Updated dependencies (#104)

* Updated dependencies

* Remove useless rustflag

* fmt

* Clippy

* Bumped rand_core

Author: LucFauvel

.cargo/config.toml

@@ -12,4 +12,4 @@ linker = "i686-linux-android21-clang"
 
 [target.x86_64-linux-android]
 ar = "x86_64-linux-android-ar"
-linker = "x86_64-linux-android21-clang"
+linker = "x86_64-linux-android21-clang"

Cargo.toml

@@ -50,15 +50,15 @@ sha2 = { version = "0.10", features = ["oid"] }
 hmac = { version = "0.12", features = ["reset"] }
 sha-1 = { version = "0.10", features = ["oid"] }
 time = "0.3"
-base32 = "0.4"
+base32 = "0.5"
 hex = "0.4"
-rsa = "0.9.2"
-rand = "0.8.5"
-x509-parser = "0.15.0"
+rsa = "0.9.8"
+rand_core = "0.6.4"
+x509-parser = "0.17.0"
 
-base64 = { version = "0.13", optional = true }
-byteorder = { version = "1.4", optional = true }
-ring = { version = "0.16", optional = true }
+base64 = { version = "0.22", optional = true }
+byteorder = { version = "1.5", optional = true }
+ring = { version = "0.17", optional = true }
 untrusted = { version = "0.9.0", optional = true }
 serde = { version = "1.0", optional = true }
 serde_repr = { version = "0.1", optional = true }
@@ -67,32 +67,32 @@ serde_bytes = { version = "0.11", optional = true }
 serde_json = { version = "1.0", optional = true }
 serde_cbor = { version = "0.11", optional = true }
 webpki = { version = "0.22", optional = true, features = ["alloc"] }
-bytes = { version = "1.2", optional = true }
-http = { version = "1.0", optional = true }
-uuid = { version = "1.6", optional = true }
-ed25519-dalek = { version = "2.1.0", features = [
+bytes = { version = "1.10", optional = true }
+http = { version = "1.3", optional = true }
+uuid = { version = "1.16", optional = true }
+ed25519-dalek = { version = "2.1.1", features = [
     "rand_core",
     "pkcs8",
 ], optional = true }
 p256 = { version = "0.13.2", optional = true }
-indexmap = { version = "2.2.6", features = ["serde"], optional = true }
+indexmap = { version = "2.9.0", features = ["serde"], optional = true }
 
 [target.'cfg(target_os = "android")'.dependencies]
 jni = { version = "0.21.1", optional = true }
 
 [target.'cfg(target_arch="wasm32")'.dependencies]
-wasm-bindgen = { version = "0.2.91" }
-js-sys = "0.3.37"
+wasm-bindgen = { version = "0.2.100" }
+js-sys = "0.3.77"
 # FIXME: https://docs.rs/getrandom/0.2.2/getrandom/#webassembly-support
 # let `getrandom` know that JavaScript is available for our targets
 # `getrandom` is not used directly, but by adding the right feature here
 # it will be compiled with it in our dependencies as well (since union of
 # all the features selected is used when building a Cargo project)
 getrandom = { version = "0.2", features = ["js"] }
-serde-wasm-bindgen = "0.6.3"
+serde-wasm-bindgen = "0.6.5"
 
 [target.'cfg(target_arch="wasm32")'.dev-dependencies]
-wasm-bindgen-test = "0.3.10"
+wasm-bindgen-test = "0.3.50"
 
 [target.'cfg(not(target_arch="wasm32"))'.dev-dependencies]
 saphir = { version = "3.1.0", git = "https://github.com/richerarc/saphir.git", tag = "v3.1.0", features = [
@@ -104,9 +104,9 @@ async-stream = ">= 0.3, < 0.3.4" # 0.3.4 and up currently break saphir
 [dev-dependencies]
 serde_json = "1.0"
 serde_cbor = "0.11"
-uuid = "1.2"
-rand = "0.8"
-bytes = "1.2"
+uuid = "1.16"
+rand = "0.9"
+bytes = "1.10"
 
