build: update ed25519-dalek and base64

Signed-off-by: Roman Volosatovs <[email protected]>

Cargo.toml

@@ -47,12 +47,12 @@ anyhow = "1.0.44"
 async-compression = { version = "0.3", default-features = false, features = ["tokio", "gzip"], optional = true }
 async-trait = "0.1.51"
 atty = { version = "0.2", optional = true }
-base64 = "0.13.0"
+base64 = "0.21"
 bcrypt = "0.13"
 bytes = "1.1.0"
 clap = { workspace = true, features = ["derive", "env", "cargo"], optional = true }
 dirs = { version = "4.0.0", optional = true }
-ed25519-dalek = "1.0.1"
+ed25519-dalek = { version = "2", features = ["pkcs8", "rand_core"] }
 either = { version = "1.6.1", optional = true }
 futures = "0.3.17"
 hyper = { version = "0.14.12", optional = true }
@@ -62,8 +62,7 @@ mime = { version = "0.3.16", optional = true }
 mime_guess = { version = "2.0.3", optional = true }
 oauth2 = { version = "4.1.0", features = ["reqwest"], optional = true }
 openid = { version = "0.10", default-features = false, optional = true }
-# We need the older version of rand for dalek
-rand = "0.7"
+rand = "0.8"
 reqwest = { version = "0.11.4", features = ["stream"], default-features = false, optional = true }
 semver = { version = "1.0.4", features = ["serde"] }
 serde = { version = "1.0.130", features = ["derive"] }

bin/client/main.rs

@@ -19,6 +19,7 @@ use bindle::{
  provider::Provider,
 };
 
+use base64::Engine;
 use clap::Parser;
 use sha2::Digest;
 use tokio::io::AsyncWriteExt;
@@ -423,9 +424,10 @@ async fn run() -> std::result::Result<(), ClientError> {
  .await
  .unwrap_or_else(|_| KeyRing::default());
  // First, check that the key is actually valid
- let raw = base64::decode(&opts.key)
+ let key = base64::engine::general_purpose::STANDARD
+ .decode(&opts.key)
  .map_err(|_| SignatureError::CorruptKey(opts.key.clone()))?;
- ed25519_dalek::PublicKey::from_bytes(&raw)
+ ed25519_dalek::VerifyingKey::try_from(key.as_slice())
  .map_err(|_| SignatureError::CorruptKey(opts.key.clone()))?;
  keyring.add_entry(KeyEntry {
  label: opts.label,

src/authn/http_basic.rs

@@ -1,5 +1,7 @@
 use std::{collections::HashMap, path::Path};
 
+use base64::Engine;
+
 use super::Authenticator;
 use crate::authz::Authorizable;
 
@@ -99,7 +101,8 @@ fn parse_basic(auth_data: &str) -> anyhow::Result<(String, String)> {
  None => anyhow::bail!("Wrong auth type. Only Basic auth is supported"),
  Some(suffix) => {
  // suffix should be base64 string
- let decoded = String::from_utf8(base64::decode(suffix)?)?;
+ let decoded =
+ String::from_utf8(base64::engine::general_purpose::STANDARD.decode(suffix)?)?;
  let pair: Vec<&str> = decoded.splitn(2, ':').collect();
  if pair.len() != 2 {
  anyhow::bail!("Malformed Basic header")

src/authn/oidc.rs

@@ -1,4 +1,5 @@
 //! An authenticator that validates OIDC issued JWTs
+use base64::Engine;
 use jsonwebtoken::{Algorithm, DecodingKey, Validation};
 use openid::biscuit::jwk::{AlgorithmParameters, KeyType, PublicKeyUse};
 use serde::Deserialize;
@@ -151,22 +152,16 @@ impl OidcAuthenticator {
  // that key is malformed (which should be a rare instance because it would mean
  // misconfiguration on the OIDC provider's part), just skip it
  let raw =
- base64::decode(k.common.x509_chain.unwrap_or_default().pop()?).ok()?;
+ base64::engine::general_purpose::STANDARD.decode(k.common.x509_chain.unwrap_or_default().pop()?).ok()?;
  DecodingKey::from_ec_der(&raw)
  }
  KeyType::RSA => {
  if let AlgorithmParameters::RSA(rsa) = k.algorithm {
  // NOTE: jsonwebtoken expects a base64 encoded component (big endian) so
  // we are reencoding it here
  DecodingKey::from_rsa_components(
- &base64::encode_config(
- rsa.n.to_bytes_be(),
- base64::URL_SAFE_NO_PAD,
- ),
- &base64::encode_config(
- rsa.e.to_bytes_be(),
- base64::URL_SAFE_NO_PAD,
- ),
+ &base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(rsa.n.to_bytes_be()),
+ &base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(rsa.e.to_bytes_be()),
  ).map_or_else(|e| {
  tracing::error!(error = %e, "Unable to parse decoding key from discovery client, skipping");
  None

src/client/tokens.rs

@@ -6,6 +6,7 @@ use std::{
  sync::Arc,
 };
 
