chore: update crypto deps

Update tons of cryptographic libraries: * ecdsa * ed25519 * p256 * p384 * signature The majority of these libraries broke their API during the upgrade, hence quite some fixes were needed. Signed-off-by: Flavio Castelli <fcastelli@suse.com>
sigstore · Jan 25, 2023 · 0d473d4 · 0d473d4
1 parent 0f310a8
commit 0d473d4
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 22 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -43,14 +43,14 @@ scrypt = "0.10.0"
 xsalsa20poly1305 = "0.9.0"
 pkcs8 = { version = "0.9.0", features = ["pem", "alloc", "pkcs5", "encryption"] }
 elliptic-curve = { version = "0.12.2", features = [ "arithmetic", "pem" ] }
-p256 = "0.11.1"
-p384 = "0.11.1"
-ecdsa = { version = "0.14.3", features = [ "pkcs8", "digest", "der" ] }
+p256 = "0.12"
+p384 = "0.12"
+ecdsa = { version = "0.15", features = [ "pkcs8", "digest", "der" ] }
 digest = "0.10.3"
-signature = { version = "1.5.0", features = [ "digest-preview" ] }
-ed25519 = { version = "1", features = [ "alloc" ] }
+signature = { version = "2.0" }
+ed25519 = { version = "2", features = [ "alloc" ] }
 ed25519-dalek-fiat = "0.1.0"
-rsa = "0.7.0"
+rsa = "0.8"
 pkcs1 = "0.4.0"
 reqwest = { version = "0.11", default-features = false, features = ["json", "multipart"] }
 

diff --git a/src/crypto/signing_key/ed25519.rs b/src/crypto/signing_key/ed25519.rs
@@ -64,7 +64,6 @@ use std::convert::TryFrom;
 
 use ed25519::{pkcs8::PublicKeyBytes, KeypairBytes};
 use pkcs8::{DecodePrivateKey, EncodePrivateKey, EncodePublicKey};
-use signature::Signer as _;
 use x509_parser::nom::AsBytes;
 
 use crate::{

diff --git a/src/crypto/signing_key/rsa/mod.rs b/src/crypto/signing_key/rsa/mod.rs
@@ -51,7 +51,8 @@
 //! ```
 
 use ::rsa::{pkcs1v15::SigningKey, pss::BlindedSigningKey};
-use signature::RandomizedSigner;
+use ecdsa::SignatureEncoding;
+use signature::{Keypair, RandomizedSigner};
 
 use self::keypair::RSAKeys;
 
@@ -162,22 +163,22 @@ impl RSASigner {
     pub fn to_verification_key(&self) -> Result<CosignVerificationKey> {
         Ok(match self {
             RSASigner::RSA_PSS_SHA256(signer, _) => {
-                CosignVerificationKey::RSA_PSS_SHA256(signer.into())
+                CosignVerificationKey::RSA_PSS_SHA256(signer.verifying_key())
             }
             RSASigner::RSA_PSS_SHA384(signer, _) => {
-                CosignVerificationKey::RSA_PSS_SHA384(signer.into())
+                CosignVerificationKey::RSA_PSS_SHA384(signer.verifying_key())
             }
             RSASigner::RSA_PSS_SHA512(signer, _) => {
-                CosignVerificationKey::RSA_PSS_SHA512(signer.into())
+                CosignVerificationKey::RSA_PSS_SHA512(signer.verifying_key())
             }
             RSASigner::RSA_PKCS1_SHA256(signer, _) => {
-                CosignVerificationKey::RSA_PKCS1_SHA256(signer.into())
+                CosignVerificationKey::RSA_PKCS1_SHA256(signer.verifying_key())
             }
             RSASigner::RSA_PKCS1_SHA384(signer, _) => {
-                CosignVerificationKey::RSA_PKCS1_SHA384(signer.into())
+                CosignVerificationKey::RSA_PKCS1_SHA384(signer.verifying_key())
             }
             RSASigner::RSA_PKCS1_SHA512(signer, _) => {
-                CosignVerificationKey::RSA_PKCS1_SHA512(signer.into())
+                CosignVerificationKey::RSA_PKCS1_SHA512(signer.verifying_key())
             }
         })
     }

diff --git a/src/crypto/verification_key.rs b/src/crypto/verification_key.rs
@@ -17,7 +17,7 @@ use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _
 use pkcs8::DecodePublicKey;
 use rsa::{pkcs1v15, pss};
 use sha2::{Digest, Sha256, Sha384};
-use signature::{DigestVerifier, Signature as _, Verifier};
+use signature::{DigestVerifier, Verifier};
 use std::convert::TryFrom;
 use x509_parser::{prelude::FromDer, x509::SubjectPublicKeyInfo};
 
@@ -255,37 +255,37 @@ impl CosignVerificationKey {
 
         match self {
             CosignVerificationKey::RSA_PSS_SHA256(inner) => {
-                let sig = pss::Signature::from_bytes(&sig)?;
+                let sig = pss::Signature::try_from(sig.as_slice())?;
                 inner
                     .verify(msg, &sig)
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
             }
             CosignVerificationKey::RSA_PSS_SHA384(inner) => {
-                let sig = pss::Signature::from_bytes(&sig)?;
+                let sig = pss::Signature::try_from(sig.as_slice())?;
                 inner
                     .verify(msg, &sig)
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
             }
             CosignVerificationKey::RSA_PSS_SHA512(inner) => {
-                let sig = pss::Signature::from_bytes(&sig)?;
+                let sig = pss::Signature::try_from(sig.as_slice())?;
                 inner
                     .verify(msg, &sig)
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
             }
             CosignVerificationKey::RSA_PKCS1_SHA256(inner) => {
-                let sig = pkcs1v15::Signature::from_bytes(&sig)?;
+                let sig = pkcs1v15::Signature::try_from(sig.as_slice())?;
                 inner
                     .verify(msg, &sig)
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
             }
             CosignVerificationKey::RSA_PKCS1_SHA384(inner) => {
-                let sig = pkcs1v15::Signature::from_bytes(&sig)?;
+                let sig = pkcs1v15::Signature::try_from(sig.as_slice())?;
                 inner
                     .verify(msg, &sig)
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
             }
             CosignVerificationKey::RSA_PKCS1_SHA512(inner) => {
-                let sig = pkcs1v15::Signature::from_bytes(&sig)?;
+                let sig = pkcs1v15::Signature::try_from(sig.as_slice())?;
                 inner
                     .verify(msg, &sig)
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
@@ -308,7 +308,7 @@ impl CosignVerificationKey {
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)
             }
             CosignVerificationKey::ED25519(inner) => {
-                let sig = ed25519::Signature::from_bytes(&sig[..])
+                let sig = ed25519::Signature::from_slice(sig.as_slice())
                     .map_err(|_| SigstoreError::PublicKeyVerificationError)?;
                 inner
                     .verify(msg, &sig)

diff --git a/src/errors.rs b/src/errors.rs
@@ -210,4 +210,7 @@ pub enum SigstoreError {
 
     #[error(transparent)]
     PKCS1Error(#[from] pkcs1::Error),
+
+    #[error(transparent)]
+    ED25519Error(#[from] ed25519_dalek_fiat::ed25519::Error),
 }