parallaxsecond · baloo · Jan 28, 2025 · Jan 25, 2025 · Oct 10, 2025
diff --git a/.clippy.toml b/.clippy.toml
@@ -1 +1 @@
-msrv = "1.76.0"
+msrv = "1.85.0"
diff --git a/.codespellrc b/.codespellrc
@@ -1,3 +1,3 @@
 [codespell]
 skip = .git,target,Cargo.lock
-ignore-words-list = acsend,crate,keypair,daa,de,ser
+ignore-words-list = acsend,crate,keypair,inout,daa,de,ser
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
       - name: Build the container
         run: docker build -t ubuntucontainer tss-esapi/tests/ --file tss-esapi/tests/Dockerfile-ubuntu --target tpm2-tools
       - name: Run the container
-        run: docker run -v $(pwd):/tmp/rust-tss-esapi -w /tmp/rust-tss-esapi/tss-esapi --env RUST_TOOLCHAIN_VERSION=1.76.0 ubuntucontainer /tmp/rust-tss-esapi/tss-esapi/tests/all-ubuntu.sh
+        run: docker run -v $(pwd):/tmp/rust-tss-esapi -w /tmp/rust-tss-esapi/tss-esapi --env RUST_TOOLCHAIN_VERSION=1.85.0 ubuntucontainer /tmp/rust-tss-esapi/tss-esapi/tests/all-ubuntu.sh
   # All in one job as I think it is a big overhead to build and run the Docker
   # container?
   tests-ubuntu:
@@ -118,7 +118,7 @@ jobs:
       - name: Build the container
         run: docker build -t ubuntucontainer tss-esapi/tests/ --file tss-esapi/tests/Dockerfile-ubuntu  --target tpm2-tss
       - name: Check Clippy lints MSRV
-        run: docker run -v $(pwd):/tmp/rust-tss-esapi -w /tmp/rust-tss-esapi/tss-esapi --env RUST_TOOLCHAIN_VERSION=1.76.0 ubuntucontainer /tmp/rust-tss-esapi/tss-esapi/tests/lint-checks.sh
+        run: docker run -v $(pwd):/tmp/rust-tss-esapi -w /tmp/rust-tss-esapi/tss-esapi --env RUST_TOOLCHAIN_VERSION=1.85.0 ubuntucontainer /tmp/rust-tss-esapi/tss-esapi/tests/lint-checks.sh
       - name: Check Clippy lints latest
         run: docker run -v $(pwd):/tmp/rust-tss-esapi -w /tmp/rust-tss-esapi/tss-esapi ubuntucontainer /tmp/rust-tss-esapi/tss-esapi/tests/lint-checks.sh
 

diff --git a/tss-esapi-sys/Cargo.toml b/tss-esapi-sys/Cargo.toml
@@ -11,7 +11,7 @@ license = "Apache-2.0"
 repository = "https://github.com/parallaxsecond/rust-tss-esapi"
 documentation = "https://docs.rs/crate/tss-esapi-sys"
 links = "tss2-esys"
-rust-version = "1.76.0"
+rust-version = "1.85.0"
 
 [build-dependencies]
 bindgen = { version = "0.72.0", optional = true }

diff --git a/tss-esapi/Cargo.toml b/tss-esapi/Cargo.toml
@@ -10,7 +10,7 @@ categories = ["api-bindings", "external-ffi-bindings", "cryptography"]
 license = "Apache-2.0"
 repository = "https://github.com/parallaxsecond/rust-tss-esapi"
 documentation = "https://docs.rs/crate/tss-esapi"
-rust-version = "1.76.0"
+rust-version = "1.85.0"
 
