From 9c119be99d9d35e3e2e2d70b24cc07be455a066a Mon Sep 17 00:00:00 2001 From: Oz Date: Sun, 31 May 2026 16:14:59 +0000 Subject: [PATCH] fix: update ring to resolve CVE-2025-4432 Co-Authored-By: Oz --- Cargo.lock | 605 +++++++++++++++++++------ integration/gcpkms/Cargo.toml | 12 +- integration/gcpkms/src/default_sa.rs | 57 +-- integration/gcpkms/src/gcp_kms_aead.rs | 50 +- 4 files changed, 529 insertions(+), 195 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index fc9d03f6a..5939e9dba 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -210,9 +210,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.6.0" +version = "2.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de" +checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3" [[package]] name = "block-buffer" @@ -240,17 +240,18 @@ checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535" [[package]] name = "bytes" -version = "1.7.2" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3" +checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" [[package]] name = "cc" -version = "1.1.24" +version = "1.2.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "812acba72f0a070b003d3697490d2b55b837230ae7c6c6497f05cc2ddbb8d938" +checksum = "556e016178bb5662a08681bbe0f00f8e17631781a4dfc8c45e466e4b185ec27f" dependencies = [ - "shlex", + "find-msvc-tools", + "shlex 2.0.1", ] [[package]] 
@@ -360,11 +361,21 @@ dependencies = [ "libc", ] +[[package]] +name = "core-foundation" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" -version = "0.8.3" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc" +checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" [[package]] name = "cpufeatures" @@ -409,9 +420,9 @@ dependencies = [ [[package]] name = "crypto-mac" -version = "0.11.1" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714" +checksum = "25fab6889090c8133f3deb8f73ba3c65a7f456f66436fc012a1b1e272b1e103e" dependencies = [ "generic-array", "subtle", @@ -438,15 +449,6 @@ dependencies = [ "memchr", ] -[[package]] -name = "ct-logs" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1a816186fa68d9e426e3cb4ae4dff1fcd8e4a2c34b781bf7a822574a0d0aac8" -dependencies = [ - "sct", -] - [[package]] name = "ctr" version = "0.9.2" @@ -547,6 +549,16 @@ dependencies = [ "zeroize", ] +[[package]] +name = "deranged" +version = "0.5.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c" +dependencies = [ + "powerfmt", + "serde_core", +] + [[package]] name = "digest" version = "0.9.0" 
@@ -589,6 +601,17 @@ dependencies = [ "winapi", ] +[[package]] +name = "displaydoc" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ac70aa55017e108007fbaf5aa0f54b021c98f92ff8af59d42eda9da96e3dd4f" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.89", +] + [[package]] name = "ecdsa" version = "0.16.9" @@ -799,6 +822,12 @@ version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d" +[[package]] +name = "find-msvc-tools" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" + [[package]] name = "fixedbitset" version = "0.4.2" @@ -828,9 +857,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" [[package]] name = "form_urlencoded" -version = "1.1.0" +version = "1.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8" +checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf" dependencies = [ "percent-encoding", ] @@ -1198,19 +1227,19 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.22.1" +version = "0.27.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f9f7a97316d44c0af9b0301e65010573a853a9fc97046d7331d7f6bc0fd5a64" +checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58" dependencies = [ - "ct-logs", - "futures-util", - "hyper 0.14.24", - "log", + "http 1.1.0", + "hyper 1.4.1", + "hyper-util", "rustls", "rustls-native-certs", + "rustls-pki-types", "tokio", "tokio-rustls", - "webpki", + "tower-service", ] [[package]] 
@@ -1282,14 +1311,106 @@ dependencies = [ "cxx-build", ] +[[package]] +name = "icu_collections" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43" +dependencies = [ + "displaydoc", + "potential_utf", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locale_core" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_normalizer" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599" +dependencies = [ + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a" + +[[package]] +name = "icu_properties" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec" +dependencies = [ + "icu_collections", + "icu_locale_core", + "icu_properties_data", + "icu_provider", + "zerotrie", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af" + +[[package]] +name = "icu_provider" +version = "2.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614" +dependencies = [ + "displaydoc", + "icu_locale_core", + 
"writeable", + "yoke", + "zerofrom", + "zerotrie", + "zerovec", +] + [[package]] name = "idna" -version = "0.3.0" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de" +dependencies = [ + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6" +checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344" dependencies = [ - "unicode-bidi", - "unicode-normalization", + "icu_normalizer", + "icu_properties", ] [[package]] @@ -1344,9 +1465,9 @@ dependencies = [ [[package]] name = "itertools" -version = "0.10.5" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569" dependencies = [ "either", ] @@ -1393,6 +1514,12 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f051f77a7c8e6957c0696eac88f26b0117e54f52d3fc682ab19397a8812846a4" +[[package]] +name = "litemap" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92daf443525c4cce67b150400bc2316076100ce0b3686209eb8cf3c31612e6f0" + [[package]] name = "log" version = "0.4.29" @@ -1462,10 +1589,10 @@ dependencies = [ "libc", "log", "openssl", - "openssl-probe", + "openssl-probe 0.1.5", "openssl-sys", "schannel", - "security-framework", + "security-framework 2.8.2", "security-framework-sys", "tempfile", ] 
@@ -1480,6 +1607,12 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-conv" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "521739c6d2bac4aa25192232afe6841231376b2b26d4d9fae5ecf8ca5772e441" + [[package]] name = "num-integer" version = "0.1.46" @@ -1498,6 +1631,15 @@ dependencies = [ "autocfg", ] +[[package]] +name = "num_threads" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c7398b9c8b70908f6371f47ed36737907c87c52af34c268fed0bf0ceb92ead9" +dependencies = [ + "libc", +] + [[package]] name = "once_cell" version = "1.17.1" @@ -1516,7 +1658,7 @@ version = "0.10.72" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da" dependencies = [ - "bitflags 2.6.0", + "bitflags 2.11.1", "cfg-if", "foreign-types", "libc", @@ -1542,6 +1684,12 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" +[[package]] +name = "openssl-probe" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" + [[package]] name = "openssl-sys" version = "0.9.107" @@ -1662,6 +1810,21 @@ dependencies = [ "universal-hash", ] +[[package]] +name = "potential_utf" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77" +dependencies = [ + "zerovec", +] + +[[package]] +name = "powerfmt" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" + [[package]] name = "ppv-lite86" version = "0.2.17" 
@@ -1780,7 +1943,7 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e8bbe1a966bd2f362681a44f6edce3c2310ac21e4d5067a6e7ec396297a6ea0" dependencies = [ - "bitflags 2.6.0", + "bitflags 2.11.1", "memchr", "unicase", ] @@ -1805,9 +1968,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha", @@ -1850,7 +2013,7 @@ checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b" dependencies = [ "getrandom", "redox_syscall", - "thiserror", + "thiserror 1.0.39", ] [[package]] @@ -1894,17 +2057,16 @@ dependencies = [ [[package]] name = "ring" -version = "0.16.20" +version = "0.17.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" dependencies = [ "cc", + "cfg-if", + "getrandom", "libc", - "once_cell", - "spin", "untrusted", - "web-sys", - "winapi", + "windows-sys 0.52.0", ] [[package]] @@ -1963,7 +2125,7 @@ dependencies = [ "hyper 0.14.24", "serde", "serde_json", - "shlex", + "shlex 1.3.0", "tokio", "zeroize", ] 
@@ -2033,27 +2195,48 @@ dependencies = [ [[package]] name = "rustls" -version = "0.19.1" +version = "0.23.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" +checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b" dependencies = [ - "base64 0.13.1", - "log", + "once_cell", "ring", - "sct", - "webpki", + "rustls-pki-types", + "rustls-webpki", + "subtle", + "zeroize", ] [[package]] name = "rustls-native-certs" -version = "0.5.0" +version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" +checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63" dependencies = [ - "openssl-probe", - "rustls", + "openssl-probe 0.2.1", + "rustls-pki-types", "schannel", - "security-framework", + "security-framework 3.7.0", +] + +[[package]] +name = "rustls-pki-types" +version = "1.14.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9" +dependencies = [ + "zeroize", +] + +[[package]] +name = "rustls-webpki" +version = "0.103.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" +dependencies = [ + "ring", + "rustls-pki-types", + "untrusted", ] [[package]] @@ -2077,16 +2260,6 @@ version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1792db035ce95be60c3f8853017b3999209281c24e2ba5bc8e59bf97a0c590c1" -[[package]] -name = "sct" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "seahash" version = "4.1.0" 
@@ -2114,7 +2287,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a332be01508d814fed64bf28f798a146d73792121129962fdf335bb3c49a4254" dependencies = [ "bitflags 1.3.2", - "core-foundation", + "core-foundation 0.9.3", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework" +version = "3.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" +dependencies = [ + "bitflags 2.11.1", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -2122,9 +2308,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.8.0" +version = "2.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31c9bb296072e961fcbd8853511dd39c2d8be2deb1e17c6860b1d30732b323b4" +checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3" dependencies = [ "core-foundation-sys", "libc", @@ -2220,6 +2406,12 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" +[[package]] +name = "shlex" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8fadd59c855ef2080decdef8ff161eb6661b86933c9d82e5ba29dc602a55aba" + [[package]] name = "signal-hook-registry" version = "1.4.1" @@ -2284,12 +2476,6 @@ dependencies = [ "windows-sys 0.60.2", ] -[[package]] -name = "spin" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" - [[package]] name = "spki" version = "0.7.2" 
@@ -2300,6 +2486,12 @@ dependencies = [ "der", ] +[[package]] +name = "stable_deref_trait" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" + [[package]] name = "strsim" version = "0.8.0" @@ -2332,9 +2524,9 @@ dependencies = [ [[package]] name = "subtle" -version = "2.4.1" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" +checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" @@ -2364,6 +2556,17 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263" +[[package]] +name = "synstructure" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.89", +] + [[package]] name = "tempfile" version = "3.4.0" @@ -2401,7 +2604,16 @@ version = "1.0.39" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a5ab016db510546d856297882807df8da66a16fb8c4101cb8b30054b0d5b2d9c" dependencies = [ - "thiserror-impl", + "thiserror-impl 1.0.39", +] + +[[package]] +name = "thiserror" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" +dependencies = [ + "thiserror-impl 2.0.18", ] [[package]] 
@@ -2415,6 +2627,49 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "thiserror-impl" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.89", +] + +[[package]] +name = "time" +version = "0.3.47" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c" +dependencies = [ + "deranged", + "libc", + "num-conv", + "num_threads", + "powerfmt", + "serde_core", + "time-core", + "time-macros", +] + +[[package]] +name = "time-core" +version = "0.1.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca" + +[[package]] +name = "time-macros" +version = "0.2.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215" +dependencies = [ + "num-conv", + "time-core", +] + [[package]] name = "tink-aead" version = "0.3.0" @@ -2476,13 +2731,17 @@ name = "tink-gcpkms" version = "0.3.0" dependencies = [ "base64 0.22.1", + "bytes", "chrono", "futures", - "http 0.2.11", - "hyper 0.14.24", + "http 1.1.0", + "http-body-util", + "hyper 1.4.1", "hyper-rustls", + "hyper-util", "lazy_static", "percent-encoding", + "rustls", "serde", "serde_json", "tink-core", 
@@ -2617,20 +2876,15 @@ dependencies = [ ] [[package]] -name = "tinyvec" -version = "1.6.0" +name = "tinystr" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869" dependencies = [ - "tinyvec_macros", + "displaydoc", + "zerovec", ] -[[package]] -name = "tinyvec_macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" - [[package]] name = "tokio" version = "1.48.0" @@ -2670,13 +2924,12 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.22.0" +version = "0.26.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" +checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61" dependencies = [ "rustls", "tokio", - "webpki", ] [[package]] @@ -2853,27 +3106,12 @@ version = "2.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539" -[[package]] -name = "unicode-bidi" -version = "0.3.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d54675592c1dbefd78cbd98db9bacd89886e1ca50692a0692baefffdeb92dd58" - [[package]] name = "unicode-ident" version = "1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" -[[package]] -name = "unicode-normalization" -version = "0.1.22" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" -dependencies = [ - "tinyvec", -] - [[package]] name = "unicode-segmentation" version = "1.10.1" 
@@ -2888,9 +3126,9 @@ checksum = "c0edd1e5b14653f783770bce4a4dabb4a5108a5370a5f5d8cfe8710c361f6c8b" [[package]] name = "universal-hash" -version = "0.5.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d3160b73c9a19f7e2939a2fdad446c57c1bbbbf4d919d3213ff1267a580d8b5" +checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea" dependencies = [ "crypto-common", "subtle", @@ -2898,21 +3136,28 @@ dependencies = [ [[package]] name = "untrusted" -version = "0.7.1" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "url" -version = "2.3.1" +version = "2.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" dependencies = [ "form_urlencoded", "idna", "percent-encoding", + "serde", ] +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + [[package]] name = "vcpkg" version = "0.2.15" 
@@ -3001,26 +3246,6 @@ version = "0.2.84" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" -[[package]] -name = "web-sys" -version = "0.3.61" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" -dependencies = [ - "js-sys", - "wasm-bindgen", -] - -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "winapi" version = "0.3.9" 
@@ -3288,36 +3513,122 @@ version = "0.53.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650" +[[package]] +name = "writeable" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ffae5123b2d3fc086436f8834ae3ab053a283cfac8fe0a0b8eaae044768a4c4" + [[package]] name = "xml-rs" version = "0.8.28" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3ae8337f8a065cfc972643663ea4279e04e7256de865aa66fe25cec5fb912d3f" +[[package]] +name = "yoke" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954" +dependencies = [ + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.89", + "synstructure", +] + [[package]] name = "yup-oauth2" -version = "5.1.0" +version = "12.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2573621fa28865489bdf556cdb8703604f4e8498612e3041a212ac20e59c4aeb" +checksum = "ef19a12dfb29fe39f78e1547e1be49717b84aef8762a4001359ed4f94d3accc1" dependencies = [ - "base64 0.13.1", - "chrono", - "futures", - "http 0.2.11", - "hyper 0.14.24", + "async-trait", + "base64 0.22.1", + "http 1.1.0", + "http-body-util", + "hyper 1.4.1", "hyper-rustls", + "hyper-util", "log", "percent-encoding", "rustls", "seahash", "serde", "serde_json", + "thiserror 2.0.18", + "time", "tokio", "url", ] +[[package]] +name = "zerofrom" +version = "0.1.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ec05a11813ea801ff6d75110ad09cd0824ddba17dfe17128ea0d5f68e6c5272" +dependencies = [ + "zerofrom-derive", 
+] + +[[package]] +name = "zerofrom-derive" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.89", + "synstructure", +] + [[package]] name = "zeroize" -version = "1.5.7" +version = "1.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" + +[[package]] +name = "zerotrie" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", +] + +[[package]] +name = "zerovec" +version = "0.11.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c394b5bd0c6f669e7275d9c20aa90ae064cb22e75a1cad54e1b34088034b149f" +checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.89", +] diff --git a/integration/gcpkms/Cargo.toml b/integration/gcpkms/Cargo.toml index c8fb98a16..c090128ff 100644 --- a/integration/gcpkms/Cargo.toml +++ b/integration/gcpkms/Cargo.toml 
@@ -16,13 +16,17 @@ rust-version = "1.78.0" base64 = "^0.22" chrono = "^0.4" futures = "^0.3" -http = "^0.2" -hyper = { version = "^0.14.20", features = ["client", "http1", "http2"] } -hyper-rustls = "^0.22.1" +bytes = "^1.11" +http = "^1" +http-body-util = "^0.1" +hyper = { version = "^1", features = ["client", "http1"] } +hyper-util = { version = "^0.1", features = ["client-legacy", "http1", "tokio"] } +hyper-rustls = { version = "=0.27.7", default-features = false, features = ["native-tokio", "http1", "ring", "tls12"] } lazy_static = "^1.5" percent-encoding = "^2.3" serde = { version = "^1.0", features = ["derive"] } +rustls = { version = "^0.23", default-features = false, features = ["ring", "std", "tls12"] } serde_json = "^1.0.145" tink-core = "^0.3" tokio = "^1.48" -yup-oauth2 = "^5.1" +yup-oauth2 = "^12" diff --git a/integration/gcpkms/src/default_sa.rs b/integration/gcpkms/src/default_sa.rs index fecbdfd49..22cf54291 100644 --- a/integration/gcpkms/src/default_sa.rs +++ b/integration/gcpkms/src/default_sa.rs @@ -18,11 +18,14 @@ //! //! Inspired by golang.org/x/oauth2/google and cloud.google.com/go/compute/metadata +use bytes::Bytes; use chrono::{DateTime, Utc}; use futures::join; +use http_body_util::{BodyExt, Empty}; +use hyper_util::{client::legacy::Client, rt::TokioExecutor}; use lazy_static::lazy_static; use percent_encoding::percent_encode; -use serde::{Deserialize, Serialize}; +use serde::Deserialize; use std::{ cell::RefCell, collections::HashMap, @@ -71,7 +74,7 @@ async fn on_gce_test() -> bool { // Method 1: check header returned by metadata server let http_result = async { - let client = hyper::Client::new(); + let client: Client<_, Empty> = Client::builder(TokioExecutor::new()).build_http(); let uri = match format!("http://{METADATA_IP_STR}").parse() { Ok(v) => v, Err(_) => return false, 
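Review bot: `hyper-rustls` is pinned with `=0.27.7` while every other dependency in this manifest uses a caret range, so a later 0.27.x security release of the TLS connector will not be picked up by `cargo update`. Unless there is a known incompatibility, `version = "^0.27.7"` keeps the floor without freezing the crate; if the pin is deliberate, a comment above the line should say why. The same hunk drops the `http2` feature from `hyper`, which the commit message does not mention. The regenerated Cargo.lock also moves `crypto-mac` from 0.11.1 back to 0.11.0, which looks unintended for a security update and is worth checking.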
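Review bot: The expression `Client::builder(TokioExecutor::new()).build_http()` is written out here and again in `get_gce_metadata` (the `@@ -121,14 +124,14 @@` hunk), so each call builds its own client and the two copies can drift apart. A small private helper that returns the plain-HTTP client would keep them in step. It would also give one place for a comment such as `// Plain HTTP on purpose: this client only talks to the metadata address, never to KMS.`. The body of `on_gce_test` continues outside the hunk.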
@@ -121,14 +124,14 @@ async fn get_gce_metadata(name: &str) -> Result { .path_and_query(format!("/computeMetadata/v1/{name}")) .build() .map_err(|e| wrap_err("failed to build Uri", e))?; - let client = hyper::Client::new(); + let client: Client<_, Empty> = Client::builder(TokioExecutor::new()).build_http(); let req = hyper::Request::builder() .method(http::method::Method::GET) .uri(uri) .header(http::header::USER_AGENT, USER_AGENT) .header("Metadata-Flavor", "Google") - .body(hyper::Body::empty()) + .body(Empty::new()) .map_err(|e| wrap_err("failed to build request", e))?; let rsp = client .request(req) @@ -137,9 +140,12 @@ async fn get_gce_metadata(name: &str) -> Result { if rsp.status() != http::StatusCode::OK { return Err("failed HTTP request".into()); } - let bytes = hyper::body::to_bytes(rsp.into_body()) + let bytes = rsp + .into_body() + .collect() .await - .map_err(|e| wrap_err("failed to retrieve response body", e))?; + .map_err(|e| wrap_err("failed to retrieve response body", e))? + .to_bytes(); String::from_utf8(bytes.to_vec()).map_err(|e| wrap_err("failed to convert body to string", e)) } @@ -151,17 +157,22 @@ struct Token { // Also has `token_type: String` which we ignore. } -/// Local copy of [`yup_oauth2::AccessToken`]. -#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize, Serialize)] -struct AccessTokenClone { +#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)] +struct CachedAccessToken { pub value: String, - pub expires_at: Option>, + pub expires_at: DateTime, +} + +impl CachedAccessToken { + fn is_expired(&self) -> bool { + self.expires_at <= Utc::now() + chrono::Duration::minutes(1) + } } pub struct DefaultServiceAccountAuthenticator { // Map from scopelist to access tokens. // We don't attempt to canonicalize the scopelist (so a,b is different than b,a). - tokens: RefCell>, + tokens: RefCell>, } impl DefaultServiceAccountAuthenticator { 
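Review bot: `rsp.into_body().collect()` in the `@@ -137,9 +140,12 @@` hunk buffers the whole response with no upper bound, so whatever answers at the metadata address decides how much memory this call allocates. The removed `to_bytes` call had the same property, but the migration is a good place to cap it. Wrapping the body, `http_body_util::Limited::new(rsp.into_body(), MAX_METADATA_BODY).collect()`, with a small constant defined in this module, bounds the read. Whether `wrap_err` accepts the boxed error type that `Limited` produces is not visible here and would need checking.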
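Review bot: `CachedAccessToken` derives `Debug` while `value` holds the bearer token, so any `{:?}` of the struct or of the `tokens` map would write a live credential into logs or panic messages. The removed `AccessTokenClone` derived it too, but that was a short-lived intermediate and this type is what stays in the cache. Replacing the derive with a manual `Debug` that redacts `value` removes the risk. The removed doc comment also leaves the struct and the one-minute margin in `is_expired` undocumented; a line such as `/// Treats a token as expired one minute early so callers never send one that lapses in flight.` would cover it.

```rust
#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
struct CachedAccessToken {
    // … unchanged: value and expires_at fields …
}

impl std::fmt::Debug for CachedAccessToken {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Never print the bearer token itself.
        f.debug_struct("CachedAccessToken")
            .field("value", &"<redacted>")
            .field("expires_at", &self.expires_at)
            .finish()
    }
}
```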
@@ -174,12 +185,12 @@ impl DefaultServiceAccountAuthenticator { }) } - pub async fn token(&self, scopes: &[&str]) -> Result { + pub async fn token(&self, scopes: &[&str]) -> Result { let scopelist = scopes.join(","); if let Some(token) = self.tokens.borrow().get(&scopelist) { if !token.is_expired() { - return Ok(token.clone()); + return Ok(token.value.clone()); } } @@ -189,12 +200,9 @@ impl DefaultServiceAccountAuthenticator { self.tokens .borrow_mut() .insert(scopelist.to_string(), token.clone()); - Ok(token) + Ok(token.value) } - pub async fn refresh_token( - &self, - scopelist: &str, - ) -> Result { + async fn refresh_token(&self, scopelist: &str) -> Result { if !on_gce().await { return Err("not running on GCE".into()); } @@ -215,17 +223,10 @@ impl DefaultServiceAccountAuthenticator { .checked_add_signed(chrono::Duration::seconds(token.expires_in)) .ok_or_else(|| TinkError::new("failed to calculate expiry time"))?; - // The internals of [`yup_oauth2::TokenInfo`] and [`yup_oauth2::AccessToken`] are - // private, but deserialization is accessible, so round-trip via JSON using a clone - // of the structure. - let token_clone = AccessTokenClone { + let token = CachedAccessToken { value: token.access_token, - expires_at: Some(token_expiry), + expires_at: token_expiry, }; - let token_json = serde_json::to_string(&token_clone) - .map_err(|e| wrap_err("failed to JSON encode", e))?; - let token: yup_oauth2::AccessToken = serde_json::from_str(&token_json) - .map_err(|e| wrap_err("failed to parse internal JSON", e))?; Ok(token) } @@ -236,7 +237,7 @@ impl super::Authenticator for DefaultServiceAccountAuthenticator { &self, runtime: &mut tokio::runtime::Runtime, scopes: &[&str], - ) -> Result { + ) -> Result { runtime.block_on(self.token(scopes)) } } diff --git a/integration/gcpkms/src/gcp_kms_aead.rs b/integration/gcpkms/src/gcp_kms_aead.rs index 50681a21b..310d2324d 100644 --- a/integration/gcpkms/src/gcp_kms_aead.rs +++ b/integration/gcpkms/src/gcp_kms_aead.rs 
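Review bot: `token` stays `pub` but, judging from the new `Ok(token.value.clone())`, now returns the raw token string instead of the yup-oauth2 token type, and the following hunk makes `refresh_token` private. If `default_sa` is exported from the crate this breaks callers, and the lock file still shows `tink-gcpkms` at 0.3.0 with no mention in the commit message. The method also has no doc comment; something like ``/// Returns a bearer access token for `scopes`, served from the cache until one minute before expiry. The value is a secret and must not be logged.`` would state the new contract. The method body continues outside the hunk.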
@@ -17,8 +17,14 @@ //! AEAD functionality via GCP KMS. use base64::Engine; -use hyper::{body::Buf, client::connect::HttpConnector}; -use hyper_rustls::HttpsConnector; +use bytes::Bytes; +use http_body_util::{BodyExt, Full}; +use hyper::body::Incoming; +use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder}; +use hyper_util::{ + client::legacy::{connect::HttpConnector, Client}, + rt::TokioExecutor, +}; use percent_encoding::percent_encode; use serde::{Deserialize, Serialize}; use std::{cell::RefCell, rc::Rc}; @@ -28,12 +34,15 @@ use crate::default_sa::DefaultServiceAccountAuthenticator; const PLATFORM_SCOPE: &str = "https://www.googleapis.com/auth/cloud-platform"; +type RequestBody = Full; +type HttpsClient = Client, RequestBody>; + pub(crate) trait Authenticator { fn get_token( &self, runtime: &mut tokio::runtime::Runtime, scopes: &[&str], - ) -> Result; + ) -> Result; } impl Authenticator for yup_oauth2::authenticator::Authenticator> { @@ -41,10 +50,13 @@ impl Authenticator for yup_oauth2::authenticator::Authenticator Result { + ) -> Result { runtime .block_on(self.token(scopes)) - .map_err(|e| wrap_err("failed to get token", e)) + .map_err(|e| wrap_err("failed to get token", e))? + .token() + .map(str::to_string) + .ok_or_else(|| TinkError::new("empty access token")) } } @@ -53,7 +65,7 @@ impl Authenticator for yup_oauth2::authenticator::Authenticator, - client: hyper::Client>, + client: HttpsClient, // The Tokio runtime to execute KMS requests on, wrapped in: // - a `RefCell` for interior mutability (the [`tink_core::Aead`] trait's methods take // `&self`) 
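Review bot: In the yup_oauth2 `get_token` impl, the new `ok_or_else` only fires when `token()` yields `None`, so the message `empty access token` names a case that is not checked. A token that is present but empty would be passed on and end up in the `Authorization` header as a bare `Bearer `. Adding `.filter(|t| !t.is_empty())` before `.map(str::to_string)` and wording the error as `"missing or empty access token"` makes the check match the message. The start of `get_token` lies outside this hunk.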
@@ -68,8 +80,13 @@ impl GcpAead { key_uri: &str, sa_key: &Option, ) -> Result { - let https = HttpsConnector::with_native_roots(); - let client = hyper::Client::builder().build::<_, hyper::Body>(https); + let https = HttpsConnectorBuilder::new() + .with_provider_and_native_roots(rustls::crypto::ring::default_provider()) + .map_err(|e| wrap_err("failed to load native root certificates", e))? + .https_only() + .enable_http1() + .build(); + let client = Client::builder(TokioExecutor::new()).build(https); let runtime = tokio::runtime::Builder::new_current_thread() .enable_all() .build() @@ -95,7 +112,7 @@ impl GcpAead { }) } - fn token(&self) -> Result { + fn token(&self) -> Result { self.auth .get_token(&mut self.runtime.borrow_mut(), &[PLATFORM_SCOPE]) } @@ -104,7 +121,7 @@ impl GcpAead { &self, req: T, op: &str, - ) -> Result, TinkError> { + ) -> Result, TinkError> { let pq: http::uri::PathAndQuery = format!( "/v1/{}:{}/?alt=json", percent_encode(self.key_uri.as_bytes(), crate::DEFAULT_URL_ENCODE_SET), 
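Review bot: The connector chain in the `GcpAead` constructor makes two security-relevant choices that are not explained: `.https_only()` and the explicit `rustls::crypto::ring::default_provider()`. A later cleanup could drop either without noticing the effect. I would add `// https_only: every request carries a bearer token, so never fall back to plaintext HTTP.` above `.https_only()`. Above the provider line I would add `// Pass the ring provider explicitly instead of relying on a process-wide default CryptoProvider.` The constructor starts before this hunk and continues after it.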
@@ -129,30 +146,31 @@ impl GcpAead { .header(http::header::CONTENT_LENGTH, req_body.len() as u64) .header( hyper::header::AUTHORIZATION, - format!("Bearer {}", self.token()?.as_str()), + format!("Bearer {}", self.token()?), ) - .body(req_body.into()) + .body(Full::new(Bytes::from(req_body))) .map_err(|e| wrap_err("failed to build request", e)) } fn parse_http_rsp( &self, - http_rsp: http::Response, + http_rsp: http::Response, ) -> Result { let status = http_rsp.status(); let body = self .runtime .borrow_mut() - .block_on(async { hyper::body::aggregate(http_rsp).await }) + .block_on(async { http_rsp.into_body().collect().await }) .map_err(|e| wrap_err("failed to aggregate body", e))?; + let bytes = body.to_bytes(); if status.is_success() { - let rsp: T = serde_json::from_reader(body.reader()) + let rsp: T = serde_json::from_slice(&bytes) .map_err(|e| wrap_err("failed to parse JSON response", e))?; Ok(rsp) } else { // Attempt to parse the response body as a GCP ErrorResponse object. - let err_rsp: ErrorResponse = serde_json::from_reader(body.reader()) + let err_rsp: ErrorResponse = serde_json::from_slice(&bytes) .map_err(|e| wrap_err("failed to parse JSON error response", e))?; Err(format!("API failure {err_rsp:?}").into()) }
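Review bot: The `Authorization` value is still passed to `.header(...)` as a plain formatted string, so the bearer token would show up in any `Debug` output of the request or its header map. Building the value first and marking it sensitive avoids that: `let mut auth = http::HeaderValue::from_str(&format!("Bearer {}", self.token()?)).map_err(|e| wrap_err("invalid authorization header", e))?;`, then `auth.set_sensitive(true);`, then `.header(hyper::header::AUTHORIZATION, auth)`. `wrap_err`'s signature is not visible here, so the error mapping is a sketch. The request builder chain begins outside this hunk, so the `let` would go above it.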