diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml index a7756e39..35601016 100644 --- a/biscuit-auth/Cargo.toml +++ b/biscuit-auth/Cargo.toml @@ -26,8 +26,8 @@ uuid = ["dep:uuid"] pem = ["ed25519-dalek/pem", "ed25519-dalek/pkcs8"] [dependencies] -rand_core = "^0.6" -sha2 = "^0.9" +rand_core = "0.9" +sha2 = "0.11.0-rc.2" prost = "0.10" prost-types = "0.10" regex = { version = "1.5", default-features = false, features = ["std"] } @@ -35,12 +35,12 @@ nom = { version = "7", default-features = false, features = ["std"] } hex = "0.4" zeroize = { version = "1.5", default-features = false } thiserror = "1" -rand = { version = "0.8" } +rand = { version = "0.9" } wasm-bindgen = { version = "0.2", optional = true } base64 = "0.13.0" -ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize"] } +ed25519-dalek = { version = "3.0.0-pre.1", features = ["rand_core", "zeroize"] } serde = { version = "1.0.132", optional = true, features = ["derive"] } -getrandom = { version = "0.2.15" } +getrandom = { version = "0.3" } time = { version = "0.3.7", features = ["formatting", "parsing"] } uuid = { version = "1", optional = true } biscuit-parser = { version = "0.2.0", path = "../biscuit-parser" } @@ -49,14 +49,14 @@ chrono = { version = "0.4.26", optional = true, default-features = false, featur "serde", ] } serde_json = "1.0.117" -ecdsa = { version = "0.16.9", features = ["signing", "verifying", "pem", "alloc", "pkcs8", "serde"] } -p256 = "0.13.2" -pkcs8 = "0.9.0" -elliptic-curve = { version = "0.13.8", features = ["pkcs8"] } +ecdsa = { version = "0.17.0-rc.6", features = ["signing", "verifying", "pem", "alloc", "pkcs8", "serde"] } +p256 = "0.14.0-pre.10" +pkcs8 = "0.11.0-rc.6" +elliptic-curve = { version = "0.14.0-rc.1", features = ["pkcs8"] } [dev-dependencies] bencher = "0.1.5" -rand = "0.8" +rand = "0.9" chrono = { version = "0.4.26", features = ["serde", "clock"] } colored-diff = "0.2.3" prost-build = "0.10" diff --git a/biscuit-auth/examples/testcases.rs b/biscuit-auth/examples/testcases.rs index 24d6ec3d..9035be9a 100644 --- a/biscuit-auth/examples/testcases.rs +++ b/biscuit-auth/examples/testcases.rs @@ -722,7 +722,7 @@ fn random_block(target: &str, root: &KeyPair, test: bool) -> TestResult { } else { let serialized = biscuit2.container(); let mut proto = serialized.to_proto(); - let arr: [u8; 32] = rng.gen(); + let arr: [u8; 32] = rng.random(); proto.blocks[0].block = Vec::from(&arr[..]); let mut data = Vec::new(); proto.encode(&mut data).unwrap(); diff --git a/biscuit-auth/src/crypto/ed25519.rs b/biscuit-auth/src/crypto/ed25519.rs index 9782fc22..152d761a 100644 --- a/biscuit-auth/src/crypto/ed25519.rs +++ b/biscuit-auth/src/crypto/ed25519.rs @@ -31,10 +31,10 @@ pub struct KeyPair { impl KeyPair { pub fn new() -> Self { - Self::new_with_rng(&mut rand::rngs::OsRng) + Self::new_with_rng(&mut rand::rng()) } - pub fn new_with_rng(rng: &mut T) -> Self { + pub fn new_with_rng(rng: &mut T) -> Self { let kp = ed25519_dalek::SigningKey::generate(rng); KeyPair { kp } } diff --git a/biscuit-auth/src/crypto/mod.rs b/biscuit-auth/src/crypto/mod.rs index 1c1054ce..f06f3d58 100644 --- a/biscuit-auth/src/crypto/mod.rs +++ b/biscuit-auth/src/crypto/mod.rs @@ -35,15 +35,18 @@ pub enum KeyPair { impl KeyPair { /// Create a new ed25519 keypair with the default OS RNG pub fn new() -> Self { - Self::new_with_rng(Algorithm::Ed25519, &mut rand::rngs::OsRng) + Self::new_with_rng(Algorithm::Ed25519, &mut rand::rng()) } /// Create a new keypair with a chosen algorithm and the default OS RNG pub fn new_with_algorithm(algorithm: Algorithm) -> Self { - Self::new_with_rng(algorithm, &mut rand::rngs::OsRng) + Self::new_with_rng(algorithm, &mut rand::rng()) } - pub fn new_with_rng(algorithm: Algorithm, rng: &mut T) -> Self { + pub fn new_with_rng( + algorithm: Algorithm, + rng: &mut T, + ) -> Self { match algorithm { Algorithm::Ed25519 => KeyPair::Ed25519(ed25519::KeyPair::new_with_rng(rng)), Algorithm::Secp256r1 => KeyPair::P256(p256::KeyPair::new_with_rng(rng)), diff --git a/biscuit-auth/src/crypto/p256.rs b/biscuit-auth/src/crypto/p256.rs index a76e4ce4..9756bd5b 100644 --- a/biscuit-auth/src/crypto/p256.rs +++ b/biscuit-auth/src/crypto/p256.rs @@ -9,9 +9,9 @@ use super::error; use super::Signature; use p256::ecdsa::{signature::Signer, signature::Verifier, SigningKey, VerifyingKey}; -use p256::elliptic_curve::rand_core::{CryptoRng, OsRng, RngCore}; +use p256::elliptic_curve::rand_core::{CryptoRng, RngCore}; use p256::NistP256; -use std::hash::Hash; +use std::{convert::TryInto, hash::Hash}; /// pair of cryptographic keys used to sign a token's block #[derive(Debug, PartialEq)] @@ -21,10 +21,10 @@ pub struct KeyPair { impl KeyPair { pub fn new() -> Self { - Self::new_with_rng(&mut OsRng) + Self::new_with_rng(&mut