 [[example]]
 name = "hmac"
@@ -32,50 +32,67 @@ num-derive = "0.4.2"
 num-traits = "0.2.12"
 hostname-validator = "1.1.0"
 regex = "1.3.9"
-zeroize = { version = "1.5.7", features = ["zeroize_derive"] }
+zeroize = { version = "1.8.2", features = ["zeroize_derive"] }
 tss-esapi-sys = { path = "../tss-esapi-sys", version = "0.6.0-alpha.1" }
-x509-cert = { version = "0.2.0", optional = true }
-ecdsa = { version = "0.16.9", features = [
+x509-cert = { version = "0.3.0-rc.3", optional = true }
+aes = { version = "0.9.0-rc.2", optional = true }
+byte-strings = { version = "0.3.1", optional = true }
+camellia = { version = "0.2.0-rc.0", optional = true }
+cfb-mode = { version = "0.9.0-rc.1", optional = true }
+cipher = { version = "0.5.0-rc.3", optional = true, default-features = false, features = ["zeroize"] }
+ecdsa = { version = "0.17.0-rc.11", features = [
+    "algorithm",
     "der",
     "hazmat",
-    "arithmetic",
-    "verifying",
 ], optional = true }
-elliptic-curve = { version = "0.13.8", optional = true, features = [
+elliptic-curve = { version = "0.14.0-rc.21", optional = true, features = [
     "alloc",
     "pkcs8",
 ] }
-p192 = { version = "0.13.0", optional = true }
-p224 = { version = "0.13.2", optional = true }
-p256 = { version = "0.13.2", optional = true }
-p384 = { version = "0.13.0", optional = true }
-p521 = { version = "0.13.3", optional = true }
-pkcs8 = { version = "0.10.2", optional = true }
-rsa = { version = "0.9", optional = true }
-sha1 = { version = "0.10.6", optional = true }
-sha2 = { version = "0.10.8", optional = true }
-sha3 = { version = "0.10.8", optional = true }
-sm2 = { version = "0.13.3", optional = true }
-sm3 = { version = "0.4.2", optional = true }
-digest = { version = "0.10.7", optional = true }
-signature = { version = "2.2.0", features = ["std"], optional = true }
+hmac = { version = "0.13.0-rc.2", optional = true }
+p192 = { version = "0.14.0-rc.4", optional = true }
+p224 = { version = "0.14.0-rc.4", optional = true }
+p256 = { version = "0.14.0-rc.4", optional = true }
+p384 = { version = "0.14.0-rc.4", optional = true }
+p521 = { version = "0.14.0-rc.4", optional = true }
+pkcs8 = { version = "0.11.0-rc.7", optional = true }
+rsa = { version = "0.10.0-rc.11", optional = true }
+sha1 = { version = "0.11.0-rc.3", optional = true }
+sha2 = { version = "0.11.0-rc.3", optional = true }
+sha3 = { version = "0.11.0-rc.3", optional = true }
+sm2 = { version = "0.14.0-rc.4", optional = true }
+sm3 = { version = "0.5.0-rc.3", optional = true }
+sm4 = { version = "0.6.0-rc.2", optional = true }
+digest = { version = "0.11.0-rc.4", optional = true }
+signature = { version = "3.0.0-rc.5", features = [
+    "alloc",
+    "digest",
+], optional = true }
+kbkdf = { version = "0.0.1", optional = true }
+one-step-kdf = { version = "0.1.0-rc.0", optional = true }
 cfg-if = "1.0.0"
 strum = { version = "0.26.3", optional = true }
 strum_macros = { version = "0.26.4", optional = true }
 paste = "1.0.14"
-getrandom = "0.2.11"
+getrandom = "0.4.0-rc.0"
+rand = "0.10.0-rc.1"
 
 [dev-dependencies]
+aes = "0.9.0-pre.2"
 env_logger = "0.11.5"
+hex-literal = "1"
+paste = "1.0.15"
+rsa = { version = "0.10.0-pre.3" }
 serde_json = "^1.0.108"
-sha2 = { version = "0.10.8", features = ["oid"] }
+sha2 = { version = "0.11.0-rc.3", features = ["oid"] }
 tss-esapi = { path = ".", features = [
     "integration-tests",
     "serde",
     "abstraction",
     "rustcrypto-full",
 ] }
-x509-cert = { version = "0.2.0", features = ["builder"] }
+p256 = { version = "0.14.0-rc.4", features = ["ecdh"] }
+x509-cert = { version = "0.3.0-rc.3", features = ["builder"] }
 
