`ccf::crypto` namespace (#6298)

CHANGELOG.md

@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   - `::threading` is now `ccf::threading`, and `ccf/ds/thread_ids.h` has moved to `ccf/threading/thread_ids.h`
   - `::consensus` is now `ccf::consensus`
   - `::tls` is now `ccf::tls`
+  - `::crypto` is now `ccf::crypto`
 - The `programmability` sample app now demonstrates how applications can define their own extensions, creating bindings between C++ and JS state, and allowing JS endpoints to call functions implemented in C++.
 - Introduce `DynamicJSEndpointRegistry::record_action_for_audit_v1` and `DynamicJSEndpointRegistry::check_action_not_replayed_v1` to allow an application making use of the programmability feature to easily implement auditability, and protect users allowed to update the application against replay attacks (#6285).
 - Endpoints now support a `ToBackup` redirection strategy, for requests which should never be executed on a primary. These must also be read-only. These are configured similar to `ToPrimary` endpoints, with a `to_backup` object (specifying by-role or statically-addressed targets) in each node's configuration.

doc/architecture/ledger.rst

@@ -39,9 +39,9 @@ The following table describes the structure of a serialised transaction as it is
 +          +------------------------------------------+-------------------------------------------------------------------------+
 |          | :cpp:type:`kv::Version`                  | Transaction version                                                     |
 +          +------------------------------------------+-------------------------------------------------------------------------+
-|          | :cpp:type:`crypto::Sha256Hash`           | User-defined claims digest, when entry type is WriteSetWith.*Claims     |
+|          | :cpp:type:`ccf::crypto::Sha256Hash`           | User-defined claims digest, when entry type is WriteSetWith.*Claims     |
 +          +------------------------------------------+-------------------------------------------------------------------------+
-|          | :cpp:type:`crypto::Sha256Hash`           | Commit evidence digest, when entry type is WriteSetWithCommitEvidence.* |
+|          | :cpp:type:`ccf::crypto::Sha256Hash`           | Commit evidence digest, when entry type is WriteSetWithCommitEvidence.* |
 +          +------------------------------------------+-------------------------------------------------------------------------+
 |          | :cpp:type:`kv::Version`                  | Unused, reserved for compatibility                                      |
 +          +------------------------------------------+-------------------------------------------------------------------------+

doc/build_apps/crypto.rst

@@ -8,17 +8,17 @@ For convenience, CCF provides access to commonly used cryptographic primitives t
 Hashing
 -------
 
-.. doxygenfunction:: crypto::sha256(const std::vector<uint8_t> &data)
+.. doxygenfunction:: ccf::crypto::sha256(const std::vector<uint8_t> &data)
   :project: CCF
 
-.. doxygenfunction:: crypto::hmac(MDType, const std::vector<uint8_t>&, const std::vector<uint8_t>&)
+.. doxygenfunction:: ccf::crypto::hmac(MDType, const std::vector<uint8_t>&, const std::vector<uint8_t>&)
   :project: CCF
 
-.. doxygenClass:: crypto::HashProvider
+.. doxygenClass:: ccf::crypto::HashProvider
   :project: CCF
   :members:
 
-.. doxygenfunction:: crypto::make_hash_provider
+.. doxygenfunction:: ccf::crypto::make_hash_provider
   :project: CCF
 
 
@@ -27,49 +27,49 @@ Asymmetric Keys
 
 CCF supports EC and RSA keys; public keys are held in (RSA)PublicKey objects and
 private keys in (RSA)KeyPair objects. (RSA)KeyPairs automatically generate random
-keys when constructed via :cpp:func:`KeyPairPtr crypto::make_key_pair(CurveID)` or
-:cpp:func:`RSAKeyPairPtr crypto::make_rsa_key_pair(size_t, size_t)`.
+keys when constructed via :cpp:func:`KeyPairPtr ccf::crypto::make_key_pair(CurveID)` or
+:cpp:func:`RSAKeyPairPtr ccf::crypto::make_rsa_key_pair(size_t, size_t)`.
 
-.. doxygenclass:: crypto::PublicKey
+.. doxygenclass:: ccf::crypto::PublicKey
   :project: CCF
   :members:
 
-.. doxygenclass:: crypto::KeyPair
+.. doxygenclass:: ccf::crypto::KeyPair
   :project: CCF
   :members:
 
-.. doxygenclass:: crypto::RSAPublicKey
+.. doxygenclass:: ccf::crypto::RSAPublicKey
   :project: CCF
   :members:
 
-.. doxygenclass:: crypto::RSAKeyPair
+.. doxygenclass:: ccf::crypto::RSAKeyPair
   :project: CCF
   :members:
 
-.. doxygenenum:: crypto::CurveID
+.. doxygenenum:: ccf::crypto::CurveID
   :project: CCF
 
-.. doxygenfunction:: crypto::make_key_pair(CurveID)
+.. doxygenfunction:: ccf::crypto::make_key_pair(CurveID)
   :project: CCF
 
-.. doxygenfunction:: crypto::make_key_pair(const Pem&)
+.. doxygenfunction:: ccf::crypto::make_key_pair(const Pem&)
   :project: CCF
 
-.. doxygenfunction:: crypto::make_rsa_key_pair(size_t, size_t)
+.. doxygenfunction:: ccf::crypto::make_rsa_key_pair(size_t, size_t)
   :project: CCF
 
 Symmetric Keys
 --------------------
 
-Currently, only AES-GCM is supported for symmetric encryption. New keys are generated via :cpp:func:`crypto::Entropy::random`
+Currently, only AES-GCM is supported for symmetric encryption. New keys are generated via :cpp:func:`ccf::crypto::Entropy::random`
 
-.. doxygenfunction:: crypto::aes_gcm_encrypt
+.. doxygenfunction:: ccf::crypto::aes_gcm_encrypt
   :project: CCF
 
-.. doxygenfunction:: crypto::aes_gcm_decrypt
+.. doxygenfunction:: ccf::crypto::aes_gcm_decrypt
   :project: CCF
 
-.. doxygenclass:: crypto::Entropy
+.. doxygenclass:: ccf::crypto::Entropy
   :project: CCF
   :members:
 
@@ -78,7 +78,7 @@ Signatures
 
 Verification of signatures is supported via the :cpp:class:`Verifier` class.
 
-.. doxygenclass:: crypto::Verifier
+.. doxygenclass:: ccf::crypto::Verifier
   :project: CCF
   :members:
 
@@ -88,36 +88,36 @@ Key Wrapping
 
 PKCS11 2.1.8 CKM_RSA_PKCS_OAEP
 
-.. doxygenfunction:: crypto::ckm_rsa_pkcs_oaep_wrap(RSAPublicKeyPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_pkcs_oaep_wrap(RSAPublicKeyPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_rsa_pkcs_oaep_wrap(const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_pkcs_oaep_wrap(const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_rsa_pkcs_oaep_unwrap(RSAKeyPairPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_pkcs_oaep_unwrap(RSAKeyPairPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_rsa_pkcs_oaep_unwrap(const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_pkcs_oaep_unwrap(const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
 PKCS11 2.14.3 CKM_AES_KEY_WRAP_PAD (RFC 5649)
 
-.. doxygenfunction:: crypto::ckm_aes_key_wrap_pad
+.. doxygenfunction:: ccf::crypto::ckm_aes_key_wrap_pad
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_aes_key_unwrap_pad
+.. doxygenfunction:: ccf::crypto::ckm_aes_key_unwrap_pad
   :project: CCF
 
 PKCS11 2.1.21 CKM_RSA_AES_KEY_WRAP
 
-.. doxygenfunction:: crypto::ckm_rsa_aes_key_wrap(size_t, RSAPublicKeyPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_aes_key_wrap(size_t, RSAPublicKeyPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_rsa_aes_key_wrap(size_t, const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_aes_key_wrap(size_t, const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_rsa_aes_key_unwrap(RSAKeyPairPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_aes_key_unwrap(RSAKeyPairPtr, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF
 
-.. doxygenfunction:: crypto::ckm_rsa_aes_key_unwrap(const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
+.. doxygenfunction:: ccf::crypto::ckm_rsa_aes_key_unwrap(const Pem&, const std::vector<uint8_t>&, const std::optional<std::vector<uint8_t>>&)
   :project: CCF

include/ccf/base_endpoint_registry.h

@@ -228,14 +228,16 @@ namespace ccf
     /** Get the certificate (PEM) of a given user id.
      */
     ApiResult get_user_cert_v1(
-      kv::ReadOnlyTx& tx, const UserId& user_id, crypto::Pem& user_cert_pem);
+      kv::ReadOnlyTx& tx,
+      const UserId& user_id,
+      ccf::crypto::Pem& user_cert_pem);
 
     /** Get the certificate (PEM) of a given member id.
      */
     ApiResult get_member_cert_v1(
       kv::ReadOnlyTx& tx,
       const MemberId& member_id,
-      crypto::Pem& member_cert_pem);
+      ccf::crypto::Pem& member_cert_pem);
 
     /** Get untrusted time from the host of the currently executing node.
      */

include/ccf/claims_digest.h

@@ -9,7 +9,7 @@ namespace ccf
   class ClaimsDigest
   {
   public:
-    using Digest = crypto::Sha256Hash;
+    using Digest = ccf::crypto::Sha256Hash;
 
   private:
     bool is_set = false;

include/ccf/crypto/base64.h

@@ -5,7 +5,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   std::vector<uint8_t> raw_from_b64(const std::string_view& b64_string);
 

include/ccf/crypto/cose_verifier.h

@@ -9,7 +9,7 @@
 
 #include <chrono>
 
-namespace crypto
+namespace ccf::crypto
 {
   class COSEVerifier
   {

include/ccf/crypto/curve.h

@@ -11,7 +11,7 @@
 #include <stdexcept>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   // SNIPPET_START: supported_curves
   enum class CurveID

include/ccf/crypto/ecdsa.h

@@ -6,7 +6,7 @@
 
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   /** Converts R and S signature parameters to RFC 3279 DER
    * encoding.