+use base64::Engine;
 use oauth2::reqwest::async_http_client;
 use oauth2::{
  basic::*, devicecode::DeviceAuthorizationResponse, AuthUrl, Client as Oauth2Client, ClientId,
@@ -110,7 +111,8 @@ impl HttpBasic {
 #[async_trait::async_trait]
 impl TokenManager for HttpBasic {
  async fn apply_auth_header(&self, builder: RequestBuilder) -> Result<RequestBuilder> {
- let data = base64::encode(format!("{}:{}", self.username, self.password));
+ let data = base64::engine::general_purpose::STANDARD
+ .encode(format!("{}:{}", self.username, self.password));
  let mut header_val = HeaderValue::from_str(&format!("Basic {}", data))
  .map_err(|e| ClientError::Other(e.to_string()))?;
  header_val.set_sensitive(true);

src/invoice/mod.rs

@@ -22,6 +22,7 @@ pub use api::{
  ErrorResponse, HealthResponse, InvoiceCreateResponse, KeyOptions, MissingParcelsResponse,
  QueryOptions,
 };
+use base64::Engine;
 #[doc(inline)]
 pub use bindle_spec::BindleSpec;
 #[doc(inline)]
@@ -203,7 +204,8 @@ impl Invoice {
  let key = keyfile.key()?;
  // The spec says it is illegal for the a single key to sign the same invoice
  // more than once.
- let encoded_key = base64::encode(key.public.to_bytes());
+ let encoded_key =
+ base64::engine::general_purpose::STANDARD.encode(key.verifying_key().as_bytes());
  if let Some(sigs) = self.signature.as_ref() {
  for s in sigs {
  if s.key == encoded_key {
@@ -223,7 +225,7 @@ impl Invoice {
  let signature_entry = Signature {
  by: signer_name,
  key: encoded_key,
- signature: base64::encode(signature.to_bytes()),
+ signature: base64::engine::general_purpose::STANDARD.encode(signature.to_bytes()),
  role: signer_role,
  at: ts.as_secs(),
  };
@@ -270,7 +272,8 @@ fn sign_one(
  let key = keyfile.key()?;
  // The spec says it is illegal for the a single key to sign the same invoice
  // more than once.
- let encoded_key = base64::encode(key.public.to_bytes());
+ let encoded_key =
+ base64::engine::general_purpose::STANDARD.encode(key.verifying_key().as_bytes());
  if let Some(sigs) = inv.signature.as_ref() {
  for s in sigs {
  if s.key == encoded_key {
@@ -290,7 +293,7 @@ fn sign_one(
  let signature_entry = Signature {
  by: signer_name,
  key: encoded_key,
- signature: base64::encode(signature.to_bytes()),
+ signature: base64::engine::general_purpose::STANDARD.encode(signature.to_bytes()),
  role: signer_role,
  at: ts.as_secs(),
  };

src/invoice/signature.rs

@@ -1,6 +1,14 @@
 //! Contains the Signature type along with associated types and Roles
 
-pub use ed25519_dalek::{Keypair, PublicKey, Signature as EdSignature, Signer};
+use base64::Engine;
+pub use ed25519_dalek::{
+ Signature as EdSignature,
+ Signer,
+ SigningKey as Keypair, // re-export under old name for backwards compatibility
+ SigningKey,
+ VerifyingKey as PublicKey, // re-export under old name for backwards compatibility
+ VerifyingKey,
+};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 #[cfg(not(target_arch = "wasm32"))]
@@ -197,7 +205,7 @@ impl KeyRing {
  self.key.push(entry)
  }
 