 #[package.metadata.wasm-pack.profile.release]
 #wasm-opt = false

examples/web-server.rs

@@ -1,14 +1,17 @@
 use rand::seq::IteratorRandom;
 use saphir::prelude::*;
 use serde_json::{json, Value};
-use slauth::webauthn::{
-    error::{CredentialError as CredE, Error::CredentialError},
-    proto::{
-        constants::WEBAUTHN_CHALLENGE_LENGTH,
-        raw_message::CredentialPublicKey,
-        web_message::{PublicKeyCredential, PublicKeyCredentialCreationOptions, PublicKeyCredentialRequestOptions},
+use slauth::{
+    base64::*,
+    webauthn::{
+        error::{CredentialError as CredE, Error::CredentialError},
+        proto::{
+            constants::WEBAUTHN_CHALLENGE_LENGTH,
+            raw_message::CredentialPublicKey,
+            web_message::{PublicKeyCredential, PublicKeyCredentialCreationOptions, PublicKeyCredentialRequestOptions},
+        },
+        server::{CredentialCreationBuilder, CredentialCreationVerifier, CredentialRequestBuilder, CredentialRequestVerifier},
     },
-    server::{CredentialCreationBuilder, CredentialCreationVerifier, CredentialRequestBuilder, CredentialRequestVerifier},
 };
 use std::{collections::HashMap, sync::RwLock};
 
@@ -53,7 +56,7 @@ impl Responder for TestError {
 impl TestController {
     #[get("/register")]
     async fn register_request(&self) -> Result<Json<Value>, TestError> {
-        let uuid = base64::encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
+        let uuid = BASE64.encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
         let builder = CredentialCreationBuilder::new()
             .challenge(gen_challenge(WEBAUTHN_CHALLENGE_LENGTH))
             .user(uuid.clone(), "lfauvel@devolutions.net".to_string(), "Luc Fauvel".to_string(), None)
@@ -77,7 +80,7 @@ impl TestController {
     #[post("/register")]
     async fn complete_register(&self, cred: Json<PublicKeyCredential>) -> Result<(), TestError> {
         let cred = cred.into_inner();
-        let uuid = base64::encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
+        let uuid = BASE64.encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
         if let Some(context) = self.reg_contexts.read().expect("should be ok").get(&uuid) {
             let mut verifier = CredentialCreationVerifier::new(cred.clone(), context.clone(), "http://localhost");
             if let Ok(result) = verifier.verify() {
@@ -93,7 +96,7 @@ impl TestController {
         let mut builder = CredentialRequestBuilder::new()
             .rp("localhost".to_string())
             .challenge(gen_challenge(WEBAUTHN_CHALLENGE_LENGTH));
-        let uuid = base64::encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
+        let uuid = BASE64.encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
         for (cred, _) in self.creds.read().unwrap().iter() {
             builder = builder.allow_credential(cred.clone());
         }
@@ -112,7 +115,7 @@ impl TestController {
     #[post("/sign")]
     async fn complete_sign(&self, req: Json<PublicKeyCredential>) -> Result<(u16, String), TestError> {
         let cred = req.into_inner();
-        let uuid = base64::encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
+        let uuid = BASE64.encode("e1aea4d6-d2ee-4218-9f1c-5ccddadaa1a7");
 
         let ctx_lock = self
             .sign_contexts
@@ -209,9 +212,9 @@ async fn main() -> Result<(), SaphirError> {
 pub fn gen_challenge(len: usize) -> String {
     let charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 
-    let mut rng = rand::thread_rng();
+    let mut rng = rand::rng();
     let value = (0..len)
         .map(|_| charset.chars().choose(&mut rng).unwrap() as u8)
         .collect::<Vec<u8>>();
-    base64::encode_config(value.as_slice(), base64::URL_SAFE_NO_PAD)
+    BASE64_URLSAFE_NOPAD.encode(value.as_slice())
 }

src/base64.rs

@@ -0,0 +1,18 @@
+pub use base64::Engine as _;
+use base64::{
+    alphabet,
+    engine::{DecodePaddingMode, GeneralPurpose, GeneralPurposeConfig},
+};
+
+const CONFIG: GeneralPurposeConfig = GeneralPurposeConfig::new()
+    .with_encode_padding(true)
+    .with_decode_padding_mode(DecodePaddingMode::Indifferent)
+    .with_decode_allow_trailing_bits(true);
+
+const CONFIG_NO_PAD: GeneralPurposeConfig = GeneralPurposeConfig::new()
+    .with_encode_padding(false)
+    .with_decode_padding_mode(DecodePaddingMode::Indifferent)
+    .with_decode_allow_trailing_bits(true);
+
+pub const BASE64: GeneralPurpose = GeneralPurpose::new(&alphabet::STANDARD, CONFIG);
+pub const BASE64_URLSAFE_NOPAD: GeneralPurpose = GeneralPurpose::new(&alphabet::URL_SAFE, CONFIG_NO_PAD);

src/lib.rs

@@ -18,6 +18,8 @@ pub mod webauthn;
 #[cfg(target_arch = "wasm32")]
 pub mod wasm;
 
