Upgrade ring to 0.16 and jsonwebtoken to 7

2020-12-09 16:46:21 +09:00 · 2020-12-09 16:46:21 +09:00 · 2b083d1a4d
--- a/Cargo.lock
+++ b/Cargo.lock
@ -144,6 +144,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7"

+[[package]]
+name = "base64"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3441f0f7b02788e948e47f457ca01f1d7e6d92c693bc132c22b087d3141c03ff"
+
 [[package]]
 name = "base64"
 version = "0.13.0"
@ -246,6 +252,12 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40e38929add23cdf8a366df9b0e088953150724bcbe5fc330b0d8eb3b328eec8"

+[[package]]
+name = "bumpalo"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e8c087f005730276d1096a652e92a8bacee2e2472bcc9715a74d2bec38b5820"
+
 [[package]]
 name = "byte-tools"
 version = "0.3.1"
@ -1149,18 +1161,26 @@ dependencies = [
 ]

 [[package]]
-name = "jsonwebtoken"
-version = "6.0.1"
+name = "js-sys"
+version = "0.3.46"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a81d1812d731546d2614737bee92aa071d37e9afa1409bc374da9e5e70e70b22"
+checksum = "cf3d7383929f7c9c7c2d0fa596f325832df98c3704f2c60553080f7127a58175"
 dependencies = [
- "base64 0.10.1",
- "chrono",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "jsonwebtoken"
+version = "7.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "afabcc15e437a6484fc4f12d0fd63068fe457bf93f1c148d3d9649c60b103f32"
+dependencies = [
+ "base64 0.12.3",
+ "pem",
 "ring",
 "serde",
- "serde_derive",
 "serde_json",
- "untrusted",
+ "simple_asn1",
 ]

 [[package]]
@ -1514,6 +1534,17 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"

+[[package]]
+name = "num-bigint"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304"
+dependencies = [
+ "autocfg 1.0.1",
+ "num-integer",
+ "num-traits 0.2.14",
+]
+
 [[package]]
 name = "num-integer"
 version = "0.1.44"
@ -1638,6 +1669,17 @@ dependencies = [
 "winapi 0.3.9",
 ]

+[[package]]
+name = "pem"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4c220d01f863d13d96ca82359d1e81e64a7c6bf0637bcde7b2349630addf0c6"
+dependencies = [
+ "base64 0.13.0",
+ "once_cell",
+ "regex",
+]
+
 [[package]]
 name = "percent-encoding"
 version = "1.0.1"
@ -2133,15 +2175,16 @@ dependencies = [

 [[package]]
 name = "ring"
-version = "0.14.6"
+version = "0.16.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "426bc186e3e95cac1e4a4be125a4aca7e84c2d616ffc02244eef36e2a60a093c"
+checksum = "024a1e66fea74c66c66624ee5622a7ff0e4b73a13b4f5c326ddb50c708944226"
 dependencies = [
 "cc",
- "lazy_static",
 "libc",
+ "once_cell",
 "spin",
- "untrusted",
+ "untrusted 0.7.1",
+ "web-sys",
 "winapi 0.3.9",
 ]

@ -2295,7 +2338,7 @@ dependencies = [
 "tokio-uds",
 "toml",
 "tower",
- "untrusted",
+ "untrusted 0.6.2",
 "url 1.7.2",
 "uuid",
 "version-compare",
@ -2456,6 +2499,17 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "simple_asn1"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "692ca13de57ce0613a363c8c2f1de925adebc81b04c923ac60c5488bb44abe4b"
+dependencies = [
+ "chrono",
+ "num-bigint",
+ "num-traits 0.2.14",
+]
+
 [[package]]
 name = "siphasher"
 version = "0.2.3"
@ -3334,6 +3388,12 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "55cd1f4b4e96b46aeb8d4855db4a7a9bd96eeeb5c6a1ab54593328761642ce2f"

+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "url"
 version = "1.7.2"
@ -3460,6 +3520,70 @@ version = "0.10.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"