include/ccf/crypto/eddsa_key_pair.h

@@ -16,7 +16,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class EdDSAKeyPair
   {

include/ccf/crypto/eddsa_public_key.h

@@ -10,7 +10,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class EdDSAPublicKey
   {

include/ccf/crypto/entropy.h

@@ -27,7 +27,7 @@
 // issue.`
 #define RDRAND_RETRIES 10
 
-namespace crypto
+namespace ccf::crypto
 {
   using rng_func_t = int (*)(void* ctx, unsigned char* output, size_t len);
 

include/ccf/crypto/hash_bytes.h

@@ -5,7 +5,7 @@
 #include <cstdint>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   using HashBytes = std::vector<uint8_t>;
 }

include/ccf/crypto/hash_provider.h

@@ -11,7 +11,7 @@
 #include <iostream>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class HashProvider
   {

include/ccf/crypto/hkdf.h

@@ -7,7 +7,7 @@
 #include <span>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   /** Perform HKDF key derivation */
   std::vector<uint8_t> hkdf(

include/ccf/crypto/hmac.h

@@ -5,7 +5,7 @@
 #include "ccf/crypto/hash_bytes.h"
 #include "ccf/crypto/md_type.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   /** Compute the HMAC of @p key and @p data
    */

include/ccf/crypto/jwk.h

@@ -8,7 +8,7 @@
 
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   enum class JsonWebKeyType
   {

include/ccf/crypto/key_pair.h

@@ -13,7 +13,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class KeyPair
   {

include/ccf/crypto/key_wrap.h

@@ -9,7 +9,7 @@
 #include <cstdint>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   /// PKCS11 2.1.8 CKM_RSA_PKCS_OAEP wrap
   /// @param wrapping_key The wrapping (encryption) key

include/ccf/crypto/md_type.h

@@ -4,7 +4,7 @@
 
 #include "ccf/ds/json.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   enum class MDType
   {

include/ccf/crypto/pem.h

@@ -11,7 +11,7 @@
 #include <string_view>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   // Convenience class ensuring null termination of PEM-encoded certificates
   class Pem
@@ -128,11 +128,11 @@ namespace crypto
     return "Pem";
   }
 
-  static std::vector<crypto::Pem> split_x509_cert_bundle(
+  static std::vector<ccf::crypto::Pem> split_x509_cert_bundle(
     const std::string_view& pem)
   {
     std::string separator("-----END CERTIFICATE-----");
-    std::vector<crypto::Pem> pems;
+    std::vector<ccf::crypto::Pem> pems;
     auto separator_end = 0;
     auto next_separator_start = pem.find(separator);
     while (next_separator_start != std::string_view::npos)
@@ -154,9 +154,9 @@ namespace crypto
 namespace std
 {
   template <>
-  struct hash<crypto::Pem>
+  struct hash<ccf::crypto::Pem>
   {
-    size_t operator()(const crypto::Pem& pem) const
+    size_t operator()(const ccf::crypto::Pem& pem) const
     {
       return std::hash<std::string>()(pem.str());
     }

include/ccf/crypto/public_key.h

@@ -13,7 +13,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class PublicKey
   {

include/ccf/crypto/rsa_key_pair.h

@@ -12,7 +12,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class RSAKeyPair
   {

include/ccf/crypto/rsa_public_key.h

@@ -10,7 +10,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class RSAPublicKey
   {

include/ccf/crypto/san.h

@@ -9,7 +9,7 @@
 #include <fmt/format.h>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   static const std::string IP_ADDRESS_PREFIX = "iPAddress:";
   static const std::string DNS_NAME_PREFIX = "dNSName:";
@@ -56,7 +56,7 @@ namespace crypto
 
 FMT_BEGIN_NAMESPACE
 template <>
-struct formatter<crypto::SubjectAltName>
+struct formatter<ccf::crypto::SubjectAltName>
 {
   template <typename ParseContext>
   constexpr auto parse(ParseContext& ctx)
@@ -65,7 +65,7 @@ struct formatter<crypto::SubjectAltName>
   }
 
   template <typename FormatContext>
-  auto format(const crypto::SubjectAltName& san, FormatContext& ctx) const
+  auto format(const ccf::crypto::SubjectAltName& san, FormatContext& ctx) const
     -> decltype(ctx.out())
   {
     std::string prefix;

include/ccf/crypto/sha256.h

@@ -6,7 +6,7 @@
 
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   /** Compute the SHA256 hash of @p data
    * @param data The data to compute the hash of

include/ccf/crypto/sha256_hash.h

@@ -10,7 +10,7 @@
 #define FMT_HEADER_ONLY
 #include <fmt/format.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   class Sha256Hash
   {
@@ -36,7 +36,7 @@ namespace crypto
       const Sha256Hash& third);
 
     friend std::ostream& operator<<(
-      std::ostream& os, const crypto::Sha256Hash& h);
+      std::ostream& os, const ccf::crypto::Sha256Hash& h);
 
     std::string hex_str() const;
 
@@ -60,7 +60,7 @@ namespace crypto
 
 FMT_BEGIN_NAMESPACE
 template <>
-struct formatter<crypto::Sha256Hash>
+struct formatter<ccf::crypto::Sha256Hash>
 {
   template <typename ParseContext>
   constexpr auto parse(ParseContext& ctx)
@@ -69,7 +69,7 @@ struct formatter<crypto::Sha256Hash>
   }
 
   template <typename FormatContext>
-  auto format(const crypto::Sha256Hash& p, FormatContext& ctx) const
+  auto format(const ccf::crypto::Sha256Hash& p, FormatContext& ctx) const
   {
     return format_to(ctx.out(), "<sha256 {:02x}>", fmt::join(p.h, ""));
   }
@@ -79,18 +79,18 @@ FMT_END_NAMESPACE
 namespace kv::serialisers
 {
   template <>
-  struct BlitSerialiser<crypto::Sha256Hash>
+  struct BlitSerialiser<ccf::crypto::Sha256Hash>
   {
-    static SerialisedEntry to_serialised(const crypto::Sha256Hash& h)
+    static SerialisedEntry to_serialised(const ccf::crypto::Sha256Hash& h)
     {
       auto hex_str = h.hex_str();
       return SerialisedEntry(hex_str.begin(), hex_str.end());
     }
 
-    static crypto::Sha256Hash from_serialised(const SerialisedEntry& data)
+    static ccf::crypto::Sha256Hash from_serialised(const SerialisedEntry& data)
     {
       auto data_str = std::string{data.begin(), data.end()};
-      crypto::Sha256Hash ret;
+      ccf::crypto::Sha256Hash ret;
       return ret.from_hex_string(data_str);
     }
   };

include/ccf/crypto/symmetric_key.h

@@ -7,7 +7,7 @@
 #include <span>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   constexpr size_t GCM_DEFAULT_KEY_SIZE = 32;
 
@@ -44,7 +44,7 @@ namespace crypto
       return GCM_SIZE_TAG + IV_SIZE;
     }
 
-    void set_random_iv(EntropyPtr entropy = crypto::get_entropy())
+    void set_random_iv(EntropyPtr entropy = ccf::crypto::get_entropy())
     {
       iv = entropy->random(IV_SIZE);
     }

include/ccf/crypto/verifier.h

@@ -9,7 +9,7 @@
 
 #include <chrono>
 
-namespace crypto
+namespace ccf::crypto
 {
   class Verifier
   {
@@ -252,13 +252,13 @@ namespace crypto
    */
   VerifierPtr make_verifier(const Pem& pem);
 
-  crypto::Pem cert_der_to_pem(const std::vector<uint8_t>& der);
+  ccf::crypto::Pem cert_der_to_pem(const std::vector<uint8_t>& der);
   std::vector<uint8_t> cert_pem_to_der(const Pem& pem);
 
   std::vector<uint8_t> public_key_der_from_cert(
     const std::vector<uint8_t>& der);
 
-  crypto::Pem public_key_pem_from_cert(const std::vector<uint8_t>& der);
+  ccf::crypto::Pem public_key_pem_from_cert(const std::vector<uint8_t>& der);
 
   std::string get_subject_name(const Pem& cert);
 }

include/ccf/ds/json.h

@@ -66,7 +66,7 @@ namespace std
   {
     if constexpr (std::is_same_v<T, uint8_t>)
     {
-      j = crypto::b64_from_raw(t);
+      j = ccf::crypto::b64_from_raw(t);
     }
     else
     {
@@ -87,7 +87,7 @@ namespace std
       {
         try
         {
-          t = crypto::raw_from_b64(j.get<std::string>());
+          t = ccf::crypto::raw_from_b64(j.get<std::string>());
           return;
         }
         catch (const std::exception& e)

include/ccf/endpoints/authentication/cose_auth.h

@@ -61,7 +61,7 @@ namespace ccf
     MemberId member_id;
 
     /** Member certificate, used to sign this request, described by keyId */
-    crypto::Pem member_cert;
+    ccf::crypto::Pem member_cert;
 
     /** COSE Protected Header */
     GovernanceProtectedHeader protected_header;
@@ -71,7 +71,7 @@ namespace ccf
       const std::span<const uint8_t>& envelope_,
       const std::span<const uint8_t>& signature_,
       const MemberId& member_id_,
-      const crypto::Pem& member_cert_,
+      const ccf::crypto::Pem& member_cert_,
       const GovernanceProtectedHeader& protected_header_) :
       COSESign1AuthnIdentity(content_, envelope_, signature_),
       member_id(member_id_),
@@ -86,7 +86,7 @@ namespace ccf
     UserId user_id;
 
