workspace: bump RustCrypto dependencies to pre-releases

biscuit-auth/Cargo.toml

@@ -26,21 +26,21 @@ uuid = ["dep:uuid"]
 pem = ["ed25519-dalek/pem", "ed25519-dalek/pkcs8"]
 
 [dependencies]
-rand_core = "^0.6"
-sha2 = "^0.9"
+rand_core = "0.9"
+sha2 = "0.11.0-rc.2"
 prost = "0.10"
 prost-types = "0.10"
 regex = { version = "1.5", default-features = false, features = ["std"] }
 nom = { version = "7", default-features = false, features = ["std"] }
 hex = "0.4"
 zeroize = { version = "1.5", default-features = false }
 thiserror = "1"
-rand = { version = "0.8" }
+rand = { version = "0.9" }
 wasm-bindgen = { version = "0.2", optional = true }
 base64 = "0.13.0"
-ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize"] }
+ed25519-dalek = { version = "3.0.0-pre.1", features = ["rand_core", "zeroize"] }
 serde = { version = "1.0.132", optional = true, features = ["derive"] }
-getrandom = { version = "0.2.15" }
+getrandom = { version = "0.3" }
 time = { version = "0.3.7", features = ["formatting", "parsing"] }
 uuid = { version = "1", optional = true }
 biscuit-parser = { version = "0.2.0", path = "../biscuit-parser" }
@@ -49,14 +49,14 @@ chrono = { version = "0.4.26", optional = true, default-features = false, featur
   "serde",
 ] }
 serde_json = "1.0.117"
-ecdsa = { version = "0.16.9", features = ["signing", "verifying", "pem", "alloc", "pkcs8", "serde"] }
-p256 = "0.13.2"
-pkcs8 = "0.9.0"
-elliptic-curve = { version = "0.13.8", features = ["pkcs8"] }
+ecdsa = { version = "0.17.0-rc.6", features = ["signing", "verifying", "pem", "alloc", "pkcs8", "serde"] }
+p256 = "0.14.0-pre.10"
+pkcs8 = "0.11.0-rc.6"
+elliptic-curve = { version = "0.14.0-rc.1", features = ["pkcs8"] }
 
 [dev-dependencies]
 bencher = "0.1.5"
-rand = "0.8"
+rand = "0.9"
 chrono = { version = "0.4.26", features = ["serde", "clock"] }
 colored-diff = "0.2.3"
 prost-build = "0.10"

biscuit-auth/examples/testcases.rs

@@ -722,7 +722,7 @@ fn random_block(target: &str, root: &KeyPair, test: bool) -> TestResult {
     } else {
         let serialized = biscuit2.container();
         let mut proto = serialized.to_proto();
-        let arr: [u8; 32] = rng.gen();
+        let arr: [u8; 32] = rng.random();
         proto.blocks[0].block = Vec::from(&arr[..]);
         let mut data = Vec::new();
         proto.encode(&mut data).unwrap();

biscuit-auth/src/crypto/ed25519.rs

@@ -31,10 +31,10 @@ pub struct KeyPair {
 
 impl KeyPair {
     pub fn new() -> Self {
-        Self::new_with_rng(&mut rand::rngs::OsRng)
+        Self::new_with_rng(&mut rand::rng())
     }
 
-    pub fn new_with_rng<T: RngCore + CryptoRng>(rng: &mut T) -> Self {
+    pub fn new_with_rng<T: RngCore + CryptoRng + ?Sized>(rng: &mut T) -> Self {
         let kp = ed25519_dalek::SigningKey::generate(rng);
         KeyPair { kp }
     }

biscuit-auth/src/crypto/mod.rs

@@ -35,15 +35,18 @@ pub enum KeyPair {
 impl KeyPair {
     /// Create a new ed25519 keypair with the default OS RNG
     pub fn new() -> Self {
-        Self::new_with_rng(Algorithm::Ed25519, &mut rand::rngs::OsRng)
+        Self::new_with_rng(Algorithm::Ed25519, &mut rand::rng())
     }
 
     /// Create a new keypair with a chosen algorithm and the default OS RNG
     pub fn new_with_algorithm(algorithm: Algorithm) -> Self {
-        Self::new_with_rng(algorithm, &mut rand::rngs::OsRng)
+        Self::new_with_rng(algorithm, &mut rand::rng())
     }
 
-    pub fn new_with_rng<T: RngCore + CryptoRng>(algorithm: Algorithm, rng: &mut T) -> Self {
+    pub fn new_with_rng<T: RngCore + CryptoRng + ?Sized>(
+        algorithm: Algorithm,
+        rng: &mut T,
+    ) -> Self {
         match algorithm {
             Algorithm::Ed25519 => KeyPair::Ed25519(ed25519::KeyPair::new_with_rng(rng)),
             Algorithm::Secp256r1 => KeyPair::P256(p256::KeyPair::new_with_rng(rng)),

biscuit-auth/src/crypto/p256.rs

@@ -9,9 +9,9 @@ use super::error;
 use super::Signature;
 
 use p256::ecdsa::{signature::Signer, signature::Verifier, SigningKey, VerifyingKey};
-use p256::elliptic_curve::rand_core::{CryptoRng, OsRng, RngCore};
+use p256::elliptic_curve::rand_core::{CryptoRng, RngCore};
 use p256::NistP256;
-use std::hash::Hash;
+use std::{convert::TryInto, hash::Hash};
 
 /// pair of cryptographic keys used to sign a token's block
 #[derive(Debug, PartialEq)]
@@ -21,10 +21,10 @@ pub struct KeyPair {
 
 impl KeyPair {
     pub fn new() -> Self {
-        Self::new_with_rng(&mut OsRng)
+        Self::new_with_rng(&mut rand::rng())
     }
 
