Bump the dependencies group across 1 directory with 3 updates (#361)

dependabot[bot] · coltfred · skeet70 · web-flow · commit 0eeffd45c495 · 2026-02-05T10:06:53.000-07:00
* Bump the dependencies group across 1 directory with 3 updates Updates the requirements on [jsonwebtoken](https://github.com/Keats/jsonwebtoken), [recrypt](https://github.com/IronCoreLabs/recrypt-rs) and [reqwest](https://github.com/seanmonstar/reqwest) to permit the latest version. Updates `jsonwebtoken` to 10.3.0 - [Changelog](https://github.com/Keats/jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](Keats/jsonwebtoken@v9.0.0...v10.3.0) Updates `recrypt` to 0.15.0 - [Changelog](https://github.com/IronCoreLabs/recrypt-rs/blob/main/CHANGELOG.md) - [Commits](https://github.com/IronCoreLabs/recrypt-rs/commits) Updates `reqwest` to 0.12.28 - [Release notes](https://github.com/seanmonstar/reqwest/releases) - [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md) - [Commits](seanmonstar/reqwest@v0.12.0...v0.12.28) --- updated-dependencies: - dependency-name: jsonwebtoken dependency-version: 10.3.0 dependency-type: direct:production dependency-group: dependencies - dependency-name: recrypt dependency-version: 0.15.0 dependency-type: direct:production dependency-group: dependencies - dependency-name: reqwest dependency-version: 0.12.28 dependency-type: direct:production dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com> * Downgrade jsonwebtoken and recrypt. Update reqwest features * Cargo sort * upgrade to jwt 10 * sort again * format * use aws-lc-rs * Cargo sort * Update Cargo.toml Co-authored-by: Craig Colegrove <34786857+giarc3@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Colt Frederickson <coltfred@gmail.com> Co-authored-by: Murph Murphy <murph@clurictec.com> Co-authored-by: Craig Colegrove <34786857+giarc3@users.noreply.github.com>
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,21 +29,22 @@ blocking = []
 # enable to use statically compiled openssl on supported OpenSSL platforms; use with 'default-features = false'
 tls-vendored-openssl = ["reqwest/native-tls-vendored"]
 # enable to use rustls-tls; use with 'default-features = false'
-tls-rustls = ["reqwest/rustls-tls"]
+tls-rustls = ["reqwest/rustls"]
 # dynamically use the target platform's native TLS
-tls-default = ["reqwest/default-tls"]
+tls-default = ["reqwest/native-tls"]
 
 default = ["tls-default", "tokio/rt-multi-thread"]
 
 [dependencies]
+aws-lc-rs = "1"
 base64 = "0.22"
 base64-serde = "0.8"
 bytes = "1"
 futures = "0.3.1"
 hex = "0.4"
 ironcore-search-helpers = { version = "0.2", optional = true }
 itertools = "0.14"
-jsonwebtoken = "9"
+jsonwebtoken = { version = "10", features = ["rust_crypto"] }
 lazy_static = "1.4"
 log = "0.4"
 papaya = "0.2.0"
@@ -54,8 +55,11 @@ rand = "0.8"
 rand_chacha = "0.3"
 recrypt = "0.14"
 regex = "1.4"
-reqwest = { version = "0.12", features = ["json"], default-features = false }
-ring = { version = "0.17", features = ["std"] }
+reqwest = { version = "0.13", features = [
+  "json",
+  "query",
+  "http2",
+], default-features = false }
 serde = { version = "1.0.126", features = ["derive"] }
 serde_json = "1"
 time = { version = "0.3.6", features = [
diff --git a/src/crypto/aes.rs b/src/crypto/aes.rs
@@ -1,7 +1,7 @@
 use std::{fmt, num::NonZeroU32};
 
+use aws_lc_rs::{aead, aead::BoundKey, digest, error::Unspecified, pbkdf2};
 use rand::{self, CryptoRng, RngCore};
-use ring::{aead, aead::BoundKey, digest, error::Unspecified, pbkdf2};
 
 use crate::internal::{IronOxideErr, take_lock};
 use std::{convert::TryFrom, ops::DerefMut, sync::Mutex};
@@ -112,7 +112,7 @@ impl TryFrom<&[u8]> for AesEncryptedValue {
     }
 }
 
