Migrate to rsa 0.9

Cargo.lock

@@ -682,9 +682,9 @@ dependencies = [
 
 [[package]]
 name = "der"
-version = "0.6.1"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1a467a65c5e759bce6e65eaf91cc29f466cdc57cb65777bd646872a8a1fd4de"
+checksum = "56acb310e15652100da43d130af8d97b509e95af61aab1c5a7939ef24337ee17"
 dependencies = [
  "const-oid",
  "zeroize",
@@ -1768,21 +1768,20 @@ dependencies = [
 
 [[package]]
 name = "pkcs1"
-version = "0.4.1"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eff33bdbdfc54cc98a2eca766ebdec3e1b8fb7387523d5c9c9a2891da856f719"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
 dependencies = [
  "der",
  "pkcs8",
  "spki",
- "zeroize",
 ]
 
 [[package]]
 name = "pkcs8"
-version = "0.9.0"
+version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9eca2c590a5f85da82668fa685c09ce2888b9430e83299debf1f34b65fd4a4ba"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
 dependencies = [
  "der",
  "spki",
@@ -2131,11 +2130,12 @@ dependencies = [
 
 [[package]]
 name = "rsa"
-version = "0.7.2"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "094052d5470cbcef561cb848a7209968c9f12dfa6d668f4bca048ac5de51099c"
+checksum = "6ab43bb47d23c1a631b4b680199a45255dce26fa9ab2fa902581f624ff13e6a8"
 dependencies = [
  "byteorder",
+ "const-oid",
  "digest 0.10.7",
  "num-bigint-dig",
  "num-integer",
@@ -2145,7 +2145,7 @@ dependencies = [
  "pkcs8",
  "rand_core 0.6.4",
  "signature",
- "smallvec",
+ "spki",
  "subtle",
  "zeroize",
 ]
@@ -2340,9 +2340,9 @@ dependencies = [
 
 [[package]]
 name = "signature"
-version = "1.6.4"
+version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74233d3b3b2f6d4b006dc19dee745e73e2a6bfb6f93607cd3b02bd5b00797d7c"
+checksum = "5e1788eed21689f9cf370582dfc467ef36ed9c707f073528ddafa8d83e3b8500"
 dependencies = [
  "digest 0.10.7",
  "rand_core 0.6.4",
@@ -2371,9 +2371,9 @@ checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 
 [[package]]
 name = "spki"
-version = "0.6.0"
+version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67cf02bbac7a337dc36e4f5a693db6c21e7863f45070f7064577eb4367a3212b"
+checksum = "9d1e996ef02c474957d681f1b05213dfb0abab947b446a62d37770b23500184a"
 dependencies = [
  "base64ct",
  "der",

age/CHANGELOG.md

@@ -14,7 +14,7 @@ to 1.0.0 are beta releases.
 
 ### Changed
 - MSRV is now 1.65.0.
-- Migrated to `base64 0.21`.
+- Migrated to `base64 0.21`, `rsa 0.9`.
 
 ## [0.9.2] - 2023-06-12
 ### Added

age/Cargo.toml

@@ -27,7 +27,7 @@ rand.workspace = true
 
 # OpenSSH-specific dependencies:
 # - RSAES-OAEP from RFC 8017 with SHA-256 and MGF1
-rsa = { version = "0.7", default-features = false, optional = true }
+rsa = { version = "0.9", default-features = false, optional = true }
 
