chore: Merge branch 'release/1.5.0'

Author: Manuthor

.cargo/audit.toml

@@ -5,5 +5,6 @@
 # List of advisory IDs to ignore (extracted from deny.toml)
 ignore = [
     "RUSTSEC-2023-0071", # rsa
-    "RUSTSEC-2024-0436", # unmaintained paste
+    "RUSTSEC-2025-0052", # async-std has been discontinued
+    "RUSTSEC-2024-0436" # unmaintained paste crate
 ]

.cargo/config.toml

@@ -1,7 +1,7 @@
-# On Windows, the linker may exceed its number of allowed symbols
-# This is likely going to require nightly
-# see https://github.com/rust-lang/rust/issues/53014#issuecomment-646149774
-[target.aarch64-pc-windows-msvc]
-rustflags = "-Zshare-generics=off"
+# Use rust-lld (LLVM's lld-link) instead of MSVC link.exe to avoid
+# LNK1189: library limit of 65535 objects exceeded on large workspaces.
 [target.x86_64-pc-windows-msvc]
-rustflags = "-Zshare-generics=off"
+linker = "rust-lld.exe"
+
+[target.aarch64-pc-windows-msvc]
+linker = "rust-lld.exe"

.dockerignore

@@ -1 +1 @@
-crate/pkcs11/oracle
+.github/scripts/oracle

.github/copilot-instructions.md

@@ -256,7 +256,7 @@ rustup component add clippy rustfmt
 ### Configuration Files
 
 - Cargo workspace: `Cargo.toml`
-- Rust toolchain: `rust-toolchain.toml` (nightly-2025-03-31)
+- Rust toolchain: `rust-toolchain.toml` (1.90.0)
 - Formatting config: `.rustfmt.toml`
 - Docker services: `docker-compose.yml`
 

.github/dependabot.yml

@@ -0,0 +1,8 @@
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/scripts/build_packages.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -exo pipefail
+
+if [ -z "$TARGET" ]; then
+  echo "Error: TARGET is not set. Examples of TARGET are x86_64-unknown-linux-gnu, x86_64-apple-darwin, aarch64-apple-darwin."
+  exit 1
+fi
+
+if [ -z "$OPENSSL_DIR" ]; then
+  echo "Error: OPENSSL_DIR is not set. Example OPENSSL_DIR=/usr/local/openssl"
+  exit 1
+fi
+
+ROOT_FOLDER=$(pwd)
+
+if [ "$DEBUG_OR_RELEASE" = "release" ]; then
+  # First build the Debian and RPM packages. It must come at first since
+  # after this step `cosmian` is built with custom features flags (non-fips for example).
+  rm -rf target/"$TARGET"/debian
+  rm -rf target/"$TARGET"/generate-rpm
+  cargo build --features non-fips --release --target "$TARGET"
+  if [ -f /etc/redhat-release ]; then
+    cargo install --version 0.16.0 cargo-generate-rpm --force
+    cd "$ROOT_FOLDER"
+    cargo generate-rpm --target "$TARGET" -p crate/cli
+  elif [ -f /etc/debian_version ]; then
+    cargo install --version 2.4.0 cargo-deb --force
+    cargo deb --target "$TARGET" -p cosmian_cli
+  fi
+fi

.github/scripts/cargo_build.ps1

@@ -20,13 +20,13 @@ function BuildProject {
     $env:FINDEX_TEST_DB = "sqlite-findex"
     if ($BuildType -eq "release")
     {
-        cargo build --features "non-fips" -p cosmian_cli -p cosmian_pkcs11 --release --target x86_64-pc-windows-msvc
-        cargo test  --features "non-fips" -p cosmian_cli --release --target x86_64-pc-windows-msvc -- --nocapture --skip sql --skip redis --skip google_cse --skip hsm --skip kms
+        cargo build --features "non-fips" -p cosmian_cli -p cosmian_pkcs11 --target x86_64-pc-windows-msvc --release
+        cargo test  --features "non-fips" -p cosmian_cli -p cosmian_pkcs11 --target x86_64-pc-windows-msvc --release -- --skip auth
     }
     else
     {
         cargo build --features "non-fips" -p cosmian_cli -p cosmian_pkcs11 --target x86_64-pc-windows-msvc
-        cargo  test --features "non-fips" -p cosmian_cli --target x86_64-pc-windows-msvc -- --nocapture --skip sql --skip redis --skip google_cse --skip hsm --skip kms
+        cargo test  --features "non-fips" -p cosmian_cli -p cosmian_pkcs11 --target x86_64-pc-windows-msvc -- --skip auth
     }
 