     /** User certificate, used to sign this request, described by keyId */
-    crypto::Pem user_cert;
+    ccf::crypto::Pem user_cert;
 
     /** COSE Protected Header */
     TimestampedProtectedHeader protected_header;
@@ -96,7 +96,7 @@ namespace ccf
       const std::span<const uint8_t>& envelope_,
       const std::span<const uint8_t>& signature_,
       const UserId& user_id_,
-      const crypto::Pem& user_cert_,
+      const ccf::crypto::Pem& user_cert_,
       const TimestampedProtectedHeader& protected_header_) :
       COSESign1AuthnIdentity(content_, envelope_, signature_),
       user_id(user_id_),

include/ccf/node/acme_subsystem_interface.h

@@ -28,7 +28,7 @@ namespace ccf
     virtual std::optional<const ccf::ACMEClientConfig*> config(
       const NodeInfoNetwork::RpcInterfaceID& id) = 0;
 
-    virtual crypto::Pem network_cert() = 0;
+    virtual ccf::crypto::Pem network_cert() = 0;
 
     virtual void install_challenge_handler(
       const ccf::NodeInfoNetwork::RpcInterfaceID& interface_id,

include/ccf/node/startup_config.h

@@ -29,7 +29,7 @@ struct CCFConfig
   {
     std::string subject_name = "CN=CCF Node";
     std::vector<std::string> subject_alt_names = {};
-    crypto::CurveID curve_id = crypto::CurveID::SECP384R1;
+    ccf::crypto::CurveID curve_id = ccf::crypto::CurveID::SECP384R1;
     size_t initial_validity_days = 1;
 
     bool operator==(const NodeCertificateInfo&) const = default;

include/ccf/node_context.h

@@ -66,7 +66,7 @@ namespace ccfapp
       return {};
     }
 
-    virtual crypto::Pem get_self_signed_certificate() const
+    virtual ccf::crypto::Pem get_self_signed_certificate() const
     {
       return {};
     }

include/ccf/pal/attestation.h

@@ -78,7 +78,7 @@ namespace ccf::pal
     report_data = SnpAttestationReportData(quote.report_data);
     measurement = SnpAttestationMeasurement(quote.measurement);
 
-    auto certificates = crypto::split_x509_cert_bundle(std::string_view(
+    auto certificates = ccf::crypto::split_x509_cert_bundle(std::string_view(
       reinterpret_cast<const char*>(quote_info.endorsements.data()),
       quote_info.endorsements.size()));
     if (certificates.size() != 3)
@@ -90,7 +90,7 @@ namespace ccf::pal
     auto sev_version_certificate = certificates[1];
     auto root_certificate = certificates[2];
 
-    auto root_cert_verifier = crypto::make_verifier(root_certificate);
+    auto root_cert_verifier = ccf::crypto::make_verifier(root_certificate);
 
     if (
       root_cert_verifier->public_key_pem().str() !=
@@ -109,7 +109,7 @@ namespace ccf::pal
         "self signed as expected");
     }
 
-    auto chip_cert_verifier = crypto::make_verifier(chip_certificate);
+    auto chip_cert_verifier = ccf::crypto::make_verifier(chip_certificate);
     if (!chip_cert_verifier->verify_certificate(
           {&root_certificate, &sev_version_certificate}))
     {
@@ -127,7 +127,7 @@ namespace ccf::pal
     }
 
     // Make ASN1 DER signature
-    auto quote_signature = crypto::ecdsa_sig_from_r_s(
+    auto quote_signature = ccf::crypto::ecdsa_sig_from_r_s(
       quote.signature.r,
       sizeof(quote.signature.r),
       quote.signature.s,

include/ccf/pal/report_data.h

@@ -53,7 +53,7 @@ namespace ccf::pal
 
     PlatformAttestationReportData() = default;
 
-    PlatformAttestationReportData(const crypto::Sha256Hash& hash) :
+    PlatformAttestationReportData(const ccf::crypto::Sha256Hash& hash) :
       data(hash.h.begin(), hash.h.end())
     {}
 
@@ -67,11 +67,11 @@ namespace ccf::pal
       return ds::to_hex(data);
     }
 
-    crypto::Sha256Hash to_sha256_hash() const
+    ccf::crypto::Sha256Hash to_sha256_hash() const
     {
-      std::span<const uint8_t, crypto::Sha256Hash::SIZE> s(
-        data.data(), crypto::Sha256Hash::SIZE);
-      return crypto::Sha256Hash::from_span(s);
+      std::span<const uint8_t, ccf::crypto::Sha256Hash::SIZE> s(
+        data.data(), ccf::crypto::Sha256Hash::SIZE);
+      return ccf::crypto::Sha256Hash::from_span(s);
     }
   };
 }

include/ccf/receipt.h

@@ -22,12 +22,12 @@ namespace ccf
 
     // Signature over the root digest, signed by the identity described in cert
     std::vector<uint8_t> signature = {};
-    virtual crypto::Sha256Hash calculate_root() = 0;
+    virtual ccf::crypto::Sha256Hash calculate_root() = 0;
 
     ccf::NodeId node_id = {};
-    crypto::Pem cert = {};
+    ccf::crypto::Pem cert = {};
 
-    std::vector<crypto::Pem> service_endorsements = {};
+    std::vector<ccf::crypto::Pem> service_endorsements = {};
 
     virtual bool is_signature_transaction() const = 0;
   };
@@ -42,7 +42,7 @@ namespace ccf
   public:
     struct Components
     {
-      crypto::Sha256Hash write_set_digest;
+      ccf::crypto::Sha256Hash write_set_digest;
       std::string commit_evidence;
       ccf::ClaimsDigest claims_digest;
     };
@@ -56,7 +56,7 @@ namespace ccf
         Right
       } direction;
 
-      crypto::Sha256Hash hash = {};
+      ccf::crypto::Sha256Hash hash = {};
 
       bool operator==(const ProofStep& other) const
       {
@@ -68,7 +68,7 @@ namespace ccf
     // A merkle-tree path from the leaf digest to the signed root
     Proof proof = {};
 
-    crypto::Sha256Hash calculate_root() override
+    ccf::crypto::Sha256Hash calculate_root() override
     {
       auto current = get_leaf_digest();
 
@@ -76,30 +76,31 @@ namespace ccf
       {
         if (element.direction == ProofStep::Left)
         {
-          current = crypto::Sha256Hash(element.hash, current);
+          current = ccf::crypto::Sha256Hash(element.hash, current);
         }
         else
         {
-          current = crypto::Sha256Hash(current, element.hash);
+          current = ccf::crypto::Sha256Hash(current, element.hash);
         }
       }
 
       return current;
     }
 
-    crypto::Sha256Hash get_leaf_digest()
+    ccf::crypto::Sha256Hash get_leaf_digest()
     {
-      crypto::Sha256Hash ce_dgst(leaf_components.commit_evidence);
+      ccf::crypto::Sha256Hash ce_dgst(leaf_components.commit_evidence);
       if (!leaf_components.claims_digest.empty())
       {
-        return crypto::Sha256Hash(
+        return ccf::crypto::Sha256Hash(
           leaf_components.write_set_digest,
           ce_dgst,
           leaf_components.claims_digest.value());
       }
       else
       {
-        return crypto::Sha256Hash(leaf_components.write_set_digest, ce_dgst);
+        return ccf::crypto::Sha256Hash(
+          leaf_components.write_set_digest, ce_dgst);
       }
     }
 
@@ -114,9 +115,9 @@ namespace ccf
   class SignatureReceipt : public Receipt
   {
   public:
-    crypto::Sha256Hash signed_root = {};
+    ccf::crypto::Sha256Hash signed_root = {};
 
-    crypto::Sha256Hash calculate_root() override
+    ccf::crypto::Sha256Hash calculate_root() override
     {
       return signed_root;
     };

include/ccf/service/blit_serialiser_pem.h

@@ -8,17 +8,17 @@
 namespace kv::serialisers
 {
   template <>
-  struct BlitSerialiser<crypto::Pem>
+  struct BlitSerialiser<ccf::crypto::Pem>
   {
-    static SerialisedEntry to_serialised(const crypto::Pem& pem)
+    static SerialisedEntry to_serialised(const ccf::crypto::Pem& pem)
     {
       const auto& data = pem.raw();
       return SerialisedEntry(data.begin(), data.end());
     }
 
-    static crypto::Pem from_serialised(const SerialisedEntry& data)
+    static ccf::crypto::Pem from_serialised(const SerialisedEntry& data)
     {
-      return crypto::Pem(data.data(), data.size());
+      return ccf::crypto::Pem(data.data(), data.size());
     }
   };
 }

include/ccf/service/node_info.h

@@ -31,7 +31,7 @@ namespace ccf
     /// Node enclave quote
     QuoteInfo quote_info;
     /// Node encryption public key, used to distribute ledger re-keys.
-    crypto::Pem encryption_pub_key;
+    ccf::crypto::Pem encryption_pub_key;
     /// Node status
     NodeStatus status = NodeStatus::PENDING;
 
@@ -47,10 +47,10 @@ namespace ccf
      */
 
     /// Node certificate signing request
-    std::optional<crypto::Pem> certificate_signing_request = std::nullopt;
+    std::optional<ccf::crypto::Pem> certificate_signing_request = std::nullopt;
 
     /// Public key
-    std::optional<crypto::Pem> public_key = std::nullopt;
+    std::optional<ccf::crypto::Pem> public_key = std::nullopt;
 
