 50300:50100 & \
kubectl port-forward svc/kms-core-4-core-4 -n kms-ci-mkmks-437 50400:50100 &Copy config.toml from core-client to ./core-client/config/client_local_kind_threshold.toml kubectl cp kms-ci-mkmks-437/kms-core-client-0:/app/kms-core-client/config.toml ./core-client/config/client_local_kind_threshold.toml && \
sed -i '' -E 's|address = "(http://)?kms-core-([0-9]+)-[^:]+:50100"|address = "http://localhost:50\200"|' ./core-client/config/client_local_kind_threshold.toml🚀 And launch your tests: cargo nextest run --test kubernetes_test_threshold --profile ci --no-fail-fastYou can connect to the core-client with: kubectl exec kms-core-client-0 -n kms-ci-mkmks-437 -it -- /bin/bashClose your port-forwarding with: pgrep -f "kubectl port-forward" | xargs -n 1 kill |
1 similar comment
|
🚀 Preview deployment is deployed in "thresholdWithEnclave" mode You can now port-forward the kms-core to run your tests locally against the preview deployment. Connect to the Tailscale cluster zws-dev: tailscale configure kubeconfig tailscale-operator-zws-dev.diplodocus-boa.ts.netPort-forward the kms-core services to run your tests locally: kubectl port-forward svc/kms-core-1-core-1 -n kms-ci-mkmks-437 50100:50100 & \
kubectl port-forward svc/kms-core-2-core-2 -n kms-ci-mkmks-437 50200:50100 & \
kubectl port-forward svc/kms-core-3-core-3 -n kms-ci-mkmks-437 50300:50100 & \
kubectl port-forward svc/kms-core-4-core-4 -n kms-ci-mkmks-437 50400:50100 &Copy config.toml from core-client to ./core-client/config/client_local_kind_threshold.toml kubectl cp kms-ci-mkmks-437/kms-core-client-0:/app/kms-core-client/config.toml ./core-client/config/client_local_kind_threshold.toml && \
sed -i '' -E 's|address = "(http://)?kms-core-([0-9]+)-[^:]+:50100"|address = "http://localhost:50\200"|' ./core-client/config/client_local_kind_threshold.toml🚀 And launch your tests: cargo nextest run --test kubernetes_test_threshold --profile ci --no-fail-fastYou can connect to the core-client with: kubectl exec kms-core-client-0 -n kms-ci-mkmks-437 -it -- /bin/bashClose your port-forwarding with: pgrep -f "kubectl port-forward" | xargs -n 1 kill |
mkmks
force-pushed
the
chore/upstream-rcgen-k256
branch
from
e021e74 to
2295f46
Compare
|
🚀 Preview deployment is deployed in "thresholdWithEnclave" mode You can now port-forward the kms-core to run your tests locally against the preview deployment. Connect to the Tailscale cluster zws-dev: tailscale configure kubeconfig tailscale-operator-zws-dev.diplodocus-boa.ts.netPort-forward the kms-core services to run your tests locally: kubectl port-forward svc/kms-core-1-core-1 -n kms-ci-mkmks-437 50100:50100 & \
kubectl port-forward svc/kms-core-2-core-2 -n kms-ci-mkmks-437 50200:50100 & \
kubectl port-forward svc/kms-core-3-core-3 -n kms-ci-mkmks-437 50300:50100 & \
kubectl port-forward svc/kms-core-4-core-4 -n kms-ci-mkmks-437 50400:50100 &Copy config.toml from core-client to ./core-client/config/client_local_kind_threshold.toml kubectl cp kms-ci-mkmks-437/kms-core-client-0:/app/kms-core-client/config.toml ./core-client/config/client_local_kind_threshold.toml && \
sed -i '' -E 's|address = "(http://)?kms-core-([0-9]+)-[^:]+:50100"|address = "http://localhost:50\200"|' ./core-client/config/client_local_kind_threshold.toml🚀 And launch your tests: cargo nextest run --test kubernetes_test_threshold --profile ci --no-fail-fastYou can connect to the core-client with: kubectl exec kms-core-client-0 -n kms-ci-mkmks-437 -it -- /bin/bashClose your port-forwarding with: pgrep -f "kubectl port-forward" | xargs -n 1 kill |
Description of changes
KMS nodes sign the CA certificates (that are used to issue ephemeral mTLS certificates) with their ECDSA+secp256k1 signing keys.
rustlsdoesn't support the secp256k1 curve out of the box (although the underlyingaws_lc_rslibrary does), and we had to fork thercgenandrustls-webpkito enable it.Initially, the forks were hosted under my (@mkmks) Github account because the whole idea was experimental and not certain to go to production. Now, that mTLS with core signing key-derived identities is in production, and fork upstreaming run into obstacles, a better practice would be to host the forks under the Zama Github organisation.
This PR does exactly that.
NB: The
rustls-webpkiversion is stabilized at 0.103.7 in the fork because its 0.104 release has breaking architectural changes. These changes aren't final, so it wouldn't make a lot of sense to attempt to rebase our secp256k1-related changes on top of them.NB2: The
rcgenversion is bumped to 0.14.7, and there were some API changes in the 0.14 branch (surprisingly) that required some minor changes on the KMS side.Issue ticket number and link
Closes #240
PR Checklist
I attest that all checked items are satisfied. Any deviation is clearly justified above.
chore: ...).TODO(#issue).unwrap/expect/paniconly in tests or for invariant bugs (documented if present).devopslabel + infra notified + infra-team reviewer assigned.!and affected teams notified.Zeroize+ZeroizeOnDropimplemented.unsafe; if unavoidable: minimal, justified, documented, and test/fuzz covered.