     # Check binaries

.github/scripts/cargo_build.sh

@@ -1,81 +1,55 @@
 #!/bin/bash
 
-set -ex
+set -exo pipefail
 
-# --- Declare the following variables for tests
-# export TARGET=x86_64-unknown-linux-gnu
-# export TARGET=aarch64-apple-darwin
-# export DEBUG_OR_RELEASE=debug
-# export OPENSSL_DIR=/usr/local/openssl
-# export SKIP_SERVICES_TESTS="--skip hsm"
-
-ROOT_FOLDER=$(pwd)
-
-if [ "$DEBUG_OR_RELEASE" = "release" ]; then
-  # First build the Debian and RPM packages. It must come at first since
-  rm -rf target/"$TARGET"/debian
-  rm -rf target/"$TARGET"/generate-rpm
-
-  if [ -f /etc/redhat-release ]; then
-    cargo build --features non-fips --target "$TARGET" --release
-    cargo install --version 0.16.0 cargo-generate-rpm --force
-    cargo generate-rpm --target "$TARGET" -p crate/cli
-  elif [ -f /etc/debian_version ]; then
-    cargo install --version 2.4.0 cargo-deb --force
-    cargo deb --target "$TARGET" -p cosmian_cli
-  fi
-fi
+# export FEATURES="non-fips"
 
 if [ -z "$TARGET" ]; then
-  echo "Error: TARGET is not set."
+  echo "Error: TARGET is not set. Examples of TARGET are x86_64-unknown-linux-gnu, x86_64-apple-darwin, aarch64-apple-darwin."
   exit 1
 fi
 
 if [ "$DEBUG_OR_RELEASE" = "release" ]; then
   RELEASE="--release"
 fi
 
-if [ -z "$SKIP_SERVICES_TESTS" ]; then
-  echo "Info: SKIP_SERVICES_TESTS is not set."
-  unset SKIP_SERVICES_TESTS
+if [ -n "$FEATURES" ]; then
+  FEATURES="--features $FEATURES"
 fi
 
-rustup target add "$TARGET"
-
-if [ -f /etc/lsb-release ]; then
-  bash .github/reusable_scripts/test_utimaco.sh
+if [ -z "$FEATURES" ]; then
+  echo "Info: FEATURES is not set."
+  unset FEATURES
 fi
 
-cd "$ROOT_FOLDER"
-
 if [ -z "$OPENSSL_DIR" ]; then
-  echo "Error: OPENSSL_DIR is not set."
+  echo "Error: OPENSSL_DIR is not set. Example OPENSSL_DIR=/usr/local/openssl"
   exit 1
 fi
 
+rustup target add "$TARGET"
+
 # shellcheck disable=SC2086
-cargo build --target $TARGET $RELEASE \
-  --features non-fips \
-  -p cosmian_cli \
-  -p cosmian_pkcs11
+cargo build -p cosmian_cli -p cosmian_pkcs11 --target $TARGET $RELEASE $FEATURES
+
+COSMIAN_CLI_EXE="target/$TARGET/$DEBUG_OR_RELEASE/cosmian"
 
-TARGET_FOLDER=./target/"$TARGET/$DEBUG_OR_RELEASE"
-"${TARGET_FOLDER}"/cosmian -h
+# Test binary functionality
+."/$COSMIAN_CLI_EXE" --help
 