     /// Free-form user data, can be used to store operator correlation
     /// IDs/labels for the node for example
@@ -64,7 +64,7 @@ namespace ccf
      * Node certificate. Only set for 1.x releases. Further releases record
      * node identity in `public_key` field. Service-endorsed certificate is
      * recorded in "public:ccf.nodes.endorsed_certificates" table */
-    std::optional<crypto::Pem> cert = std::nullopt;
+    std::optional<ccf::crypto::Pem> cert = std::nullopt;
 
     /** Commit state for Retired state
      *

include/ccf/service/signed_req.h

@@ -21,7 +21,7 @@ namespace ccf
     std::vector<uint8_t> request_body = {};
 
     /// Hashing algorithm used to summarise content before signature
-    crypto::MDType md = crypto::MDType::NONE;
+    ccf::crypto::MDType md = ccf::crypto::MDType::NONE;
 
     /// Signer key id, if present in the request
     std::string key_id = {};

include/ccf/service/tables/acme_certificates.h

@@ -9,7 +9,7 @@
 namespace ccf
 {
   // Maps each interface name to a certificate
-  using ACMECertificates = ServiceMap<std::string, crypto::Pem>;
+  using ACMECertificates = ServiceMap<std::string, ccf::crypto::Pem>;
 
   namespace Tables
   {

include/ccf/service/tables/host_data.h

@@ -5,7 +5,7 @@
 #include "ccf/crypto/sha256_hash.h"
 #include "ccf/service/map.h"
 
-using HostData = crypto::Sha256Hash;
+using HostData = ccf::crypto::Sha256Hash;
 using HostDataMetadata =
   std::string; // Optional raw (i.e. not base64-encoded) policy
 

include/ccf/service/tables/jwt.h

@@ -94,7 +94,7 @@ namespace ccf
 
   struct JsonWebKeySet
   {
-    std::vector<crypto::JsonWebKey> keys;
+    std::vector<ccf::crypto::JsonWebKey> keys;
 
     bool operator!=(const JsonWebKeySet& rhs) const
     {

include/ccf/service/tables/members.h

@@ -30,17 +30,17 @@ namespace ccf
 
   struct NewMember
   {
-    crypto::Pem cert;
+    ccf::crypto::Pem cert;
 
     // If encryption public key is set, the member is a recovery member
-    std::optional<crypto::Pem> encryption_pub_key = std::nullopt;
+    std::optional<ccf::crypto::Pem> encryption_pub_key = std::nullopt;
     nlohmann::json member_data = nullptr;
 
     NewMember() {}
 
     NewMember(
-      const crypto::Pem& cert_,
-      const std::optional<crypto::Pem>& encryption_pub_key_ = std::nullopt,
+      const ccf::crypto::Pem& cert_,
+      const std::optional<ccf::crypto::Pem>& encryption_pub_key_ = std::nullopt,
       const nlohmann::json& member_data_ = nullptr) :
       cert(cert_),
       encryption_pub_key(encryption_pub_key_),
@@ -76,9 +76,9 @@ namespace ccf
 
   using MemberInfo = ServiceMap<MemberId, MemberDetails>;
 
-  using MemberCerts = kv::RawCopySerialisedMap<MemberId, crypto::Pem>;
+  using MemberCerts = kv::RawCopySerialisedMap<MemberId, ccf::crypto::Pem>;
   using MemberPublicEncryptionKeys =
-    kv::RawCopySerialisedMap<MemberId, crypto::Pem>;
+    kv::RawCopySerialisedMap<MemberId, ccf::crypto::Pem>;
 
   namespace Tables
   {
@@ -98,7 +98,8 @@ namespace ccf
 
     StateDigest() {}
 
-    StateDigest(const crypto::Sha256Hash& root) : state_digest(root.hex_str())
+    StateDigest(const ccf::crypto::Sha256Hash& root) :
+      state_digest(root.hex_str())
     {}
   };
   DECLARE_JSON_TYPE(StateDigest)
@@ -114,15 +115,16 @@ namespace ccf
 
     MemberAck() {}
 
-    MemberAck(const crypto::Sha256Hash& root) : StateDigest(root) {}
+    MemberAck(const ccf::crypto::Sha256Hash& root) : StateDigest(root) {}
 
-    MemberAck(const crypto::Sha256Hash& root, const SignedReq& signed_req_) :
+    MemberAck(
+      const ccf::crypto::Sha256Hash& root, const SignedReq& signed_req_) :
       StateDigest(root),
       signed_req(signed_req_)
     {}
 
     MemberAck(
-      const crypto::Sha256Hash& root,
+      const ccf::crypto::Sha256Hash& root,
       const std::vector<uint8_t>& cose_sign1_req_) :
       StateDigest(root),
       cose_sign1_req(cose_sign1_req_)

include/ccf/service/tables/nodes.h

@@ -18,7 +18,7 @@ namespace ccf
 {
   using Nodes = ServiceMap<NodeId, NodeInfo>;
   using NodeEndorsedCertificates =
-    kv::RawCopySerialisedMap<NodeId, crypto::Pem>;
+    kv::RawCopySerialisedMap<NodeId, ccf::crypto::Pem>;
 
   namespace Tables
   {
@@ -30,17 +30,18 @@ namespace ccf
   inline NodeId compute_node_id_from_pubk_der(
     const std::vector<uint8_t>& node_pubk_der)
   {
-    return crypto::Sha256Hash(node_pubk_der).hex_str();
+    return ccf::crypto::Sha256Hash(node_pubk_der).hex_str();
   }
 
   inline NodeId compute_node_id_from_cert_der(
     const std::vector<uint8_t>& node_cert_der)
   {
     return compute_node_id_from_pubk_der(
-      crypto::public_key_der_from_cert(node_cert_der));
+      ccf::crypto::public_key_der_from_cert(node_cert_der));
   }
 
-  inline NodeId compute_node_id_from_kp(const crypto::KeyPairPtr& node_sign_kp)
+  inline NodeId compute_node_id_from_kp(
+    const ccf::crypto::KeyPairPtr& node_sign_kp)
   {
     return compute_node_id_from_pubk_der(node_sign_kp->public_key_der());
   }

include/ccf/service/tables/service.h

@@ -27,7 +27,7 @@ namespace ccf
   struct ServiceInfo
   {
     /// x.509 Service Certificate, as a PEM string
-    crypto::Pem cert;
+    ccf::crypto::Pem cert;
     /// Status of the service
     ServiceStatus status = ServiceStatus::OPENING;
     /// Version (seqno) of previous service identity (before the last recovery)

include/ccf/service/tables/users.h

@@ -12,7 +12,7 @@ namespace ccf
 {
   struct NewUser
   {
-    crypto::Pem cert;
+    ccf::crypto::Pem cert;
     nlohmann::json user_data = nullptr;
   };
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(NewUser)
@@ -28,7 +28,7 @@ namespace ccf
   DECLARE_JSON_TYPE(UserDetails)
   DECLARE_JSON_REQUIRED_FIELDS(UserDetails, user_data)
 
-  using UserCerts = kv::RawCopySerialisedMap<UserId, crypto::Pem>;
+  using UserCerts = kv::RawCopySerialisedMap<UserId, ccf::crypto::Pem>;
   using UserInfo = ServiceMap<UserId, UserDetails>;
 
   namespace Tables

include/ccf/tx.h

@@ -51,7 +51,7 @@ namespace kv
 
     OrderedChanges all_changes;
 
-    std::optional<crypto::Sha256Hash> root_at_read_version = std::nullopt;
+    std::optional<ccf::crypto::Sha256Hash> root_at_read_version = std::nullopt;
 
     void retain_change_set(
       const std::string& map_name,
@@ -122,7 +122,7 @@ namespace kv
 
     virtual ~BaseTx();
 
-    std::optional<crypto::Sha256Hash> get_root_at_read_version()
+    std::optional<ccf::crypto::Sha256Hash> get_root_at_read_version()
     {
       return root_at_read_version;
     }

samples/apps/logging/logging.cpp

@@ -238,7 +238,7 @@ namespace loggingapp
         response += fmt::format(
           "\nThe caller is a user with ID: {}", user_cert_ident->user_id);
 
-        crypto::Pem user_cert;
+        ccf::crypto::Pem user_cert;
         if (
           get_user_cert_v1(ctx.tx, user_cert_ident->user_id, user_cert) ==
           ccf::ApiResult::OK)
@@ -266,7 +266,7 @@ namespace loggingapp
         response += fmt::format(
           "\nThe caller is a member with ID: {}", member_cert_ident->member_id);
 
-        crypto::Pem member_cert;
+        ccf::crypto::Pem member_cert;
         if (
           get_member_cert_v1(
             ctx.tx, member_cert_ident->member_id, member_cert) ==
@@ -810,7 +810,7 @@ namespace loggingapp
           auto current_value = records_handle->get(id);
           if (current_value.has_value())
           {
-            crypto::Sha256Hash value_digest(current_value.value());
+            ccf::crypto::Sha256Hash value_digest(current_value.value());
             auto etag = value_digest.hex_str();
 
             // On a POST operation, If-Match failing or If-None-Match passing
@@ -853,7 +853,7 @@ namespace loggingapp
         CCF_APP_INFO("Storing {} = {}", id, in.msg);
 
         // SNIPPET_START: public_table_post_etag
-        crypto::Sha256Hash value_digest(in.msg);
+        ccf::crypto::Sha256Hash value_digest(in.msg);
         // Succesful calls set an ETag
         ctx.rpc_ctx->set_response_header("ETag", value_digest.hex_str());
         // SNIPPET_END: public_table_post_etag
@@ -905,7 +905,7 @@ namespace loggingapp
 
