From 25559a20129e507891ae3c8750fc01be662ae6f2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 12:57:35 -0700 Subject: [PATCH 1/5] chore(deps): bump rmp-serde from 1.1.2 to 1.2.0 (#1388) Bumps [rmp-serde](https://github.com/3Hren/msgpack-rust) from 1.1.2 to 1.2.0. - [Release notes](https://github.com/3Hren/msgpack-rust/releases) - [Commits](https://github.com/3Hren/msgpack-rust/commits/rmp-serde/v1.2.0) --- updated-dependencies: - dependency-name: rmp-serde dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Cargo.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bef84edbc..26e2a6a5a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1279,9 +1279,9 @@ dependencies = [ [[package]] name = "rmp" -version = "0.8.12" +version = "0.8.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9860a6cc38ed1da53456442089b4dfa35e7cedaa326df63017af88385e6b20" +checksum = "228ed7c16fa39782c3b3468e974aec2795e9089153cd08ee2e9aefb3613334c4" dependencies = [ "byteorder", "num-traits", @@ -1290,9 +1290,9 @@ dependencies = [ [[package]] name = "rmp-serde" -version = "1.1.2" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bffea85eea980d8a74453e5d02a8d93028f3c34725de143085a844ebe953258a" +checksum = "938a142ab806f18b88a97b0dea523d39e0fd730a064b035726adcfc58a8a5188" dependencies = [ "byteorder", "rmp", From a375cbf5bd0abd5159d4b3ec203d8b0a9166d1d6 Mon Sep 17 00:00:00 2001 From: Matt Palmer Date: Wed, 24 Apr 2024 22:31:06 +1000 Subject: [PATCH 2/5] base64ct: reject zero-length decode requests (#1387) --- base64ct/src/decoder.rs | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
diff --git a/base64ct/src/decoder.rs b/base64ct/src/decoder.rs index 01daf3867..840df16ce 100644 --- a/base64ct/src/decoder.rs +++ b/base64ct/src/decoder.rs @@ -103,8 +103,13 @@ impl<'i, E: Encoding> Decoder<'i, E> { /// /// # Returns /// - `Ok(bytes)` if the expected amount of data was read - /// - `Err(Error::InvalidLength)` if the exact amount of data couldn't be read + /// - `Err(Error::InvalidLength)` if the exact amount of data couldn't be read, or + /// if the output buffer has a length of 0 pub fn decode<'o>(&mut self, out: &'o mut [u8]) -> Result<&'o [u8], Error> { + if out.is_empty() { + return Err(InvalidLength); + } + if self.is_finished() { return Err(InvalidLength); } @@ -547,6 +552,8 @@ impl<'i> Iterator for LineReader<'i> { mod tests { use crate::{alphabet::Alphabet, test_vectors::*, Base64, Base64Unpadded, Decoder}; + #[cfg(feature = "std")] + use crate::Error::InvalidLength; #[cfg(feature = "std")] use {alloc::vec::Vec, std::io::Read}; @@ -592,6 +599,16 @@ mod tests { assert_eq!(buf.as_slice(), MULTILINE_PADDED_BIN); } + #[cfg(feature = "std")] + #[test] + fn reject_empty_read() { + let mut decoder = Decoder::::new(b"AAAA").unwrap(); + + let mut buf: Vec = vec![]; + + assert_eq!(decoder.decode(&mut buf), Err(InvalidLength)); + } + /// Core functionality of a decoding test #[allow(clippy::arithmetic_side_effects)] fn decode_test<'a, F, V>(expected: &[u8], f: F) From e8ef21c23483b45ba1e03c0e811ac5c76f15ef6f Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Wed, 24 Apr 2024 08:48:33 -0600 Subject: [PATCH 3/5] der: add `Decode::from_ber` (#1389) Support for decoding an input byte slice while specifying what encoding rules should be used with the given reader. --- der/src/decode.rs | 12 +++++++++++- der/src/reader/slice.rs | 12 ++++++++++-- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/der/src/decode.rs b/der/src/decode.rs index ccb487f52..4f856995c 100644 --- a/der/src/decode.rs +++ b/der/src/decode.rs 
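Review bot: The new `out.is_empty()` guard at the top of `decode` turns every zero-length request into `InvalidLength`, and that also reaches any wrapper that forwards a caller-sized buffer. If the crate's `io::Read` impl (outside this hunk) passes its `buf` straight to `decode`, `read(&mut [])` on an unfinished decoder would now surface as an I/O error, whereas `Read::read` conventionally returns `Ok(0)` for an empty buffer. Worth confirming, and if so adding `if buf.is_empty() { return Ok(0); }` in that impl. `decode`'s body continues outside the hunk.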
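Review bot: `reject_empty_read` is gated on `feature = "std"` only because it builds its buffer with `vec![]`, so the new guard in `decode` goes untested in no_std builds. A zero-length array needs no allocator: `let mut buf = [0u8; 0];`. With that, both the test and the `use crate::Error::InvalidLength;` import could drop their `#[cfg(feature = "std")]` attributes.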
@@ -1,6 +1,6 @@ //! Trait definition for [`Decode`]. -use crate::{Error, FixedTag, Header, Reader, SliceReader}; +use crate::{EncodingRules, Error, FixedTag, Header, Reader, SliceReader}; use core::marker::PhantomData; #[cfg(feature = "pem")] @@ -23,6 +23,16 @@ pub trait Decode<'a>: Sized + 'a { /// Attempt to decode this message using the provided decoder. fn decode>(decoder: &mut R) -> Result; + /// Parse `Self` from the provided BER-encoded byte slice. + /// + /// Note that most usages should probably use [`Decode::from_der`]. This method allows some + /// BER productions which are not allowed under DER. + fn from_ber(bytes: &'a [u8]) -> Result { + let mut reader = SliceReader::new_with_encoding_rules(bytes, EncodingRules::Ber)?; + let result = Self::decode(&mut reader)?; + Ok(reader.finish(result)?) + } + /// Parse `Self` from the provided DER-encoded byte slice. fn from_der(bytes: &'a [u8]) -> Result { let mut reader = SliceReader::new(bytes)?; diff --git a/der/src/reader/slice.rs b/der/src/reader/slice.rs index 30345daf5..a9e1cabe7 100644 --- a/der/src/reader/slice.rs +++ b/der/src/reader/slice.rs @@ -21,9 +21,17 @@ pub struct SliceReader<'a> { impl<'a> SliceReader<'a> { /// Create a new slice reader for the given byte slice. pub fn new(bytes: &'a [u8]) -> Result { + Self::new_with_encoding_rules(bytes, EncodingRules::default()) + } + + /// Create a new slice reader with the given encoding rules. + pub fn new_with_encoding_rules( + bytes: &'a [u8], + encoding_rules: EncodingRules, + ) -> Result { Ok(Self { bytes: BytesRef::new(bytes)?, - encoding_rules: EncodingRules::default(), + encoding_rules, failed: false, position: Length::ZERO, }) @@ -196,7 +204,7 @@ mod tests { assert_eq!( ErrorKind::TrailingData { decoded: 3u8.into(), - remaining: 1u8.into() + remaining: 1u8.into(), }, err.kind() ); From c44d6af07eb9c1a763aa5f072a1984f8486ef1b0 Mon Sep 17 00:00:00 2001 
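Review bot: `from_ber` ships without a test, and its doc comment says neither which BER productions it accepts nor why DER should be preferred. BER allows more than one encoding of the same value, so code that relies on a value having exactly one byte representation (deduplication, hashing, comparing a re-encoded value against signed bytes) should keep using `from_der`. The doc comment is the place to say so, e.g. `/// BER is not a canonical encoding; do not use this where a value must have a single byte representation.` The only test change in this commit is a trailing comma in slice.rs; a test that decodes one BER-only input with `from_ber` and shows `from_der` rejecting the same bytes would pin the difference.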
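Review bot: `new_with_encoding_rules` is a new public constructor whose doc comment does not say how it relates to `new` or what choosing a non-default rule set means for validation. A line such as `/// `new` is equivalent to passing `EncodingRules::default()`.` plus a pointer to the `EncodingRules` docs would make the choice explicit for callers. Judging by the `from_ber` doc comment in this same commit, the non-default rules presumably accept encodings that DER rejects, which callers should know before opting in.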
From: Tony Arcieri Date: Wed, 24 Apr 2024 09:52:34 -0600 Subject: [PATCH 4/5] pkcs12: flatten API (#1390) Several modules contain a single type. This removes those modules from the public API and re-exports such types at the toplevel. --- pkcs12/src/lib.rs | 28 +++++++++++++++++++++------- pkcs12/src/safe_bag.rs | 8 ++++---- pkcs12/tests/cert_tests.rs | 38 +++++++++++++++++++++++--------------- x509-cert/src/request.rs | 6 ++---- 4 files changed, 50 insertions(+), 30 deletions(-) diff --git a/pkcs12/src/lib.rs b/pkcs12/src/lib.rs index 49baa6a6c..43d6bd7d6 100644 --- a/pkcs12/src/lib.rs +++ b/pkcs12/src/lib.rs @@ -14,15 +14,8 @@ unused_qualifications )] -use const_oid::ObjectIdentifier; extern crate alloc; -pub mod authenticated_safe; -pub mod bag_type; -pub mod cert_type; -pub mod crl_type; -pub mod digest_info; -pub mod mac_data; pub mod pbe_params; pub mod pfx; pub mod safe_bag; @@ -30,6 +23,27 @@ pub mod safe_bag; #[cfg(feature = "kdf")] pub mod kdf; +mod authenticated_safe; +mod bag_type; +mod cert_type; +mod crl_type; +mod digest_info; +mod mac_data; + +pub use crate::{ + authenticated_safe::AuthenticatedSafe, + bag_type::BagType, + cert_type::{CertBag, CertTypes}, + crl_type::{CrlBag, CrlTypes}, + digest_info::DigestInfo, + mac_data::MacData, + pfx::Pfx, + safe_bag::SafeBag, +}; +pub use cms; + +use const_oid::ObjectIdentifier; + // pbe oids /// `pbeWithSHAAnd128BitRC4` Object Identifier (OID). pub const PKCS_12_PBE_WITH_SHAAND128_BIT_RC4: ObjectIdentifier = diff --git a/pkcs12/src/safe_bag.rs b/pkcs12/src/safe_bag.rs index 04c5a0cb5..07b6c627a 100644 --- a/pkcs12/src/safe_bag.rs +++ b/pkcs12/src/safe_bag.rs 
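Review bot: The `pub use` list is not symmetric with what the still-public modules export. `Pfx` and `SafeBag` are lifted to the crate root, yet the test file in this same commit still reaches `pfx::Version`, `safe_bag::SafeContents` and `pbe_params::Pbkdf2Params` through their modules. Either re-export those too or state in the crate docs which items stay module-scoped. Because `authenticated_safe`, `bag_type`, `cert_type`, `crl_type`, `digest_info` and `mac_data` become private, any public item in them that is missing from the `pub use` list (their contents are not visible here) is no longer reachable downstream, so this warrants a changelog entry as a breaking change.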
@@ -7,16 +7,16 @@ use der::{AnyRef, Decode, Enumerated, Sequence}; use spki::AlgorithmIdentifierOwned; use x509_cert::attr::Attributes; -/// The `SafeContents` type is defined in [RFC 7292 Section 4.1]. +/// The `SafeContents` type is defined in [RFC 7292 Section 4.2]. /// /// ```text /// SafeContents ::= SEQUENCE OF SafeBag /// ``` /// -/// [RFC 7292 Section 4]: https://www.rfc-editor.org/rfc/rfc7292#section-4.2 +/// [RFC 7292 Section 4.2]: https://www.rfc-editor.org/rfc/rfc7292#section-4.2 pub type SafeContents = Vec; -/// The `SafeBag` type is defined in [RFC 7292 Section 4.1]. +/// The `SafeBag` type is defined in [RFC 7292 Section 4.2]. /// /// ```text /// SafeBag ::= SEQUENCE { @@ -26,7 +26,7 @@ pub type SafeContents = Vec; /// } /// ``` /// -/// [RFC 7292 Section 4]: https://www.rfc-editor.org/rfc/rfc7292#section-4.2 +/// [RFC 7292 Section 4.2]: https://www.rfc-editor.org/rfc/rfc7292#section-4.2 #[derive(Clone, Debug, Eq, PartialEq)] #[allow(missing_docs)] pub struct SafeBag { diff --git a/pkcs12/tests/cert_tests.rs b/pkcs12/tests/cert_tests.rs index 0f3b0b4bd..defa936ce 100644 --- a/pkcs12/tests/cert_tests.rs +++ b/pkcs12/tests/cert_tests.rs 
@@ -1,22 +1,30 @@ use cms::encrypted_data::EncryptedData; -use const_oid::db::rfc5911::{ID_DATA, ID_ENCRYPTED_DATA}; -use const_oid::db::rfc5912::ID_SHA_256; -use der::asn1::OctetString; -use der::{Decode, Encode}; +use const_oid::db::{ + rfc5911::{ID_DATA, ID_ENCRYPTED_DATA}, + rfc5912::ID_SHA_256, +}; +use der::{ + asn1::{ContextSpecific, OctetString}, + Decode, Encode, +}; use hex_literal::hex; - -use der::asn1::ContextSpecific; -use pkcs12::authenticated_safe::AuthenticatedSafe; -use pkcs12::cert_type::CertBag; -use pkcs12::pbe_params::Pbkdf2Params; -use pkcs12::pfx::Pfx; -use pkcs12::pfx::Version; -use pkcs12::safe_bag::SafeContents; - -use pkcs8::pkcs5::pbes2::{AES_256_CBC_OID, HMAC_WITH_SHA256_OID, PBES2_OID, PBKDF2_OID}; -use pkcs8::{pkcs5, EncryptedPrivateKeyInfo}; +use pkcs8::{ + pkcs5::{ + self, + pbes2::{AES_256_CBC_OID, HMAC_WITH_SHA256_OID, PBES2_OID, PBKDF2_OID}, + }, + EncryptedPrivateKeyInfo, +}; use spki::AlgorithmIdentifierOwned; +use pkcs12::{ + pbe_params::Pbkdf2Params, + pfx::Pfx, + pfx::Version, + safe_bag::SafeContents, + {AuthenticatedSafe, CertBag}, +}; + // 0 1871: SEQUENCE { // 4 1: INTEGER 3 // 7 1797: SEQUENCE { diff --git a/x509-cert/src/request.rs b/x509-cert/src/request.rs index 50478d8bc..f477238b9 100644 --- a/x509-cert/src/request.rs +++ b/x509-cert/src/request.rs @@ -10,9 +10,8 @@ use alloc::vec::Vec; use const_oid::db::rfc5912::ID_EXTENSION_REQ; use const_oid::{AssociatedOid, ObjectIdentifier}; -use der::asn1::BitString; use der::{ - asn1::{Any, SetOfVec}, + asn1::{Any, BitString, SetOfVec}, Decode, Enumerated, Sequence, }; use spki::{AlgorithmIdentifierOwned, SubjectPublicKeyInfoOwned}; 
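Review bot: The regrouped `use pkcs12::{ ... }` block carries a redundant inner brace group, `{AuthenticatedSafe, CertBag}`, and two separate `pfx::` paths. Writing `pfx::{Pfx, Version},` and a plain `AuthenticatedSafe, CertBag,` reads more cleanly and is what rustfmt-style grouping elsewhere in this hunk already does. Since this commit re-exports `Pfx` at the crate root, importing it from there would also exercise the flattened path.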
@@ -142,8 +141,7 @@ pub mod attributes { pub trait AsAttribute: AssociatedOid + Tagged + EncodeValue + Sized { /// Returns the Attribute with the content encoded. fn to_attribute(&self) -> Result { - let inner: Any = der::asn1::Any::encode_from(self)?; - + let inner = Any::encode_from(self)?; let values = SetOfVec::try_from(vec![inner])?; Ok(Attribute { From 72eec304acacd1af76cf7a18d6a9e58be1bebd3e Mon Sep 17 00:00:00 2001 From: Arthur Gautier Date: Fri, 26 Apr 2024 14:33:11 -0700 Subject: [PATCH 5/5] pkcs5: cms: spki: bump dependencies to pre-releases (#1391) * pkcs5: cms: spki: bump to pre-releases This makes pkcs5, cms, and spki to use pre-releases versions of: - aes 0.9.0-pre - cbc 0.2.0-pre - cipher 0.5.0-pre.4 - des 0.9.0-pre.0 - pbkdf2 0.13.0-pre.0 - scrypt 0.12.0-pre.0 - sha1 0.11.0-pre.3 - sha2 0.11.0-pre.3 * pkcs8: bump MSRV to 1.72 * spki: bump MSRV to 1.72 * pkcs5: bump MSRV to 1.72 * pkcs1: bump MSRV to 1.72 * sec1: Bump MSRV to 1.72 --- .github/workflows/pkcs1.yml | 4 +- .github/workflows/pkcs5.yml | 4 +- .github/workflows/pkcs8.yml | 4 +- .github/workflows/sec1.yml | 4 +- .github/workflows/spki.yml | 4 +- Cargo.lock | 196 +++++++++++----------------------- Cargo.toml | 7 ++ cms/Cargo.toml | 6 +- cms/src/builder.rs | 25 +++-- cms/tests/builder.rs | 12 ++- pkcs1/Cargo.toml | 2 +- pkcs5/Cargo.toml | 16 +-- pkcs5/src/pbes2/encryption.rs | 26 +++-- pkcs8/Cargo.toml | 2 +- sec1/Cargo.toml | 2 +- spki/Cargo.toml | 4 +- 16 files changed, 135 insertions(+), 183 deletions(-) diff --git a/.github/workflows/pkcs1.yml b/.github/workflows/pkcs1.yml index b10e2a124..9a3bed3d0 100644 --- a/.github/workflows/pkcs1.yml +++ b/.github/workflows/pkcs1.yml @@ -27,7 +27,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable target: - thumbv7em-none-eabi @@ -52,7 +52,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable steps: - uses: actions/checkout@v4 
diff --git a/.github/workflows/pkcs5.yml b/.github/workflows/pkcs5.yml index 7ee5b0a27..cdba00ade 100644 --- a/.github/workflows/pkcs5.yml +++ b/.github/workflows/pkcs5.yml @@ -26,7 +26,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable target: - thumbv7em-none-eabi @@ -51,7 +51,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/pkcs8.yml b/.github/workflows/pkcs8.yml index 77dd1e27b..a8d8d85d4 100644 --- a/.github/workflows/pkcs8.yml +++ b/.github/workflows/pkcs8.yml @@ -28,7 +28,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable target: - thumbv7em-none-eabi @@ -55,7 +55,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/sec1.yml b/.github/workflows/sec1.yml index 3f77bb5be..c143980a4 100644 --- a/.github/workflows/sec1.yml +++ b/.github/workflows/sec1.yml @@ -27,7 +27,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable target: - thumbv7em-none-eabi @@ -52,7 +52,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/spki.yml b/.github/workflows/spki.yml index f84762a00..9e46cc121 100644 --- a/.github/workflows/spki.yml +++ b/.github/workflows/spki.yml @@ -26,7 +26,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable target: - thumbv7em-none-eabi @@ -52,7 +52,7 @@ jobs: strategy: matrix: rust: - - 1.71.0 # MSRV + - 1.72.0 # MSRV - stable steps: - uses: actions/checkout@v4 diff --git a/Cargo.lock b/Cargo.lock index 26e2a6a5a..0650fcfa3 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -19,9 +19,9 @@ checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] name = "aes" -version = "0.8.4" +version = "0.9.0-pre" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" +checksum = "25512cae539ab9089dcbd69c4f704e787fdc8c1cea8d9daa68a9d89b02b0501f" dependencies = [ "cfg-if", "cipher", @@ -208,31 +208,22 @@ version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07" -[[package]] -name = "block-buffer" -version = "0.10.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" -dependencies = [ - "generic-array", -] - [[package]] name = "block-buffer" version = "0.11.0-pre.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3ded684142010808eb980d9974ef794da2bcf97d13396143b1515e9f0fb4a10e" dependencies = [ - "crypto-common 0.2.0-pre.5", + "crypto-common", ] [[package]] name = "block-padding" -version = "0.3.3" +version = "0.4.0-pre.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93" +checksum = "e8ab21a8964437caf2e83a92a1221ce65e356a2a9b8b52d58bece04005fe114e" dependencies = [ - "generic-array", + "hybrid-array", ] [[package]] @@ -255,9 +246,8 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5" [[package]] name = "cbc" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6" +version = "0.2.0-pre" +source = "git+https://github.com/RustCrypto/block-modes.git#957d4c989a6afd171b218c57e451c44269fac8a4" dependencies = [ "cipher", ] 
@@ -306,11 +296,11 @@ dependencies = [ [[package]] name = "cipher" -version = "0.4.4" +version = "0.5.0-pre.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" +checksum = "84fba98785cecd0e308818a87c817576a40f99d8bab6405bf422bacd3efb6c1f" dependencies = [ - "crypto-common 0.1.6", + "crypto-common", "inout", ] @@ -370,8 +360,8 @@ dependencies = [ "pkcs5", "rand", "rsa", - "sha1 0.11.0-pre.3", - "sha2 0.11.0-pre.3", + "sha1", + "sha2", "sha3", "signature", "spki", @@ -460,17 +450,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "crypto-common" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" -dependencies = [ - "generic-array", - "rand_core", - "typenum", -] - [[package]] name = "crypto-common" version = "0.2.0-pre.5" @@ -529,33 +508,22 @@ dependencies = [ [[package]] name = "des" -version = "0.8.1" +version = "0.9.0-pre.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e" +checksum = "3f106bfb220e7015669775195f68a439f4255a0baf95a437de2846f751b25997" dependencies = [ "cipher", ] -[[package]] -name = "digest" -version = "0.10.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" -dependencies = [ - "block-buffer 0.10.4", - "crypto-common 0.1.6", - "subtle", -] - [[package]] name = "digest" version = "0.11.0-pre.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "065d93ead7c220b85d5b4be4795d8398eac4ff68b5ee63895de0a3c1fb6edf25" dependencies = [ - "block-buffer 0.11.0-pre.5", + "block-buffer", "const-oid", - "crypto-common 0.2.0-pre.5", + "crypto-common", "subtle", ] 
@@ -565,7 +533,7 @@ version = "0.17.0-pre.5" source = "git+https://github.com/RustCrypto/signatures#c2f3ee6497d8ab8069c149c5c922a342eedd3334" dependencies = [ "der", - "digest 0.11.0-pre.8", + "digest", "elliptic-curve", "rfc6979", "signature", @@ -586,7 +554,7 @@ checksum = "4a1775af172997a40c14854c3a9fde9e03e5772084b334b6a0bb18bf7f93ac16" dependencies = [ "base16ct", "crypto-bigint", - "digest 0.11.0-pre.8", + "digest", "ff", "group", "hybrid-array", @@ -737,16 +705,6 @@ dependencies = [ "slab", ] -[[package]] -name = "generic-array" -version = "0.14.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" -dependencies = [ - "typenum", - "version_check", -] - [[package]] name = "getrandom" version = "0.2.14" @@ -815,22 +773,13 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46" -[[package]] -name = "hmac" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" -dependencies = [ - "digest 0.10.7", -] - [[package]] name = "hmac" version = "0.13.0-pre.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ffd790a0795ee332ed3e8959e5b177beb70d7112eb7d345428ec17427897d5ce" dependencies = [ - "digest 0.11.0-pre.8", + "digest", ] [[package]] @@ -855,12 +804,12 @@ dependencies = [ [[package]] name = "inout" -version = "0.1.3" +version = "0.2.0-pre.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5" +checksum = "0a2cc35b920cc3b344af824e64e508ffc2c819fc2368ed4d253244446194d2fe" dependencies = [ "block-padding", - "generic-array", + "hybrid-array", ] [[package]] 
@@ -1017,7 +966,7 @@ dependencies = [ "ecdsa", "elliptic-curve", "primeorder", - "sha2 0.11.0-pre.3", + "sha2", ] [[package]] @@ -1028,12 +977,21 @@ checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c" [[package]] name = "pbkdf2" -version = "0.12.2" +version = "0.13.0-pre.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8ed6a7761f76e3b9f92dfb0a60a6a6477c61024b775147ff0973a02653abaf2" +checksum = "e4cf4eb113be91873131bc3c309666600c9b7b68919dd90ccaa20a1b37b84d26" dependencies = [ - "digest 0.10.7", - "hmac 0.12.1", + "digest", + "hmac", +] + +[[package]] +name = "pbkdf2" +version = "0.13.0-pre.0" +source = "git+https://github.com/RustCrypto/password-hashes.git#f453d34b407a7494b4eb4603f523bef25edbf162" +dependencies = [ + "digest", + "hmac", ] [[package]] @@ -1074,11 +1032,11 @@ dependencies = [ "cms", "const-oid", "der", - "digest 0.11.0-pre.8", + "digest", "hex-literal", "pkcs5", "pkcs8", - "sha2 0.11.0-pre.3", + "sha2", "spki", "whirlpool", "x509-cert", @@ -1094,11 +1052,11 @@ dependencies = [ "der", "des", "hex-literal", - "pbkdf2", + "pbkdf2 0.13.0-pre.0 (registry+https://github.com/rust-lang/crates.io-index)", "rand_core", "scrypt", - "sha1 0.10.6", - "sha2 0.10.8", + "sha1", + "sha2", "spki", ] @@ -1273,7 +1231,7 @@ name = "rfc6979" version = "0.5.0-pre.3" source = "git+https://github.com/RustCrypto/signatures#c2f3ee6497d8ab8069c149c5c922a342eedd3334" dependencies = [ - "hmac 0.13.0-pre.3", + "hmac", "subtle", ] @@ -1306,14 +1264,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "43e0089f12e510517c97e1adc17d0f8374efbabdd021dfb7645d6619f85633e9" dependencies = [ "const-oid", - "digest 0.11.0-pre.8", + "digest", "num-bigint-dig", "num-integer", "num-traits", "pkcs1", "pkcs8", "rand_core", - "sha2 0.11.0-pre.3", + "sha2", "signature", "spki", "subtle", 
@@ -1397,9 +1355,8 @@ checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" [[package]] name = "salsa20" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213" +version = "0.11.0-pre" +source = "git+https://github.com/RustCrypto/stream-ciphers.git#fea3dd013ee9c35fba56903ad44b411957de8cb2" dependencies = [ "cipher", ] @@ -1415,13 +1372,12 @@ dependencies = [ [[package]] name = "scrypt" -version = "0.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0516a385866c09368f0b5bcd1caff3366aace790fcd46e2bb032697bb172fd1f" +version = "0.12.0-pre.0" +source = "git+https://github.com/RustCrypto/password-hashes.git#f453d34b407a7494b4eb4603f523bef25edbf162" dependencies = [ - "pbkdf2", + "pbkdf2 0.13.0-pre.0 (git+https://github.com/RustCrypto/password-hashes.git)", "salsa20", - "sha2 0.10.8", + "sha2", ] [[package]] @@ -1512,17 +1468,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "sha1" -version = "0.10.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" -dependencies = [ - "cfg-if", - "cpufeatures", - "digest 0.10.7", -] - [[package]] name = "sha1" version = "0.11.0-pre.3" @@ -1531,18 +1476,7 @@ checksum = "3885de8cb916f223718c1ccd47a840b91f806333e76002dc5cb3862154b4fed3" dependencies = [ "cfg-if", "cpufeatures", - "digest 0.11.0-pre.8", -] - -[[package]] -name = "sha2" -version = "0.10.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" -dependencies = [ - "cfg-if", - "cpufeatures", - "digest 0.10.7", + "digest", ] [[package]] 
@@ -1553,7 +1487,7 @@ checksum = "8f33549bf3064b62478926aa89cbfc7c109aab66ae8f0d5d2ef839e482cc30d6" dependencies = [ "cfg-if", "cpufeatures", - "digest 0.11.0-pre.8", + "digest", ] [[package]] @@ -1562,7 +1496,7 @@ version = "0.11.0-pre.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f32c02b9987a647a3d6af14c3e88df86594e4283050d9d8ee3a035df247785b9" dependencies = [ - "digest 0.11.0-pre.8", + "digest", "keccak", ] @@ -1572,7 +1506,7 @@ version = "2.3.0-pre.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1700c22ba9ce32c7b0a1495068a906c3552e7db386af7cf865162e0dea498523" dependencies = [ - "digest 0.11.0-pre.8", + "digest", "rand_core", ] @@ -1605,7 +1539,7 @@ dependencies = [ "base64ct", "der", "hex-literal", - "sha2 0.10.8", + "sha2", "tempfile", ] @@ -1821,12 +1755,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" -[[package]] -name = "version_check" -version = "0.9.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" - [[package]] name = "wait-timeout" version = "0.2.0" @@ -1857,7 +1785,7 @@ name = "whirlpool" version = "0.11.0-pre.2" source = "git+https://github.com/RustCrypto/hashes.git#e4dcf120629bd6461eff9ca1b281736336de423c" dependencies = [ - "digest 0.11.0-pre.8", + "digest", ] [[package]] @@ -1980,8 +1908,8 @@ dependencies = [ "rand", "rsa", "rstest", - "sha1 0.11.0-pre.3", - "sha2 0.11.0-pre.3", + "sha1", + "sha2", "signature", "spki", "tempfile", @@ -2005,14 +1933,14 @@ version = "0.3.0-pre" dependencies = [ "const-oid", "der", - "digest 0.11.0-pre.8", + "digest", "hex-literal", "lazy_static", "rand", "rand_core", "rsa", - "sha1 0.11.0-pre.3", - "sha2 0.11.0-pre.3", + "sha1", + "sha2", "signature", "spki", "x509-cert", 
diff --git a/Cargo.toml b/Cargo.toml index 8859a54be..1bc56ca67 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -64,7 +64,14 @@ x509-ocsp = { path = "./x509-ocsp" } p256 = { git = "https://github.com/RustCrypto/elliptic-curves.git" } # Pending a release of 0.11.0-pre.2 whirlpool = { git = "https://github.com/RustCrypto/hashes.git" } +# Pending a release of 0.2.0-pre +cbc = { git = "https://github.com/RustCrypto/block-modes.git" } +# Pending a release of 0.11.0-pre +salsa20 = { git = "https://github.com/RustCrypto/stream-ciphers.git" } # https://github.com/RustCrypto/formats/pull/1055 # https://github.com/RustCrypto/signatures/pull/809 ecdsa = { git = "https://github.com/RustCrypto/signatures" } + +# https://github.com/RustCrypto/password-hashes/pull/489 +scrypt = { git = "https://github.com/RustCrypto/password-hashes.git" } diff --git a/cms/Cargo.toml b/cms/Cargo.toml index e3020dfdf..5f2ab6502 100644 --- a/cms/Cargo.toml +++ b/cms/Cargo.toml @@ -21,9 +21,9 @@ x509-cert = { version = "=0.3.0-pre", default-features = false, features = ["pem const-oid = { version = "=0.10.0-pre.2", features = ["db"] } # optional dependencies -aes = { version = "0.8.4", optional = true } -cbc = { version = "0.1.2", optional = true } -cipher = { version = "0.4.4", features = ["alloc", "block-padding", "rand_core"], optional = true } +aes = { version = "=0.9.0-pre", optional = true } +cbc = { version = "=0.2.0-pre", optional = true } +cipher = { version = "=0.5.0-pre.4", features = ["alloc", "block-padding", "rand_core"], optional = true } rsa = { version = "=0.10.0-pre.1", optional = true } sha1 = { version = "=0.11.0-pre.3", optional = true } sha2 = { version = "=0.11.0-pre.3", optional = true } diff --git a/cms/src/builder.rs b/cms/src/builder.rs index 806cc8522..d8affe76c 100644 --- a/cms/src/builder.rs +++ b/cms/src/builder.rs 
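Review bot: The three new git overrides (`cbc`, `salsa20`, `scrypt`) name only a repository, so they track its default branch and the resolved commit is held by Cargo.lock alone. A `cargo update`, or any build that ignores the lockfile, can then pull unreviewed upstream commits into the crypto dependency tree. Pin each to the commit Cargo.lock already records, e.g. `cbc = { git = "https://github.com/RustCrypto/block-modes.git", rev = "957d4c989a6afd171b218c57e451c44269fac8a4" }`, with `fea3dd013ee9c35fba56903ad44b411957de8cb2` for `salsa20` and `f453d34b407a7494b4eb4603f523bef25edbf162` for `scrypt`. The lockfile in this commit also resolves `pbkdf2 0.13.0-pre.0` twice, once from the registry and once from the password-hashes git source; overriding `pbkdf2` alongside `scrypt` would presumably collapse that to one copy.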
@@ -19,10 +19,11 @@ use alloc::borrow::ToOwned; use alloc::boxed::Box; use alloc::string::String; use alloc::vec::Vec; -use cipher::block_padding::Pkcs7; -use cipher::rand_core::{CryptoRng, CryptoRngCore, RngCore}; -use cipher::BlockEncryptMut; -use cipher::{Key, KeyIvInit, KeySizeUser}; +use cipher::{ + block_padding::Pkcs7, + rand_core::{self, CryptoRng, CryptoRngCore, RngCore}, + BlockModeEncrypt, Key, KeyIvInit, KeySizeUser, +}; use const_oid::ObjectIdentifier; use core::cmp::Ordering; use core::fmt; @@ -55,6 +56,9 @@ pub enum Error { /// Public key errors propagated from the [`spki::Error`] type. PublicKey(spki::Error), + /// RNG error propagated for the [`rand_core::Error`] type. + Rng(rand_core::Error), + /// Signing error propagated for the [`signature::Signer`] type. Signature(signature::Error), @@ -67,6 +71,7 @@ impl fmt::Display for Error { match self { Error::Asn1(err) => write!(f, "ASN.1 error: {}", err), Error::PublicKey(err) => write!(f, "public key error: {}", err), + Error::Rng(err) => write!(f, "rng error: {}", err), Error::Signature(err) => write!(f, "signature error: {}", err), Error::Builder(message) => write!(f, "builder error: {message}"), } @@ -91,6 +96,12 @@ impl From for Error { } } +impl From for Error { + fn from(err: rand_core::Error) -> Error { + Error::Rng(err) + } +} + type Result = core::result::Result; /// Collect info needed for creating a `SignerInfo`. @@ -998,7 +1009,7 @@ fn get_hasher( macro_rules! encrypt_block_mode { ($data:expr, $block_mode:ident::$typ:ident<$alg:ident>, $key:expr, $rng:expr, $oid:expr) => {{ let (key, iv) = match $key { - None => $block_mode::$typ::<$alg>::generate_key_iv($rng), + None => $block_mode::$typ::<$alg>::generate_key_iv_with_rng($rng)?, Some(key) => { if key.len() != $alg::key_size() { return Err(Error::Builder(String::from( 
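Review bot: `Error::Rng` is a new variant on a public enum, so downstream code that matches `Error` exhaustively stops compiling unless the enum is `#[non_exhaustive]` (any such attribute would sit above this hunk). If it is absent, adding it now avoids the same break the next time an error source is wired in. The doc comment wording is also off: ``/// RNG error propagated from the [`rand_core::Error`] type.`` would match the `PublicKey` variant's phrasing.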
@@ -1007,13 +1018,13 @@ macro_rules! encrypt_block_mode { } ( Key::<$block_mode::$typ<$alg>>::from_slice(key).to_owned(), - $block_mode::$typ::<$alg>::generate_iv($rng), + $block_mode::$typ::<$alg>::generate_iv_with_rng($rng)?, ) } }; let encryptor = $block_mode::$typ::<$alg>::new(&key.into(), &iv.into()); Ok(( - encryptor.encrypt_padded_vec_mut::($data), + encryptor.encrypt_padded_vec::($data), key.to_vec(), AlgorithmIdentifierOwned { oid: $oid, diff --git a/cms/tests/builder.rs b/cms/tests/builder.rs index 56c362145..a3fa2322b 100644 --- a/cms/tests/builder.rs +++ b/cms/tests/builder.rs @@ -2,7 +2,7 @@ use aes::Aes128; use cipher::block_padding::Pkcs7; -use cipher::{BlockDecryptMut, KeyIvInit}; +use cipher::{BlockModeDecrypt, KeyIvInit}; use cms::builder::{ create_signing_time_attribute, ContentEncryptionAlgorithm, EnvelopedDataBuilder, KeyEncryptionInfo, KeyTransRecipientInfoBuilder, SignedDataBuilder, SignerInfoBuilder, @@ -478,10 +478,12 @@ fn test_build_pkcs7_scep_pkcsreq() { let iv = iv_octet_string.as_bytes(); let encrypted_content_octet_string = encryption_info.encrypted_content.unwrap(); let encrypted_content = encrypted_content_octet_string.as_bytes(); - let csr_der_decrypted = - cbc::Decryptor::::new(content_encryption_key.as_slice().into(), iv.into()) - .decrypt_padded_vec_mut::(encrypted_content) - .unwrap(); + let csr_der_decrypted = cbc::Decryptor::::new( + content_encryption_key.as_slice().try_into().unwrap(), + iv.try_into().unwrap(), + ) + .decrypt_padded_vec::(encrypted_content) + .unwrap(); assert_eq!(csr_der_decrypted.as_slice(), csr_der) } diff --git a/pkcs1/Cargo.toml b/pkcs1/Cargo.toml index c5320f52e..281813046 100644 --- a/pkcs1/Cargo.toml +++ b/pkcs1/Cargo.toml 
@@ -13,7 +13,7 @@ categories = ["cryptography", "data-structures", "encoding", "no-std", "parser-i keywords = ["crypto", "key", "pem", "pkcs", "rsa"] readme = "README.md" edition = "2021" -rust-version = "1.71" +rust-version = "1.72" [dependencies] der = { version = "=0.8.0-pre.0", features = ["oid"] } diff --git a/pkcs5/Cargo.toml b/pkcs5/Cargo.toml index 68b045726..94fb4d9fc 100644 --- a/pkcs5/Cargo.toml +++ b/pkcs5/Cargo.toml @@ -13,21 +13,21 @@ categories = ["cryptography", "data-structures", "encoding", "no-std"] keywords = ["crypto", "key", "pkcs", "password"] readme = "README.md" edition = "2021" -rust-version = "1.71" +rust-version = "1.72" [dependencies] der = { version = "=0.8.0-pre.0", features = ["oid"] } spki = { version = "=0.8.0-pre.0" } # optional dependencies -cbc = { version = "0.1.2", optional = true } -aes = { version = "0.8.4", optional = true, default-features = false } -des = { version = "0.8.1", optional = true, default-features = false } -pbkdf2 = { version = "0.12.1", optional = true, default-features = false } +cbc = { version = "=0.2.0-pre", optional = true } +aes = { version = "=0.9.0-pre", optional = true, default-features = false } +des = { version = "=0.9.0-pre.0", optional = true, default-features = false } +pbkdf2 = { version = "=0.13.0-pre.0", optional = true, default-features = false, features = ["hmac"] } rand_core = { version = "0.6.4", optional = true, default-features = false } -scrypt = { version = "0.11", optional = true, default-features = false } -sha1 = { version = "0.10.6", optional = true, default-features = false } -sha2 = { version = "0.10.8", optional = true, default-features = false } +scrypt = { version = "=0.12.0-pre.0", optional = true, default-features = false } +sha1 = { version = "=0.11.0-pre.3", optional = true, default-features = false } +sha2 = { version = "=0.11.0-pre.3", optional = true, default-features = false } [dev-dependencies] hex-literal = "0.4" 
diff --git a/pkcs5/src/pbes2/encryption.rs b/pkcs5/src/pbes2/encryption.rs index 86349926d..4cf4924cb 100644 --- a/pkcs5/src/pbes2/encryption.rs +++ b/pkcs5/src/pbes2/encryption.rs @@ -3,14 +3,18 @@ use super::{EncryptionScheme, Kdf, Parameters, Pbkdf2Params, Pbkdf2Prf, ScryptParams}; use crate::{Error, Result}; use cbc::cipher::{ - block_padding::Pkcs7, BlockCipher, BlockDecryptMut, BlockEncryptMut, KeyInit, KeyIvInit, + block_padding::Pkcs7, BlockCipher, BlockCipherDecrypt, BlockCipherEncrypt, BlockModeDecrypt, + BlockModeEncrypt, KeyInit, KeyIvInit, }; use pbkdf2::{ - hmac::digest::{ - block_buffer::Eager, - core_api::{BlockSizeUser, BufferKindUser, CoreProxy, FixedOutputCore, UpdateCore}, - generic_array::typenum::{IsLess, Le, NonZero, U256}, - HashMarker, + hmac::{ + digest::{ + block_buffer::Eager, + core_api::{BlockSizeUser, BufferKindUser, FixedOutputCore, UpdateCore}, + typenum::{IsLess, Le, NonZero, U256}, + HashMarker, + }, + EagerHash, }, pbkdf2_hmac, }; @@ -19,7 +23,7 @@ use scrypt::scrypt; /// Maximum size of a derived encryption key const MAX_KEY_LEN: usize = 32; -fn cbc_encrypt<'a, C: BlockEncryptMut + BlockCipher + KeyInit>( +fn cbc_encrypt<'a, C: BlockCipherEncrypt + BlockCipher + KeyInit>( es: EncryptionScheme, key: EncryptionKey, iv: &[u8], @@ -28,11 +32,11 @@ fn cbc_encrypt<'a, C: BlockEncryptMut + BlockCipher + KeyInit>( ) -> Result<&'a [u8]> { cbc::Encryptor::::new_from_slices(key.as_slice(), iv) .map_err(|_| es.to_alg_params_invalid())? - .encrypt_padded_mut::(buffer, pos) + .encrypt_padded::(buffer, pos) .map_err(|_| Error::EncryptFailed) } -fn cbc_decrypt<'a, C: BlockDecryptMut + BlockCipher + KeyInit>( +fn cbc_decrypt<'a, C: BlockCipherDecrypt + BlockCipher + KeyInit>( es: EncryptionScheme, key: EncryptionKey, iv: &[u8], 
@@ -40,7 +44,7 @@ fn cbc_decrypt<'a, C: BlockDecryptMut + BlockCipher + KeyInit>( ) -> Result<&'a [u8]> { cbc::Decryptor::::new_from_slices(key.as_slice(), iv) .map_err(|_| es.to_alg_params_invalid())? - .decrypt_padded_mut::(buffer) + .decrypt_padded::(buffer) .map_err(|_| Error::EncryptFailed) } @@ -155,7 +159,7 @@ impl EncryptionKey { /// Derive key using PBKDF2. fn derive_with_pbkdf2(password: &[u8], params: &Pbkdf2Params, length: usize) -> Self where - D: CoreProxy, + D: EagerHash, D::Core: Sync + HashMarker + UpdateCore diff --git a/pkcs8/Cargo.toml b/pkcs8/Cargo.toml index f8143caf6..aa1dc46aa 100644 --- a/pkcs8/Cargo.toml +++ b/pkcs8/Cargo.toml @@ -14,7 +14,7 @@ categories = ["cryptography", "data-structures", "encoding", "no-std", "parser-i keywords = ["crypto", "key", "pkcs", "private"] readme = "README.md" edition = "2021" -rust-version = "1.71" +rust-version = "1.72" [dependencies] der = { version = "=0.8.0-pre.0", features = ["oid"] } diff --git a/sec1/Cargo.toml b/sec1/Cargo.toml index 16214db03..831c56a1a 100644 --- a/sec1/Cargo.toml +++ b/sec1/Cargo.toml @@ -14,7 +14,7 @@ categories = ["cryptography", "data-structures", "encoding", "no-std", "parser-i keywords = ["crypto", "key", "elliptic-curve", "secg"] readme = "README.md" edition = "2021" -rust-version = "1.71" +rust-version = "1.72" [dependencies] base16ct = { version = "0.2", optional = true, default-features = false } diff --git a/spki/Cargo.toml b/spki/Cargo.toml index 11aaacc95..50bfae10b 100644 --- a/spki/Cargo.toml +++ b/spki/Cargo.toml @@ -13,7 +13,7 @@ categories = ["cryptography", "data-structures", "encoding", "no-std"] keywords = ["crypto", "x509"] readme = "README.md" edition = "2021" -rust-version = "1.71" +rust-version = "1.72" [dependencies] der = { version = "=0.8.0-pre.0", features = ["oid"] } 
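Review bot: `cbc_decrypt` still maps a failed `decrypt_padded` call to `Error::EncryptFailed` (last line of hunk `@@ -40,7 +44,7 @@`), so a caller is told that encryption failed when the real cause is a decryption or padding failure, typically a wrong password or corrupted ciphertext. If the crate's `Error` has a decrypt-specific variant (not visible in this diff), the line should read `.map_err(|_| Error::DecryptFailed)`. Collapsing every decrypt failure into one opaque variant, as the closure already does, is worth keeping so that no padding detail leaks to the caller. The function signature is in the previous hunk.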
@@ -21,7 +21,7 @@ der = { version = "=0.8.0-pre.0", features = ["oid"] } # Optional dependencies arbitrary = { version = "1.2", features = ["derive"], optional = true } base64ct = { version = "1", optional = true, default-features = false } -sha2 = { version = "0.10", optional = true, default-features = false } +sha2 = { version = "=0.11.0-pre.3", optional = true, default-features = false } [dev-dependencies] hex-literal = "0.4"