aws
diff --git a/‎aws-lc-rs/src/bn.rs
+1-5 b/‎aws-lc-rs/src/bn.rs
+1-5
diff --git a/‎aws-lc-rs/src/ec/key_pair.rs
+10-73 b/‎aws-lc-rs/src/ec/key_pair.rs
+10-73
diff --git a/‎aws-lc-rs/src/ec/signature.rs
+5-35 b/‎aws-lc-rs/src/ec/signature.rs
+5-35
diff --git a/‎aws-lc-rs/src/ed25519.rs
+10-65 b/‎aws-lc-rs/src/ed25519.rs
+10-65
@@ -1,7 +1,7 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
-use crate::aws_lc::{BN_bin2bn, BN_bn2bin, BN_new, BN_num_bits, BN_num_bytes, BN_set_u64, BIGNUM};
+use crate::aws_lc::{BN_bin2bn, BN_bn2bin, BN_new, BN_num_bytes, BN_set_u64, BIGNUM};
 use crate::ptr::{ConstPointer, DetachableLcPtr, LcPtr};
 use core::ptr::null_mut;
 
@@ -60,8 +60,4 @@ impl ConstPointer<BIGNUM> {
             byte_vec
         }
     }
-
-    pub(crate) fn num_bits(&self) -> u32 {
-        unsafe { BN_num_bits(**self) }
-    }
 }
@@ -5,31 +5,28 @@
 
 use core::fmt;
 use core::fmt::{Debug, Formatter};
-use core::mem::MaybeUninit;
-use core::ptr::{null, null_mut};
 
-use crate::aws_lc::{EVP_DigestSign, EVP_DigestSignInit, EVP_PKEY_cmp, EVP_PKEY, EVP_PKEY_EC};
+use crate::aws_lc::{EVP_PKEY_cmp, EVP_PKEY, EVP_PKEY_EC};
 
-use crate::digest::digest_ctx::DigestContext;
 use crate::ec::evp_key_generate;
 use crate::ec::signature::{EcdsaSignatureFormat, EcdsaSigningAlgorithm, PublicKey};
 #[cfg(feature = "fips")]
 use crate::ec::validate_evp_key;
 #[cfg(not(feature = "fips"))]
 use crate::ec::verify_evp_key_nid;
 
+use crate::ec;
 use crate::ec::encoding::rfc5915::{marshal_rfc5915_private_key, parse_rfc5915_private_key};
 use crate::ec::encoding::sec1::{
     marshal_sec1_private_key, parse_sec1_private_bn, parse_sec1_public_point,
 };
 use crate::encoding::{AsBigEndian, AsDer, EcPrivateKeyBin, EcPrivateKeyRfc5915Der};
 use crate::error::{KeyRejected, Unspecified};
-use crate::fips::indicator_check;
+use crate::evp_pkey::No_EVP_PKEY_CTX_consumer;
 use crate::pkcs8::{Document, Version};
 use crate::ptr::LcPtr;
 use crate::rand::SecureRandom;
 use crate::signature::{KeyPair, Signature};
-use crate::{digest, ec};
 
 /// An ECDSA key pair, used for signing.
 #[allow(clippy::module_name_repetitions)]
@@ -212,82 +209,22 @@ impl EcdsaKeyPair {
     // * Digest Algorithms: SHA256, SHA384, SHA512
     #[inline]
     pub fn sign(&self, _rng: &dyn SecureRandom, message: &[u8]) -> Result<Signature, Unspecified> {
-        let mut md_ctx = DigestContext::new_uninit();
-
-        let digest = digest::match_digest_type(&self.algorithm.digest.id);
-
-        if 1 != unsafe {
-            // EVP_DigestSignInit does not mutate |pkey| for thread-safety purposes and may be
-            // used concurrently with other non-mutating functions on |pkey|.
-            // https://github.com/aws/aws-lc/blob/9b4b5a15a97618b5b826d742419ccd54c819fa42/include/openssl/evp.h#L297-L313
-            EVP_DigestSignInit(
-                md_ctx.as_mut_ptr(),
-                null_mut(),
-                *digest,
-                null_mut(),
-                *self.evp_pkey.as_mut_unsafe(),
-            )
-        } {
-            return Err(Unspecified);
-        }
-
-        let mut out_sig = vec![0u8; get_signature_length(&mut md_ctx)?];
-
-        let out_sig = compute_ecdsa_signature(&mut md_ctx, message, out_sig.as_mut_slice())?;
+        let out_sig = self.evp_pkey.sign(
+            message,
+            Some(self.algorithm.digest),
+            No_EVP_PKEY_CTX_consumer,
+        )?;
 