- pub fn contains(&self, key: &PublicKey) -> bool {
+ pub fn contains(&self, key: &VerifyingKey) -> bool {
  // This could definitely be optimized.
  for k in self.key.iter() {
  // Note that we are skipping malformed keys because they don't matter
@@ -246,40 +254,43 @@ impl KeyEntry {
  /// In most cases, it is fine to construct a KeyEntry struct manually. This
  /// constructor merely encapsulates the logic to store the public key in its
  /// canonical encoded format (as a String).
- pub fn new(label: &str, roles: Vec<SignatureRole>, public_key: PublicKey) -> Self {
- let key = base64::encode(public_key.to_bytes());
+ pub fn new(label: &str, roles: Vec<SignatureRole>, public_key: VerifyingKey) -> Self {
+ let key = base64::engine::general_purpose::STANDARD.encode(public_key.to_bytes());
  KeyEntry {
  label: label.to_owned(),
  roles,
  key,
  label_signature: None,
  }
  }
- pub fn sign_label(&mut self, key: Keypair) {
+ pub fn sign_label(&mut self, key: SigningKey) {
  let sig = key.sign(self.label.as_bytes());
- self.label_signature = Some(base64::encode(sig.to_bytes()));
+ self.label_signature =
+ Some(base64::engine::general_purpose::STANDARD.encode(sig.to_bytes()));
  }
- pub fn verify_label(self, key: PublicKey) -> anyhow::Result<()> {
+ pub fn verify_label(self, key: VerifyingKey) -> anyhow::Result<()> {
  match self.label_signature {
  None => {
  tracing::log::info!("Label was not signed. Skipping.");
  Ok(())
  }
  Some(txt) => {
- let decoded_txt = base64::decode(txt)?;
+ let decoded_txt = base64::engine::general_purpose::STANDARD.decode(txt)?;
  let sig = EdSignature::try_from(decoded_txt.as_slice())?;
  key.verify_strict(self.label.as_bytes(), &sig)?;
  Ok(())
  }
  }
  }
- pub(crate) fn public_key(&self) -> Result<PublicKey, SignatureError> {
- let rawbytes = base64::decode(&self.key).map_err(|_e| {
- // We swallow the source error because it could disclose information about
- // the secret key.
- SignatureError::CorruptKey("Base64 decoding of the public key failed".to_owned())
- })?;
- let pk = PublicKey::from_bytes(rawbytes.as_slice()).map_err(|e| {
+ pub(crate) fn public_key(&self) -> Result<VerifyingKey, SignatureError> {
+ let rawbytes = base64::engine::general_purpose::STANDARD
+ .decode(&self.key)
+ .map_err(|_e| {
+ // We swallow the source error because it could disclose information about
+ // the secret key.
+ SignatureError::CorruptKey("Base64 decoding of the public key failed".to_owned())
+ })?;
+ let pk = VerifyingKey::try_from(rawbytes.as_slice()).map_err(|e| {
  error!(%e, "Error loading public key");
  // Don't leak information about the key, because this could be sent to
  // a remote. A generic error is all the user should see.
@@ -297,7 +308,7 @@ impl TryFrom<SecretKeyEntry> for KeyEntry {
  let mut s = Self {
  label: secret.label,
  roles: secret.roles,
- key: base64::encode(skey.public.to_bytes()),
+ key: base64::engine::general_purpose::STANDARD.encode(skey.verifying_key().as_bytes()),
  label_signature: None,
  };
  s.sign_label(skey);
@@ -312,7 +323,7 @@ impl TryFrom<&SecretKeyEntry> for KeyEntry {
  let mut s = Self {
  label: secret.label.clone(),
  roles: secret.roles.clone(),
- key: base64::encode(skey.public.to_bytes()),
+ key: base64::engine::general_purpose::STANDARD.encode(skey.verifying_key().as_bytes()),
  label_signature: None,
  };
  s.sign_label(skey);
@@ -337,28 +348,34 @@ pub struct SecretKeyEntry {
 impl SecretKeyEntry {
  pub fn new(label: &str, roles: Vec<SignatureRole>) -> Self {
  let mut rng = rand::rngs::OsRng {};
- let rawkey = Keypair::generate(&mut rng);
- let keypair = base64::encode(rawkey.to_bytes());
+ let rawkey = SigningKey::generate(&mut rng);
+ let keypair = base64::engine::general_purpose::STANDARD.encode(rawkey.to_keypair_bytes());
  Self {
  label: label.to_owned(),
  keypair,
  roles,
  }
  }
 