rand::rng()) } - pub fn new_with_rng(rng: &mut T) -> Self { + pub fn new_with_rng(rng: &mut T) -> Self { let kp = SigningKey::random(rng); KeyPair { kp } @@ -41,9 +41,13 @@ impl KeyPair { if bytes.len() != 32 { return Err(Format::InvalidKeySize(bytes.len())); } - let kp = SigningKey::from_bytes(bytes.into()) - .map_err(|s| s.to_string()) - .map_err(Format::InvalidKey)?; + let kp = SigningKey::from_bytes( + bytes + .try_into() + .map_err(|_| Format::InvalidKeySize(bytes.len()))?, + ) + .map_err(|s| s.to_string()) + .map_err(Format::InvalidKey)?; Ok(KeyPair { kp }) } @@ -134,15 +138,14 @@ impl PrivateKey { /// deserializes from a big endian byte array pub fn from_bytes(bytes: &[u8]) -> Result { - // the version of generic-array used by p256 panics if the input length - // is incorrect (including when using `.try_into()`) - if bytes.len() != 32 { - return Err(Format::InvalidKeySize(bytes.len())); - } - SigningKey::from_bytes(bytes.into()) - .map(PrivateKey) - .map_err(|s| s.to_string()) - .map_err(Format::InvalidKey) + SigningKey::from_bytes( + bytes + .try_into() + .map_err(|_| Format::InvalidKeySize(bytes.len()))?, + ) + .map(PrivateKey) + .map_err(|s| s.to_string()) + .map_err(Format::InvalidKey) } /// deserializes from an hex-encoded string diff --git a/biscuit-auth/src/time.rs b/biscuit-auth/src/time.rs index 69b87f24..5477844c 100644 --- a/biscuit-auth/src/time.rs +++ b/biscuit-auth/src/time.rs @@ -6,9 +6,10 @@ //! //! code from -#[cfg(feature = "wasm")] -use std::convert::TryInto; -use std::ops::{Add, AddAssign, Sub, SubAssign}; +use std::{ + convert::TryInto, + ops::{Add, AddAssign, Sub, SubAssign}, +}; #[cfg(feature = "wasm")] use wasm_bindgen::prelude::*; diff --git a/biscuit-auth/src/token/builder/biscuit.rs b/biscuit-auth/src/token/builder/biscuit.rs index 9d0cc294..92b122b6 100644 --- a/biscuit-auth/src/token/builder/biscuit.rs +++ b/biscuit-auth/src/token/builder/biscuit.rs @@ -133,10 +133,10 @@ impl BiscuitBuilder { root_key: &KeyPair, symbols: SymbolTable, ) -> Result { - self.build_with_rng(root_key, symbols, &mut rand::rngs::OsRng) + self.build_with_rng(root_key, symbols, &mut rand::rng()) } - pub fn build_with_rng( + pub fn build_with_rng( self, root: &KeyPair, symbols: SymbolTable, diff --git a/biscuit-auth/src/token/mod.rs b/biscuit-auth/src/token/mod.rs index 8d96094e..0d83a7a5 100644 --- a/biscuit-auth/src/token/mod.rs +++ b/biscuit-auth/src/token/mod.rs @@ -174,7 +174,7 @@ impl Biscuit { /// since the public key is integrated into the token, the keypair can be /// discarded right after calling this function pub fn append(&self, block_builder: BlockBuilder) -> Result { - let keypair = KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rngs::OsRng); + let keypair = KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rng()); self.append_with_keypair(&keypair, block_builder) } @@ -251,7 +251,7 @@ impl Biscuit { /// creates a new token, using a provided CSPRNG /// /// the public part of the root keypair must be used for verification - pub(crate) fn new_with_rng( + pub(crate) fn new_with_rng( rng: &mut T, root_key_id: Option, root: &KeyPair, @@ -413,8 +413,7 @@ impl Biscuit { external_key: PublicKey, response: ThirdPartyBlock, ) -> Result { - let next_keypair = - KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rngs::OsRng); + let next_keypair = KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rng()); self.append_third_party_with_keypair(external_key, response, next_keypair) } diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs index bedbb7ab..129d789c 100644 --- a/biscuit-auth/src/token/unverified.rs +++ b/biscuit-auth/src/token/unverified.rs @@ -105,8 +105,7 @@ impl UnverifiedBiscuit { /// since the public key is integrated into the token, the keypair can be /// discarded right after calling this function pub fn append(&self, block_builder: BlockBuilder) -> Result { - let keypair = - KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rngs::OsRng); + let keypair = KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rng()); self.append_with_keypair(&keypair, block_builder) } @@ -302,7 +301,7 @@ impl UnverifiedBiscuit { pub fn append_third_party(&self, slice: &[u8]) -> Result { let next_keypair = - KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rngs::OsRng); + KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rng()); self.append_third_party_with_keypair(slice, next_keypair) } diff --git a/biscuit-capi/Cargo.toml b/biscuit-capi/Cargo.toml index aa1ae6d0..7abf1bd7 100644 --- a/biscuit-capi/Cargo.toml +++ b/biscuit-capi/Cargo.toml @@ -19,7 +19,7 @@ biscuit-auth = { version = "6.0.0", path = "../biscuit-auth", features = [ "pem", ] } libc = "0.2" -rand = "0.8" +rand = "0.9" [dev-dependencies] inline-c = "0.1"