chore: update axum crate

Cargo.toml

@@ -18,7 +18,7 @@ strip = true
 opt-level = 's'
 
 [workspace.package]
-version = "0.2.2"
+version = "0.2.3"
 edition = "2021"
 repository = "https://github.com/ldclabs/ic-tee"
 keywords = ["tee", "canister", "icp", "nitro"]
@@ -27,16 +27,18 @@ license = "MIT OR Apache-2.0"
 
 [workspace.dependencies]
 anyhow = "1"
-axum = { version = "0.7", features = [
+axum = { version = "0.8", features = [
   "http1",
   "http2",
   "json",
-  "macros",
+  # "macros",
   "matched-path",
   "tokio",
   "query",
 ], default-features = true }
+axum-core = "0.5"
 axum-server = { version = "0.7", features = ["tls-rustls"] }
+http = "1.2"
 bytes = "1"
 base64 = "0.22"
 clap = { version = "4.5", features = ["derive"] }

LICENSE-MIT

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 LDC Labs
+Copyright (c) 2024-2025 LDC Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -21,6 +21,6 @@ Relation project:
 | [ic_tee_nitro_gateway](https://github.com/ldclabs/ic-tee/tree/main/src/ic_tee_nitro_gateway)         | A gateway service within an AWS Nitro enclave.                                                            |
 
 ## License
-Copyright © 2024 [LDC Labs](https://github.com/ldclabs).
+Copyright © 2024-2025 [LDC Labs](https://github.com/ldclabs).
 
 `ldclabs/ic-tee` is licensed under the MIT License. See [LICENSE](./LICENSE-MIT) for the full license text.

src/ic_tee_agent/Cargo.toml

@@ -11,6 +11,8 @@ license.workspace = true
 
 [dependencies]
 ic_tee_cdk = { path = "../ic_tee_cdk", version = "0.2" }
+http = { workspace = true }
+axum-core = { workspace = true }
 base64 = { workspace = true }
 candid = { workspace = true }
 ed25519-consensus = { workspace = true }
@@ -21,7 +23,6 @@ serde_bytes = { workspace = true }
 ic-agent = { workspace = true }
 rand = { workspace = true }
 tokio = { workspace = true }
-axum = { workspace = true }
 bytes = { workspace = true }
 mime = { workspace = true }
 thiserror = { workspace = true }

src/ic_tee_agent/src/http/authentication.rs

@@ -1,3 +1,37 @@
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use candid::Principal;
+use ciborium::from_reader;
+use http::header::{HeaderMap, HeaderName};
+use ic_agent::Identity;
+use ic_canister_sig_creation::delegation_signature_msg;
+use ic_cose_types::{cose::sha3_256, to_cbor_bytes};
+use ic_tee_cdk::SignedDelegation;
+use thiserror::Error;
+
+pub const PERMITTED_DRIFT_MS: u64 = 30 * 1000;
+pub const ANONYMOUS_PRINCIPAL: Principal = Principal::anonymous();
+
+pub static HEADER_X_FORWARDED_FOR: HeaderName = HeaderName::from_static("x-forwarded-for");
+pub static HEADER_X_FORWARDED_HOST: HeaderName = HeaderName::from_static("x-forwarded-host");
+pub static HEADER_X_FORWARDED_PROTO: HeaderName = HeaderName::from_static("x-forwarded-proto");
+
+/// Caller's public key for authentication
+pub static HEADER_IC_TEE_PUBKEY: HeaderName = HeaderName::from_static("ic-tee-pubkey");
+/// Delegation chain for authentication
+pub static HEADER_IC_TEE_DELEGATION: HeaderName = HeaderName::from_static("ic-tee-delegation");
+/// Request content hash (customizable by business logic)
+pub static HEADER_IC_TEE_CONTENT_DIGEST: HeaderName =
+    HeaderName::from_static("ic-tee-content-digest");
+/// Signature of the content digest
+pub static HEADER_IC_TEE_SIGNATURE: HeaderName = HeaderName::from_static("ic-tee-signature");
+
+/// TEE ID added to upstream requests
+pub static HEADER_IC_TEE_ID: HeaderName = HeaderName::from_static("ic-tee-id");
+/// TEE instance ID added to upstream requests
+pub static HEADER_IC_TEE_INSTANCE: HeaderName = HeaderName::from_static("ic-tee-instance");
+/// Authenticated caller principal (or anonymous principal)
+pub static HEADER_IC_TEE_CALLER: HeaderName = HeaderName::from_static("ic-tee-caller");
+
 /// The `UserSignature` struct represents an end user's signature and provides methods to
 /// parse and validate the signature from HTTP headers.
 ///
@@ -41,41 +75,6 @@
 /// # Static Variables
 /// - `IC_ROOT_PUBLIC_KEY`: The IC root public key used when verifying canister signatures.
 ///
-use axum::http::header::{HeaderMap, HeaderName};
-use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
-use candid::Principal;
-use ciborium::from_reader;
-use ic_agent::Identity;
-use ic_canister_sig_creation::delegation_signature_msg;
-use ic_cose_types::{cose::sha3_256, to_cbor_bytes};
-use ic_tee_cdk::SignedDelegation;
-use thiserror::Error;
-
-pub const PERMITTED_DRIFT_MS: u64 = 30 * 1000;
-pub const ANONYMOUS_PRINCIPAL: Principal = Principal::anonymous();
-
-pub static HEADER_X_FORWARDED_FOR: HeaderName = HeaderName::from_static("x-forwarded-for");
-pub static HEADER_X_FORWARDED_HOST: HeaderName = HeaderName::from_static("x-forwarded-host");
-pub static HEADER_X_FORWARDED_PROTO: HeaderName = HeaderName::from_static("x-forwarded-proto");
-
-/// Caller's public key for authentication
-pub static HEADER_IC_TEE_PUBKEY: HeaderName = HeaderName::from_static("ic-tee-pubkey");
-/// Delegation chain for authentication
-pub static HEADER_IC_TEE_DELEGATION: HeaderName = HeaderName::from_static("ic-tee-delegation");
-/// Request content hash (customizable by business logic)
-pub static HEADER_IC_TEE_CONTENT_DIGEST: HeaderName =
-    HeaderName::from_static("ic-tee-content-digest");
-/// Signature of the content digest
-pub static HEADER_IC_TEE_SIGNATURE: HeaderName = HeaderName::from_static("ic-tee-signature");
-
-/// TEE ID added to upstream requests
-pub static HEADER_IC_TEE_ID: HeaderName = HeaderName::from_static("ic-tee-id");
-/// TEE instance ID added to upstream requests
-pub static HEADER_IC_TEE_INSTANCE: HeaderName = HeaderName::from_static("ic-tee-instance");
-/// Authenticated caller principal (or anonymous principal)
-pub static HEADER_IC_TEE_CALLER: HeaderName = HeaderName::from_static("ic-tee-caller");
-
-/// Represents an end user's signature for HTTP request authentication.
 #[derive(Clone, Debug)]
 pub struct UserSignature {
     pub pubkey: Vec<u8>,