+pub mod base64;
+
 #[cfg(feature = "native-bindings")]
 pub mod strings {
     use std::{

src/oath/hotp.rs

@@ -139,7 +139,7 @@ impl OtpAuth for HOTPContext {
         let mut uri = format!(
             "otpauth://hotp/{}?secret={}&algorithm={}&digits={}&counter={}",
             label.unwrap_or("slauth"),
-            base32::encode(base32::Alphabet::RFC4648 { padding: false }, self.secret.as_slice()),
+            base32::encode(base32::Alphabet::Rfc4648 { padding: false }, self.secret.as_slice()),
             self.alg,
             self.digits,
             self.counter
@@ -174,7 +174,7 @@ impl OtpAuth for HOTPContext {
 
             let param_it_opt = type_label_it
                 .next()
-                .and_then(|label_param| label_param.split('?').last().map(|s| s.split('&')));
+                .and_then(|label_param| label_param.split('?').next_back().map(|s| s.split('&')));
 
             param_it_opt
                 .ok_or_else(|| "Otpauth uri is malformed, missing parameters".to_string())

src/oath/mod.rs

@@ -101,7 +101,7 @@ pub(crate) fn dt(hmac_res: &[u8]) -> u32 {
 #[inline]
 pub(crate) fn decode_hex_or_base_32(encoded: &str) -> Option<Vec<u8>> {
     // Try base32 first then is it does not follows RFC4648, try HEX
-    base32::decode(base32::Alphabet::RFC4648 { padding: false }, encoded).or_else(|| hex::decode(encoded).ok())
+    base32::decode(base32::Alphabet::Rfc4648 { padding: false }, encoded).or_else(|| hex::decode(encoded).ok())
 }
 
 #[cfg(target_arch = "wasm32")]

src/oath/totp.rs

@@ -202,7 +202,7 @@ impl OtpAuth for TOTPContext {
         let mut uri = format!(
             "otpauth://totp/{}?secret={}&algorithm={}&digits={}&period={}",
             label.unwrap_or("slauth"),
-            base32::encode(base32::Alphabet::RFC4648 { padding: false }, self.secret.as_slice()),
+            base32::encode(base32::Alphabet::Rfc4648 { padding: false }, self.secret.as_slice()),
             self.alg,
             self.digits,
             self.period
@@ -237,7 +237,7 @@ impl OtpAuth for TOTPContext {
 
             let param_it_opt = type_label_it
                 .next()
-                .and_then(|label_param| label_param.split('?').last().map(|s| s.split('&')));
+                .and_then(|label_param| label_param.split('?').next_back().map(|s| s.split('&')));
 
             param_it_opt
                 .ok_or_else(|| "Otpauth uri is malformed, missing parameters".to_string())

src/u2f/client/mod.rs

@@ -9,19 +9,22 @@ pub struct SigningKey {
 pub mod client {
     use sha2::{Digest, Sha256};
 