         Ok(match self.algorithm.sig_format {
             EcdsaSignatureFormat::ASN1 => Signature::new(|slice| {
-                slice[..out_sig.len()].copy_from_slice(out_sig);
+                slice[..out_sig.len()].copy_from_slice(&out_sig);
                 out_sig.len()
             }),
-            EcdsaSignatureFormat::Fixed => ec::ecdsa_asn1_to_fixed(self.algorithm.id, out_sig)?,
+            EcdsaSignatureFormat::Fixed => ec::ecdsa_asn1_to_fixed(self.algorithm.id, &out_sig)?,
         })
     }
 }
 
-#[inline]
-fn get_signature_length(ctx: &mut DigestContext) -> Result<usize, Unspecified> {
-    let mut out_sig_len = MaybeUninit::<usize>::uninit();
-
-    // determine signature size
-    if 1 != unsafe {
-        EVP_DigestSign(
-            ctx.as_mut_ptr(),
-            null_mut(),
-            out_sig_len.as_mut_ptr(),
-            null(),
-            0,
-        )
-    } {
-        return Err(Unspecified);
-    }
-
-    Ok(unsafe { out_sig_len.assume_init() })
-}
-
-#[inline]
-fn compute_ecdsa_signature<'a>(
-    ctx: &mut DigestContext,
-    message: &[u8],
-    signature: &'a mut [u8],
-) -> Result<&'a mut [u8], Unspecified> {
-    let mut out_sig_len = signature.len();
-
-    if 1 != indicator_check!(unsafe {
-        EVP_DigestSign(
-            ctx.as_mut_ptr(),
-            signature.as_mut_ptr(),
-            &mut out_sig_len,
-            message.as_ptr(),
-            message.len(),
-        )
-    }) {
-        return Err(Unspecified);
-    }
-
-    Ok(&mut signature[0..out_sig_len])
-}
-
 /// Elliptic curve private key.
 pub struct PrivateKey<'a>(&'a EcdsaKeyPair);
 
 
@@ -2,19 +2,18 @@
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
 use crate::aws_lc::{
-    ECDSA_SIG_new, ECDSA_SIG_set0, ECDSA_SIG_to_bytes, EVP_DigestVerify, EVP_DigestVerifyInit,
-    NID_X9_62_prime256v1, NID_secp256k1, NID_secp384r1, NID_secp521r1, BIGNUM, ECDSA_SIG, EVP_PKEY,
+    ECDSA_SIG_new, ECDSA_SIG_set0, ECDSA_SIG_to_bytes, NID_X9_62_prime256v1, NID_secp256k1,
+    NID_secp384r1, NID_secp521r1, BIGNUM, ECDSA_SIG, EVP_PKEY,
 };
 
