fix(coap): Update Lakers
This commit contains the minimal changes to make things work, and does
not yet reap support for non-int C_x.

This breaks compatibility with aiocoap when credentials are sent by
value, as is the case in some examples. This is part of the fallout of a
previous Lakers bug [303], and due to be fixed in an upcoming aiocoap
update.

[303]: openwsn-berkeley/lakers#303
chrysn committed Nov 25, 2024
1 parent 107f665 commit 2d2b991
Showing 5 changed files with 29 additions and 34 deletions.
16 changes: 8 additions & 8 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions src/ariel-os-coap/Cargo.toml
@@ -25,8 +25,8 @@ embassy-net = { workspace = true, features = [
embassy-sync.workspace = true
embedded-nal-async = "0.8"
embedded-nal-coap = { workspace = true }
lakers-crypto-rustcrypto = "0.6.0"
lakers = { version = "0.6.0", default-features = false }
lakers-crypto-rustcrypto = "0.7.2"
lakers = { version = "0.7.2", default-features = false }
ariel-os-debug.workspace = true
ariel-os-embassy = { workspace = true, features = ["net"] }
ariel-os-random = { workspace = true, features = ["csprng"] }
6 changes: 3 additions & 3 deletions src/ariel-os-coap/src/lib.rs
@@ -35,7 +35,7 @@ static CLIENT: OnceLock<
/// This can only be run once, as it sets up a system wide CoAP handler.
pub async fn coap_run(handler: impl coap_handler::Handler + coap_handler::Reporting) -> ! {
use hexlit::hex;
const R: &[u8] = &hex!("72cc4761dbd4c78f758931aa589d348d1ef874a7e303ede2f140dcf3e6aa4aac");
const R: [u8; 32] = hex!("72cc4761dbd4c78f758931aa589d348d1ef874a7e303ede2f140dcf3e6aa4aac");

static COAP: StaticCell<embedded_nal_coap::CoAPShared<CONCURRENT_REQUESTS>> = StaticCell::new();

@@ -65,8 +65,8 @@ pub async fn coap_run(handler: impl coap_handler::Handler + coap_handler::Report
.unwrap();

let own_identity = (
&lakers::CredentialRPK::new(lakers::EdhocMessageBuffer::new_from_slice(&hex!("A2026008A101A5010202410A2001215820BBC34960526EA4D32E940CAD2A234148DDC21791A12AFBCBAC93622046DD44F02258204519E257236B2A0CE2023F0931F1F386CA7AFDA64FCDE0108C224C51EABF6072")).expect("Credential should be small enough")).expect("Credential should be processable"),
R,
&lakers::Credential::parse_ccs(&hex!("A2026008A101A5010202410A2001215820BBC34960526EA4D32E940CAD2A234148DDC21791A12AFBCBAC93622046DD44F02258204519E257236B2A0CE2023F0931F1F386CA7AFDA64FCDE0108C224C51EABF6072")).expect("Credential should be processable"),
&R,
);

// FIXME: Should we allow users to override that? After all, this is just convenience and may
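Review bot: The responder's static private key `R` and the CCS passed to `parse_ccs` in `own_identity` are still compile-time constants inside `coap_run` after this change, so every image built from this source carries the same key, which is readable in the public tree; EDHOC authentication of the device then tells a peer nothing about which device it is talking to. The FIXME that follows the tuple only asks whether users should be able to override the value; I would state the constraint directly at the constant, e.g. `// FIXME: demo key, public in the source tree; must be replaced by a per-device provisioned key before deployment`. With `R` now a `[u8; 32]` const that is later dereferenced into the responder, the secret is also copied by value, which is fine for a placeholder but worth revisiting (storage and wiping) once a real key is loaded. `coap_run`'s body continues outside these hunks.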
4 changes: 2 additions & 2 deletions src/lib/coapcore/Cargo.toml
@@ -17,15 +17,15 @@ workspace = true
# public
coap-handler = "0.2.0"
coap-message = "0.3.2"
lakers = { version = "0.6.0", default-features = false }
lakers = { version = "0.7.2", default-features = false }

# private
arrayvec = { version = "0.7.4", default-features = false }
coap-message-implementations = { version = "0.1.2", features = ["downcast"] }
coap-message-utils = "0.3.3"
coap-numbers = "0.2.3"
hexlit = "0.5.5"
lakers-crypto-rustcrypto = "0.6.0"
lakers-crypto-rustcrypto = "0.7.2"
liboscore = "0.2.1"
liboscore-msgbackend = "0.2.1"

33 changes: 14 additions & 19 deletions src/lib/coapcore/src/seccontext.rs
@@ -145,15 +145,8 @@ enum SecContextStage<Crypto: lakers::Crypto> {
// :-)

// actionable in response building
//
// FIXME: The 'static here means that our identity key needs to be 'static -- if identity
// roll-over is a topic, that'd be a no-go. An alternative is to both store the message and the
// ResponderWaitM3 state -- but that'll make our SecContextPool slots larger; best evaluate
// that once the states are ready and we see which ones are the big ones. Possible outcomes are
// to just do it, to store the message in the handler's `RequestData`, or to have one or a few
// slots in parallel to this in the [`SecContextPool`].
EdhocResponderProcessedM1 {
responder: lakers::EdhocResponderProcessedM1<'static, Crypto>,
responder: lakers::EdhocResponderProcessedM1<Crypto>,
// May be removed if lakers keeps access to those around if they are set at this point at
// all
c_r: COwn,
@@ -266,9 +259,7 @@ pub struct OscoreEdhocHandler<'a, H: coap_handler::Handler, Crypto: lakers::Cryp
// locks for such sharing could still be acquired in a factory (at which point it may make
// sense to make this a &mut).
pool: SecContextPool<Crypto>,
// FIXME: That 'static is going to bite us -- but EdhocResponderProcessedM1 holds a reference
// to it -- see SecContextStage::EdhocResponderProcessedM1
own_identity: (&'a lakers::CredentialRPK, &'static [u8]),
own_identity: (&'a lakers::Credential, &'a lakers::BytesP256ElemLen),

// FIXME: This currently bakes in the assumption that there is a single tree both for
// unencrypted and encrypted resources. We may later generalize this by making this a factory,
@@ -288,7 +279,7 @@ impl<'a, H: coap_handler::Handler, Crypto: lakers::Crypto> OscoreEdhocHandler<'a
// FIXME: Apart from an own identity, this will also need a function to convert ID_CRED_I into
// a (CRED_I, AifStaticRest) pair.
pub fn new(
own_identity: (&'a lakers::CredentialRPK, &'static [u8]),
own_identity: (&'a lakers::Credential, &'a lakers::BytesP256ElemLen),
inner: H,
crypto_factory: fn() -> Crypto,
) -> Self {
@@ -496,7 +487,8 @@ impl<'a, H: coap_handler::Handler, Crypto: lakers::Crypto> coap_handler::Handler

let (responder, c_i, ead_1) = lakers::EdhocResponder::new(
(self.crypto_factory)(),
self.own_identity.1,
lakers::EDHOCMethod::StatStat,
*self.own_identity.1,
*self.own_identity.0,
)
.process_message_1(message_1)
@@ -600,14 +592,14 @@ impl<'a, H: coap_handler::Handler, Crypto: lakers::Crypto> coap_handler::Handler
let authorization;

if id_cred_i.reference_only() {
match id_cred_i.kid {
43 => {
match id_cred_i.as_encoded_value() {
&[43] => {
info!("Peer indicates use of the one preconfigured key");

use hexlit::hex;
const CRED_I: &[u8] = &hex!("A2027734322D35302D33312D46462D45462D33372D33322D333908A101A5010202412B2001215820AC75E9ECE3E50BFC8ED60399889522405C47BF16DF96660A41298CB4307F7EB62258206E5DE611388A4B8A8211334AC7D37ECB52A387D257E6DB3C2A93DF21FF3AFFC8");

cred_i = lakers::CredentialRPK::new(
cred_i = lakers::Credential::parse_ccs(
CRED_I.try_into().expect("Static credential is too large"),
)
.expect("Static credential is not processable");
@@ -623,12 +615,15 @@ impl<'a, H: coap_handler::Handler, Crypto: lakers::Crypto> coap_handler::Handler
}
}
} else {
let ccs = id_cred_i
.get_ccs()
.expect("Lakers only knows IdCred as reference or as credential");
info!(
"Got credential by value: {:?}..",
&id_cred_i.value.get_slice(0, 5)
"Got credential CCS by value: {:?}..",
&ccs.bytes.get_slice(0, 5)
);

cred_i = lakers::CredentialRPK::new(id_cred_i.value)
cred_i = lakers::Credential::parse_ccs(ccs.bytes.as_slice())
// FIXME What kind of error do we send here?
.map_err(|_| Own(CoAPError::bad_request()))?;

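Review bot: In the last hunk's by-value branch, `id_cred_i.get_ccs().expect("Lakers only knows IdCred as reference or as credential")` panics on a value derived from the peer's message, while the `parse_ccs` call right after it turns a bad credential into `CoAPError::bad_request()`. If lakers ever yields an ID_CRED that is neither a reference nor a CCS, a remote peer would abort the handler instead of getting an error response; whether that is reachable today depends on lakers internals not visible here. I would propagate it the same way as the neighbouring call, `let ccs = id_cred_i.get_ccs().ok_or(Own(CoAPError::bad_request()))?;` (assuming `get_ccs` returns an `Option`; use `map_err` if it is a `Result`). The enclosing handler method starts and ends outside this hunk.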