-    use crate::u2f::{
-        client::{token, SigningKey},
-        error::Error,
-        proto::{
-            constants::{MAX_RESPONSE_LEN_EXTENDED, U2F_AUTHENTICATE, U2F_AUTH_DONT_ENFORCE, U2F_REGISTER, U2F_V2_VERSION_STR},
-            raw_message::{
-                self,
-                apdu::{ApduFrame, Request as RawRequest},
-                Message as RawMessageTrait,
-            },
-            web_message::{
-                ClientData, ClientDataType, ClientError, Request, Response, U2fRegisterResponse, U2fRequest, U2fRequestType,
-                U2fResponse as WebResponse, U2fResponseType, U2fSignResponse,
+    use crate::{
+        base64::*,
+        u2f::{
+            client::{token, SigningKey},
+            error::Error,
+            proto::{
+                constants::{MAX_RESPONSE_LEN_EXTENDED, U2F_AUTHENTICATE, U2F_AUTH_DONT_ENFORCE, U2F_REGISTER, U2F_V2_VERSION_STR},
+                raw_message::{
+                    self,
+                    apdu::{ApduFrame, Request as RawRequest},
+                    Message as RawMessageTrait,
+                },
+                web_message::{
+                    ClientData, ClientDataType, ClientError, Request, Response, U2fRegisterResponse, U2fRequest, U2fRequestType,
+                    U2fResponse as WebResponse, U2fResponseType, U2fSignResponse,
+                },
             },
         },
     };
@@ -90,8 +93,8 @@ pub mod client {
                     Ok((
                         Response::Register(U2fRegisterResponse {
                             version: U2F_V2_VERSION_STR.to_string(),
-                            client_data: base64::encode_config(&client_data_str, base64::URL_SAFE_NO_PAD),
-                            registration_data: base64::encode_config(&raw_rsp_byte, base64::URL_SAFE_NO_PAD),
+                            client_data: BASE64_URLSAFE_NOPAD.encode(&client_data_str),
+                            registration_data: BASE64_URLSAFE_NOPAD.encode(&raw_rsp_byte),
                         }),
                         signing_key,
                     ))
@@ -156,8 +159,8 @@ pub mod client {
 
                     Ok(Response::Sign(U2fSignResponse {
                         key_handle: signing_key.key_handle.clone(),
-                        signature_data: base64::encode_config(&raw_rsp_byte, base64::URL_SAFE_NO_PAD),
-                        client_data: base64::encode_config(&client_data_str, base64::URL_SAFE_NO_PAD),
+                        signature_data: BASE64_URLSAFE_NOPAD.encode(&raw_rsp_byte),
+                        client_data: BASE64_URLSAFE_NOPAD.encode(&client_data_str),
                     }))
                 }
             }
@@ -382,11 +385,7 @@ pub mod client {
         pub unsafe extern "C" fn signing_key_to_string(s: *mut SigningKey) -> *mut c_char {
             let SigningKey { key_handle, private_key } = &*s;
 
-            strings::string_to_c_char(format!(
-                "{}.{}",
-                key_handle,
-                base64::encode_config(private_key, base64::URL_SAFE_NO_PAD)
-            ))
+            strings::string_to_c_char(format!("{}.{}", key_handle, BASE64_URLSAFE_NOPAD.encode(private_key)))
         }
 
         #[no_mangle]
@@ -402,11 +401,7 @@ pub mod client {
                     let mut parts = s.split('.');
                     let l = parts.next().and_then(|key_handle| parts.next().map(|b64| (key_handle, b64)));
 
-                    l.and_then(|(k, b64)| {
-                        base64::decode_config(b64, base64::URL_SAFE_NO_PAD)
-                            .ok()
-                            .map(|b64_v| (k.to_string(), b64_v))
-                    })
+                    l.and_then(|(k, b64)| BASE64_URLSAFE_NOPAD.decode(b64).ok().map(|b64_v| (k.to_string(), b64_v)))
                 })
                 .map(|(key_handle, key)| {
                     Box::into_raw(Box::new(SigningKey {

src/u2f/client/token.rs

@@ -5,7 +5,7 @@ use std::{
 };
 
 use ring::{
-    rand,
+    rand::{self, SystemRandom},
     signature::{self, KeyPair},
 };
 
@@ -24,7 +24,7 @@ pub(crate) fn gen_key_handle(app_id: &[u8], chall: &[u8]) -> String {
     let mut data = Vec::with_capacity(app_id.len() + chall.len());
     data.extend_from_slice(app_id);
     data.extend_from_slice(chall);
-    base32::encode(base32::Alphabet::RFC4648 { padding: false }, &data)
+    base32::encode(base32::Alphabet::Rfc4648 { padding: false }, &data)
 }
 
 pub fn register(req: RegisterRequest, attestation_cert: &[u8], attestation_key: &[u8]) -> Result<(RegisterResponse, SigningKey), Error> {
@@ -38,7 +38,9 @@ pub fn register(req: RegisterRequest, attestation_cert: &[u8], attestation_key:
 
     let key_handle = gen_key_handle(&application, &challenge);
 
-    let registered_key_pair = signature::EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, registered_key_pkcs8_bytes)?;
+    let random = SystemRandom::new();
+    let registered_key_pair =
+        signature::EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, registered_key_pkcs8_bytes, &random)?;
     let registered_pub_key = registered_key_pair.public_key();
     let mut user_public_key = [0u8; U2F_EC_POINT_SIZE];
 