-    pub fn new_with_rng<T: RngCore + CryptoRng>(rng: &mut T) -> Self {
+    pub fn new_with_rng<T: RngCore + CryptoRng + ?Sized>(rng: &mut T) -> Self {
         let kp = SigningKey::random(rng);
 
         KeyPair { kp }
@@ -41,9 +41,13 @@ impl KeyPair {
         if bytes.len() != 32 {
             return Err(Format::InvalidKeySize(bytes.len()));
         }
-        let kp = SigningKey::from_bytes(bytes.into())
-            .map_err(|s| s.to_string())
-            .map_err(Format::InvalidKey)?;
+        let kp = SigningKey::from_bytes(
+            bytes
+                .try_into()
+                .map_err(|_| Format::InvalidKeySize(bytes.len()))?,
+        )
+        .map_err(|s| s.to_string())
+        .map_err(Format::InvalidKey)?;
 
         Ok(KeyPair { kp })
     }
@@ -134,15 +138,14 @@ impl PrivateKey {
 
     /// deserializes from a big endian byte array
     pub fn from_bytes(bytes: &[u8]) -> Result<Self, error::Format> {
-        // the version of generic-array used by p256 panics if the input length
-        // is incorrect (including when using `.try_into()`)
-        if bytes.len() != 32 {
-            return Err(Format::InvalidKeySize(bytes.len()));
-        }
-        SigningKey::from_bytes(bytes.into())
-            .map(PrivateKey)
-            .map_err(|s| s.to_string())
-            .map_err(Format::InvalidKey)
+        SigningKey::from_bytes(
+            bytes
+                .try_into()
+                .map_err(|_| Format::InvalidKeySize(bytes.len()))?,
+        )
+        .map(PrivateKey)
+        .map_err(|s| s.to_string())
+        .map_err(Format::InvalidKey)
     }
 
     /// deserializes from an hex-encoded string

biscuit-auth/src/time.rs

@@ -6,9 +6,10 @@
 //!
 //! code from <https://github.com/rust-lang/rust/issues/48564#issuecomment-698712971>
 
-#[cfg(feature = "wasm")]
-use std::convert::TryInto;
-use std::ops::{Add, AddAssign, Sub, SubAssign};
+use std::{
+    convert::TryInto,
+    ops::{Add, AddAssign, Sub, SubAssign},
+};
 #[cfg(feature = "wasm")]
 use wasm_bindgen::prelude::*;
 

biscuit-auth/src/token/builder/biscuit.rs

@@ -133,10 +133,10 @@ impl BiscuitBuilder {
         root_key: &KeyPair,
         symbols: SymbolTable,
     ) -> Result<Biscuit, error::Token> {
-        self.build_with_rng(root_key, symbols, &mut rand::rngs::OsRng)
+        self.build_with_rng(root_key, symbols, &mut rand::rng())
     }
 
-    pub fn build_with_rng<R: RngCore + CryptoRng>(
+    pub fn build_with_rng<R: RngCore + CryptoRng + ?Sized>(
         self,
         root: &KeyPair,
         symbols: SymbolTable,

biscuit-auth/src/token/mod.rs

@@ -174,7 +174,7 @@ impl Biscuit {
     /// since the public key is integrated into the token, the keypair can be
     /// discarded right after calling this function
     pub fn append(&self, block_builder: BlockBuilder) -> Result<Self, error::Token> {
-        let keypair = KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rngs::OsRng);
+        let keypair = KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rng());
         self.append_with_keypair(&keypair, block_builder)
     }
 
@@ -251,7 +251,7 @@ impl Biscuit {
     /// creates a new token, using a provided CSPRNG
     ///
     /// the public part of the root keypair must be used for verification
-    pub(crate) fn new_with_rng<T: RngCore + CryptoRng>(
+    pub(crate) fn new_with_rng<T: RngCore + CryptoRng + ?Sized>(
         rng: &mut T,
         root_key_id: Option<u32>,
         root: &KeyPair,
@@ -413,8 +413,7 @@ impl Biscuit {
         external_key: PublicKey,
         response: ThirdPartyBlock,
     ) -> Result<Self, error::Token> {
-        let next_keypair =
-            KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rngs::OsRng);
+        let next_keypair = KeyPair::new_with_rng(builder::Algorithm::Ed25519, &mut rand::rng());
 
         self.append_third_party_with_keypair(external_key, response, next_keypair)
     }

biscuit-auth/src/token/unverified.rs

@@ -105,8 +105,7 @@ impl UnverifiedBiscuit {
     /// since the public key is integrated into the token, the keypair can be
     /// discarded right after calling this function
     pub fn append(&self, block_builder: BlockBuilder) -> Result<Self, error::Token> {
-        let keypair =
-            KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rngs::OsRng);
+        let keypair = KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rng());
         self.append_with_keypair(&keypair, block_builder)
     }
 
@@ -302,7 +301,7 @@ impl UnverifiedBiscuit {
 
     pub fn append_third_party(&self, slice: &[u8]) -> Result<Self, error::Token> {
         let next_keypair =
-            KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rngs::OsRng);
+            KeyPair::new_with_rng(super::builder::Algorithm::Ed25519, &mut rand::rng());
         self.append_third_party_with_keypair(slice, next_keypair)
     }
 

biscuit-capi/Cargo.toml

@@ -19,7 +19,7 @@ biscuit-auth = { version = "6.0.0", path = "../biscuit-auth", features = [
     "pem",
 ] }
 libc = "0.2"
-rand = "0.8"
+rand = "0.9"
 
 [dev-dependencies]
 inline-c = "0.1"