           // If a record is present, compute an Entity Tag, and apply
           // If-Match and If-None-Match.
-          crypto::Sha256Hash value_digest(record.value());
+          ccf::crypto::Sha256Hash value_digest(record.value());
           const auto etag = value_digest.hex_str();
 
           if (match_headers.if_match.has_value())
@@ -1000,7 +1000,7 @@ namespace loggingapp
           {
             // If a Match header is present, we need to compute the ETag
             // to resolve the constraints
-            crypto::Sha256Hash value_digest(current_value.value());
+            ccf::crypto::Sha256Hash value_digest(current_value.value());
             const auto etag = value_digest.hex_str();
 
             if (match_headers.if_match.has_value())

src/apps/tpcc/clients/tpcc_client.cpp

@@ -157,7 +157,7 @@ int main(int argc, char** argv)
 {
   logger::config::default_init();
   logger::config::level() = LoggerLevel::INFO;
-  crypto::openssl_sha256_init();
+  ccf::crypto::openssl_sha256_init();
 
   CLI::App cli_app{"Tpcc Client"};
   TpccClientOptions options(cli_app, argv[0]);
@@ -165,7 +165,7 @@ int main(int argc, char** argv)
 
   TpccClient client(options);
   client.run();
-  crypto::openssl_sha256_shutdown();
+  ccf::crypto::openssl_sha256_shutdown();
 
   return 0;
 }

src/clients/perf/perf_client.h

@@ -203,7 +203,7 @@ namespace client
     };
 
   private:
-    crypto::Pem key = {};
+    ccf::crypto::Pem key = {};
     std::string key_id = "Invalid";
     std::shared_ptr<::tls::Cert> tls_cert = nullptr;
 
@@ -301,11 +301,11 @@ namespace client
         const auto raw_key = files::slurp(options.key_file);
         const auto ca = files::slurp_string(options.ca_file);
 
-        key = crypto::Pem(raw_key);
+        key = ccf::crypto::Pem(raw_key);
 
-        const crypto::Pem cert_pem(raw_cert);
-        auto cert_der = crypto::cert_pem_to_der(cert_pem);
-        key_id = crypto::Sha256Hash(cert_der).hex_str();
+        const ccf::crypto::Pem cert_pem(raw_cert);
+        auto cert_der = ccf::crypto::cert_pem_to_der(cert_pem);
+        key_id = ccf::crypto::Sha256Hash(cert_der).hex_str();
 
         tls_cert = std::make_shared<::tls::Cert>(
           std::make_shared<::tls::CA>(ca), cert_pem, key);

src/clients/rpc_tls_client.h

@@ -37,7 +37,7 @@ namespace client
   protected:
     http::ResponseParser parser;
     std::optional<std::string> prefix;
-    crypto::KeyPairPtr key_pair = nullptr;
+    ccf::crypto::KeyPairPtr key_pair = nullptr;
     std::string key_id = "Invalid";
 
     size_t next_send_id = 0;
@@ -113,9 +113,9 @@ namespace client
       key_id(c.key_id)
     {}
 
-    void create_key_pair(const crypto::Pem priv_key)
+    void create_key_pair(const ccf::crypto::Pem priv_key)
     {
-      key_pair = crypto::make_key_pair(priv_key);
+      key_pair = ccf::crypto::make_key_pair(priv_key);
     }
 
     PreparedRpc gen_request(

src/clients/tls_client.h

@@ -16,7 +16,7 @@
 #include <string>
 #include <vector>
 
-using namespace crypto::OpenSSL;
+using namespace ccf::crypto::OpenSSL;
 
 #ifdef _DEBUG
 static BIO* bio_err = NULL;

src/consensus/aft/impl/state.h

@@ -135,7 +135,7 @@ namespace aft
   public:
     Replica(const ccf::NodeId& id_, const std::vector<uint8_t>& cert_) :
       id(id_),
-      verifier(crypto::make_unique_verifier(cert_))
+      verifier(ccf::crypto::make_unique_verifier(cert_))
     {}
 
     ccf::NodeId get_id() const
@@ -145,7 +145,7 @@ namespace aft
 
   private:
     ccf::NodeId id;
-    crypto::VerifierUniquePtr verifier;
+    ccf::crypto::VerifierUniquePtr verifier;
   };
 
   struct State

src/consensus/aft/raft_types.h

@@ -19,7 +19,7 @@ namespace aft
   using Index = uint64_t;
   using Term = uint64_t;
   using Node2NodeMsg = uint64_t;
-  using Nonce = crypto::Sha256Hash;
+  using Nonce = ccf::crypto::Sha256Hash;
 
   using ReplyCallback = std::function<bool(
     void* owner,

src/consensus/aft/test/logging_stub.h

@@ -196,7 +196,7 @@ namespace aft
 
     void close_channel(const ccf::NodeId& peer_id) override {}
 
-    void set_endorsed_node_cert(const crypto::Pem&) override {}
+    void set_endorsed_node_cert(const ccf::crypto::Pem&) override {}
 
     bool have_channel(const ccf::NodeId& nid) override
     {
@@ -231,9 +231,9 @@ namespace aft
 
     void initialize(
       const ccf::NodeId& self_id,
-      const crypto::Pem& service_cert,
-      crypto::KeyPairPtr node_kp,
-      const std::optional<crypto::Pem>& node_cert = std::nullopt) override
+      const ccf::crypto::Pem& service_cert,
+      ccf::crypto::KeyPairPtr node_kp,
+      const std::optional<ccf::crypto::Pem>& node_cert = std::nullopt) override
     {}
 
     bool send_encrypted(
@@ -365,7 +365,8 @@ namespace aft
       kv::Version index;
       std::vector<uint8_t> entry;
       ccf::ClaimsDigest claims_digest;
-      std::optional<crypto::Sha256Hash> commit_evidence_digest = std::nullopt;
+      std::optional<ccf::crypto::Sha256Hash> commit_evidence_digest =
+        std::nullopt;
       kv::ApplyResult result;
 
     public:
@@ -400,7 +401,7 @@ namespace aft
         return std::move(claims_digest);
       }
 
-      std::optional<crypto::Sha256Hash>&& consume_commit_evidence_digest()
+      std::optional<ccf::crypto::Sha256Hash>&& consume_commit_evidence_digest()
         override
       {
         return std::move(commit_evidence_digest);
@@ -562,7 +563,7 @@ namespace aft
       Index,
       const std::vector<uint8_t>&,
       const ccf::NodeId&,
-      const crypto::Pem&)
+      const ccf::crypto::Pem&)
     {}
   };
 }

src/crypto/base64.cpp

@@ -5,7 +5,7 @@
 
 #include "ccf/ds/logger.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   using Base64Impl = Base64_openssl;
 

src/crypto/certs.h

@@ -9,7 +9,7 @@
 #include <chrono>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   static std::string compute_cert_valid_to_string(
     const std::string& valid_from, size_t validity_period_days)
@@ -17,9 +17,9 @@ namespace crypto
     using namespace std::chrono_literals;
     // Note: As per RFC 5280, the validity period runs until "notAfter"
     // _inclusive_ so substract one second from the validity period.
-    auto valid_to = ds::time_point_from_string(valid_from) +
+    auto valid_to = ::ds::time_point_from_string(valid_from) +
       std::chrono::days(validity_period_days) - 1s;
-    return ds::to_x509_time_string(valid_to);
+    return ::ds::to_x509_time_string(valid_to);
   }
 
   static Pem create_self_signed_cert(

src/crypto/csr.h

@@ -7,7 +7,7 @@
 
 #include <openssl/bio.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   /** Extracts the public key from a certificate signing request (CSR).
    * @param signing_request CSR to extract the public key from

src/crypto/ecdsa.cpp

@@ -9,7 +9,7 @@
 #include <openssl/ecdsa.h>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   std::vector<uint8_t> ecdsa_sig_from_r_s(
     const uint8_t* r,

src/crypto/eddsa_key_pair.cpp

@@ -12,7 +12,7 @@
 #include <memory>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   using PublicKeyImpl = EdDSAPublicKey_OpenSSL;
   using KeyPairImpl = EdDSAKeyPair_OpenSSL;

src/crypto/entropy.cpp

@@ -5,7 +5,7 @@
 
 #include "openssl/entropy.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   EntropyPtr get_entropy()
   {

src/crypto/hash.cpp

@@ -6,7 +6,7 @@
 #include "ccf/crypto/hkdf.h"
 #include "ccf/crypto/sha256.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   void default_sha256(const std::span<const uint8_t>& data, uint8_t* h)
   {

src/crypto/hmac.cpp

@@ -6,7 +6,7 @@
 
 #include <openssl/hmac.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   namespace OpenSSL
   {

src/crypto/key_exchange.h

@@ -19,9 +19,9 @@ namespace tls
   class KeyExchangeContext
   {
   private:
-    crypto::KeyPairPtr own_key;
-    crypto::PublicKeyPtr peer_key;
-    crypto::CurveID curve;
+    ccf::crypto::KeyPairPtr own_key;
+    ccf::crypto::PublicKeyPtr peer_key;
+    ccf::crypto::CurveID curve;
     std::vector<uint8_t> shared_secret;
 
     void compute_shared_secret()
@@ -41,7 +41,7 @@ namespace tls
     }
 
   public:
-    KeyExchangeContext() : curve(crypto::CurveID::SECP384R1) {}
+    KeyExchangeContext() : curve(ccf::crypto::CurveID::SECP384R1) {}
 
     ~KeyExchangeContext() {}
 
@@ -91,15 +91,15 @@ namespace tls
       std::vector<uint8_t> tmp(ks.begin(), ks.end());
       tmp.erase(tmp.begin());
 
-      int nid = crypto::PublicKey_OpenSSL::get_openssl_group_id(curve);
-      auto pk = crypto::key_from_raw_ec_point(tmp, nid);
+      int nid = ccf::crypto::PublicKey_OpenSSL::get_openssl_group_id(curve);
+      auto pk = ccf::crypto::key_from_raw_ec_point(tmp, nid);
 
       if (!pk)
       {
         throw std::runtime_error("Failed to parse peer key share");
       }
 