@@ -54,7 +56,7 @@ pub fn register(req: RegisterRequest, attestation_cert: &[u8], attestation_key:
     tbs_vec.extend_from_slice(key_handle.as_bytes());
     tbs_vec.extend_from_slice(&user_public_key);
 
-    let att_key_pair = signature::EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, attestation_key)?;
+    let att_key_pair = signature::EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, attestation_key, &random)?;
 
     let sig = att_key_pair.sign(&rng, tbs_vec.as_slice())?;
 
@@ -94,8 +96,11 @@ pub fn sign(req: AuthenticateRequest, signing_key: &SigningKey, counter: u32, us
         U2F_AUTH_CHECK_ONLY => Err(Error::U2FErrorCode(U2F_SW_CONDITIONS_NOT_SATISFIED)),
         U2F_AUTH_ENFORCE | U2F_AUTH_DONT_ENFORCE => {
             let rng = rand::SystemRandom::new();
-            let key_pair =
-                signature::EcdsaKeyPair::from_pkcs8(&signature::ECDSA_P256_SHA256_ASN1_SIGNING, signing_key.private_key.as_slice())?;
+            let key_pair = signature::EcdsaKeyPair::from_pkcs8(
+                &signature::ECDSA_P256_SHA256_ASN1_SIGNING,
+                signing_key.private_key.as_slice(),
+                &SystemRandom::new(),
+            )?;
 
             let mut tbs_vec = Vec::with_capacity(U2F_AUTH_MAX_DATA_TBS_SIZE);
             tbs_vec.extend_from_slice(&application);

src/u2f/mod.rs

@@ -7,7 +7,10 @@ pub mod server;
 
 #[test]
 fn test() {
-    use crate::u2f::proto::web_message::{Response, U2fRequest};
+    use crate::{
+        base64::*,
+        u2f::proto::web_message::{Response, U2fRequest},
+    };
     use server::*;
     const ATT_PKEY: &str = "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgzgUSoDttmryF0C+ck4GppKwssha7ngah0dfezfTBzDOhRANCAATXk8CelRQjNuArEPpEW40yOOX9wPTq8pEG2XRf8KI3NzeKBOHWpxzTRAgKABBTF28dKf4NpJGSL+Qj04nyWQ8a";
     const ATT_CERT: &str = "MIICODCCAd6gAwIBAgIJAKsa9WC9HvEuMAoGCCqGSM49BAMCMFoxDzANBgNVBAMMBlNsYXV0aDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzETMBEGA1UEBwwKTGF2YWx0cm91ZTEUMBIGA1UECgwLRGV2b2x1dGlvbnMwHhcNMTkwNzAyMTgwMTUyWhcNMzEwNjI5MTgwMTUyWjBaMQ8wDQYDVQQDDAZTbGF1dGgxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxEzARBgNVBAcMCkxhdmFsdHJvdWUxFDASBgNVBAoMC0Rldm9sdXRpb25zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE15PAnpUUIzbgKxD6RFuNMjjl/cD06vKRBtl0X/CiNzc3igTh1qcc00QICgAQUxdvHSn+DaSRki/kI9OJ8lkPGqOBjDCBiTAdBgNVHQ4EFgQU7iZ4JceUHOuWoMymFGm+ZBUmwwgwHwYDVR0jBBgwFoAU7iZ4JceUHOuWoMymFGm+ZBUmwwgwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAVBgNVHREEDjAMggpzbGF1dGgub3JnMAoGCCqGSM49BAMCA0gAMEUCIEdjPFNsund4FXs/1HpK4AXWQ0asfY6ERhNlg29VGS6pAiEAx8f2lrlVV1tASWbC/edTgH9JsCbANuXW/9FZcWHGl2E=";
@@ -29,8 +32,8 @@ fn test() {
     let (rsp, signing_key) = web_req
         .register(
             origin.to_string(),
-            base64::decode(ATT_CERT).unwrap().as_slice(),
-            base64::decode(ATT_PKEY).unwrap().as_slice(),
+            BASE64.decode(ATT_CERT).unwrap().as_slice(),
+            BASE64.decode(ATT_PKEY).unwrap().as_slice(),
         )
         .expect("Unable to register");