-use crate::digest::digest_ctx::DigestContext;
 use crate::ec::compressed_public_key_size_bytes;
 use crate::ec::encoding::parse_ec_public_key;
 use crate::ec::encoding::sec1::marshal_sec1_public_point;
 use crate::encoding::{
     AsBigEndian, AsDer, EcPublicKeyCompressedBin, EcPublicKeyUncompressedBin, PublicKeyX509Der,
 };
 use crate::error::Unspecified;
-use crate::fips::indicator_check;
+use crate::evp_pkey::No_EVP_PKEY_CTX_consumer;
 use crate::ptr::{DetachableLcPtr, LcPtr};
 use crate::signature::VerificationAlgorithm;
 use crate::{digest, sealed};
@@ -232,37 +231,8 @@ fn verify_asn1_signature(
     msg: &[u8],
     signature: &[u8],
 ) -> Result<(), Unspecified> {
-    let mut pkey = parse_ec_public_key(public_key, alg.nid())?;
-
-    let mut md_ctx = DigestContext::new_uninit();
-
-    let digest = digest::match_digest_type(&digest.id);
-
-    if 1 != unsafe {
-        EVP_DigestVerifyInit(
-            md_ctx.as_mut_ptr(),
-            null_mut(),
-            *digest,
-            null_mut(),
-            *pkey.as_mut(),
-        )
-    } {
-        return Err(Unspecified);
-    }
-
-    if 1 != indicator_check!(unsafe {
-        EVP_DigestVerify(
-            md_ctx.as_mut_ptr(),
-            signature.as_ptr(),
-            signature.len(),
-            msg.as_ptr(),
-            msg.len(),
-        )
-    }) {
-        return Err(Unspecified);
-    }
-
-    Ok(())
+    let evp_pkey = parse_ec_public_key(public_key, alg.nid())?;
+    evp_pkey.verify(msg, Some(digest), No_EVP_PKEY_CTX_consumer, signature)
 }
 
 #[inline]
 
@@ -12,16 +12,15 @@ use std::marker::PhantomData;
 use untrusted::Input;
 
 use crate::aws_lc::{
-    EVP_DigestSign, EVP_DigestSignInit, EVP_DigestVerify, EVP_DigestVerifyInit,
     EVP_PKEY_CTX_new_id, EVP_PKEY_keygen, EVP_PKEY_keygen_init, EVP_PKEY, EVP_PKEY_ED25519,
 };
 
 use crate::buffer::Buffer;
-use crate::digest::digest_ctx::DigestContext;
 use crate::encoding::{
     AsBigEndian, AsDer, Curve25519SeedBin, Pkcs8V1Der, Pkcs8V2Der, PublicKeyX509Der,
 };
 use crate::error::{KeyRejected, Unspecified};
+use crate::evp_pkey::No_EVP_PKEY_CTX_consumer;
 use crate::fips::indicator_check;
 use crate::pkcs8::{Document, Version};
 use crate::ptr::LcPtr;
@@ -30,8 +29,8 @@ use crate::signature::{KeyPair, Signature, VerificationAlgorithm};
 use crate::{constant_time, hex, sealed};
 
 /// The length of an Ed25519 public key.
-pub const ED25519_PUBLIC_KEY_LEN: usize = aws_lc::ED25519_PUBLIC_KEY_LEN as usize;
-const ED25519_SIGNATURE_LEN: usize = aws_lc::ED25519_SIGNATURE_LEN as usize;
+pub const ED25519_PUBLIC_KEY_LEN: usize = crate::aws_lc::ED25519_PUBLIC_KEY_LEN as usize;
+const ED25519_SIGNATURE_LEN: usize = crate::aws_lc::ED25519_SIGNATURE_LEN as usize;
 const ED25519_SEED_LEN: usize = 32;
 