-      peer_key = std::make_shared<crypto::PublicKey_OpenSSL>(pk);
+      peer_key = std::make_shared<ccf::crypto::PublicKey_OpenSSL>(pk);
       shared_secret.clear();
     }
 

src/crypto/key_pair.cpp

@@ -12,7 +12,7 @@
 #include <memory>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   using PublicKeyImpl = PublicKey_OpenSSL;
   using KeyPairImpl = KeyPair_OpenSSL;

src/crypto/key_wrap.cpp

@@ -13,7 +13,7 @@
 #include <stdexcept>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   // With inspiration from
   // http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html

src/crypto/openssl/base64.h

@@ -13,7 +13,7 @@
 // Inspired by openssl/test/evp_test.c
 // Ref: https://www.openssl.org/docs/man1.1.1/man3/EVP_DecodeBlock.html
 
-namespace crypto
+namespace ccf::crypto
 {
   struct Base64_openssl
   {

src/crypto/openssl/cose_verifier.cpp

@@ -15,7 +15,7 @@
 #include <openssl/x509_vfy.h>
 #include <t_cose/t_cose_sign1_verify.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 

src/crypto/openssl/cose_verifier.h

@@ -11,7 +11,7 @@
 #include <chrono>
 #include <openssl/x509.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   class COSEVerifier_OpenSSL : public COSEVerifier
   {

src/crypto/openssl/eddsa_key_pair.cpp

@@ -5,7 +5,7 @@
 
 #include "openssl_wrappers.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   EdDSAKeyPair_OpenSSL::EdDSAKeyPair_OpenSSL(CurveID curve_id)
   {

src/crypto/openssl/eddsa_key_pair.h

@@ -6,7 +6,7 @@
 #include "crypto/openssl/eddsa_public_key.h"
 #include "openssl_wrappers.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   class EdDSAKeyPair_OpenSSL : public EdDSAPublicKey_OpenSSL,
                                public EdDSAKeyPair

src/crypto/openssl/eddsa_public_key.cpp

@@ -5,7 +5,7 @@
 #include "crypto/openssl/hash.h"
 #include "openssl_wrappers.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 

src/crypto/openssl/eddsa_public_key.h

@@ -11,7 +11,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class EdDSAPublicKey_OpenSSL : public EdDSAPublicKey
   {

src/crypto/openssl/entropy.h

@@ -10,7 +10,7 @@
 #include <openssl/rand.h>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class Entropy_OpenSSL : public Entropy
   {

src/crypto/openssl/hash.cpp

@@ -7,7 +7,7 @@
 #include <openssl/sha.h>
 #include <stdexcept>
 
-namespace crypto
+namespace ccf::crypto
 {
   namespace OpenSSL
   {

src/crypto/openssl/hash.h

@@ -12,7 +12,7 @@
 #define FMT_HEADER_ONLY
 #include <fmt/format.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   namespace OpenSSL
   {

src/crypto/openssl/key_pair.cpp

@@ -26,7 +26,7 @@
 #  include <openssl/core_names.h>
 #endif
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 
@@ -457,8 +457,8 @@ namespace crypto
   std::vector<uint8_t> KeyPair_OpenSSL::derive_shared_secret(
     const PublicKey& peer_key)
   {
-    crypto::CurveID cid = peer_key.get_curve_id();
-    int nid = crypto::PublicKey_OpenSSL::get_openssl_group_id(cid);
+    ccf::crypto::CurveID cid = peer_key.get_curve_id();
+    int nid = ccf::crypto::PublicKey_OpenSSL::get_openssl_group_id(cid);
     auto pk = key_from_raw_ec_point(peer_key.public_key_raw(), nid);
 
     std::vector<uint8_t> shared_secret;

src/crypto/openssl/key_pair.h

@@ -11,7 +11,7 @@
 #include <stdexcept>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   class KeyPair_OpenSSL : public PublicKey_OpenSSL, public KeyPair
   {

src/crypto/openssl/openssl_wrappers.h

@@ -26,7 +26,7 @@
 #  include <openssl/evp.h>
 #endif
 
-namespace crypto
+namespace ccf::crypto
 {
   namespace OpenSSL
   {
@@ -341,7 +341,7 @@ namespace crypto
       Unique_X509_TIME(const std::string& s) :
         Unique_SSL_OBJECT(ASN1_TIME_new(), ASN1_TIME_free, /*check_null=*/false)
       {
-        auto t = ds::to_x509_time_string(s);
+        auto t = ::ds::to_x509_time_string(s);
         CHECK1(ASN1_TIME_set_string(*this, t.c_str()));
         CHECK1(ASN1_TIME_normalize(*this));
       }
@@ -349,7 +349,7 @@ namespace crypto
         Unique_SSL_OBJECT(t, ASN1_TIME_free, /*check_null=*/false)
       {}
       Unique_X509_TIME(const std::chrono::system_clock::time_point& t) :
-        Unique_X509_TIME(ds::to_x509_time_string(t))
+        Unique_X509_TIME(::ds::to_x509_time_string(t))
       {}
     };
 

src/crypto/openssl/public_key.cpp

@@ -23,7 +23,7 @@
 #  include <openssl/param_build.h>
 #endif
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 

src/crypto/openssl/public_key.h

@@ -10,7 +10,7 @@
 #include <stdexcept>
 #include <string>
 
-namespace crypto
+namespace ccf::crypto
 {
   class PublicKey_OpenSSL : public PublicKey
   {

src/crypto/openssl/rsa_key_pair.cpp

@@ -10,7 +10,7 @@
 #  include <openssl/core_names.h>
 #endif
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 

src/crypto/openssl/rsa_key_pair.h

@@ -10,7 +10,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class RSAKeyPair_OpenSSL : public RSAPublicKey_OpenSSL, public RSAKeyPair
   {

src/crypto/openssl/rsa_public_key.cpp

@@ -10,7 +10,7 @@
 #  include <openssl/encoder.h>
 #endif
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 

src/crypto/openssl/rsa_public_key.h

@@ -11,7 +11,7 @@
 #include <string>
 #include <vector>
 
-namespace crypto
+namespace ccf::crypto
 {
   class RSAPublicKey_OpenSSL : public PublicKey_OpenSSL, public RSAPublicKey
   {

src/crypto/openssl/symmetric_key.cpp

@@ -11,7 +11,7 @@
 #include <openssl/aes.h>
 #include <openssl/evp.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 

src/crypto/openssl/symmetric_key.h

@@ -7,7 +7,7 @@
 
 #include <openssl/crypto.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   class KeyAesGcm_OpenSSL : public KeyAesGcm
   {

src/crypto/openssl/verifier.cpp

@@ -14,7 +14,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   using namespace OpenSSL;
 
@@ -197,7 +197,7 @@ namespace crypto
     const std::chrono::system_clock::time_point& now) const
   {
     auto [from, to] = validity_period();
-    auto tp_to = ds::time_point_from_string(to);
+    auto tp_to = ::ds::time_point_from_string(to);
     return std::chrono::duration_cast<std::chrono::seconds>(tp_to - now)
              .count() +
       1;
@@ -207,8 +207,8 @@ namespace crypto
     const std::chrono::system_clock::time_point& now) const
   {
     auto [from, to] = validity_period();
-    auto tp_from = ds::time_point_from_string(from);
-    auto tp_to = ds::time_point_from_string(to);
+    auto tp_from = ::ds::time_point_from_string(from);
+    auto tp_to = ::ds::time_point_from_string(to);
     auto total_sec =
       std::chrono::duration_cast<std::chrono::seconds>(tp_to - tp_from)
         .count() +

src/crypto/openssl/verifier.h

@@ -8,7 +8,7 @@
 #include <chrono>
 #include <openssl/x509.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   class Verifier_OpenSSL : public Verifier
   {

src/crypto/openssl/x509_time.h

@@ -7,7 +7,7 @@
 
 #include <openssl/asn1.h>
 
-namespace crypto::OpenSSL
+namespace ccf::crypto::OpenSSL
 {
   /** Set of utilities functions for working with x509 time, as defined in RFC
   5280 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5.1) */
@@ -30,6 +30,6 @@ namespace crypto::OpenSSL
   {
     std::tm t;
     CHECK1(ASN1_TIME_to_tm(time, &t));
-    return ds::to_x509_time_string(t);
+    return ::ds::to_x509_time_string(t);
   }
 }

src/crypto/rsa_key_pair.cpp

@@ -5,7 +5,7 @@
 
 #include "crypto/openssl/rsa_key_pair.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   using RSAPublicKeyImpl = RSAPublicKey_OpenSSL;
   using RSAKeyPairImpl = RSAKeyPair_OpenSSL;

src/crypto/sha256_hash.cpp

@@ -5,7 +5,7 @@
 
 #include "ccf/ds/hex.h"
 
-namespace crypto
+namespace ccf::crypto
 {
   extern void default_sha256(const std::span<const uint8_t>& data, uint8_t* h);
 
@@ -48,9 +48,9 @@ namespace crypto
     default_sha256(data, h.data());
   }
 
-  std::ostream& operator<<(std::ostream& os, const crypto::Sha256Hash& h)
+  std::ostream& operator<<(std::ostream& os, const ccf::crypto::Sha256Hash& h)
   {
-    for (unsigned i = 0; i < crypto::Sha256Hash::SIZE; i++)
+    for (unsigned i = 0; i < ccf::crypto::Sha256Hash::SIZE; i++)
     {
       os << std::hex << static_cast<int>(h.h[i]);
     }
@@ -123,7 +123,7 @@ namespace crypto
 
   bool operator==(const Sha256Hash& lhs, const Sha256Hash& rhs)
   {
-    for (unsigned i = 0; i < crypto::Sha256Hash::SIZE; i++)
+    for (unsigned i = 0; i < ccf::crypto::Sha256Hash::SIZE; i++)
     {
       if (lhs.h[i] != rhs.h[i])
       {

src/crypto/sharing.cpp

@@ -6,7 +6,7 @@
 
 #include <stdexcept>
 
-namespace crypto
+namespace ccf::crypto
 {
   namespace sharing
   {
@@ -94,7 +94,7 @@ namespace crypto
     // We assume the lower 31 bits are uniformly distributed,
     // and retry if they are all set to get uniformity in F[prime].
 
