refactor(rng): converge ecdsa off legacy rand line

[EffortlessSteven]

Summary

This is the first crypto-edge convergence step on top of #260: move uselesskey-ecdsa off the legacy rand 0.8 / rand_core 0.6 line and onto the current RNG aliases plus the corresponding RustCrypto RC curve stack.

What changed

• switched uselesskey-ecdsa from local legacy RNG deps to:
  • rand_chacha10.workspace
  • rand_core10.workspace
• upgraded the crate's direct curve deps to the current RustCrypto RC line:
  • p256 = 0.14.0-rc.8
  • p384 = 0.14.0-rc.8
  • elliptic-curve = 0.14.0-rc.29
• updated the ECDSA implementation/tests for the RC API changes:
  • Generate::try_generate_from_rng
  • to_sec1_point
• refreshed the root comment so the remaining localized legacy line reflects reality after ECDSA moves

Why

After #260, the legacy RNG line is no longer workspace-scoped. This PR proves one crypto-edge crate can actually converge without drifting deterministic fixture identity.

The important claim here is not just compilation. The existing deterministic regression harness still passes after the dependency move.

Stacked on #260.
Refs #257.

Testing

• cargo test -p uselesskey-ecdsa --all-features
• cargo test -p uselesskey-integration-tests --features determinism-regression --test determinism_regression
• cargo xtask gate

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9f98cb47-02ed-487d-a587-a9dc9e4cef85

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch rng-converge-ecdsa

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request initiates the convergence of cryptographic components by migrating the uselesskey-ecdsa crate off its legacy random number generator (RNG) dependencies. It transitions to the modern RustCrypto RC curve stack and updated RNG aliases, ensuring that the existing deterministic regression harness continues to pass, thereby proving that a crypto-edge crate can converge without altering deterministic fixture identity. This change is a foundational step for broader cryptographic library updates.

Highlights

• RNG Dependency Update: Switched uselesskey-ecdsa from local legacy rand 0.8 / rand_core 0.6 dependencies to rand_chacha10.workspace and rand_core10.workspace.
• RustCrypto Curve Stack Upgrade: Upgraded the crate's direct curve dependencies to the current RustCrypto RC line, specifically p256 = 0.14.0-rc.8, p384 = 0.14.0-rc.8, and elliptic-curve = 0.14.0-rc.29.
• ECDSA API Adaptation: Updated the ECDSA implementation and tests to reflect the new RustCrypto API changes, including Generate::try_generate_from_rng and to_sec1_point.
• Documentation Refresh: Refreshed the root comment in Cargo.toml to accurately reflect the remaining localized legacy RNG lines after the ECDSA changes.

Changelog

• Cargo.lock
  • Updated numerous dependency versions across the project, including crypto-common, digest, fiat-crypto, hmac, pkcs8, rfc6979, sha2, signature, spki, sec1, elliptic-curve, p256, p384, primeorder, rand_chacha, and rand_core.
  • Added new packages such as base16ct, block-buffer, cmov, const-oid, cpubits, crypto-bigint, ctutils, der, hybrid-array, pem-rfc7468, primefield, rustcrypto-ff, and rustcrypto-group to the dependency tree.
• Cargo.toml
  • Updated a comment regarding the localization of direct legacy RNG dependencies, removing uselesskey-ecdsa from the list.
• crates/uselesskey-ecdsa/Cargo.toml
  • Updated the versions of p256, p384, and elliptic-curve to their respective 0.14.0-rc versions.
  • Replaced rand_chacha and rand_core with workspace-defined rand_chacha10.workspace and rand_core10.workspace.
• crates/uselesskey-ecdsa/src/keypair.rs
  • Updated use statements to include elliptic_curve::Generate and changed RNG imports to rand_chacha10 and rand_core10.
  • Modified key generation logic from SigningKey::random to SigningKey::try_generate_from_rng for P-256 and P-384 keys.
  • Changed the method for obtaining public key points from to_encoded_point to to_sec1_point for both P-256 and P-384.
• crates/uselesskey-ecdsa/tests/jwk_private.rs
  • Updated public key encoding in tests from ToEncodedPoint to ToSec1Point for both P-256 and P-384 specifications.

Activity

• No human activity has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors uselesskey-ecdsa to use the current RNG stack, moving it off the legacy rand 0.8 line. The changes involve updating several cryptographic dependencies to their release candidate versions and adapting the code to their new APIs. The changes are well-contained and align with the PR's goal. My review focuses on a maintainability improvement regarding the naming of the updated RNG dependencies, suggesting a more idiomatic approach to improve clarity for future contributors.

[gemini-code-assist]

The dependency names rand_chacha10 and rand_core10 are unconventional and could be confusing for future maintainers, as they don't match the actual crate names on crates.io. It's more idiomatic to use the original crate names, which can be done by aliasing the workspace dependencies here. This improves readability and aligns with common Rust practices.

Applying this suggestion will require updating the corresponding use statements and type paths in src/keypair.rs.

Suggested change

	rand_chacha10.workspace = true
	rand_core10.workspace = true
	rand_chacha = { workspace = true, package = "rand_chacha10" }
	rand_core = { workspace = true, package = "rand_core10" }

[gemini-code-assist]

To align with the suggested change in Cargo.toml of using idiomatic crate names, these use statements should be updated to refer to rand_chacha and rand_core.

Suggested change

	use rand_chacha10::ChaCha20Rng;
	use rand_core10::SeedableRng;
	use rand_chacha::ChaCha20Rng;
	use rand_core::SeedableRng;

[gemini-code-assist]

To align with the suggested change in Cargo.toml of using idiomatic crate names, the type path for the rng parameter should be updated to use rand_core.

Suggested change

	fn generate_p256(spec: EcdsaSpec, rng: &mut impl rand_core10::CryptoRng) -> Inner {
	fn generate_p256(spec: EcdsaSpec, rng: &mut impl rand_core::CryptoRng) -> Inner {

[gemini-code-assist]

To align with the suggested change in Cargo.toml of using idiomatic crate names, the type path for the rng parameter should be updated to use rand_core.

Suggested change

	fn generate_p384(spec: EcdsaSpec, rng: &mut impl rand_core10::CryptoRng) -> Inner {
	fn generate_p384(spec: EcdsaSpec, rng: &mut impl rand_core::CryptoRng) -> Inner {