-impl From<ring::error::Unspecified> for IronOxideErr {
+impl From<aws_lc_rs::error::Unspecified> for IronOxideErr {
     fn from(ring_err: Unspecified) -> Self {
         IronOxideErr::AesError(ring_err)
     }
diff --git a/src/internal.rs b/src/internal.rs
@@ -136,7 +136,7 @@ quick_error! {
         KeyGenerationError {
             display("Key generation failed")
         }
-        AesError(err: ring::error::Unspecified) {
+        AesError(err: aws_lc_rs::error::Unspecified) {
             source(err)
         }
         AesEncryptedDocSizeError{
diff --git a/src/internal/user_api.rs b/src/internal/user_api.rs
@@ -3,7 +3,7 @@ use crate::{
     internal::{rest::IronCoreRequest, *},
 };
 use itertools::{Either, Itertools};
-use jsonwebtoken::{Algorithm, DecodingKey, Validation};
+use jsonwebtoken::Algorithm;
 use rand::rngs::OsRng;
 use recrypt::prelude::*;
 use std::{
@@ -318,29 +318,22 @@ pub struct JwtClaims {
 /// Must be either ES256 or RS256 and have a payload similar to [JwtClaims](struct.JwtClaims.html), but could be
 /// generated from an external source.
 #[allow(clippy::derive_partial_eq_without_eq)]
-#[derive(Clone, Debug, PartialEq, Serialize, Deserialize, Hash)]
+#[derive(Clone, Debug, PartialEq, Serialize, Deserialize)]
 pub struct Jwt {
     jwt: String,
     header: jsonwebtoken::Header,
     claims: JwtClaims,
 }
+
 impl Jwt {
     /// Constructs a new Jwt.
     ///
     /// Verifies that the provided jwt uses a compatible algorithm and contains the required claims.
     pub fn new(jwt: &str) -> Result<Jwt, IronOxideErr> {
-        let bogus_key = DecodingKey::from_secret(&[]);
-        let validation = {
-            let mut temp: Validation = Default::default();
-            temp.insecure_disable_signature_validation();
-            temp.validate_aud = false;
-            temp.validate_exp = false;
-            temp
-        };
-        // This suspect key/validation is acceptable here because the server will do the actual
+        // This insecure decode is acceptable here because the server will do the actual
         // signature verification and validation. We just want to do a little initial validation
         // to catch issues earlier.
-        let token_data = jsonwebtoken::decode::<JwtClaims>(jwt, &bogus_key, &validation)
+        let token_data = jsonwebtoken::dangerous::insecure_decode::<JwtClaims>(jwt)
             .map_err(|e| IronOxideErr::ValidationError("jwt".to_string(), e.to_string()))?;
         let JwtClaims {
             pid,
@@ -416,6 +409,12 @@ impl std::fmt::Display for Jwt {
         write!(f, "{}", self.jwt)
     }
 }
+impl std::hash::Hash for Jwt {
+    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+        // Header and claims are derived from the string
+        self.jwt.hash(state);
+    }
+}
 
 /// Verify an existing user given a valid JWT.
 pub async fn user_verify(

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`use std::{fmt, num::NonZeroU32};`
`2`	`2`
	`3`	`+use aws_lc_rs::{aead, aead::BoundKey, digest, error::Unspecified, pbkdf2};`
`3`	`4`	`use rand::{self, CryptoRng, RngCore};`
`4`		`-use ring::{aead, aead::BoundKey, digest, error::Unspecified, pbkdf2};`
`5`	`5`
`6`	`6`	`use crate::internal::{IronOxideErr, take_lock};`
`7`	`7`	`use std::{convert::TryFrom, ops::DerefMut, sync::Mutex};`
`@@ -112,7 +112,7 @@ impl TryFrom<&[u8]> for AesEncryptedValue {`
`112`	`112`	`}`
`113`	`113`	`}`
`114`	`114`
`115`		`-impl From<ring::error::Unspecified> for IronOxideErr {`
	`115`	`+impl From<aws_lc_rs::error::Unspecified> for IronOxideErr {`
`116`	`116`	`fn from(ring_err: Unspecified) -> Self {`
`117`	`117`	`IronOxideErr::AesError(ring_err)`
`118`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ quick_error! {`
`136`	`136`	`KeyGenerationError {`
`137`	`137`	`display("Key generation failed")`
`138`	`138`	`}`
`139`		`- AesError(err: ring::error::Unspecified) {`
	`139`	`+ AesError(err: aws_lc_rs::error::Unspecified) {`
`140`	`140`	`source(err)`
`141`	`141`	`}`
`142`	`142`	`AesEncryptedDocSizeError{`