From f2731ecc43e503edaa8cacf7331f75cb03337c9c Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 13 Jun 2023 23:32:23 +0000 Subject: [PATCH] Migrate to `rsa 0.9` --- Cargo.lock | 28 ++++++++++++++-------------- age/CHANGELOG.md | 2 +- age/Cargo.toml | 2 +- age/src/ssh.rs | 2 +- age/src/ssh/identity.rs | 4 ++-- age/src/ssh/recipient.rs | 4 ++-- supply-chain/config.toml | 14 +++++--------- supply-chain/imports.lock | 10 ++++++++++ 8 files changed, 36 insertions(+), 30 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b6d748c..2eb6070 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -682,9 +682,9 @@ dependencies = [ [[package]] name = "der" -version = "0.6.1" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de" +checksum = "56acb310e15652100da43d130af8d97b509e95af61aab1c5a7939ef24337ee17" dependencies = [ "const-oid", "zeroize", @@ -1768,21 +1768,20 @@ dependencies = [ [[package]] name = "pkcs1" -version = "0.4.1" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eff33bdbdfc54cc98a2eca766ebdec3e1b8fb7387523d5c9c9a2891da856f719" +checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" dependencies = [ "der", "pkcs8", "spki", - "zeroize", ] [[package]] name = "pkcs8" -version = "0.9.0" +version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" dependencies = [ "der", "spki", 
@@ -2131,11 +2130,12 @@ dependencies = [ [[package]] name = "rsa" -version = "0.7.2" +version = "0.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "094052d5470cbcef561cb848a7209968c9f12dfa6d668f4bca048ac5de51099c" +checksum = "6ab43bb47d23c1a631b4b680199a45255dce26fa9ab2fa902581f624ff13e6a8" dependencies = [ "byteorder", + "const-oid", "digest 0.10.7", "num-bigint-dig", "num-integer", @@ -2145,7 +2145,7 @@ dependencies = [ "pkcs8", "rand_core 0.6.4", "signature", - "smallvec", + "spki", "subtle", "zeroize", ] @@ -2340,9 +2340,9 @@ dependencies = [ [[package]] name = "signature" -version = "1.6.4" +version = "2.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74233d3b3b2f6d4b006dc19dee745e73e2a6bfb6f93607cd3b02bd5b00797d7c" +checksum = "5e1788eed21689f9cf370582dfc467ef36ed9c707f073528ddafa8d83e3b8500" dependencies = [ "digest 0.10.7", "rand_core 0.6.4", @@ -2371,9 +2371,9 @@ checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" [[package]] name = "spki" -version = "0.6.0" +version = "0.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b" +checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a" dependencies = [ "base64ct", "der", diff --git a/age/CHANGELOG.md b/age/CHANGELOG.md index 1618e9f..91b60b3 100644 --- a/age/CHANGELOG.md +++ b/age/CHANGELOG.md @@ -14,7 +14,7 @@ to 1.0.0 are beta releases. ### Changed - MSRV is now 1.65.0. -- Migrated to `base64 0.21`. +- Migrated to `base64 0.21`, `rsa 0.9`. ## [0.9.2] - 2023-06-12 ### Added diff --git a/age/Cargo.toml b/age/Cargo.toml index 220ce4e..3409d12 100644 --- a/age/Cargo.toml +++ b/age/Cargo.toml 
@@ -27,7 +27,7 @@ rand.workspace = true
 # OpenSSH-specific dependencies:
 # - RSAES-OAEP from RFC 8017 with SHA-256 and MGF1
-rsa = { version = "0.7", default-features = false, optional = true }
+rsa = { version = "0.9", default-features = false, optional = true }
 # - Conversion of public keys from Ed25519 to X25519
 curve25519-dalek = { version = "3", optional = true }
diff --git a/age/src/ssh.rs b/age/src/ssh.rs
index 8553636..a816c59 100644
--- a/age/src/ssh.rs
+++ b/age/src/ssh.rs
@@ -522,7 +522,7 @@ mod read_ssh {
 mod write_ssh {
 use cookie_factory::{bytes::be_u32, combinator::slice, sequence::tuple, SerializeFn};
 use num_traits::identities::Zero;
- use rsa::{BigUint, PublicKeyParts};
+ use rsa::{traits::PublicKeyParts, BigUint};
 use std::io::Write;
 use super::SSH_RSA_KEY_PREFIX;
diff --git a/age/src/ssh/identity.rs b/age/src/ssh/identity.rs
index 34d92af..16dc1ec 100644
--- a/age/src/ssh/identity.rs
+++ b/age/src/ssh/identity.rs
@@ -14,7 +14,7 @@ use nom::{
 IResult,
 };
 use rand::rngs::OsRng;
-use rsa::{padding::PaddingScheme, pkcs1::DecodeRsaPrivateKey};
+use rsa::{pkcs1::DecodeRsaPrivateKey, Oaep};
 use sha2::{Digest, Sha256, Sha512};
 use std::fmt;
 use std::io;
@@ -60,7 +60,7 @@ impl UnencryptedKey {
 Some(
 sk.decrypt_blinded(
 &mut rng,
- PaddingScheme::new_oaep_with_label::(SSH_RSA_OAEP_LABEL),
+ Oaep::new_with_label::(SSH_RSA_OAEP_LABEL),
 &stanza.body,
 )
 .map_err(DecryptError::from)
diff --git a/age/src/ssh/recipient.rs b/age/src/ssh/recipient.rs
index 6b82cad..fe2bd5e 100644
--- a/age/src/ssh/recipient.rs
+++ b/age/src/ssh/recipient.rs
@@ -16,7 +16,7 @@ use nom::{
 IResult,
 };
 use rand::rngs::OsRng;
-use rsa::{padding::PaddingScheme, PublicKey};
+use rsa::Oaep;
 use sha2::Sha256;
 use std::fmt;
 use x25519_dalek::{EphemeralSecret, PublicKey as X25519PublicKey, StaticSecret};
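Review bot: In `age/src/ssh/identity.rs`, the `decrypt_blinded` call now builds its padding with `Oaep::new_with_label`, and nothing at the call site records which digest the OAEP label hash and MGF1 use, or that `age/src/ssh/recipient.rs` has to construct exactly the same padding. The generic arguments are not legible on this page, so the digest is presumably the `Sha256` this file imports; a mismatch between the two call sites after a crate migration would only show up as a decryption failure at runtime. I would add a comment above the argument such as `// RSAES-OAEP: SHA-256 for both the label hash and MGF1; must stay identical to ssh/recipient.rs`, or build the padding in one shared helper used by both files. If the test suite does not already have one, a known-answer test that unwraps a stanza produced before the migration would confirm the 0.9 API is wire-compatible. The enclosing method starts and ends outside the hunk.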
@@ -136,7 +136,7 @@ impl crate::Recipient for Recipient {
 let encrypted_file_key = pk
 .encrypt(
 &mut rng,
- PaddingScheme::new_oaep_with_label::(SSH_RSA_OAEP_LABEL),
+ Oaep::new_with_label::(SSH_RSA_OAEP_LABEL),
 file_key.expose_secret(),
 )
 .expect("pubkey is valid and file key is not too long");
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index adb3f29..40a1dad 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -240,7 +240,7 @@ version = "5.4.0"
 criteria = "safe-to-deploy"
 [[exemptions.der]]
-version = "0.6.1"
+version = "0.7.6"
 criteria = "safe-to-deploy"
 [[exemptions.digest]]
@@ -544,11 +544,11 @@ version = "0.5.0"
 criteria = "safe-to-deploy"
 [[exemptions.pkcs1]]
-version = "0.4.1"
+version = "0.7.5"
 criteria = "safe-to-deploy"
 [[exemptions.pkcs8]]
-version = "0.9.0"
+version = "0.10.2"
 criteria = "safe-to-deploy"
 [[exemptions.pkg-config]]
@@ -652,7 +652,7 @@ version = "6.0.1"
 criteria = "safe-to-deploy"
 [[exemptions.rsa]]
-version = "0.7.2"
+version = "0.9.2"
 criteria = "safe-to-deploy"
 [[exemptions.rust-embed]]
@@ -715,10 +715,6 @@ criteria = "safe-to-deploy"
 version = "0.6.2"
 criteria = "safe-to-deploy"
-[[exemptions.signature]]
-version = "1.6.4"
-criteria = "safe-to-deploy"
-
 [[exemptions.smallvec]]
 version = "1.10.0"
 criteria = "safe-to-deploy"
@@ -728,7 +724,7 @@ version = "0.5.2"
 criteria = "safe-to-deploy"
 [[exemptions.spki]]
-version = "0.6.0"
+version = "0.7.2"
 criteria = "safe-to-deploy"
 [[exemptions.stable_deref_trait]]
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index a165eea..09205f0 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
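Review bot: In `age/src/ssh/recipient.rs`, `pk.encrypt(...)` is still followed by `.expect("pubkey is valid and file key is not too long")`, so any error the `rsa` 0.9 code path returns for a recipient key becomes a panic instead of an encryption error. The invariant in that message depends on checks made where the key is parsed, which is outside this hunk; OAEP with SHA-256 (the scheme named in the `Cargo.toml` comment) needs a modulus large enough for the file key plus the padding overhead, and no minimum key size is visible here. Because recipient keys come from user-supplied input, either confirm that the parser rejects every key `encrypt` would refuse under the new crate version, or propagate the error with `?` through the function's existing error type if its signature allows. The enclosing function starts and ends outside the hunk.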
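Review bot: The `[[exemptions.rsa]]` entry in `supply-chain/config.toml` is re-pinned from 0.7.2 to 0.9.2 (likewise `der`, `pkcs1`, `pkcs8` and `spki` in the neighbouring hunks), so the crates that now perform the OAEP encryption and decryption are accepted as `safe-to-deploy` by exemption, with no audit of the new versions recorded in this change. Only `signature` moves from an exemption to an imported audit. If the 0.7.2 -> 0.9.2 delta was read during the migration, recording it as a delta audit would be better than carrying the exemption forward. If it was not, a line such as `notes = "exemption carried forward from 0.7.2; delta not reviewed"` on the entry makes that visible to the next reader.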
@@ -1302,6 +1302,16 @@ criteria = "safe-to-deploy" delta = "1.0.95 -> 1.0.96" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.signature]] +who = "Daira Emma Hopwood " +criteria = "safe-to-deploy" +version = "2.1.0" +notes = """ +This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations. +I did not review whether implementing these APIs would present any undocumented cryptographic hazards. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.time-core]] who = "Jack Grigg " criteria = "safe-to-deploy"