-    static element sample(const crypto::EntropyPtr& entropy)
+    static element sample(const ccf::crypto::EntropyPtr& entropy)
     {
       uint64_t res = prime;
       while (res == prime)
@@ -107,7 +107,7 @@ namespace crypto
     /* POLYNOMIAL SHARING AND INTERPOLATION */
 
     static void sample_polynomial(
-      element p[], size_t degree, const crypto::EntropyPtr& entropy)
+      element p[], size_t degree, const ccf::crypto::EntropyPtr& entropy)
     {
       for (size_t i = 0; i <= degree; i++)
       {
@@ -148,7 +148,7 @@ namespace crypto
         shares[s].x = s + 1;
       }
 
-      auto entropy = crypto::get_entropy();
+      auto entropy = ccf::crypto::get_entropy();
 
       for (size_t limb = 0; limb < LIMBS; limb++)
       {

src/crypto/sharing.h

@@ -14,7 +14,7 @@
 
 #include <fmt/format.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   namespace sharing
   {
@@ -51,7 +51,8 @@ namespace crypto
           reinterpret_cast<const uint8_t*>(y), sizeof(y));
         const std::span<const uint8_t> label(
           reinterpret_cast<const uint8_t*>(y), sizeof(y));
-        auto k = crypto::hkdf(crypto::MDType::SHA256, key_size, ikm, {}, label);
+        auto k = ccf::crypto::hkdf(
+          ccf::crypto::MDType::SHA256, key_size, ikm, {}, label);
         return k;
       }
 

src/crypto/symmetric_key.cpp

@@ -10,7 +10,7 @@
 #define FMT_HEADER_ONLY
 #include <fmt/format.h>
 
-namespace crypto
+namespace ccf::crypto
 {
   /// GcmHeader implementation
   GcmHeader::GcmHeader(size_t iv_size)

src/crypto/test/base64.cpp

@@ -8,7 +8,7 @@
 #include <string>
 
 using namespace std;
-using namespace crypto;
+using namespace ccf::crypto;
 
 static constexpr auto MAX_LEN = 2000;
 

src/crypto/test/bench.cpp

@@ -18,7 +18,7 @@
 #include <picobench/picobench.hpp>
 
 using namespace std;
-using namespace crypto;
+using namespace ccf::crypto;
 
 static const string lorem_ipsum =
   "Lorem ipsum dolor sit amet, consectetur adipiscing "
@@ -97,13 +97,14 @@ template <MDType M, size_t NContents>
 static void benchmark_hmac(picobench::state& s)
 {
   const auto contents = make_contents<NContents>();
-  const auto key = crypto::get_entropy()->random(crypto::GCM_DEFAULT_KEY_SIZE);
+  const auto key =
+    ccf::crypto::get_entropy()->random(ccf::crypto::GCM_DEFAULT_KEY_SIZE);
 
   s.start_timer();
   for (auto _ : s)
   {
     (void)_;
-    HashBytes hash = crypto::hmac(M, key, contents);
+    HashBytes hash = ccf::crypto::hmac(M, key, contents);
     do_not_optimize(hash);
     clobber_memory();
   }
@@ -381,7 +382,7 @@ namespace Hashes
 template <size_t size>
 static void sha256_bench(picobench::state& s)
 {
-  crypto::openssl_sha256_init();
+  ccf::crypto::openssl_sha256_init();
 
   std::vector<uint8_t> v(size);
   for (size_t i = 0; i < size; ++i)
@@ -389,15 +390,15 @@ static void sha256_bench(picobench::state& s)
     v[i] = rand();
   }
 
-  crypto::Sha256Hash h;
+  ccf::crypto::Sha256Hash h;
 
   s.start_timer();
   for (size_t i = 0; i < 10; ++i)
   {
-    crypto::openssl_sha256(v, h.h.data());
+    ccf::crypto::openssl_sha256(v, h.h.data());
   }
   s.stop_timer();
-  crypto::openssl_sha256_shutdown();
+  ccf::crypto::openssl_sha256_shutdown();
 }
 
 PICOBENCH_SUITE("digest sha256");
@@ -436,8 +437,8 @@ namespace Base64_bench
     {
       // We don't check the outputs as this is done elsewhere
       std::string encoded =
-        crypto::Base64_openssl::b64_from_raw(v.data(), v.size());
-      crypto::Base64_openssl::raw_from_b64(encoded);
+        ccf::crypto::Base64_openssl::b64_from_raw(v.data(), v.size());
+      ccf::crypto::Base64_openssl::raw_from_b64(encoded);
     }
     s.stop_timer();
   }
@@ -473,7 +474,7 @@ namespace HMAC_bench
   PICOBENCH(openssl_hmac_sha256_64).PICO_HASH_SUFFIX();
 }
 
-std::vector<crypto::sharing::Share> shares;
+std::vector<ccf::crypto::sharing::Share> shares;
 
 PICOBENCH_SUITE("share");
 namespace SHARE_bench
@@ -487,8 +488,8 @@ namespace SHARE_bench
     for (auto _ : s)
     {
       (void)_;
-      crypto::sharing::Share secret;
-      crypto::sharing::sample_secret_and_shares(secret, shares, threshold);
+      ccf::crypto::sharing::Share secret;
+      ccf::crypto::sharing::sample_secret_and_shares(secret, shares, threshold);
       do_not_optimize(secret);
       clobber_memory();
     }
@@ -520,9 +521,9 @@ namespace SHARE_bench
     for (auto _ : s)
     {
       (void)_;
-      crypto::sharing::Share secret;
-      crypto::sharing::sample_secret_and_shares(secret, shares, threshold);
-      crypto::sharing::recover_unauthenticated_secret(
+      ccf::crypto::sharing::Share secret;
+      ccf::crypto::sharing::sample_secret_and_shares(secret, shares, threshold);
+      ccf::crypto::sharing::recover_unauthenticated_secret(
         secret, shares, threshold);
       do_not_optimize(secret);
       clobber_memory();

src/crypto/test/crypto.cpp

@@ -29,7 +29,7 @@
 #include <span>
 
 using namespace std;
-using namespace crypto;
+using namespace ccf::crypto;
 
 static const string contents_ =
   "Lorem ipsum dolor sit amet, consectetur adipiscing "
@@ -57,15 +57,15 @@ static constexpr CurveID supported_curves[] = {
 
 static constexpr char const* labels[] = {"secp384r1", "secp256r1", "secp256k1"};
 
-crypto::Pem generate_self_signed_cert(
+ccf::crypto::Pem generate_self_signed_cert(
   const KeyPairPtr& kp, const std::string& name)
 {
   constexpr size_t certificate_validity_period_days = 365;
   using namespace std::literals;
   auto valid_from =
-    ds::to_x509_time_string(std::chrono::system_clock::now() - 24h);
+    ::ds::to_x509_time_string(std::chrono::system_clock::now() - 24h);
 
-  return crypto::create_self_signed_cert(
+  return ccf::crypto::create_self_signed_cert(
     kp, name, {}, valid_from, certificate_validity_period_days);
 }
 
@@ -219,12 +219,12 @@ TEST_CASE("Sign, verify. Fail to verify with bad contents")
   }
 }
 
-crypto::HashBytes bad_manual_hash(const std::vector<uint8_t>& data)
+ccf::crypto::HashBytes bad_manual_hash(const std::vector<uint8_t>& data)
 {
   // secp256r1 requires 32-byte hashes, other curves don't care. So use 32 for
   // general hasher
   constexpr auto n = 32;
-  crypto::HashBytes hash(n);
+  ccf::crypto::HashBytes hash(n);
 
   for (size_t i = 0; i < data.size(); ++i)
   {
@@ -241,7 +241,7 @@ TEST_CASE("Manually hash, sign, verify, with PublicKey")
     INFO("With curve: " << labels[static_cast<size_t>(curve) - 1]);
     auto kp = make_key_pair(curve);
     vector<uint8_t> contents(contents_.begin(), contents_.end());
-    crypto::HashBytes hash = bad_manual_hash(contents);
+    ccf::crypto::HashBytes hash = bad_manual_hash(contents);
     const vector<uint8_t> signature = kp->sign_hash(hash.data(), hash.size());
 
     const auto public_key = kp->public_key_pem();
@@ -259,7 +259,7 @@ TEST_CASE("Manually hash, sign, verify, with certificate")
     INFO("With curve: " << labels[static_cast<size_t>(curve) - 1]);
     auto kp = make_key_pair(curve);
     vector<uint8_t> contents(contents_.begin(), contents_.end());
-    crypto::HashBytes hash = bad_manual_hash(contents);
+    ccf::crypto::HashBytes hash = bad_manual_hash(contents);
     const vector<uint8_t> signature = kp->sign_hash(hash.data(), hash.size());
 
     auto cert = generate_self_signed_cert(kp, "CN=name");
@@ -495,71 +495,71 @@ void run_csr(bool corrupt_csr = false)
 TEST_CASE("2-digit years")
 {
   auto time_str = "220405175422Z";
-  auto tp = ds::time_point_from_string(time_str);
-  auto conv = ds::to_x509_time_string(tp);
+  auto tp = ::ds::time_point_from_string(time_str);
+  auto conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == std::string("20") + time_str);
 }
 