+[[package]]
+name = "wasm-bindgen"
+version = "0.2.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3cd364751395ca0f68cafb17666eee36b63077fb5ecd972bbcd74c90c4bf736e"
+dependencies = [
+ "cfg-if 1.0.0",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1114f89ab1f4106e5b55e688b828c0ab0ea593a1ea7c094b141b14cbaaec2d62"
+dependencies = [
+ "bumpalo",
+ "lazy_static",
+ "log 0.4.11",
+ "proc-macro2",
+ "quote 1.0.7",
+ "syn 1.0.54",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a6ac8995ead1f084a8dea1e65f194d0973800c7f571f6edd70adf06ecf77084"
+dependencies = [
+ "quote 1.0.7",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5a48c72f299d80557c7c62e37e7225369ecc0c963964059509fbafe917c7549"
+dependencies = [
+ "proc-macro2",
+ "quote 1.0.7",
+ "syn 1.0.54",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e7811dd7f9398f14cc76efd356f98f03aa30419dea46aa810d71e819fc97158"
+
+[[package]]
+name = "web-sys"
+version = "0.3.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "222b1ef9334f92a21d3fb53dc3fd80f30836959a90f9274a626d7e06315ba3c3"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "which"
 version = "4.0.2"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -43,7 +43,7 @@ http = "0.1"
 hyper = { version = "0.12", optional = true }
 hyperx = { version = "0.12", optional = true }
 jobserver = "0.1"
-jsonwebtoken = { version = "6.0.1", optional = true }
+jsonwebtoken = { version = "7", optional = true }
 lazy_static = "1.0.0"
 libc = "0.2.10"
 local-encoding = "0.2.0"
@ -59,7 +59,7 @@ redis = { version = "0.15.0", optional = true }
 regex = "1"
 reqwest = { version = "0.9.11", optional = true }
 retry = "0.4.0"
-ring = { version = "0.14.6", optional = true }
+ring = { version = "0.16", optional = true, features = ["std"] }
 sha-1 = { version = "0.8", optional = true }
 sha2 = { version = "0.8", optional = true }
 serde = "1.0"
--- a/src/bin/sccache-dist/main.rs
+++ b/src/bin/sccache-dist/main.rs
@ -262,10 +262,11 @@ fn create_jwt_server_token(
    header: &jwt::Header,
    key: &[u8],
 ) -> Result<String> {
-    jwt::encode(&header, &ServerJwt { server_id }, key).map_err(Into::into)
+    let key = jwt::EncodingKey::from_secret(key);
+    jwt::encode(&header, &ServerJwt { server_id }, &key).map_err(Into::into)
 }
-fn dangerous_unsafe_extract_jwt_server_token(server_token: &str) -> Option<ServerId> {
-    jwt::dangerous_unsafe_decode::<ServerJwt>(&server_token)
+fn dangerous_insecure_extract_jwt_server_token(server_token: &str) -> Option<ServerId> {
+    jwt::dangerous_insecure_decode::<ServerJwt>(&server_token)
        .map(|res| res.claims.server_id)
        .ok()
 }
@ -274,7 +275,8 @@ fn check_jwt_server_token(
    key: &[u8],
    validation: &jwt::Validation,
 ) -> Option<ServerId> {
-    jwt::decode::<ServerJwt>(server_token, key, validation)
+    let key = jwt::DecodingKey::from_secret(key);
+    jwt::decode::<ServerJwt>(server_token, &key, validation)
        .map(|res| res.claims.server_id)
        .ok()
 }
@ -407,7 +409,7 @@ fn run(command: Command) -> Result<i32> {
                }
                server_config::SchedulerAuth::JwtToken { token } => {
                    let token_server_id: ServerId =
-                        dangerous_unsafe_extract_jwt_server_token(&token)
+                        dangerous_insecure_extract_jwt_server_token(&token)
                            .context("Could not decode scheduler auth jwt")?;
                    if token_server_id != server_id {
                        bail!(
--- a/src/bin/sccache-dist/token_check.rs