+# Check for dynamic OpenSSL linkage
 if [ "$(uname)" = "Linux" ]; then
-  ldd "${TARGET_FOLDER}"/cosmian | grep ssl && exit 1
+  LDD_OUTPUT=$(ldd "$COSMIAN_CLI_EXE")
+  echo "$LDD_OUTPUT"
+  if echo "$LDD_OUTPUT" | grep -qi ssl; then
+    echo "Error: Dynamic OpenSSL linkage detected on Linux (ldd | grep ssl)."
+    exit 1
+  fi
 else
-  otool -L "${TARGET_FOLDER}"/cosmian | grep openssl && exit 1
+  OTOOL_OUTPUT=$(otool -L "$COSMIAN_CLI_EXE")
+  echo "$OTOOL_OUTPUT"
+  if echo "$OTOOL_OUTPUT" | grep -qi ssl; then
+    echo "Error: Dynamic OpenSSL linkage detected on macOS (otool -L | grep openssl)."
+    exit 1
+  fi
 fi
-
-find . -type d -name cosmian-findex-server -exec rm -rf \{\} \; -print || true
-rm -f /tmp/*.json /tmp/*.toml
-
-export RUST_LOG="fatal,cosmian_cli=error,cosmian_findex_client=debug,cosmian_kms_client=debug"
-
-# shellcheck disable=SC2086
-cargo test --target $TARGET $RELEASE \
-  --features non-fips \
-  -p cosmian_cli \
-  -p cosmian_pkcs11 \
-  -- --nocapture $SKIP_SERVICES_TESTS

.github/scripts/cargo_test.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -exo pipefail
+
+# export FEATURES="non-fips"
+
+if [ -z "$TARGET" ]; then
+  echo "Error: TARGET is not set. Examples of TARGET are x86_64-unknown-linux-gnu, x86_64-apple-darwin, aarch64-apple-darwin."
+  exit 1
+fi
+
+if [ "$DEBUG_OR_RELEASE" = "release" ]; then
+  RELEASE="--release"
+fi
+
+if [ -n "$FEATURES" ]; then
+  FEATURES="--features $FEATURES"
+fi
+
+if [ -z "$FEATURES" ]; then
+  echo "Info: FEATURES is not set."
+  unset FEATURES
+fi
+
+if [ -z "$OPENSSL_DIR" ]; then
+  echo "Error: OPENSSL_DIR is not set. Example OPENSSL_DIR=/usr/local/openssl"
+  exit 1
+fi
+
+export RUST_LOG="cosmian_cli=error,cosmian_findex_client=debug,cosmian_kms_client=debug"
+
+# shellcheck disable=SC2086
+cargo test --workspace --bins --target $TARGET $RELEASE $FEATURES
+
+# shellcheck disable=SC2086
+# cargo bench --target $TARGET $FEATURES --no-run
+
+export RUST_LOG="fatal,cosmian_cli=error,cosmian_findex_client=debug,cosmian_kms_client=debug"
+
+# shellcheck disable=SC2086
+cargo test --target $TARGET $RELEASE \
+  --features non-fips \
+  -p cosmian_cli \
+  -p cosmian_pkcs11 \
+  -- --nocapture
+
+if [ -f /etc/lsb-release ]; then
+  # Install Utimaco simulator and run tests
+  bash .github/reusable_scripts/test_utimaco.sh
+
+  # Test HSM package directly
+  # shellcheck disable=SC2086
+  cargo test -p cosmian_cli --target "$TARGET" $RELEASE -- test_all_hsm_cli --ignored
+fi

.github/scripts/cosmian_tests.sh

@@ -6,7 +6,7 @@ set -ex
 docker compose up -d
 sleep 5
 
-export COSMIAN_CLI_FORMAT=json
+export COSMIAN_KMS_CLI_FORMAT=json
 COSMIAN="cargo run --bin cosmian -- -c test_data/configs/cosmian_for_bash.toml"
 
 # Create the seed key