 [build-dependencies]
 semver = "1.0.7"
@@ -85,16 +102,25 @@ default = ["abstraction"]
 generate-bindings = ["tss-esapi-sys/generate-bindings"]
 abstraction = ["rustcrypto"]
 integration-tests = ["strum", "strum_macros"]
+
 rustcrypto = [
+    "byte-strings",
+    "cfb-mode",
+    "cipher",
+    "one-step-kdf",
     "digest",
     "ecdsa",
-    "elliptic-curve",
+    "elliptic-curve/ecdh",
+    "hmac",
+    "kbkdf",
     "pkcs8",
     "signature",
     "x509-cert",
 ]
 rustcrypto-full = [
     "rustcrypto",
+    "aes",
+    "camellia",
     "p192",
     "p224",
     "p256",
@@ -106,7 +132,10 @@ rustcrypto-full = [
     "sha3",
     "sm2",
     "sm3",
+    "sm4",
 ]
+
+rsa = ["dep:rsa", "kbkdf"]
 sha1 = ["dep:sha1", "rsa?/sha1"]
 sha2 = ["dep:sha2", "rsa?/sha2"]
 bundled = ["tss-esapi-sys/bundled"]
diff --git a/tss-esapi/src/abstraction/no_tpm/quote.rs b/tss-esapi/src/abstraction/no_tpm/quote.rs
@@ -13,19 +13,16 @@ use digest::{Digest, DynDigest};
 #[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
 use crate::{abstraction::public::AssociatedTpmCurve, structures::EccSignature};
 #[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
-use ecdsa::{
-    hazmat::{DigestPrimitive, VerifyPrimitive},
-    PrimeCurve, SignatureSize, VerifyingKey,
-};
+use ecdsa::{hazmat::DigestAlgorithm, PrimeCurve, SignatureSize, VerifyingKey};
 #[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
 use elliptic_curve::{
-    generic_array::ArrayLength,
+    array::ArraySize,
     point::AffinePoint,
     sec1::{FromEncodedPoint, ModulusSize, ToEncodedPoint},
     CurveArithmetic, FieldBytesSize,
 };
 #[cfg(any(feature = "p224", feature = "p256", feature = "p384"))]
-use signature::hazmat::PrehashVerifier;
+use signature::DigestVerifier;
 
 #[cfg(feature = "rsa")]
 use rsa::{pkcs1v15, pss, RsaPublicKey};
@@ -40,9 +37,9 @@ fn verify_ecdsa<C>(
     hashing_algorithm: HashingAlgorithm,
 ) -> Result<bool>
 where
-    C: PrimeCurve + CurveArithmetic + DigestPrimitive + AssociatedTpmCurve,
-    AffinePoint<C>: VerifyPrimitive<C> + FromEncodedPoint<C> + ToEncodedPoint<C>,
-    SignatureSize<C>: ArrayLength<u8>,
+    C: PrimeCurve + CurveArithmetic + DigestAlgorithm + AssociatedTpmCurve,
+    AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
+    SignatureSize<C>: ArraySize,
     FieldBytesSize<C>: ModulusSize,
 {
     let Ok(signature) = ecdsa::Signature::<C>::try_from(signature) else {
@@ -56,25 +53,45 @@ where
 
     match hashing_algorithm {
         #[cfg(feature = "sha1")]
-        HashingAlgorithm::Sha1 => {
-            let hash = sha1::Sha1::digest(message);
-            Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
-        }
+        HashingAlgorithm::Sha1 => Ok(verifying_key
+            .verify_digest(
+                |d: &mut sha1::Sha1| {
+                    Digest::update(d, message);
+                    Ok(())
+                },
+                &signature,
+            )
+            .is_ok()),
         #[cfg(feature = "sha2")]
-        HashingAlgorithm::Sha256 => {
-            let hash = sha2::Sha256::digest(message);
-            Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
-        }
+        HashingAlgorithm::Sha256 => Ok(verifying_key
+            .verify_digest(
+                |d: &mut sha2::Sha256| {
+                    Digest::update(d, message);
+                    Ok(())
+                },
+                &signature,
+            )
+            .is_ok()),
         #[cfg(feature = "sha2")]
-        HashingAlgorithm::Sha384 => {
-            let hash = sha2::Sha384::digest(message);
-            Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
-        }
+        HashingAlgorithm::Sha384 => Ok(verifying_key
+            .verify_digest(
+                |d: &mut sha2::Sha384| {
+                    Digest::update(d, message);
+                    Ok(())
+                },
+                &signature,
+            )
+            .is_ok()),
         #[cfg(feature = "sha2")]
-        HashingAlgorithm::Sha512 => {
-            let hash = sha2::Sha512::digest(message);
-            Ok(verifying_key.verify_prehash(&hash, &signature).is_ok())
-        }
+        HashingAlgorithm::Sha512 => Ok(verifying_key
+            .verify_digest(
+                |d: &mut sha2::Sha512| {
+                    Digest::update(d, message);
+                    Ok(())
+                },
+                &signature,
+            )
+            .is_ok()),
         _ => Err(Error::WrapperError(WrapperErrorKind::UnsupportedParam)),
     }
 }