src/ic_tee_agent/src/http/content.rs

@@ -1,14 +1,12 @@
-use axum::{
-    async_trait,
-    body::Bytes,
+use axum_core::{
     extract::{FromRequest, Request},
-    http::{
-        header::{self, HeaderMap, HeaderValue},
-        StatusCode,
-    },
     response::{IntoResponse, Response},
 };
-use bytes::{BufMut, BytesMut};
+use bytes::{BufMut, Bytes, BytesMut};
+use http::{
+    header::{self, HeaderMap, HeaderValue},
+    StatusCode,
+};
 use serde::{de::DeserializeOwned, Serialize};
 
 pub static CONTENT_TYPE_CBOR: &str = "application/cbor";
@@ -64,11 +62,9 @@ impl Content<()> {
     }
 }
 
-#[async_trait]
-impl<T, S> FromRequest<S> for Content<T>
+impl<S, T> FromRequest<S> for Content<T>
 where
-    T: DeserializeOwned + Send + Sync,
-    Bytes: FromRequest<S>,
+    T: DeserializeOwned,
     S: Send + Sync,
 {
     type Rejection = Response;

src/ic_tee_nitro_gateway/src/handler.rs

@@ -32,11 +32,6 @@ use crate::{attestation::sign_attestation, crypto, ic_sig_verifier::verify_sig,
 
 type Client = hyper_util::client::legacy::Client<HttpConnector, Body>;
 
-pub fn new_client() -> Client {
-    hyper_util::client::legacy::Client::<(), ()>::builder(TokioExecutor::new())
-        .build(HttpConnector::new())
-}
-
 #[derive(Clone)]
 pub struct AppState {
     info: Arc<TEEAppInformation>,
@@ -49,11 +44,14 @@ pub struct AppState {
 impl AppState {
     pub fn new(
         info: Arc<TEEAppInformation>,
-        http_client: Arc<Client>,
         tee_agent: Arc<TEEAgent>,
         root_secret: [u8; 48],
         upstream_port: Option<u16>,
     ) -> Self {
+        let http_client = Arc::new(
+            hyper_util::client::legacy::Client::<(), ()>::builder(TokioExecutor::new())
+                .build(HttpConnector::new()),
+        );
         Self {
             info,
             http_client,
@@ -396,7 +394,7 @@ pub async fn proxy(
         Ok(res) => Ok(res.into_response()),
         Err(err) => Err(Content::Text(
             err.to_string(),
-            Some(StatusCode::INTERNAL_SERVER_ERROR),
+            Some(StatusCode::BAD_REQUEST),
         )),
     }
 }