 TEST_CASE("Non-ASN.1 timepoint formats")
 {
   auto time_str = "2022-04-05 18:53:27";
-  auto tp = ds::time_point_from_string(time_str);
-  auto conv = ds::to_x509_time_string(tp);
+  auto tp = ::ds::time_point_from_string(time_str);
+  auto conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220405185327Z");
 
   time_str = "2022-04-05 18:53:27.190380";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220405185327Z");
 
   time_str = "2022-04-05 18:53:27 +03:00";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220405155327Z");
 
   time_str = "2022-04-05 18:53:27 +0300";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220405155327Z");
 
   time_str = "2022-04-05 18:53:27.190380+03:00";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220405155327Z");
 
   time_str = "2022-04-05 18:53:27 -03:00";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220405215327Z");
 
   time_str = "2022-04-07T10:37:49.567612";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220407103749Z");
 
   time_str = "2022-04-07T10:37:49.567612+03:00";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220407073749Z");
 
   time_str = "2022-04-07T10:37:49.567612Z";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220407103749Z");
 
   time_str = "220425165619+0000";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220425165619Z");
 
   time_str = "220425165619+0200";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220425145619Z");
 
   time_str = "20220425165619-0300";
-  tp = ds::time_point_from_string(time_str);
-  conv = ds::to_x509_time_string(tp);
+  tp = ::ds::time_point_from_string(time_str);
+  conv = ::ds::to_x509_time_string(tp);
   REQUIRE(conv == "20220425195619Z");
 }
 
@@ -581,7 +581,7 @@ static const vector<uint8_t>& get_raw_key()
 
 TEST_CASE("ExtendedIv0")
 {
-  auto k = crypto::make_key_aes_gcm(get_raw_key());
+  auto k = ccf::crypto::make_key_aes_gcm(get_raw_key());
 
   // setup plain text
   std::vector<uint8_t> plain(100);
@@ -601,7 +601,7 @@ TEST_CASE("ExtendedIv0")
   std::vector<uint8_t> cipher;
   k->encrypt(h.get_iv(), plain, {}, cipher, h.tag);
 
-  auto k2 = crypto::make_key_aes_gcm(get_raw_key());
+  auto k2 = ccf::crypto::make_key_aes_gcm(get_raw_key());
   std::vector<uint8_t> decrypted_plain;
   REQUIRE(k2->decrypt(h.get_iv(), h.tag, cipher, {}, decrypted_plain));
   REQUIRE(plain == decrypted_plain);
@@ -630,14 +630,14 @@ TEST_CASE("CKM_RSA_PKCS_OAEP")
   auto rsa_kp = make_rsa_key_pair();
   auto rsa_pk = make_rsa_public_key(rsa_kp->public_key_pem());
 
-  auto wrapped = crypto::ckm_rsa_pkcs_oaep_wrap(rsa_pk, key);
-  auto wrapped_ = crypto::ckm_rsa_pkcs_oaep_wrap(rsa_pk, key);
+  auto wrapped = ccf::crypto::ckm_rsa_pkcs_oaep_wrap(rsa_pk, key);
+  auto wrapped_ = ccf::crypto::ckm_rsa_pkcs_oaep_wrap(rsa_pk, key);
 
   // CKM_RSA_PKCS_OAEP wrap is non deterministic
   REQUIRE(wrapped != wrapped_);
 
-  auto unwrapped = crypto::ckm_rsa_pkcs_oaep_unwrap(rsa_kp, wrapped);
-  auto unwrapped_ = crypto::ckm_rsa_pkcs_oaep_unwrap(rsa_kp, wrapped_);
+  auto unwrapped = ccf::crypto::ckm_rsa_pkcs_oaep_unwrap(rsa_kp, wrapped);
+  auto unwrapped_ = ccf::crypto::ckm_rsa_pkcs_oaep_unwrap(rsa_kp, wrapped_);
 
   REQUIRE(unwrapped == unwrapped_);
 }
@@ -705,9 +705,9 @@ TEST_CASE("x509 time")
       const auto& from = data.input.from;
       const auto& to = data.input.to;
       REQUIRE(
-        crypto::OpenSSL::validate_chronological_times(
-          crypto::OpenSSL::Unique_X509_TIME(from),
-          crypto::OpenSSL::Unique_X509_TIME(to),
+        ccf::crypto::OpenSSL::validate_chronological_times(
+          ccf::crypto::OpenSSL::Unique_X509_TIME(from),
+          ccf::crypto::OpenSSL::Unique_X509_TIME(to),
           data.input.maximum_validity_period_days) ==
         data.expected_verification_result);
     }
@@ -723,14 +723,14 @@ TEST_CASE("x509 time")
     {
       auto adjusted_time = t + std::chrono::days(days_offset);
 
-      auto from = crypto::OpenSSL::Unique_X509_TIME(t);
-      auto to = crypto::OpenSSL::Unique_X509_TIME(adjusted_time);
+      auto from = ccf::crypto::OpenSSL::Unique_X509_TIME(t);
+      auto to = ccf::crypto::OpenSSL::Unique_X509_TIME(adjusted_time);
 
       // Convert to string and back to time_points
-      auto from_conv =
-        ds::time_point_from_string(crypto::OpenSSL::to_x509_time_string(from));
-      auto to_conv =
-        ds::time_point_from_string(crypto::OpenSSL::to_x509_time_string(to));
+      auto from_conv = ::ds::time_point_from_string(
+        ccf::crypto::OpenSSL::to_x509_time_string(from));
+      auto to_conv = ::ds::time_point_from_string(
+        ccf::crypto::OpenSSL::to_x509_time_string(to));
 
       // Diff is still the same amount of days
       auto days_diff =
@@ -747,9 +747,9 @@ TEST_CASE("x509 time")
     for (auto const& days_offset : days_offsets)
     {
       auto adjusted_time = time + std::chrono::days(days_offset);
-      auto adjusted_str = ds::to_x509_time_string(adjusted_time);
-      auto asn1_time = crypto::OpenSSL::Unique_X509_TIME(adjusted_str);
-      auto converted_str = crypto::OpenSSL::to_x509_time_string(asn1_time);
+      auto adjusted_str = ::ds::to_x509_time_string(adjusted_time);
+      auto asn1_time = ccf::crypto::OpenSSL::Unique_X509_TIME(adjusted_str);
+      auto converted_str = ccf::crypto::OpenSSL::to_x509_time_string(asn1_time);
       REQUIRE(converted_str == adjusted_str);
     }
   }
@@ -764,15 +764,15 @@ TEST_CASE("hmac")
 
   INFO("Same inputs, same hmac");
   {
-    auto r0 = crypto::hmac(MDType::SHA256, key, zeros);
-    auto r1 = crypto::hmac(MDType::SHA256, key, zeros);
+    auto r0 = ccf::crypto::hmac(MDType::SHA256, key, zeros);
+    auto r1 = ccf::crypto::hmac(MDType::SHA256, key, zeros);
     REQUIRE(r0 == r1);
   }
 
   INFO("Different inputs, different hmacs");
   {
-    auto r0 = crypto::hmac(MDType::SHA256, key, zeros);
-    auto r1 = crypto::hmac(MDType::SHA256, key, mostly_zeros);
+    auto r0 = ccf::crypto::hmac(MDType::SHA256, key, zeros);
+    auto r1 = ccf::crypto::hmac(MDType::SHA256, key, mostly_zeros);
     REQUIRE(r0 != r1);
   }
 }
@@ -889,8 +889,8 @@ TEST_CASE("PEM to JWK and back")
 
 TEST_CASE("Incremental hash")
 {
-  crypto::openssl_sha256_init();
-  auto simple_hash = crypto::Sha256Hash(contents);
+  ccf::crypto::openssl_sha256_init();
+  auto simple_hash = ccf::crypto::Sha256Hash(contents);
 
   INFO("Incremental hash");
   {
@@ -930,5 +930,5 @@ TEST_CASE("Incremental hash")
       REQUIRE_THROWS_AS(ihash->finalise(), std::logic_error);
     }
   }
-  crypto::openssl_sha256_shutdown();
+  ccf::crypto::openssl_sha256_shutdown();
 }

src/crypto/test/kp_cert.cpp

@@ -7,8 +7,8 @@
 #include <CLI11/CLI11.hpp>
 
 constexpr size_t certificate_validity_period_days = 365;
-auto valid_from = ds::to_x509_time_string(std::chrono::system_clock::now());
-auto valid_to = crypto::compute_cert_valid_to_string(
+auto valid_from = ::ds::to_x509_time_string(std::chrono::system_clock::now());
+auto valid_to = ccf::crypto::compute_cert_valid_to_string(
   valid_from, certificate_validity_period_days);
 
 int main(int argc, char** argv)
@@ -20,7 +20,7 @@ int main(int argc, char** argv)
       "--sn", name, "Subject Name in node certificate, eg. CN=CCF Node")
     ->capture_default_str();
 
-  std::vector<crypto::SubjectAltName> sans = {};
+  std::vector<ccf::crypto::SubjectAltName> sans = {};
   cli::add_subject_alternative_name_option(
     app,
     sans,
@@ -29,7 +29,7 @@ int main(int argc, char** argv)
     "iPAddress:xxx.xxx.xxx.xxx, or dNSName:sub.domain.tld");
   CLI11_PARSE(app, argc, argv);
 
-  auto kp = crypto::make_key_pair();
+  auto kp = ccf::crypto::make_key_pair();
   auto icrt = kp->self_sign("CN=issuer", valid_from, valid_to);
   auto csr = kp->create_csr(name, sans);
   auto cert = kp->sign_csr(icrt, csr, valid_from, valid_to);