+++ b/src/bin/sccache-dist/token_check.rs
@ -121,11 +121,11 @@ impl MozillaCheck {
            sub: String,
        }
        // We don't really do any validation here (just forwarding on) so it's ok to unsafely decode
-        let unsafe_token =
-            jwt::dangerous_unsafe_decode::<MozillaToken>(token).context("Unable to decode jwt")?;
-        let user = unsafe_token.claims.sub;
+        let insecure_token = jwt::dangerous_insecure_decode::<MozillaToken>(token)
+            .context("Unable to decode jwt")?;
+        let user = insecure_token.claims.sub;
        trace!("Validating token for user {} with mozilla", user);
-        if UNIX_EPOCH + Duration::from_secs(unsafe_token.claims.exp) < SystemTime::now() {
+        if UNIX_EPOCH + Duration::from_secs(insecure_token.claims.exp) < SystemTime::now() {
            bail!("JWT expired")
        }
        // If the token is cached and not expired, return it
@ -353,17 +353,18 @@ impl ValidJWTCheck {
        trace!("Validating JWT in scheduler");
        // Prepare validation
        let kid = header.kid.context("No kid found")?;
-        let pkcs1 = self
-            .kid_to_pkcs1
-            .get(&kid)
-            .context("kid not found in jwks")?;
+        let pkcs1 = jwt::DecodingKey::from_rsa_der(
+            self.kid_to_pkcs1
+                .get(&kid)
+                .context("kid not found in jwks")?,
+        );
        let mut validation = jwt::Validation::new(header.alg);
-        validation.set_audience(&self.audience);
+        validation.set_audience(&[&self.audience]);
        validation.iss = Some(self.issuer.clone());
        #[derive(Deserialize)]
        struct Claims {}
        // Decode the JWT, discarding any claims - we just care about validity
-        let _tokendata = jwt::decode::<Claims>(token, pkcs1, &validation)
+        let _tokendata = jwt::decode::<Claims>(token, &pkcs1, &validation)
            .context("Unable to validate and decode jwt")?;
        Ok(())
    }
--- a/src/cache/gcs.rs
+++ b/src/cache/gcs.rs
@ -298,8 +298,8 @@ fn sign_rsa(
    key: &[u8],
    alg: &'static dyn signature::RsaEncoding,
 ) -> Result<String> {
-    let key_pair = signature::RsaKeyPair::from_pkcs8(untrusted::Input::from(key))
-        .context("failed to deserialize rsa key")?;
+    let key_pair =
+        signature::RsaKeyPair::from_pkcs8(key).context("failed to deserialize rsa key")?;

    let mut signature = vec![0; key_pair.public_modulus_len()];
    let rng = ring::rand::SystemRandom::new();
--- a/src/dist/http.rs
+++ b/src/dist/http.rs
@ -609,12 +609,14 @@ mod server {
    impl dist::JobAuthorizer for JWTJobAuthorizer {
        fn generate_token(&self, job_id: JobId) -> Result<String> {
            let claims = JobJwt { job_id };
-            jwt::encode(&JWT_HEADER, &claims, &self.server_key)
+            let key = jwt::EncodingKey::from_secret(&self.server_key);
+            jwt::encode(&JWT_HEADER, &claims, &key)
                .map_err(|e| anyhow!("Failed to create JWT for job: {}", e))
        }
        fn verify_token(&self, job_id: JobId, token: &str) -> Result<()> {
            let valid_claims = JobJwt { job_id };
-            jwt::decode(&token, &self.server_key, &JWT_VALIDATION)
+            let key = jwt::DecodingKey::from_secret(&self.server_key);
+            jwt::decode(&token, &key, &JWT_VALIDATION)
                .map_err(|e| anyhow!("JWT decode failed: {}", e))
                .and_then(|res| {
                    fn identical_t<T>(_: &T, _: &T) {}