fix: bump ed25519-dalek to v2.0 for RUSTSEC-2022-0093

Update ed25519-dalek dependency from v^1.0.1 to v2.0 to address the security vulnerability described in RUSTSEC-2022-0093. This update is backward-compatible as it does not introduce changes to the public API of rusty-paseto. Signed-off-by: Roland Rodriguez <[email protected]>
rrrodzilla · Nov 5, 2023 · 42718c1 · 42718c1
1 parent c76bd4f
commit 42718c1
Show file tree

Hide file tree

Showing 4 changed files with 1,623 additions and 1,597 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rusty_paseto"
-version = "0.5.0"
+version = "0.6.0"
 edition = "2021"
 readme = "readme.md"
 authors = ["Roland Rodriguez <[email protected]>"]
@@ -9,11 +9,11 @@ repository = "https://github.com/rrrodzilla/rusty_paseto"
 license = "MIT OR Apache-2.0"
 keywords = ["paseto", "token", "security", "api", "web"]
 categories = [
-  "cryptography",
-  "authentication",
-  "encoding",
-  "network-programming",
-  "web-programming",
+    "cryptography",
+    "authentication",
+    "encoding",
+    "network-programming",
+    "web-programming",
 ]
 documentation = "https://docs.rs/rusty_paseto/latest/rusty_paseto/"
 
@@ -29,18 +29,16 @@ v2_local = ["v2", "local", "core", "blake2", "chacha20poly1305"]
 v3_local = ["v3", "local", "core", "aes", "hmac", "sha2", "chacha20"]
 v4_local = ["v4", "local", "core", "blake2", "chacha20"]
 v1_public = ["v1", "public", "core"]
-v2_public = ["v2", "public", "core", "ed25519-dalek"]
+v2_public = ["v2", "public", "core", "ed25519-dalek", "ring/std"]
 v3_public = ["v3", "public", "core", "p384"]
-v4_public = ["v4", "public", "core", "ed25519-dalek"]
+v4_public = ["v4", "public", "core", "ed25519-dalek", "ring/std"]
 core = []
 generic = ["core", "serde", "erased-serde", "serde_json"]
 batteries_included = ["generic"]
 default = [
-  "batteries_included",
-  "v3_public",
-  "v3_local",
-  "v4_local",
-  "v4_public",
+    "batteries_included",
+    "v4_local",
+    "v4_public",
 ]
 
 [lib]
@@ -56,7 +54,7 @@ ring = { version = "^0.16", features = ["std"], optional = false }
 base64 = { version = "^0.13.0", optional = false }
 hex = { version = "^0.4.3", optional = false }
 serde = { version = "1.0.117", features = ["derive"], optional = true }
-ed25519-dalek = { version = "1.0.1", optional = true }
+ed25519-dalek = { version = "2.0.0", features = ["zeroize"], optional = true }
 serde_json = { version = "^1.0.68", optional = true }
 thiserror = "1.0.29"
 iso8601 = "0.4.0"

diff --git a/src/core/error.rs b/src/core/error.rs
@@ -1,3 +1,4 @@
+use std::array::TryFromSliceError;
 use thiserror::Error;
 
 /// Potential errors from attempting to build a token claim
@@ -40,6 +41,12 @@ pub enum PasetoError {
   ///Occurs when a signature fails verification
   #[error("The token signature could not be verified")]
   InvalidSignature,
+  #[error("A slice conversion error occurred")]
+  TryFromSlice {
+    ///Surfaces errors from slice conversion attempts
+    #[from]
+    source: TryFromSliceError,
+  },
   ///Occurs when an untrusted token string is unable to be parsed into its constituent parts
   #[error("This string has an incorrect number of parts and cannot be parsed into a token")]
   IncorrectSize,