diff --git a/tss-esapi/src/abstraction/public.rs b/tss-esapi/src/abstraction/public.rs
@@ -8,7 +8,7 @@ use crate::{Error, WrapperErrorKind};
 
 use core::convert::TryFrom;
 use elliptic_curve::{
-    generic_array::typenum::Unsigned,
+    array::typenum::Unsigned,
     sec1::{EncodedPoint, FromEncodedPoint, ModulusSize, ToEncodedPoint},
     AffinePoint, CurveArithmetic, FieldBytesSize, PublicKey,
 };
@@ -18,7 +18,7 @@ use x509_cert::spki::SubjectPublicKeyInfoOwned;
 #[cfg(feature = "rsa")]
 use {
     crate::structures::RsaExponent,
-    rsa::{BigUint, RsaPublicKey},
+    rsa::{BoxedUint, RsaPublicKey},
 };
 
 #[cfg(any(
@@ -57,15 +57,13 @@ where
                 let x = unique.x().as_bytes();
                 let y = unique.y().as_bytes();
 
-                if x.len() != FieldBytesSize::<C>::USIZE {
-                    return Err(Error::local_error(WrapperErrorKind::InvalidParam));
-                }
-                if y.len() != FieldBytesSize::<C>::USIZE {
-                    return Err(Error::local_error(WrapperErrorKind::InvalidParam));
-                }
-
-                let encoded_point =
-                    EncodedPoint::<C>::from_affine_coordinates(x.into(), y.into(), false);
+                let encoded_point = EncodedPoint::<C>::from_affine_coordinates(
+                    x.try_into()
+                        .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
+                    y.try_into()
+                        .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
+                    false,
+                );
                 let public_key = PublicKey::<C>::try_from(&encoded_point)
                     .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
 
@@ -86,10 +84,10 @@ impl TryFrom<&Public> for RsaPublicKey {
                 unique, parameters, ..
             } => {
                 let exponent = match parameters.exponent() {
-                    RsaExponent::ZERO_EXPONENT => BigUint::from(RSA_DEFAULT_EXP),
-                    _ => BigUint::from(parameters.exponent().value()),
+                    RsaExponent::ZERO_EXPONENT => BoxedUint::from(RSA_DEFAULT_EXP),
+                    _ => BoxedUint::from(parameters.exponent().value()),
                 };
-                let modulus = BigUint::from_bytes_be(unique.as_bytes());
+                let modulus = BoxedUint::from_be_slice_vartime(unique.as_bytes());
 
                 let public_key = RsaPublicKey::new(modulus, exponent)
                     .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
@@ -173,17 +171,21 @@ where
                 let x = x.as_slice();
                 let y = y.as_slice();
 
-                // TODO: When elliptic_curve bumps to 0.14, we can use the TryFrom implementation instead
-                // of checking lengths manually
                 if x.len() != FieldBytesSize::<C>::USIZE {
                     return Err(Error::local_error(WrapperErrorKind::InvalidParam));
                 }
                 if y.len() != FieldBytesSize::<C>::USIZE {
                     return Err(Error::local_error(WrapperErrorKind::InvalidParam));
                 }
 
-                let encoded_point =
-                    EncodedPoint::<C>::from_affine_coordinates(x.into(), y.into(), false);
+                let encoded_point = EncodedPoint::<C>::from_affine_coordinates(
+                    x.try_into()
+                        .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
+                    y.try_into()
+                        .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?,
+                    false,
+                );
+
                 let public_key = PublicKey::<C>::try_from(&encoded_point)
                     .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;
 
@@ -201,8 +203,8 @@ impl TryFrom<&TpmPublicKey> for RsaPublicKey {
     fn try_from(value: &TpmPublicKey) -> Result<Self, Self::Error> {
         match value {
             TpmPublicKey::Rsa(modulus) => {
-                let exponent = BigUint::from(RSA_DEFAULT_EXP);
-                let modulus = BigUint::from_bytes_be(modulus.as_slice());
+                let exponent = BoxedUint::from(RSA_DEFAULT_EXP);
+                let modulus = BoxedUint::from_be_slice_vartime(modulus.as_slice());
 
                 let public_key = RsaPublicKey::new(modulus, exponent)
                     .map_err(|_| Error::local_error(WrapperErrorKind::InvalidParam))?;