- pub(crate) fn key(&self) -> Result<Keypair, SignatureError> {
- let rawbytes = base64::decode(&self.keypair).map_err(|_e| {
+ pub(crate) fn key(&self) -> Result<SigningKey, SignatureError> {
+ let rawbytes = base64::engine::general_purpose::STANDARD
+ .decode(&self.keypair)
+ .map_err(|_e| {
+ // We swallow the source error because it could disclose information about
+ // the secret key.
+ SignatureError::CorruptKey("Base64 decoding of the keypair failed".to_owned())
+ })?;
+ let rawbytes = rawbytes.try_into().map_err(|_e| {
  // We swallow the source error because it could disclose information about
  // the secret key.
- SignatureError::CorruptKey("Base64 decoding of the keypair failed".to_owned())
+ SignatureError::CorruptKey("Invalid keypair length".to_owned())
  })?;
- let keypair = Keypair::from_bytes(&rawbytes).map_err(|e| {
+ SigningKey::from_keypair_bytes(&rawbytes).map_err(|e| {
  tracing::log::error!("Error loading key: {}", e);
  // Don't leak information about the key, because this could be sent to
  // a remote. A generic error is all the user should see.
  SignatureError::CorruptKey("Could not load keypair".to_owned())
- })?;
- Ok(keypair)
+ })
  }
 }
 
@@ -481,7 +498,7 @@ impl SecretKeyStorage for SecretKeyFile {
 #[cfg(test)]
 mod test {
  use super::*;
- use ed25519_dalek::Keypair;
+ use ed25519_dalek::SigningKey;
 
  #[test]
  fn test_parse_role() {
@@ -508,7 +525,7 @@ mod test {
  #[test]
  fn test_sign_label() {
  let mut rng = rand::rngs::OsRng {};
- let keypair = Keypair::generate(&mut rng);
+ let keypair = SigningKey::generate(&mut rng);
 
  let mut ke = KeyEntry {
  label: "Matt Butcher <[email protected]>".to_owned(),
@@ -517,7 +534,7 @@ mod test {
  label_signature: None,
  };
 
- let pubkey = keypair.public;
+ let pubkey = keypair.verifying_key();
  ke.sign_label(keypair);
 
  assert!(ke.label_signature.is_some());

src/invoice/verification.rs

@@ -2,7 +2,8 @@ use crate::invoice::Signed;
 
 use super::signature::KeyRing;
 use super::{Invoice, Signature, SignatureError, SignatureRole};
-use ed25519_dalek::{PublicKey, Signature as EdSignature};
+use base64::Engine;
+use ed25519_dalek::{Signature as EdSignature, VerifyingKey};
 use tracing::debug;
 
 use std::borrow::{Borrow, BorrowMut};
@@ -136,13 +137,15 @@ fn parse_roles(r: Option<&&str>) -> Result<Vec<SignatureRole>, &'static str> {
 /// A strategy for verifying an invoice.
 impl VerificationStrategy {
  fn verify_signature(&self, sig: &Signature, cleartext: &[u8]) -> Result<(), SignatureError> {
- let pk = base64::decode(sig.key.as_bytes())
+ let pk = base64::engine::general_purpose::STANDARD
+ .decode(sig.key.as_bytes())
  .map_err(|_| SignatureError::CorruptKey(sig.key.clone()))?;
- let sig_block = base64::decode(sig.signature.as_bytes())
+ let sig_block = base64::engine::general_purpose::STANDARD
+ .decode(sig.signature.as_bytes())
  .map_err(|_| SignatureError::CorruptSignature(sig.key.clone()))?;
 
- let pubkey =
- PublicKey::from_bytes(&pk).map_err(|_| SignatureError::CorruptKey(sig.key.clone()))?;
+ let pubkey = VerifyingKey::try_from(pk.as_slice())
+ .map_err(|_| SignatureError::CorruptKey(sig.key.clone()))?;
  let ed_sig = EdSignature::try_from(sig_block.as_slice())
  .map_err(|_| SignatureError::CorruptSignature(sig.key.clone()))?;
  pubkey
@@ -231,9 +234,10 @@ impl VerificationStrategy {
  filled_roles.push(role);
  }
  // See if the public key is known to us
- let pubkey = base64::decode(&s.key)
+ let pubkey = base64::engine::general_purpose::STANDARD
+ .decode(&s.key)
  .map_err(|_| SignatureError::CorruptKey(s.key.to_string()))?;
- let pko = PublicKey::from_bytes(pubkey.as_slice())
+ let pko = VerifyingKey::try_from(pubkey.as_slice())
  .map_err(|_| SignatureError::CorruptKey(s.key.to_string()))?;
 
  debug!("Looking for key");