 /// Parameters for `EdDSA` signing and verification.
@@ -49,9 +48,11 @@ impl VerificationAlgorithm for EdDSAParameters {
         msg: Input<'_>,
         signature: Input<'_>,
     ) -> Result<(), Unspecified> {
-        self.verify_sig(
-            public_key.as_slice_less_safe(),
+        let evp_pkey = try_ed25519_public_key_from_bytes(public_key.as_slice_less_safe())?;
+        evp_pkey.verify(
             msg.as_slice_less_safe(),
+            None,
+            No_EVP_PKEY_CTX_consumer,
             signature.as_slice_less_safe(),
         )
     }
@@ -62,35 +63,8 @@ impl VerificationAlgorithm for EdDSAParameters {
         msg: &[u8],
         signature: &[u8],
     ) -> Result<(), Unspecified> {
-        let public_key = try_ed25519_public_key_from_bytes(public_key)?;
-
-        let mut evp_md_ctx = DigestContext::new_uninit();
-
-        if 1 != unsafe {
-            EVP_DigestVerifyInit(
-                evp_md_ctx.as_mut_ptr(),
-                null_mut(),
-                null_mut(),
-                null_mut(),
-                *public_key.as_mut_unsafe(),
-            )
-        } {
-            return Err(Unspecified);
-        }
-
-        if 1 != indicator_check!(unsafe {
-            EVP_DigestVerify(
-                evp_md_ctx.as_mut_ptr(),
-                signature.as_ptr(),
-                signature.len(),
-                msg.as_ptr(),
-                msg.len(),
-            )
-        }) {
-            return Err(Unspecified);
-        }
-
-        Ok(())
+        let evp_pkey = try_ed25519_public_key_from_bytes(public_key)?;
+        evp_pkey.verify(msg, None, No_EVP_PKEY_CTX_consumer, signature)
     }
 }
 
@@ -433,36 +407,7 @@ impl Ed25519KeyPair {
 
     #[inline]
     fn try_sign(&self, msg: &[u8]) -> Result<Signature, Unspecified> {
-        let mut sig_bytes = [0u8; ED25519_SIGNATURE_LEN];
-
-        let mut evp_md_ctx = DigestContext::new_uninit();
-
-        if 1 != unsafe {
-            EVP_DigestSignInit(
-                evp_md_ctx.as_mut_ptr(),
-                null_mut(),
-                null_mut(),
-                null_mut(),
-                *self.evp_pkey.as_mut_unsafe(),
-            )
-        } {
-            return Err(Unspecified);
-        }
-
-        let mut out_sig_len = sig_bytes.len();
-        if 1 != indicator_check!(unsafe {
-            EVP_DigestSign(
-                evp_md_ctx.as_mut_ptr(),
-                sig_bytes.as_mut_ptr().cast(),
-                &mut out_sig_len,
-                msg.as_ptr(),
-                msg.len(),
-            )
-        }) {
-            return Err(Unspecified);
-        }
-
-        debug_assert_eq!(out_sig_len, sig_bytes.len());
+        let sig_bytes = self.evp_pkey.sign(msg, None, No_EVP_PKEY_CTX_consumer)?;
 
         Ok(Signature::new(|slice| {
             slice[0..ED25519_SIGNATURE_LEN].copy_from_slice(&sig_bytes);
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.`
`2`	`2`	`// SPDX-License-Identifier: Apache-2.0 OR ISC`
`3`	`3`
`4`		`-use crate::aws_lc::{BN_bin2bn, BN_bn2bin, BN_new, BN_num_bits, BN_num_bytes, BN_set_u64, BIGNUM};`
	`4`	`+use crate::aws_lc::{BN_bin2bn, BN_bn2bin, BN_new, BN_num_bytes, BN_set_u64, BIGNUM};`
`5`	`5`	`use crate::ptr::{ConstPointer, DetachableLcPtr, LcPtr};`
`6`	`6`	`use core::ptr::null_mut;`
`7`	`7`
`@@ -60,8 +60,4 @@ impl ConstPointer<BIGNUM> {`
`60`	`60`	`byte_vec`
`61`	`61`	`}`
`62`	`62`	`}`
`63`		`-`
`64`		`- pub(crate) fn num_bits(&self) -> u32 {`
`65`		`- unsafe { BN_num_bits(**self) }`
`66`		`- }`
`67`	`63`	`}`