 # - Conversion of public keys from Ed25519 to X25519
 curve25519-dalek = { version = "3", optional = true }

age/src/ssh.rs

@@ -522,7 +522,7 @@ mod read_ssh {
 mod write_ssh {
     use cookie_factory::{bytes::be_u32, combinator::slice, sequence::tuple, SerializeFn};
     use num_traits::identities::Zero;
-    use rsa::{BigUint, PublicKeyParts};
+    use rsa::{traits::PublicKeyParts, BigUint};
     use std::io::Write;
 
     use super::SSH_RSA_KEY_PREFIX;

age/src/ssh/identity.rs

@@ -14,7 +14,7 @@ use nom::{
     IResult,
 };
 use rand::rngs::OsRng;
-use rsa::{padding::PaddingScheme, pkcs1::DecodeRsaPrivateKey};
+use rsa::{pkcs1::DecodeRsaPrivateKey, Oaep};
 use sha2::{Digest, Sha256, Sha512};
 use std::fmt;
 use std::io;
@@ -60,7 +60,7 @@ impl UnencryptedKey {
                 Some(
                     sk.decrypt_blinded(
                         &mut rng,
-                        PaddingScheme::new_oaep_with_label::<Sha256, _>(SSH_RSA_OAEP_LABEL),
+                        Oaep::new_with_label::<Sha256, _>(SSH_RSA_OAEP_LABEL),
                         &stanza.body,
                     )
                     .map_err(DecryptError::from)

age/src/ssh/recipient.rs

@@ -16,7 +16,7 @@ use nom::{
     IResult,
 };
 use rand::rngs::OsRng;
-use rsa::{padding::PaddingScheme, PublicKey};
+use rsa::Oaep;
 use sha2::Sha256;
 use std::fmt;
 use x25519_dalek::{EphemeralSecret, PublicKey as X25519PublicKey, StaticSecret};
@@ -136,7 +136,7 @@ impl crate::Recipient for Recipient {
                 let encrypted_file_key = pk
                     .encrypt(
                         &mut rng,
-                        PaddingScheme::new_oaep_with_label::<Sha256, _>(SSH_RSA_OAEP_LABEL),
+                        Oaep::new_with_label::<Sha256, _>(SSH_RSA_OAEP_LABEL),
                         file_key.expose_secret(),
                     )
                     .expect("pubkey is valid and file key is not too long");

supply-chain/config.toml

@@ -240,7 +240,7 @@ version = "5.4.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.der]]
-version = "0.6.1"
+version = "0.7.6"
 criteria = "safe-to-deploy"
 
 [[exemptions.digest]]
@@ -544,11 +544,11 @@ version = "0.5.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.pkcs1]]
-version = "0.4.1"
+version = "0.7.5"
 criteria = "safe-to-deploy"
 
 [[exemptions.pkcs8]]
-version = "0.9.0"
+version = "0.10.2"
 criteria = "safe-to-deploy"
 
 [[exemptions.pkg-config]]
@@ -652,7 +652,7 @@ version = "6.0.1"
 criteria = "safe-to-deploy"
 
 [[exemptions.rsa]]
-version = "0.7.2"
+version = "0.9.2"
 criteria = "safe-to-deploy"
 
 [[exemptions.rust-embed]]
@@ -715,10 +715,6 @@ criteria = "safe-to-deploy"
 version = "0.6.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.signature]]
-version = "1.6.4"
-criteria = "safe-to-deploy"
-
 [[exemptions.smallvec]]
 version = "1.10.0"
 criteria = "safe-to-deploy"
@@ -728,7 +724,7 @@ version = "0.5.2"
 criteria = "safe-to-deploy"
 
 [[exemptions.spki]]
-version = "0.6.0"
+version = "0.7.2"
 criteria = "safe-to-deploy"
 
 [[exemptions.stable_deref_trait]]

supply-chain/imports.lock

@@ -1302,6 +1302,16 @@ criteria = "safe-to-deploy"
 delta = "1.0.95 -> 1.0.96"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.zcash.audits.signature]]
+who = "Daira Emma Hopwood <daira@jacaranda.org>"
+criteria = "safe-to-deploy"
+version = "2.1.0"
+notes = """
+This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations.
+I did not review whether implementing these APIs would present any undocumented cryptographic hazards.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.zcash.audits.time-core]]
 who = "Jack Grigg <jack@electriccoin.co>"
 criteria = "safe-to-deploy"